514 files changed, 52174 insertions, 40130 deletions

diff --git a/Cryptlib/OpenSSL/crypto/LPdir_nyi.c b/Cryptlib/OpenSSL/crypto/LPdir_nyi.c
index 049044c4..b16e8495 100644
--- a/Cryptlib/OpenSSL/crypto/LPdir_nyi.c
+++ b/Cryptlib/OpenSSL/crypto/LPdir_nyi.c
@@ -1,13 +1,4 @@
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
  * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
  * All rights reserved.
  *
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c b/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c
index 342841fc..805d0e26 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_cbc.c
@@ -1,10 +1,52 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/aes/aes_cbc.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/aes.h>
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c b/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c
index f010e3c4..12250009 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_cfb.c
@@ -1,10 +1,52 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/aes/aes_cfb.c */
+/* ====================================================================
+ * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/aes.h>
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_core.c b/Cryptlib/OpenSSL/crypto/aes/aes_core.c
index bd5c7793..7019b5d7 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_core.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_core.c
@@ -1,12 +1,4 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
+/* crypto/aes/aes_core.c */
 /**
  * rijndael-alg-fst.c
  *
@@ -36,10 +28,14 @@
 /* Note: rewritten a little bit to provide error control and an OpenSSL-
    compatible API */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
 
 #include <stdlib.h>
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -629,8 +625,8 @@ static const u32 rcon[] = {
 /**
  * Expand the cipher key into the encryption key schedule.
  */
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
 
     u32 *rk;
@@ -644,9 +640,9 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 
     rk = key->rd_key;
 
-    if (bits == 128)
+    if (bits==128)
         key->rounds = 10;
-    else if (bits == 192)
+    else if (bits==192)
         key->rounds = 12;
     else
         key->rounds = 14;
@@ -731,8 +727,8 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 /**
  * Expand the cipher key into the decryption key schedule.
  */
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
 
     u32 *rk;
@@ -740,7 +736,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
     u32 temp;
 
     /* first, start with an encryption schedule */
-    status = AES_set_encrypt_key(userKey, bits, key);
+    status = private_AES_set_encrypt_key(userKey, bits, key);
     if (status < 0)
         return status;
 
@@ -1208,11 +1204,11 @@ static const u32 rcon[] = {
 /**
  * Expand the cipher key into the encryption key schedule.
  */
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
     u32 *rk;
-    int i = 0;
+   	int i = 0;
     u32 temp;
 
     if (!userKey || !key)
@@ -1222,9 +1218,9 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 
     rk = key->rd_key;
 
-    if (bits == 128)
+    if (bits==128)
         key->rounds = 10;
-    else if (bits == 192)
+    else if (bits==192)
         key->rounds = 12;
     else
         key->rounds = 14;
@@ -1309,8 +1305,8 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 /**
  * Expand the cipher key into the decryption key schedule.
  */
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
 
     u32 *rk;
@@ -1318,7 +1314,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
     u32 temp;
 
     /* first, start with an encryption schedule */
-    status = AES_set_encrypt_key(userKey, bits, key);
+    status = private_AES_set_encrypt_key(userKey, bits, key);
     if (status < 0)
         return status;
 
@@ -1355,7 +1351,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
             rk[j] = tpe ^ ROTATE(tpd,16) ^
                 ROTATE(tp9,24) ^ ROTATE(tpb,8);
 #else
-            rk[j] = tpe ^ (tpd >> 16) ^ (tpd << 16) ^
+            rk[j] = tpe ^ (tpd >> 16) ^ (tpd << 16) ^ 
                 (tp9 >> 8) ^ (tp9 << 24) ^
                 (tpb >> 24) ^ (tpb << 8);
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ctr.c b/Cryptlib/OpenSSL/crypto/aes/aes_ctr.c
new file mode 100644
index 00000000..9e760c4b
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_ctr.c
@@ -0,0 +1,63 @@
+/* crypto/aes/aes_ctr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <openssl/aes.h>
+#include <openssl/modes.h>
+
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+                        size_t length, const AES_KEY *key,
+                        unsigned char ivec[AES_BLOCK_SIZE],
+                        unsigned char ecount_buf[AES_BLOCK_SIZE],
+                        unsigned int *num)
+{
+    CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,
+                          (block128_f) AES_encrypt);
+}
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c b/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c
index 29bfc1ad..52151a5c 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_ecb.c
@@ -1,12 +1,59 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/aes/aes_ecb.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
+#ifndef AES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
 #include <assert.h>
 
 #include <openssl/aes.h>
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ige.c b/Cryptlib/OpenSSL/crypto/aes/aes_ige.c
index 9125264e..8f2b7706 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_ige.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_ige.c
@@ -1,13 +1,55 @@
-/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/aes/aes_ige.c */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #include <openssl/aes.h>
 #include "aes_locl.h"
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_locl.h b/Cryptlib/OpenSSL/crypto/aes/aes_locl.h
index adee29df..7acd74ec 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_locl.h
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_locl.h
@@ -1,16 +1,63 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/aes/aes.h */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #ifndef HEADER_AES_LOCL_H
 # define HEADER_AES_LOCL_H
 
 # include <openssl/e_os2.h>
+
+# ifdef OPENSSL_NO_AES
+#  error AES is disabled.
+# endif
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <string.h>
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_misc.c b/Cryptlib/OpenSSL/crypto/aes/aes_misc.c
index 7403c84f..fafad4d6 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_misc.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_misc.c
@@ -1,16 +1,61 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/aes/aes_misc.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
+const char AES_version[] = "AES" OPENSSL_VERSION_PTEXT;
+
 const char *AES_options(void)
 {
 #ifdef FULL_UNROLL
@@ -19,3 +64,23 @@ const char *AES_options(void)
     return "aes(partial)";
 #endif
 }
+
+/* FIPS wrapper functions to block low level AES calls in FIPS mode */
+
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key)
+{
+#ifdef OPENSSL_FIPS
+    fips_cipher_abort(AES);
+#endif
+    return private_AES_set_encrypt_key(userKey, bits, key);
+}
+
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key)
+{
+#ifdef OPENSSL_FIPS
+    fips_cipher_abort(AES);
+#endif
+    return private_AES_set_decrypt_key(userKey, bits, key);
+}
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c b/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c
index 215b5385..64a08caa 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_ofb.c
@@ -1,10 +1,52 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/aes/aes_ofb.c */
+/* ====================================================================
+ * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/aes.h>
diff --git a/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c b/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c
index cae0b212..b7b64d57 100644
--- a/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c
+++ b/Cryptlib/OpenSSL/crypto/aes/aes_wrap.c
@@ -1,13 +1,58 @@
+/* crypto/aes/aes_wrap.c */
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/aes.h>
 #include <openssl/modes.h>
 
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c b/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c
index 33be907f..f906188b 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_bitstr.c
@@ -1,20 +1,68 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_bitstr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
-#include "asn1_locl.h"
 
 int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
 {
-    return ASN1_STRING_set(x, d, len);
+    return M_ASN1_BIT_STRING_set(x, d, len);
 }
 
 int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
@@ -66,11 +114,10 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 
     *(p++) = (unsigned char)bits;
     d = a->data;
-    if (len > 0) {
-        memcpy(p, d, len);
-        p += len;
+    memcpy(p, d, len);
+    p += len;
+    if (len > 0)
         p[-1] &= (0xff << bits);
-    }
     *pp = p;
     return (ret);
 }
@@ -89,7 +136,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
     }
 
     if ((a == NULL) || ((*a) == NULL)) {
-        if ((ret = ASN1_BIT_STRING_new()) == NULL)
+        if ((ret = M_ASN1_BIT_STRING_new()) == NULL)
             return (NULL);
     } else
         ret = (*a);
@@ -108,7 +155,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
     ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | i); /* set */
 
     if (len-- > 1) {            /* using one because of the bits left byte */
-        s = OPENSSL_malloc((int)len);
+        s = (unsigned char *)OPENSSL_malloc((int)len);
         if (s == NULL) {
             i = ERR_R_MALLOC_FAILURE;
             goto err;
@@ -120,7 +167,8 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
         s = NULL;
 
     ret->length = (int)len;
-    OPENSSL_free(ret->data);
+    if (ret->data != NULL)
+        OPENSSL_free(ret->data);
     ret->data = s;
     ret->type = V_ASN1_BIT_STRING;
     if (a != NULL)
@@ -129,8 +177,8 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
     return (ret);
  err:
     ASN1err(ASN1_F_C2I_ASN1_BIT_STRING, i);
-    if ((a == NULL) || (*a != ret))
-        ASN1_BIT_STRING_free(ret);
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        M_ASN1_BIT_STRING_free(ret);
     return (NULL);
 }
 
@@ -156,7 +204,11 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
     if ((a->length < (w + 1)) || (a->data == NULL)) {
         if (!value)
             return (1);         /* Don't need to set */
-        c = OPENSSL_clear_realloc(a->data, a->length, w + 1);
+        if (a->data == NULL)
+            c = (unsigned char *)OPENSSL_malloc(w + 1);
+        else
+            c = (unsigned char *)OPENSSL_realloc_clean(a->data,
+                                                       a->length, w + 1);
         if (c == NULL) {
             ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT, ERR_R_MALLOC_FAILURE);
             return 0;
@@ -172,7 +224,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
     return (1);
 }
 
-int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
+int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
 {
     int w, v;
 
@@ -189,8 +241,8 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
  * which is not specified in 'flags', 1 otherwise.
  * 'len' is the length of 'flags'.
  */
-int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a,
-                          const unsigned char *flags, int flags_len)
+int ASN1_BIT_STRING_check(ASN1_BIT_STRING *a,
+                          unsigned char *flags, int flags_len)
 {
     int i, ok;
     /* Check if there is one bit set at all. */
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bool.c b/Cryptlib/OpenSSL/crypto/asn1/a_bool.c
new file mode 100644
index 00000000..1b85bc9e
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_bool.c
@@ -0,0 +1,111 @@
+/* crypto/asn1/a_bool.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+
+int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
+{
+    int r;
+    unsigned char *p;
+
+    r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN);
+    if (pp == NULL)
+        return (r);
+    p = *pp;
+
+    ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL);
+    *(p++) = (unsigned char)a;
+    *pp = p;
+    return (r);
+}
+
+int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length)
+{
+    int ret = -1;
+    const unsigned char *p;
+    long len;
+    int inf, tag, xclass;
+    int i = 0;
+
+    p = *pp;
+    inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
+    if (inf & 0x80) {
+        i = ASN1_R_BAD_OBJECT_HEADER;
+        goto err;
+    }
+
+    if (tag != V_ASN1_BOOLEAN) {
+        i = ASN1_R_EXPECTING_A_BOOLEAN;
+        goto err;
+    }
+
+    if (len != 1) {
+        i = ASN1_R_BOOLEAN_IS_WRONG_LENGTH;
+        goto err;
+    }
+    ret = (int)*(p++);
+    if (a != NULL)
+        (*a) = ret;
+    *pp = p;
+    return (ret);
+ err:
+    ASN1err(ASN1_F_D2I_ASN1_BOOLEAN, i);
+    return (ret);
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c b/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c
new file mode 100644
index 00000000..65e53946
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_bytes.c
@@ -0,0 +1,334 @@
+/* crypto/asn1/a_bytes.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c,
+                                  int depth);
+static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a,
+                                       const unsigned char **pp, long length,
+                                       int Ptag, int Pclass, int depth,
+                                       int *perr);
+/*
+ * type is a 'bitmap' of acceptable string types.
+ */
+ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp,
+                                 long length, int type)
+{
+    ASN1_STRING *ret = NULL;
+    const unsigned char *p;
+    unsigned char *s;
+    long len;
+    int inf, tag, xclass;
+    int i = 0;
+
+    p = *pp;
+    inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
+    if (inf & 0x80)
+        goto err;
+
+    if (tag >= 32) {
+        i = ASN1_R_TAG_VALUE_TOO_HIGH;
+        goto err;
+    }
+    if (!(ASN1_tag2bit(tag) & type)) {
+        i = ASN1_R_WRONG_TYPE;
+        goto err;
+    }
+
+    /* If a bit-string, exit early */
+    if (tag == V_ASN1_BIT_STRING)
+        return (d2i_ASN1_BIT_STRING(a, pp, length));
+
+    if ((a == NULL) || ((*a) == NULL)) {
+        if ((ret = ASN1_STRING_new()) == NULL)
+            return (NULL);
+    } else
+        ret = (*a);
+
+    if (len != 0) {
+        s = OPENSSL_malloc((int)len + 1);
+        if (s == NULL) {
+            i = ERR_R_MALLOC_FAILURE;
+            goto err;
+        }
+        memcpy(s, p, (int)len);
+        s[len] = '\0';
+        p += len;
+    } else
+        s = NULL;
+
+    if (ret->data != NULL)
+        OPENSSL_free(ret->data);
+    ret->length = (int)len;
+    ret->data = s;
+    ret->type = tag;
+    if (a != NULL)
+        (*a) = ret;
+    *pp = p;
+    return (ret);
+ err:
+    ASN1err(ASN1_F_D2I_ASN1_TYPE_BYTES, i);
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        ASN1_STRING_free(ret);
+    return (NULL);
+}
+
+int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass)
+{
+    int ret, r, constructed;
+    unsigned char *p;
+
+    if (a == NULL)
+        return (0);
+
+    if (tag == V_ASN1_BIT_STRING)
+        return (i2d_ASN1_BIT_STRING(a, pp));
+
+    ret = a->length;
+    r = ASN1_object_size(0, ret, tag);
+    if (pp == NULL)
+        return (r);
+    p = *pp;
+
+    if ((tag == V_ASN1_SEQUENCE) || (tag == V_ASN1_SET))
+        constructed = 1;
+    else
+        constructed = 0;
+    ASN1_put_object(&p, constructed, ret, tag, xclass);
+    memcpy(p, a->data, a->length);
+    p += a->length;
+    *pp = p;
+    return (r);
+}
+
+/*
+ * Maximum recursion depth of d2i_ASN1_bytes(): much more than should be
+ * encountered in pratice.
+ */
+
+#define ASN1_BYTES_MAXDEPTH 20
+
+ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
+                            long length, int Ptag, int Pclass)
+{
+    int err = 0;
+    ASN1_STRING *s = int_d2i_ASN1_bytes(a, pp, length, Ptag, Pclass, 0, &err);
+    if (err != 0)
+        ASN1err(ASN1_F_D2I_ASN1_BYTES, err);
+    return s;
+}
+
+static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a,
+                                       const unsigned char **pp, long length,
+                                       int Ptag, int Pclass,
+                                       int depth, int *perr)
+{
+    ASN1_STRING *ret = NULL;
+    const unsigned char *p;
+    unsigned char *s;
+    long len;
+    int inf, tag, xclass;
+
+    if (depth > ASN1_BYTES_MAXDEPTH) {
+        *perr = ASN1_R_NESTED_ASN1_STRING;
+        return NULL;
+    }
+
+    if ((a == NULL) || ((*a) == NULL)) {
+        if ((ret = ASN1_STRING_new()) == NULL)
+            return (NULL);
+    } else
+        ret = (*a);
+
+    p = *pp;
+    inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
+    if (inf & 0x80) {
+        *perr = ASN1_R_BAD_OBJECT_HEADER;
+        goto err;
+    }
+
+    if (tag != Ptag) {
+        *perr = ASN1_R_WRONG_TAG;
+        goto err;
+    }
+
+    if (inf & V_ASN1_CONSTRUCTED) {
+        ASN1_const_CTX c;
+
+        c.error = 0;
+        c.pp = pp;
+        c.p = p;
+        c.inf = inf;
+        c.slen = len;
+        c.tag = Ptag;
+        c.xclass = Pclass;
+        c.max = (length == 0) ? 0 : (p + length);
+        if (!asn1_collate_primitive(ret, &c, depth)) {
+            *perr = c.error;
+            goto err;
+        } else {
+            p = c.p;
+        }
+    } else {
+        if (len != 0) {
+            if ((ret->length < len) || (ret->data == NULL)) {
+                s = OPENSSL_malloc((int)len + 1);
+                if (s == NULL) {
+                    *perr = ERR_R_MALLOC_FAILURE;
+                    goto err;
+                }
+                if (ret->data != NULL)
+                    OPENSSL_free(ret->data);
+            } else
+                s = ret->data;
+            memcpy(s, p, (int)len);
+            s[len] = '\0';
+            p += len;
+        } else {
+            s = NULL;
+            if (ret->data != NULL)
+                OPENSSL_free(ret->data);
+        }
+
+        ret->length = (int)len;
+        ret->data = s;
+        ret->type = Ptag;
+    }
+
+    if (a != NULL)
+        (*a) = ret;
+    *pp = p;
+    return (ret);
+ err:
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        ASN1_STRING_free(ret);
+    return (NULL);
+}
+
+/*
+ * We are about to parse 0..n d2i_ASN1_bytes objects, we are to collapse them
+ * into the one structure that is then returned
+ */
+/*
+ * There have been a few bug fixes for this function from Paul Keogh
+ * <paul.keogh@sse.ie>, many thanks to him
+ */
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c,
+                                  int depth)
+{
+    ASN1_STRING *os = NULL;
+    BUF_MEM b;
+    int num;
+
+    b.length = 0;
+    b.max = 0;
+    b.data = NULL;
+
+    if (a == NULL) {
+        c->error = ERR_R_PASSED_NULL_PARAMETER;
+        goto err;
+    }
+
+    num = 0;
+    for (;;) {
+        if (c->inf & 1) {
+            c->eos = ASN1_const_check_infinite_end(&c->p,
+                                                   (long)(c->max - c->p));
+            if (c->eos)
+                break;
+        } else {
+            if (c->slen <= 0)
+                break;
+        }
+
+        c->q = c->p;
+        if (int_d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, c->xclass,
+                               depth + 1, &c->error) == NULL) {
+            goto err;
+        }
+
+        if (!BUF_MEM_grow_clean(&b, num + os->length)) {
+            c->error = ERR_R_BUF_LIB;
+            goto err;
+        }
+        memcpy(&(b.data[num]), os->data, os->length);
+        if (!(c->inf & 1))
+            c->slen -= (c->p - c->q);
+        num += os->length;
+    }
+
+    if (!asn1_const_Finish(c))
+        goto err;
+
+    a->length = num;
+    if (a->data != NULL)
+        OPENSSL_free(a->data);
+    a->data = (unsigned char *)b.data;
+    if (os != NULL)
+        ASN1_STRING_free(os);
+    return (1);
+ err:
+    if (os != NULL)
+        ASN1_STRING_free(os);
+    if (b.data != NULL)
+        OPENSSL_free(b.data);
+    return (0);
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c b/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c
index e5c1d0ed..51b6f245 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_d2i_fp.c
@@ -1,23 +1,71 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_d2i_fp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <limits.h>
-#include "internal/cryptlib.h"
-#include "internal/numbers.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
-#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
 
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
 
 #ifndef NO_OLD_ASN1
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 
 void *ASN1_d2i_fp(void *(*xnew) (void), d2i_of_void *d2i, FILE *in, void **x)
 {
@@ -49,7 +97,8 @@ void *ASN1_d2i_bio(void *(*xnew) (void), d2i_of_void *d2i, BIO *in, void **x)
     p = (unsigned char *)b->data;
     ret = d2i(x, &p, len);
  err:
-    BUF_MEM_free(b);
+    if (b != NULL)
+        BUF_MEM_free(b);
     return (ret);
 }
 
@@ -69,11 +118,12 @@ void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x)
     p = (const unsigned char *)b->data;
     ret = ASN1_item_d2i(x, &p, len, it);
  err:
-    BUF_MEM_free(b);
+    if (b != NULL)
+        BUF_MEM_free(b);
     return (ret);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 {
     BIO *b;
@@ -97,15 +147,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
     BUF_MEM *b;
     unsigned char *p;
     int i;
+    ASN1_const_CTX c;
     size_t want = HEADER_SIZE;
-    uint32_t eos = 0;
+    int eos = 0;
     size_t off = 0;
     size_t len = 0;
 
-    const unsigned char *q;
-    long slen;
-    int inf, tag, xclass;
-
     b = BUF_MEM_new();
     if (b == NULL) {
         ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
@@ -137,9 +184,10 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
         /* else data already loaded */
 
         p = (unsigned char *)&(b->data[off]);
-        q = p;
-        inf = ASN1_get_object(&q, &slen, &tag, &xclass, len - off);
-        if (inf & 0x80) {
+        c.p = p;
+        c.inf = ASN1_get_object(&(c.p), &(c.slen), &(c.tag), &(c.xclass),
+                                len - off);
+        if (c.inf & 0x80) {
             unsigned long e;
 
             e = ERR_GET_REASON(ERR_peek_error());
@@ -148,27 +196,27 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
             else
                 ERR_clear_error(); /* clear error */
         }
-        i = q - p;            /* header length */
+        i = c.p - p;            /* header length */
         off += i;               /* end of data */
 
-        if (inf & 1) {
+        if (c.inf & 1) {
             /* no data body so go round again */
-            if (eos == UINT32_MAX) {
+            eos++;
+            if (eos < 0) {
                 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_HEADER_TOO_LONG);
                 goto err;
             }
-            eos++;
             want = HEADER_SIZE;
-        } else if (eos && (slen == 0) && (tag == V_ASN1_EOC)) {
+        } else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC)) {
             /* eos value, so go back and read another header */
             eos--;
-            if (eos == 0)
+            if (eos <= 0)
                 break;
             else
                 want = HEADER_SIZE;
         } else {
-            /* suck in slen bytes of data */
-            want = slen;
+            /* suck in c.slen bytes of data */
+            want = c.slen;
             if (want > (len - off)) {
                 size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
 
@@ -210,12 +258,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                         chunk_max *= 2;
                 }
             }
-            if (off + slen < off) {
+            if (off + c.slen < off) {
                 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
                 goto err;
             }
-            off += slen;
-            if (eos == 0) {
+            off += c.slen;
+            if (eos <= 0) {
                 break;
             } else
                 want = HEADER_SIZE;
@@ -230,6 +278,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
     *pb = b;
     return off;
  err:
-    BUF_MEM_free(b);
+    if (b != NULL)
+        BUF_MEM_free(b);
     return -1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_digest.c b/Cryptlib/OpenSSL/crypto/asn1/a_digest.c
index 46bff0d8..7cbc4751 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_digest.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_digest.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_digest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <time.h>
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef NO_SYS_TYPES_H
 # include <sys/types.h>
@@ -30,17 +79,15 @@ int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
     unsigned char *str, *p;
 
     i = i2d(data, NULL);
-    if ((str = OPENSSL_malloc(i)) == NULL) {
+    if ((str = (unsigned char *)OPENSSL_malloc(i)) == NULL) {
         ASN1err(ASN1_F_ASN1_DIGEST, ERR_R_MALLOC_FAILURE);
         return (0);
     }
     p = str;
     i2d(data, &p);
 
-    if (!EVP_Digest(str, i, md, len, type, NULL)) {
-        OPENSSL_free(str);
+    if (!EVP_Digest(str, i, md, len, type, NULL))
         return 0;
-    }
     OPENSSL_free(str);
     return (1);
 }
@@ -57,10 +104,8 @@ int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,
     if (!str)
         return (0);
 
-    if (!EVP_Digest(str, i, md, len, type, NULL)) {
-        OPENSSL_free(str);
+    if (!EVP_Digest(str, i, md, len, type, NULL))
         return 0;
-    }
     OPENSSL_free(str);
     return (1);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_dup.c b/Cryptlib/OpenSSL/crypto/asn1/a_dup.c
index d9a57b2c..349ab562 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_dup.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_dup.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_dup.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 
 #ifndef NO_OLD_ASN1
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_enum.c b/Cryptlib/OpenSSL/crypto/asn1/a_enum.c
new file mode 100644
index 00000000..c3498ac9
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_enum.c
@@ -0,0 +1,181 @@
+/* crypto/asn1/a_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/bn.h>
+
+/*
+ * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
+ * for comments on encoding see a_int.c
+ */
+
+int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
+{
+    int j, k;
+    unsigned int i;
+    unsigned char buf[sizeof(long) + 1];
+    long d;
+
+    a->type = V_ASN1_ENUMERATED;
+    if (a->length < (int)(sizeof(long) + 1)) {
+        if (a->data != NULL)
+            OPENSSL_free(a->data);
+        if ((a->data =
+             (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL)
+            memset((char *)a->data, 0, sizeof(long) + 1);
+    }
+    if (a->data == NULL) {
+        ASN1err(ASN1_F_ASN1_ENUMERATED_SET, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+    d = v;
+    if (d < 0) {
+        d = -d;
+        a->type = V_ASN1_NEG_ENUMERATED;
+    }
+
+    for (i = 0; i < sizeof(long); i++) {
+        if (d == 0)
+            break;
+        buf[i] = (int)d & 0xff;
+        d >>= 8;
+    }
+    j = 0;
+    for (k = i - 1; k >= 0; k--)
+        a->data[j++] = buf[k];
+    a->length = j;
+    return (1);
+}
+
+long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
+{
+    int neg = 0, i;
+    long r = 0;
+
+    if (a == NULL)
+        return (0L);
+    i = a->type;
+    if (i == V_ASN1_NEG_ENUMERATED)
+        neg = 1;
+    else if (i != V_ASN1_ENUMERATED)
+        return -1;
+
+    if (a->length > (int)sizeof(long)) {
+        /* hmm... a bit ugly */
+        return (0xffffffffL);
+    }
+    if (a->data == NULL)
+        return 0;
+
+    for (i = 0; i < a->length; i++) {
+        r <<= 8;
+        r |= (unsigned char)a->data[i];
+    }
+    if (neg)
+        r = -r;
+    return (r);
+}
+
+ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
+{
+    ASN1_ENUMERATED *ret;
+    int len, j;
+
+    if (ai == NULL)
+        ret = M_ASN1_ENUMERATED_new();
+    else
+        ret = ai;
+    if (ret == NULL) {
+        ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED, ERR_R_NESTED_ASN1_ERROR);
+        goto err;
+    }
+    if (BN_is_negative(bn))
+        ret->type = V_ASN1_NEG_ENUMERATED;
+    else
+        ret->type = V_ASN1_ENUMERATED;
+    j = BN_num_bits(bn);
+    len = ((j == 0) ? 0 : ((j / 8) + 1));
+    if (ret->length < len + 4) {
+        unsigned char *new_data = OPENSSL_realloc(ret->data, len + 4);
+        if (!new_data) {
+            ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+        ret->data = new_data;
+    }
+
+    ret->length = BN_bn2bin(bn, ret->data);
+    return (ret);
+ err:
+    if (ret != ai)
+        M_ASN1_ENUMERATED_free(ret);
+    return (NULL);
+}
+
+BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
+{
+    BIGNUM *ret;
+
+    if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL)
+        ASN1err(ASN1_F_ASN1_ENUMERATED_TO_BN, ASN1_R_BN_LIB);
+    else if (ai->type == V_ASN1_NEG_ENUMERATED)
+        BN_set_negative(ret, 1);
+    return (ret);
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c b/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c
index c02c8d9a..fa76dcac 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_gentm.c
@@ -1,22 +1,123 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_gentm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /*
- * GENERALIZEDTIME implementation. Based on UTCTIME
+ * GENERALIZEDTIME implementation, written by Steve Henson. Based on UTCTIME
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include "o_time.h"
 #include <openssl/asn1.h>
 #include "asn1_locl.h"
 
+#if 0
+
+int i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a, unsigned char **pp)
+{
+# ifdef CHARSET_EBCDIC
+    /* KLUDGE! We convert to ascii before writing DER */
+    int len;
+    char tmp[24];
+    ASN1_STRING tmpstr = *(ASN1_STRING *)a;
+
+    len = tmpstr.length;
+    ebcdic2ascii(tmp, tmpstr.data, (len >= sizeof tmp) ? sizeof tmp : len);
+    tmpstr.data = tmp;
+
+    a = (ASN1_GENERALIZEDTIME *)&tmpstr;
+# endif
+    return (i2d_ASN1_bytes((ASN1_STRING *)a, pp,
+                           V_ASN1_GENERALIZEDTIME, V_ASN1_UNIVERSAL));
+}
+
+ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,
+                                               unsigned char **pp,
+                                               long length)
+{
+    ASN1_GENERALIZEDTIME *ret = NULL;
+
+    ret =
+        (ASN1_GENERALIZEDTIME *)d2i_ASN1_bytes((ASN1_STRING **)a, pp, length,
+                                               V_ASN1_GENERALIZEDTIME,
+                                               V_ASN1_UNIVERSAL);
+    if (ret == NULL) {
+        ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME, ERR_R_NESTED_ASN1_ERROR);
+        return (NULL);
+    }
+# ifdef CHARSET_EBCDIC
+    ascii2ebcdic(ret->data, ret->data, ret->length);
+# endif
+    if (!ASN1_GENERALIZEDTIME_check(ret)) {
+        ASN1err(ASN1_F_D2I_ASN1_GENERALIZEDTIME, ASN1_R_INVALID_TIME_FORMAT);
+        goto err;
+    }
+
+    return (ret);
+ err:
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        M_ASN1_GENERALIZEDTIME_free(ret);
+    return (NULL);
+}
+
+#endif
+
 int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
 {
     static const int min[9] = { 0, 0, 1, 1, 0, 0, 0, 0, 0 };
@@ -148,7 +249,8 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str)
     t.data = (unsigned char *)str;
     if (ASN1_GENERALIZEDTIME_check(&t)) {
         if (s != NULL) {
-            if (!ASN1_STRING_set((ASN1_STRING *)s, str, t.length))
+            if (!ASN1_STRING_set((ASN1_STRING *)s,
+                                 (unsigned char *)str, t.length))
                 return 0;
             s->type = V_ASN1_GENERALIZEDTIME;
         }
@@ -171,103 +273,40 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
     struct tm *ts;
     struct tm data;
     size_t len = 20;
-    ASN1_GENERALIZEDTIME *tmps = NULL;
 
     if (s == NULL)
-        tmps = ASN1_GENERALIZEDTIME_new();
-    else
-        tmps = s;
-    if (tmps == NULL)
-        return NULL;
+        s = M_ASN1_GENERALIZEDTIME_new();
+    if (s == NULL)
+        return (NULL);
 
     ts = OPENSSL_gmtime(&t, &data);
     if (ts == NULL)
-        goto err;
+        return (NULL);
 
     if (offset_day || offset_sec) {
         if (!OPENSSL_gmtime_adj(ts, offset_day, offset_sec))
-            goto err;
+            return NULL;
     }
 
-    p = (char *)tmps->data;
-    if ((p == NULL) || ((size_t)tmps->length < len)) {
+    p = (char *)s->data;
+    if ((p == NULL) || ((size_t)s->length < len)) {
         p = OPENSSL_malloc(len);
         if (p == NULL) {
             ASN1err(ASN1_F_ASN1_GENERALIZEDTIME_ADJ, ERR_R_MALLOC_FAILURE);
-            goto err;
+            return (NULL);
         }
-        OPENSSL_free(tmps->data);
-        tmps->data = (unsigned char *)p;
+        if (s->data != NULL)
+            OPENSSL_free(s->data);
+        s->data = (unsigned char *)p;
     }
 
