* New upstream release.debian/15+1533136590.3beb971-1

  - debian/patches/second-stage-path: dropped; the default loader path now
    includes an arch suffix.
  - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
  - debian/copyright: Update upstream source location.
  - debian/control: add a Build-Depends on libelf-dev.
  - Enable arm64 build.
  - debian/patches/fixup_git.patch: don't run git in clean; we're not
    really in a git tree.
  - debian/rules, debian/shim.install: use the upstream install target as
    intended, and move files to the target directory using dh_install.
  - define RELEASE and COMMIT_ID for the snapshot.
  - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
    options: set MAKELEVEL.
  - Define an EFI_ARCH variable, and use that for paths to shim. This
    makes it possible to build a shim for other architectures than amd64.
  - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
    in the "right" final directories, and makes boot.csv for us.
  - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
    at compile-time for MokManager and fallback.
  - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
    and MokManager.

8 files changed, 219 insertions, 670 deletions

diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_api.c b/Cryptlib/OpenSSL/crypto/conf/conf_api.c
index 4cf75533..5535416a 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_api.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_api.c
@@ -1,81 +1,22 @@
-/* conf_api.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 /* Part of the code in here was originally in conf.c, which is now removed */
 
-#ifndef CONF_DEBUG
-# undef NDEBUG                  /* avoid conflicting definitions */
-# define NDEBUG
-#endif
-
-#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
 #include "e_os.h"
 
-static void value_free_hash_doall_arg(CONF_VALUE *a,
-                                      LHASH_OF(CONF_VALUE) *conf);
+static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf);
 static void value_free_stack_doall(CONF_VALUE *a);
-static IMPLEMENT_LHASH_DOALL_ARG_FN(value_free_hash, CONF_VALUE,
-                                    LHASH_OF(CONF_VALUE))
-static IMPLEMENT_LHASH_DOALL_FN(value_free_stack, CONF_VALUE)
 
 /* Up until OpenSSL 0.9.5a, this was get_section */
 CONF_VALUE *_CONF_get_section(const CONF *conf, const char *section)
@@ -157,35 +98,11 @@ char *_CONF_get_string(const CONF *conf, const char *section,
         return (getenv(name));
 }
 
-#if 0                           /* There's no way to provide error checking
-                                 * with this function, so force implementors
-                                 * of the higher levels to get a string and
-                                 * read the number themselves. */
-long _CONF_get_number(CONF *conf, char *section, char *name)
-{
-    char *str;
-    long ret = 0;
-
-    str = _CONF_get_string(conf, section, name);
-    if (str == NULL)
-        return (0);
-    for (;;) {
-        if (conf->meth->is_number(conf, *str))
-            ret = ret * 10 + conf->meth->to_int(conf, *str);
-        else
-            return (ret);
-        str++;
-    }
-}
-#endif
-
 static unsigned long conf_value_hash(const CONF_VALUE *v)
 {
-    return (lh_strhash(v->section) << 2) ^ lh_strhash(v->name);
+    return (OPENSSL_LH_strhash(v->section) << 2) ^ OPENSSL_LH_strhash(v->name);
 }
 
-static IMPLEMENT_LHASH_HASH_FN(conf_value, CONF_VALUE)
-
 static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b)
 {
     int i;
@@ -205,43 +122,42 @@ static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b)
         return ((a->name == NULL) ? -1 : 1);
 }
 
-static IMPLEMENT_LHASH_COMP_FN(conf_value, CONF_VALUE)
-
 int _CONF_new_data(CONF *conf)
 {
     if (conf == NULL) {
         return 0;
     }
-    if (conf->data == NULL)
-        if ((conf->data = lh_CONF_VALUE_new()) == NULL) {
+    if (conf->data == NULL) {
+        conf->data = lh_CONF_VALUE_new(conf_value_hash, conf_value_cmp);
+        if (conf->data == NULL)
             return 0;
-        }
+    }
     return 1;
 }
 
+typedef LHASH_OF(CONF_VALUE) LH_CONF_VALUE;
+
+IMPLEMENT_LHASH_DOALL_ARG_CONST(CONF_VALUE, LH_CONF_VALUE);
+
 void _CONF_free_data(CONF *conf)
 {
     if (conf == NULL || conf->data == NULL)
         return;
 
