Upgrade to OpenSSL-0.9.8zf (released on 19-MAR-2015).

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17072 6f19259b-4bc3-4df7-8a09-765794883524

CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8ze.patch

@@ -1,281 +0,0 @@
-Index: crypto/bio/bss_file.c
-===================================================================
---- crypto/bio/bss_file.c	(revision 1)
-+++ crypto/bio/bss_file.c	(working copy)
-@@ -428,6 +428,23 @@
- 	return(ret);
- 	}
- 
-+#else
-+
-+BIO_METHOD *BIO_s_file(void)
-+	{
-+	return NULL;
-+	}
-+
-+BIO *BIO_new_file(const char *filename, const char *mode)
-+	{
-+	return NULL;
-+	}
-+
-+BIO *BIO_new_fp(FILE *stream, int close_flag)
-+	{
-+	return NULL;
-+	}
-+
- #endif /* OPENSSL_NO_STDIO */
- 
- #endif /* HEADER_BSS_FILE_C */
-Index: crypto/crypto.h
-===================================================================
---- crypto/crypto.h	(revision 1)
-+++ crypto/crypto.h	(working copy)
-@@ -235,15 +235,15 @@
- #ifndef OPENSSL_NO_LOCKING
- #ifndef CRYPTO_w_lock
- #define CRYPTO_w_lock(type)	\
--	CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-+	CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0)
- #define CRYPTO_w_unlock(type)	\
--	CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-+	CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0)
- #define CRYPTO_r_lock(type)	\
--	CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
-+	CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0)
- #define CRYPTO_r_unlock(type)	\
--	CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
-+	CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0)
- #define CRYPTO_add(addr,amount,type)	\
--	CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
-+	CRYPTO_add_lock(addr,amount,type,NULL,0)
- #endif
- #else
- #define CRYPTO_w_lock(a)
-@@ -361,19 +361,19 @@
- #define MemCheck_off()	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)
- #define is_MemCheck_on() CRYPTO_is_mem_check_on()
- 
--#define OPENSSL_malloc(num)	CRYPTO_malloc((int)num,__FILE__,__LINE__)
--#define OPENSSL_strdup(str)	CRYPTO_strdup((str),__FILE__,__LINE__)
-+#define OPENSSL_malloc(num)	CRYPTO_malloc((int)num,NULL,0)
-+#define OPENSSL_strdup(str)	CRYPTO_strdup((str),NULL,0)
- #define OPENSSL_realloc(addr,num) \
--	CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
-+	CRYPTO_realloc((char *)addr,(int)num,NULL,0)
- #define OPENSSL_realloc_clean(addr,old_num,num) \
--	CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
-+	CRYPTO_realloc_clean(addr,old_num,num,NULL,0)
- #define OPENSSL_remalloc(addr,num) \
--	CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
-+	CRYPTO_remalloc((char **)addr,(int)num,NULL,0)
- #define OPENSSL_freeFunc	CRYPTO_free
- #define OPENSSL_free(addr)	CRYPTO_free(addr)
- 
- #define OPENSSL_malloc_locked(num) \
--	CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
-+	CRYPTO_malloc_locked((int)num,NULL,0)
- #define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
- 
- 
