Update to openssl to 1.0.2e

Also update Cryptlib to edk2 r19218
- Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use
  the gcc builtins and remove all EFIAPI from the functions
- Move the most of defines into the headers instead of Makefile
- Remove the global variable 'timeval'
- Remove the unused code: crypto/pqueue/* and crypto/ts/*
- Include bn.h in MokManager.c due to the changes in openssl

Signed-off-by: Gary Lin <glin@suse.com>

13 files changed, 283 insertions, 38 deletions

diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
index 004c3e8e..f73bbc9b 100644
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -26,6 +26,31 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #define CONST const

 

 //

+// OpenSSL relies on explicit configuration for word size in crypto/bn,

+// but we want it to be automatically inferred from the target. So we

+// bypass what's in <openssl/opensslconf.h> for OPENSSL_SYS_UEFI, and

+// define our own here.

+//

+#ifdef CONFIG_HEADER_BN_H

+#error CONFIG_HEADER_BN_H already defined

+#endif

+

+#define CONFIG_HEADER_BN_H

+

+#if defined(MDE_CPU_X64) || defined(MDE_CPU_AARCH64) || defined(MDE_CPU_IA64)

+//

+// With GCC we would normally use SIXTY_FOUR_BIT_LONG, but MSVC needs

+// SIXTY_FOUR_BIT, because 'long' is 32-bit and only 'long long' is

+// 64-bit. Since using 'long long' works fine on GCC too, just do that.

+//

+#define SIXTY_FOUR_BIT

+#elif defined(MDE_CPU_IA32) || defined(MDE_CPU_ARM) || defined(MDE_CPU_EBC)

+#define THIRTY_TWO_BIT

+#else

+#error Unknown target architecture

+#endif

+

+//

 // File operations are not required for building Open SSL, 

 // so FILE is mapped to VOID * to pass build

 //

@@ -211,7 +236,7 @@ struct tm {
 struct timeval {

   long tv_sec;      /* time value, in seconds */

   long tv_usec;     /* time value, in microseconds */

-} timeval;

+};

 

 struct dirent {

   UINT32  d_fileno;         /* file number of entry */

diff --git a/Cryptlib/Include/openssl/bio.h b/Cryptlib/Include/openssl/bio.h
index 69bd48c9..561ae2f0 100644
--- a/Cryptlib/Include/openssl/bio.h
+++ b/Cryptlib/Include/openssl/bio.h
@@ -787,19 +787,11 @@ void BIO_copy_next_retry(BIO *b);
 # else
 #  define __bio_h__attr__(x)
 # endif
-# if defined(OPENSSL_SYS_UEFI)
-int EFIAPI BIO_printf(BIO *bio, const char *format, ...)
-# else
 int BIO_printf(BIO *bio, const char *format, ...)
-# endif
 __bio_h__attr__((__format__(__printf__, 2, 3)));
 int BIO_vprintf(BIO *bio, const char *format, va_list args)
 __bio_h__attr__((__format__(__printf__, 2, 0)));
-# if defined(OPENSSL_SYS_UEFI)
-int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...)
-# else
 int BIO_snprintf(char *buf, size_t n, const char *format, ...)
-# endif
 __bio_h__attr__((__format__(__printf__, 3, 4)));
 int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
 __bio_h__attr__((__format__(__printf__, 3, 0)));
diff --git a/Cryptlib/Include/openssl/buffer.h b/Cryptlib/Include/openssl/buffer.h
index c343dd77..efd240a5 100644
--- a/Cryptlib/Include/openssl/buffer.h
+++ b/Cryptlib/Include/openssl/buffer.h
@@ -86,7 +86,13 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len);
 int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 size_t BUF_strnlen(const char *str, size_t maxlen);
 char *BUF_strdup(const char *str);
+
+/*
+ * Like strndup, but in addition, explicitly guarantees to never read past the
+ * first |siz| bytes of |str|.
+ */
 char *BUF_strndup(const char *str, size_t siz);
+
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
 