-    lh_CONF_VALUE_down_load(conf->data) = 0; /* evil thing to make * sure the
-                                              * 'OPENSSL_free()' works as *
-                                              * expected */
-    lh_CONF_VALUE_doall_arg(conf->data,
-                            LHASH_DOALL_ARG_FN(value_free_hash),
-                            LHASH_OF(CONF_VALUE), conf->data);
+    /* evil thing to make sure the 'OPENSSL_free()' works as expected */
+    lh_CONF_VALUE_set_down_load(conf->data, 0);
+    lh_CONF_VALUE_doall_LH_CONF_VALUE(conf->data, value_free_hash, conf->data);
 
     /*
      * We now have only 'section' entries in the hash table. Due to problems
      * with
      */
 
-    lh_CONF_VALUE_doall(conf->data, LHASH_DOALL_FN(value_free_stack));
+    lh_CONF_VALUE_doall(conf->data, value_free_stack_doall);
     lh_CONF_VALUE_free(conf->data);
 }
 
-static void value_free_hash_doall_arg(CONF_VALUE *a,
-                                      LHASH_OF(CONF_VALUE) *conf)
+static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf)
 {
     if (a->name != NULL)
         (void)lh_CONF_VALUE_delete(conf, a);
@@ -263,8 +179,7 @@ static void value_free_stack_doall(CONF_VALUE *a)
         OPENSSL_free(vv->name);
         OPENSSL_free(vv);
     }
-    if (sk != NULL)
-        sk_CONF_VALUE_free(sk);
+    sk_CONF_VALUE_free(sk);
     OPENSSL_free(a->section);
     OPENSSL_free(a);
 }
@@ -273,12 +188,12 @@ static void value_free_stack_doall(CONF_VALUE *a)
 CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
 {
     STACK_OF(CONF_VALUE) *sk = NULL;
-    int ok = 0, i;
+    int i;
     CONF_VALUE *v = NULL, *vv;
 
     if ((sk = sk_CONF_VALUE_new_null()) == NULL)
         goto err;
-    if ((v = OPENSSL_malloc(sizeof(CONF_VALUE))) == NULL)
+    if ((v = OPENSSL_malloc(sizeof(*v))) == NULL)
         goto err;
     i = strlen(section) + 1;
     if ((v->section = OPENSSL_malloc(i)) == NULL)
@@ -290,16 +205,10 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
 
     vv = lh_CONF_VALUE_insert(conf->data, v);
     OPENSSL_assert(vv == NULL);
-    ok = 1;
+    return v;
+
  err:
-    if (!ok) {
-        if (sk != NULL)
-            sk_CONF_VALUE_free(sk);
-        if (v != NULL)
-            OPENSSL_free(v);
-        v = NULL;
-    }
-    return (v);
+    sk_CONF_VALUE_free(sk);
+    OPENSSL_free(v);
+    return NULL;
 }
-
-IMPLEMENT_STACK_OF(CONF_VALUE)
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_def.c b/Cryptlib/OpenSSL/crypto/conf/conf_def.c
index 3d308c7e..8861b3a5 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_def.c
@@ -1,66 +1,17 @@
-/* crypto/conf/conf.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 /* Part of the code in here was originally in conf.c, which is now removed */
 
 #include <stdio.h>
 #include <string.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
 #include <openssl/stack.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
@@ -88,8 +39,6 @@ static int def_dump(const CONF *conf, BIO *bp);
 static int def_is_number(const CONF *conf, char c);
 static int def_to_int(const CONF *conf, char c);
 
-const char CONF_def_version[] = "CONF_def" OPENSSL_VERSION_PTEXT;
-
 static CONF_METHOD default_method = {
     "OpenSSL default",
     def_create,
@@ -130,8 +79,8 @@ static CONF *def_create(CONF_METHOD *meth)
 {
     CONF *ret;
 
-    ret = OPENSSL_malloc(sizeof(CONF) + sizeof(unsigned short *));
-    if (ret)
+    ret = OPENSSL_malloc(sizeof(*ret));
+    if (ret != NULL)
         if (meth->init(ret) == 0) {
             OPENSSL_free(ret);
             ret = NULL;
@@ -145,7 +94,7 @@ static int def_init_default(CONF *conf)
         return 0;
 
     conf->meth = &default_method;
-    conf->meth_data = CONF_type_default;
+    conf->meth_data = (void *)CONF_type_default;
     conf->data = NULL;
 
     return 1;
@@ -182,10 +131,6 @@ static int def_destroy_data(CONF *conf)
 
 static int def_load(CONF *conf, const char *name, long *line)
 {
-#ifdef OPENSSL_NO_STDIO
-    CONFerr(CONF_F_DEF_LOAD, ERR_R_SYS_LIB);
-    return 0;
-#else
     int ret;
     BIO *in = NULL;
 
