--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-default/patches/102-wanboot.patch Wed Oct 26 13:19:33 2016 -0700
@@ -0,0 +1,950 @@
+#
+# This patch file makes the changes neccessary to build wanboot-openssl.o
+# binary. This is Solaris-specific: not suitable for upstream.
+#
+--- openssl-1.0.0g/Makefile.org 2010-01-27 08:06:58.000000000 -0800
++++ openssl-1.0.0g-1/Makefile.org 2012-03-26 03:04:08.440194448 -0700
+@@ -139,7 +139,13 @@
+
+ BASEADDR=
+
++# For wanboot, we only need crypto and ssl.
++# 'apps' are not patched to work in stand-alone environment anyway.
++ifeq ($(PLATFORM), solaris64-sparcv9-cc-sunw-wanboot)
++DIRS= crypto ssl
++else
+ DIRS= crypto ssl engines apps test tools
++endif
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+
+--- openssl-1.0.0g/Makefile 2012-01-18 05:42:28.000000000 -0800
++++ openssl-1.0.0g-1/Makefile 2012-03-26 03:03:59.170540344 -0700
+@@ -138,7 +138,13 @@
+
+ BASEADDR=0xFB00000
+
++# For wanboot, we only need crypto and ssl.
++# 'apps' are not patched to work in stand-alone environment anyway.
++ifeq ($(PLATFORM), solaris64-sparcv9-cc-sunw-wanboot)
++DIRS= crypto ssl
++else
+ DIRS= crypto ssl engines apps test tools
++endif
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+
+--- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700
++++ openssl-1.0.0e/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800
+@@ -421,11 +421,13 @@
+ static void solaris_locking_callback(int mode, int type, const char *file,
+ int line)
+ {
++#ifndef _BOOT
+ if (mode & CRYPTO_LOCK) {
+ (void) pthread_mutex_lock(&solaris_openssl_locks[type]);
+ } else {
+ (void) pthread_mutex_unlock(&solaris_openssl_locks[type]);
+ }
++#endif
+ }
+
+ /*
+@@ -434,6 +436,7 @@
+ static struct CRYPTO_dynlock_value *
+ solaris_dynlock_create(const char *file, int line)
+ {
++#ifndef _BOOT
+ int ret;
+ pthread_mutex_t *dynlock;
+
+@@ -446,6 +449,9 @@
+ OPENSSL_assert(ret == 0);
+
+ return ((struct CRYPTO_dynlock_value *)dynlock);
++#else
++ return (NULL);
++#endif
+ }
+
+ static void
+@@ -452,6 +458,7 @@
+ solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
+ const char *file, int line)
+ {
++#ifndef _BOOT
+ int ret;
+
+ if (mode & CRYPTO_LOCK) {
+@@ -461,6 +468,7 @@
+ }
+
+ OPENSSL_assert(ret == 0);
++#endif
+ }
+
+ static void
+@@ -467,23 +475,28 @@
+ solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock,
+ const char *file, int line)
+ {
++#ifndef _BOOT
+ int ret;
+ ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock);
+ OPENSSL_assert(ret == 0);
++#endif
+ }
+
+
+ static void solaris_fork_prep(void)
+ {
++#ifndef _BOOT
+ int i;
+
+ for (i = 0; i < CRYPTO_NUM_LOCKS; i++) {
+ (void) pthread_mutex_lock(&solaris_openssl_locks[i]);
+ }
++#endif
+ }
+
+ static void solaris_fork_post(void)
+ {
++#ifndef _BOOT
+ int i;
+
+ for (i = CRYPTO_NUM_LOCKS - 1; i >= 0; i--) {
+@@ -494,6 +507,7 @@
+ OPENSSL_assert(dynlock_lock_callback == solaris_dynlock_lock);
+ OPENSSL_assert(dynlock_destroy_callback == solaris_dynlock_destroy);
+ OPENSSL_assert(locking_callback == solaris_locking_callback);
++#endif
+ }
+
+ /*
+@@ -517,6 +531,12 @@
+ locking_callback = solaris_locking_callback;
+ }
+
++ /*
++ * pthread_* can't be used in wanboot.