     BIO_snprintf(p, len, "%04d%02d%02d%02d%02d%02dZ", ts->tm_year + 1900,
                  ts->tm_mon + 1, ts->tm_mday, ts->tm_hour, ts->tm_min,
                  ts->tm_sec);
-    tmps->length = strlen(p);
-    tmps->type = V_ASN1_GENERALIZEDTIME;
+    s->length = strlen(p);
+    s->type = V_ASN1_GENERALIZEDTIME;
 #ifdef CHARSET_EBCDIC_not
-    ebcdic2ascii(tmps->data, tmps->data, tmps->length);
+    ebcdic2ascii(s->data, s->data, s->length);
 #endif
-    return tmps;
- err:
-    if (s == NULL)
-        ASN1_GENERALIZEDTIME_free(tmps);
-    return NULL;
-}
-
-const char *_asn1_mon[12] = {
-    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
-    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-};
-
-int ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
-{
-    char *v;
-    int gmt = 0;
-    int i;
-    int y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
-    char *f = NULL;
-    int f_len = 0;
-
-    i = tm->length;
-    v = (char *)tm->data;
-
-    if (i < 12)
-        goto err;
-    if (v[i - 1] == 'Z')
-        gmt = 1;
-    for (i = 0; i < 12; i++)
-        if ((v[i] > '9') || (v[i] < '0'))
-            goto err;
-    y = (v[0] - '0') * 1000 + (v[1] - '0') * 100
-        + (v[2] - '0') * 10 + (v[3] - '0');
-    M = (v[4] - '0') * 10 + (v[5] - '0');
-    if ((M > 12) || (M < 1))
-        goto err;
-    d = (v[6] - '0') * 10 + (v[7] - '0');
-    h = (v[8] - '0') * 10 + (v[9] - '0');
-    m = (v[10] - '0') * 10 + (v[11] - '0');
-    if (tm->length >= 14 &&
-        (v[12] >= '0') && (v[12] <= '9') &&
-        (v[13] >= '0') && (v[13] <= '9')) {
-        s = (v[12] - '0') * 10 + (v[13] - '0');
-        /* Check for fractions of seconds. */
-        if (tm->length >= 15 && v[14] == '.') {
-            int l = tm->length;
-            f = &v[14];         /* The decimal point. */
-            f_len = 1;
-            while (14 + f_len < l && f[f_len] >= '0' && f[f_len] <= '9')
-                ++f_len;
-        }
-    }
-
-    if (BIO_printf(bp, "%s %2d %02d:%02d:%02d%.*s %d%s",
-                   _asn1_mon[M - 1], d, h, m, s, f_len, f, y,
-                   (gmt) ? " GMT" : "") <= 0)
-        return (0);
-    else
-        return (1);
- err:
-    BIO_write(bp, "Bad time value", 14);
-    return (0);
+    return (s);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c b/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c
index 1514ede4..0f56cd4e 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_i2d_fp.c
@@ -1,20 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_i2d_fp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1.h>
 
 #ifndef NO_OLD_ASN1
 
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, void *x)
 {
     BIO *b;
@@ -38,7 +87,7 @@ int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x)
     int i, j = 0, n, ret = 1;
 
     n = i2d(x, NULL);
-    b = OPENSSL_malloc(n);
+    b = (char *)OPENSSL_malloc(n);
     if (b == NULL) {
         ASN1err(ASN1_F_ASN1_I2D_BIO, ERR_R_MALLOC_FAILURE);
         return (0);
@@ -64,7 +113,7 @@ int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x)
 
 #endif
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x)
 {
     BIO *b;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_int.c b/Cryptlib/OpenSSL/crypto/asn1/a_int.c
index e0bcd6e5..7e26704a 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_int.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_int.c
@@ -1,23 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_int.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include "internal/numbers.h"
-#include <limits.h>
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include "asn1_locl.h"
 
 ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x)
 {
-    return ASN1_STRING_dup(x);
+    return M_ASN1_INTEGER_dup(x);
 }
 
 int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y)
@@ -41,11 +87,10 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y)
 }
 
 /*-
- * This converts a big endian buffer and sign into its content encoding.
- * This is used for INTEGER and ENUMERATED types.
+ * This converts an ASN1 INTEGER into its content encoding.
  * The internal representation is an ASN1_STRING whose data is a big endian
  * representation of the value, ignoring the sign. The sign is determined by
- * the type: if type & V_ASN1_NEG is true it is negative, otherwise positive.
+ * the type: V_ASN1_INTEGER for positive and V_ASN1_NEG_INTEGER for negative.
  *
  * Positive integers are no problem: they are almost the same as the DER
  * encoding, except if the first byte is >= 0x80 we need to add a zero pad.
@@ -66,19 +111,19 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y)
  * followed by optional zeros isn't padded.
  */
 
-static size_t i2c_ibuf(const unsigned char *b, size_t blen, int neg,
-                       unsigned char **pp)
+int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 {
-    int pad = 0;
-    size_t ret, i;
-    unsigned char *p, pb = 0;
-    const unsigned char *n;
+    int pad = 0, ret, i, neg;
+    unsigned char *p, *n, pb = 0;
 
-    if (b == NULL || blen == 0)
+    if (a == NULL)
+        return (0);
+    neg = a->type & V_ASN1_NEG;
+    if (a->length == 0)
         ret = 1;
     else {
-        ret = blen;
-        i = b[0];
+        ret = a->length;
+        i = a->data[0];
         if (ret == 1 && i == 0)
             neg = 0;
         if (!neg && (i > 127)) {
@@ -93,8 +138,8 @@ static size_t i2c_ibuf(const unsigned char *b, size_t blen, int neg,
                  * Special case: if any other bytes non zero we pad:
                  * otherwise we don't.
                  */
-                for (i = 1; i < blen; i++)
-                    if (b[i]) {
+                for (i = 1; i < a->length; i++)
+                    if (a->data[i]) {
                         pad = 1;
                         pb = 0xFF;
                         break;
@@ -104,299 +149,127 @@ static size_t i2c_ibuf(const unsigned char *b, size_t blen, int neg,
         ret += pad;
     }
     if (pp == NULL)
-        return ret;
+        return (ret);
     p = *pp;
 
     if (pad)
         *(p++) = pb;
-    if (b == NULL || blen == 0)
-        *p = 0;
+    if (a->length == 0)
+        *(p++) = 0;
     else if (!neg)
-        memcpy(p, b, blen);
+        memcpy(p, a->data, (unsigned int)a->length);
     else {
         /* Begin at the end of the encoding */
-        n = b + blen;
-        p += blen;
-        i = blen;
+        n = a->data + a->length - 1;
+        p += a->length - 1;
+        i = a->length;
         /* Copy zeros to destination as long as source is zero */
-        while (!n[-1] && i > 1) {
-            *(--p) = 0;
+        while (!*n && i > 1) {
+            *(p--) = 0;
             n--;
             i--;
         }
         /* Complement and increment next octet */
-        *(--p) = ((*(--n)) ^ 0xff) + 1;
+        *(p--) = ((*(n--)) ^ 0xff) + 1;
         i--;
         /* Complement any octets left */
         for (; i > 0; i--)
-            *(--p) = *(--n) ^ 0xff;
+            *(p--) = *(n--) ^ 0xff;
     }
 
     *pp += ret;
-    return ret;
-}
-
-/*
- * convert content octets into a big endian buffer. Returns the length
- * of buffer or 0 on error: for malformed INTEGER. If output buffer is
- * NULL just return length.
- */
-
-static size_t c2i_ibuf(unsigned char *b, int *pneg,
-                       const unsigned char *p, size_t plen)
-{
-    size_t i;
-    int neg, pad;
-    /* Zero content length is illegal */
-    if (plen == 0) {
-        ASN1err(ASN1_F_C2I_IBUF, ASN1_R_ILLEGAL_ZERO_CONTENT);
-        return 0;
-    }
-    neg = p[0] & 0x80;
-    if (pneg)
-        *pneg = neg;
-    /* Handle common case where length is 1 octet separately */
-    if (plen == 1) {
-        if (b) {
-            if (neg)
-                b[0] = (p[0] ^ 0xFF) + 1;
-            else
-                b[0] = p[0];
-        }
-        return 1;
-    }
-    if (p[0] == 0 || p[0] == 0xFF)
-        pad = 1;
-    else
-        pad = 0;
-    /* reject illegal padding: first two octets MSB can't match */
-    if (pad && (neg == (p[1] & 0x80))) {
-        ASN1err(ASN1_F_C2I_IBUF, ASN1_R_ILLEGAL_PADDING);
-        return 0;
-    }
-    /* If positive just copy across */
-    if (neg == 0) {
-        if (b)
-            memcpy(b, p + pad, plen - pad);
-        return plen - pad;
-    }
-
-    if (neg && pad) {
-        /* check is any following octets are non zero */
-        for (i = 1; i < plen; i++) {
-            if (p[i] != 0)
-                break;
-        }
-        /* if all bytes are zero handle as special case */
-        if (i == plen) {
-            if (b) {
-                b[0] = 1;
-                memset(b + 1, 0, plen - 1);
-            }
-            return plen;
-        }
-    }
-
-    plen -= pad;
-    /* Must be negative: calculate twos complement */
-    if (b) {
-        const unsigned char *from = p + plen - 1 + pad;
-        unsigned char *to = b + plen;
-        i = plen;
-        while (*from == 0 && i) {
-            *--to = 0;
-            i--;
-            from--;
-        }
-        *--to = (*from-- ^ 0xff) + 1;
-        OPENSSL_assert(i != 0);
-        i--;
-        for (; i > 0; i--)
-            *--to = *from-- ^ 0xff;
-    }
-    return plen;
-}
-
-int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
-{
-    return i2c_ibuf(a->data, a->length, a->type & V_ASN1_NEG, pp);
-}
-
-/* Convert big endian buffer into uint64_t, return 0 on error */
-static int asn1_get_uint64(uint64_t *pr, const unsigned char *b, size_t blen)
-{
-    size_t i;
-    if (blen > sizeof(*pr)) {
-        ASN1err(ASN1_F_ASN1_GET_UINT64, ASN1_R_TOO_LARGE);
-        return 0;
-    }
-    *pr = 0;
-    if (b == NULL)
-        return 0;
-    for (i = 0; i < blen; i++) {
-        *pr <<= 8;
-        *pr |= b[i];
-    }
-    return 1;
+    return (ret);
 }
 
-static size_t asn1_put_uint64(unsigned char *b, uint64_t r)
-{
-    if (r >= 0x100) {
-        unsigned char *p;
-        uint64_t rtmp = r;
-        size_t i = 0;
-
-        /* Work out how many bytes we need */
-        while (rtmp) {
-            rtmp >>= 8;
-            i++;
-        }
-
-        /* Copy from end to beginning */
-        p = b + i - 1;
-
-        do {
-            *p-- = r & 0xFF;
-            r >>= 8;
-        } while (p >= b);
+/* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */
 
-        return i;
-    }
-
-    b[0] = (unsigned char)r;
-    return 1;
-
-}
-
-/*
- * Absolute value of INT64_MIN: we can't just use -INT64_MIN as it produces
- * overflow warnings.
- */
-
-#define ABS_INT64_MIN \
-    ((uint64_t)INT64_MAX + (uint64_t)(-(INT64_MIN + INT64_MAX)))
-
-/* signed version of asn1_get_uint64 */
-static int asn1_get_int64(int64_t *pr, const unsigned char *b, size_t blen,
-                          int neg)
-{
-    uint64_t r;
-    if (asn1_get_uint64(&r, b, blen) == 0)
-        return 0;
-    if (neg) {
-        if (r > ABS_INT64_MIN) {
-            ASN1err(ASN1_F_ASN1_GET_INT64, ASN1_R_TOO_SMALL);
-            return 0;
-        }
-        *pr = 0 - (uint64_t)r;
-    } else {
-        if (r > INT64_MAX) {
-            ASN1err(ASN1_F_ASN1_GET_INT64, ASN1_R_TOO_LARGE);
-            return 0;
-        }
-        *pr = (int64_t)r;
-    }
-    return 1;
-}
-
-/* Convert ASN1 INTEGER content octets to ASN1_INTEGER structure */
 ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
                                long len)
 {
     ASN1_INTEGER *ret = NULL;
-    size_t r;
-    int neg;
-
-    r = c2i_ibuf(NULL, NULL, *pp, len);
-
-    if (r == 0)
-        return NULL;
+    const unsigned char *p, *pend;
+    unsigned char *to, *s;
+    int i;
 
     if ((a == NULL) || ((*a) == NULL)) {
-        ret = ASN1_INTEGER_new();
-        if (ret == NULL)
-            return NULL;
+        if ((ret = M_ASN1_INTEGER_new()) == NULL)
+            return (NULL);
         ret->type = V_ASN1_INTEGER;
     } else
-        ret = *a;
-
-    if (ASN1_STRING_set(ret, NULL, r) == 0)
-        goto err;
-
-    c2i_ibuf(ret->data, &neg, *pp, len);
-
-    if (neg)
-        ret->type |= V_ASN1_NEG;
+        ret = (*a);
 
-    *pp += len;
-    if (a != NULL)
-        (*a) = ret;
-    return ret;
- err:
-    ASN1err(ASN1_F_C2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
-    if ((a == NULL) || (*a != ret))
-        ASN1_INTEGER_free(ret);
-    return NULL;
-}
+    p = *pp;
+    pend = p + len;
 
-static int asn1_string_get_int64(int64_t *pr, const ASN1_STRING *a, int itype)
-{
-    if (a == NULL) {
-        ASN1err(ASN1_F_ASN1_STRING_GET_INT64, ERR_R_PASSED_NULL_PARAMETER);
-        return 0;
-    }
-    if ((a->type & ~V_ASN1_NEG) != itype) {
-        ASN1err(ASN1_F_ASN1_STRING_GET_INT64, ASN1_R_WRONG_INTEGER_TYPE);
-        return 0;
+    /*
+     * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
+     * a missing NULL parameter.
+     */
+    s = (unsigned char *)OPENSSL_malloc((int)len + 1);
+    if (s == NULL) {
+        i = ERR_R_MALLOC_FAILURE;
+        goto err;
     }
-    return asn1_get_int64(pr, a->data, a->length, a->type & V_ASN1_NEG);
-}
-
-static int asn1_string_set_int64(ASN1_STRING *a, int64_t r, int itype)
-{
-    unsigned char tbuf[sizeof(r)];
-    size_t l;
-    a->type = itype;
-    if (r < 0) {
-        l = asn1_put_uint64(tbuf, -r);
-        a->type |= V_ASN1_NEG;
+    to = s;
+    if (!len) {
+        /*
+         * Strictly speaking this is an illegal INTEGER but we tolerate it.
+         */
+        ret->type = V_ASN1_INTEGER;
+    } else if (*p & 0x80) {     /* a negative number */
+        ret->type = V_ASN1_NEG_INTEGER;
+        if ((*p == 0xff) && (len != 1)) {
+            p++;
+            len--;
+        }
+        i = len;
+        p += i - 1;
+        to += i - 1;
+        while ((!*p) && i) {
+            *(to--) = 0;
+            i--;
+            p--;
+        }
+        /*
+         * Special case: if all zeros then the number will be of the form FF
+         * followed by n zero bytes: this corresponds to 1 followed by n zero
+         * bytes. We've already written n zeros so we just append an extra
+         * one and set the first byte to a 1. This is treated separately
+         * because it is the only case where the number of bytes is larger
+         * than len.
+         */
+        if (!i) {
+            *s = 1;
+            s[len] = 0;
+            len++;
+        } else {
+            *(to--) = (*(p--) ^ 0xff) + 1;
+            i--;
+            for (; i > 0; i--)
+                *(to--) = *(p--) ^ 0xff;
+        }
     } else {
-        l = asn1_put_uint64(tbuf, r);
-        a->type &= ~V_ASN1_NEG;
-    }
-    if (l == 0)
-        return 0;
-    return ASN1_STRING_set(a, tbuf, l);
-}
-
-static int asn1_string_get_uint64(uint64_t *pr, const ASN1_STRING *a,
-                                  int itype)
-{
-    if (a == NULL) {
-        ASN1err(ASN1_F_ASN1_STRING_GET_UINT64, ERR_R_PASSED_NULL_PARAMETER);
-        return 0;
-    }
-    if ((a->type & ~V_ASN1_NEG) != itype) {
-        ASN1err(ASN1_F_ASN1_STRING_GET_UINT64, ASN1_R_WRONG_INTEGER_TYPE);
-        return 0;
-    }
-    if (a->type & V_ASN1_NEG) {
-        ASN1err(ASN1_F_ASN1_STRING_GET_UINT64, ASN1_R_ILLEGAL_NEGATIVE_VALUE);
-        return 0;
+        ret->type = V_ASN1_INTEGER;
+        if ((*p == 0) && (len != 1)) {
+            p++;
+            len--;
+        }
+        memcpy(s, p, (int)len);
     }
-    return asn1_get_uint64(pr, a->data, a->length);
-}
 
-static int asn1_string_set_uint64(ASN1_STRING *a, uint64_t r, int itype)
-{
-    unsigned char tbuf[sizeof(r)];
-    size_t l;
-    a->type = itype;
-    l = asn1_put_uint64(tbuf, r);
-    if (l == 0)
-        return 0;
-    return ASN1_STRING_set(a, tbuf, l);
+    if (ret->data != NULL)
+        OPENSSL_free(ret->data);
+    ret->data = s;
+    ret->length = (int)len;
+    if (a != NULL)
+        (*a) = ret;
+    *pp = pend;
+    return (ret);
+ err:
+    ASN1err(ASN1_F_C2I_ASN1_INTEGER, i);
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        M_ASN1_INTEGER_free(ret);
+    return (NULL);
 }
 
 /*
@@ -416,7 +289,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     int i;
 
     if ((a == NULL) || ((*a) == NULL)) {
-        if ((ret = ASN1_INTEGER_new()) == NULL)
+        if ((ret = M_ASN1_INTEGER_new()) == NULL)
             return (NULL);
         ret->type = V_ASN1_INTEGER;
     } else
@@ -438,7 +311,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
      * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
      * a missing NULL parameter.
      */
-    s = OPENSSL_malloc((int)len + 1);
+    s = (unsigned char *)OPENSSL_malloc((int)len + 1);
     if (s == NULL) {
         i = ERR_R_MALLOC_FAILURE;
         goto err;
@@ -453,7 +326,8 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
         p += len;
     }
 
-    OPENSSL_free(ret->data);
+    if (ret->data != NULL)
+        OPENSSL_free(ret->data);
     ret->data = s;
     ret->length = (int)len;
     if (a != NULL)
@@ -462,163 +336,129 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     return (ret);
  err:
     ASN1err(ASN1_F_D2I_ASN1_UINTEGER, i);
-    if ((a == NULL) || (*a != ret))
-        ASN1_INTEGER_free(ret);
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        M_ASN1_INTEGER_free(ret);
     return (NULL);
 }
 
-static ASN1_STRING *bn_to_asn1_string(const BIGNUM *bn, ASN1_STRING *ai,
-                                      int atype)
+int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 {
-    ASN1_INTEGER *ret;
-    int len;
-
-    if (ai == NULL) {
-        ret = ASN1_STRING_type_new(atype);
-    } else {
-        ret = ai;
-        ret->type = atype;
+    int j, k;
+    unsigned int i;
+    unsigned char buf[sizeof(long) + 1];
+    long d;
+
+    a->type = V_ASN1_INTEGER;
+    if (a->length < (int)(sizeof(long) + 1)) {
+        if (a->data != NULL)
+            OPENSSL_free(a->data);
+        if ((a->data =
+             (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL)
+            memset((char *)a->data, 0, sizeof(long) + 1);
     }
-
-    if (ret == NULL) {
-        ASN1err(ASN1_F_BN_TO_ASN1_STRING, ERR_R_NESTED_ASN1_ERROR);
-        goto err;
+    if (a->data == NULL) {
+        ASN1err(ASN1_F_ASN1_INTEGER_SET, ERR_R_MALLOC_FAILURE);
+        return (0);
     }
-
-    if (BN_is_negative(bn) && !BN_is_zero(bn))
-        ret->type |= V_ASN1_NEG_INTEGER;
-
-    len = BN_num_bytes(bn);
-
-    if (len == 0)
-        len = 1;
-
-    if (ASN1_STRING_set(ret, NULL, len) == 0) {
-        ASN1err(ASN1_F_BN_TO_ASN1_STRING, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    /* Correct zero case */
-    if (BN_is_zero(bn))
-        ret->data[0] = 0;
-    else
-        len = BN_bn2bin(bn, ret->data);
-    ret->length = len;
-    return ret;
- err:
-    if (ret != ai)
-        ASN1_INTEGER_free(ret);
-    return (NULL);
-}
-
-static BIGNUM *asn1_string_to_bn(const ASN1_INTEGER *ai, BIGNUM *bn,
-                                 int itype)
-{
-    BIGNUM *ret;
-
-    if ((ai->type & ~V_ASN1_NEG) != itype) {
-        ASN1err(ASN1_F_ASN1_STRING_TO_BN, ASN1_R_WRONG_INTEGER_TYPE);
-        return NULL;
+    d = v;
+    if (d < 0) {
+        d = -d;
+        a->type = V_ASN1_NEG_INTEGER;
     }
 
-    ret = BN_bin2bn(ai->data, ai->length, bn);
-    if (ret == 0) {
-        ASN1err(ASN1_F_ASN1_STRING_TO_BN, ASN1_R_BN_LIB);
-        return NULL;
+    for (i = 0; i < sizeof(long); i++) {
+        if (d == 0)
+            break;
+        buf[i] = (int)d & 0xff;
+        d >>= 8;
     }
-    if (ai->type & V_ASN1_NEG)
-        BN_set_negative(ret, 1);
-    return ret;
-}
-
-int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a)
-{
-    return asn1_string_get_int64(pr, a, V_ASN1_INTEGER);
-}
-
-int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r)
-{
-    return asn1_string_set_int64(a, r, V_ASN1_INTEGER);
-}
-
-int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a)
-{
-    return asn1_string_get_uint64(pr, a, V_ASN1_INTEGER);
-}
-
-int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r)
-{
-    return asn1_string_set_uint64(a, r, V_ASN1_INTEGER);
-}
-
-int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
-{
-    return ASN1_INTEGER_set_int64(a, v);
+    j = 0;
+    for (k = i - 1; k >= 0; k--)
+        a->data[j++] = buf[k];
+    a->length = j;
+    return (1);
 }
 
 long ASN1_INTEGER_get(const ASN1_INTEGER *a)
 {
-    int i;
-    int64_t r;
+    int neg = 0, i;
+    long r = 0;
+
     if (a == NULL)
-        return 0;
-    i = ASN1_INTEGER_get_int64(&r, a);
-    if (i == 0)
+        return (0L);
+    i = a->type;
+    if (i == V_ASN1_NEG_INTEGER)
+        neg = 1;
+    else if (i != V_ASN1_INTEGER)
         return -1;
-    if (r > LONG_MAX || r < LONG_MIN)
-        return -1;
-    return (long)r;
-}
 
-ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
-{
-    return bn_to_asn1_string(bn, ai, V_ASN1_INTEGER);
-}
+    if (a->length > (int)sizeof(long)) {
+        /* hmm... a bit ugly, return all ones */
+        return -1;
+    }
+    if (a->data == NULL)
+        return 0;
 
-BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn)
-{
-    return asn1_string_to_bn(ai, bn, V_ASN1_INTEGER);
+    for (i = 0; i < a->length; i++) {
+        r <<= 8;
+        r |= (unsigned char)a->data[i];
+    }
+    if (neg)
+        r = -r;
+    return (r);
 }
 
-int ASN1_ENUMERATED_get_int64(int64_t *pr, const ASN1_ENUMERATED *a)
+ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
 {
-    return asn1_string_get_int64(pr, a, V_ASN1_ENUMERATED);
-}
+    ASN1_INTEGER *ret;
+    int len, j;
 
-int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t r)
-{
-    return asn1_string_set_int64(a, r, V_ASN1_ENUMERATED);
+    if (ai == NULL)
+        ret = M_ASN1_INTEGER_new();
+    else
+        ret = ai;
+    if (ret == NULL) {
+        ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR);
+        goto err;
+    }
+    if (BN_is_negative(bn) && !BN_is_zero(bn))
+        ret->type = V_ASN1_NEG_INTEGER;
+    else
+        ret->type = V_ASN1_INTEGER;
+    j = BN_num_bits(bn);
+    len = ((j == 0) ? 0 : ((j / 8) + 1));
+    if (ret->length < len + 4) {
+        unsigned char *new_data = OPENSSL_realloc(ret->data, len + 4);
+        if (!new_data) {
+            ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+        ret->data = new_data;
+    }
+    ret->length = BN_bn2bin(bn, ret->data);
+    /* Correct zero case */
+    if (!ret->length) {
+        ret->data[0] = 0;
+        ret->length = 1;
+    }
+    return (ret);
+ err:
+    if (ret != ai)
+        M_ASN1_INTEGER_free(ret);
+    return (NULL);
 }
 
-int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
+BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn)
 {
-    return ASN1_ENUMERATED_set_int64(a, v);
-}
+    BIGNUM *ret;
 
-long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a)
-{
-    int i;
-    int64_t r;
-    if (a == NULL)
-        return 0;
-    if ((a->type & ~V_ASN1_NEG) != V_ASN1_ENUMERATED)
-        return -1;
-    if (a->length > (int)sizeof(long))
-        return 0xffffffffL;
-    i = ASN1_ENUMERATED_get_int64(&r, a);
-    if (i == 0)
-        return -1;
-    if (r > LONG_MAX || r < LONG_MIN)
-        return -1;
-    return (long)r;
+    if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL)
+        ASN1err(ASN1_F_ASN1_INTEGER_TO_BN, ASN1_R_BN_LIB);
+    else if (ai->type == V_ASN1_NEG_INTEGER)
+        BN_set_negative(ret, 1);
+    return (ret);
 }
 
-ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai)
-{
-    return bn_to_asn1_string(bn, ai, V_ASN1_ENUMERATED);
-}
+IMPLEMENT_STACK_OF(ASN1_INTEGER)
 
-BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn)
-{
-    return asn1_string_to_bn(ai, bn, V_ASN1_ENUMERATED);
-}
+IMPLEMENT_ASN1_SET_OF(ASN1_INTEGER)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c b/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c
index 5578e923..6935efe0 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_mbstr.c
@@ -1,15 +1,65 @@
+/* a_mbstr.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 
 static int traverse_string(const unsigned char *p, int len, int inform,
@@ -22,14 +72,13 @@ static int cpy_asc(unsigned long value, void *arg);
 static int cpy_bmp(unsigned long value, void *arg);
 static int cpy_univ(unsigned long value, void *arg);
 static int cpy_utf8(unsigned long value, void *arg);
-static int is_numeric(unsigned long value);
 static int is_printable(unsigned long value);
 
 /*
  * These functions take a string in UTF8, ASCII or multibyte form and a mask
  * of permissible ASN1 string types. It then works out the minimal type
- * (using the order Numeric < Printable < IA5 < T61 < BMP < Universal < UTF8)
- * and creates a string of the correct type with the supplied data. Yes this is
+ * (using the order Printable < IA5 < T61 < BMP < Universal < UTF8) and
+ * creates a string of the correct type with the supplied data. Yes this is
  * horrible: it has to be :-( The 'ncopy' form checks minimum and maximum
  * size limits too.
  */
@@ -120,9 +169,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 
     /* Now work out output format and string type */
     outform = MBSTRING_ASC;
-    if (mask & B_ASN1_NUMERICSTRING)
-        str_type = V_ASN1_NUMERICSTRING;
-    else if (mask & B_ASN1_PRINTABLESTRING)
+    if (mask & B_ASN1_PRINTABLESTRING)
         str_type = V_ASN1_PRINTABLESTRING;
     else if (mask & B_ASN1_IA5STRING)
         str_type = V_ASN1_IA5STRING;
@@ -143,14 +190,16 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
     if (*out) {
         free_out = 0;
         dest = *out;
-        OPENSSL_free(dest->data);
-        dest->data = NULL;
-        dest->length = 0;
+        if (dest->data) {
+            dest->length = 0;
+            OPENSSL_free(dest->data);
+            dest->data = NULL;
+        }
         dest->type = str_type;
     } else {
         free_out = 1;
         dest = ASN1_STRING_type_new(str_type);
-        if (dest == NULL) {
+        if (!dest) {
             ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ERR_R_MALLOC_FAILURE);
             return -1;
         }
@@ -188,7 +237,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
         cpyfunc = cpy_utf8;
         break;
     }
-    if ((p = OPENSSL_malloc(outlen + 1)) == NULL) {
+    if (!(p = OPENSSL_malloc(outlen + 1))) {
         if (free_out)
             ASN1_STRING_free(dest);
         ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ERR_R_MALLOC_FAILURE);
@@ -273,8 +322,6 @@ static int type_str(unsigned long value, void *arg)
 {
     unsigned long types;
     types = *((unsigned long *)arg);
-    if ((types & B_ASN1_NUMERICSTRING) && !is_numeric(value))
-        types &= ~B_ASN1_NUMERICSTRING;
     if ((types & B_ASN1_PRINTABLESTRING) && !is_printable(value))
         types &= ~B_ASN1_PRINTABLESTRING;
     if ((types & B_ASN1_IA5STRING) && (value > 127))
@@ -374,22 +421,3 @@ static int is_printable(unsigned long value)
 #endif                          /* CHARSET_EBCDIC */
     return 0;
 }
-
-/* Return 1 if the character is a digit or space */
-static int is_numeric(unsigned long value)
-{
-    int ch;
-    if (value > 0x7f)
-        return 0;
-    ch = (int)value;
-#ifndef CHARSET_EBCDIC
-    if (!isdigit(ch) && ch != ' ')
-        return 0;
-#else
-    if (ch > os_toascii['9'])
-        return 0;
-    if (ch < os_toascii['0'] && ch != os_toascii[' '])
-        return 0;
-#endif
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_object.c b/Cryptlib/OpenSSL/crypto/asn1/a_object.c
index 79f0ecd2..229a40ff 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_object.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_object.c
@@ -1,23 +1,70 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_object.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <limits.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/bn.h>
-#include "internal/asn1_int.h"
-#include "asn1_locl.h"
 
-int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
+int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
 {
     unsigned char *p;
     int objsize;
@@ -90,9 +137,9 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
             }
             if (!use_bn && l >= ((ULONG_MAX - 80) / 10L)) {
                 use_bn = 1;
-                if (bl == NULL)
+                if (!bl)
                     bl = BN_new();
-                if (bl == NULL || !BN_set_word(bl, l))
+                if (!bl || !BN_set_word(bl, l))
                     goto err;
             }
             if (use_bn) {
@@ -124,7 +171,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
                     OPENSSL_free(tmp);
                 tmpsize = blsize + 32;
                 tmp = OPENSSL_malloc(tmpsize);
-                if (tmp == NULL)
+                if (!tmp)
                     goto err;
             }
             while (blsize--) {
@@ -156,21 +203,23 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
     }
     if (tmp != ftmp)
         OPENSSL_free(tmp);
-    BN_free(bl);
+    if (bl)
+        BN_free(bl);
     return (len);
  err:
     if (tmp != ftmp)
         OPENSSL_free(tmp);
-    BN_free(bl);
+    if (bl)
+        BN_free(bl);
     return (0);
 }
 
-int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a)
+int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
 {
     return OBJ_obj2txt(buf, buf_len, a, 0);
 }
 
-int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
+int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 {
     char buf[80], *p = buf;
     int i;
@@ -180,15 +229,12 @@ int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
     i = i2t_ASN1_OBJECT(buf, sizeof buf, a);
     if (i > (int)(sizeof(buf) - 1)) {
         p = OPENSSL_malloc(i + 1);
-        if (p == NULL)
+        if (!p)
             return -1;
         i2t_ASN1_OBJECT(p, i + 1, a);
     }
-    if (i <= 0) {
-        i = BIO_write(bp, "<INVALID>", 9);
-        i += BIO_dump(bp, (const char *)a->data, a->length);
-        return i;
-    }
+    if (i <= 0)
+        return BIO_write(bp, "<INVALID>", 9);
     BIO_write(bp, p, i);
     if (p != buf)
         OPENSSL_free(p);
@@ -226,7 +272,7 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
                              long len)
 {
-    ASN1_OBJECT *ret = NULL, tobj;
+    ASN1_OBJECT *ret = NULL;
     const unsigned char *p;
     unsigned char *data;
     int i, length;
@@ -243,29 +289,6 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
     }
     /* Now 0 < len <= INT_MAX, so the cast is safe. */
     length = (int)len;
-    /*
-     * Try to lookup OID in table: these are all valid encodings so if we get
-     * a match we know the OID is valid.
-     */
-    tobj.nid = NID_undef;
-    tobj.data = p;
-    tobj.length = length;
-    tobj.flags = 0;
-    i = OBJ_obj2nid(&tobj);
-    if (i != NID_undef) {
-        /*
-         * Return shared registered OID object: this improves efficiency
-         * because we don't have to return a dynamically allocated OID
-         * and NID lookups can use the cached value.
-         */
-        ret = OBJ_nid2obj(i);
-        if (a) {
-            ASN1_OBJECT_free(*a);
-            *a = ret;
-        }
-        *pp += len;
-        return ret;
-    }
     for (i = 0; i < length; i++, p++) {
         if (*p == 0x80 && (!i || !(p[-1] & 0x80))) {
             ASN1err(ASN1_F_C2I_ASN1_OBJECT, ASN1_R_INVALID_OBJECT_ENCODING);
@@ -291,8 +314,9 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
     /* once detached we can change it */
     if ((data == NULL) || (ret->length < length)) {
         ret->length = 0;
-        OPENSSL_free(data);
-        data = OPENSSL_malloc(length);
+        if (data != NULL)
+            OPENSSL_free(data);
+        data = (unsigned char *)OPENSSL_malloc(length);
         if (data == NULL) {
             i = ERR_R_MALLOC_FAILURE;
             goto err;
@@ -314,7 +338,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
     return (ret);
  err:
     ASN1err(ASN1_F_C2I_ASN1_OBJECT, i);
-    if ((a == NULL) || (*a != ret))
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
         ASN1_OBJECT_free(ret);
     return (NULL);
 }
@@ -323,11 +347,16 @@ ASN1_OBJECT *ASN1_OBJECT_new(void)
 {
     ASN1_OBJECT *ret;
 
