File ovmf-bsc1094291-update-openssl-1.0.2o.patch of Package ovmf.6568
From ccebe08b0bfbd4727f05ae3bc6e07f0bfe462065 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 22 May 2018 16:16:16 +0800
Subject: [PATCH] Update openssl to 1.0.2o
---
CryptoPkg/CryptoPkg.dec | 2 +-
...ssl-1.0.2k.patch => EDKII_openssl-1.0.2o.patch} | 204 +++++----------------
CryptoPkg/Library/OpensslLib/Install.sh | 2 +-
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +-
4 files changed, 53 insertions(+), 157 deletions(-)
rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2k.patch => EDKII_openssl-1.0.2o.patch} (90%)
diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index ac1073c..b41ce39 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -24,7 +24,7 @@
[Includes]
Include
- Library/OpensslLib/openssl-1.0.2k/include
+ Library/OpensslLib/openssl-1.0.2o/include
[LibraryClasses]
## @libraryclass Provides basic library functions for cryptographic primitives.
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2o.patch
similarity index 90%
rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2o.patch
index cc0ce68..cd63f0e 100644
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2k.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2o.patch
@@ -1,5 +1,5 @@
diff --git a/Configure b/Configure
-index 5da7cad..c2cc9c5 100755
+index 744b493..ac21c6f 100755
--- a/Configure
+++ b/Configure
@@ -611,6 +611,9 @@ my %table=(
@@ -22,10 +22,10 @@ index 5da7cad..c2cc9c5 100755
$disabled{"gost"} = "forced";
}
diff --git a/apps/apps.c b/apps/apps.c
-index c487bd9..64ade15 100644
+index c5a5152..3ef0e78 100644
--- a/apps/apps.c
+++ b/apps/apps.c
-@@ -2386,6 +2386,8 @@ int args_verify(char ***pargs, int *pargc,
+@@ -2390,6 +2390,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_PARTIAL_CHAIN;
else if (!strcmp(arg, "-no_alt_chains"))
flags |= X509_V_FLAG_NO_ALT_CHAINS;
@@ -35,7 +35,7 @@ index c487bd9..64ade15 100644
flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
else
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
-index 2d562f9..91203b7 100644
+index 95f0416..d16f458 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -104,6 +104,7 @@ static int send_bio_chars(void *arg, const void *buf, int len)
@@ -254,7 +254,7 @@ index d5a5514..bede55c 100644
goto err;
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
-index 8177fd2..4dab3bb 100644
+index e911e15..5104656 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -131,7 +131,7 @@
@@ -298,7 +298,7 @@ index 8177fd2..4dab3bb 100644
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
-@@ -376,10 +381,9 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
+@@ -364,10 +369,9 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
return 1;
}
@@ -311,7 +311,7 @@ index 8177fd2..4dab3bb 100644
again:
diff --git a/crypto/conf/conf.h b/crypto/conf/conf.h
-index 8d926d5..c29e97d 100644
+index fe49113..9efc453 100644
--- a/crypto/conf/conf.h
+++ b/crypto/conf/conf.h
@@ -118,8 +118,10 @@ typedef void conf_finish_func (CONF_IMODULE *md);
@@ -367,10 +367,10 @@ index 8d926d5..c29e97d 100644
void CONF_modules_finish(void);
void CONF_modules_free(void);
diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
-index 68c77ce..3d308c7 100644
+index 6237f6a..5b461eb 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
-@@ -182,6 +182,10 @@ static int def_destroy_data(CONF *conf)
+@@ -188,6 +188,10 @@ static int def_destroy_data(CONF *conf)
static int def_load(CONF *conf, const char *name, long *line)
{