++ * wanboot needs not be thread-safe and mutexes and locking callback
++ * function will not be setup for wanboot.
++ */
++#ifndef _BOOT
+ /* allocate and initialize locks needed by OpenSSL */
+ solaris_openssl_locks =
+ OPENSSL_malloc(sizeof (pthread_mutex_t) * CRYPTO_NUM_LOCKS);
+@@ -530,6 +550,7 @@
+ }
+
+ (void) pthread_atfork(solaris_fork_prep, solaris_fork_post, solaris_fork_post);
++#endif
+ }
+
+
+@@ -1104,6 +1120,12 @@
+ MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR);
+ }
+ #else
++/*
++ * Solaris libsa.a used for WAN boot doesn't provide for vfprintf(). Since
++ * OPENSSL_showfatal() is not used anywhere else then here we can safely use
++ * the code from 0.9.7d version.
++ */
++#ifndef _BOOT
+ void OPENSSL_showfatal(const char *fmta, ...)
+ {
+ va_list ap;
+@@ -1112,6 +1134,7 @@
+ vfprintf(stderr, fmta, ap);
+ va_end(ap);
+ }
++#endif /* _BOOT */
+
+ int OPENSSL_isservice(void)
+ {
+@@ -1121,9 +1144,15 @@
+
+ void OpenSSLDie(const char *file, int line, const char *assertion)
+ {
++#ifndef _BOOT
+ OPENSSL_showfatal
+ ("%s(%d): OpenSSL internal error, assertion failed: %s\n", file, line,
+ assertion);
++#else
++ fprintf(stderr,
++ "%s(%d): OpenSSL internal error, assertion failed: %s\n",
++ file,line,assertion);
++#endif
+ #if !defined(_WIN32) || defined(__CYGWIN__)
+ abort();
+ #else
+--- openssl-1.0.0e/crypto/err/err_all.c 2009-08-09 07:58:05.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/err/err_all.c 2011-12-13 05:22:01.205351400 -0800
+@@ -148,7 +148,9 @@
+ ERR_load_X509V3_strings();
+ ERR_load_PKCS12_strings();
+ ERR_load_RAND_strings();
++#ifndef _BOOT
+ ERR_load_DSO_strings();
++#endif /* _BOOT */
+ ERR_load_TS_strings();
+ # ifndef OPENSSL_NO_ENGINE
+ ERR_load_ENGINE_strings();
+--- openssl-1.0.0e/crypto/evp/evp_key.c 2010-03-27 12:27:50.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/evp/evp_key.c 2011-12-13 05:19:32.956908600 -0800
+@@ -83,7 +83,7 @@
+ else
+ return (prompt_string);
+ }
+-
++#ifndef _BOOT
+ /*
+ * For historical reasons, the standard function for reading passwords is in
+ * the DES library -- if someone ever wants to disable DES, this function
+@@ -115,6 +115,7 @@
+ OPENSSL_cleanse(buff, BUFSIZ);
+ return ret;
+ }
++#endif /* !_BOOT */
+
+ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
+ const unsigned char *salt, const unsigned char *data,
+--- openssl-1.0.0e/crypto/rand/rand_unix.c 2009-04-06 07:31:36.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c 2011-12-19 07:28:39.988944800 -0800
+@@ -122,7 +122,11 @@
+ # include <sys/time.h>
+ # include <sys/times.h>
+ # include <sys/stat.h>
++#ifdef _BOOT
++# include <sys/fcntl.h>
++#else
+ # include <fcntl.h>
++#endif
+ # include <unistd.h>
+ # include <time.h>
+ # if defined(OPENSSL_SYS_LINUX) /* should actually be available virtually
+@@ -259,6 +263,11 @@