-    ret = OPENSSL_zalloc(sizeof(*ret));
+    ret = (ASN1_OBJECT *)OPENSSL_malloc(sizeof(ASN1_OBJECT));
     if (ret == NULL) {
         ASN1err(ASN1_F_ASN1_OBJECT_NEW, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
+    ret->length = 0;
+    ret->data = NULL;
+    ret->nid = 0;
+    ret->sn = NULL;
+    ret->ln = NULL;
     ret->flags = ASN1_OBJECT_FLAG_DYNAMIC;
     return (ret);
 }
@@ -340,13 +369,16 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a)
 #ifndef CONST_STRICT            /* disable purely for compile-time strict
                                  * const checking. Doing this on a "real"
                                  * compile will cause memory leaks */
-        OPENSSL_free((void*)a->sn);
-        OPENSSL_free((void*)a->ln);
+        if (a->sn != NULL)
+            OPENSSL_free((void *)a->sn);
+        if (a->ln != NULL)
+            OPENSSL_free((void *)a->ln);
 #endif
         a->sn = a->ln = NULL;
     }
     if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA) {
-        OPENSSL_free((void*)a->data);
+        if (a->data != NULL)
+            OPENSSL_free((void *)a->data);
         a->data = NULL;
         a->length = 0;
     }
@@ -368,3 +400,7 @@ ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len,
         ASN1_OBJECT_FLAG_DYNAMIC_DATA;
     return (OBJ_dup(&o));
 }
+
+IMPLEMENT_STACK_OF(ASN1_OBJECT)
+
+IMPLEMENT_ASN1_SET_OF(ASN1_OBJECT)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_octet.c b/Cryptlib/OpenSSL/crypto/asn1/a_octet.c
index 2e1205ca..1a6e9ca9 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_octet.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_octet.c
@@ -1,29 +1,78 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_octet.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 
 ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(const ASN1_OCTET_STRING *x)
 {
-    return ASN1_STRING_dup(x);
+    return M_ASN1_OCTET_STRING_dup(x);
 }
 
 int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a,
                           const ASN1_OCTET_STRING *b)
 {
-    return ASN1_STRING_cmp(a, b);
+    return M_ASN1_OCTET_STRING_cmp(a, b);
 }
 
 int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, const unsigned char *d,
                           int len)
 {
-    return ASN1_STRING_set(x, d, len);
+    return M_ASN1_OCTET_STRING_set(x, d, len);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_print.c b/Cryptlib/OpenSSL/crypto/asn1/a_print.c
index 1aafe7c8..d83e4ad8 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_print.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_print.c
@@ -1,15 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_print.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 
 int ASN1_PRINTABLE_type(const unsigned char *s, int len)
@@ -28,6 +76,7 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
 #ifndef CHARSET_EBCDIC
         if (!(((c >= 'a') && (c <= 'z')) ||
               ((c >= 'A') && (c <= 'Z')) ||
+              (c == ' ') ||
               ((c >= '0') && (c <= '9')) ||
               (c == ' ') || (c == '\'') ||
               (c == '(') || (c == ')') ||
@@ -78,32 +127,3 @@ int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s)
     s->type = ASN1_PRINTABLE_type(s->data, s->length);
     return (1);
 }
-
-int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v)
-{
-    int i, n;
-    char buf[80];
-    const char *p;
-
-    if (v == NULL)
-        return (0);
-    n = 0;
-    p = (const char *)v->data;
-    for (i = 0; i < v->length; i++) {
-        if ((p[i] > '~') || ((p[i] < ' ') &&
-                             (p[i] != '\n') && (p[i] != '\r')))
-            buf[n] = '.';
-        else
-            buf[n] = p[i];
-        n++;
-        if (n >= 80) {
-            if (BIO_write(bp, buf, n) <= 0)
-                return (0);
-            n = 0;
-        }
-    }
-    if (n > 0)
-        if (BIO_write(bp, buf, n) <= 0)
-            return (0);
-    return (1);
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_set.c b/Cryptlib/OpenSSL/crypto/asn1/a_set.c
new file mode 100644
index 00000000..5fb58655
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_set.c
@@ -0,0 +1,243 @@
+/* crypto/asn1/a_set.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <limits.h>
+#include "cryptlib.h"
+#include <openssl/asn1_mac.h>
+
+#ifndef NO_ASN1_OLD
+
+typedef struct {
+    unsigned char *pbData;
+    int cbData;
+} MYBLOB;
+
+/*
+ * SetBlobCmp This function compares two elements of SET_OF block
+ */
+static int SetBlobCmp(const void *elem1, const void *elem2)
+{
+    const MYBLOB *b1 = (const MYBLOB *)elem1;
+    const MYBLOB *b2 = (const MYBLOB *)elem2;
+    int r;
+
+    r = memcmp(b1->pbData, b2->pbData,
+               b1->cbData < b2->cbData ? b1->cbData : b2->cbData);
+    if (r != 0)
+        return r;
+    return b1->cbData - b2->cbData;
+}
+
+/*
+ * int is_set: if TRUE, then sort the contents (i.e. it isn't a SEQUENCE)
+ */
+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
+                 i2d_of_void *i2d, int ex_tag, int ex_class, int is_set)
+{
+    int ret = 0, r;
+    int i;
+    unsigned char *p;
+    unsigned char *pStart, *pTempMem;
+    MYBLOB *rgSetBlob;
+    int totSize;
+
+    if (a == NULL)
+        return (0);
+    for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) {
+        int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+        if (tmplen > INT_MAX - ret)
+            return -1;
+        ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+    }
+    r = ASN1_object_size(1, ret, ex_tag);
+    if (pp == NULL || r == -1)
+        return (r);
+
+    p = *pp;
+    ASN1_put_object(&p, 1, ret, ex_tag, ex_class);
+
+/* Modified by gp@nsj.co.jp */
+    /* And then again by Ben */
+    /* And again by Steve */
+
+    if (!is_set || (sk_OPENSSL_BLOCK_num(a) < 2)) {
+        for (i = 0; i < sk_OPENSSL_BLOCK_num(a); i++)
+            i2d(sk_OPENSSL_BLOCK_value(a, i), &p);
+
+        *pp = p;
+        return (r);
+    }
+
+    pStart = p;                 /* Catch the beg of Setblobs */
+    /* In this array we will store the SET blobs */
+    rgSetBlob = OPENSSL_malloc(sk_OPENSSL_BLOCK_num(a) * sizeof(MYBLOB));
+    if (rgSetBlob == NULL) {
+        ASN1err(ASN1_F_I2D_ASN1_SET, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+
+    for (i = 0; i < sk_OPENSSL_BLOCK_num(a); i++) {
+        rgSetBlob[i].pbData = p; /* catch each set encode blob */
+        i2d(sk_OPENSSL_BLOCK_value(a, i), &p);
+        rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
+                                                        * SetBlob */
+    }
+    *pp = p;
+    totSize = p - pStart;       /* This is the total size of all set blobs */
+
+    /*
+     * Now we have to sort the blobs. I am using a simple algo. *Sort ptrs
+     * *Copy to temp-mem *Copy from temp-mem to user-mem
+     */
+    qsort(rgSetBlob, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
+    if (!(pTempMem = OPENSSL_malloc(totSize))) {
+        ASN1err(ASN1_F_I2D_ASN1_SET, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+
+/* Copy to temp mem */
+    p = pTempMem;
+    for (i = 0; i < sk_OPENSSL_BLOCK_num(a); ++i) {
+        memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
+        p += rgSetBlob[i].cbData;
+    }
+
+/* Copy back to user mem*/
+    memcpy(pStart, pTempMem, totSize);
+    OPENSSL_free(pTempMem);
+    OPENSSL_free(rgSetBlob);
+
+    return (r);
+}
+
+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
+                                      const unsigned char **pp,
+                                      long length, d2i_of_void *d2i,
+                                      void (*free_func) (OPENSSL_BLOCK),
+                                      int ex_tag, int ex_class)
+{
+    ASN1_const_CTX c;
+    STACK_OF(OPENSSL_BLOCK) *ret = NULL;
+
+    if ((a == NULL) || ((*a) == NULL)) {
+        if ((ret = sk_OPENSSL_BLOCK_new_null()) == NULL) {
+            ASN1err(ASN1_F_D2I_ASN1_SET, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+    } else
+        ret = (*a);
+
+    c.p = *pp;
+    c.max = (length == 0) ? 0 : (c.p + length);
+
+    c.inf = ASN1_get_object(&c.p, &c.slen, &c.tag, &c.xclass, c.max - c.p);
+    if (c.inf & 0x80)
+        goto err;
+    if (ex_class != c.xclass) {
+        ASN1err(ASN1_F_D2I_ASN1_SET, ASN1_R_BAD_CLASS);
+        goto err;
+    }
+    if (ex_tag != c.tag) {
+        ASN1err(ASN1_F_D2I_ASN1_SET, ASN1_R_BAD_TAG);
+        goto err;
+    }
+    if ((c.slen + c.p) > c.max) {
+        ASN1err(ASN1_F_D2I_ASN1_SET, ASN1_R_LENGTH_ERROR);
+        goto err;
+    }
+    /*
+     * check for infinite constructed - it can be as long as the amount of
+     * data passed to us
+     */
+    if (c.inf == (V_ASN1_CONSTRUCTED + 1))
+        c.slen = length + *pp - c.p;
+    c.max = c.p + c.slen;
+
+    while (c.p < c.max) {
+        char *s;
+
+        if (M_ASN1_D2I_end_sequence())
+            break;
+        /*
+         * XXX: This was called with 4 arguments, incorrectly, it seems if
+         * ((s=func(NULL,&c.p,c.slen,c.max-c.p)) == NULL)
+         */
+        if ((s = d2i(NULL, &c.p, c.slen)) == NULL) {
+            ASN1err(ASN1_F_D2I_ASN1_SET, ASN1_R_ERROR_PARSING_SET_ELEMENT);
+            asn1_add_error(*pp, (int)(c.p - *pp));
+            goto err;
+        }
+        if (!sk_OPENSSL_BLOCK_push(ret, s))
+            goto err;
+    }
+    if (a != NULL)
+        (*a) = ret;
+    *pp = c.p;
+    return (ret);
+ err:
+    if ((ret != NULL) && ((a == NULL) || (*a != ret))) {
+        if (free_func != NULL)
+            sk_OPENSSL_BLOCK_pop_free(ret, free_func);
+        else
+            sk_OPENSSL_BLOCK_free(ret);
+    }
+    return (NULL);
+}
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_sign.c b/Cryptlib/OpenSSL/crypto/asn1/a_sign.c
index 7e21a5ec..51c6a0c3 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_sign.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_sign.c
@@ -1,16 +1,118 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <time.h>
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef NO_SYS_TYPES_H
 # include <sys/types.h>
@@ -21,8 +123,7 @@
 #include <openssl/x509.h>
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
+#include "asn1_locl.h"
 
 #ifndef NO_ASN1_OLD
 
@@ -30,15 +131,12 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
               ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey,
               const EVP_MD *type)
 {
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX ctx;
     unsigned char *p, *buf_in = NULL, *buf_out = NULL;
     int i, inl = 0, outl = 0, outll = 0;
     X509_ALGOR *a;
 
-    if (ctx == NULL) {
-        ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
+    EVP_MD_CTX_init(&ctx);
     for (i = 0; i < 2; i++) {
         if (i == 0)
             a = algor1;
@@ -73,9 +171,9 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
         }
     }
     inl = i2d(data, NULL);
-    buf_in = OPENSSL_malloc((unsigned int)inl);
+    buf_in = (unsigned char *)OPENSSL_malloc((unsigned int)inl);
     outll = outl = EVP_PKEY_size(pkey);
-    buf_out = OPENSSL_malloc((unsigned int)outl);
+    buf_out = (unsigned char *)OPENSSL_malloc((unsigned int)outl);
     if ((buf_in == NULL) || (buf_out == NULL)) {
         outl = 0;
         ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
@@ -84,15 +182,16 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
     p = buf_in;
 
     i2d(data, &p);
-    if (!EVP_SignInit_ex(ctx, type, NULL)
-        || !EVP_SignUpdate(ctx, (unsigned char *)buf_in, inl)
-        || !EVP_SignFinal(ctx, (unsigned char *)buf_out,
+    if (!EVP_SignInit_ex(&ctx, type, NULL)
+        || !EVP_SignUpdate(&ctx, (unsigned char *)buf_in, inl)
+        || !EVP_SignFinal(&ctx, (unsigned char *)buf_out,
                           (unsigned int *)&outl, pkey)) {
         outl = 0;
         ASN1err(ASN1_F_ASN1_SIGN, ERR_R_EVP_LIB);
         goto err;
     }
-    OPENSSL_free(signature->data);
+    if (signature->data != NULL)
+        OPENSSL_free(signature->data);
     signature->data = buf_out;
     buf_out = NULL;
     signature->length = outl;
@@ -103,9 +202,15 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
     signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
     signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
  err:
-    EVP_MD_CTX_free(ctx);
-    OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
-    OPENSSL_clear_free((char *)buf_out, outll);
+    EVP_MD_CTX_cleanup(&ctx);
+    if (buf_in != NULL) {
+        OPENSSL_cleanse((char *)buf_in, (unsigned int)inl);
+        OPENSSL_free(buf_in);
+    }
+    if (buf_out != NULL) {
+        OPENSSL_cleanse((char *)buf_out, outll);
+        OPENSSL_free(buf_out);
+    }
     return (outl);
 }
 
@@ -115,22 +220,13 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1,
                    X509_ALGOR *algor2, ASN1_BIT_STRING *signature, void *asn,
                    EVP_PKEY *pkey, const EVP_MD *type)
 {
-    int rv;
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-
-    if (ctx == NULL) {
-        ASN1err(ASN1_F_ASN1_ITEM_SIGN, ERR_R_MALLOC_FAILURE);
+    EVP_MD_CTX ctx;
+    EVP_MD_CTX_init(&ctx);
+    if (!EVP_DigestSignInit(&ctx, NULL, type, NULL, pkey)) {
+        EVP_MD_CTX_cleanup(&ctx);
         return 0;
     }
-    if (!EVP_DigestSignInit(ctx, NULL, type, NULL, pkey)) {
-        EVP_MD_CTX_free(ctx);
-        return 0;
-    }
-
-    rv = ASN1_item_sign_ctx(it, algor1, algor2, signature, asn, ctx);
-
-    EVP_MD_CTX_free(ctx);
-    return rv;
+    return ASN1_item_sign_ctx(it, algor1, algor2, signature, asn, &ctx);
 }
 
 int ASN1_item_sign_ctx(const ASN1_ITEM *it,
@@ -145,16 +241,11 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
     int rv;
 
     type = EVP_MD_CTX_md(ctx);
-    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
+    pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
 
-    if (type == NULL || pkey == NULL) {
+    if (!type || !pkey) {
         ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
-        goto err;
-    }
-
-    if (pkey->ameth == NULL) {
-        ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
-        goto err;
+        return 0;
     }
 
     if (pkey->ameth->item_sign) {
@@ -176,13 +267,17 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
         rv = 2;
 
     if (rv == 2) {
-        if (!OBJ_find_sigid_by_algs(&signid,
-                                    EVP_MD_nid(type),
-                                    pkey->ameth->pkey_id)) {
-            ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
-                    ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
-            goto err;
-        }
+        if (type->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) {
+            if (!pkey->ameth ||
+                !OBJ_find_sigid_by_algs(&signid,
+                                        EVP_MD_nid(type),
+                                        pkey->ameth->pkey_id)) {
+                ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
+                        ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
+                return 0;
+            }
+        } else
+            signid = type->pkey_type;
 
         if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
             paramtype = V_ASN1_NULL;
@@ -211,7 +306,8 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
         ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
         goto err;
     }
-    OPENSSL_free(signature->data);
+    if (signature->data != NULL)
+        OPENSSL_free(signature->data);
     signature->data = buf_out;
     buf_out = NULL;
     signature->length = outl;
@@ -222,7 +318,14 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
     signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
     signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
  err:
-    OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
-    OPENSSL_clear_free((char *)buf_out, outll);
+    EVP_MD_CTX_cleanup(ctx);
+    if (buf_in != NULL) {
+        OPENSSL_cleanse((char *)buf_in, (unsigned int)inl);
+        OPENSSL_free(buf_in);
+    }
+    if (buf_out != NULL) {
+        OPENSSL_cleanse((char *)buf_out, outll);
+        OPENSSL_free(buf_out);
+    }
     return (outl);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strex.c b/Cryptlib/OpenSSL/crypto/asn1/a_strex.c
index 9839f5c7..91203b7a 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_strex.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_strex.c
@@ -1,16 +1,65 @@
+/* a_strex.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <string.h>
-#include "internal/cryptlib.h"
-#include "internal/asn1_int.h"
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
@@ -26,7 +75,6 @@
 #define CHARTYPE_BS_ESC         (ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
 
 #define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
-                  ASN1_STRFLGS_ESC_2254 | \
                   ASN1_STRFLGS_ESC_QUOTE | \
                   ASN1_STRFLGS_ESC_CTRL | \
                   ASN1_STRFLGS_ESC_MSB)
@@ -35,6 +83,18 @@
  * Three IO functions for sending data to memory, a BIO and and a FILE
  * pointer.
  */
+#if 0                           /* never used */
+static int send_mem_chars(void *arg, const void *buf, int len)
+{
+    unsigned char **out = arg;
+    if (!out)
+        return 1;
+    memcpy(*out, buf, len);
+    *out += len;
+    return 1;
+}
+#endif
+
 static int send_bio_chars(void *arg, const void *buf, int len)
 {
     if (!arg)
@@ -44,7 +104,7 @@ static int send_bio_chars(void *arg, const void *buf, int len)
     return 1;
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 static int send_fp_chars(void *arg, const void *buf, int len)
 {
     if (!arg)
@@ -66,8 +126,7 @@ typedef int char_io (void *arg, const void *buf, int len);
 static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes,
                        char_io *io_ch, void *arg)
 {
-    unsigned short chflgs;
-    unsigned char chtmp;
+    unsigned char chflgs, chtmp;
     char tmphex[HEX_SIZE(long) + 3];
 
     if (c > 0xffffffffL)
@@ -104,9 +163,7 @@ static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes,
             return -1;
         return 2;
     }
-    if (chflgs & (ASN1_STRFLGS_ESC_CTRL
-                  | ASN1_STRFLGS_ESC_MSB
-                  | ASN1_STRFLGS_ESC_2254)) {
+    if (chflgs & (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB)) {
         BIO_snprintf(tmphex, 11, "\\%02X", chtmp);
         if (!io_ch(arg, tmphex, 3))
             return -1;
@@ -136,12 +193,11 @@ static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes,
  */
 
 static int do_buf(unsigned char *buf, int buflen,
-                  int type, unsigned short flags, char *quotes, char_io *io_ch,
+                  int type, unsigned char flags, char *quotes, char_io *io_ch,
                   void *arg)
 {
     int i, outlen, len;
-    unsigned short orflags;
-    unsigned char *p, *q;
+    unsigned char orflags, *p, *q;
     unsigned long c;
     p = buf;
     q = buf + buflen;
@@ -191,7 +247,7 @@ static int do_buf(unsigned char *buf, int buflen,
                  * character will never be escaped on first and last.
                  */
                 len =
-                    do_esc_char(utfbuf[i], (unsigned short)(flags | orflags),
+                    do_esc_char(utfbuf[i], (unsigned char)(flags | orflags),
                                 quotes, io_ch, arg);
                 if (len < 0)
                     return -1;
@@ -199,7 +255,7 @@ static int do_buf(unsigned char *buf, int buflen,
             }
         } else {
             len =
-                do_esc_char(c, (unsigned short)(flags | orflags), quotes,
+                do_esc_char(c, (unsigned char)(flags | orflags), quotes,
                             io_ch, arg);
             if (len < 0)
                 return -1;
@@ -238,7 +294,7 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf,
  */
 
 static int do_dump(unsigned long lflags, char_io *io_ch, void *arg,
-                   const ASN1_STRING *str)
+                   ASN1_STRING *str)
 {
     /*
      * Placing the ASN1_STRING in a temp ASN1_TYPE allows the DER encoding to
@@ -261,7 +317,7 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg,
     t.value.ptr = (char *)str;
     der_len = i2d_ASN1_TYPE(&t, NULL);
     der_buf = OPENSSL_malloc(der_len);
-    if (der_buf == NULL)
+    if (!der_buf)
         return -1;
     p = der_buf;
     i2d_ASN1_TYPE(&t, &p);
@@ -296,15 +352,15 @@ static const signed char tag2nbyte[] = {
  */
 
 static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
-                       const ASN1_STRING *str)
+                       ASN1_STRING *str)
 {
     int outlen, len;
     int type;
     char quotes;
-    unsigned short flags;
+    unsigned char flags;
     quotes = 0;
     /* Keep a copy of escape flags */
-    flags = (unsigned short)(lflags & ESC_FLAGS);
+    flags = (unsigned char)(lflags & ESC_FLAGS);
 
     type = str->type;
 
@@ -388,14 +444,14 @@ static int do_indent(char_io *io_ch, void *arg, int indent)
 #define FN_WIDTH_LN     25
 #define FN_WIDTH_SN     10
 
-static int do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n,
+static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
                       int indent, unsigned long flags)
 {
     int i, prev = -1, orflags, cnt;
     int fn_opt, fn_nid;
     ASN1_OBJECT *fn;
-    const ASN1_STRING *val;
-    const X509_NAME_ENTRY *ent;
+    ASN1_STRING *val;
+    X509_NAME_ENTRY *ent;
     char objtmp[80];
     const char *objbuf;
     int outlen, len;
@@ -459,7 +515,7 @@ static int do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n,
         else
             ent = X509_NAME_get_entry(n, i);
         if (prev != -1) {
-            if (prev == X509_NAME_ENTRY_set(ent)) {
+            if (prev == ent->set) {
                 if (!io_ch(arg, sep_mv, sep_mv_len))
                     return -1;
                 outlen += sep_mv_len;
@@ -472,7 +528,7 @@ static int do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n,
                 outlen += indent;
             }
         }
-        prev = X509_NAME_ENTRY_set(ent);
+        prev = ent->set;
         fn = X509_NAME_ENTRY_get_object(ent);
         val = X509_NAME_ENTRY_get_data(ent);
         fn_nid = OBJ_obj2nid(fn);
@@ -526,7 +582,7 @@ static int do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n,
 
 /* Wrappers round the main functions */
 
-int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
+int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent,
                        unsigned long flags)
 {
     if (flags == XN_FLAG_COMPAT)
@@ -534,8 +590,8 @@ int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
     return do_name_ex(send_bio_chars, out, nm, indent, flags);
 }
 
-#ifndef OPENSSL_NO_STDIO
-int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent,
+#ifndef OPENSSL_NO_FP_API
+int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent,
                           unsigned long flags)
 {
     if (flags == XN_FLAG_COMPAT) {
@@ -552,13 +608,13 @@ int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent,
 }
 #endif
 
-int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags)
+int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
 {
     return do_print_ex(send_bio_chars, out, flags, str);
 }
 
-#ifndef OPENSSL_NO_STDIO
-int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags)
+#ifndef OPENSSL_NO_FP_API
+int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
 {
     return do_print_ex(send_fp_chars, fp, flags, str);
 }
@@ -569,7 +625,7 @@ int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flag
  * in output string or a negative error code
  */
 
-int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in)
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 {
     ASN1_STRING stmp, *str = &stmp;
     int mbflag, type, ret;
@@ -593,53 +649,3 @@ int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in)
     *out = stmp.data;
     return stmp.length;
 }
-
-/* Return 1 if host is a valid hostname and 0 otherwise */
-int asn1_valid_host(const ASN1_STRING *host)
-{
-    int hostlen = host->length;
-    const unsigned char *hostptr = host->data;
-    int type = host->type;
-    int i;
-    char width = -1;
-    unsigned short chflags = 0, prevchflags;
-
-    if (type > 0 && type < 31)
-        width = tag2nbyte[type];
-    if (width == -1 || hostlen == 0)
-        return 0;
-    /* Treat UTF8String as width 1 as any MSB set is invalid */
-    if (width == 0)
-        width = 1;
-    for (i = 0 ; i < hostlen; i+= width) {
-        prevchflags = chflags;
-        /* Value must be <= 0x7F: check upper bytes are all zeroes */
-        if (width == 4) {
-            if (*hostptr++ != 0 || *hostptr++ != 0 || *hostptr++ != 0)
-                return 0;
-        } else if (width == 2) {
-            if (*hostptr++ != 0)
-                return 0;
-        }
-        if (*hostptr > 0x7f)
-            return 0;
-        chflags = char_type[*hostptr++];
-        if (!(chflags & (CHARTYPE_HOST_ANY | CHARTYPE_HOST_WILD))) {
-            /* Nothing else allowed at start or end of string */
-            if (i == 0 || i == hostlen - 1)
-                return 0;
-            /* Otherwise invalid if not dot or hyphen */
-            if (!(chflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN)))
-                return 0;
-            /*
-             * If previous is dot or hyphen then illegal unless both
-             * are hyphens: as .- -. .. are all illegal
-             */
-            if (prevchflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN)
-                && ((prevchflags & CHARTYPE_HOST_DOT)
-                    || (chflags & CHARTYPE_HOST_DOT)))
-                return 0;
-        }
-    }
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c b/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c
index 53832c8a..2d2303d8 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_strnid.c
@@ -1,15 +1,65 @@
+/* a_strnid.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 
@@ -50,19 +100,19 @@ int ASN1_STRING_set_default_mask_asc(const char *p)
 {
     unsigned long mask;
     char *end;
-    if (strncmp(p, "MASK:", 5) == 0) {
+    if (!strncmp(p, "MASK:", 5)) {
         if (!p[5])
             return 0;
         mask = strtoul(p + 5, &end, 0);
         if (*end)
             return 0;
-    } else if (strcmp(p, "nombstr") == 0)
+    } else if (!strcmp(p, "nombstr"))
         mask = ~((unsigned long)(B_ASN1_BMPSTRING | B_ASN1_UTF8STRING));
-    else if (strcmp(p, "pkix") == 0)
+    else if (!strcmp(p, "pkix"))
         mask = ~((unsigned long)B_ASN1_T61STRING);
-    else if (strcmp(p, "utf8only") == 0)
+    else if (!strcmp(p, "utf8only"))
         mask = B_ASN1_UTF8STRING;
-    else if (strcmp(p, "default") == 0)
+    else if (!strcmp(p, "default"))
         mask = 0xFFFFFFFFL;
     else
         return 0;
@@ -118,10 +168,6 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out,
 #define ub_email_address                128
 #define ub_serial_number                64
 
-/* From RFC4524 */
-
-#define ub_rfc822_mailbox               256
-
 /* This table must be kept in NID order */
 
 static const ASN1_STRING_TABLE tbl_standard[] = {
@@ -146,12 +192,7 @@ static const ASN1_STRING_TABLE tbl_standard[] = {
     {NID_name, 1, ub_name, DIRSTRING_TYPE, 0},
     {NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
     {NID_domainComponent, 1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK},
-    {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
-    {NID_rfc822Mailbox, 1, ub_rfc822_mailbox, B_ASN1_IA5STRING,
-     STABLE_NO_MASK},
-    {NID_INN, 1, 12, B_ASN1_NUMERICSTRING, STABLE_NO_MASK},
-    {NID_OGRN, 1, 13, B_ASN1_NUMERICSTRING, STABLE_NO_MASK},
-    {NID_SNILS, 1, 11, B_ASN1_NUMERICSTRING, STABLE_NO_MASK}
+    {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}
 };
 
 static int sk_table_cmp(const ASN1_STRING_TABLE *const *a,
@@ -172,52 +213,20 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(ASN1_STRING_TABLE, ASN1_STRING_TABLE, table);
 ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
 {
     int idx;
+    ASN1_STRING_TABLE *ttmp;
     ASN1_STRING_TABLE fnd;
     fnd.nid = nid;
-    if (stable) {
-        idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
-        if (idx >= 0)
-            return sk_ASN1_STRING_TABLE_value(stable, idx);
-    }
-    return OBJ_bsearch_table(&fnd, tbl_standard, OSSL_NELEM(tbl_standard));
-}
-
-/*
- * Return a string table pointer which can be modified: either directly from
- * table or a copy of an internal value added to the table.
- */
-
-static ASN1_STRING_TABLE *stable_get(int nid)
-{
-    ASN1_STRING_TABLE *tmp, *rv;
-    /* Always need a string table so allocate one if NULL */
-    if (stable == NULL) {
-        stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
-        if (stable == NULL)
-            return NULL;
-    }
-    tmp = ASN1_STRING_TABLE_get(nid);
-    if (tmp && tmp->flags & STABLE_FLAGS_MALLOC)
-        return tmp;
-    rv = OPENSSL_zalloc(sizeof(*rv));
-    if (rv == NULL)
+    ttmp = OBJ_bsearch_table(&fnd, tbl_standard,
+                             sizeof(tbl_standard) /
+                             sizeof(ASN1_STRING_TABLE));
+    if (ttmp)
+        return ttmp;
+    if (!stable)
         return NULL;
-    if (!sk_ASN1_STRING_TABLE_push(stable, rv)) {
-        OPENSSL_free(rv);
+    idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
+    if (idx < 0)
         return NULL;
-    }
-    if (tmp) {
-        rv->nid = tmp->nid;
-        rv->minsize = tmp->minsize;
-        rv->maxsize = tmp->maxsize;
-        rv->mask = tmp->mask;
-        rv->flags = tmp->flags | STABLE_FLAGS_MALLOC;
-    } else {
-        rv->minsize = -1;
-        rv->maxsize = -1;
-        rv->flags = STABLE_FLAGS_MALLOC;
-    }
-    return rv;
+    return sk_ASN1_STRING_TABLE_value(stable, idx);
 }
 
 int ASN1_STRING_TABLE_add(int nid,
@@ -225,19 +234,33 @@ int ASN1_STRING_TABLE_add(int nid,
                           unsigned long flags)
 {
     ASN1_STRING_TABLE *tmp;
-    tmp = stable_get(nid);
-    if (!tmp) {
+    char new_nid = 0;
+    flags &= ~STABLE_FLAGS_MALLOC;
+    if (!stable)
+        stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
+    if (!stable) {
         ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-    if (minsize >= 0)
+    if (!(tmp = ASN1_STRING_TABLE_get(nid))) {
+        tmp = OPENSSL_malloc(sizeof(ASN1_STRING_TABLE));
+        if (!tmp) {
+            ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD, ERR_R_MALLOC_FAILURE);
+            return 0;
+        }
+        tmp->flags = flags | STABLE_FLAGS_MALLOC;
+        tmp->nid = nid;
+        tmp->minsize = tmp->maxsize = -1;
+        new_nid = 1;
+    } else
+        tmp->flags = (tmp->flags & STABLE_FLAGS_MALLOC) | flags;
+    if (minsize != -1)
         tmp->minsize = minsize;
-    if (maxsize >= 0)
+    if (maxsize != -1)
         tmp->maxsize = maxsize;
-    if (mask)
-        tmp->mask = mask;
-    if (flags)
-        tmp->flags = STABLE_FLAGS_MALLOC | flags;
+    tmp->mask = mask;
+    if (new_nid)
+        sk_ASN1_STRING_TABLE_push(stable, tmp);
     return 1;
 }
 
