From d5b5b8f8aa956266289ad9c523a410419fea87f8 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Sun, 12 Jul 2015 18:58:24 +0000 Subject: [PATCH] CryptoPkg: update OpenSSL dependency to version 1.0.2d Upstream OpenSSL version 1.0.2c contained a fatal flaw [CVE-2015-1793] and is no longer available from the openssl.org download servers. So upgrade to its replacement, version 1.0.2d. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel Reviewed-by: Laszlo Ersek Reviewed-by: Ye Ting Reviewed-by: Qin Long git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17928 6f19259b-4bc3-4df7-8a09-765794883524 --- ....0.2c.patch => EDKII_openssl-1.0.2d.patch} | 4 +-- CryptoPkg/Library/OpensslLib/Install.cmd | 2 +- CryptoPkg/Library/OpensslLib/Install.sh | 2 +- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +- CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 +++++++++---------- 5 files changed, 18 insertions(+), 18 deletions(-) rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2c.patch => EDKII_openssl-1.0.2d.patch} (96%) diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch similarity index 96% rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch index 0d9575e94a..72e5f3da54 100644 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch @@ -210,7 +210,7 @@ diff U3 crypto/rsa/rsa_ameth.c crypto/rsa/rsa_ameth.c diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c --- crypto/x509/x509_vfy.c Thu Jun 11 21:52:58 2015 +++ crypto/x509/x509_vfy.c Fri Jun 12 11:29:37 2015 -@@ -1647,6 +1647,10 @@ +@@ -1653,6 +1653,10 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { 
@@ -221,7 +221,7 @@ diff U3 crypto/x509/x509_vfy.c crypto/x509/x509_vfy.c time_t *ptime; int i; -@@ -1686,6 +1690,7 @@ +@@ -1692,6 +1696,7 @@ } return 1; diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd index f8d8582d9e..ef0a4bdceb 100755 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-1.0.2c +cd openssl-1.0.2d copy e_os2.h ..\..\..\Include\openssl copy crypto\crypto.h ..\..\..\Include\openssl copy crypto\opensslv.h ..\..\..\Include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh index 087655d50e..877e775b81 100755 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh -cd openssl-1.0.2c +cd openssl-1.0.2d cp e_os2.h ../../../Include/openssl cp crypto/crypto.h ../../../Include/openssl cp crypto/opensslv.h ../../../Include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index dbf8a96217..28d3aec00e 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf 
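Review bot: The new `cd openssl-1.0.2d` in Install.cmd is not checked, and the same holds for the identical line in Install.sh. If the tree still holds only the old openssl-1.0.2c directory, the change of directory fails and the copy lines that follow still run, so the headers already under Include\openssl stay as they were, with nothing but copy errors to show for it. Stopping on failure closes that gap: `cd openssl-1.0.2d || exit /b 1` in Install.cmd and `cd openssl-1.0.2d || exit 1` in Install.sh. Both scripts continue past the end of their hunks, so whether a later step already checks for errors is not visible here.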
@@ -20,7 +20,7 @@ MODULE_TYPE = BASE VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib - DEFINE OPENSSL_PATH = openssl-1.0.2c + DEFINE OPENSSL_PATH = openssl-1.0.2d DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt index 0ea7b8aa0b..59e74ee9b0 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt 
@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. ================================================================================ OpenSSL-Version ================================================================================ - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2c. - http://www.openssl.org/source/openssl-1.0.2c.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2d. + http://www.openssl.org/source/openssl-1.0.2d.tar.gz ================================================================================ HOW to Install Openssl for UEFI Building ================================================================================ -1. Download OpenSSL 1.0.2c from official website: - http://www.openssl.org/source/openssl-1.0.2c.tar.gz +1. Download OpenSSL 1.0.2d from official website: + http://www.openssl.org/source/openssl-1.0.2d.tar.gz - NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2c.tar.tar. - When you do the download, rename the "openssl-1.0.2c.tar.tar" to - "openssl-1.0.2c.tar.gz" or rename the local downloaded file with ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2d.tar.tar. + When you do the download, rename the "openssl-1.0.2d.tar.tar" to + "openssl-1.0.2d.tar.gz" or rename the local downloaded file with ".tar.tar" extension to ".tar.gz". -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2c +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2d NOTE: If you use WinZip to unpack the openssl source in Windows, please uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). -3. Apply this patch: EDKII_openssl-1.0.2c.patch, and make installation +3. 
Apply this patch: EDKII_openssl-1.0.2d.patch, and make installation For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2c - 3) patch -p0 -i ..\EDKII_openssl-1.0.2c.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2d + 3) patch -p0 -i ..\EDKII_openssl-1.0.2d.patch 4) cd .. 5) Install.cmd @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/patch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2c - 3) patch -p0 -i ../EDKII_openssl-1.0.2c.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2d + 3) patch -p0 -i ../EDKII_openssl-1.0.2d.patch 4) cd .. 5) ./Install.sh -- 2.39.2
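Review bot: The download step in Patch-HOWTO.txt still points at `http://www.openssl.org/source/openssl-1.0.2d.tar.gz` and gives the reader no way to confirm that the archive is the genuine 1.0.2d release. Since the commit exists to move off a withdrawn version, and the extracted tree is what OPENSSL_PATH in OpensslLib.inf builds from, the HOWTO should use the `https://` form of the URL and tell the reader to check the tarball against the SHA-256 digest or PGP signature published with the release. I would add a line under step 1 such as `Verify the archive against the digest or signature published on openssl.org before unpacking.` The digest itself is not in this patch, so it has to come from the release announcement.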