@@ -206,7 +151,6 @@ static int def_load(CONF *conf, const char *name, long *line)
     BIO_free(in);
 
     return ret;
-#endif
 }
 
 static int def_load_bio(CONF *conf, BIO *in, long *line)
@@ -230,7 +174,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
         goto err;
     }
 
-    section = BUF_strdup("default");
+    section = OPENSSL_strdup("default");
     if (section == NULL) {
         CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -361,19 +305,19 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
             p++;
             *p = '\0';
 
-            if (!(v = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) {
+            if ((v = OPENSSL_malloc(sizeof(*v))) == NULL) {
                 CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
             if (psection == NULL)
                 psection = section;
-            v->name = (char *)OPENSSL_malloc(strlen(pname) + 1);
+            v->name = OPENSSL_malloc(strlen(pname) + 1);
             v->value = NULL;
             if (v->name == NULL) {
                 CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
-            BUF_strlcpy(v->name, pname, strlen(pname) + 1);
+            OPENSSL_strlcpy(v->name, pname, strlen(pname) + 1);
             if (!str_copy(conf, psection, &(v->value), start))
                 goto err;
 
@@ -388,53 +332,31 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                 }
             } else
                 tv = sv;
-#if 1
             if (_CONF_add_string(conf, tv, v) == 0) {
                 CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
-#else
-            v->section = tv->section;
-            if (!sk_CONF_VALUE_push(ts, v)) {
-                CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
-                goto err;
-            }
-            vv = (CONF_VALUE *)lh_insert(conf->data, v);
-            if (vv != NULL) {
-                sk_CONF_VALUE_delete_ptr(ts, vv);
-                OPENSSL_free(vv->name);
-                OPENSSL_free(vv->value);
-                OPENSSL_free(vv);
-            }
-#endif
             v = NULL;
         }
     }
-    if (buff != NULL)
-        BUF_MEM_free(buff);
-    if (section != NULL)
-        OPENSSL_free(section);
+    BUF_MEM_free(buff);
+    OPENSSL_free(section);
     return (1);
  err:
-    if (buff != NULL)
-        BUF_MEM_free(buff);
-    if (section != NULL)
-        OPENSSL_free(section);
+    BUF_MEM_free(buff);
+    OPENSSL_free(section);
     if (line != NULL)
         *line = eline;
     BIO_snprintf(btmp, sizeof btmp, "%ld", eline);
     ERR_add_error_data(2, "line ", btmp);
-    if ((h != conf->data) && (conf->data != NULL)) {
+    if (h != conf->data) {
         CONF_free(conf->data);
         conf->data = NULL;
     }
     if (v != NULL) {
-        if (v->name != NULL)
-            OPENSSL_free(v->name);
-        if (v->value != NULL)
-            OPENSSL_free(v->value);
-        if (v != NULL)
-            OPENSSL_free(v);
+        OPENSSL_free(v->name);
+        OPENSSL_free(v->value);
+        OPENSSL_free(v);
     }
     return (0);
 }
@@ -614,14 +536,12 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
             buf->data[to++] = *(from++);
     }
     buf->data[to] = '\0';
-    if (*pto != NULL)
-        OPENSSL_free(*pto);
+    OPENSSL_free(*pto);
     *pto = buf->data;
     OPENSSL_free(buf);
     return (1);
  err:
-    if (buf != NULL)
-        BUF_MEM_free(buf);
+    BUF_MEM_free(buf);
     return (0);
 }
 
@@ -683,7 +603,7 @@ static char *scan_dquote(CONF *conf, char *p)
     return (p);
 }
 
-static void dump_value_doall_arg(CONF_VALUE *a, BIO *out)
+static void dump_value_doall_arg(const CONF_VALUE *a, BIO *out)
 {
     if (a->name)
         BIO_printf(out, "[%s] %s=%s\n", a->section, a->name, a->value);
@@ -691,12 +611,11 @@ static void dump_value_doall_arg(CONF_VALUE *a, BIO *out)
         BIO_printf(out, "[[%s]]\n", a->section);
 }
 