diff --git a/Cryptlib/Include/openssl/dh.h b/Cryptlib/Include/openssl/dh.h
index 0502f1a9..b1776732 100644
--- a/Cryptlib/Include/openssl/dh.h
+++ b/Cryptlib/Include/openssl/dh.h
@@ -142,7 +142,7 @@ struct dh_st {
     BIGNUM *p;
     BIGNUM *g;
     long length;                /* optional */
-    BIGNUM *pub_key;            /* g^x */
+    BIGNUM *pub_key;            /* g^x % p */
     BIGNUM *priv_key;           /* x */
     int flags;
     BN_MONT_CTX *method_mont_p;
diff --git a/Cryptlib/Include/openssl/e_os2.h b/Cryptlib/Include/openssl/e_os2.h
index 7be9989a..909e22f7 100644
--- a/Cryptlib/Include/openssl/e_os2.h
+++ b/Cryptlib/Include/openssl/e_os2.h
@@ -97,7 +97,14 @@ extern "C" {
  * For 32 bit environment, there seems to be the CygWin environment and then
  * all the others that try to do the same thing Microsoft does...
  */
-# if defined(OPENSSL_SYSNAME_UWIN)
+/*
+ * UEFI lives here because it might be built with a Microsoft toolchain and
+ * we need to avoid the false positive match on Windows.
+ */
+# if defined(OPENSSL_SYSNAME_UEFI)
+#  undef OPENSSL_SYS_UNIX
+#  define OPENSSL_SYS_UEFI
+# elif defined(OPENSSL_SYSNAME_UWIN)
 #  undef OPENSSL_SYS_UNIX
 #  define OPENSSL_SYS_WIN32_UWIN
 # else
diff --git a/Cryptlib/Include/openssl/ec.h b/Cryptlib/Include/openssl/ec.h
index 6d3178f6..81e6faf6 100644
--- a/Cryptlib/Include/openssl/ec.h
+++ b/Cryptlib/Include/openssl/ec.h
@@ -106,7 +106,7 @@ typedef enum {
         /** the point is encoded as z||x, where the octet z specifies
          *  which solution of the quadratic equation y is  */
     POINT_CONVERSION_COMPRESSED = 2,
-        /** the point is encoded as z||x||y, where z is the octet 0x02  */
+        /** the point is encoded as z||x||y, where z is the octet 0x04  */
     POINT_CONVERSION_UNCOMPRESSED = 4,
         /** the point is encoded as z||x||y, where the octet z specifies
          *  which solution of the quadratic equation y is  */
diff --git a/Cryptlib/Include/openssl/ecdsa.h b/Cryptlib/Include/openssl/ecdsa.h
index c4016ac3..a6f0930f 100644
--- a/Cryptlib/Include/openssl/ecdsa.h
+++ b/Cryptlib/Include/openssl/ecdsa.h
@@ -233,7 +233,7 @@ void *ECDSA_get_ex_data(EC_KEY *d, int idx);
  *  \return pointer to a ECDSA_METHOD structure or NULL if an error occurred
  */
 
-ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_method);
+ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *ecdsa_method);
 
 /** frees a ECDSA_METHOD structure
  *  \param  ecdsa_method  pointer to the ECDSA_METHOD structure
diff --git a/Cryptlib/Include/openssl/err.h b/Cryptlib/Include/openssl/err.h
index bbfdb959..585aa8ba 100644
--- a/Cryptlib/Include/openssl/err.h
+++ b/Cryptlib/Include/openssl/err.h
@@ -344,14 +344,7 @@ void ERR_print_errors_fp(FILE *fp);
 # ifndef OPENSSL_NO_BIO
 void ERR_print_errors(BIO *bp);
 # endif
-
-/* Add EFIAPI for UEFI version. */
-#if defined(OPENSSL_SYS_UEFI)
-void EFIAPI ERR_add_error_data(int num, ...);
-#else
 void ERR_add_error_data(int num, ...);
-#endif
-
 void ERR_add_error_vdata(int num, va_list args);
 void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
 void ERR_unload_strings(int lib, ERR_STRING_DATA str[]);
diff --git a/Cryptlib/Include/openssl/opensslconf.h b/Cryptlib/Include/openssl/opensslconf.h
index 90a4d2c8..fd565ddb 100644
--- a/Cryptlib/Include/openssl/opensslconf.h
+++ b/Cryptlib/Include/openssl/opensslconf.h
@@ -5,15 +5,72 @@
 extern "C" {
 #endif
 /* OpenSSL was configured with the following options: */
+#ifndef OPENSSL_SYSNAME_UEFI
+# define OPENSSL_SYSNAME_UEFI
+#endif
 #ifndef OPENSSL_DOING_MAKEDEPEND
 