-@@ -487,7 +487,7 @@
- long CRYPTO_get_mem_debug_options(void);
- 
- #define CRYPTO_push_info(info) \
--        CRYPTO_push_info_(info, __FILE__, __LINE__);
-+        CRYPTO_push_info_(info, NULL, 0);
- int CRYPTO_push_info_(const char *info, const char *file, int line);
- int CRYPTO_pop_info(void);
- int CRYPTO_remove_all_info(void);
-@@ -528,17 +528,17 @@
- 
- /* die if we have to */
- void OpenSSLDie(const char *file,int line,const char *assertion);
--#define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
-+#define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1))
- 
- unsigned long *OPENSSL_ia32cap_loc(void);
- #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
- int OPENSSL_isservice(void);
- 
- #ifdef OPENSSL_FIPS
--#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
-+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(NULL, 0, \
- 		alg " previous FIPS forbidden algorithm error ignored");
- 
--#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
-+#define FIPS_BAD_ABORT(alg) OpenSSLDie(NULL, 0, \
- 		#alg " Algorithm forbidden in FIPS mode");
- 
- #ifdef OPENSSL_FIPS_STRICT
-Index: crypto/err/err.c
-===================================================================
---- crypto/err/err.c	(revision 1)
-+++ crypto/err/err.c	(working copy)
-@@ -313,7 +313,12 @@
- 	es->err_data_flags[i]=flags;
- 	}
- 
-+/* Add EFIAPI for UEFI version. */
-+#if defined(OPENSSL_SYS_UEFI)
-+void EFIAPI ERR_add_error_data(int num, ...)
-+#else
- void ERR_add_error_data(int num, ...)
-+#endif
- 	{
- 	va_list args;
- 	int i,n,s;
-Index: crypto/err/err.h
-===================================================================
---- crypto/err/err.h	(revision 1)
-+++ crypto/err/err.h	(working copy)
-@@ -286,8 +286,14 @@
- #endif
- #ifndef OPENSSL_NO_BIO
- void ERR_print_errors(BIO *bp);
-+
-+/* Add EFIAPI for UEFI version. */
-+#if defined(OPENSSL_SYS_UEFI)
-+void EFIAPI ERR_add_error_data(int num, ...);
-+#else
- void ERR_add_error_data(int num, ...);
- #endif
-+#endif
- void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
- void ERR_unload_strings(int lib,ERR_STRING_DATA str[]);
- void ERR_load_ERR_strings(void);
-Index: crypto/opensslconf.h
-===================================================================
---- crypto/opensslconf.h	(revision 1)
-+++ crypto/opensslconf.h	(working copy)
-@@ -162,6 +162,9 @@
- /* The prime number generation stuff may not work when
-  * EIGHT_BIT but I don't care since I've only used this mode
-  * for debuging the bignum libraries */
-+
-+/* Bypass following definition for UEFI version. */
-+#if !defined(OPENSSL_SYS_UEFI)
- #undef SIXTY_FOUR_BIT_LONG
- #undef SIXTY_FOUR_BIT
- #define THIRTY_TWO_BIT
-@@ -169,6 +172,8 @@
- #undef EIGHT_BIT
- #endif
- 
-+#endif
-+
- #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
- #define CONFIG_HEADER_RC4_LOCL_H
- /* if this is defined data[i] is used instead of *data, this is a %20
-Index: crypto/pkcs7/pk7_smime.c