-static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_value, CONF_VALUE, BIO)
+IMPLEMENT_LHASH_DOALL_ARG_CONST(CONF_VALUE, BIO);
 
 static int def_dump(const CONF *conf, BIO *out)
 {
-    lh_CONF_VALUE_doall_arg(conf->data, LHASH_DOALL_ARG_FN(dump_value),
-                            BIO, out);
+    lh_CONF_VALUE_doall_BIO(conf->data, dump_value_doall_arg, out);
     return 1;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_def.h b/Cryptlib/OpenSSL/crypto/conf/conf_def.h
index 7d897b89..da4767e1 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_def.h
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_def.h
@@ -1,64 +1,12 @@
-/* crypto/conf/conf_def.h */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
 /*
- * THIS FILE WAS AUTOMAGICALLY GENERATED! Please modify and use keysets.pl to
- * regenerate it.
+ * WARNING: do not edit!
+ * Generated by crypto/conf/keysets.pl
+ *
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 #define CONF_NUMBER             1
@@ -79,7 +27,7 @@
 #define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \
                                         CONF_PUNCTUATION)
 
-#define KEYTYPES(c)             ((unsigned short *)((c)->meth_data))
+#define KEYTYPES(c)             ((const unsigned short *)((c)->meth_data))
 #ifndef CHARSET_EBCDIC
 # define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_COMMENT)
 # define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0xff]&CONF_FCOMMENT)
@@ -96,21 +44,21 @@
 
 #else                           /* CHARSET_EBCDIC */
 
-# define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_COMMENT)
-# define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_FCOMMENT)
-# define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_EOF)
-# define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ESC)
-# define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_NUMBER)
-# define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_WS)
-# define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC)
+# define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_COMMENT)
+# define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_FCOMMENT)
+# define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_EOF)
+# define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_ESC)
+# define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_NUMBER)
+# define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_WS)
+# define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_ALPHA_NUMERIC)
 # define IS_ALPHA_NUMERIC_PUNCT(c,a) \
-                                (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
-# define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_QUOTE)
-# define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_DQUOTE)
-# define IS_HIGHBIT(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_HIGHBIT)
+                                (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_ALPHA_NUMERIC_PUNCT)
+# define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_QUOTE)
+# define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_DQUOTE)
+# define IS_HIGHBIT(c,a)         (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_HIGHBIT)
 #endif                          /* CHARSET_EBCDIC */
 
-static unsigned short CONF_type_default[256] = {
+static const unsigned short CONF_type_default[256] = {
     0x0008, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
     0x0000, 0x0010, 0x0010, 0x0000, 0x0000, 0x0010, 0x0000, 0x0000,
     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
@@ -145,7 +93,7 @@ static unsigned short CONF_type_default[256] = {
     0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000,
 };
 
-static unsigned short CONF_type_win32[256] = {
+static const unsigned short CONF_type_win32[256] = {
     0x0008, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
     0x0000, 0x0010, 0x0010, 0x0000, 0x0000, 0x0010, 0x0000, 0x0000,
     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_err.c b/Cryptlib/OpenSSL/crypto/conf/conf_err.c
index bb5e2fe2..b583c057 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_err.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_err.c
@@ -1,62 +1,11 @@
-/* crypto/conf/conf_err.c */
-/* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
 /*
- * NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
@@ -72,18 +21,15 @@
 static ERR_STRING_DATA CONF_str_functs[] = {
     {ERR_FUNC(CONF_F_CONF_DUMP_FP), "CONF_dump_fp"},
     {ERR_FUNC(CONF_F_CONF_LOAD), "CONF_load"},
-    {ERR_FUNC(CONF_F_CONF_LOAD_BIO), "CONF_load_bio"},
     {ERR_FUNC(CONF_F_CONF_LOAD_FP), "CONF_load_fp"},
-    {ERR_FUNC(CONF_F_CONF_MODULES_LOAD), "CONF_modules_load"},
     {ERR_FUNC(CONF_F_CONF_PARSE_LIST), "CONF_parse_list"},
-    {ERR_FUNC(CONF_F_DEF_LOAD), "DEF_LOAD"},
-    {ERR_FUNC(CONF_F_DEF_LOAD_BIO), "DEF_LOAD_BIO"},
-    {ERR_FUNC(CONF_F_MODULE_INIT), "MODULE_INIT"},
-    {ERR_FUNC(CONF_F_MODULE_LOAD_DSO), "MODULE_LOAD_DSO"},
-    {ERR_FUNC(CONF_F_MODULE_RUN), "MODULE_RUN"},
+    {ERR_FUNC(CONF_F_DEF_LOAD), "def_load"},
+    {ERR_FUNC(CONF_F_DEF_LOAD_BIO), "def_load_bio"},
+    {ERR_FUNC(CONF_F_MODULE_INIT), "module_init"},
+    {ERR_FUNC(CONF_F_MODULE_LOAD_DSO), "module_load_dso"},
+    {ERR_FUNC(CONF_F_MODULE_RUN), "module_run"},
     {ERR_FUNC(CONF_F_NCONF_DUMP_BIO), "NCONF_dump_bio"},
     {ERR_FUNC(CONF_F_NCONF_DUMP_FP), "NCONF_dump_fp"},
-    {ERR_FUNC(CONF_F_NCONF_GET_NUMBER), "NCONF_get_number"},
     {ERR_FUNC(CONF_F_NCONF_GET_NUMBER_E), "NCONF_get_number_e"},
     {ERR_FUNC(CONF_F_NCONF_GET_SECTION), "NCONF_get_section"},
     {ERR_FUNC(CONF_F_NCONF_GET_STRING), "NCONF_get_string"},
@@ -91,7 +37,7 @@ static ERR_STRING_DATA CONF_str_functs[] = {
     {ERR_FUNC(CONF_F_NCONF_LOAD_BIO), "NCONF_load_bio"},
     {ERR_FUNC(CONF_F_NCONF_LOAD_FP), "NCONF_load_fp"},
     {ERR_FUNC(CONF_F_NCONF_NEW), "NCONF_new"},
-    {ERR_FUNC(CONF_F_STR_COPY), "STR_COPY"},
+    {ERR_FUNC(CONF_F_STR_COPY), "str_copy"},
     {0, NULL}
 };
 