@@ -381,7 +381,7 @@ index 68c77ce..3d308c7 100644
int ret;
BIO *in = NULL;
-@@ -202,6 +206,7 @@ static int def_load(CONF *conf, const char *name, long *line)
+@@ -208,6 +212,7 @@ static int def_load(CONF *conf, const char *name, long *line)
BIO_free(in);
return ret;
@@ -426,7 +426,7 @@ index 5281384..952b545 100644
#ifndef OPENSSL_NO_FP_API
int NCONF_load_fp(CONF *conf, FILE *fp, long *eline)
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
-index e0c9a67..13d93ea 100644
+index e2a9a81..262e4db 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -159,6 +159,7 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
@@ -462,7 +462,7 @@ index c042cf2..a25b636 100644
}
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
-index 1925428..da4b34d 100644
+index 5fab45b..9079396 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -263,7 +263,7 @@ int CRYPTO_get_new_dynlockid(void)
@@ -492,7 +492,7 @@ index 1925428..da4b34d 100644
OPENSSL_free(pointer);
}
}
-@@ -670,6 +670,7 @@ unsigned long *OPENSSL_ia32cap_loc(void)
+@@ -677,6 +677,7 @@ unsigned long *OPENSSL_ia32cap_loc(void)
}
# if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
@@ -500,7 +500,7 @@ index 1925428..da4b34d 100644
# define OPENSSL_CPUID_SETUP
# if defined(_WIN32)
typedef unsigned __int64 IA32CAP;
-@@ -980,11 +981,13 @@ void OPENSSL_showfatal(const char *fmta, ...)
+@@ -987,11 +988,13 @@ void OPENSSL_showfatal(const char *fmta, ...)
#else
void OPENSSL_showfatal(const char *fmta, ...)
{
@@ -514,7 +514,7 @@ index 1925428..da4b34d 100644
}
int OPENSSL_isservice(void)
-@@ -1011,10 +1014,12 @@ void OpenSSLDie(const char *file, int line, const char *assertion)
+@@ -1018,10 +1021,12 @@ void OpenSSLDie(const char *file, int line, const char *assertion)
#endif
}
@@ -642,38 +642,11 @@ index 01e275f..7633139 100644
int DES_read_password(DES_cblock *key, const char *prompt, int verify)
{
int ok;
-diff --git a/crypto/dh/Makefile b/crypto/dh/Makefile
-index 46fa5ac..cc366ec 100644
---- a/crypto/dh/Makefile
-+++ b/crypto/dh/Makefile
-@@ -134,7 +134,7 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
- dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
- dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
- dh_gen.o: ../cryptlib.h dh_gen.c
--dh_kdf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+dh_kdf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
- dh_kdf.o: ../../include/openssl/buffer.h ../../include/openssl/cms.h
- dh_kdf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
- dh_kdf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
-index a5bd901..6488879 100644
+index 80b28fb..6527500 100644
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
-@@ -240,11 +240,13 @@ DH *DH_get_1024_160(void);
- DH *DH_get_2048_224(void);
- DH *DH_get_2048_256(void);
-
-+# ifndef OPENSSL_NO_CMS
- /* RFC2631 KDF */
- int DH_KDF_X9_42(unsigned char *out, size_t outlen,
- const unsigned char *Z, size_t Zlen,
- ASN1_OBJECT *key_oid,
- const unsigned char *ukm, size_t ukmlen, const EVP_MD *md);
-+# endif
-
- # define EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \
-@@ -337,7 +339,9 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
+@@ -356,7 +356,9 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
/* KDF types */
# define EVP_PKEY_DH_KDF_NONE 1
@@ -683,70 +656,6 @@ index a5bd901..6488879 100644
/* BEGIN ERROR CODES */
/*
-diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c
-index a882cb2..aace5fb 100644
---- a/crypto/dh/dh_kdf.c
-+++ b/crypto/dh/dh_kdf.c
-@@ -51,6 +51,9 @@