+ const char **egdsocket = NULL;
+ # endif
+
++#ifdef _BOOT
++/* open() is provided by standalone libsa not visible from here */
++extern int open(const char *, int);
++#endif
++
+ # ifdef DEVRANDOM
+ memset(randomstats, 0, sizeof(randomstats));
+ /*
+@@ -307,11 +316,15 @@
+ do {
+ int try_read = 0;
+
+-# if defined(OPENSSL_SYS_BEOS_R5)
++# if defined(OPENSSL_SYS_BEOS_R5) || defined(_BOOT)
+ /*
+ * select() is broken in BeOS R5, so we simply try to read
+ * something and snooze if we couldn't
+ */
++ /*
++ * select() is not available when linking stand-alone
++ * library for wanboot
++ */
+ try_read = 1;
+
+ # elif defined(OPENSSL_SYS_LINUX)
+@@ -365,6 +378,7 @@
+ } else
+ r = -1;
+
++#ifndef _BOOT
+ /*
+ * Some Unixen will update t in select(), some won't. For
+ * those who won't, or if we didn't use select() in the first
+@@ -377,13 +391,17 @@
+ while ((r > 0 ||
+ (errno == EINTR || errno == EAGAIN)) && usec != 0
+ && n < ENTROPY_NEEDED);
++#else /* _BOOT */
++ }
++ while (r > 0 && n < ENTROPY_NEEDED);
++#endif /* _BOOT */
+
+ close(fd);
+ }
+ }
+ # endif /* defined(DEVRANDOM) */
+
+-# ifdef DEVRANDOM_EGD
++# if defined(DEVRANDOM_EGD) && !defined(_BOOT)
+ /*
+ * Use an EGD socket to read entropy from an EGD or PRNGD entropy
+ * collecting daemon.
+@@ -407,6 +424,7 @@
+ }
+ # endif
+
++#ifndef _BOOT
+ /* put in some default random data, we need more than just this */
+ l = curr_pid;
+ RAND_add(&l, sizeof(l), 0.0);
+@@ -415,6 +433,7 @@
+
+ l = time(NULL);
+ RAND_add(&l, sizeof(l), 0.0);
++#endif /* !_BOOT */
+
+ # if defined(OPENSSL_SYS_BEOS)
+ {
+--- openssl-1.0.0e/crypto/rand/randfile.c 2011-03-19 02:44:37.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/randfile.c 2011-12-13 05:26:51.884824200 -0800
+@@ -191,6 +193,7 @@
+ return (ret);
+ }
+
++#ifndef _BOOT
+ int RAND_write_file(const char *file)
+ {
+ unsigned char buf[BUFSIZE];
+@@ -335,3 +338,5 @@
+ #endif
+ return (buf);
+ }
++
++#endif /* _BOOT */
+--- openssl-1.0.0e/crypto/x509v3/v3_utl.c 2009-07-27 14:08:53.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c 2011-12-13 05:10:08.844191400 -0800
+@@ -1146,9 +1146,50 @@
+ }
+ }
+
++#if defined(_BOOT)
++/* This function was copied from bio/b_sock.c */
++static int get_ip(const char *str, unsigned char ip[4])
++{
++ unsigned int tmp[4];
++ int num = 0, c, ok = 0;
++
++ tmp[0]=tmp[1]=tmp[2]=tmp[3]=0;
++
++ for (;;) {
++ c = *(str++);
++ if ((c >= '0') && (c <= '9')) {
++ ok = 1;
++ tmp[num] = tmp[num]*10+c-'0';
++ if (tmp[num] > 255)
++ return(0);
++ } else if (c == '.') {
++ if (!ok)
++ return (-1);
++ if (num == 3)
++ return (0);
++ num++;
++ ok = 0;
++ } else if (c == '\0' && (num == 3) && ok)
++ break;
++ else
++ return(0);
++ }
++ ip[0]=tmp[0];
++ ip[1]=tmp[1];
++ ip[2]=tmp[2];
++ ip[3]=tmp[3];
++ return(1);
++}
++#endif /* _BOOT */
++