-===================================================================
---- crypto/pkcs7/pk7_smime.c	(revision 1)
-+++ crypto/pkcs7/pk7_smime.c	(working copy)
-@@ -88,7 +88,10 @@
- 	if (!PKCS7_content_new(p7, NID_pkcs7_data))
- 		goto err;
- 
--	if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
-+  /* 
-+    NOTE: Update to SHA-256 digest algorithm for UEFI version.
-+  */
-+	if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha256()))) {
- 		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
- 		goto err;
- 	}
-@@ -173,7 +176,8 @@
- 	STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
- 	PKCS7_SIGNER_INFO *si;
- 	X509_STORE_CTX cert_ctx;
--	char buf[4096];
-+	char *buf = NULL;
-+	int bufsiz;
- 	int i, j=0, k, ret = 0;
- 	BIO *p7bio;
- 	BIO *tmpin, *tmpout;
-@@ -284,10 +288,16 @@
- 		BIO_set_mem_eof_return(tmpout, 0);
- 	} else tmpout = out;
- 
-+	bufsiz = 4096;
-+	buf = OPENSSL_malloc (bufsiz);
-+		if (buf == NULL) {
-+			goto err;
-+	}
-+
- 	/* We now have to 'read' from p7bio to calculate digests etc. */
- 	for (;;)
- 	{
--		i=BIO_read(p7bio,buf,sizeof(buf));
-+		i=BIO_read(p7bio,buf,bufsiz);
- 		if (i <= 0) break;
- 		if (tmpout) BIO_write(tmpout, buf, i);
- 	}
-@@ -326,6 +336,10 @@
- 
- 	sk_X509_free(signers);
- 
-+	if (buf != NULL) {
-+		OPENSSL_free (buf);
-+	}
-+
- 	return ret;
- }
- 
-Index: crypto/rand/rand_egd.c
-===================================================================
---- crypto/rand/rand_egd.c	(revision 1)
-+++ crypto/rand/rand_egd.c	(working copy)
-@@ -95,7 +95,7 @@
-  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
-  */
- 
--#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS)
-+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI)
- int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
- 	{
- 	return(-1);
-Index: crypto/rand/rand_unix.c
-===================================================================
---- crypto/rand/rand_unix.c	(revision 1)
-+++ crypto/rand/rand_unix.c	(working copy)
-@@ -116,7 +116,7 @@
- #include <openssl/rand.h>
- #include "rand_lcl.h"
- 
--#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE))
-+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))
- 
- #include <sys/types.h>
- #include <sys/time.h>
-@@ -322,7 +322,7 @@
- #endif /* !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) */
- 
- 
--#if defined(OPENSSL_SYS_VXWORKS)
-+#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
- int RAND_poll(void)
- 	{
- 	return 0;
-Index: crypto/x509/x509_vfy.c
-===================================================================
---- crypto/x509/x509_vfy.c	(revision 1)
-+++ crypto/x509/x509_vfy.c	(working copy)
-@@ -899,6 +899,10 @@
- 
- static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
- 	{
-+#if defined(OPENSSL_SYS_UEFI)
-+  /* Bypass Certificate Time Checking for UEFI version. */
-+  return 1;
-+#else
- 	time_t *ptime;
- 	int i;
- 
-@@ -942,6 +946,7 @@
- 		}
- 
- 	return 1;
-+#endif	
- 	}
- 
- static int internal_verify(X509_STORE_CTX *ctx)

CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch

@@ -0,0 +1,279 @@
+Index: crypto/bio/bss_file.c
+===================================================================
+--- crypto/bio/bss_file.c	(revision 1)
++++ crypto/bio/bss_file.c	(working copy)
+@@ -418,6 +418,23 @@
+     return (ret);
+ }
+ 
++#else
++
++BIO_METHOD *BIO_s_file(void)
++{
++    return NULL;
++}
++
++BIO *BIO_new_file(const char *filename, const char *mode)
++{
++    return NULL;
++}
++
++BIO *BIO_new_fp(FILE *stream, int close_flag)
++{
++    return NULL;
++}
++
+ # endif                         /* OPENSSL_NO_STDIO */
+ 
+ #endif                          /* HEADER_BSS_FILE_C */
+Index: crypto/crypto.h
+===================================================================
+--- crypto/crypto.h	(revision 1)
++++ crypto/crypto.h	(working copy)
+@@ -239,15 +239,15 @@
+ # ifndef OPENSSL_NO_LOCKING
+ #  ifndef CRYPTO_w_lock
+ #   define CRYPTO_w_lock(type)     \
+-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
++        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0)
+ #   define CRYPTO_w_unlock(type)   \
+-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
++        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0)
+ #   define CRYPTO_r_lock(type)     \
+-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
++        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0)
+ #   define CRYPTO_r_unlock(type)   \
+-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
++        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0)
+ #   define CRYPTO_add(addr,amount,type)    \
+-        CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
++        CRYPTO_add_lock(addr,amount,type,NULL,0)
+ #  endif
+ # else
+ #  define CRYPTO_w_lock(a)
+@@ -374,19 +374,19 @@
+ # define MemCheck_off()  CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)
+ # define is_MemCheck_on() CRYPTO_is_mem_check_on()
+ 
+-# define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,__FILE__,__LINE__)
+-# define OPENSSL_strdup(str)     CRYPTO_strdup((str),__FILE__,__LINE__)
++# define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,NULL,0)
++# define OPENSSL_strdup(str)     CRYPTO_strdup((str),NULL,0)
+ # define OPENSSL_realloc(addr,num) \
+-        CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
++        CRYPTO_realloc((char *)addr,(int)num,NULL,0)
+ # define OPENSSL_realloc_clean(addr,old_num,num) \
+-        CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
++        CRYPTO_realloc_clean(addr,old_num,num,NULL,0)
+ # define OPENSSL_remalloc(addr,num) \
+-        CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
++        CRYPTO_remalloc((char **)addr,(int)num,NULL,0)
+ # define OPENSSL_freeFunc        CRYPTO_free
+ # define OPENSSL_free(addr)      CRYPTO_free(addr)
+ 
+ # define OPENSSL_malloc_locked(num) \
+-        CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
++        CRYPTO_malloc_locked((int)num,NULL,0)
+ # define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
+ 
+ const char *SSLeay_version(int type);
+@@ -531,7 +531,7 @@
+ long CRYPTO_get_mem_debug_options(void);
+ 
+ # define CRYPTO_push_info(info) \
+-        CRYPTO_push_info_(info, __FILE__, __LINE__);
++        CRYPTO_push_info_(info, NULL, 0);
+ int CRYPTO_push_info_(const char *info, const char *file, int line);
+ int CRYPTO_pop_info(void);
+ int CRYPTO_remove_all_info(void);
+@@ -578,7 +578,7 @@
+ 
+ /* die if we have to */
+ void OpenSSLDie(const char *file, int line, const char *assertion);
+-# define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
++# define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1))
+ 
+ unsigned long *OPENSSL_ia32cap_loc(void);
+ # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+@@ -585,10 +585,10 @@
+ int OPENSSL_isservice(void);
+ 
+ # ifdef OPENSSL_FIPS
+-#  define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
++#  define FIPS_ERROR_IGNORED(alg) OpenSSLDie(NULL, 0, \
+                 alg " previous FIPS forbidden algorithm error ignored");
+ 
+-#  define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
++#  define FIPS_BAD_ABORT(alg) OpenSSLDie(NULL, 0, \
+                 #alg " Algorithm forbidden in FIPS mode");
+ 
+ #  ifdef OPENSSL_FIPS_STRICT
+Index: crypto/err/err.c
+===================================================================
+--- crypto/err/err.c	(revision 1)
++++ crypto/err/err.c	(working copy)
+@@ -321,7 +321,12 @@
+     es->err_data_flags[i] = flags;
+ }
+ 
++/* Add EFIAPI for UEFI version. */
++#if defined(OPENSSL_SYS_UEFI)
++void EFIAPI ERR_add_error_data(int num, ...)