@@ -101,7 +47,6 @@ static ERR_STRING_DATA CONF_str_reasons[] = {
     {ERR_REASON(CONF_R_MISSING_CLOSE_SQUARE_BRACKET),
      "missing close square bracket"},
     {ERR_REASON(CONF_R_MISSING_EQUAL_SIGN), "missing equal sign"},
-    {ERR_REASON(CONF_R_MISSING_FINISH_FUNCTION), "missing finish function"},
     {ERR_REASON(CONF_R_MISSING_INIT_FUNCTION), "missing init function"},
     {ERR_REASON(CONF_R_MODULE_INITIALIZATION_ERROR),
      "module initialization error"},
@@ -121,7 +66,7 @@ static ERR_STRING_DATA CONF_str_reasons[] = {
 
 #endif
 
-void ERR_load_CONF_strings(void)
+int ERR_load_CONF_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -130,4 +75,5 @@ void ERR_load_CONF_strings(void)
         ERR_load_strings(0, CONF_str_reasons);
     }
 #endif
+    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_lib.c b/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
index 952b5452..35321149 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
@@ -1,70 +1,21 @@
-/* conf_lib.c */
 /*
- * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
- * 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
+#include <string.h>
+#include <internal/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
 #include <openssl/lhash.h>
-
-const char CONF_version[] = "CONF" OPENSSL_VERSION_PTEXT;
+#include "e_os.h"
 
 static CONF_METHOD *default_CONF_method = NULL;
 
@@ -90,7 +41,6 @@ int CONF_set_default_method(CONF_METHOD *meth)
     return 1;
 }
 
-#ifndef OPENSSL_NO_STDIO
 LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file,
                                 long *eline)
 {
@@ -112,15 +62,14 @@ LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file,
 
     return ltmp;
 }
-#endif
 
-#ifndef OPENSSL_NO_FP_API
+#ifndef OPENSSL_NO_STDIO
 LHASH_OF(CONF_VALUE) *CONF_load_fp(LHASH_OF(CONF_VALUE) *conf, FILE *fp,
                                    long *eline)
 {
     BIO *btmp;
     LHASH_OF(CONF_VALUE) *ltmp;
-    if (!(btmp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+    if ((btmp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL) {
         CONFerr(CONF_F_CONF_LOAD_FP, ERR_R_BUF_LIB);
         return NULL;
     }
@@ -196,13 +145,13 @@ void CONF_free(LHASH_OF(CONF_VALUE) *conf)
     NCONF_free_data(&ctmp);
 }
 
-#ifndef OPENSSL_NO_FP_API
+#ifndef OPENSSL_NO_STDIO
 int CONF_dump_fp(LHASH_OF(CONF_VALUE) *conf, FILE *out)
 {
     BIO *btmp;
     int ret;
 
-    if (!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
+    if ((btmp = BIO_new_fp(out, BIO_NOCLOSE)) == NULL) {
         CONFerr(CONF_F_CONF_DUMP_FP, ERR_R_BUF_LIB);
         return 0;
     }
@@ -257,7 +206,6 @@ void NCONF_free_data(CONF *conf)
     conf->meth->destroy_data(conf);
 }
 