@@ -258,6 +281,8 @@ static void st_free(ASN1_STRING_TABLE *tbl)
 }
 
 
+IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
+
 #ifdef STRING_TABLE_TEST
 
 main()
@@ -265,7 +290,8 @@ main()
     ASN1_STRING_TABLE *tmp;
     int i, last_nid = -1;
 
-    for (tmp = tbl_standard, i = 0; i < OSSL_NELEM(tbl_standard); i++, tmp++) {
+    for (tmp = tbl_standard, i = 0;
+         i < sizeof(tbl_standard) / sizeof(ASN1_STRING_TABLE); i++, tmp++) {
         if (tmp->nid < last_nid) {
             last_nid = 0;
             break;
@@ -278,7 +304,8 @@ main()
         exit(0);
     }
 
-    for (tmp = tbl_standard, i = 0; i < OSSL_NELEM(tbl_standard); i++, tmp++)
+    for (tmp = tbl_standard, i = 0;
+         i < sizeof(tbl_standard) / sizeof(ASN1_STRING_TABLE); i++, tmp++)
         printf("Index %d, NID %d, Name=%s\n", i, tmp->nid,
                OBJ_nid2ln(tmp->nid));
 
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_time.c b/Cryptlib/OpenSSL/crypto/asn1/a_time.c
index 3f82c2bc..fcb2d565 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_time.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_time.c
@@ -1,10 +1,56 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_time.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*-
@@ -12,11 +58,13 @@
  *    Time ::= CHOICE {
  *      utcTime        UTCTime,
  *      generalTime    GeneralizedTime }
+ * written by Steve Henson.
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include "o_time.h"
 #include <openssl/asn1t.h>
 #include "asn1_locl.h"
 
@@ -24,6 +72,33 @@ IMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME)
 
 IMPLEMENT_ASN1_FUNCTIONS(ASN1_TIME)
 
+#if 0
+int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
+{
+# ifdef CHARSET_EBCDIC
+    /* KLUDGE! We convert to ascii before writing DER */
+    char tmp[24];
+    ASN1_STRING tmpstr;
+
+    if (a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME) {
+        int len;
+
+        tmpstr = *(ASN1_STRING *)a;
+        len = tmpstr.length;
+        ebcdic2ascii(tmp, tmpstr.data,
+                     (len >= sizeof tmp) ? sizeof tmp : len);
+        tmpstr.data = tmp;
+        a = (ASN1_GENERALIZEDTIME *)&tmpstr;
+    }
+# endif
+    if (a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME)
+        return (i2d_ASN1_bytes((ASN1_STRING *)a, pp,
+                               a->type, V_ASN1_UNIVERSAL));
+    ASN1err(ASN1_F_I2D_ASN1_TIME, ASN1_R_EXPECTING_A_TIME);
+    return -1;
+}
+#endif
+
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 {
     return ASN1_TIME_adj(s, t, 0, 0);
@@ -49,7 +124,7 @@ ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
     return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
 }
 
-int ASN1_TIME_check(const ASN1_TIME *t)
+int ASN1_TIME_check(ASN1_TIME *t)
 {
     if (t->type == V_ASN1_GENERALIZEDTIME)
         return ASN1_GENERALIZEDTIME_check(t);
@@ -69,8 +144,8 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
     if (!ASN1_TIME_check(t))
         return NULL;
 
-    if (out == NULL || *out == NULL) {
-        if ((ret = ASN1_GENERALIZEDTIME_new()) == NULL)
+    if (!out || !*out) {
+        if (!(ret = ASN1_GENERALIZEDTIME_new()))
             return NULL;
         if (out)
             *out = ret;
@@ -92,11 +167,11 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
     str = (char *)ret->data;
     /* Work out the century and prepend */
     if (t->data[0] >= '5')
-        OPENSSL_strlcpy(str, "19", newlen);
+        BUF_strlcpy(str, "19", newlen);
     else
-        OPENSSL_strlcpy(str, "20", newlen);
+        BUF_strlcpy(str, "20", newlen);
 
-    OPENSSL_strlcat(str, (char *)t->data, newlen);
+    BUF_strlcat(str, (char *)t->data, newlen);
 
     return ret;
 }
@@ -151,13 +226,3 @@ int ASN1_TIME_diff(int *pday, int *psec,
         return 0;
     return OPENSSL_gmtime_diff(pday, psec, &tm_from, &tm_to);
 }
-
-int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
-{
-    if (tm->type == V_ASN1_UTCTIME)
-        return ASN1_UTCTIME_print(bp, tm);
-    if (tm->type == V_ASN1_GENERALIZEDTIME)
-        return ASN1_GENERALIZEDTIME_print(bp, tm);
-    BIO_write(bp, "Bad time value", 14);
-    return (0);
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_type.c b/Cryptlib/OpenSSL/crypto/asn1/a_type.c
index df42360e..bb166e85 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_type.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_type.c
@@ -1,19 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_type.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
-#include "asn1_locl.h"
 
-int ASN1_TYPE_get(const ASN1_TYPE *a)
+int ASN1_TYPE_get(ASN1_TYPE *a)
 {
     if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
         return (a->type);
@@ -25,7 +73,7 @@ void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
 {
     if (a->value.ptr != NULL) {
         ASN1_TYPE **tmp_a = &a;
-        asn1_primitive_free((ASN1_VALUE **)tmp_a, NULL, 0);
+        ASN1_primitive_free((ASN1_VALUE **)tmp_a, NULL);
     }
     a->type = type;
     if (type == V_ASN1_BOOLEAN)
@@ -55,6 +103,10 @@ int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value)
     return 1;
 }
 
+IMPLEMENT_STACK_OF(ASN1_TYPE)
+
+IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
+
 /* Returns 0 if they are equal, != 0 otherwise. */
 int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
 {
@@ -101,34 +153,3 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
 
     return result;
 }
-
-ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t)
-{
-    ASN1_OCTET_STRING *oct;
-    ASN1_TYPE *rt;
-
-    oct = ASN1_item_pack(s, it, NULL);
-    if (oct == NULL)
-        return NULL;
-
-    if (t && *t) {
-        rt = *t;
-    } else {
-        rt = ASN1_TYPE_new();
-        if (rt == NULL) {
-            ASN1_OCTET_STRING_free(oct);
-            return NULL;
-        }
-        if (t)
-            *t = rt;
-    }
-    ASN1_TYPE_set(rt, V_ASN1_SEQUENCE, oct);
-    return rt;
-}
-
-void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t)
-{
-    if (t == NULL || t->type != V_ASN1_SEQUENCE || t->value.sequence == NULL)
-        return NULL;
-    return ASN1_item_unpack(t->value.sequence, it);
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c b/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c
index 7916e300..724a10be 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_utctm.c
@@ -1,18 +1,115 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_utctm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include "o_time.h"
 #include <openssl/asn1.h>
 #include "asn1_locl.h"
 
+#if 0
+int i2d_ASN1_UTCTIME(ASN1_UTCTIME *a, unsigned char **pp)
+{
+# ifndef CHARSET_EBCDIC
+    return (i2d_ASN1_bytes((ASN1_STRING *)a, pp,
+                           V_ASN1_UTCTIME, V_ASN1_UNIVERSAL));
+# else
+    /* KLUDGE! We convert to ascii before writing DER */
+    int len;
+    char tmp[24];
+    ASN1_STRING x = *(ASN1_STRING *)a;
+
+    len = x.length;
+    ebcdic2ascii(tmp, x.data, (len >= sizeof tmp) ? sizeof tmp : len);
+    x.data = tmp;
+    return i2d_ASN1_bytes(&x, pp, V_ASN1_UTCTIME, V_ASN1_UNIVERSAL);
+# endif
+}
+
+ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **a, unsigned char **pp,
+                               long length)
+{
+    ASN1_UTCTIME *ret = NULL;
+
+    ret = (ASN1_UTCTIME *)d2i_ASN1_bytes((ASN1_STRING **)a, pp, length,
+                                         V_ASN1_UTCTIME, V_ASN1_UNIVERSAL);
+    if (ret == NULL) {
+        ASN1err(ASN1_F_D2I_ASN1_UTCTIME, ERR_R_NESTED_ASN1_ERROR);
+        return (NULL);
+    }
+# ifdef CHARSET_EBCDIC
+    ascii2ebcdic(ret->data, ret->data, ret->length);
+# endif
+    if (!ASN1_UTCTIME_check(ret)) {
+        ASN1err(ASN1_F_D2I_ASN1_UTCTIME, ASN1_R_INVALID_TIME_FORMAT);
+        goto err;
+    }
+
+    return (ret);
+ err:
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
+        M_ASN1_UTCTIME_free(ret);
+    return (NULL);
+}
+
+#endif
+
 int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
 {
     static const int min[8] = { 0, 1, 1, 0, 0, 0, 0, 0 };
@@ -119,7 +216,8 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str)
     t.data = (unsigned char *)str;
     if (ASN1_UTCTIME_check(&t)) {
         if (s != NULL) {
-            if (!ASN1_STRING_set((ASN1_STRING *)s, str, t.length))
+            if (!ASN1_STRING_set((ASN1_STRING *)s,
+                                 (unsigned char *)str, t.length))
                 return 0;
             s->type = V_ASN1_UTCTIME;
         }
@@ -143,11 +241,11 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
     int free_s = 0;
 
     if (s == NULL) {
-        s = ASN1_UTCTIME_new();
-        if (s == NULL)
-            goto err;
         free_s = 1;
+        s = M_ASN1_UTCTIME_new();
     }
+    if (s == NULL)
+        goto err;
 
     ts = OPENSSL_gmtime(&t, &data);
     if (ts == NULL)
@@ -168,7 +266,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
             ASN1err(ASN1_F_ASN1_UTCTIME_ADJ, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        OPENSSL_free(s->data);
+        if (s->data != NULL)
+            OPENSSL_free(s->data);
         s->data = (unsigned char *)p;
     }
 
@@ -182,8 +281,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 #endif
     return (s);
  err:
-    if (free_s)
-        ASN1_UTCTIME_free(s);
+    if (free_s && s)
+        M_ASN1_UTCTIME_free(s);
     return NULL;
 }
 
@@ -212,43 +311,42 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
     return 0;
 }
 
-int ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm)
+#if 0
+time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
 {
-    const char *v;
-    int gmt = 0;
-    int i;
-    int y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
+    struct tm tm;
+    int offset;
 
-    i = tm->length;
-    v = (const char *)tm->data;
+    memset(&tm, '\0', sizeof tm);
 
-    if (i < 10)
-        goto err;
-    if (v[i - 1] == 'Z')
-        gmt = 1;
-    for (i = 0; i < 10; i++)
-        if ((v[i] > '9') || (v[i] < '0'))
-            goto err;
-    y = (v[0] - '0') * 10 + (v[1] - '0');
-    if (y < 50)
-        y += 100;
-    M = (v[2] - '0') * 10 + (v[3] - '0');
-    if ((M > 12) || (M < 1))
-        goto err;
-    d = (v[4] - '0') * 10 + (v[5] - '0');
-    h = (v[6] - '0') * 10 + (v[7] - '0');
-    m = (v[8] - '0') * 10 + (v[9] - '0');
-    if (tm->length >= 12 &&
-        (v[10] >= '0') && (v[10] <= '9') && (v[11] >= '0') && (v[11] <= '9'))
-        s = (v[10] - '0') * 10 + (v[11] - '0');
-
-    if (BIO_printf(bp, "%s %2d %02d:%02d:%02d %d%s",
-                   _asn1_mon[M - 1], d, h, m, s, y + 1900,
-                   (gmt) ? " GMT" : "") <= 0)
-        return (0);
-    else
-        return (1);
- err:
-    BIO_write(bp, "Bad time value", 14);
-    return (0);
+# define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
+    tm.tm_year = g2(s->data);
+    if (tm.tm_year < 50)
+        tm.tm_year += 100;
+    tm.tm_mon = g2(s->data + 2) - 1;
+    tm.tm_mday = g2(s->data + 4);
+    tm.tm_hour = g2(s->data + 6);
+    tm.tm_min = g2(s->data + 8);
+    tm.tm_sec = g2(s->data + 10);
+    if (s->data[12] == 'Z')
+        offset = 0;
+    else {
+        offset = g2(s->data + 13) * 60 + g2(s->data + 15);
+        if (s->data[12] == '-')
+            offset = -offset;
+    }
+# undef g2
+
+    /*
+     * FIXME: mktime assumes the current timezone
+     * instead of UTC, and unless we rewrite OpenSSL
+     * in Lisp we cannot locally change the timezone
+     * without possibly interfering with other parts
+     * of the program. timegm, which uses UTC, is
+     * non-standard.
+     * Also time_t is inappropriate for general
+     * UTC times because it may a 32 bit type.
+     */
+    return mktime(&tm) - offset * 60;
 }
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c b/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c
index e2dc09f6..23dc2e82 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_utf8.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_utf8.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 
 /* UTF8 utilities */
diff --git a/Cryptlib/OpenSSL/crypto/asn1/a_verify.c b/Cryptlib/OpenSSL/crypto/asn1/a_verify.c
index 00ab136f..3ffd934c 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/a_verify.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/a_verify.c
@@ -1,16 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/a_verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <time.h>
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include "asn1_locl.h"
 
 #ifndef NO_SYS_TYPES_H
 # include <sys/types.h>
@@ -21,23 +71,18 @@
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
 
 #ifndef NO_ASN1_OLD
 
 int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
                 char *data, EVP_PKEY *pkey)
 {
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX ctx;
     const EVP_MD *type;
     unsigned char *p, *buf_in = NULL;
     int ret = -1, i, inl;
 
-    if (ctx == NULL) {
-        ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
+    EVP_MD_CTX_init(&ctx);
     i = OBJ_obj2nid(a->algorithm);
     type = EVP_get_digestbyname(OBJ_nid2sn(i));
     if (type == NULL) {
@@ -59,26 +104,30 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
     p = buf_in;
 
     i2d(data, &p);
-    ret = EVP_VerifyInit_ex(ctx, type, NULL)
-        && EVP_VerifyUpdate(ctx, (unsigned char *)buf_in, inl);
-
-    OPENSSL_clear_free(buf_in, (unsigned int)inl);
-
-    if (!ret) {
+    if (!EVP_VerifyInit_ex(&ctx, type, NULL)
+        || !EVP_VerifyUpdate(&ctx, (unsigned char *)buf_in, inl)) {
         ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_EVP_LIB);
+        ret = 0;
         goto err;
     }
-    ret = -1;
 
-    if (EVP_VerifyFinal(ctx, (unsigned char *)signature->data,
+    OPENSSL_cleanse(buf_in, (unsigned int)inl);
+    OPENSSL_free(buf_in);
+
+    if (EVP_VerifyFinal(&ctx, (unsigned char *)signature->data,
                         (unsigned int)signature->length, pkey) <= 0) {
         ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_EVP_LIB);
         ret = 0;
         goto err;
     }
+    /*
+     * we don't need to zero the 'ctx' because we just checked public
+     * information
+     */
+    /* memset(&ctx,0,sizeof(ctx)); */
     ret = 1;
  err:
-    EVP_MD_CTX_free(ctx);
+    EVP_MD_CTX_cleanup(&ctx);
     return (ret);
 }
 
@@ -87,7 +136,7 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
 int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                      ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
 {
-    EVP_MD_CTX *ctx = NULL;
+    EVP_MD_CTX ctx;
     unsigned char *buf_in = NULL;
     int ret = -1, inl;
 
@@ -103,11 +152,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
         return -1;
     }
 
-    ctx = EVP_MD_CTX_new();
-    if (ctx == NULL) {
-        ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
+    EVP_MD_CTX_init(&ctx);
 
     /* Convert signature OID into digest and public key OIDs */
     if (!OBJ_find_sigid_algs(OBJ_obj2nid(a->algorithm), &mdnid, &pknid)) {
@@ -120,7 +165,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
                     ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
             goto err;
         }
-        ret = pkey->ameth->item_verify(ctx, it, asn, a, signature, pkey);
+        ret = pkey->ameth->item_verify(&ctx, it, asn, a, signature, pkey);
         /*
          * Return value of 2 means carry on, anything else means we exit
          * straight away: either a fatal error of the underlying verification
@@ -144,7 +189,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
             goto err;
         }
 
-        if (!EVP_DigestVerifyInit(ctx, NULL, type, NULL, pkey)) {
+        if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey)) {
             ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_EVP_LIB);
             ret = 0;
             goto err;
@@ -159,24 +204,28 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
         goto err;
     }
 
-    ret = EVP_DigestVerifyUpdate(ctx, buf_in, inl);
-
-    OPENSSL_clear_free(buf_in, (unsigned int)inl);
-
-    if (!ret) {
+    if (!EVP_DigestVerifyUpdate(&ctx, buf_in, inl)) {
         ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_EVP_LIB);
+        ret = 0;
         goto err;
     }
-    ret = -1;
 
-    if (EVP_DigestVerifyFinal(ctx, signature->data,
+    OPENSSL_cleanse(buf_in, (unsigned int)inl);
+    OPENSSL_free(buf_in);
+
+    if (EVP_DigestVerifyFinal(&ctx, signature->data,
                               (size_t)signature->length) <= 0) {
         ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_EVP_LIB);
         ret = 0;
         goto err;
     }
+    /*
+     * we don't need to zero the 'ctx' because we just checked public
+     * information
+     */
+    /* memset(&ctx,0,sizeof(ctx)); */
     ret = 1;
  err:
-    EVP_MD_CTX_free(ctx);
+    EVP_MD_CTX_cleanup(&ctx);
     return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/ameth_lib.c b/Cryptlib/OpenSSL/crypto/asn1/ameth_lib.c
index cfde49ab..43ddebba 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/ameth_lib.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/ameth_lib.c
@@ -1,19 +1,77 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include <openssl/engine.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+#include "asn1_locl.h"
+
+extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[];
+extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[];
+extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
 
 /* Keep this sorted in type order !! */
 static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
@@ -39,21 +97,20 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
     &cmac_asn1_meth,
 #endif
 #ifndef OPENSSL_NO_DH
-    &dhx_asn1_meth,
-#endif
-#ifndef OPENSSL_NO_EC
-    &ecx25519_asn1_meth
+    &dhx_asn1_meth
 #endif
 };
 
 typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
+DECLARE_STACK_OF(EVP_PKEY_ASN1_METHOD)
 static STACK_OF(EVP_PKEY_ASN1_METHOD) *app_methods = NULL;
 
 #ifdef TEST
 void main()
 {
     int i;
-    for (i = 0; i < OSSL_NELEM(standard_methods); i++)
+    for (i = 0;
+         i < sizeof(standard_methods) / sizeof(EVP_PKEY_ASN1_METHOD *); i++)
         fprintf(stderr, "Number %d id=%d (%s)\n", i,
                 standard_methods[i]->pkey_id,
                 OBJ_nid2sn(standard_methods[i]->pkey_id));
@@ -74,7 +131,7 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_ASN1_METHOD *,
 
 int EVP_PKEY_asn1_get_count(void)
 {
-    int num = OSSL_NELEM(standard_methods);
+    int num = sizeof(standard_methods) / sizeof(EVP_PKEY_ASN1_METHOD *);
     if (app_methods)
         num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods);
     return num;
@@ -82,7 +139,7 @@ int EVP_PKEY_asn1_get_count(void)
 
 const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx)
 {
-    int num = OSSL_NELEM(standard_methods);
+    int num = sizeof(standard_methods) / sizeof(EVP_PKEY_ASN1_METHOD *);
     if (idx < 0)
         return NULL;
     if (idx < num)
@@ -102,7 +159,8 @@ static const EVP_PKEY_ASN1_METHOD *pkey_asn1_find(int type)
         if (idx >= 0)
             return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
     }
-    ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
+    ret = OBJ_bsearch_ameth(&t, standard_methods, sizeof(standard_methods)
+                            / sizeof(EVP_PKEY_ASN1_METHOD *));
     if (!ret || !*ret)
         return NULL;
     return *ret;
@@ -167,8 +225,8 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe,
         ameth = EVP_PKEY_asn1_get0(i);
         if (ameth->pkey_flags & ASN1_PKEY_ALIAS)
             continue;
-        if (((int)strlen(ameth->pem_str) == len)
-            && (strncasecmp(ameth->pem_str, str, len) == 0))
+        if (((int)strlen(ameth->pem_str) == len) &&
+            !strncasecmp(ameth->pem_str, str, len))
             return ameth;
     }
     return NULL;
@@ -178,7 +236,7 @@ int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
 {
     if (app_methods == NULL) {
         app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp);
-        if (app_methods == NULL)
+        if (!app_methods)
             return 0;
     }
     if (!sk_EVP_PKEY_ASN1_METHOD_push(app_methods, ameth))
@@ -191,7 +249,7 @@ int EVP_PKEY_asn1_add_alias(int to, int from)
 {
     EVP_PKEY_ASN1_METHOD *ameth;
     ameth = EVP_PKEY_asn1_new(from, ASN1_PKEY_ALIAS, NULL, NULL);
-    if (ameth == NULL)
+    if (!ameth)
         return 0;
     ameth->pkey_base_id = to;
     if (!EVP_PKEY_asn1_add0(ameth)) {
@@ -221,7 +279,7 @@ int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *ppkey_base_id,
     return 1;
 }
 
-const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey)
+const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(EVP_PKEY *pkey)
 {
     return pkey->ameth;
 }
@@ -229,30 +287,63 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey)
 EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
                                         const char *pem_str, const char *info)
 {
-    EVP_PKEY_ASN1_METHOD *ameth = OPENSSL_zalloc(sizeof(*ameth));
-
-    if (ameth == NULL)
+    EVP_PKEY_ASN1_METHOD *ameth;
+    ameth = OPENSSL_malloc(sizeof(EVP_PKEY_ASN1_METHOD));
+    if (!ameth)
         return NULL;
 
+    memset(ameth, 0, sizeof(EVP_PKEY_ASN1_METHOD));
+
     ameth->pkey_id = id;
     ameth->pkey_base_id = id;
     ameth->pkey_flags = flags | ASN1_PKEY_DYNAMIC;
 
     if (info) {
-        ameth->info = OPENSSL_strdup(info);
+        ameth->info = BUF_strdup(info);
         if (!ameth->info)
             goto err;
-    }
+    } else
+        ameth->info = NULL;
 
     if (pem_str) {
-        ameth->pem_str = OPENSSL_strdup(pem_str);
+        ameth->pem_str = BUF_strdup(pem_str);
         if (!ameth->pem_str)
             goto err;
-    }
+    } else
+        ameth->pem_str = NULL;
+
+    ameth->pub_decode = 0;
+    ameth->pub_encode = 0;
+    ameth->pub_cmp = 0;
+    ameth->pub_print = 0;
+
+    ameth->priv_decode = 0;
+    ameth->priv_encode = 0;
+    ameth->priv_print = 0;
+
+    ameth->old_priv_encode = 0;
+    ameth->old_priv_decode = 0;
+
+    ameth->item_verify = 0;
+    ameth->item_sign = 0;
+
+    ameth->pkey_size = 0;
+    ameth->pkey_bits = 0;
+
+    ameth->param_decode = 0;
+    ameth->param_encode = 0;
+    ameth->param_missing = 0;
+    ameth->param_copy = 0;
+    ameth->param_cmp = 0;
+    ameth->param_print = 0;
+
+    ameth->pkey_free = 0;
+    ameth->pkey_ctrl = 0;
 
     return ameth;
 
  err:
+
     EVP_PKEY_asn1_free(ameth);
     return NULL;
 
@@ -295,8 +386,10 @@ void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst,
 void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth)
 {
     if (ameth && (ameth->pkey_flags & ASN1_PKEY_DYNAMIC)) {
-        OPENSSL_free(ameth->pem_str);
-        OPENSSL_free(ameth->info);
+        if (ameth->pem_str)
+            OPENSSL_free(ameth->pem_str);
+        if (ameth->info)
+            OPENSSL_free(ameth->info);
         OPENSSL_free(ameth);
     }
 }
@@ -324,7 +417,7 @@ void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth,
 
 void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth,
                                int (*priv_decode) (EVP_PKEY *pk,
-                                                   const PKCS8_PRIV_KEY_INFO
+                                                   PKCS8_PRIV_KEY_INFO
                                                    *p8inf),
                                int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8,
                                                    const EVP_PKEY *pk),
@@ -374,13 +467,6 @@ void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
     ameth->pkey_ctrl = pkey_ctrl;
 }
 
-void EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth,
-                                     int (*pkey_security_bits) (const EVP_PKEY
-                                                                *pk))
-{
-    ameth->pkey_security_bits = pkey_security_bits;
-}
-
 void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth,
                             int (*item_verify) (EVP_MD_CTX *ctx,
                                                 const ASN1_ITEM *it,
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c
index 97c3dec9..fd4ac8d9 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/asn1_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -20,33 +71,38 @@
 