- * ====================================================================
- */
-
-+#include <e_os.h>
-+
-+#ifndef OPENSSL_NO_CMS
- #include <string.h>
- #include <openssl/dh.h>
- #include <openssl/evp.h>
-@@ -58,6 +61,7 @@
- #include <openssl/cms.h>
-
- /* Key derivation from X9.42/RFC2631 */
-+/* Uses CMS functions, hence the #ifdef wrapper. */
-
- #define DH_KDF_MAX (1L << 30)
-
-@@ -185,3 +189,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen,
- EVP_MD_CTX_cleanup(&mctx);
- return rv;
- }
-+#endif
-diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
-index b58e3fa..926be98 100644
---- a/crypto/dh/dh_pmeth.c
-+++ b/crypto/dh/dh_pmeth.c
-@@ -207,7 +207,11 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
- case EVP_PKEY_CTRL_DH_KDF_TYPE:
- if (p1 == -2)
- return dctx->kdf_type;
-+#ifdef OPENSSL_NO_CMS
-+ if (p1 != EVP_PKEY_DH_KDF_NONE)
-+#else
- if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
-+#endif
- return -2;
- dctx->kdf_type = p1;
- return 1;
-@@ -448,7 +452,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
- return ret;
- *keylen = ret;
- return 1;
-- } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
-+ }
-+#ifndef OPENSSL_NO_CMS
-+ else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
- unsigned char *Z = NULL;
- size_t Zlen = 0;
- if (!dctx->kdf_outlen || !dctx->kdf_oid)
-@@ -479,7 +485,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
- }
- return ret;
- }
-- return 1;
-+#endif
-+ return 0;
- }
-
- const EVP_PKEY_METHOD dh_pkey_meth = {
diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h
index 46f163b..b4a72a0 100644
--- a/crypto/engine/eng_int.h
@@ -784,7 +693,7 @@ index 34b0029..cf622bb 100644
#define TEST_ENG_OPENSSL_RC4_P_INIT
/* #define TEST_ENG_OPENSSL_RC4_P_CIPHER */
diff --git a/crypto/err/err.h b/crypto/err/err.h
-index 585aa8b..04c6cfc 100644
+index f423656..bec2ab1 100644
--- a/crypto/err/err.h
+++ b/crypto/err/err.h
@@ -200,39 +200,39 @@ typedef struct err_state_st {
@@ -861,7 +770,7 @@ index 585aa8b..04c6cfc 100644
/*
* Borland C seems too stupid to be able to shift and do longs in the
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
-index d258ef8..376f260 100644
+index cf1de15..106ba30 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -602,11 +602,13 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in);
@@ -879,7 +788,7 @@ index d258ef8..376f260 100644
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const unsigned char *salt, const unsigned char *data,
diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c
-index 5be9e33..63c8866 100644
+index cdffe1c..595a8c4 100644
--- a/crypto/evp/evp_key.c
+++ b/crypto/evp/evp_key.c
@@ -63,6 +63,7 @@
@@ -890,8 +799,8 @@ index 5be9e33..63c8866 100644
/* should be init to zeros. */
static char prompt_string[80];
-@@ -117,6 +118,7 @@ int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
- OPENSSL_cleanse(buff, BUFSIZ);
+@@ -119,6 +120,7 @@ int EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
+ UI_free(ui);
return ret;
}
+#endif /* OPENSSL_NO_UI */
@@ -972,7 +881,7 @@ index aac72fb..d271ec8 100644
EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x);
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
-index c82b3c0..56c77b1 100644
+index 4d5f053..0592cc6 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -84,7 +84,7 @@ int pem_check_suffix(const char *pem_str, const char *suffix);
@@ -985,7 +894,7 @@ index c82b3c0..56c77b1 100644
* We should not ever call the default callback routine from windows.