 
+#ifndef OPENSSL_NO_BF
+# define OPENSSL_NO_BF
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
+# define OPENSSL_NO_CAMELLIA
+#endif
+#ifndef OPENSSL_NO_CAPIENG
+# define OPENSSL_NO_CAPIENG
+#endif
+#ifndef OPENSSL_NO_CAST
+# define OPENSSL_NO_CAST
+#endif
+#ifndef OPENSSL_NO_CMS
+# define OPENSSL_NO_CMS
+#endif
+#ifndef OPENSSL_NO_DEPRECATED
+# define OPENSSL_NO_DEPRECATED
+#endif
+#ifndef OPENSSL_NO_DGRAM
+# define OPENSSL_NO_DGRAM
+#endif
+#ifndef OPENSSL_NO_DSA
+# define OPENSSL_NO_DSA
+#endif
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+# define OPENSSL_NO_DYNAMIC_ENGINE
+#endif
+#ifndef OPENSSL_NO_EC
+# define OPENSSL_NO_EC
+#endif
 #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 # define OPENSSL_NO_EC_NISTP_64_GCC_128
 #endif
+#ifndef OPENSSL_NO_ECDH
+# define OPENSSL_NO_ECDH
+#endif
+#ifndef OPENSSL_NO_ECDSA
+# define OPENSSL_NO_ECDSA
+#endif
+#ifndef OPENSSL_NO_ENGINE
+# define OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINES
+# define OPENSSL_NO_ENGINES
+#endif
+#ifndef OPENSSL_NO_FILENAMES
+# define OPENSSL_NO_FILENAMES
+#endif
+#ifndef OPENSSL_NO_FP_API
+# define OPENSSL_NO_FP_API
+#endif
 #ifndef OPENSSL_NO_GMP
 # define OPENSSL_NO_GMP
 #endif
+#ifndef OPENSSL_NO_GOST
+# define OPENSSL_NO_GOST
+#endif
+#ifndef OPENSSL_NO_IDEA
+# define OPENSSL_NO_IDEA
+#endif
 #ifndef OPENSSL_NO_JPAKE
 # define OPENSSL_NO_JPAKE
 #endif
@@ -23,30 +80,90 @@ extern "C" {
 #ifndef OPENSSL_NO_LIBUNBOUND
 # define OPENSSL_NO_LIBUNBOUND
 #endif
+#ifndef OPENSSL_NO_LOCKING
+# define OPENSSL_NO_LOCKING
+#endif
 #ifndef OPENSSL_NO_MD2
 # define OPENSSL_NO_MD2
 #endif
+#ifndef OPENSSL_NO_MDC2
+# define OPENSSL_NO_MDC2
+#endif
+#ifndef OPENSSL_NO_POSIX_IO
+# define OPENSSL_NO_POSIX_IO
+#endif
+#ifndef OPENSSL_NO_RC2
+# define OPENSSL_NO_RC2
+#endif
 #ifndef OPENSSL_NO_RC5
 # define OPENSSL_NO_RC5
 #endif
+#ifndef OPENSSL_NO_RCS
+# define OPENSSL_NO_RCS
+#endif
 #ifndef OPENSSL_NO_RFC3779
 # define OPENSSL_NO_RFC3779
 #endif
+#ifndef OPENSSL_NO_RIPEMD
+# define OPENSSL_NO_RIPEMD
+#endif
+#ifndef OPENSSL_NO_SCRYPT
+# define OPENSSL_NO_SCRYPT
+#endif
+#ifndef OPENSSL_NO_SCT
+# define OPENSSL_NO_SCT
+#endif
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SEED
+# define OPENSSL_NO_SEED
+#endif
+#ifndef OPENSSL_NO_SHA0
+# define OPENSSL_NO_SHA0
+#endif
+#ifndef OPENSSL_NO_SOCK
+# define OPENSSL_NO_SOCK
+#endif
+#ifndef OPENSSL_NO_SRP
+# define OPENSSL_NO_SRP
+#endif
 #ifndef OPENSSL_NO_SSL_TRACE
 # define OPENSSL_NO_SSL_TRACE
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
+#ifndef OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3
+#endif
+#ifndef OPENSSL_NO_STDIO
+# define OPENSSL_NO_STDIO
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
+#ifndef OPENSSL_NO_UI
+# define OPENSSL_NO_UI
+#endif
 #ifndef OPENSSL_NO_UNIT_TEST
 # define OPENSSL_NO_UNIT_TEST
 #endif
+#ifndef OPENSSL_NO_WHIRLPOOL
+# define OPENSSL_NO_WHIRLPOOL
+#endif
 