 static ERR_STRING_DATA ASN1_str_functs[] = {
     {ERR_FUNC(ASN1_F_A2D_ASN1_OBJECT), "a2d_ASN1_OBJECT"},
+    {ERR_FUNC(ASN1_F_A2I_ASN1_ENUMERATED), "a2i_ASN1_ENUMERATED"},
     {ERR_FUNC(ASN1_F_A2I_ASN1_INTEGER), "a2i_ASN1_INTEGER"},
     {ERR_FUNC(ASN1_F_A2I_ASN1_STRING), "a2i_ASN1_STRING"},
-    {ERR_FUNC(ASN1_F_APPEND_EXP), "append_exp"},
+    {ERR_FUNC(ASN1_F_APPEND_EXP), "APPEND_EXP"},
     {ERR_FUNC(ASN1_F_ASN1_BIT_STRING_SET_BIT), "ASN1_BIT_STRING_set_bit"},
-    {ERR_FUNC(ASN1_F_ASN1_CB), "asn1_cb"},
-    {ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN), "asn1_check_tlen"},
-    {ERR_FUNC(ASN1_F_ASN1_COLLECT), "asn1_collect"},
-    {ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE), "asn1_d2i_ex_primitive"},
+    {ERR_FUNC(ASN1_F_ASN1_CB), "ASN1_CB"},
+    {ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN), "ASN1_CHECK_TLEN"},
+    {ERR_FUNC(ASN1_F_ASN1_COLLATE_PRIMITIVE), "ASN1_COLLATE_PRIMITIVE"},
+    {ERR_FUNC(ASN1_F_ASN1_COLLECT), "ASN1_COLLECT"},
+    {ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE), "ASN1_D2I_EX_PRIMITIVE"},
     {ERR_FUNC(ASN1_F_ASN1_D2I_FP), "ASN1_d2i_fp"},
-    {ERR_FUNC(ASN1_F_ASN1_D2I_READ_BIO), "asn1_d2i_read_bio"},
+    {ERR_FUNC(ASN1_F_ASN1_D2I_READ_BIO), "ASN1_D2I_READ_BIO"},
     {ERR_FUNC(ASN1_F_ASN1_DIGEST), "ASN1_digest"},
-    {ERR_FUNC(ASN1_F_ASN1_DO_ADB), "asn1_do_adb"},
-    {ERR_FUNC(ASN1_F_ASN1_DO_LOCK), "asn1_do_lock"},
+    {ERR_FUNC(ASN1_F_ASN1_DO_ADB), "ASN1_DO_ADB"},
     {ERR_FUNC(ASN1_F_ASN1_DUP), "ASN1_dup"},
-    {ERR_FUNC(ASN1_F_ASN1_EX_C2I), "asn1_ex_c2i"},
-    {ERR_FUNC(ASN1_F_ASN1_FIND_END), "asn1_find_end"},
+    {ERR_FUNC(ASN1_F_ASN1_ENUMERATED_SET), "ASN1_ENUMERATED_set"},
+    {ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN), "ASN1_ENUMERATED_to_BN"},
+    {ERR_FUNC(ASN1_F_ASN1_EX_C2I), "ASN1_EX_C2I"},
+    {ERR_FUNC(ASN1_F_ASN1_FIND_END), "ASN1_FIND_END"},
     {ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_ADJ), "ASN1_GENERALIZEDTIME_adj"},
+    {ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET), "ASN1_GENERALIZEDTIME_set"},
     {ERR_FUNC(ASN1_F_ASN1_GENERATE_V3), "ASN1_generate_v3"},
-    {ERR_FUNC(ASN1_F_ASN1_GET_INT64), "asn1_get_int64"},
     {ERR_FUNC(ASN1_F_ASN1_GET_OBJECT), "ASN1_get_object"},
-    {ERR_FUNC(ASN1_F_ASN1_GET_UINT64), "asn1_get_uint64"},
+    {ERR_FUNC(ASN1_F_ASN1_HEADER_NEW), "ASN1_HEADER_NEW"},
     {ERR_FUNC(ASN1_F_ASN1_I2D_BIO), "ASN1_i2d_bio"},
     {ERR_FUNC(ASN1_F_ASN1_I2D_FP), "ASN1_i2d_fp"},
+    {ERR_FUNC(ASN1_F_ASN1_INTEGER_SET), "ASN1_INTEGER_set"},
+    {ERR_FUNC(ASN1_F_ASN1_INTEGER_TO_BN), "ASN1_INTEGER_to_BN"},
     {ERR_FUNC(ASN1_F_ASN1_ITEM_D2I_FP), "ASN1_item_d2i_fp"},
     {ERR_FUNC(ASN1_F_ASN1_ITEM_DUP), "ASN1_item_dup"},
-    {ERR_FUNC(ASN1_F_ASN1_ITEM_EMBED_D2I), "asn1_item_embed_d2i"},
-    {ERR_FUNC(ASN1_F_ASN1_ITEM_EMBED_NEW), "asn1_item_embed_new"},
+    {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW), "ASN1_ITEM_EX_COMBINE_NEW"},
+    {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I), "ASN1_ITEM_EX_D2I"},
     {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO), "ASN1_item_i2d_bio"},
     {ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"},
     {ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"},
@@ -56,65 +112,85 @@ static ERR_STRING_DATA ASN1_str_functs[] = {
     {ERR_FUNC(ASN1_F_ASN1_ITEM_VERIFY), "ASN1_item_verify"},
     {ERR_FUNC(ASN1_F_ASN1_MBSTRING_NCOPY), "ASN1_mbstring_ncopy"},
     {ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW), "ASN1_OBJECT_new"},
-    {ERR_FUNC(ASN1_F_ASN1_OUTPUT_DATA), "asn1_output_data"},
+    {ERR_FUNC(ASN1_F_ASN1_OUTPUT_DATA), "ASN1_OUTPUT_DATA"},
+    {ERR_FUNC(ASN1_F_ASN1_PACK_STRING), "ASN1_pack_string"},
     {ERR_FUNC(ASN1_F_ASN1_PCTX_NEW), "ASN1_PCTX_new"},
-    {ERR_FUNC(ASN1_F_ASN1_SCTX_NEW), "ASN1_SCTX_new"},
+    {ERR_FUNC(ASN1_F_ASN1_PKCS5_PBE_SET), "ASN1_PKCS5_PBE_SET"},
+    {ERR_FUNC(ASN1_F_ASN1_SEQ_PACK), "ASN1_seq_pack"},
+    {ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK), "ASN1_seq_unpack"},
     {ERR_FUNC(ASN1_F_ASN1_SIGN), "ASN1_sign"},
-    {ERR_FUNC(ASN1_F_ASN1_STR2TYPE), "asn1_str2type"},
-    {ERR_FUNC(ASN1_F_ASN1_STRING_GET_INT64), "asn1_string_get_int64"},
-    {ERR_FUNC(ASN1_F_ASN1_STRING_GET_UINT64), "asn1_string_get_uint64"},
+    {ERR_FUNC(ASN1_F_ASN1_STR2TYPE), "ASN1_STR2TYPE"},
     {ERR_FUNC(ASN1_F_ASN1_STRING_SET), "ASN1_STRING_set"},
     {ERR_FUNC(ASN1_F_ASN1_STRING_TABLE_ADD), "ASN1_STRING_TABLE_add"},
-    {ERR_FUNC(ASN1_F_ASN1_STRING_TO_BN), "asn1_string_to_bn"},
     {ERR_FUNC(ASN1_F_ASN1_STRING_TYPE_NEW), "ASN1_STRING_type_new"},
-    {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I), "asn1_template_ex_d2i"},
-    {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW), "asn1_template_new"},
-    {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I), "asn1_template_noexp_d2i"},
+    {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I), "ASN1_TEMPLATE_EX_D2I"},
+    {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW), "ASN1_TEMPLATE_NEW"},
+    {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I), "ASN1_TEMPLATE_NOEXP_D2I"},
     {ERR_FUNC(ASN1_F_ASN1_TIME_ADJ), "ASN1_TIME_adj"},
+    {ERR_FUNC(ASN1_F_ASN1_TIME_SET), "ASN1_TIME_set"},
     {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING),
      "ASN1_TYPE_get_int_octetstring"},
     {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING), "ASN1_TYPE_get_octetstring"},
+    {ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING), "ASN1_unpack_string"},
     {ERR_FUNC(ASN1_F_ASN1_UTCTIME_ADJ), "ASN1_UTCTIME_adj"},
+    {ERR_FUNC(ASN1_F_ASN1_UTCTIME_SET), "ASN1_UTCTIME_set"},
     {ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"},
-    {ERR_FUNC(ASN1_F_B64_READ_ASN1), "b64_read_asn1"},
-    {ERR_FUNC(ASN1_F_B64_WRITE_ASN1), "B64_write_ASN1"},
+    {ERR_FUNC(ASN1_F_B64_READ_ASN1), "B64_READ_ASN1"},
+    {ERR_FUNC(ASN1_F_B64_WRITE_ASN1), "B64_WRITE_ASN1"},
     {ERR_FUNC(ASN1_F_BIO_NEW_NDEF), "BIO_new_NDEF"},
-    {ERR_FUNC(ASN1_F_BITSTR_CB), "bitstr_cb"},
-    {ERR_FUNC(ASN1_F_BN_TO_ASN1_STRING), "bn_to_asn1_string"},
+    {ERR_FUNC(ASN1_F_BITSTR_CB), "BITSTR_CB"},
+    {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED), "BN_to_ASN1_ENUMERATED"},
+    {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER), "BN_to_ASN1_INTEGER"},
     {ERR_FUNC(ASN1_F_C2I_ASN1_BIT_STRING), "c2i_ASN1_BIT_STRING"},
     {ERR_FUNC(ASN1_F_C2I_ASN1_INTEGER), "c2i_ASN1_INTEGER"},
     {ERR_FUNC(ASN1_F_C2I_ASN1_OBJECT), "c2i_ASN1_OBJECT"},
-    {ERR_FUNC(ASN1_F_C2I_IBUF), "c2i_ibuf"},
-    {ERR_FUNC(ASN1_F_COLLECT_DATA), "collect_data"},
+    {ERR_FUNC(ASN1_F_COLLECT_DATA), "COLLECT_DATA"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_BIT_STRING), "D2I_ASN1_BIT_STRING"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_BOOLEAN), "d2i_ASN1_BOOLEAN"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_BYTES), "d2i_ASN1_bytes"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_GENERALIZEDTIME), "D2I_ASN1_GENERALIZEDTIME"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_HEADER), "D2I_ASN1_HEADER"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_INTEGER), "D2I_ASN1_INTEGER"},
     {ERR_FUNC(ASN1_F_D2I_ASN1_OBJECT), "d2i_ASN1_OBJECT"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_SET), "d2i_ASN1_SET"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_TYPE_BYTES), "d2i_ASN1_type_bytes"},
     {ERR_FUNC(ASN1_F_D2I_ASN1_UINTEGER), "d2i_ASN1_UINTEGER"},
+    {ERR_FUNC(ASN1_F_D2I_ASN1_UTCTIME), "D2I_ASN1_UTCTIME"},
     {ERR_FUNC(ASN1_F_D2I_AUTOPRIVATEKEY), "d2i_AutoPrivateKey"},
+    {ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA), "d2i_Netscape_RSA"},
+    {ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA_2), "D2I_NETSCAPE_RSA_2"},
     {ERR_FUNC(ASN1_F_D2I_PRIVATEKEY), "d2i_PrivateKey"},
     {ERR_FUNC(ASN1_F_D2I_PUBLICKEY), "d2i_PublicKey"},
-    {ERR_FUNC(ASN1_F_DO_TCREATE), "do_tcreate"},
+    {ERR_FUNC(ASN1_F_D2I_RSA_NET), "d2i_RSA_NET"},
+    {ERR_FUNC(ASN1_F_D2I_RSA_NET_2), "D2I_RSA_NET_2"},
+    {ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"},
+    {ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"},
+    {ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"},
     {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"},
+    {ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"},
+    {ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"},
     {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"},
     {ERR_FUNC(ASN1_F_I2D_EC_PUBKEY), "i2d_EC_PUBKEY"},
     {ERR_FUNC(ASN1_F_I2D_PRIVATEKEY), "i2d_PrivateKey"},
     {ERR_FUNC(ASN1_F_I2D_PUBLICKEY), "i2d_PublicKey"},
+    {ERR_FUNC(ASN1_F_I2D_RSA_NET), "i2d_RSA_NET"},
     {ERR_FUNC(ASN1_F_I2D_RSA_PUBKEY), "i2d_RSA_PUBKEY"},
-    {ERR_FUNC(ASN1_F_LONG_C2I), "long_c2i"},
-    {ERR_FUNC(ASN1_F_OID_MODULE_INIT), "oid_module_init"},
-    {ERR_FUNC(ASN1_F_PARSE_TAGGING), "parse_tagging"},
+    {ERR_FUNC(ASN1_F_LONG_C2I), "LONG_C2I"},
+    {ERR_FUNC(ASN1_F_OID_MODULE_INIT), "OID_MODULE_INIT"},
+    {ERR_FUNC(ASN1_F_PARSE_TAGGING), "PARSE_TAGGING"},
     {ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_IV), "PKCS5_pbe2_set_iv"},
-    {ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_SCRYPT), "PKCS5_pbe2_set_scrypt"},
     {ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"},
     {ERR_FUNC(ASN1_F_PKCS5_PBE_SET0_ALGOR), "PKCS5_pbe_set0_algor"},
     {ERR_FUNC(ASN1_F_PKCS5_PBKDF2_SET), "PKCS5_pbkdf2_set"},
-    {ERR_FUNC(ASN1_F_PKCS5_SCRYPT_SET), "pkcs5_scrypt_set"},
     {ERR_FUNC(ASN1_F_SMIME_READ_ASN1), "SMIME_read_ASN1"},
     {ERR_FUNC(ASN1_F_SMIME_TEXT), "SMIME_text"},
-    {ERR_FUNC(ASN1_F_STBL_MODULE_INIT), "stbl_module_init"},
+    {ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"},
     {ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_add0_revoked"},
     {ERR_FUNC(ASN1_F_X509_INFO_NEW), "X509_INFO_new"},
-    {ERR_FUNC(ASN1_F_X509_NAME_ENCODE), "x509_name_encode"},
-    {ERR_FUNC(ASN1_F_X509_NAME_EX_D2I), "x509_name_ex_d2i"},
-    {ERR_FUNC(ASN1_F_X509_NAME_EX_NEW), "x509_name_ex_new"},
+    {ERR_FUNC(ASN1_F_X509_NAME_ENCODE), "X509_NAME_ENCODE"},
+    {ERR_FUNC(ASN1_F_X509_NAME_EX_D2I), "X509_NAME_EX_D2I"},
+    {ERR_FUNC(ASN1_F_X509_NAME_EX_NEW), "X509_NAME_EX_NEW"},
+    {ERR_FUNC(ASN1_F_X509_NEW), "X509_NEW"},
     {ERR_FUNC(ASN1_F_X509_PKEY_NEW), "X509_PKEY_new"},
     {0, NULL}
 };
@@ -124,7 +200,10 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_ASN1_PARSE_ERROR), "asn1 parse error"},
     {ERR_REASON(ASN1_R_ASN1_SIG_PARSE_ERROR), "asn1 sig parse error"},
     {ERR_REASON(ASN1_R_AUX_ERROR), "aux error"},
+    {ERR_REASON(ASN1_R_BAD_CLASS), "bad class"},
     {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER), "bad object header"},
+    {ERR_REASON(ASN1_R_BAD_PASSWORD_READ), "bad password read"},
+    {ERR_REASON(ASN1_R_BAD_TAG), "bad tag"},
     {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),
      "bmpstring is wrong length"},
     {ERR_REASON(ASN1_R_BN_LIB), "bn lib"},
@@ -135,16 +214,21 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_CONTEXT_NOT_INITIALISED), "context not initialised"},
     {ERR_REASON(ASN1_R_DATA_IS_WRONG), "data is wrong"},
     {ERR_REASON(ASN1_R_DECODE_ERROR), "decode error"},
+    {ERR_REASON(ASN1_R_DECODING_ERROR), "decoding error"},
     {ERR_REASON(ASN1_R_DEPTH_EXCEEDED), "depth exceeded"},
     {ERR_REASON(ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED),
      "digest and key type not supported"},
     {ERR_REASON(ASN1_R_ENCODE_ERROR), "encode error"},
     {ERR_REASON(ASN1_R_ERROR_GETTING_TIME), "error getting time"},
     {ERR_REASON(ASN1_R_ERROR_LOADING_SECTION), "error loading section"},
+    {ERR_REASON(ASN1_R_ERROR_PARSING_SET_ELEMENT),
+     "error parsing set element"},
     {ERR_REASON(ASN1_R_ERROR_SETTING_CIPHER_PARAMS),
      "error setting cipher params"},
     {ERR_REASON(ASN1_R_EXPECTING_AN_INTEGER), "expecting an integer"},
     {ERR_REASON(ASN1_R_EXPECTING_AN_OBJECT), "expecting an object"},
+    {ERR_REASON(ASN1_R_EXPECTING_A_BOOLEAN), "expecting a boolean"},
+    {ERR_REASON(ASN1_R_EXPECTING_A_TIME), "expecting a time"},
     {ERR_REASON(ASN1_R_EXPLICIT_LENGTH_MISMATCH), "explicit length mismatch"},
     {ERR_REASON(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED),
      "explicit tag not constructed"},
@@ -158,7 +242,6 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_ILLEGAL_HEX), "illegal hex"},
     {ERR_REASON(ASN1_R_ILLEGAL_IMPLICIT_TAG), "illegal implicit tag"},
     {ERR_REASON(ASN1_R_ILLEGAL_INTEGER), "illegal integer"},
-    {ERR_REASON(ASN1_R_ILLEGAL_NEGATIVE_VALUE), "illegal negative value"},
     {ERR_REASON(ASN1_R_ILLEGAL_NESTED_TAGGING), "illegal nested tagging"},
     {ERR_REASON(ASN1_R_ILLEGAL_NULL), "illegal null"},
     {ERR_REASON(ASN1_R_ILLEGAL_NULL_VALUE), "illegal null value"},
@@ -166,10 +249,8 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_ILLEGAL_OPTIONAL_ANY), "illegal optional any"},
     {ERR_REASON(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE),
      "illegal options on item template"},
-    {ERR_REASON(ASN1_R_ILLEGAL_PADDING), "illegal padding"},
     {ERR_REASON(ASN1_R_ILLEGAL_TAGGED_ANY), "illegal tagged any"},
     {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE), "illegal time value"},
-    {ERR_REASON(ASN1_R_ILLEGAL_ZERO_CONTENT), "illegal zero content"},
     {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT), "integer not ascii format"},
     {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),
      "integer too large for long"},
@@ -181,15 +262,13 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_INVALID_MODIFIER), "invalid modifier"},
     {ERR_REASON(ASN1_R_INVALID_NUMBER), "invalid number"},
     {ERR_REASON(ASN1_R_INVALID_OBJECT_ENCODING), "invalid object encoding"},
-    {ERR_REASON(ASN1_R_INVALID_SCRYPT_PARAMETERS),
-     "invalid scrypt parameters"},
     {ERR_REASON(ASN1_R_INVALID_SEPARATOR), "invalid separator"},
-    {ERR_REASON(ASN1_R_INVALID_STRING_TABLE_VALUE),
-     "invalid string table value"},
+    {ERR_REASON(ASN1_R_INVALID_TIME_FORMAT), "invalid time format"},
     {ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH),
      "invalid universalstring length"},
     {ERR_REASON(ASN1_R_INVALID_UTF8STRING), "invalid utf8string"},
-    {ERR_REASON(ASN1_R_INVALID_VALUE), "invalid value"},
+    {ERR_REASON(ASN1_R_IV_TOO_LARGE), "iv too large"},
+    {ERR_REASON(ASN1_R_LENGTH_ERROR), "length error"},
     {ERR_REASON(ASN1_R_LIST_ERROR), "list error"},
     {ERR_REASON(ASN1_R_MIME_NO_CONTENT_TYPE), "mime no content type"},
     {ERR_REASON(ASN1_R_MIME_PARSE_ERROR), "mime parse error"},
@@ -204,6 +283,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"},
     {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"},
     {ERR_REASON(ASN1_R_NO_CONTENT_TYPE), "no content type"},
+    {ERR_REASON(ASN1_R_NO_DEFAULT_DIGEST), "no default digest"},
     {ERR_REASON(ASN1_R_NO_MATCHING_CHOICE_TYPE), "no matching choice type"},
     {ERR_REASON(ASN1_R_NO_MULTIPART_BODY_FAILURE),
      "no multipart body failure"},
@@ -212,6 +292,8 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_NULL_IS_WRONG_LENGTH), "null is wrong length"},
     {ERR_REASON(ASN1_R_OBJECT_NOT_ASCII_FORMAT), "object not ascii format"},
     {ERR_REASON(ASN1_R_ODD_NUMBER_OF_CHARS), "odd number of chars"},
+    {ERR_REASON(ASN1_R_PRIVATE_KEY_HEADER_MISSING),
+     "private key header missing"},
     {ERR_REASON(ASN1_R_SECOND_NUMBER_TOO_LARGE), "second number too large"},
     {ERR_REASON(ASN1_R_SEQUENCE_LENGTH_MISMATCH), "sequence length mismatch"},
     {ERR_REASON(ASN1_R_SEQUENCE_NOT_CONSTRUCTED), "sequence not constructed"},
@@ -222,14 +304,16 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_STREAMING_NOT_SUPPORTED), "streaming not supported"},
     {ERR_REASON(ASN1_R_STRING_TOO_LONG), "string too long"},
     {ERR_REASON(ASN1_R_STRING_TOO_SHORT), "string too short"},
+    {ERR_REASON(ASN1_R_TAG_VALUE_TOO_HIGH), "tag value too high"},
     {ERR_REASON(ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),
      "the asn1 object identifier is not known for this md"},
     {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT), "time not ascii format"},
-    {ERR_REASON(ASN1_R_TOO_LARGE), "too large"},
     {ERR_REASON(ASN1_R_TOO_LONG), "too long"},
-    {ERR_REASON(ASN1_R_TOO_SMALL), "too small"},
     {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED), "type not constructed"},
     {ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE), "type not primitive"},
+    {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY), "unable to decode rsa key"},
+    {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),
+     "unable to decode rsa private key"},
     {ERR_REASON(ASN1_R_UNEXPECTED_EOC), "unexpected eoc"},
     {ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),
      "universalstring is wrong length"},
@@ -241,20 +325,24 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),
      "unknown signature algorithm"},
     {ERR_REASON(ASN1_R_UNKNOWN_TAG), "unknown tag"},
+    {ERR_REASON(ASN1_R_UNKOWN_FORMAT), "unknown format"},
     {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),
      "unsupported any defined by type"},
+    {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER), "unsupported cipher"},
+    {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),
+     "unsupported encryption algorithm"},
     {ERR_REASON(ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE),
      "unsupported public key type"},
     {ERR_REASON(ASN1_R_UNSUPPORTED_TYPE), "unsupported type"},
-    {ERR_REASON(ASN1_R_WRONG_INTEGER_TYPE), "wrong integer type"},
     {ERR_REASON(ASN1_R_WRONG_PUBLIC_KEY_TYPE), "wrong public key type"},
     {ERR_REASON(ASN1_R_WRONG_TAG), "wrong tag"},
+    {ERR_REASON(ASN1_R_WRONG_TYPE), "wrong type"},
     {0, NULL}
 };
 
 #endif
 
-int ERR_load_ASN1_strings(void)
+void ERR_load_ASN1_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -263,5 +351,4 @@ int ERR_load_ASN1_strings(void)
         ERR_load_strings(0, ASN1_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c
index 493a693a..65749239 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_gen.c
@@ -1,13 +1,63 @@
+/* asn1_gen.c */
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2002.
+ */
+/* ====================================================================
+ * Copyright (c) 2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/x509v3.h>
 
@@ -62,7 +112,7 @@ typedef struct {
     int exp_count;
 } tag_exp_arg;
 
-static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
+static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth,
                               int *perr);
 static int bitstr_cb(const char *elem, int len, void *bitstr);
 static int asn1_cb(const char *elem, int len, void *bitstr);
@@ -75,7 +125,7 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
 static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype);
 static int asn1_str2tag(const char *tagstr, int len);
 
-ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf)
+ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf)
 {
     X509V3_CTX cnf;
 
@@ -86,7 +136,7 @@ ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf)
     return ASN1_generate_v3(str, &cnf);
 }
 
-ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf)
+ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
 {
     int err = 0;
     ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err);
@@ -95,7 +145,7 @@ ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf)
     return ret;
 }
 
-static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
+static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth,
                               int *perr)
 {
     ASN1_TYPE *ret;
@@ -109,7 +159,7 @@ static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
     unsigned char *p;
     const unsigned char *cp;
     int cpy_len;
-    long hdr_len = 0;
+    long hdr_len;
     int hdr_constructed = 0, hdr_tag, hdr_class;
     int r;
 
@@ -193,7 +243,7 @@ static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
     /* Allocate buffer for new encoding */
 
     new_der = OPENSSL_malloc(len);
-    if (new_der == NULL)
+    if (!new_der)
         goto err;
 
     /* Generate tagged encoding */
@@ -230,8 +280,10 @@ static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
     ret = d2i_ASN1_TYPE(NULL, &cp, len);
 
  err:
-    OPENSSL_free(orig_der);
-    OPENSSL_free(new_der);
+    if (orig_der)
+        OPENSSL_free(orig_der);
+    if (new_der)
+        OPENSSL_free(new_der);
 
     return ret;
 
@@ -325,16 +377,16 @@ static int asn1_cb(const char *elem, int len, void *bitstr)
             ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_FORMAT);
             return -1;
         }
-        if (strncmp(vstart, "ASCII", 5) == 0)
+        if (!strncmp(vstart, "ASCII", 5))
             arg->format = ASN1_GEN_FORMAT_ASCII;
-        else if (strncmp(vstart, "UTF8", 4) == 0)
+        else if (!strncmp(vstart, "UTF8", 4))
             arg->format = ASN1_GEN_FORMAT_UTF8;
-        else if (strncmp(vstart, "HEX", 3) == 0)
+        else if (!strncmp(vstart, "HEX", 3))
             arg->format = ASN1_GEN_FORMAT_HEX;
-        else if (strncmp(vstart, "BITLIST", 7) == 0)
+        else if (!strncmp(vstart, "BITLIST", 7))
             arg->format = ASN1_GEN_FORMAT_BITLIST;
         else {
-            ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_FORMAT);
+            ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKOWN_FORMAT);
             return -1;
         }
         break;
@@ -391,6 +443,7 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass)
             ASN1err(ASN1_F_PARSE_TAGGING, ASN1_R_INVALID_MODIFIER);
             ERR_add_error_data(2, "Char=", erch);
             return 0;
+            break;
 
         }
     } else
@@ -442,12 +495,15 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
 
     if (derlen < 0)
         goto bad;
-    if ((ret = ASN1_TYPE_new()) == NULL)
+
+    if (!(ret = ASN1_TYPE_new()))
         goto bad;
-    if ((ret->value.asn1_string = ASN1_STRING_type_new(utype)) == NULL)
+
+    if (!(ret->value.asn1_string = ASN1_STRING_type_new(utype)))
         goto bad;
 
     ret->type = utype;
+
     ret->value.asn1_string->data = der;
     ret->value.asn1_string->length = derlen;
 
@@ -455,10 +511,13 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
 
  bad:
 
-    OPENSSL_free(der);
+    if (der)
+        OPENSSL_free(der);
 
-    sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
-    X509V3_section_free(cnf, sect);
+    if (sk)
+        sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
+    if (sect)
+        X509V3_section_free(cnf, sect);
 
     return ret;
 }
@@ -567,8 +626,8 @@ static int asn1_str2tag(const char *tagstr, int len)
         len = strlen(tagstr);
 
     tntmp = tnst;
-    for (i = 0; i < OSSL_NELEM(tnst); i++, tntmp++) {
-        if ((len == tntmp->len) && (strncmp(tntmp->strnam, tagstr, len) == 0))
+    for (i = 0; i < sizeof(tnst) / sizeof(struct tag_name_st); i++, tntmp++) {
+        if ((len == tntmp->len) && !strncmp(tntmp->strnam, tagstr, len))
             return tntmp->tag;
     }
 
@@ -578,12 +637,15 @@ static int asn1_str2tag(const char *tagstr, int len)
 static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 {
     ASN1_TYPE *atmp = NULL;
+
     CONF_VALUE vtmp;
+
     unsigned char *rdata;
     long rdlen;
+
     int no_unused = 1;
 
-    if ((atmp = ASN1_TYPE_new()) == NULL) {
+    if (!(atmp = ASN1_TYPE_new())) {
         ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -620,8 +682,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
             ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_INTEGER_NOT_ASCII_FORMAT);
             goto bad_form;
         }
-        if ((atmp->value.integer
-                    = s2i_ASN1_INTEGER(NULL, str)) == NULL) {
+        if (!(atmp->value.integer = s2i_ASN1_INTEGER(NULL, (char *)str))) {
             ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_INTEGER);
             goto bad_str;
         }
@@ -632,7 +693,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
             ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_OBJECT_NOT_ASCII_FORMAT);
             goto bad_form;
         }
-        if ((atmp->value.object = OBJ_txt2obj(str, 0)) == NULL) {
+        if (!(atmp->value.object = OBJ_txt2obj(str, 0))) {
             ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_OBJECT);
             goto bad_str;
         }
@@ -644,7 +705,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
             ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_TIME_NOT_ASCII_FORMAT);
             goto bad_form;
         }
-        if ((atmp->value.asn1_string = ASN1_STRING_new()) == NULL) {
+        if (!(atmp->value.asn1_string = ASN1_STRING_new())) {
             ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
             goto bad_str;
         }
@@ -669,6 +730,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
     case V_ASN1_UNIVERSALSTRING:
     case V_ASN1_GENERALSTRING:
     case V_ASN1_NUMERICSTRING:
+
         if (format == ASN1_GEN_FORMAT_ASCII)
             format = MBSTRING_ASC;
         else if (format == ASN1_GEN_FORMAT_UTF8)
@@ -687,20 +749,25 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
         break;
 
     case V_ASN1_BIT_STRING:
+
     case V_ASN1_OCTET_STRING:
-        if ((atmp->value.asn1_string = ASN1_STRING_new()) == NULL) {
+
+        if (!(atmp->value.asn1_string = ASN1_STRING_new())) {
             ASN1err(ASN1_F_ASN1_STR2TYPE, ERR_R_MALLOC_FAILURE);
             goto bad_form;
         }
 
         if (format == ASN1_GEN_FORMAT_HEX) {
-            if ((rdata = OPENSSL_hexstr2buf(str, &rdlen)) == NULL) {
+
+            if (!(rdata = string_to_hex((char *)str, &rdlen))) {
                 ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_HEX);
                 goto bad_str;
             }
+
             atmp->value.asn1_string->data = rdata;
             atmp->value.asn1_string->length = rdlen;
             atmp->value.asn1_string->type = utype;
+
         } else if (format == ASN1_GEN_FORMAT_ASCII)
             ASN1_STRING_set(atmp->value.asn1_string, str, -1);
         else if ((format == ASN1_GEN_FORMAT_BITLIST)
@@ -728,6 +795,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
     default:
         ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_UNSUPPORTED_TYPE);
         goto bad_str;
+        break;
     }
 
     atmp->type = utype;
@@ -761,29 +829,3 @@ static int bitstr_cb(const char *elem, int len, void *bitstr)
     }
     return 1;
 }
-
-static int mask_cb(const char *elem, int len, void *arg)
-{
-    unsigned long *pmask = arg, tmpmask;
-    int tag;
-    if (elem == NULL)
-        return 0;
-    if ((len == 3) && (strncmp(elem, "DIR", 3) == 0)) {
-        *pmask |= B_ASN1_DIRECTORYSTRING;
-        return 1;
-    }
-    tag = asn1_str2tag(elem, len);
-    if (!tag || (tag & ASN1_GEN_FLAG))
-        return 0;
-    tmpmask = ASN1_tag2bit(tag);
-    if (!tmpmask)
-        return 0;
-    *pmask |= tmpmask;
-    return 1;
-}
-
-int ASN1_str2mask(const char *str, unsigned long *pmask)
-{
-    *pmask = 0;
-    return CONF_parse_list(str, '|', 1, mask_cb, pmask);
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c
index 8ca53b4c..e63e82a8 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_lib.c
@@ -1,21 +1,71 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/asn1_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <limits.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
-#include "asn1_locl.h"
+#include <openssl/asn1_mac.h>
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
                            long max);
 static void asn1_put_length(unsigned char **pp, int length);
+const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
 
 static int _asn1_check_infinite_end(const unsigned char **p, long len)
 {
@@ -87,6 +137,12 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
     if (inf && !(ret & V_ASN1_CONSTRUCTED))
         goto err;
 
+#if 0
+    fprintf(stderr, "p=%d + *plength=%ld > omax=%ld + *pp=%d  (%d > %d)\n",
+            (int)p, *plength, omax, (int)*pp, (int)(p + *plength),
+            (int)(omax + *pp));
+
+#endif
     if (*plength > (omax - (p - *pp))) {
         ASN1err(ASN1_F_ASN1_GET_OBJECT, ASN1_R_TOO_LONG);
         /*
@@ -119,14 +175,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
         *inf = 0;
         i = *p & 0x7f;
         if (*(p++) & 0x80) {
-            if (max < (long)i + 1)
-                return 0;
-            /* Skip leading zeroes */
-            while (i && *p == 0) {
-                p++;
-                i--;
-            }
-            if (i > sizeof(long))
+            if (i > sizeof(ret) || max < (long)i)
                 return 0;
             while (i-- > 0) {
                 ret <<= 8L;
@@ -233,6 +282,57 @@ int ASN1_object_size(int constructed, int length, int tag)
     return ret + length;
 }
 
+static int _asn1_Finish(ASN1_const_CTX *c)
+{
+    if ((c->inf == (1 | V_ASN1_CONSTRUCTED)) && (!c->eos)) {
+        if (!ASN1_const_check_infinite_end(&c->p, c->slen)) {
+            c->error = ERR_R_MISSING_ASN1_EOS;
+            return (0);
+        }
+    }
+    if (((c->slen != 0) && !(c->inf & 1)) || ((c->slen < 0) && (c->inf & 1))) {
+        c->error = ERR_R_ASN1_LENGTH_MISMATCH;
+        return (0);
+    }
+    return (1);
+}
+
+int asn1_Finish(ASN1_CTX *c)
+{
+    return _asn1_Finish((ASN1_const_CTX *)c);
+}
+
+int asn1_const_Finish(ASN1_const_CTX *c)
+{
+    return _asn1_Finish(c);
+}
+
+int asn1_GetSequence(ASN1_const_CTX *c, long *length)
+{
+    const unsigned char *q;
+
+    q = c->p;
+    c->inf = ASN1_get_object(&(c->p), &(c->slen), &(c->tag), &(c->xclass),
+                             *length);
+    if (c->inf & 0x80) {
+        c->error = ERR_R_BAD_GET_ASN1_OBJECT_CALL;
+        return (0);
+    }
+    if (c->tag != V_ASN1_SEQUENCE) {
+        c->error = ERR_R_EXPECTING_AN_ASN1_SEQUENCE;
+        return (0);
+    }
+    (*length) -= (c->p - q);
+    if (c->max && (*length < 0)) {
+        c->error = ERR_R_ASN1_LENGTH_MISMATCH;
+        return (0);
+    }
+    if (c->inf == (1 | V_ASN1_CONSTRUCTED))
+        c->slen = *length;
+    c->eos = 0;
+    return (1);
+}
+
 int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str)
 {
     if (str == NULL)
@@ -240,9 +340,7 @@ int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str)
     dst->type = str->type;
     if (!ASN1_STRING_set(dst, str->data, str->length))
         return 0;
-    /* Copy flags but preserve embed value */
-    dst->flags &= ASN1_STRING_FLAG_EMBED;
-    dst->flags |= str->flags & ~ASN1_STRING_FLAG_EMBED;
+    dst->flags = str->flags;
     return 1;
 }
 
@@ -252,7 +350,7 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str)
     if (!str)
         return NULL;
     ret = ASN1_STRING_new();
-    if (ret == NULL)
+    if (!ret)
         return NULL;
     if (!ASN1_STRING_copy(ret, str)) {
         ASN1_STRING_free(ret);
@@ -274,7 +372,11 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
     }
     if ((str->length <= len) || (str->data == NULL)) {
         c = str->data;
-        str->data = OPENSSL_realloc(c, len + 1);
+        if (c == NULL)
+            str->data = OPENSSL_malloc(len + 1);
+        else
+            str->data = OPENSSL_realloc(c, len + 1);
+
         if (str->data == NULL) {
             ASN1err(ASN1_F_ASN1_STRING_SET, ERR_R_MALLOC_FAILURE);
             str->data = c;
@@ -292,7 +394,8 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
 
 void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len)
 {
-    OPENSSL_free(str->data);
+    if (str->data)
+        OPENSSL_free(str->data);
     str->data = data;
     str->length = len;
 }
@@ -306,37 +409,30 @@ ASN1_STRING *ASN1_STRING_type_new(int type)
 {
     ASN1_STRING *ret;
 
-    ret = OPENSSL_zalloc(sizeof(*ret));
+    ret = (ASN1_STRING *)OPENSSL_malloc(sizeof(ASN1_STRING));
     if (ret == NULL) {
         ASN1err(ASN1_F_ASN1_STRING_TYPE_NEW, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
+    ret->length = 0;
     ret->type = type;
+    ret->data = NULL;
+    ret->flags = 0;
     return (ret);
 }
 
-void asn1_string_embed_free(ASN1_STRING *a, int embed)
-{
-    if (a == NULL)
-        return;
-    if (!(a->flags & ASN1_STRING_FLAG_NDEF))
-        OPENSSL_free(a->data);
-    if (embed == 0)
-        OPENSSL_free(a);
-}
-
 void ASN1_STRING_free(ASN1_STRING *a)
 {
     if (a == NULL)
         return;
-    asn1_string_embed_free(a, a->flags & ASN1_STRING_FLAG_EMBED);
+    if (a->data && !(a->flags & ASN1_STRING_FLAG_NDEF))
+        OPENSSL_free(a->data);
+    OPENSSL_free(a);
 }
 
 void ASN1_STRING_clear_free(ASN1_STRING *a)
 {
-    if (a == NULL)
-        return;
-    if (a->data && !(a->flags & ASN1_STRING_FLAG_NDEF))
+    if (a && a->data && !(a->flags & ASN1_STRING_FLAG_NDEF))
         OPENSSL_cleanse(a->data, a->length);
     ASN1_STRING_free(a);
 }
@@ -356,29 +452,32 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
         return (i);
 }
 
-int ASN1_STRING_length(const ASN1_STRING *x)
+void asn1_add_error(const unsigned char *address, int offset)
 {
-    return x->length;
+    char buf1[DECIMAL_SIZE(address) + 1], buf2[DECIMAL_SIZE(offset) + 1];
+
+    BIO_snprintf(buf1, sizeof buf1, "%lu", (unsigned long)address);
+    BIO_snprintf(buf2, sizeof buf2, "%d", offset);
+    ERR_add_error_data(4, "address=", buf1, " offset=", buf2);
 }
 
-void ASN1_STRING_length_set(ASN1_STRING *x, int len)
+int ASN1_STRING_length(const ASN1_STRING *x)
 {
-    x->length = len;
+    return M_ASN1_STRING_length(x);
 }
 