-#ifndef OPENSSL_NO_STDIO
 int NCONF_load(CONF *conf, const char *file, long *eline)
 {
     if (conf == NULL) {
@@ -267,14 +215,13 @@ int NCONF_load(CONF *conf, const char *file, long *eline)
 
     return conf->meth->load(conf, file, eline);
 }
-#endif
 
-#ifndef OPENSSL_NO_FP_API
+#ifndef OPENSSL_NO_STDIO
 int NCONF_load_fp(CONF *conf, FILE *fp, long *eline)
 {
     BIO *btmp;
     int ret;
-    if (!(btmp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+    if ((btmp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL) {
         CONFerr(CONF_F_NCONF_LOAD_FP, ERR_R_BUF_LIB);
         return 0;
     }
@@ -353,12 +300,12 @@ int NCONF_get_number_e(const CONF *conf, const char *group, const char *name,
     return 1;
 }
 
-#ifndef OPENSSL_NO_FP_API
+#ifndef OPENSSL_NO_STDIO
 int NCONF_dump_fp(const CONF *conf, FILE *out)
 {
     BIO *btmp;
     int ret;
-    if (!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
+    if ((btmp = BIO_new_fp(out, BIO_NOCLOSE)) == NULL) {
         CONFerr(CONF_F_NCONF_DUMP_FP, ERR_R_BUF_LIB);
         return 0;
     }
@@ -378,18 +325,41 @@ int NCONF_dump_bio(const CONF *conf, BIO *out)
     return conf->meth->dump(conf, out);
 }
 
-/* This function should be avoided */
-#if 0
-long NCONF_get_number(CONF *conf, char *group, char *name)
+/*
+ * These routines call the C malloc/free, to avoid intermixing with
+ * OpenSSL function pointers before the library is initialized.
+ */
+OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void)
 {
-    int status;
-    long ret = 0;
+    OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
 
-    status = NCONF_get_number_e(conf, group, name, &ret);
-    if (status == 0) {
-        /* This function does not believe in errors... */
-        ERR_get_error();
-    }
+    if (ret != NULL)
+        memset(ret, 0, sizeof(*ret));
     return ret;
 }
+
+
+#ifndef OPENSSL_NO_STDIO
+int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
+                                    const char *appname)
+{
+    char *newappname = NULL;
+
+    if (appname != NULL) {
+        newappname = strdup(appname);
+        if (newappname == NULL)
+            return 0;
+    }
+
+    free(settings->appname);
+    settings->appname = newappname;
+
+    return 1;
+}
 #endif
+
+void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings)
+{
+    free(settings->appname);
+    free(settings);
+}
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mall.c b/Cryptlib/OpenSSL/crypto/conf/conf_mall.c
index b4dbd662..4e7a434e 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_mall.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_mall.c
@@ -1,72 +1,19 @@
-/* conf_mall.c */
 /*
- * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
- * 2001.
- */
-/* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
 #include <openssl/conf.h>
-#include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-#endif
+#include <openssl/engine.h>
 
 /* Load all OpenSSL builtin modules */
 
@@ -74,6 +21,7 @@ void OPENSSL_load_builtin_modules(void)
 {
     /* Add builtin modules here */
     ASN1_add_oid_module();
+    ASN1_add_stable_module();
 #ifndef OPENSSL_NO_ENGINE
     ENGINE_add_conf_module();
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mod.c b/Cryptlib/OpenSSL/crypto/conf/conf_mod.c
index 5e0a482a..31f838e0 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_mod.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_mod.c
@@ -1,68 +1,18 @@
-/* conf_mod.c */
 /*
- * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
- * 2001.
- */
-/* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
 #include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/dso.h>
+#include "internal/cryptlib.h"
+#include "internal/conf.h"
+#include "internal/dso.h"
 #include <openssl/x509.h>
 
 #define DSO_mod_init_name "OPENSSL_init"
@@ -106,16 +56,16 @@ static STACK_OF(CONF_IMODULE) *initialized_modules = NULL;
 
 static void module_free(CONF_MODULE *md);
 static void module_finish(CONF_IMODULE *imod);
-static int module_run(const CONF *cnf, char *name, char *value,
+static int module_run(const CONF *cnf, const char *name, const char *value,
                       unsigned long flags);
 static CONF_MODULE *module_add(DSO *dso, const char *name,
                                conf_init_func *ifunc,
                                conf_finish_func *ffunc);
-static CONF_MODULE *module_find(char *name);
-static int module_init(CONF_MODULE *pmod, char *name, char *value,
+static CONF_MODULE *module_find(const char *name);
+static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
                        const CONF *cnf);
-static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
-                                    unsigned long flags);
+static CONF_MODULE *module_load_dso(const CONF *cnf, const char *name,
+                                    const char *value);
 