+ static int ipv4_from_asc(unsigned char *v4, const char *in)
+ {
+ int a0, a1, a2, a3;
++
++#if defined(_BOOT)
++ if (get_ip(in, v4) != 1)
++ return 0;
++#else /* _BOOT */
+ if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+ return 0;
+ if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
+@@ -1158,6 +1199,7 @@
+ v4[1] = a1;
+ v4[2] = a2;
+ v4[3] = a3;
++#endif /* _BOOT */
+ return 1;
+ }
+
+--- openssl-1.0.0e/e_os.h 2011-12-19 04:17:51.631087400 -0800
++++ openssl-1.0.0e_patched/e_os.h 2011-12-19 04:15:15.776668900 -0800
+@@ -213,10 +213,19 @@
+ # define get_last_socket_error() errno
+ # define clear_socket_error() errno=0
+ # define ioctlsocket(a,b,c) ioctl(a,b,c)
++#ifdef _BOOT
++#include <netinet/in.h>
++extern int socket_read(int, void *, size_t, int);
++extern int socket_close(int);
++# define closesocket(s) socket_close(s)
++# define readsocket(s,b,n) socket_read((s),(b),(n), 200)
++# define writesocket(s,b,n) send((s),(b),(n), 0)
++#else /* !_BOOT */
+ # define closesocket(s) close(s)
+ # define readsocket(s,b,n) read((s),(b),(n))
+ # define writesocket(s,b,n) write((s),(b),(n))
+ # endif
++#endif
+
+ # ifdef WIN16 /* never the case */
+ # define MS_CALLBACK _far _loadds
+--- openssl-1.0.0e/crypto/sparcv9cap.c 2010-09-05 12:48:01.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/sparcv9cap.c 2011-12-23 05:24:02.011607700 -0800
+@@ -12,7 +12,11 @@
+ #if defined(__GNUC__) && defined(__linux)
+ __attribute__ ((visibility("hidden")))
+ #endif
++#ifndef _BOOT
+ unsigned int OPENSSL_sparcv9cap_P[2] = { SPARCV9_TICK_PRIVILEGED, 0 };
++#else
++unsigned int OPENSSL_sparcv9cap_P[2] = { SPARCV9_VIS1, 0 };
++#endif
+
+ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0, int num)
+@@ -74,6 +78,7 @@
+ size_t _sparcv9_vis1_instrument_bus(unsigned int *, size_t);
+ size_t _sparcv9_vis1_instrument_bus2(unsigned int *, size_t, size_t);
+
++#ifndef _BOOT
+ unsigned long OPENSSL_rdtsc(void)
+ {
+ if (OPENSSL_sparcv9cap_P[0] & SPARCV9_TICK_PRIVILEGED)
+@@ -103,9 +108,20 @@
+ else
+ return 0;
+ }
++#endif
+
+-#if 0 && defined(__sun) && defined(__SVR4)
++#if defined(_BOOT)
+ /*
++ * Hardcoding sparc capabilities for wanboot.
++ * Older CPUs are EOLed anyway.
++ */
++void OPENSSL_cpuid_setup(void)
++{
++ OPENSSL_sparcv9cap_P[0] = SPARCV9_VIS1;
++}
++
++#elif 0 && defined(__sun) && defined(__SVR4)
++/*
+ * This code path is disabled, because of incompatibility of libdevinfo.so.1
+ * and libmalloc.so.1 (see below for details)
+ */
+--- openssl-1.0.0e/crypto/sparccpuid.S 2010-09-05 12:48:01.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/sparccpuid.S 2012-02-13 07:42:58.259478325 -0800
+@@ -400,6 +400,7 @@
+ .type OPENSSL_cleanse,#function
+ .size OPENSSL_cleanse,.-OPENSSL_cleanse
+
++#ifndef _BOOT
+ .global _sparcv9_vis1_instrument_bus
+ .weak _sparcv9_vis1_instrument_bus
+ .align 8
+@@ -501,3 +502,7 @@