-int ASN1_STRING_type(const ASN1_STRING *x)
+void ASN1_STRING_length_set(ASN1_STRING *x, int len)
 {
-    return x->type;
+    M_ASN1_STRING_length_set(x, len);
+    return;
 }
 
-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
+int ASN1_STRING_type(ASN1_STRING *x)
 {
-    return x->data;
+    return M_ASN1_STRING_type(x);
 }
 
-# if OPENSSL_API_COMPAT < 0x10100000L
 unsigned char *ASN1_STRING_data(ASN1_STRING *x)
 {
-    return x->data;
+    return M_ASN1_STRING_data(x);
 }
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_locl.h b/Cryptlib/OpenSSL/crypto/asn1/asn1_locl.h
index 5f597bd9..4c004fab 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn1_locl.h
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_locl.h
@@ -1,10 +1,60 @@
+/* asn1t.h */
 /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /* Internal ASN1 structures and functions: not for application use */
@@ -12,67 +62,74 @@
 int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
 int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
 
-/* ASN1 scan context structure */
+/* ASN1 print context structure */
 
-struct asn1_sctx_st {
-    /* The ASN1_ITEM associated with this field */
-    const ASN1_ITEM *it;
-    /* If ASN1_TEMPLATE associated with this field */
-    const ASN1_TEMPLATE *tt;
-    /* Various flags associated with field and context */
+struct asn1_pctx_st {
     unsigned long flags;
-    /* If SEQUENCE OF or SET OF, field index */
-    int skidx;
-    /* ASN1 depth of field */
-    int depth;
-    /* Structure and field name */
-    const char *sname, *fname;
-    /* If a primitive type the type of underlying field */
-    int prim_type;
-    /* The field value itself */
-    ASN1_VALUE **field;
-    /* Callback to pass information to */
-    int (*scan_cb) (ASN1_SCTX *ctx);
-    /* Context specific application data */
-    void *app_data;
-} /* ASN1_SCTX */ ;
-
-typedef struct mime_param_st MIME_PARAM;
-DEFINE_STACK_OF(MIME_PARAM)
-typedef struct mime_header_st MIME_HEADER;
-DEFINE_STACK_OF(MIME_HEADER)
-
-/* Month values for printing out times */
-extern const char *_asn1_mon[12];
-
-void asn1_string_embed_free(ASN1_STRING *a, int embed);
+    unsigned long nm_flags;
+    unsigned long cert_flags;
+    unsigned long oid_flags;
+    unsigned long str_flags;
+} /* ASN1_PCTX */ ;
 
-int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);
-int asn1_set_choice_selector(ASN1_VALUE **pval, int value,
-                             const ASN1_ITEM *it);
+/* ASN1 public key method structure */
 
-ASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+struct evp_pkey_asn1_method_st {
+    int pkey_id;
+    int pkey_base_id;
+    unsigned long pkey_flags;
+    char *pem_str;
+    char *info;
+    int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub);
+    int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
+    int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+    int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                      ASN1_PCTX *pctx);
+    int (*priv_decode) (EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf);
+    int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
+    int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                       ASN1_PCTX *pctx);
+    int (*pkey_size) (const EVP_PKEY *pk);
+    int (*pkey_bits) (const EVP_PKEY *pk);
+    int (*param_decode) (EVP_PKEY *pkey,
+                         const unsigned char **pder, int derlen);
+    int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+    int (*param_missing) (const EVP_PKEY *pk);
+    int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from);
+    int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+    int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                        ASN1_PCTX *pctx);
+    int (*sig_print) (BIO *out,
+                      const X509_ALGOR *sigalg, const ASN1_STRING *sig,
+                      int indent, ASN1_PCTX *pctx);
+    void (*pkey_free) (EVP_PKEY *pkey);
+    int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2);
+    /* Legacy functions for old PEM */
+    int (*old_priv_decode) (EVP_PKEY *pkey,
+                            const unsigned char **pder, int derlen);
+    int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+    /* Custom ASN1 signature verification */
+    int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                        X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey);
+    int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                      X509_ALGOR *alg1, X509_ALGOR *alg2,
+                      ASN1_BIT_STRING *sig);
+} /* EVP_PKEY_ASN1_METHOD */ ;
 
-const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
-                                 int nullerr);
-
-int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it);
-
-void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it);
-void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,
-                     const ASN1_ITEM *it);
-int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
-                  const ASN1_ITEM *it);
+/*
+ * Method to handle CRL access. In general a CRL could be very large (several
+ * Mb) and can consume large amounts of resources if stored in memory by
+ * multiple processes. This method allows general CRL operations to be
+ * redirected to more efficient callbacks: for example a CRL entry database.
+ */
 
-void asn1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed);
-void asn1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+#define X509_CRL_METHOD_DYNAMIC         1
 
-ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
-                             long length);
-int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp);
-ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
-                                     const unsigned char **pp, long length);
-int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp);
-ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
-                               long length);
+struct x509_crl_method_st {
+    int flags;
+    int (*crl_init) (X509_CRL *crl);
+    int (*crl_free) (X509_CRL *crl);
+    int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret,
+                       ASN1_INTEGER *ser, X509_NAME *issuer);
+    int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk);
+};
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c
index 4db3df9b..e85e3398 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn1_par.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/asn1_par.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/asn1.h>
@@ -76,19 +125,28 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
     ASN1_OBJECT *o = NULL;
     ASN1_OCTET_STRING *os = NULL;
     /* ASN1_BMPSTRING *bmp=NULL; */
-    int dump_indent, dump_cont = 0;
+    int dump_indent;
+
+#if 0
+    dump_indent = indent;
+#else
+    dump_indent = 6;            /* Because we know BIO_dump_indent() */
+#endif
 
     if (depth > ASN1_PARSE_MAXDEPTH) {
             BIO_puts(bp, "BAD RECURSION DEPTH\n");
             return 0;
     }
 
-    dump_indent = 6;            /* Because we know BIO_dump_indent() */
     p = *pp;
     tot = p + length;
-    while (length > 0) {
+    op = p - 1;
+    while ((p < tot) && (op < p)) {
         op = p;
         j = ASN1_get_object(&p, &len, &tag, &xclass, length);
+#ifdef LINT
+        j = j;
+#endif
         if (j & 0x80) {
             if (BIO_write(bp, "Error in encoding\n", 18) <= 0)
                 goto end;
@@ -115,7 +173,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
         if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
             goto end;
         if (j & V_ASN1_CONSTRUCTED) {
-            const unsigned char *sp = p;
+            const unsigned char *sp;
 
             ep = p + len;
             if (BIO_write(bp, "\n", 1) <= 0)
@@ -126,6 +184,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                 goto end;
             }
             if ((j == 0x21) && (len == 0)) {
+                sp = p;
                 for (;;) {
                     r = asn1_parse2(bp, &p, (long)(tot - p),
                                     offset + (p - *pp), depth + 1,
@@ -144,8 +203,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
 
                 while (p < ep) {
                     sp = p;
-                    r = asn1_parse2(bp, &p, tmp,
-                                    offset + (p - *pp), depth + 1,
+                    r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1,
                                     indent, dump);
                     if (r == 0) {
                         ret = 0;
@@ -179,18 +237,19 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                         goto end;
                     i2a_ASN1_OBJECT(bp, o);
                 } else {
-                    if (BIO_puts(bp, ":BAD OBJECT") <= 0)
+                    if (BIO_write(bp, ":BAD OBJECT", 11) <= 0)
                         goto end;
-                    dump_cont = 1;
                 }
             } else if (tag == V_ASN1_BOOLEAN) {
-                if (len != 1) {
-                    if (BIO_puts(bp, ":BAD BOOLEAN") <= 0)
+                int ii;
+
+                opp = op;
+                ii = d2i_ASN1_BOOLEAN(NULL, &opp, len + hl);
+                if (ii < 0) {
+                    if (BIO_write(bp, "Bad boolean\n", 12) <= 0)
                         goto end;
-                    dump_cont = 1;
                 }
-                if (len > 0)
-                    BIO_printf(bp, ":%u", p[0]);
+                BIO_printf(bp, ":%d", ii);
             } else if (tag == V_ASN1_BMPSTRING) {
                 /* do the BMP thang */
             } else if (tag == V_ASN1_OCTET_STRING) {
@@ -247,8 +306,10 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                         nl = 1;
                     }
                 }
-                ASN1_OCTET_STRING_free(os);
-                os = NULL;
+                if (os != NULL) {
+                    M_ASN1_OCTET_STRING_free(os);
+                    os = NULL;
+                }
             } else if (tag == V_ASN1_INTEGER) {
                 ASN1_INTEGER *bs;
                 int i;
@@ -270,11 +331,10 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                             goto end;
                     }
                 } else {
-                    if (BIO_puts(bp, ":BAD INTEGER") <= 0)
+                    if (BIO_write(bp, "BAD INTEGER", 11) <= 0)
                         goto end;
-                    dump_cont = 1;
                 }
-                ASN1_INTEGER_free(bs);
+                M_ASN1_INTEGER_free(bs);
             } else if (tag == V_ASN1_ENUMERATED) {
                 ASN1_ENUMERATED *bs;
                 int i;
@@ -296,11 +356,10 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                             goto end;
                     }
                 } else {
-                    if (BIO_puts(bp, ":BAD ENUMERATED") <= 0)
+                    if (BIO_write(bp, "BAD ENUMERATED", 14) <= 0)
                         goto end;
-                    dump_cont = 1;
                 }
-                ASN1_ENUMERATED_free(bs);
+                M_ASN1_ENUMERATED_free(bs);
             } else if (len > 0 && dump) {
                 if (!nl) {
                     if (BIO_write(bp, "\n", 1) <= 0)
@@ -312,18 +371,6 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                     goto end;
                 nl = 1;
             }
-            if (dump_cont) {
-                int i;
-                const unsigned char *tmp = op + hl;
-                if (BIO_puts(bp, ":[") <= 0)
-                    goto end;
-                for (i = 0; i < len; i++) {
-                    if (BIO_printf(bp, "%02X", tmp[i]) <= 0)
-                        goto end;
-                }
-                if (BIO_puts(bp, "]") <= 0)
-                    goto end;
-            }
 
             if (!nl) {
                 if (BIO_write(bp, "\n", 1) <= 0)
@@ -339,8 +386,10 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
     }
     ret = 1;
  end:
-    ASN1_OBJECT_free(o);
-    ASN1_OCTET_STRING_free(os);
+    if (o != NULL)
+        ASN1_OBJECT_free(o);
+    if (os != NULL)
+        M_ASN1_OCTET_STRING_free(os);
     *pp = p;
     return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c b/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c
index d7ec801b..017be9d9 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn_mime.c
@@ -1,21 +1,65 @@
+/* asn_mime.c */
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include "internal/evp_int.h"
-#include "internal/bio.h"
 #include "asn1_locl.h"
 
 /*
@@ -28,35 +72,41 @@
  * from parameter values. Quotes are stripped off
  */
 
-struct mime_param_st {
+typedef struct {
     char *param_name;           /* Param name e.g. "micalg" */
     char *param_value;          /* Param value e.g. "sha1" */
-};
+} MIME_PARAM;
 
-struct mime_header_st {
+DECLARE_STACK_OF(MIME_PARAM)
+IMPLEMENT_STACK_OF(MIME_PARAM)
+
+typedef struct {
     char *name;                 /* Name of line e.g. "content-type" */
     char *value;                /* Value of line e.g. "text/plain" */
     STACK_OF(MIME_PARAM) *params; /* Zero or more parameters */
-};
+} MIME_HEADER;
+
+DECLARE_STACK_OF(MIME_HEADER)
+IMPLEMENT_STACK_OF(MIME_HEADER)
 
 static int asn1_output_data(BIO *out, BIO *data, ASN1_VALUE *val, int flags,
                             const ASN1_ITEM *it);
 static char *strip_ends(char *name);
 static char *strip_start(char *name);
 static char *strip_end(char *name);
-static MIME_HEADER *mime_hdr_new(const char *name, const char *value);
-static int mime_hdr_addparam(MIME_HEADER *mhdr, const char *name, const char *value);
+static MIME_HEADER *mime_hdr_new(char *name, char *value);
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value);
 static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio);
 static int mime_hdr_cmp(const MIME_HEADER *const *a,
                         const MIME_HEADER *const *b);
 static int mime_param_cmp(const MIME_PARAM *const *a,
                           const MIME_PARAM *const *b);
 static void mime_param_free(MIME_PARAM *param);
-static int mime_bound_check(char *line, int linelen, const char *bound, int blen);
-static int multi_split(BIO *bio, const char *bound, STACK_OF(BIO) **ret);
-static int strip_eol(char *linebuf, int *plen, int flags);
-static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, const char *name);
-static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, const char *name);
+static int mime_bound_check(char *line, int linelen, char *bound, int blen);
+static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret);
+static int strip_eol(char *linebuf, int *plen);
+static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name);
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
 static void mime_hdr_free(MIME_HEADER *hdr);
 
 #define MAX_SMLEN 1024
@@ -101,7 +151,7 @@ static int B64_write_ASN1(BIO *out, ASN1_VALUE *val, BIO *in, int flags,
     BIO *b64;
     int r;
     b64 = BIO_new(BIO_f_base64());
-    if (b64 == NULL) {
+    if (!b64) {
         ASN1err(ASN1_F_B64_WRITE_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -132,8 +182,7 @@ static ASN1_VALUE *b64_read_asn1(BIO *bio, const ASN1_ITEM *it)
 {
     BIO *b64;
     ASN1_VALUE *val;
-
-    if ((b64 = BIO_new(BIO_f_base64())) == NULL) {
+    if (!(b64 = BIO_new(BIO_f_base64()))) {
         ASN1err(ASN1_F_B64_READ_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -142,7 +191,7 @@ static ASN1_VALUE *b64_read_asn1(BIO *bio, const ASN1_ITEM *it)
     if (!val)
         ASN1err(ASN1_F_B64_READ_ASN1, ASN1_R_DECODE_ERROR);
     (void)BIO_flush(bio);
-    BIO_pop(bio);
+    bio = BIO_pop(bio);
     BIO_free(b64);
     return val;
 }
@@ -197,6 +246,7 @@ static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs)
         case NID_id_GostR3411_94:
             BIO_puts(out, "gostr3411-94");
             goto err;
+            break;
 
         default:
             if (have_unknown)
@@ -320,7 +370,7 @@ static int asn1_output_data(BIO *out, BIO *data, ASN1_VALUE *val, int flags,
     int rv = 1;
 
     /*
-     * If data is not detached or resigning then the output BIO is already
+     * If data is not deteched or resigning then the output BIO is already
      * set up to finalise when it is written through.
      */
     if (!(flags & SMIME_DETACHED) || (flags & PKCS7_REUSE_DIGEST)) {
@@ -380,13 +430,12 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
     if (bcont)
         *bcont = NULL;
 
-    if ((headers = mime_parse_hdr(bio)) == NULL) {
+    if (!(headers = mime_parse_hdr(bio))) {
         ASN1err(ASN1_F_SMIME_READ_ASN1, ASN1_R_MIME_PARSE_ERROR);
         return NULL;
     }
 
-    if ((hdr = mime_hdr_find(headers, "content-type")) == NULL
-        || hdr->value == NULL) {
+    if (!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
         sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
         ASN1err(ASN1_F_SMIME_READ_ASN1, ASN1_R_NO_CONTENT_TYPE);
         return NULL;
@@ -394,7 +443,7 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
 
     /* Handle multipart/signed */
 
-    if (strcmp(hdr->value, "multipart/signed") == 0) {
+    if (!strcmp(hdr->value, "multipart/signed")) {
         /* Split into two parts */
         prm = mime_param_find(hdr, "boundary");
         if (!prm || !prm->param_value) {
@@ -413,7 +462,7 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
         /* Parse the signature piece */
         asnin = sk_BIO_value(parts, 1);
 
-        if ((headers = mime_parse_hdr(asnin)) == NULL) {
+        if (!(headers = mime_parse_hdr(asnin))) {
             ASN1err(ASN1_F_SMIME_READ_ASN1, ASN1_R_MIME_SIG_PARSE_ERROR);
             sk_BIO_pop_free(parts, BIO_vfree);
             return NULL;
@@ -421,8 +470,7 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
 
         /* Get content type */
 
-        if ((hdr = mime_hdr_find(headers, "content-type")) == NULL
-            || hdr->value == NULL) {
+        if (!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
             sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
             ASN1err(ASN1_F_SMIME_READ_ASN1, ASN1_R_NO_SIG_CONTENT_TYPE);
             return NULL;
@@ -438,7 +486,7 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
         }
         sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
         /* Read in ASN1 */
-        if ((val = b64_read_asn1(asnin, it)) == NULL) {
+        if (!(val = b64_read_asn1(asnin, it))) {
             ASN1err(ASN1_F_SMIME_READ_ASN1, ASN1_R_ASN1_SIG_PARSE_ERROR);
             sk_BIO_pop_free(parts, BIO_vfree);
             return NULL;
@@ -465,7 +513,7 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
 
     sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
 
-    if ((val = b64_read_asn1(bio, it)) == NULL) {
+    if (!(val = b64_read_asn1(bio, it))) {
         ASN1err(ASN1_F_SMIME_READ_ASN1, ASN1_R_ASN1_PARSE_ERROR);
         return NULL;
     }
@@ -485,32 +533,20 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
      * when streaming as we don't end up with one OCTET STRING per line.
      */
     bf = BIO_new(BIO_f_buffer());
-    if (bf == NULL)
+    if (!bf)
         return 0;
     out = BIO_push(bf, out);
     if (flags & SMIME_BINARY) {
         while ((len = BIO_read(in, linebuf, MAX_SMLEN)) > 0)
             BIO_write(out, linebuf, len);
     } else {
-        int eolcnt = 0;
         if (flags & SMIME_TEXT)
             BIO_printf(out, "Content-Type: text/plain\r\n\r\n");
         while ((len = BIO_gets(in, linebuf, MAX_SMLEN)) > 0) {
-            eol = strip_eol(linebuf, &len, flags);
-            if (len) {
-                /* Not EOF: write out all CRLF */
-                if (flags & SMIME_ASCIICRLF) {
-                    int i;
-                    for (i = 0; i < eolcnt; i++)
-                        BIO_write(out, "\r\n", 2);
-                    eolcnt = 0;
-                }
+            eol = strip_eol(linebuf, &len);
+            if (len)
                 BIO_write(out, linebuf, len);
-                if (eol)
-                    BIO_write(out, "\r\n", 2);
-            } else if (flags & SMIME_ASCIICRLF)
-                eolcnt++;
-            else if (eol)
+            if (eol)
                 BIO_write(out, "\r\n", 2);
         }
     }
@@ -528,12 +564,11 @@ int SMIME_text(BIO *in, BIO *out)
     STACK_OF(MIME_HEADER) *headers;
     MIME_HEADER *hdr;
 
-    if ((headers = mime_parse_hdr(in)) == NULL) {
+    if (!(headers = mime_parse_hdr(in))) {
         ASN1err(ASN1_F_SMIME_TEXT, ASN1_R_MIME_PARSE_ERROR);
         return 0;
     }
-    if ((hdr = mime_hdr_find(headers, "content-type")) == NULL
-        || hdr->value == NULL) {
+    if (!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
         ASN1err(ASN1_F_SMIME_TEXT, ASN1_R_MIME_NO_CONTENT_TYPE);
         sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
         return 0;
@@ -557,7 +592,7 @@ int SMIME_text(BIO *in, BIO *out)
  * canonical parts in a STACK of bios
  */
 
-static int multi_split(BIO *bio, const char *bound, STACK_OF(BIO) **ret)
+static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
 {
     char linebuf[MAX_SMLEN];
     int len, blen;
@@ -572,32 +607,24 @@ static int multi_split(BIO *bio, const char *bound, STACK_OF(BIO) **ret)
     first = 1;
     parts = sk_BIO_new_null();
     *ret = parts;
-    if (*ret == NULL)
-        return 0;
     while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
         state = mime_bound_check(linebuf, len, bound, blen);
         if (state == 1) {
             first = 1;
             part++;
         } else if (state == 2) {
-            if (!sk_BIO_push(parts, bpart)) {
-                BIO_free(bpart);
-                return 0;
-            }
+            sk_BIO_push(parts, bpart);
             return 1;
         } else if (part) {
             /* Strip CR+LF from linebuf */
-            next_eol = strip_eol(linebuf, &len, 0);
+            next_eol = strip_eol(linebuf, &len);
             if (first) {
                 first = 0;
                 if (bpart)
-                    if (!sk_BIO_push(parts, bpart)) {
-                        BIO_free(bpart);
-                        return 0;
-                    }
+                    sk_BIO_push(parts, bpart);
                 bpart = BIO_new(BIO_s_mem());
                 if (bpart == NULL)
-                    return 0;
+                    return 1;
                 BIO_set_mem_eof_return(bpart, 0);
             } else if (eol)
                 BIO_write(bpart, "\r\n", 2);
@@ -606,7 +633,6 @@ static int multi_split(BIO *bio, const char *bound, STACK_OF(BIO) **ret)
                 BIO_write(bpart, linebuf, len);
         }
     }
-    BIO_free(bpart);
     return 0;
 }
 
@@ -625,12 +651,12 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
     char *p, *q, c;
     char *ntmp;
     char linebuf[MAX_SMLEN];
-    MIME_HEADER *mhdr = NULL, *new_hdr = NULL;
+    MIME_HEADER *mhdr = NULL;
     STACK_OF(MIME_HEADER) *headers;
     int len, state, save_state = 0;
 
     headers = sk_MIME_HEADER_new(mime_hdr_cmp);
-    if (headers == NULL)
+    if (!headers)
         return NULL;
     while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
         /* If whitespace at line start then continuation line */
@@ -662,13 +688,8 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
                 if (c == ';') {
                     mime_debug("Found End Value\n");
                     *p = 0;
-                    new_hdr = mime_hdr_new(ntmp, strip_ends(q));
-                    if (new_hdr == NULL)
-                        goto err;
-                    if (!sk_MIME_HEADER_push(headers, new_hdr))
-                        goto err;
-                    mhdr = new_hdr;
-                    new_hdr = NULL;
+                    mhdr = mime_hdr_new(ntmp, strip_ends(q));
+                    sk_MIME_HEADER_push(headers, mhdr);
                     ntmp = NULL;
                     q = p + 1;
                     state = MIME_NAME;
@@ -719,13 +740,8 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
         }
 
         if (state == MIME_TYPE) {
-            new_hdr = mime_hdr_new(ntmp, strip_ends(q));
-            if (new_hdr == NULL)
-                goto err;
-            if (!sk_MIME_HEADER_push(headers, new_hdr))
-                goto err;
-            mhdr = new_hdr;
-            new_hdr = NULL;
+            mhdr = mime_hdr_new(ntmp, strip_ends(q));
+            sk_MIME_HEADER_push(headers, mhdr);
         } else if (state == MIME_VALUE)
             mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
         if (p == linebuf)
@@ -734,10 +750,6 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
 
     return headers;
 
-err:
-    mime_hdr_free(new_hdr);
-    sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-    return NULL;
 }
 
 static char *strip_ends(char *name)
@@ -787,14 +799,13 @@ static char *strip_end(char *name)
     return NULL;
 }
 
-static MIME_HEADER *mime_hdr_new(const char *name, const char *value)
+static MIME_HEADER *mime_hdr_new(char *name, char *value)
 {
-    MIME_HEADER *mhdr = NULL;
-    char *tmpname = NULL, *tmpval = NULL, *p;
+    MIME_HEADER *mhdr;
+    char *tmpname, *tmpval, *p;
     int c;
-
     if (name) {
-        if ((tmpname = OPENSSL_strdup(name)) == NULL)
+        if (!(tmpname = BUF_strdup(name)))
             return NULL;
         for (p = tmpname; *p; p++) {
             c = (unsigned char)*p;
@@ -803,10 +814,11 @@ static MIME_HEADER *mime_hdr_new(const char *name, const char *value)
                 *p = c;
             }
         }
-    }
+    } else
+        tmpname = NULL;
     if (value) {
-        if ((tmpval = OPENSSL_strdup(value)) == NULL)
-            goto err;
+        if (!(tmpval = BUF_strdup(value)))
+            return NULL;
         for (p = tmpval; *p; p++) {
             c = (unsigned char)*p;
             if (isupper(c)) {
@@ -814,32 +826,31 @@ static MIME_HEADER *mime_hdr_new(const char *name, const char *value)
                 *p = c;
             }
         }
-    }
-    mhdr = OPENSSL_malloc(sizeof(*mhdr));
-    if (mhdr == NULL)
-        goto err;
+    } else
+        tmpval = NULL;
+    mhdr = (MIME_HEADER *)OPENSSL_malloc(sizeof(MIME_HEADER));
+    if (!mhdr)
+        return NULL;
     mhdr->name = tmpname;
     mhdr->value = tmpval;
-    if ((mhdr->params = sk_MIME_PARAM_new(mime_param_cmp)) == NULL)
-        goto err;
+    if (!(mhdr->params = sk_MIME_PARAM_new(mime_param_cmp)))
+        return NULL;
     return mhdr;
-
- err:
-    OPENSSL_free(tmpname);
-    OPENSSL_free(tmpval);
-    OPENSSL_free(mhdr);
-    return NULL;
 }
 
-static int mime_hdr_addparam(MIME_HEADER *mhdr, const char *name, const char *value)
+static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
 {
-    char *tmpname = NULL, *tmpval = NULL, *p;
+    char *tmpname, *tmpval, *p;
     int c;
-    MIME_PARAM *mparam = NULL;
+    MIME_PARAM *mparam;
+
+    if (!mhdr)
+        return 0;
+
     if (name) {
-        tmpname = OPENSSL_strdup(name);
+        tmpname = BUF_strdup(name);
         if (!tmpname)
-            goto err;
+            return 0;
         for (p = tmpname; *p; p++) {
             c = (unsigned char)*p;
             if (isupper(c)) {
@@ -847,26 +858,22 @@ static int mime_hdr_addparam(MIME_HEADER *mhdr, const char *name, const char *va
                 *p = c;
             }
         }
-    }
+    } else
+        tmpname = NULL;
     if (value) {
-        tmpval = OPENSSL_strdup(value);
+        tmpval = BUF_strdup(value);
         if (!tmpval)
-            goto err;
-    }
+            return 0;
+    } else
+        tmpval = NULL;
     /* Parameter values are case sensitive so leave as is */
-    mparam = OPENSSL_malloc(sizeof(*mparam));
-    if (mparam == NULL)
-        goto err;
+    mparam = (MIME_PARAM *)OPENSSL_malloc(sizeof(MIME_PARAM));
+    if (!mparam)
+        return 0;
     mparam->param_name = tmpname;
     mparam->param_value = tmpval;
-    if (!sk_MIME_PARAM_push(mhdr->params, mparam))
-        goto err;
+    sk_MIME_PARAM_push(mhdr->params, mparam);
     return 1;
- err:
-    OPENSSL_free(tmpname);
-    OPENSSL_free(tmpval);
-    OPENSSL_free(mparam);
-    return 0;
 }
 
 static int mime_hdr_cmp(const MIME_HEADER *const *a,
@@ -888,28 +895,22 @@ static int mime_param_cmp(const MIME_PARAM *const *a,
 
 /* Find a header with a given name (if possible) */
 
-static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, const char *name)
+static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name)
 {
     MIME_HEADER htmp;
     int idx;
-
-    htmp.name = (char *)name;
-    htmp.value = NULL;
-    htmp.params = NULL;
-
+    htmp.name = name;
     idx = sk_MIME_HEADER_find(hdrs, &htmp);
     if (idx < 0)
         return NULL;
     return sk_MIME_HEADER_value(hdrs, idx);
 }
 
-static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, const char *name)
+static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name)
 {
     MIME_PARAM param;
     int idx;
-
-    param.param_name = (char *)name;
-    param.param_value = NULL;
+    param.param_name = name;
     idx = sk_MIME_PARAM_find(hdr->params, &param);
     if (idx < 0)
         return NULL;
@@ -918,10 +919,10 @@ static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, const char *name)
 
 static void mime_hdr_free(MIME_HEADER *hdr)
 {
-    if (hdr == NULL)
-        return;
-    OPENSSL_free(hdr->name);
-    OPENSSL_free(hdr->value);
+    if (hdr->name)
+        OPENSSL_free(hdr->name);
+    if (hdr->value)
+        OPENSSL_free(hdr->value);
     if (hdr->params)
         sk_MIME_PARAM_pop_free(hdr->params, mime_param_free);
     OPENSSL_free(hdr);
@@ -929,8 +930,10 @@ static void mime_hdr_free(MIME_HEADER *hdr)
 
 static void mime_param_free(MIME_PARAM *param)
 {
-    OPENSSL_free(param->param_name);
-    OPENSSL_free(param->param_value);
+    if (param->param_name)
+        OPENSSL_free(param->param_name);
+    if (param->param_value)
+        OPENSSL_free(param->param_value);
     OPENSSL_free(param);
 }
 
@@ -940,7 +943,7 @@ static void mime_param_free(MIME_PARAM *param)
  * 1 : part boundary
  * 2 : final boundary
  */
-static int mime_bound_check(char *line, int linelen, const char *bound, int blen)
+static int mime_bound_check(char *line, int linelen, char *bound, int blen)
 {
     if (linelen == -1)
         linelen = strlen(line);
@@ -950,9 +953,8 @@ static int mime_bound_check(char *line, int linelen, const char *bound, int blen
     if (blen + 2 > linelen)
         return 0;
     /* Check for part boundary */
-    if ((strncmp(line, "--", 2) == 0)
-        && strncmp(line + 2, bound, blen) == 0) {
-        if (strncmp(line + blen + 2, "--", 2) == 0)
+    if (!strncmp(line, "--", 2) && !strncmp(line + 2, bound, blen)) {
+        if (!strncmp(line + blen + 2, "--", 2))
             return 2;
         else
             return 1;
@@ -960,7 +962,7 @@ static int mime_bound_check(char *line, int linelen, const char *bound, int blen
     return 0;
 }
 
-static int strip_eol(char *linebuf, int *plen, int flags)
+static int strip_eol(char *linebuf, int *plen)
 {
     int len = *plen;
     char *p, c;
@@ -970,8 +972,6 @@ static int strip_eol(char *linebuf, int *plen, int flags)
         c = *p;
         if (c == '\n')
             is_eol = 1;
-        else if (is_eol && flags & SMIME_ASCIICRLF && c < 33)
-            continue;
         else if (c != '\r')
             break;
     }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c b/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c
index 8176b760..fab2dd92 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn_moid.c
@@ -1,24 +1,73 @@
+/* asn_moid.c */
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
+#include <openssl/dso.h>
 #include <openssl/x509.h>
-#include "internal/asn1_int.h"
-#include "internal/objects.h"
 
 /* Simple ASN1 OID module: add all objects in a given section */
 
-static int do_create(const char *value, const char *name);
+static int do_create(char *value, char *name);
 
 static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 {
@@ -26,9 +75,8 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
     const char *oid_section;
     STACK_OF(CONF_VALUE) *sktmp;
     CONF_VALUE *oval;
-
     oid_section = CONF_imodule_get_value(md);
-    if ((sktmp = NCONF_get_section(cnf, oid_section)) == NULL) {
+    if (!(sktmp = NCONF_get_section(cnf, oid_section))) {
         ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION);
         return 0;
     }
@@ -44,6 +92,7 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 
 static void oid_module_finish(CONF_IMODULE *md)
 {
+    OBJ_cleanup();
 }
 
 void ASN1_add_oid_module(void)
@@ -57,12 +106,11 @@ void ASN1_add_oid_module(void)
  * shortname = some long name, 1.2.3.4
  */
 