*/
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
-index 5747c73..9edca4d 100644
+index daf210f..9b018ca 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -69,9 +69,11 @@
@@ -1102,7 +1011,7 @@ index dc9b484..e75c4b2 100644
+ return ret;
}
diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c
-index 737aebf..f23f348 100644
+index 66fb14c..5526d12 100644
--- a/crypto/rand/rand_egd.c
+++ b/crypto/rand/rand_egd.c
@@ -95,7 +95,7 @@
@@ -1115,7 +1024,7 @@ index 737aebf..f23f348 100644
{
return (-1);
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
-index 6c5b65d..11ee152 100644
+index 097e409..fb0304e 100644
--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -116,7 +116,7 @@
@@ -1151,10 +1060,10 @@ index 028892a..4ed4bfe 100644
/* This method ignores the configured seed and fails for an unknown user. */
SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
-index a8ec52a..ce20804 100644
+index c8bc7a9..7fd29e0 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
-@@ -228,6 +228,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id,
+@@ -231,6 +231,7 @@ static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id,
return (info == NULL || NULL != (vinfo->info = BUF_strdup(info)));
}
@@ -1162,7 +1071,7 @@ index a8ec52a..ce20804 100644
static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
const char *v)
{
-@@ -254,6 +255,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
+@@ -257,6 +258,7 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
vinfo->v = NULL;
return 0;
}
@@ -1170,7 +1079,7 @@ index a8ec52a..ce20804 100644
static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v)
{
-@@ -312,6 +314,7 @@ int SRP_VBASE_free(SRP_VBASE *vb)
+@@ -315,6 +317,7 @@ int SRP_VBASE_free(SRP_VBASE *vb)
return 0;
}
@@ -1178,7 +1087,7 @@ index a8ec52a..ce20804 100644
static SRP_gN_cache *SRP_gN_new_init(const char *ch)
{
unsigned char tmp[MAX_LEN];
-@@ -346,6 +349,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache)
+@@ -349,6 +352,7 @@ static void SRP_gN_free(SRP_gN_cache *gN_cache)
BN_free(gN_cache->bn);
OPENSSL_free(gN_cache);
}
@@ -1186,7 +1095,7 @@ index a8ec52a..ce20804 100644
static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
{
-@@ -362,6 +366,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
+@@ -365,6 +369,7 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
return SRP_get_default_gN(id);
}
@@ -1194,7 +1103,7 @@ index a8ec52a..ce20804 100644
static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch)
{
int i;
-@@ -503,6 +508,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
+@@ -506,6 +511,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
return error_code;
}
@@ -1451,7 +1360,7 @@ index 0f29011..80dd40e 100644
int verify)
{
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
-index bbc3189..29695f9 100644
+index 6f0209a..927f045 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -69,6 +69,8 @@
@@ -1463,7 +1372,7 @@ index bbc3189..29695f9 100644
#include <openssl/lhash.h>
#include <openssl/x509.h>
-@@ -438,3 +440,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
+@@ -439,3 +441,5 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
BUF_MEM_free(b);
return (ok);
}
@@ -1551,7 +1460,7 @@ index 34cad53..12f12a7 100644
val_len = strlen(val->value + 5);
tmp_data = OPENSSL_realloc((*policy)->data,
diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c
-index 0b7c681..1895b8f 100644
+index 87a6ae1..7c99f21 100644
--- a/crypto/x509v3/v3_scts.c
+++ b/crypto/x509v3/v3_scts.c
@@ -61,6 +61,7 @@
@@ -1635,12 +1544,12 @@ index f4a8358..94d3293 100644
/* Error codes for the ZENCOD functions. */
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
-index 44792f9..7f95d58 100644
+index 10399ec..ec99851 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
-@@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
- alternative chain can be found that is trusted. With this flag set the behaviour
- will match that of OpenSSL versions prior to 1.0.2b.
+@@ -224,6 +224,10 @@ becomes the trust-anchor.
+ Thus, even when an intermediate certificate is found in the trust store, the
+ verified chain passed to callbacks may still be anchored by a root CA.