+ nop
+ call OPENSSL_cpuid_setup
+ nop
++#else
++ nop
++ nop
++#endif
+--- openssl-1.0.1c/crypto/Makefile Thu Aug 2 12:56:38 2012
++++ openssl-1.0.1c/crypto/Makefile.new Thu Aug 2 12:59:43 2012
+@@ -36,9 +36,9 @@
+ LIB= $(TOP)/libcrypto.a
+ SHARED_LIB= libcrypto$(SHLIB_EXT)
+ LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
+- ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
++ ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c wanboot-stubs.c
+ LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \
+- uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
++ uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o wanboot-stubs.o $(CPUID_OBJ)
+
+ SRC= $(LIBSRC)
+
+--- openssl-1.0.1f/ssl/s3_clnt.c Thu Jan 30 02:53:33 2014
++++ openssl-1.0.1f/ssl/s3_clnt.c.new Thu Jan 30 02:57:51 2014
+@@ -698,6 +698,7 @@
+ if (!ssl_get_new_session(s, 0))
+ goto err;
+ }
++#ifndef _BOOT
+ if (s->method->version == DTLS_ANY_VERSION) {
+ /* Determine which DTLS version to use */
+ int options = s->options;
+@@ -730,6 +731,7 @@
+ }
+ s->client_version = s->version;
+ }
++#endif
+ /* else use the pre-loaded session */
+
+ p = s->s3->client_random;
+@@ -750,8 +750,12 @@
+ } else
+ i = 1;
+
++#ifndef _BOOT
+ if (i && ssl_fill_hello_random(s, 0, p,
+ sizeof(s->s3->client_random)) <= 0)
++#else
++ if (i && RAND_pseudo_bytes(p, sizeof(s->s3->client_random)) <= 0)
++#endif
+ goto err;
+
+ /* Do the message type and length last */
+@@ -938,6 +942,7 @@
+ }
+
+ d = p = (unsigned char *)s->init_msg;
++#ifndef _BOOT
+ if (s->method->version == DTLS_ANY_VERSION) {
+ /* Work out correct protocol version to use */
+ int hversion = (p[0] << 8) | p[1];
+@@ -960,6 +965,7 @@
+ }
+ s->session->ssl_version = s->version = s->method->version;
+ }
++#endif
+
+ if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
+--- openssl-1.0.1f/ssl/s3_lib.c Wed Oct 15 11:18:30 2014
++++ openssl-1.0.1f/ssl/s3_lib.c.new Wed Oct 15 11:20:07 2014
+@@ -3574,7 +3574,11 @@
+ * Apparently we're using a version-flexible SSL_METHOD (not at its
+ * highest protocol version).
+ */
++#ifndef _BOOT
+ if (s->ctx->method->version == SSLv23_method()->version) {
++#else
++ if (s->ctx->method->version == TLS1_2_VERSION) {
++#endif
+ #if TLS_MAX_VERSION != TLS1_2_VERSION
+ # error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
+ #endif
+--- openssl-1.0.2d/ssl/ssl_algs.c.orig Fri Aug 7 08:54:56 2015
++++ openssl-1.0.2d/ssl/ssl_algs.c Fri Aug 7 08:14:38 2015
+@@ -96,8 +96,10 @@
+ EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
+ # endif
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
++#ifndef _BOOT
+ EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
+ EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256());
++#endif
+ # endif
+
+ #endif
+--- openssl-1.0.2d/ssl/ssl_cert.c.orig Fri Aug 7 08:57:29 2015