-static int do_create(const char *value, const char *name)
+static int do_create(char *value, char *name)
 {
     int nid;
     ASN1_OBJECT *oid;
-    const char *ln, *ostr, *p;
-    char *lntmp;
+    char *ln, *ostr, *p, *lntmp;
     p = strrchr(value, ',');
     if (!p) {
         ln = name;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_mstbl.c b/Cryptlib/OpenSSL/crypto/asn1/asn_mstbl.c
deleted file mode 100644
index 82609390..00000000
--- a/Cryptlib/OpenSSL/crypto/asn1/asn_mstbl.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <ctype.h>
-#include <openssl/crypto.h>
-#include "internal/cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-/* Multi string module: add table entries from a given section */
-
-static int do_tcreate(const char *value, const char *name);
-
-static int stbl_module_init(CONF_IMODULE *md, const CONF *cnf)
-{
-    int i;
-    const char *stbl_section;
-    STACK_OF(CONF_VALUE) *sktmp;
-    CONF_VALUE *mval;
-
-    stbl_section = CONF_imodule_get_value(md);
-    if ((sktmp = NCONF_get_section(cnf, stbl_section)) == NULL) {
-        ASN1err(ASN1_F_STBL_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION);
-        return 0;
-    }
-    for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
-        mval = sk_CONF_VALUE_value(sktmp, i);
-        if (!do_tcreate(mval->value, mval->name)) {
-            ASN1err(ASN1_F_STBL_MODULE_INIT, ASN1_R_INVALID_VALUE);
-            return 0;
-        }
-    }
-    return 1;
-}
-
-static void stbl_module_finish(CONF_IMODULE *md)
-{
-    ASN1_STRING_TABLE_cleanup();
-}
-
-void ASN1_add_stable_module(void)
-{
-    CONF_module_add("stbl_section", stbl_module_init, stbl_module_finish);
-}
-
-/*
- * Create an table entry based on a name value pair. format is oid_name =
- * n1:v1, n2:v2,... where name is "min", "max", "mask" or "flags".
- */
-
-static int do_tcreate(const char *value, const char *name)
-{
-    char *eptr;
-    int nid, i, rv = 0;
-    long tbl_min = -1, tbl_max = -1;
-    unsigned long tbl_mask = 0, tbl_flags = 0;
-    STACK_OF(CONF_VALUE) *lst = NULL;
-    CONF_VALUE *cnf = NULL;
-    nid = OBJ_sn2nid(name);
-    if (nid == NID_undef)
-        nid = OBJ_ln2nid(name);
-    if (nid == NID_undef)
-        goto err;
-    lst = X509V3_parse_list(value);
-    if (!lst)
-        goto err;
-    for (i = 0; i < sk_CONF_VALUE_num(lst); i++) {
-        cnf = sk_CONF_VALUE_value(lst, i);
-        if (strcmp(cnf->name, "min") == 0) {
-            tbl_min = strtoul(cnf->value, &eptr, 0);
-            if (*eptr)
-                goto err;
-        } else if (strcmp(cnf->name, "max") == 0) {
-            tbl_max = strtoul(cnf->value, &eptr, 0);
-            if (*eptr)
-                goto err;
-        } else if (strcmp(cnf->name, "mask") == 0) {
-            if (!ASN1_str2mask(cnf->value, &tbl_mask) || !tbl_mask)
-                goto err;
-        } else if (strcmp(cnf->name, "flags") == 0) {
-            if (strcmp(cnf->value, "nomask") == 0)
-                tbl_flags = STABLE_NO_MASK;
-            else if (strcmp(cnf->value, "none") == 0)
-                tbl_flags = STABLE_FLAGS_CLEAR;
-            else
-                goto err;
-        } else
-            goto err;
-    }
-    rv = 1;
- err:
-    if (rv == 0) {
-        ASN1err(ASN1_F_DO_TCREATE, ASN1_R_INVALID_STRING_TABLE_VALUE);
-        if (cnf)
-            ERR_add_error_data(4, "field=", cnf->name,
-                               ", value=", cnf->value);
-        else
-            ERR_add_error_data(4, "name=", name, ", value=", value);
-    } else {
-        rv = ASN1_STRING_TABLE_add(nid, tbl_min, tbl_max,
-                                   tbl_mask, tbl_flags);
-        if (!rv)
-            ASN1err(ASN1_F_DO_TCREATE, ERR_R_MALLOC_FAILURE);
-    }
-    sk_CONF_VALUE_pop_free(lst, X509V3_conf_free);
-    return rv;
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c b/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c
index 63bc3067..366caf01 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/asn_pack.c
@@ -1,62 +1,207 @@
+/* asn_pack.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 
+#ifndef NO_ASN1_OLD
+
 /* ASN1 packing and unpacking functions */
 
-ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
+/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
+
+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
+                                         d2i_of_void *d2i,
+                                         void (*free_func) (OPENSSL_BLOCK))
+{
+    STACK_OF(OPENSSL_BLOCK) *sk;
+    const unsigned char *pbuf;
+    pbuf = buf;
+    if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
+                            V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL)))
+        ASN1err(ASN1_F_ASN1_SEQ_UNPACK, ASN1_R_DECODE_ERROR);
+    return sk;
+}
+
+/*
+ * Turn a STACK structures into an ASN1 encoded SEQUENCE OF structure in a
+ * OPENSSL_malloc'ed buffer
+ */
+
+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
+                             unsigned char **buf, int *len)
+{
+    int safelen;
+    unsigned char *safe, *p;
+    if (!(safelen = i2d_ASN1_SET(safes, NULL, i2d, V_ASN1_SEQUENCE,
+                                 V_ASN1_UNIVERSAL, IS_SEQUENCE))) {
+        ASN1err(ASN1_F_ASN1_SEQ_PACK, ASN1_R_ENCODE_ERROR);
+        return NULL;
+    }
+    if (!(safe = OPENSSL_malloc(safelen))) {
+        ASN1err(ASN1_F_ASN1_SEQ_PACK, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    p = safe;
+    i2d_ASN1_SET(safes, &p, i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
+                 IS_SEQUENCE);
+    if (len)
+        *len = safelen;
+    if (buf)
+        *buf = safe;
+    return safe;
+}
+
+/* Extract an ASN1 object from an ASN1_STRING */
+
+void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i)
+{
+    const unsigned char *p;
+    char *ret;
+
+    p = oct->data;
+    if (!(ret = d2i(NULL, &p, oct->length)))
+        ASN1err(ASN1_F_ASN1_UNPACK_STRING, ASN1_R_DECODE_ERROR);
+    return ret;
+}
+
+/* Pack an ASN1 object into an ASN1_STRING */
+
+ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct)
 {
+    unsigned char *p;
     ASN1_STRING *octmp;
 
-     if (oct == NULL || *oct == NULL) {
-        if ((octmp = ASN1_STRING_new()) == NULL) {
-            ASN1err(ASN1_F_ASN1_ITEM_PACK, ERR_R_MALLOC_FAILURE);
+    if (!oct || !*oct) {
+        if (!(octmp = ASN1_STRING_new())) {
+            ASN1err(ASN1_F_ASN1_PACK_STRING, ERR_R_MALLOC_FAILURE);
             return NULL;
         }
-    } else {
+        if (oct)
+            *oct = octmp;
+    } else
         octmp = *oct;
-    }
-
-    OPENSSL_free(octmp->data);
-    octmp->data = NULL;
 
-    if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) == 0) {
-        ASN1err(ASN1_F_ASN1_ITEM_PACK, ASN1_R_ENCODE_ERROR);
+    if (!(octmp->length = i2d(obj, NULL))) {
+        ASN1err(ASN1_F_ASN1_PACK_STRING, ASN1_R_ENCODE_ERROR);
         goto err;
     }
-    if (octmp->data == NULL) {
-        ASN1err(ASN1_F_ASN1_ITEM_PACK, ERR_R_MALLOC_FAILURE);
+    if (!(p = OPENSSL_malloc(octmp->length))) {
+        ASN1err(ASN1_F_ASN1_PACK_STRING, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-
-    if (oct != NULL && *oct == NULL)
-        *oct = octmp;
-
+    octmp->data = p;
+    i2d(obj, &p);
     return octmp;
  err:
-    if (oct == NULL || *oct == NULL)
+    if (!oct || !*oct) {
         ASN1_STRING_free(octmp);
+        if (oct)
+            *oct = NULL;
+    }
     return NULL;
 }
 
+#endif
+
+/* ASN1_ITEM versions of the above */
+
+ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
+{
+    ASN1_STRING *octmp;
+
+    if (!oct || !*oct) {
+        if (!(octmp = ASN1_STRING_new())) {
+            ASN1err(ASN1_F_ASN1_ITEM_PACK, ERR_R_MALLOC_FAILURE);
+            return NULL;
+        }
+        if (oct)
+            *oct = octmp;
+    } else
+        octmp = *oct;
+
+    if (octmp->data) {
+        OPENSSL_free(octmp->data);
+        octmp->data = NULL;
+    }
+
+    if (!(octmp->length = ASN1_item_i2d(obj, &octmp->data, it))) {
+        ASN1err(ASN1_F_ASN1_ITEM_PACK, ASN1_R_ENCODE_ERROR);
+        return NULL;
+    }
+    if (!octmp->data) {
+        ASN1err(ASN1_F_ASN1_ITEM_PACK, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    return octmp;
+}
+
 /* Extract an ASN1 object from an ASN1_STRING */
 
-void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it)
+void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)
 {
     const unsigned char *p;
     void *ret;
 
     p = oct->data;
-    if ((ret = ASN1_item_d2i(NULL, &p, oct->length, it)) == NULL)
+    if (!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
         ASN1err(ASN1_F_ASN1_ITEM_UNPACK, ASN1_R_DECODE_ERROR);
     return ret;
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/bio_asn1.c b/Cryptlib/OpenSSL/crypto/asn1/bio_asn1.c
index 400effa1..c3afff69 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/bio_asn1.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/bio_asn1.c
@@ -1,10 +1,60 @@
+/* bio_asn1.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -14,7 +64,7 @@
  */
 
 #include <string.h>
-#include <internal/bio.h>
+#include <openssl/bio.h>
 #include <openssl/asn1.h>
 
 /* Must be large enough for biggest tag+length */
@@ -75,7 +125,7 @@ static int asn1_bio_setup_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
                              asn1_bio_state_t ex_state,
                              asn1_bio_state_t other_state);
 
-static const BIO_METHOD methods_asn1 = {
+static BIO_METHOD methods_asn1 = {
     BIO_TYPE_ASN1,
     "asn1",
     asn1_bio_write,
@@ -88,55 +138,59 @@ static const BIO_METHOD methods_asn1 = {
     asn1_bio_callback_ctrl,
 };
 
-const BIO_METHOD *BIO_f_asn1(void)
+BIO_METHOD *BIO_f_asn1(void)
 {
     return (&methods_asn1);
 }
 
 static int asn1_bio_new(BIO *b)
 {
-    BIO_ASN1_BUF_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    if (ctx == NULL)
+    BIO_ASN1_BUF_CTX *ctx;
+    ctx = OPENSSL_malloc(sizeof(BIO_ASN1_BUF_CTX));
+    if (!ctx)
         return 0;
     if (!asn1_bio_init(ctx, DEFAULT_ASN1_BUF_SIZE)) {
         OPENSSL_free(ctx);
         return 0;
     }
-    BIO_set_data(b, ctx);
-    BIO_set_init(b, 1);
-
+    b->init = 1;
+    b->ptr = (char *)ctx;
+    b->flags = 0;
     return 1;
 }
 
 static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)
 {
     ctx->buf = OPENSSL_malloc(size);
-    if (ctx->buf == NULL)
+    if (!ctx->buf)
         return 0;
     ctx->bufsize = size;
+    ctx->bufpos = 0;
+    ctx->buflen = 0;
+    ctx->copylen = 0;
     ctx->asn1_class = V_ASN1_UNIVERSAL;
     ctx->asn1_tag = V_ASN1_OCTET_STRING;
+    ctx->ex_buf = NULL;
+    ctx->ex_len = 0;
+    ctx->ex_pos = 0;
     ctx->state = ASN1_STATE_START;
+    ctx->prefix = ctx->prefix_free = ctx->suffix = ctx->suffix_free = NULL;
+    ctx->ex_arg = NULL;
     return 1;
 }
 
 static int asn1_bio_free(BIO *b)
 {
     BIO_ASN1_BUF_CTX *ctx;
-
-    if (b == NULL)
-        return 0;
-
-    ctx = BIO_get_data(b);
+    ctx = (BIO_ASN1_BUF_CTX *)b->ptr;
     if (ctx == NULL)
         return 0;
-
-    OPENSSL_free(ctx->buf);
+    if (ctx->buf)
+        OPENSSL_free(ctx->buf);
     OPENSSL_free(ctx);
-    BIO_set_data(b, NULL);
-    BIO_set_init(b, 0);
-
+    b->init = 0;
+    b->ptr = NULL;
+    b->flags = 0;
     return 1;
 }
 
@@ -145,11 +199,10 @@ static int asn1_bio_write(BIO *b, const char *in, int inl)
     BIO_ASN1_BUF_CTX *ctx;
     int wrmax, wrlen, ret;
     unsigned char *p;
-    BIO *next;
-
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
-    if (in == NULL || inl < 0 || ctx == NULL || next == NULL)
+    if (!in || (inl < 0) || (b->next_bio == NULL))
+        return 0;
+    ctx = (BIO_ASN1_BUF_CTX *)b->ptr;
+    if (ctx == NULL)
         return 0;
 
     wrlen = 0;
@@ -187,7 +240,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl)
             break;
 
         case ASN1_STATE_HEADER_COPY:
-            ret = BIO_write(next, ctx->buf + ctx->bufpos, ctx->buflen);
+            ret = BIO_write(b->next_bio, ctx->buf + ctx->bufpos, ctx->buflen);
             if (ret <= 0)
                 goto done;
 
@@ -207,7 +260,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl)
                 wrmax = ctx->copylen;
             else
                 wrmax = inl;
-            ret = BIO_write(next, in, wrmax);
+            ret = BIO_write(b->next_bio, in, wrmax);
             if (ret <= 0)
                 break;
             wrlen += ret;
@@ -243,11 +296,10 @@ static int asn1_bio_flush_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
                              asn1_ps_func *cleanup, asn1_bio_state_t next)
 {
     int ret;
-
     if (ctx->ex_len <= 0)
         return 1;
     for (;;) {
-        ret = BIO_write(BIO_next(b), ctx->ex_buf + ctx->ex_pos, ctx->ex_len);
+        ret = BIO_write(b->next_bio, ctx->ex_buf + ctx->ex_pos, ctx->ex_len);
         if (ret <= 0)
             break;
         ctx->ex_len -= ret;
@@ -282,10 +334,9 @@ static int asn1_bio_setup_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
 
 static int asn1_bio_read(BIO *b, char *in, int inl)
 {
-    BIO *next = BIO_next(b);
-    if (next == NULL)
+    if (!b->next_bio)
         return 0;
-    return BIO_read(next, in, inl);
+    return BIO_read(b->next_bio, in, inl);
 }
 
 static int asn1_bio_puts(BIO *b, const char *str)
@@ -295,18 +346,16 @@ static int asn1_bio_puts(BIO *b, const char *str)
 
 static int asn1_bio_gets(BIO *b, char *str, int size)
 {
-    BIO *next = BIO_next(b);
-    if (next == NULL)
+    if (!b->next_bio)
         return 0;
-    return BIO_gets(next, str, size);
+    return BIO_gets(b->next_bio, str, size);
 }
 
 static long asn1_bio_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 {
-    BIO *next = BIO_next(b);
-    if (next == NULL)
-        return 0;
-    return BIO_callback_ctrl(next, cmd, fp);
+    if (b->next_bio == NULL)
+        return (0);
+    return BIO_callback_ctrl(b->next_bio, cmd, fp);
 }
 
 static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
@@ -314,12 +363,9 @@ static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
     BIO_ASN1_BUF_CTX *ctx;
     BIO_ASN1_EX_FUNCS *ex_func;
     long ret = 1;
-    BIO *next;
-
-    ctx = BIO_get_data(b);
+    ctx = (BIO_ASN1_BUF_CTX *)b->ptr;
     if (ctx == NULL)
         return 0;
-    next = BIO_next(b);
     switch (cmd) {
 
     case BIO_C_SET_PREFIX:
@@ -355,7 +401,7 @@ static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
         break;
 
     case BIO_CTRL_FLUSH:
-        if (next == NULL)
+        if (!b->next_bio)
             return 0;
 
         /* Call post function if possible */
@@ -373,16 +419,17 @@ static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
         }
 
         if (ctx->state == ASN1_STATE_DONE)
-            return BIO_ctrl(next, cmd, arg1, arg2);
+            return BIO_ctrl(b->next_bio, cmd, arg1, arg2);
         else {
             BIO_clear_retry_flags(b);
             return 0;
         }
+        break;
 
     default:
-        if (next == NULL)
+        if (!b->next_bio)
             return 0;
-        return BIO_ctrl(next, cmd, arg1, arg2);
+        return BIO_ctrl(b->next_bio, cmd, arg1, arg2);
 
     }
 
diff --git a/Cryptlib/OpenSSL/crypto/asn1/bio_ndef.c b/Cryptlib/OpenSSL/crypto/asn1/bio_ndef.c
index 0f206b24..8d704663 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/bio_ndef.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/bio_ndef.c
@@ -1,10 +1,56 @@
+/* bio_ndef.c */
 /*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/asn1.h>
@@ -19,7 +65,7 @@
 /*
  * The usage is quite simple, initialize an ASN1 structure, get a BIO from it
  * then any data written through the BIO will end up translated to
- * appropriate format on the fly. The data is streamed out and does *not*
+ * approptiate format on the fly. The data is streamed out and does *not*
  * need to be all held in memory at once. When the BIO is flushed the output
  * is finalized and any signatures etc written out. The BIO is a 'proper'
  * BIO and can handle non blocking I/O correctly. The usage is simple. The
@@ -60,21 +106,21 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
         return NULL;
     }
-    ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux));
+    ndef_aux = OPENSSL_malloc(sizeof(NDEF_SUPPORT));
     asn_bio = BIO_new(BIO_f_asn1());
-    if (ndef_aux == NULL || asn_bio == NULL)
-        goto err;
 
     /* ASN1 bio needs to be next to output BIO */
+
     out = BIO_push(asn_bio, out);
-    if (out == NULL)
+
+    if (!ndef_aux || !asn_bio || !out)
         goto err;
 
     BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
     BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
 
     /*
-     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+     * Now let callback prepend any digest, cipher etc BIOs ASN1 structure
      * needs.
      */
 
@@ -90,14 +136,17 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
     ndef_aux->ndef_bio = sarg.ndef_bio;
     ndef_aux->boundary = sarg.boundary;
     ndef_aux->out = out;
+    ndef_aux->derbuf = NULL;
 
     BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
 
     return sarg.ndef_bio;
 
  err:
-    BIO_free(asn_bio);
-    OPENSSL_free(ndef_aux);
+    if (asn_bio)
+        BIO_free(asn_bio);
+    if (ndef_aux)
+        OPENSSL_free(ndef_aux);
     return NULL;
 }
 
@@ -114,7 +163,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
 
     derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
     p = OPENSSL_malloc(derlen);
-    if (p == NULL)
+    if (!p)
         return 0;
 
     ndef_aux->derbuf = p;
@@ -139,7 +188,8 @@ static int ndef_prefix_free(BIO *b, unsigned char **pbuf, int *plen,
 
     ndef_aux = *(NDEF_SUPPORT **)parg;
 
-    OPENSSL_free(ndef_aux->derbuf);
+    if (ndef_aux->derbuf)
+        OPENSSL_free(ndef_aux->derbuf);
 
     ndef_aux->derbuf = NULL;
     *pbuf = NULL;
@@ -183,7 +233,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
 
     derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
     p = OPENSSL_malloc(derlen);
-    if (p == NULL)
+    if (!p)
         return 0;
 
     ndef_aux->derbuf = p;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/charmap.h b/Cryptlib/OpenSSL/crypto/asn1/charmap.h
index 2a75925c..3305ad14 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/charmap.h
+++ b/Cryptlib/OpenSSL/crypto/asn1/charmap.h
@@ -1,34 +1,15 @@
 /*
- * WARNING: do not edit!
- * Generated by crypto/asn1/charmap.pl
- *
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Auto generated with chartype.pl script. Mask of various character
+ * properties
  */
 
-#define CHARTYPE_HOST_ANY 4096
-#define CHARTYPE_HOST_DOT 8192
-#define CHARTYPE_HOST_HYPHEN 16384
-#define CHARTYPE_HOST_WILD 32768
-
-/*
- * Mask of various character properties
- */
-
-static const unsigned short char_type[] = {
-    1026,    2,    2,    2,    2,    2,    2,    2,    2,    2,    2,    2,
-       2,    2,    2,    2,    2,    2,    2,    2,    2,    2,    2,    2,
-       2,    2,    2,    2,    2,    2,    2,    2,  120,    0,    1,   40,
-       0,    0,    0,   16, 1040, 1040, 33792,   25,   25, 16400, 8208,   16,
-    4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112,   16,    9,
-       9,   16,    9,   16,    0, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
-    4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
-    4112, 4112, 4112, 4112, 4112, 4112, 4112,    0, 1025,    0,    0,    0,
-       0, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
-    4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
-    4112, 4112, 4112,    0,    0,    0,    0,    2
+static const unsigned char char_type[] = {
+    2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+    2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+    120, 0, 1, 40, 0, 0, 0, 16, 16, 16, 0, 25, 25, 16, 16, 16,
+    16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 9, 9, 16, 9, 16,
+    0, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16,
+    16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 0, 1, 0, 0, 0,
+    0, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16,
+    16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 0, 0, 0, 0, 2
 };
diff --git a/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c b/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c
index e311b909..86dcf5fb 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/d2i_pr.c
@@ -1,22 +1,72 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/d2i_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/engine.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
+#include "asn1_locl.h"
 
 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
                          long length)
@@ -32,8 +82,10 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
     } else {
         ret = *a;
 #ifndef OPENSSL_NO_ENGINE
-        ENGINE_finish(ret->engine);
-        ret->engine = NULL;
+        if (ret->engine) {
+            ENGINE_finish(ret->engine);
+            ret->engine = NULL;
+        }
 #endif
     }
 
@@ -66,7 +118,7 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
         (*a) = ret;
     return (ret);
  err:
-    if (a == NULL || *a != ret)
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
         EVP_PKEY_free(ret);
     return (NULL);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c b/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c
index dfdc1a6c..33542dd1 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/d2i_pu.c
@@ -1,23 +1,76 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/d2i_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/asn1.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/ec.h>
-
-#include "internal/evp_int.h"
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_EC
+# include <openssl/ec.h>
+#endif
 
 EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
                         long length)
@@ -40,7 +93,10 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
     switch (EVP_PKEY_id(ret)) {
 #ifndef OPENSSL_NO_RSA
     case EVP_PKEY_RSA:
-        if ((ret->pkey.rsa = d2i_RSAPublicKey(NULL, pp, length)) == NULL) {
+        /* TMP UGLY CAST */
+        if ((ret->pkey.rsa = d2i_RSAPublicKey(NULL,
+                                              (const unsigned char **)pp,
+                                              length)) == NULL) {
             ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
             goto err;
         }
@@ -49,7 +105,8 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
 #ifndef OPENSSL_NO_DSA
     case EVP_PKEY_DSA:
         /* TMP UGLY CAST */
-        if (!d2i_DSAPublicKey(&ret->pkey.dsa, pp, length)) {
+        if (!d2i_DSAPublicKey(&(ret->pkey.dsa),
+                              (const unsigned char **)pp, length)) {
             ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
             goto err;
         }
@@ -57,7 +114,8 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_EC
     case EVP_PKEY_EC:
-        if (!o2i_ECPublicKey(&ret->pkey.ec, pp, length)) {
+        if (!o2i_ECPublicKey(&(ret->pkey.ec),
+                             (const unsigned char **)pp, length)) {
             ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
             goto err;
         }
@@ -72,7 +130,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
         (*a) = ret;
     return (ret);
  err:
-    if (a == NULL || *a != ret)
+    if ((ret != NULL) && ((a == NULL) || (*a != ret)))
         EVP_PKEY_free(ret);
     return (NULL);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c b/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c
index a458367e..5876afa5 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/evp_asn1.c
@@ -1,25 +1,74 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/evp_asn1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
-#include <openssl/asn1t.h>
+#include <openssl/asn1_mac.h>
 
 int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len)
 {
     ASN1_STRING *os;
 
-    if ((os = ASN1_OCTET_STRING_new()) == NULL)
+    if ((os = M_ASN1_OCTET_STRING_new()) == NULL)
         return (0);
-    if (!ASN1_OCTET_STRING_set(os, data, len)) {
-        ASN1_OCTET_STRING_free(os);
+    if (!M_ASN1_OCTET_STRING_set(os, data, len)) {
+        M_ASN1_OCTET_STRING_free(os);
         return 0;
     }
     ASN1_TYPE_set(a, V_ASN1_OCTET_STRING, os);
@@ -27,17 +76,17 @@ int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len)
 }
 
 /* int max_len:  for returned value    */
-int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len)
+int ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data, int max_len)
 {
     int ret, num;
-    const unsigned char *p;
+    unsigned char *p;
 
     if ((a->type != V_ASN1_OCTET_STRING) || (a->value.octet_string == NULL)) {
         ASN1err(ASN1_F_ASN1_TYPE_GET_OCTETSTRING, ASN1_R_DATA_IS_WRONG);
         return (-1);
     }
-    p = ASN1_STRING_get0_data(a->value.octet_string);
-    ret = ASN1_STRING_length(a->value.octet_string);
+    p = M_ASN1_STRING_data(a->value.octet_string);
+    ret = M_ASN1_STRING_length(a->value.octet_string);
     if (ret < max_len)
         num = ret;
     else
@@ -46,70 +95,101 @@ int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_l
     return (ret);
 }
 
-typedef struct {
-    long num;
-    ASN1_OCTET_STRING *oct;
-} asn1_int_oct;
-
-ASN1_SEQUENCE(asn1_int_oct) = {
-        ASN1_SIMPLE(asn1_int_oct, num, LONG),
-        ASN1_SIMPLE(asn1_int_oct, oct, ASN1_OCTET_STRING)
-} static_ASN1_SEQUENCE_END(asn1_int_oct)
-
-DECLARE_ASN1_ITEM(asn1_int_oct)
-
 int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
                                   int len)
 {
-    asn1_int_oct atmp;
-    ASN1_OCTET_STRING oct;
-
-    atmp.num = num;
-    atmp.oct = &oct;
-    oct.data = data;
-    oct.type = V_ASN1_OCTET_STRING;
-    oct.length = len;
-    oct.flags = 0;
-
-    if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(asn1_int_oct), &atmp, &a))
-        return 1;
-    return 0;
+    int n, size;
+    ASN1_OCTET_STRING os, *osp;
+    ASN1_INTEGER in;
+    unsigned char *p;
+    unsigned char buf[32];      /* when they have 256bit longs, I'll be in
+                                 * trouble */
+    in.data = buf;
+    in.length = 32;
+    os.data = data;
+    os.type = V_ASN1_OCTET_STRING;
+    os.length = len;
+    ASN1_INTEGER_set(&in, num);
+    n = i2d_ASN1_INTEGER(&in, NULL);
+    n += M_i2d_ASN1_OCTET_STRING(&os, NULL);
+
+    size = ASN1_object_size(1, n, V_ASN1_SEQUENCE);
+
+    if ((osp = ASN1_STRING_new()) == NULL)
+        return (0);
+    /* Grow the 'string' */
+    if (!ASN1_STRING_set(osp, NULL, size)) {
+        ASN1_STRING_free(osp);
+        return (0);
+    }
+
+    M_ASN1_STRING_length_set(osp, size);
+    p = M_ASN1_STRING_data(osp);
+
+    ASN1_put_object(&p, 1, n, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+    i2d_ASN1_INTEGER(&in, &p);
+    M_i2d_ASN1_OCTET_STRING(&os, &p);
+
+    ASN1_TYPE_set(a, V_ASN1_SEQUENCE, osp);
+    return (1);
 }
 
 /*
- * we return the actual length...
+ * we return the actual length..., num may be missing, in which case, set it
+ * to zero
  */
 /* int max_len:  for returned value    */
-int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
+int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num,
                                   unsigned char *data, int max_len)
 {
-    asn1_int_oct *atmp = NULL;
     int ret = -1, n;
+    ASN1_INTEGER *ai = NULL;
+    ASN1_OCTET_STRING *os = NULL;
+    const unsigned char *p;
+    long length;
+    ASN1_const_CTX c;
 
     if ((a->type != V_ASN1_SEQUENCE) || (a->value.sequence == NULL)) {
         goto err;
     }
+    p = M_ASN1_STRING_data(a->value.sequence);
+    length = M_ASN1_STRING_length(a->value.sequence);
 
-    atmp = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(asn1_int_oct), a);
+    c.pp = &p;
+    c.p = p;
+    c.max = p + length;
+    c.error = ASN1_R_DATA_IS_WRONG;
 
-    if (atmp == NULL)
+    M_ASN1_D2I_start_sequence();
+    c.q = c.p;
+    if ((ai = d2i_ASN1_INTEGER(NULL, &c.p, c.slen)) == NULL)
+        goto err;
+    c.slen -= (c.p - c.q);
+    c.q = c.p;
+    if ((os = d2i_ASN1_OCTET_STRING(NULL, &c.p, c.slen)) == NULL)
+        goto err;
+    c.slen -= (c.p - c.q);
+    if (!M_ASN1_D2I_end_sequence())
         goto err;
 
     if (num != NULL)
-        *num = atmp->num;
+        *num = ASN1_INTEGER_get(ai);
 
-    ret = ASN1_STRING_length(atmp->oct);
+    ret = M_ASN1_STRING_length(os);
     if (max_len > ret)
         n = ret;
     else
         n = max_len;
 
     if (data != NULL)
-        memcpy(data, ASN1_STRING_get0_data(atmp->oct), n);
-    if (ret == -1) {
+        memcpy(data, M_ASN1_STRING_data(os), n);
+    if (0) {
  err:
         ASN1err(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING, ASN1_R_DATA_IS_WRONG);
     }
-    M_ASN1_free_of(atmp, asn1_int_oct);
-    return ret;
+    if (os != NULL)
+        M_ASN1_OCTET_STRING_free(os);
+    if (ai != NULL)
+        M_ASN1_INTEGER_free(ai);
+    return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_enum.c b/Cryptlib/OpenSSL/crypto/asn1/f_enum.c
new file mode 100644
index 00000000..94cd54db
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/f_enum.c
@@ -0,0 +1,203 @@
+/* crypto/asn1/f_enum.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+
+/* Based on a_int.c: equivalent ENUMERATED functions */
+
+int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a)
+{
+    int i, n = 0;
+    static const char *h = "0123456789ABCDEF";
+    char buf[2];
+
+    if (a == NULL)
+        return (0);
+
+    if (a->length == 0) {
+        if (BIO_write(bp, "00", 2) != 2)
+            goto err;
+        n = 2;
+    } else {
+        for (i = 0; i < a->length; i++) {
+            if ((i != 0) && (i % 35 == 0)) {
+                if (BIO_write(bp, "\\\n", 2) != 2)
+                    goto err;
+                n += 2;
+            }
+            buf[0] = h[((unsigned char)a->data[i] >> 4) & 0x0f];
+            buf[1] = h[((unsigned char)a->data[i]) & 0x0f];
+            if (BIO_write(bp, buf, 2) != 2)
+                goto err;
+            n += 2;
+        }
+    }
+    return (n);
+ err:
+    return (-1);
+}
+
+int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
+{
+    int ret = 0;
+    int i, j, k, m, n, again, bufsize;
+    unsigned char *s = NULL, *sp;
+    unsigned char *bufp;
+    int num = 0, slen = 0, first = 1;
+
+    bs->type = V_ASN1_ENUMERATED;
+
+    bufsize = BIO_gets(bp, buf, size);
+    for (;;) {
+        if (bufsize < 1)
+            goto err_sl;
+        i = bufsize;
+        if (buf[i - 1] == '\n')
+            buf[--i] = '\0';
+        if (i == 0)
+            goto err_sl;
+        if (buf[i - 1] == '\r')
+            buf[--i] = '\0';
+        if (i == 0)
+            goto err_sl;
+        again = (buf[i - 1] == '\\');
+
+        for (j = 0; j < i; j++) {
+            if (!(((buf[j] >= '0') && (buf[j] <= '9')) ||
+                  ((buf[j] >= 'a') && (buf[j] <= 'f')) ||
+                  ((buf[j] >= 'A') && (buf[j] <= 'F')))) {
+                i = j;
+                break;
+            }
+        }
+        buf[i] = '\0';
+        /*
+         * We have now cleared all the crap off the end of the line
+         */
+        if (i < 2)
+            goto err_sl;
+
+        bufp = (unsigned char *)buf;
+        if (first) {
+            first = 0;
+            if ((bufp[0] == '0') && (buf[1] == '0')) {
+                bufp += 2;
+                i -= 2;
+            }
+        }
+        k = 0;
+        i -= again;
+        if (i % 2 != 0) {
+            ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ASN1_R_ODD_NUMBER_OF_CHARS);
+            goto err;
+        }
+        i /= 2;
+        if (num + i > slen) {
+            if (s == NULL)
+                sp = (unsigned char *)OPENSSL_malloc((unsigned int)num +
+                                                     i * 2);
+            else
+                sp = (unsigned char *)OPENSSL_realloc(s,
+                                                      (unsigned int)num +
+                                                      i * 2);
+            if (sp == NULL) {
+                ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
+                goto err;
+            }
+            s = sp;
+            slen = num + i * 2;
+        }
+        for (j = 0; j < i; j++, k += 2) {
+            for (n = 0; n < 2; n++) {
+                m = bufp[k + n];
+                if ((m >= '0') && (m <= '9'))
+                    m -= '0';
+                else if ((m >= 'a') && (m <= 'f'))
+                    m = m - 'a' + 10;
+                else if ((m >= 'A') && (m <= 'F'))
+                    m = m - 'A' + 10;
+                else {
+                    ASN1err(ASN1_F_A2I_ASN1_ENUMERATED,
+                            ASN1_R_NON_HEX_CHARACTERS);
+                    goto err;
+                }
+                s[num + j] <<= 4;
+                s[num + j] |= m;
+            }
+        }
+        num += i;
+        if (again)
+            bufsize = BIO_gets(bp, buf, size);
+        else
+            break;
+    }
+    bs->length = num;
+    bs->data = s;
+    ret = 1;
+ err:
+    if (0) {
+ err_sl:
+        ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ASN1_R_SHORT_LINE);
+    }
+    if (ret != 1)
+        OPENSSL_free(s);
+    return (ret);
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_int.c b/Cryptlib/OpenSSL/crypto/asn1/f_int.c
index 51fc884b..2bdc78d7 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/f_int.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/f_int.c
@@ -1,19 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/f_int.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1.h>
 