++#else
+ void ERR_add_error_data(int num, ...)
++#endif
+ {
+     va_list args;
+     int i, n, s;
+Index: crypto/err/err.h
+===================================================================
+--- crypto/err/err.h	(revision 1)
++++ crypto/err/err.h	(working copy)
+@@ -285,7 +285,13 @@
+ # endif
+ # ifndef OPENSSL_NO_BIO
+ void ERR_print_errors(BIO *bp);
++
++/* Add EFIAPI for UEFI version. */
++#if defined(OPENSSL_SYS_UEFI)
++void EFIAPI ERR_add_error_data(int num, ...);
++#else
+ void ERR_add_error_data(int num, ...);
++#endif
+ # endif
+ void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
+ void ERR_unload_strings(int lib, ERR_STRING_DATA str[]);
+Index: crypto/opensslconf.h
+===================================================================
+--- crypto/opensslconf.h	(revision 1)
++++ crypto/opensslconf.h	(working copy)
+@@ -162,6 +162,9 @@
+ /* The prime number generation stuff may not work when
+  * EIGHT_BIT but I don't care since I've only used this mode
+  * for debuging the bignum libraries */
++
++/* Bypass following definition for UEFI version. */
++#if !defined(OPENSSL_SYS_UEFI)
+ #undef SIXTY_FOUR_BIT_LONG
+ #undef SIXTY_FOUR_BIT
+ #define THIRTY_TWO_BIT
+@@ -169,6 +172,8 @@
+ #undef EIGHT_BIT
+ #endif
+ 
++#endif
++
+ #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+ #define CONFIG_HEADER_RC4_LOCL_H
+ /* if this is defined data[i] is used instead of *data, this is a %20
+Index: crypto/pkcs7/pk7_smime.c
+===================================================================
+--- crypto/pkcs7/pk7_smime.c	(revision 1)
++++ crypto/pkcs7/pk7_smime.c	(working copy)
+@@ -90,7 +90,14 @@
+     if (!PKCS7_content_new(p7, NID_pkcs7_data))
+         goto err;
+ 
++#if defined(OPENSSL_SYS_UEFI)
++    /*
++     * NOTE: Update to SHA-256 digest algorithm for UEFI version.
++     */
++    if (!(si = PKCS7_add_signature(p7, signcert, pkey, EVP_sha256()))) {
++#else
+     if (!(si = PKCS7_add_signature(p7, signcert, pkey, EVP_sha1()))) {
++#endif
+         PKCS7err(PKCS7_F_PKCS7_SIGN, PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
+         goto err;
+     }
+@@ -175,7 +182,8 @@
+     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+     PKCS7_SIGNER_INFO *si;
+     X509_STORE_CTX cert_ctx;
+-    char buf[4096];
++    char *buf = NULL;
++    int bufsiz;
+     int i, j = 0, k, ret = 0;
+     BIO *p7bio;
+     BIO *tmpin, *tmpout;
+@@ -286,6 +294,12 @@
+     } else
+         tmpout = out;
+ 
++    bufsiz = 4096;
++    buf = OPENSSL_malloc (bufsiz);
++    if (buf == NULL) {
++      goto err;
++    }
++
+     /* We now have to 'read' from p7bio to calculate digests etc. */
+     for (;;) {
+         i = BIO_read(p7bio, buf, sizeof(buf));
+@@ -328,6 +342,10 @@
+ 
+     sk_X509_free(signers);
+ 
++    if (buf != NULL) {
++      OPENSSL_free (buf);
++    }
++
+     return ret;
+ }
+ 
+Index: crypto/rand/rand_egd.c
+===================================================================
+--- crypto/rand/rand_egd.c	(revision 1)
++++ crypto/rand/rand_egd.c	(working copy)
+@@ -95,7 +95,7 @@
+  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
+  */
+ 
+-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS)
++#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI)
+ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
+ {
+     return (-1);
+Index: crypto/rand/rand_unix.c
+===================================================================
+--- crypto/rand/rand_unix.c	(revision 1)
++++ crypto/rand/rand_unix.c	(working copy)
+@@ -116,7 +116,7 @@
+ #include <openssl/rand.h>
+ #include "rand_lcl.h"
+ 
+-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE))
++#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))
+ 
+ # include <sys/types.h>
+ # include <sys/time.h>
+@@ -332,7 +332,7 @@
+                                  * defined(OPENSSL_SYS_VXWORKS) ||
+                                  * defined(OPENSSL_SYS_NETWARE)) */
+ 
+-#if defined(OPENSSL_SYS_VXWORKS)
++#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
+ int RAND_poll(void)
+ {
+     return 0;
+Index: crypto/x509/x509_vfy.c
+===================================================================
+--- crypto/x509/x509_vfy.c	(revision 1)
++++ crypto/x509/x509_vfy.c	(working copy)
+@@ -871,6 +871,10 @@
+ 
+ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
+ {
++#if defined(OPENSSL_SYS_UEFI)
++  /* Bypass Certificate Time Checking for UEFI version. */
++  return 1;
++#else
+     time_t *ptime;
+     int i;
+ 
+@@ -910,6 +914,7 @@
+     }
+ 
+     return 1;
++#endif
+ }
+ 
+ static int internal_verify(X509_STORE_CTX *ctx)