++++ openssl-1.0.2d/ssl/ssl_cert.c Fri Aug 7 08:14:37 2015
+@@ -384,11 +384,13 @@
+ ret->ciphers_raw = NULL;
+
+ #ifndef OPENSSL_NO_TLSEXT
++#ifndef _BOOT
+ if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext))
+ goto err;
+ if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
+ goto err;
+ #endif
++#endif
+
+ return (ret);
+
+@@ -409,9 +411,11 @@
+ #endif
+
+ #ifndef OPENSSL_NO_TLSEXT
++#ifndef _BOOT
+ custom_exts_free(&ret->cli_ext);
+ custom_exts_free(&ret->srv_ext);
+ #endif
++#endif
+
+ ssl_cert_clear_certs(ret);
+
+@@ -502,11 +506,13 @@
+ if (c->ciphers_raw)
+ OPENSSL_free(c->ciphers_raw);
+ #ifndef OPENSSL_NO_TLSEXT
++#ifndef _BOOT
+ custom_exts_free(&c->cli_ext);
+ custom_exts_free(&c->srv_ext);
+ if (c->alpn_proposed)
+ OPENSSL_free(c->alpn_proposed);
+ #endif
++#endif
+ OPENSSL_free(c);
+ }
+
+--- openssl-1.0.2d/ssl/ssl_conf.c.orig Fri Aug 7 08:57:43 2015
++++ openssl-1.0.2d/ssl/ssl_conf.c Fri Aug 7 08:14:38 2015
+@@ -386,6 +386,7 @@
+ return rv > 0;
+ }
+
++#ifndef _BOOT
+ static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
+ {
+ int rv = 1;
+@@ -398,6 +399,8 @@
+ return rv > 0;
+ }
+
++#endif
++
+ #ifndef OPENSSL_NO_DH
+ static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
+ {
+@@ -456,7 +459,9 @@
+ SSL_CONF_CMD_STRING(Options, NULL),
+ SSL_CONF_CMD(Certificate, "cert", SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_TYPE_FILE),
++#ifndef _BOOT
+ SSL_CONF_CMD(ServerInfoFile, NULL, SSL_CONF_TYPE_FILE),
++#endif
+ #ifndef OPENSSL_NO_DH
+ SSL_CONF_CMD(DHParameters, "dhparam", SSL_CONF_TYPE_FILE)
+ #endif
+--- openssl-1.0.2d/ssl/ssl_rsa.c.orig Fri Aug 7 08:58:26 2015
++++ openssl-1.0.2d/ssl/ssl_rsa.c Fri Aug 7 08:14:38 2015
+@@ -788,6 +788,7 @@
+ return 0; /* Error */
+ }
+
++#ifndef _BOOT
+ static int serverinfo_srv_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al, void *arg)
+@@ -1005,4 +1006,5 @@
+ return ret;
+ }
+ # endif /* OPENSSL_NO_STDIO */
++#endif /*!_BOOT*/
+ #endif /* OPENSSL_NO_TLSEXT */
+--- openssl-1.0.2d/ssl/t1_lib.c.orig Fri Aug 7 08:59:39 2015
++++ openssl-1.0.2d/ssl/t1_lib.c Fri Aug 7 09:01:32 2015
+@@ -1559,10 +1559,12 @@
+ ret += el;
+ }
+ # endif
++#ifndef _BOOT
+ custom_ext_init(&s->cert->cli_ext);
+ /* Add custom TLS Extensions to ClientHello */
+ if (!custom_ext_add(s, 0, &ret, limit, al))
+ return NULL;
++#endif
+
+ /*
+ * Add padding to workaround bugs in F5 terminators. See
+@@ -1798,8 +1800,10 @@
+ }
+ }
+ # endif
++#ifndef _BOOT
+ if (!custom_ext_add(s, 1, &ret, limit, al))
+ return NULL;
++#endif
+
+ if (s->s3->alpn_selected) {
+ const unsigned char *selected = s->s3->alpn_selected;
+@@ -2428,6 +2432,7 @@
+ return 0;
+ }
+
++#ifndef _BOOT
+ /*
+ * Parse any custom extensions found. "data" is the start of the extension data
+ * and "limit" is the end of the record. TODO: add strict syntax checking.