 #endif /* OPENSSL_DOING_MAKEDEPEND */
 
+#ifndef OPENSSL_NO_ASM
+# define OPENSSL_NO_ASM
+#endif
+#ifndef OPENSSL_NO_ERR
+# define OPENSSL_NO_ERR
+#endif
+#ifndef OPENSSL_NO_HW
+# define OPENSSL_NO_HW
+#endif
 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
 # define OPENSSL_NO_DYNAMIC_ENGINE
 #endif
@@ -56,12 +173,66 @@ extern "C" {
    who haven't had the time to do the appropriate changes in their
    applications.  */
 #ifdef OPENSSL_ALGORITHM_DEFINES
+# if defined(OPENSSL_NO_BF) && !defined(NO_BF)
+#  define NO_BF
+# endif
+# if defined(OPENSSL_NO_CAMELLIA) && !defined(NO_CAMELLIA)
+#  define NO_CAMELLIA
+# endif
+# if defined(OPENSSL_NO_CAPIENG) && !defined(NO_CAPIENG)
+#  define NO_CAPIENG
+# endif
+# if defined(OPENSSL_NO_CAST) && !defined(NO_CAST)
+#  define NO_CAST
+# endif
+# if defined(OPENSSL_NO_CMS) && !defined(NO_CMS)
+#  define NO_CMS
+# endif
+# if defined(OPENSSL_NO_DEPRECATED) && !defined(NO_DEPRECATED)
+#  define NO_DEPRECATED
+# endif
+# if defined(OPENSSL_NO_DGRAM) && !defined(NO_DGRAM)
+#  define NO_DGRAM
+# endif
+# if defined(OPENSSL_NO_DSA) && !defined(NO_DSA)
+#  define NO_DSA
+# endif
+# if defined(OPENSSL_NO_DYNAMIC_ENGINE) && !defined(NO_DYNAMIC_ENGINE)
+#  define NO_DYNAMIC_ENGINE
+# endif
+# if defined(OPENSSL_NO_EC) && !defined(NO_EC)
+#  define NO_EC
+# endif
 # if defined(OPENSSL_NO_EC_NISTP_64_GCC_128) && !defined(NO_EC_NISTP_64_GCC_128)
 #  define NO_EC_NISTP_64_GCC_128
 # endif
+# if defined(OPENSSL_NO_ECDH) && !defined(NO_ECDH)
+#  define NO_ECDH
+# endif
+# if defined(OPENSSL_NO_ECDSA) && !defined(NO_ECDSA)
+#  define NO_ECDSA
+# endif
+# if defined(OPENSSL_NO_ENGINE) && !defined(NO_ENGINE)
+#  define NO_ENGINE
+# endif
+# if defined(OPENSSL_NO_ENGINES) && !defined(NO_ENGINES)
+#  define NO_ENGINES
+# endif
+# if defined(OPENSSL_NO_FILENAMES) && !defined(NO_FILENAMES)
+#  define NO_FILENAMES
+# endif
+# if defined(OPENSSL_NO_FP_API) && !defined(NO_FP_API)
+#  define NO_FP_API
+# endif
 # if defined(OPENSSL_NO_GMP) && !defined(NO_GMP)
 #  define NO_GMP
 # endif
+# if defined(OPENSSL_NO_GOST) && !defined(NO_GOST)
+#  define NO_GOST
+# endif
+# if defined(OPENSSL_NO_IDEA) && !defined(NO_IDEA)
+#  define NO_IDEA