 /* Main function: load modules from a CONF structure */
 
@@ -159,7 +109,6 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
 
 }
 
-#ifndef OPENSSL_NO_STDIO
 int CONF_modules_load_file(const char *filename, const char *appname,
                            unsigned long flags)
 {
@@ -167,7 +116,7 @@ int CONF_modules_load_file(const char *filename, const char *appname,
     CONF *conf = NULL;
     int ret = 0;
     conf = NCONF_new(NULL);
-    if (!conf)
+    if (conf == NULL)
         goto err;
 
     if (filename == NULL) {
@@ -195,9 +144,8 @@ int CONF_modules_load_file(const char *filename, const char *appname,
 
     return ret;
 }
-#endif
 
-static int module_run(const CONF *cnf, char *name, char *value,
+static int module_run(const CONF *cnf, const char *name, const char *value,
                       unsigned long flags)
 {
     CONF_MODULE *md;
@@ -207,7 +155,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
 
     /* Module not found: try to load DSO */
     if (!md && !(flags & CONF_MFLAGS_NO_DSO))
-        md = module_load_dso(cnf, name, value, flags);
+        md = module_load_dso(cnf, name, value);
 
     if (!md) {
         if (!(flags & CONF_MFLAGS_SILENT)) {
@@ -233,13 +181,13 @@ static int module_run(const CONF *cnf, char *name, char *value,
 }
 
 /* Load a module from a DSO */
-static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
-                                    unsigned long flags)
+static CONF_MODULE *module_load_dso(const CONF *cnf,
+                                    const char *name, const char *value)
 {
     DSO *dso = NULL;
     conf_init_func *ifunc;
     conf_finish_func *ffunc;
-    char *path = NULL;
+    const char *path = NULL;
     int errcode = 0;
     CONF_MODULE *md;
     /* Look for alternative path in module section */
@@ -268,8 +216,7 @@ static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
     return md;
 
  err:
-    if (dso)
-        DSO_free(dso);
+    DSO_free(dso);
     CONFerr(CONF_F_MODULE_LOAD_DSO, errcode);
     ERR_add_error_data(4, "module=", name, ", path=", path);
     return NULL;
@@ -284,17 +231,21 @@ static CONF_MODULE *module_add(DSO *dso, const char *name,
         supported_modules = sk_CONF_MODULE_new_null();
     if (supported_modules == NULL)
         return NULL;
-    tmod = OPENSSL_malloc(sizeof(CONF_MODULE));
+    tmod = OPENSSL_zalloc(sizeof(*tmod));
     if (tmod == NULL)
         return NULL;
 
     tmod->dso = dso;
-    tmod->name = BUF_strdup(name);
+    tmod->name = OPENSSL_strdup(name);
     tmod->init = ifunc;
     tmod->finish = ffunc;
-    tmod->links = 0;
+    if (tmod->name == NULL) {
+        OPENSSL_free(tmod);
+        return NULL;
+    }
 
     if (!sk_CONF_MODULE_push(supported_modules, tmod)) {
+        OPENSSL_free(tmod->name);
         OPENSSL_free(tmod);
         return NULL;
     }
@@ -308,7 +259,7 @@ static CONF_MODULE *module_add(DSO *dso, const char *name,
  * initialized more than once.
  */
 
-static CONF_MODULE *module_find(char *name)
+static CONF_MODULE *module_find(const char *name)
 {
     CONF_MODULE *tmod;
     int i, nchar;
@@ -322,7 +273,7 @@ static CONF_MODULE *module_find(char *name)
 
     for (i = 0; i < sk_CONF_MODULE_num(supported_modules); i++) {
         tmod = sk_CONF_MODULE_value(supported_modules, i);
-        if (!strncmp(tmod->name, name, nchar))
+        if (strncmp(tmod->name, name, nchar) == 0)
             return tmod;
     }
 
@@ -331,7 +282,7 @@ static CONF_MODULE *module_find(char *name)
 }
 
 /* initialize a module */
-static int module_init(CONF_MODULE *pmod, char *name, char *value,
+static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
                        const CONF *cnf)
 {
     int ret = 1;
@@ -339,13 +290,13 @@ static int module_init(CONF_MODULE *pmod, char *name, char *value,
     CONF_IMODULE *imod = NULL;
 