+@@ -2464,6 +2469,7 @@
+
+ return 1;
+ }
++#endif /*!_BOOT*/
+
+ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ unsigned char *limit)
+@@ -2486,11 +2492,13 @@
+ return 0;
+ }
+
++#ifndef _BOOT
+ custom_ext_init(&s->cert->srv_ext);
+ if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ return 0;
+ }
++#endif
+
+ return 1;
+ }
+@@ -2762,6 +2770,7 @@
+ return 0;
+ }
+ # endif
++#ifndef _BOOT
+ /*
+ * If this extension type was not otherwise handled, but matches a
+ * custom_cli_ext_record, then send it to the c callback
+@@ -2768,6 +2777,7 @@
+ */
+ else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
+ return 0;
++#endif
+
+ data += size;
+ }
+--- openssl-1.0.2d/crypto/x509/x_all.c.orig Fri Aug 7 09:28:54 2015
++++ openssl-1.0.2d/crypto/x509/x_all.c Fri Aug 7 08:14:33 2015
+@@ -106,11 +106,13 @@
+ x->sig_alg, x->signature, x->cert_info, ctx);
+ }
+
++#ifndef _BOOT
+ int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
+ {
+ return OCSP_REQ_CTX_nbio_d2i(rctx,
+ (ASN1_VALUE **)pcert, ASN1_ITEM_rptr(X509));
+ }
++#endif
+
+ int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
+ {
+@@ -140,6 +142,7 @@
+ x->crl, ctx);
+ }
+
++#ifndef _BOOT
+ int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl)
+ {
+ return OCSP_REQ_CTX_nbio_d2i(rctx,
+@@ -146,6 +149,7 @@
+ (ASN1_VALUE **)pcrl,
+ ASN1_ITEM_rptr(X509_CRL));
+ }
++#endif
+
+ int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
+ {
+--- openssl-1.0.2d/crypto/dh/dh_ameth.c.orig Fri Aug 7 10:19:49 2015
++++ openssl-1.0.2d/crypto/dh/dh_ameth.c Fri Aug 7 08:14:35 2015
+@@ -557,6 +557,7 @@
+ return do_dh_print(bp, x, 4, NULL, 0);
+ }
+
++#ifndef _BOOT
+ #ifndef OPENSSL_NO_CMS
+ static int dh_cms_decrypt(CMS_RecipientInfo *ri);
+ static int dh_cms_encrypt(CMS_RecipientInfo *ri);
+@@ -583,6 +584,7 @@
+ }
+
+ }
++#endif
+
+ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
+ EVP_PKEY_DH,
+@@ -645,9 +647,14 @@
+ 0,
+
+ int_dh_free,
++#ifndef _BOOT
+ dh_pkey_ctrl
++#else
++ 0
++#endif
+ };
+
++#ifndef _BOOT
+ #ifndef OPENSSL_NO_CMS
+
+ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
+@@ -955,3 +962,5 @@
+ }
+
+ #endif
++
++#endif
+--- openssl-1.0.2d/crypto/dh/dh_pmeth.c.orig Fri Aug 7 10:16:52 2015
++++ openssl-1.0.2d/crypto/dh/dh_pmeth.c Fri Aug 7 08:14:34 2015
+@@ -194,11 +194,13 @@
+ dctx->use_dsa = p1;
+ return 1;
+
++#ifndef _BOOT
+ case EVP_PKEY_CTRL_DH_RFC5114:
+ if (p1 < 1 || p1 > 3)
+ return -2;
+ dctx->rfc5114_param = p1;
+ return 1;
++#endif
+
+ case EVP_PKEY_CTRL_PEER_KEY:
+ /* Default behaviour is OK */
+@@ -207,7 +209,11 @@
+ case EVP_PKEY_CTRL_DH_KDF_TYPE:
+ if (p1 == -2)
+ return dctx->kdf_type;
++#ifndef _BOOT
+ if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42)
++#else
++ if (p1 != EVP_PKEY_DH_KDF_NONE)
++#endif
+ return -2;
+ dctx->kdf_type = p1;
+ return 1;
+@@ -268,6 +274,7 @@
+ len = atoi(value);
+ return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len);
+ }
++#ifndef _BOOT
+ if (!strcmp(type, "dh_rfc5114")) {
+ DH_PKEY_CTX *dctx = ctx->data;