+# endif
 # if defined(OPENSSL_NO_JPAKE) && !defined(NO_JPAKE)
 #  define NO_JPAKE
 # endif
@@ -71,27 +242,78 @@ extern "C" {
 # if defined(OPENSSL_NO_LIBUNBOUND) && !defined(NO_LIBUNBOUND)
 #  define NO_LIBUNBOUND
 # endif
+# if defined(OPENSSL_NO_LOCKING) && !defined(NO_LOCKING)
+#  define NO_LOCKING
+# endif
 # if defined(OPENSSL_NO_MD2) && !defined(NO_MD2)
 #  define NO_MD2
 # endif
+# if defined(OPENSSL_NO_MDC2) && !defined(NO_MDC2)
+#  define NO_MDC2
+# endif
+# if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)
+#  define NO_POSIX_IO
+# endif
+# if defined(OPENSSL_NO_RC2) && !defined(NO_RC2)
+#  define NO_RC2
+# endif
 # if defined(OPENSSL_NO_RC5) && !defined(NO_RC5)
 #  define NO_RC5
 # endif
+# if defined(OPENSSL_NO_RCS) && !defined(NO_RCS)
+#  define NO_RCS
+# endif
 # if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779)
 #  define NO_RFC3779
 # endif
+# if defined(OPENSSL_NO_RIPEMD) && !defined(NO_RIPEMD)
+#  define NO_RIPEMD
+# endif
+# if defined(OPENSSL_NO_SCRYPT) && !defined(NO_SCRYPT)
+#  define NO_SCRYPT
+# endif
+# if defined(OPENSSL_NO_SCT) && !defined(NO_SCT)
+#  define NO_SCT
+# endif
 # if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP)
 #  define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SEED) && !defined(NO_SEED)
+#  define NO_SEED
+# endif
+# if defined(OPENSSL_NO_SHA0) && !defined(NO_SHA0)
+#  define NO_SHA0
+# endif
+# if defined(OPENSSL_NO_SOCK) && !defined(NO_SOCK)
+#  define NO_SOCK
+# endif
+# if defined(OPENSSL_NO_SRP) && !defined(NO_SRP)
+#  define NO_SRP
+# endif
 # if defined(OPENSSL_NO_SSL_TRACE) && !defined(NO_SSL_TRACE)
 #  define NO_SSL_TRACE
 # endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
+# if defined(OPENSSL_NO_SSL3) && !defined(NO_SSL3)
+#  define NO_SSL3
+# endif
+# if defined(OPENSSL_NO_STDIO) && !defined(NO_STDIO)
+#  define NO_STDIO
+# endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
 # endif
+# if defined(OPENSSL_NO_UI) && !defined(NO_UI)
+#  define NO_UI
+# endif
 # if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
 #  define NO_UNIT_TEST
 # endif
+# if defined(OPENSSL_NO_WHIRLPOOL) && !defined(NO_WHIRLPOOL)
+#  define NO_WHIRLPOOL
+# endif
 #endif
 