+The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period
+of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
@@ -1650,7 +1559,7 @@ index 44792f9..7f95d58 100644
The above functions should be used to manipulate verification parameters
diff --git a/doc/crypto/threads.pod b/doc/crypto/threads.pod
-index dc0e939..fe123bb 100644
+index 30c19b8..250b9e2 100644
--- a/doc/crypto/threads.pod
+++ b/doc/crypto/threads.pod
@@ -51,15 +51,15 @@ CRYPTO_destroy_dynlockid, CRYPTO_lock - OpenSSL thread support
@@ -1863,18 +1772,18 @@ index f6b3ff2..1dcbe36 100755
SEED,-
SHA,-
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 9bc6153..b5648eb 100644
+index e6bc761..f25825a 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
-@@ -1068,7 +1068,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
- int dtls1_read_failed(SSL *s, int code)
+@@ -1076,7 +1076,7 @@ int dtls1_read_failed(SSL *s, int code)
{
if (code > 0) {
+ #ifdef TLS_DEBUG
- fprintf(stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
+ fprintf(stderr, "dtls1_read_failed(); invalid state reached\n");
+ #endif
return 1;
}
-
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 499f0e8..5672f99 100644
--- a/ssl/ssl_asn1.c
@@ -1915,10 +1824,10 @@ index 499f0e8..5672f99 100644
os.data = NULL;
os.length = 0;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
-index 1be6fb0..cbec97c 100644
+index 363d2b2..9f43f28 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
-@@ -855,12 +855,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
+@@ -856,12 +856,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
return (add_client_CA(&(ctx->client_CA), x));
}
@@ -1932,7 +1841,7 @@ index 1be6fb0..cbec97c 100644
/**
* Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
* it doesn't really have anything to do with clients (except that a common use
-@@ -928,7 +928,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
+@@ -929,7 +929,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
ERR_clear_error();
return (ret);
}
@@ -1940,7 +1849,7 @@ index 1be6fb0..cbec97c 100644
/**
* Add a file of certs to a stack.
-@@ -1048,6 +1047,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+@@ -1049,6 +1048,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
return ret;
}
@@ -1987,7 +1896,7 @@ index 8d3709d..2bb403b 100644
static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index b6d1ee9..75f38cd 100644
+index 50491ff..e04d7d0 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -779,9 +779,7 @@ int tls1_enc(SSL *s, int send)
@@ -2019,19 +1928,6 @@ index baa3b59..1ee3f02 100644
system ("$ossl_path no-ec > $null_path");
if ($? == 0)
{
-diff --git a/util/libeay.num b/util/libeay.num
-index 2094ab3..992abb2 100755
---- a/util/libeay.num
-+++ b/util/libeay.num
-@@ -4370,7 +4370,7 @@ DH_compute_key_padded 4732 EXIST::FUNCTION:DH
- ECDSA_METHOD_set_sign 4733 EXIST::FUNCTION:ECDSA
- CMS_RecipientEncryptedKey_cert_cmp 4734 EXIST:!VMS:FUNCTION:CMS
- CMS_RecipEncryptedKey_cert_cmp 4734 EXIST:VMS:FUNCTION:CMS
--DH_KDF_X9_42 4735 EXIST::FUNCTION:DH
-+DH_KDF_X9_42 4735 EXIST::FUNCTION:CMS,DH
- RSA_OAEP_PARAMS_free 4736 EXIST::FUNCTION:RSA
- EVP_des_ede3_wrap 4737 EXIST::FUNCTION:DES
- RSA_OAEP_PARAMS_it 4738 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
diff --git a/util/mkdef.pl b/util/mkdef.pl
index b9b159a..9841498 100755
--- a/util/mkdef.pl
diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh
index cdf2595..f7a8e02 100755
--- a/CryptoPkg/Library/OpensslLib/Install.sh
+++ b/CryptoPkg/Library/OpensslLib/Install.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-cd openssl-1.0.2k
+cd openssl-1.0.2o
cp ../opensslconf.h crypto
mkdir -p include/openssl
cp e_os2.h include/openssl
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 2845719..ff6e645 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -20,7 +20,7 @@
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
- DEFINE OPENSSL_PATH = openssl-1.0.2k
+ DEFINE OPENSSL_PATH = openssl-1.0.2o
DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE
#
--
2.16.3