+ int len;
+@@ -277,6 +284,7 @@
+ dctx->rfc5114_param = len;
+ return 1;
+ }
++#endif
+ if (!strcmp(type, "dh_paramgen_generator")) {
+ int len;
+ len = atoi(value);
+@@ -355,6 +363,7 @@
+ DH_PKEY_CTX *dctx = ctx->data;
+ BN_GENCB *pcb, cb;
+ int ret;
++#ifndef _BOOT
+ if (dctx->rfc5114_param) {
+ switch (dctx->rfc5114_param) {
+ case 1:
+@@ -375,6 +384,7 @@
+ EVP_PKEY_assign(pkey, EVP_PKEY_DHX, dh);
+ return 1;
+ }
++#endif
+
+ if (ctx->pkey_gencb) {
+ pcb = &cb;
+@@ -448,6 +458,7 @@
+ return ret;
+ *keylen = ret;
+ return 1;
++#ifndef _BOOT
+ } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
+ unsigned char *Z = NULL;
+ size_t Zlen = 0;
+@@ -478,6 +489,7 @@
+ OPENSSL_free(Z);
+ }
+ return ret;
++#endif
+ }
+ return 1;
+ }
+--- openssl-1.0.2d/crypto/evp/e_des3.c.orig Fri Aug 7 10:22:12 2015
++++ openssl-1.0.2d/crypto/evp/e_des3.c Fri Aug 7 10:23:16 2015
+@@ -381,6 +381,8 @@
+ return &des_ede3_ecb;
+ }
+
++#ifndef _BOOT
++
+ # ifndef OPENSSL_NO_SHA
+
+ # include <openssl/sha.h>
+@@ -491,4 +493,6 @@
+ }
+
+ # endif
++#endif
++
+ #endif
+--- openssl-1.0.2d/crypto/evp/c_allc.c.orig Fri Aug 7 10:21:48 2015
++++ openssl-1.0.2d/crypto/evp/c_allc.c Fri Aug 7 08:14:31 2015
+@@ -93,8 +93,10 @@
+ EVP_add_cipher(EVP_des_ecb());
+ EVP_add_cipher(EVP_des_ede());
+ EVP_add_cipher(EVP_des_ede3());
++#ifndef _BOOT
+ EVP_add_cipher(EVP_des_ede3_wrap());
+ #endif
++#endif
+
+ #ifndef OPENSSL_NO_RC4
+ EVP_add_cipher(EVP_rc4());
+@@ -207,8 +209,10 @@
+ EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
+ # endif
+ # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
++#ifndef _BOOT
+ EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
+ EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256());
++#endif
+ # endif
+ #endif
+
+--- openssl-1.0.2d/crypto/cms/cms_env.c.orig Fri Aug 7 10:25:00 2015
++++ openssl-1.0.2d/crypto/cms/cms_env.c Fri Aug 7 10:25:37 2015
+@@ -106,6 +106,7 @@
+ int i;
+ if (ri->type == CMS_RECIPINFO_TRANS)
+ pkey = ri->d.ktri->pkey;
++#ifndef _BOOT
+ else if (ri->type == CMS_RECIPINFO_AGREE) {
+ EVP_PKEY_CTX *pctx = ri->d.kari->pctx;
+ if (!pctx)
+@@ -114,6 +115,9 @@
+ if (!pkey)
+ return 0;
+ } else
++#else
++ else
++#endif
+ return 0;
+ if (!pkey->ameth || !pkey->ameth->pkey_ctrl)
+ return 1;
+@@ -148,8 +152,10 @@
+ {
+ if (ri->type == CMS_RECIPINFO_TRANS)
+ return ri->d.ktri->pctx;
++#ifndef _BOOT
+ else if (ri->type == CMS_RECIPINFO_AGREE)
+ return ri->d.kari->pctx;
++#endif
+ return NULL;
+ }
+
+@@ -255,10 +261,12 @@
+ goto err;
+ break;
+
++#ifndef _BOOT
+ case CMS_RECIPINFO_AGREE:
+ if (!cms_RecipientInfo_kari_init(ri, recip, pk, flags))
+ goto err;
+ break;
++#endif
+
+ default:
+ CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT,
+@@ -827,8 +835,10 @@
+ case CMS_RECIPINFO_TRANS:
+ return cms_RecipientInfo_ktri_encrypt(cms, ri);
+
++#ifndef _BOOT
+ case CMS_RECIPINFO_AGREE:
+ return cms_RecipientInfo_kari_encrypt(cms, ri);
++#endif
+
+ case CMS_RECIPINFO_KEK:
+ return cms_RecipientInfo_kekri_encrypt(cms, ri);