 /* crypto/opensslconf.h.in */
@@ -152,20 +374,17 @@ extern "C" {
 #endif
 #endif
 
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) && !defined(OPENSSL_SYSNAME_UEFI)
 #define CONFIG_HEADER_BN_H
 #undef BN_LLONG
 
 /* Should we define BN_DIV2W here? */
 
 /* Only one for the following should be defined */
-/* Bypass the following definitions for UEFI version. */
-#if !defined(OPENSSL_SYS_UEFI)
 #undef SIXTY_FOUR_BIT_LONG
 #undef SIXTY_FOUR_BIT
 #define THIRTY_TWO_BIT
 #endif
-#endif
 
 #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
 #define CONFIG_HEADER_RC4_LOCL_H
@@ -219,7 +438,7 @@ extern "C" {
    optimization options.  Older Sparc's work better with only UNROLL, but
    there's no way to tell at compile time what it is you're running on */
  
-#if defined( sun )		/* Newer Sparc's */
+#if defined( __sun ) || defined ( sun )		/* Newer Sparc's */
 #  define DES_PTR
 #  define DES_RISC1
 #  define DES_UNROLL
diff --git a/Cryptlib/Include/openssl/opensslv.h b/Cryptlib/Include/openssl/opensslv.h
index c06b13ac..abcef15b 100644
--- a/Cryptlib/Include/openssl/opensslv.h
+++ b/Cryptlib/Include/openssl/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1000204fL
+# define OPENSSL_VERSION_NUMBER  0x1000205fL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2d-fips 9 Jul 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2e-fips 3 Dec 2015"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2d 9 Jul 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2e 3 Dec 2015"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/Cryptlib/Include/openssl/ssl.h b/Cryptlib/Include/openssl/ssl.h
index 6fe1a247..afec1f5b 100644
--- a/Cryptlib/Include/openssl/ssl.h
+++ b/Cryptlib/Include/openssl/ssl.h
@@ -2681,6 +2681,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                 292
 # define SSL_F_SSL3_ENC                                   134
 # define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
+# define SSL_F_SSL3_GENERATE_MASTER_SECRET                388
 # define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
 # define SSL_F_SSL3_GET_CERT_STATUS                       289
 # define SSL_F_SSL3_GET_CERT_VERIFY                       136
@@ -2846,8 +2847,11 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
 # define SSL_R_BAD_DECOMPRESSION                          107
 # define SSL_R_BAD_DH_G_LENGTH                            108
+# define SSL_R_BAD_DH_G_VALUE                             375
 # define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
+# define SSL_R_BAD_DH_PUB_KEY_VALUE                       393
 # define SSL_R_BAD_DH_P_LENGTH                            110
+# define SSL_R_BAD_DH_P_VALUE                             395
 # define SSL_R_BAD_DIGEST_LENGTH                          111
 # define SSL_R_BAD_DSA_SIGNATURE                          112
 # define SSL_R_BAD_ECC_CERT                               304
diff --git a/Cryptlib/Include/openssl/tls1.h b/Cryptlib/Include/openssl/tls1.h
index 5929607f..7e237d06 100644
--- a/Cryptlib/Include/openssl/tls1.h
+++ b/Cryptlib/Include/openssl/tls1.h
@@ -231,13 +231,12 @@ extern "C" {
 /* ExtensionType value from RFC5620 */
 # define TLSEXT_TYPE_heartbeat   15
 
-/* ExtensionType value from draft-ietf-tls-applayerprotoneg-00 */
+/* ExtensionType value from RFC7301 */
 # define TLSEXT_TYPE_application_layer_protocol_negotiation 16
 
 /*
  * ExtensionType value for TLS padding extension.
- * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
- * http://tools.ietf.org/html/draft-agl-tls-padding-03
+ * http://tools.ietf.org/html/draft-agl-tls-padding
  */
 # define TLSEXT_TYPE_padding     21
 
@@ -262,20 +261,19 @@ extern "C" {
 #  define TLSEXT_TYPE_next_proto_neg              13172
 # endif
 
-/* NameType value from RFC 3546 */
+/* NameType value from RFC3546 */
 # define TLSEXT_NAMETYPE_host_name 0
-/* status request value from RFC 3546 */
+/* status request value from RFC3546 */
 # define TLSEXT_STATUSTYPE_ocsp 1
 
-/* ECPointFormat values from draft-ietf-tls-ecc-12 */
+/* ECPointFormat values from RFC4492 */
 # define TLSEXT_ECPOINTFORMAT_first                      0
 # define TLSEXT_ECPOINTFORMAT_uncompressed               0
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime  1
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2  2
 # define TLSEXT_ECPOINTFORMAT_last                       2
 
-/* Signature and hash algorithms from RFC 5246 */
-
+/* Signature and hash algorithms from RFC5246 */
 # define TLSEXT_signature_anonymous                      0
 # define TLSEXT_signature_rsa                            1
 # define TLSEXT_signature_dsa                            2
@@ -430,7 +428,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
 
 /* AES ciphersuites from RFC3268 */
-
 # define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
 # define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
 # define TLS1_CK_DH_RSA_WITH_AES_128_SHA                 0x03000031
@@ -595,7 +592,7 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AES256-SHA"
 # define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AES256-SHA"
 
-/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+/* ECC ciphersuites from RFC4492 */
 # define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA               "ECDH-ECDSA-NULL-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA            "ECDH-ECDSA-RC4-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA       "ECDH-ECDSA-DES-CBC3-SHA"
diff --git a/Cryptlib/Include/openssl/x509_vfy.h b/Cryptlib/Include/openssl/x509_vfy.h
index bd8613c6..3b70abd5 100644
--- a/Cryptlib/Include/openssl/x509_vfy.h
+++ b/Cryptlib/Include/openssl/x509_vfy.h
@@ -438,6 +438,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
  * will force the behaviour to match that of previous versions.
  */
 # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
+/* Do not check certificate/CRL validity against current time */
+# define X509_V_FLAG_NO_CHECK_TIME               0x200000
 
 # define X509_VP_FLAG_DEFAULT                    0x1
 # define X509_VP_FLAG_OVERWRITE                  0x2