     /* Otherwise add initialized module to list */
-    imod = OPENSSL_malloc(sizeof(CONF_IMODULE));
-    if (!imod)
+    imod = OPENSSL_malloc(sizeof(*imod));
+    if (imod == NULL)
         goto err;
 
     imod->pmod = pmod;
-    imod->name = BUF_strdup(name);
-    imod->value = BUF_strdup(value);
+    imod->name = OPENSSL_strdup(name);
+    imod->value = OPENSSL_strdup(value);
     imod->usr_data = NULL;
 
     if (!imod->name || !imod->value)
@@ -385,10 +336,8 @@ static int module_init(CONF_MODULE *pmod, char *name, char *value,
 
  memerr:
     if (imod) {
-        if (imod->name)
-            OPENSSL_free(imod->name);
-        if (imod->value)
-            OPENSSL_free(imod->value);
+        OPENSSL_free(imod->name);
+        OPENSSL_free(imod->value);
         OPENSSL_free(imod);
     }
 
@@ -426,8 +375,7 @@ void CONF_modules_unload(int all)
 /* unload a single module */
 static void module_free(CONF_MODULE *md)
 {
-    if (md->dso)
-        DSO_free(md->dso);
+    DSO_free(md->dso);
     OPENSSL_free(md->name);
     OPENSSL_free(md);
 }
@@ -449,6 +397,8 @@ void CONF_modules_finish(void)
 
 static void module_finish(CONF_IMODULE *imod)
 {
+    if (!imod)
+        return;
     if (imod->pmod->finish)
         imod->pmod->finish(imod);
     imod->pmod->links--;
@@ -468,7 +418,7 @@ int CONF_module_add(const char *name, conf_init_func *ifunc,
         return 0;
 }
 
-void CONF_modules_free(void)
+void conf_modules_free_int(void)
 {
     CONF_modules_finish();
     CONF_modules_unload(1);
@@ -530,7 +480,7 @@ char *CONF_get1_default_config_file(void)
 
     file = getenv("OPENSSL_CONF");
     if (file)
-        return BUF_strdup(file);
+        return OPENSSL_strdup(file);
 
     len = strlen(X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
@@ -540,13 +490,13 @@ char *CONF_get1_default_config_file(void)
 
     file = OPENSSL_malloc(len + 1);
 
-    if (!file)
+    if (file == NULL)
         return NULL;
-    BUF_strlcpy(file, X509_get_default_cert_area(), len + 1);
+    OPENSSL_strlcpy(file, X509_get_default_cert_area(), len + 1);
 #ifndef OPENSSL_SYS_VMS
-    BUF_strlcat(file, "/", len + 1);
+    OPENSSL_strlcat(file, "/", len + 1);
 #endif
-    BUF_strlcat(file, OPENSSL_CONF, len + 1);
+    OPENSSL_strlcat(file, OPENSSL_CONF, len + 1);
 
     return file;
 }
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_sap.c b/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
index a25b6365..bed95abe 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
@@ -1,72 +1,19 @@
-/* conf_sap.c */
 /*
- * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
- * 2001.
- */
-/* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/dso.h>
+#include "internal/cryptlib.h"
+#include <internal/conf.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-#endif
+#include <openssl/engine.h>
 
 /*
  * This is the automatic configuration loader: it is called automatically by
@@ -76,7 +23,19 @@
 
 static int openssl_configured = 0;
 
-void OPENSSL_config(const char *config_name)
+#if OPENSSL_API_COMPAT < 0x10100000L
+void OPENSSL_config(const char *appname)
+{
+    OPENSSL_INIT_SETTINGS settings;
+
+    memset(&settings, 0, sizeof(settings));
+    if (appname != NULL)
+        settings.appname = strdup(appname);
+    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
+}
+#endif
+
+void openssl_config_int(const char *appname)
 {
     if (openssl_configured)
         return;
@@ -87,15 +46,15 @@ void OPENSSL_config(const char *config_name)
     ENGINE_load_builtin_engines();
 #endif
     ERR_clear_error();
-#ifndef OPENSSL_NO_STDIO
-    CONF_modules_load_file(NULL, config_name,
+#ifndef OPENSSL_SYS_UEFI
+    CONF_modules_load_file(NULL, appname,
                                CONF_MFLAGS_DEFAULT_SECTION |
                                CONF_MFLAGS_IGNORE_MISSING_FILE);
 #endif
     openssl_configured = 1;
 }
 
-void OPENSSL_no_config()
+void openssl_no_config_int(void)
 {
     openssl_configured = 1;
 }