CryptoPkg/Library/OpensslLib/Install.cmd

@@ -1,4 +1,4 @@
-cd openssl-0.9.8ze
+cd openssl-0.9.8zf
 copy e_os2.h              ..\..\..\Include\openssl
 copy crypto\crypto.h  ..\..\..\Include\openssl
 copy crypto\tmdiff.h  ..\..\..\Include\openssl

CryptoPkg/Library/OpensslLib/Install.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-cd openssl-0.9.8ze
+cd openssl-0.9.8zf
 cp e_os2.h ../../../Include/openssl
 cp crypto/crypto.h ../../../Include/openssl
 cp crypto/tmdiff.h ../../../Include/openssl

CryptoPkg/Library/OpensslLib/OpensslLib.inf

@@ -20,7 +20,7 @@
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
-  DEFINE OPENSSL_PATH            = openssl-0.9.8ze
+  DEFINE OPENSSL_PATH            = openssl-0.9.8zf
   DEFINE OPENSSL_FLAGS           = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM
   DEFINE OPENSSL_EXFLAGS         = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_MD2 -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ENGINE
 

CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt

@@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment.
 ================================================================================
                                 OpenSSL-Version
 ================================================================================
-  Current supported OpenSSL version for UEFI Crypto Library is 0.9.8ze.
-    http://www.openssl.org/source/openssl-0.9.8ze.tar.gz
+  Current supported OpenSSL version for UEFI Crypto Library is 0.9.8zf.
+    http://www.openssl.org/source/openssl-0.9.8zf.tar.gz
 
 
 ================================================================================
                       HOW to Install Openssl for UEFI Building
 ================================================================================
-1.  Download OpenSSL 0.9.8ze from official website:
-   	http://www.openssl.org/source/openssl-0.9.8ze.tar.gz
+1.  Download OpenSSL 0.9.8zf from official website:
+   	http://www.openssl.org/source/openssl-0.9.8zf.tar.gz
 
-    NOTE: Some web browsers may rename the downloaded TAR file to openssl-0.9.8ze.tar.tar.
-          When you do the download, rename the "openssl-0.9.8ze.tar.tar" to
-          "openssl-0.9.8ze.tar.gz" or rename the local downloaded file with ".tar.tar"
+    NOTE: Some web browsers may rename the downloaded TAR file to openssl-0.9.8zf.tar.tar.
+          When you do the download, rename the "openssl-0.9.8zf.tar.tar" to
+          "openssl-0.9.8zf.tar.gz" or rename the local downloaded file with ".tar.tar"
           extension to ".tar.gz".
 
-2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-0.9.8ze
+2.  Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-0.9.8zf
 
     NOTE: If you use WinZip to unpack the openssl source in Windows, please 
           uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> 
           Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion").
   
-3.  Apply this patch: EDKII_openssl-0.9.8ze.patch, and make installation
+3.  Apply this patch: EDKII_openssl-0.9.8zf.patch, and make installation
 
     For Windows Environment:
     ------------------------
     1) Make sure the patch utility has been installed in your machine.
        Install Cygwin or get the patch utility binary from 
           http://gnuwin32.sourceforge.net/packages/patch.htm
-    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-0.9.8ze
-    3) patch -p0 -i ..\EDKII_openssl-0.9.8ze.patch
+    2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-0.9.8zf
+    3) patch -p0 -i ..\EDKII_openssl-0.9.8zf.patch
     4) cd ..
     5) Install.cmd
 
@@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment.
     -----------------------
     1) Make sure the patch utility has been installed in your machine.
        Patch utility is available from http://directory.fsf.org/project/patch/
-    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-0.9.8ze
-    3) patch -p0 -i ../EDKII_openssl-0.9.8ze.patch
+    2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-0.9.8zf
+    3) patch -p0 -i ../EDKII_openssl-0.9.8zf.patch
     4) cd ..
     5) ./Install.sh