-int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a)
+int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";
@@ -53,6 +101,7 @@ int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a)
 
 int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
 {
+    int ret = 0;
     int i, j, k, m, n, again, bufsize;
     unsigned char *s = NULL, *sp;
     unsigned char *bufp;
@@ -63,16 +112,16 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
     bufsize = BIO_gets(bp, buf, size);
     for (;;) {
         if (bufsize < 1)
-            goto err;
+            goto err_sl;
         i = bufsize;
         if (buf[i - 1] == '\n')
             buf[--i] = '\0';
         if (i == 0)
-            goto err;
+            goto err_sl;
         if (buf[i - 1] == '\r')
             buf[--i] = '\0';
         if (i == 0)
-            goto err;
+            goto err_sl;
         again = (buf[i - 1] == '\\');
 
         for (j = 0; j < i; j++) {
@@ -98,7 +147,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
          * We have now cleared all the crap off the end of the line
          */
         if (i < 2)
-            goto err;
+            goto err_sl;
 
         bufp = (unsigned char *)buf;
         if (first) {
@@ -112,24 +161,32 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
         i -= again;
         if (i % 2 != 0) {
             ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_ODD_NUMBER_OF_CHARS);
-            OPENSSL_free(s);
-            return 0;
+            goto err;
         }
         i /= 2;
         if (num + i > slen) {
-            sp = OPENSSL_clear_realloc(s, slen, num + i * 2);
+            if (s == NULL)
+                sp = (unsigned char *)OPENSSL_malloc((unsigned int)num +
+                                                     i * 2);
+            else
+                sp = OPENSSL_realloc_clean(s, slen, num + i * 2);
             if (sp == NULL) {
                 ASN1err(ASN1_F_A2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
-                OPENSSL_free(s);
-                return 0;
+                goto err;
             }
             s = sp;
             slen = num + i * 2;
         }
         for (j = 0; j < i; j++, k += 2) {
             for (n = 0; n < 2; n++) {
-                m = OPENSSL_hexchar2int(bufp[k + n]);
-                if (m < 0) {
+                m = bufp[k + n];
+                if ((m >= '0') && (m <= '9'))
+                    m -= '0';
+                else if ((m >= 'a') && (m <= 'f'))
+                    m = m - 'a' + 10;
+                else if ((m >= 'A') && (m <= 'F'))
+                    m = m - 'A' + 10;
+                else {
                     ASN1err(ASN1_F_A2I_ASN1_INTEGER,
                             ASN1_R_NON_HEX_CHARACTERS);
                     goto err;
@@ -146,22 +203,13 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
     }
     bs->length = num;
     bs->data = s;
-    return 1;
+    ret = 1;
  err:
-    ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_SHORT_LINE);
-    OPENSSL_free(s);
-    return 0;
-}
-
-int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a)
-{
-    return i2a_ASN1_INTEGER(bp, a);
-}
-
-int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
-{
-    int rv = a2i_ASN1_INTEGER(bp, bs, buf, size);
-    if (rv == 1)
-        bs->type = V_ASN1_INTEGER | (bs->type & V_ASN1_NEG);
-    return rv;
+    if (0) {
+ err_sl:
+        ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_SHORT_LINE);
+    }
+    if (ret != 1)
+        OPENSSL_free(s);
+    return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/f_string.c b/Cryptlib/OpenSSL/crypto/asn1/f_string.c
index b9258bba..0f7b9cfb 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/f_string.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/f_string.c
@@ -1,19 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/f_string.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1.h>
 
-int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type)
+int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type)
 {
     int i, n = 0;
     static const char *h = "0123456789ABCDEF";
@@ -47,7 +95,8 @@ int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type)
 
 int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
 {
-    int i, j, k, m, n, again, bufsize, spec_char;
+    int ret = 0;
+    int i, j, k, m, n, again, bufsize;
     unsigned char *s = NULL, *sp;
     unsigned char *bufp;
     int num = 0, slen = 0, first = 1;
@@ -58,7 +107,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
             if (first)
                 break;
             else
-                goto err;
+                goto err_sl;
         }
         first = 0;
 
@@ -66,27 +115,27 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
         if (buf[i - 1] == '\n')
             buf[--i] = '\0';
         if (i == 0)
-            goto err;
+            goto err_sl;
         if (buf[i - 1] == '\r')
             buf[--i] = '\0';
         if (i == 0)
-            goto err;
+            goto err_sl;
         again = (buf[i - 1] == '\\');
 
         for (j = i - 1; j > 0; j--) {
 #ifndef CHARSET_EBCDIC
-            spec_char = (!(((buf[j] >= '0') && (buf[j] <= '9')) ||
+            if (!(((buf[j] >= '0') && (buf[j] <= '9')) ||
                   ((buf[j] >= 'a') && (buf[j] <= 'f')) ||
-                  ((buf[j] >= 'A') && (buf[j] <= 'F'))));
+                  ((buf[j] >= 'A') && (buf[j] <= 'F'))))
 #else
             /*
              * This #ifdef is not strictly necessary, since the characters
              * A...F a...f 0...9 are contiguous (yes, even in EBCDIC - but
              * not the whole alphabet). Nevertheless, isxdigit() is faster.
              */
-            spec_char = (!isxdigit(buf[j]));
+            if (!isxdigit(buf[j]))
 #endif
-            if (spec_char) {
+            {
                 i = j;
                 break;
             }
@@ -96,7 +145,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
          * We have now cleared all the crap off the end of the line
          */
         if (i < 2)
-            goto err;
+            goto err_sl;
 
         bufp = (unsigned char *)buf;
 
@@ -104,28 +153,37 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
         i -= again;
         if (i % 2 != 0) {
             ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_ODD_NUMBER_OF_CHARS);
-            OPENSSL_free(s);
-            return 0;
+            goto err;
         }
         i /= 2;
         if (num + i > slen) {
-            sp = OPENSSL_realloc(s, (unsigned int)num + i * 2);
+            if (s == NULL)
+                sp = (unsigned char *)OPENSSL_malloc((unsigned int)num +
+                                                     i * 2);
+            else
+                sp = (unsigned char *)OPENSSL_realloc(s,
+                                                      (unsigned int)num +
+                                                      i * 2);
             if (sp == NULL) {
                 ASN1err(ASN1_F_A2I_ASN1_STRING, ERR_R_MALLOC_FAILURE);
-                OPENSSL_free(s);
-                return 0;
+                goto err;
             }
             s = sp;
             slen = num + i * 2;
         }
         for (j = 0; j < i; j++, k += 2) {
             for (n = 0; n < 2; n++) {
-                m = OPENSSL_hexchar2int(bufp[k + n]);
-                if (m < 0) {
+                m = bufp[k + n];
+                if ((m >= '0') && (m <= '9'))
+                    m -= '0';
+                else if ((m >= 'a') && (m <= 'f'))
+                    m = m - 'a' + 10;
+                else if ((m >= 'A') && (m <= 'F'))
+                    m = m - 'A' + 10;
+                else {
                     ASN1err(ASN1_F_A2I_ASN1_STRING,
                             ASN1_R_NON_HEX_CHARACTERS);
-                    OPENSSL_free(s);
-                    return 0;
+                    goto err;
                 }
                 s[num + j] <<= 4;
                 s[num + j] |= m;
@@ -139,10 +197,13 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
     }
     bs->length = num;
     bs->data = s;
-    return 1;
-
+    ret = 1;
  err:
-    ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_SHORT_LINE);
-    OPENSSL_free(s);
-    return 0;
+    if (0) {
+ err_sl:
+        ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_SHORT_LINE);
+    }
+    if (ret != 1)
+        OPENSSL_free(s);
+    return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c b/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c
index 445b0c84..12966ec5 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/i2d_pr.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/i2d_pr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
+#include "asn1_locl.h"
 
 int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 {
diff --git a/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c b/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c
index 8986c43c..b8ed3554 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/i2d_pu.c
@@ -1,38 +1,93 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/i2d_pu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/ec.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_EC
+# include <openssl/ec.h>
+#endif
 
 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 {
-    switch (EVP_PKEY_id(a)) {
+    switch (a->type) {
 #ifndef OPENSSL_NO_RSA
     case EVP_PKEY_RSA:
-        return i2d_RSAPublicKey(EVP_PKEY_get0_RSA(a), pp);
+        return (i2d_RSAPublicKey(a->pkey.rsa, pp));
 #endif
 #ifndef OPENSSL_NO_DSA
     case EVP_PKEY_DSA:
-        return i2d_DSAPublicKey(EVP_PKEY_get0_DSA(a), pp);
+        return (i2d_DSAPublicKey(a->pkey.dsa, pp));
 #endif
 #ifndef OPENSSL_NO_EC
     case EVP_PKEY_EC:
-        return i2o_ECPublicKey(EVP_PKEY_get0_EC_KEY(a), pp);
+        return (i2o_ECPublicKey(a->pkey.ec, pp));
 #endif
     default:
         ASN1err(ASN1_F_I2D_PUBLICKEY, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
-        return -1;
+        return (-1);
     }
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c
index 267ce601..bede55c8 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/n_pkey.c
@@ -1,22 +1,68 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/n_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "openssl/opensslconf.h"
-#ifdef OPENSSL_NO_RSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include "internal/cryptlib.h"
-# include <stdio.h>
+#include <stdio.h>
+#include "cryptlib.h"
+#ifndef OPENSSL_NO_RSA
 # include <openssl/rsa.h>
 # include <openssl/objects.h>
 # include <openssl/asn1t.h>
+# include <openssl/asn1_mac.h>
 # include <openssl/evp.h>
 # include <openssl/x509.h>
 
@@ -41,7 +87,7 @@ typedef struct netscape_encrypted_pkey_st {
 ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = {
         ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, os, ASN1_OCTET_STRING),
         ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG)
-} static_ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY)
+} ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY)
 
 DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
 DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY,NETSCAPE_ENCRYPTED_PKEY)
@@ -51,12 +97,258 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = {
         ASN1_SIMPLE(NETSCAPE_PKEY, version, LONG),
         ASN1_SIMPLE(NETSCAPE_PKEY, algor, X509_ALGOR),
         ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING)
-} static_ASN1_SEQUENCE_END(NETSCAPE_PKEY)
+} ASN1_SEQUENCE_END(NETSCAPE_PKEY)
 
 DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
 DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
 
+static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
+                          int (*cb) (char *buf, int len, const char *prompt,
+                                     int verify), int sgckey);
+
+int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
+                     int (*cb) (char *buf, int len, const char *prompt,
+                                int verify))
+{
+    return i2d_RSA_NET(a, pp, cb, 0);
+}
+
+int i2d_RSA_NET(const RSA *a, unsigned char **pp,
+                int (*cb) (char *buf, int len, const char *prompt,
+                           int verify), int sgckey)
+{
+    int i, j, ret = 0;
+    int rsalen, pkeylen, olen;
+    NETSCAPE_PKEY *pkey = NULL;
+    NETSCAPE_ENCRYPTED_PKEY *enckey = NULL;
+    unsigned char buf[256], *zz;
+    unsigned char key[EVP_MAX_KEY_LENGTH];
+    EVP_CIPHER_CTX ctx;
+    EVP_CIPHER_CTX_init(&ctx);
+
+    if (a == NULL)
+        return (0);
+
+    if ((pkey = NETSCAPE_PKEY_new()) == NULL)
+        goto err;
+    if ((enckey = NETSCAPE_ENCRYPTED_PKEY_new()) == NULL)
+        goto err;
+    pkey->version = 0;
+
+    pkey->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
+    if ((pkey->algor->parameter = ASN1_TYPE_new()) == NULL)
+        goto err;
+    pkey->algor->parameter->type = V_ASN1_NULL;
+
+    rsalen = i2d_RSAPrivateKey(a, NULL);
+
+    /*
+     * Fake some octet strings just for the initial length calculation.
+     */
+
+    pkey->private_key->length = rsalen;
+
+    pkeylen = i2d_NETSCAPE_PKEY(pkey, NULL);
+
+    enckey->enckey->digest->length = pkeylen;
+
+    enckey->os->length = 11;    /* "private-key" */
+
+    enckey->enckey->algor->algorithm = OBJ_nid2obj(NID_rc4);
+    if ((enckey->enckey->algor->parameter = ASN1_TYPE_new()) == NULL)
+        goto err;
+    enckey->enckey->algor->parameter->type = V_ASN1_NULL;
+
+    if (pp == NULL) {
+        olen = i2d_NETSCAPE_ENCRYPTED_PKEY(enckey, NULL);
+        NETSCAPE_PKEY_free(pkey);
+        NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+        return olen;
+    }
+
+    /* Since its RC4 encrypted length is actual length */
+    if ((zz = (unsigned char *)OPENSSL_malloc(rsalen)) == NULL) {
+        ASN1err(ASN1_F_I2D_RSA_NET, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    pkey->private_key->data = zz;
+    /* Write out private key encoding */
+    i2d_RSAPrivateKey(a, &zz);
+
+    if ((zz = OPENSSL_malloc(pkeylen)) == NULL) {
+        ASN1err(ASN1_F_I2D_RSA_NET, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (!ASN1_STRING_set(enckey->os, "private-key", -1)) {
+        ASN1err(ASN1_F_I2D_RSA_NET, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+    enckey->enckey->digest->data = zz;
+    i2d_NETSCAPE_PKEY(pkey, &zz);
+
+    /* Wipe the private key encoding */
+    OPENSSL_cleanse(pkey->private_key->data, rsalen);
+
+    if (cb == NULL)
+#ifndef OPENSSL_NO_UI
+        cb = EVP_read_pw_string;
+#else
+        i = 1;
+    else
+#endif
+    i = cb((char *)buf, 256, "Enter Private Key password:", 1);
+    if (i != 0) {
+        ASN1err(ASN1_F_I2D_RSA_NET, ASN1_R_BAD_PASSWORD_READ);
+        goto err;
+    }
+    i = strlen((char *)buf);
+    /* If the key is used for SGC the algorithm is modified a little. */
+    if (sgckey) {
+        if (!EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL))
+            goto err;
+        memcpy(buf + 16, "SGCKEYSALT", 10);
+        i = 26;
+    }
+
+    if (!EVP_BytesToKey(EVP_rc4(), EVP_md5(), NULL, buf, i, 1, key, NULL))
+        goto err;
+    OPENSSL_cleanse(buf, 256);
+
+    /* Encrypt private key in place */
+    zz = enckey->enckey->digest->data;
+    if (!EVP_EncryptInit_ex(&ctx, EVP_rc4(), NULL, key, NULL))
+        goto err;
+    if (!EVP_EncryptUpdate(&ctx, zz, &i, zz, pkeylen))
+        goto err;
+    if (!EVP_EncryptFinal_ex(&ctx, zz + i, &j))
+        goto err;
+
+    ret = i2d_NETSCAPE_ENCRYPTED_PKEY(enckey, pp);
+ err:
+    EVP_CIPHER_CTX_cleanup(&ctx);
+    NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+    NETSCAPE_PKEY_free(pkey);
+    return (ret);
+}
+
+RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
+                      int (*cb) (char *buf, int len, const char *prompt,
+                                 int verify))
+{
+    return d2i_RSA_NET(a, pp, length, cb, 0);
+}
+
+RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
+                 int (*cb) (char *buf, int len, const char *prompt,
+                            int verify), int sgckey)
+{
+    RSA *ret = NULL;
+    const unsigned char *p;
+    NETSCAPE_ENCRYPTED_PKEY *enckey = NULL;
+
+    p = *pp;
+
+    enckey = d2i_NETSCAPE_ENCRYPTED_PKEY(NULL, &p, length);
+    if (!enckey) {
+        ASN1err(ASN1_F_D2I_RSA_NET, ASN1_R_DECODING_ERROR);
+        return NULL;
+    }
+
+    if ((enckey->os->length != 11) || (strncmp("private-key",
+                                               (char *)enckey->os->data,
+                                               11) != 0)) {
+        ASN1err(ASN1_F_D2I_RSA_NET, ASN1_R_PRIVATE_KEY_HEADER_MISSING);
+        NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+        return NULL;
+    }
+    if (OBJ_obj2nid(enckey->enckey->algor->algorithm) != NID_rc4) {
+        ASN1err(ASN1_F_D2I_RSA_NET, ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
+        goto err;
+    }
+    if (cb == NULL)
+#ifndef OPENSSL_NO_UI
+        cb = EVP_read_pw_string;
+#else
+        goto err;
+#endif
+    if ((ret = d2i_RSA_NET_2(a, enckey->enckey->digest, cb, sgckey)) == NULL)
+        goto err;
+
+    *pp = p;
+
+ err:
+    NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+    return ret;
+
+}
+
+static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
+                          int (*cb) (char *buf, int len, const char *prompt,
+                                     int verify), int sgckey)
+{
+    NETSCAPE_PKEY *pkey = NULL;
+    RSA *ret = NULL;
+    int i, j;
+    unsigned char buf[256];
+    const unsigned char *zz;
+    unsigned char key[EVP_MAX_KEY_LENGTH];
+    EVP_CIPHER_CTX ctx;
+    EVP_CIPHER_CTX_init(&ctx);
+
+    i = cb((char *)buf, 256, "Enter Private Key password:", 0);
+    if (i != 0) {
+        ASN1err(ASN1_F_D2I_RSA_NET_2, ASN1_R_BAD_PASSWORD_READ);
+        goto err;
+    }
+
+    i = strlen((char *)buf);
+    if (sgckey) {
+        if (!EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL))
+            goto err;
+        memcpy(buf + 16, "SGCKEYSALT", 10);
+        i = 26;
+    }
+
+    if (!EVP_BytesToKey(EVP_rc4(), EVP_md5(), NULL, buf, i, 1, key, NULL))
+        goto err;
+    OPENSSL_cleanse(buf, 256);
+
+    if (!EVP_DecryptInit_ex(&ctx, EVP_rc4(), NULL, key, NULL))
+        goto err;
+    if (!EVP_DecryptUpdate(&ctx, os->data, &i, os->data, os->length))
+        goto err;
+    if (!EVP_DecryptFinal_ex(&ctx, &(os->data[i]), &j))
+        goto err;
+    os->length = i + j;
+
+    zz = os->data;
+
+    if ((pkey = d2i_NETSCAPE_PKEY(NULL, &zz, os->length)) == NULL) {
+        ASN1err(ASN1_F_D2I_RSA_NET_2,
+                ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY);
+        goto err;
+    }
+
+    zz = pkey->private_key->data;
+    if ((ret = d2i_RSAPrivateKey(a, &zz, pkey->private_key->length)) == NULL) {
+        ASN1err(ASN1_F_D2I_RSA_NET_2, ASN1_R_UNABLE_TO_DECODE_RSA_KEY);
+        goto err;
+    }
+ err:
+    EVP_CIPHER_CTX_cleanup(&ctx);
+    NETSCAPE_PKEY_free(pkey);
+    return (ret);
+}
+
 # endif                         /* OPENSSL_NO_RC4 */
 
+#else                           /* !OPENSSL_NO_RSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/asn1/nsseq.c b/Cryptlib/OpenSSL/crypto/asn1/nsseq.c
index c7baf40d..f2f7cba4 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/nsseq.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/nsseq.c
@@ -1,10 +1,60 @@
+/* nsseq.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
diff --git a/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c b/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c
index ab7e1689..e2a1def5 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/p5_pbe.c
@@ -1,14 +1,64 @@
+/* p5_pbe.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/rand.h>
@@ -29,10 +79,10 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
 {
     PBEPARAM *pbe = NULL;
     ASN1_STRING *pbe_str = NULL;
-    unsigned char *sstr = NULL;
+    unsigned char *sstr;
 
     pbe = PBEPARAM_new();
-    if (pbe == NULL) {
+    if (!pbe) {
         ASN1err(ASN1_F_PKCS5_PBE_SET0_ALGOR, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -44,20 +94,16 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
     }
     if (!saltlen)
         saltlen = PKCS5_SALT_LEN;
-
-    sstr = OPENSSL_malloc(saltlen);
-    if (sstr == NULL) {
+    if (!ASN1_STRING_set(pbe->salt, NULL, saltlen)) {
         ASN1err(ASN1_F_PKCS5_PBE_SET0_ALGOR, ERR_R_MALLOC_FAILURE);
         goto err;
     }
+    sstr = ASN1_STRING_data(pbe->salt);
     if (salt)
         memcpy(sstr, salt, saltlen);
     else if (RAND_bytes(sstr, saltlen) <= 0)
         goto err;
 
-    ASN1_STRING_set0(pbe->salt, sstr, saltlen);
-    sstr = NULL;
-
     if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) {
         ASN1err(ASN1_F_PKCS5_PBE_SET0_ALGOR, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -70,9 +116,10 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
         return 1;
 
  err:
-    OPENSSL_free(sstr);
-    PBEPARAM_free(pbe);
-    ASN1_STRING_free(pbe_str);
+    if (pbe != NULL)
+        PBEPARAM_free(pbe);
+    if (pbe_str != NULL)
+        ASN1_STRING_free(pbe_str);
     return 0;
 }
 
@@ -83,7 +130,7 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter,
 {
     X509_ALGOR *ret;
     ret = X509_ALGOR_new();
-    if (ret == NULL) {
+    if (!ret) {
         ASN1err(ASN1_F_PKCS5_PBE_SET, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c b/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c
index 14e8700b..4c037d3d 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/p5_pbev2.c
@@ -1,14 +1,64 @@
+/* p5_pbev2.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999-2004.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/rand.h>
@@ -43,7 +93,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
 {
     X509_ALGOR *scheme = NULL, *ret = NULL;
     int alg_nid, keylen;
-    EVP_CIPHER_CTX *ctx = NULL;
+    EVP_CIPHER_CTX ctx;
     unsigned char iv[EVP_MAX_IV_LENGTH];
     PBE2PARAM *pbe2 = NULL;
 
@@ -54,13 +104,14 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
         goto err;
     }
 
-    if ((pbe2 = PBE2PARAM_new()) == NULL)
+    if (!(pbe2 = PBE2PARAM_new()))
         goto merr;
 
     /* Setup the AlgorithmIdentifier for the encryption scheme */
     scheme = pbe2->encryption;
+
     scheme->algorithm = OBJ_nid2obj(alg_nid);
-    if ((scheme->parameter = ASN1_TYPE_new()) == NULL)
+    if (!(scheme->parameter = ASN1_TYPE_new()))
         goto merr;
 
     /* Create random IV */
@@ -71,15 +122,14 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
             goto err;
     }
 
-    ctx = EVP_CIPHER_CTX_new();
-    if (ctx == NULL)
-        goto merr;
+    EVP_CIPHER_CTX_init(&ctx);
 
     /* Dummy cipherinit to just setup the IV, and PRF */
-    if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0))
+    if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0))
         goto err;
-    if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) {
+    if (EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
         ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+        EVP_CIPHER_CTX_cleanup(&ctx);
         goto err;
     }
     /*
@@ -87,12 +137,11 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
      * here: just means use default PRF.
      */
     if ((prf_nid == -1) &&
-        EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
+        EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
         ERR_clear_error();
-        prf_nid = NID_hmacWithSHA256;
+        prf_nid = NID_hmacWithSHA1;
     }
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = NULL;
+    EVP_CIPHER_CTX_cleanup(&ctx);
 
     /* If its RC2 then we'd better setup the key length */
 
@@ -112,16 +161,19 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
 
     /* Now set up top level AlgorithmIdentifier */
 
-    if ((ret = X509_ALGOR_new()) == NULL)
+    if (!(ret = X509_ALGOR_new()))
+        goto merr;
+    if (!(ret->parameter = ASN1_TYPE_new()))
         goto merr;
 
     ret->algorithm = OBJ_nid2obj(NID_pbes2);
 
     /* Encode PBE2PARAM into parameter */
 
-    if (!ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBE2PARAM), pbe2,
-                                 &ret->parameter))
+    if (!ASN1_item_pack(pbe2, ASN1_ITEM_rptr(PBE2PARAM),
+                        &ret->parameter->value.sequence))
          goto merr;
+    ret->parameter->type = V_ASN1_SEQUENCE;
 
     PBE2PARAM_free(pbe2);
     pbe2 = NULL;
@@ -132,7 +184,6 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
     ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ERR_R_MALLOC_FAILURE);
 
  err:
-    EVP_CIPHER_CTX_free(ctx);
     PBE2PARAM_free(pbe2);
     /* Note 'scheme' is freed as part of pbe2 */
     X509_ALGOR_free(ret);
@@ -153,17 +204,17 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
     PBKDF2PARAM *kdf = NULL;
     ASN1_OCTET_STRING *osalt = NULL;
 
-    if ((kdf = PBKDF2PARAM_new()) == NULL)
+    if (!(kdf = PBKDF2PARAM_new()))
         goto merr;
-    if ((osalt = ASN1_OCTET_STRING_new()) == NULL)
+    if (!(osalt = M_ASN1_OCTET_STRING_new()))
         goto merr;
 
     kdf->salt->value.octet_string = osalt;
     kdf->salt->type = V_ASN1_OCTET_STRING;
 
-    if (saltlen == 0)
+    if (!saltlen)
         saltlen = PKCS5_SALT_LEN;
-    if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL)
+    if (!(osalt->data = OPENSSL_malloc(saltlen)))
         goto merr;
 
     osalt->length = saltlen;
@@ -182,7 +233,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
     /* If have a key len set it up */
 
     if (keylen > 0) {
-        if ((kdf->keylength = ASN1_INTEGER_new()) == NULL)
+        if (!(kdf->keylength = M_ASN1_INTEGER_new()))
             goto merr;
         if (!ASN1_INTEGER_set(kdf->keylength, keylen))
             goto merr;
@@ -191,7 +242,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
     /* prf can stay NULL if we are using hmacWithSHA1 */
     if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1) {
         kdf->prf = X509_ALGOR_new();
-        if (kdf->prf == NULL)
+        if (!kdf->prf)
             goto merr;
         X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid), V_ASN1_NULL, NULL);
     }
@@ -199,16 +250,20 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
     /* Finally setup the keyfunc structure */
 
     keyfunc = X509_ALGOR_new();
-    if (keyfunc == NULL)
+    if (!keyfunc)
         goto merr;
 
     keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
 
     /* Encode PBKDF2PARAM into parameter of pbe2 */
 
-    if (!ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBKDF2PARAM), kdf,
-                                 &keyfunc->parameter))
+    if (!(keyfunc->parameter = ASN1_TYPE_new()))
+        goto merr;
+
+    if (!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
+                        &keyfunc->parameter->value.sequence))
          goto merr;
+    keyfunc->parameter->type = V_ASN1_SEQUENCE;
 
     PBKDF2PARAM_free(kdf);
     return keyfunc;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/p5_scrypt.c b/Cryptlib/OpenSSL/crypto/asn1/p5_scrypt.c
deleted file mode 100644
index 4cb78374..00000000
--- a/Cryptlib/OpenSSL/crypto/asn1/p5_scrypt.c
+++ /dev/null
@@ -1,283 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/rand.h>
-
-#ifndef OPENSSL_NO_SCRYPT
-/* PKCS#5 scrypt password based encryption structures */
-
-typedef struct {
-    ASN1_OCTET_STRING *salt;
-    ASN1_INTEGER *costParameter;
-    ASN1_INTEGER *blockSize;
-    ASN1_INTEGER *parallelizationParameter;
-    ASN1_INTEGER *keyLength;
-} SCRYPT_PARAMS;
-
-ASN1_SEQUENCE(SCRYPT_PARAMS) = {
-        ASN1_SIMPLE(SCRYPT_PARAMS, salt, ASN1_OCTET_STRING),
-        ASN1_SIMPLE(SCRYPT_PARAMS, costParameter, ASN1_INTEGER),
-        ASN1_SIMPLE(SCRYPT_PARAMS, blockSize, ASN1_INTEGER),
-        ASN1_SIMPLE(SCRYPT_PARAMS, parallelizationParameter, ASN1_INTEGER),
-        ASN1_OPT(SCRYPT_PARAMS, keyLength, ASN1_INTEGER),
-} static_ASN1_SEQUENCE_END(SCRYPT_PARAMS)
-
-DECLARE_ASN1_ALLOC_FUNCTIONS(SCRYPT_PARAMS)
-IMPLEMENT_ASN1_ALLOC_FUNCTIONS(SCRYPT_PARAMS)
-
-static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
-                                    size_t keylen, uint64_t N, uint64_t r,
-                                    uint64_t p);
-
-/*
- * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm using scrypt
- */
-
-X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
-                                  const unsigned char *salt, int saltlen,
-                                  unsigned char *aiv, uint64_t N, uint64_t r,
-                                  uint64_t p)
-{
-    X509_ALGOR *scheme = NULL, *ret = NULL;
-    int alg_nid;
-    size_t keylen = 0;
-    EVP_CIPHER_CTX *ctx = NULL;
-    unsigned char iv[EVP_MAX_IV_LENGTH];
-    PBE2PARAM *pbe2 = NULL;
-
-    if (!cipher) {
-        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_PASSED_NULL_PARAMETER);
-        goto err;
-    }
-
-    if (EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
-        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
-                ASN1_R_INVALID_SCRYPT_PARAMETERS);
-        goto err;
-    }
-
-    alg_nid = EVP_CIPHER_type(cipher);
-    if (alg_nid == NID_undef) {
-        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
-                ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
-        goto err;
-    }
-
-    pbe2 = PBE2PARAM_new();
-    if (pbe2 == NULL)
-        goto merr;
-
-    /* Setup the AlgorithmIdentifier for the encryption scheme */
-    scheme = pbe2->encryption;
-
-    scheme->algorithm = OBJ_nid2obj(alg_nid);
-    scheme->parameter = ASN1_TYPE_new();
-    if (scheme->parameter == NULL)
-        goto merr;
-
-    /* Create random IV */
-    if (EVP_CIPHER_iv_length(cipher)) {
-        if (aiv)
-            memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
-        else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
-            goto err;
-    }
-
-    ctx = EVP_CIPHER_CTX_new();
-    if (ctx == NULL)
-        goto merr;
-
-    /* Dummy cipherinit to just setup the IV */
-    if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0)
-        goto err;
-    if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) {
-        ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
-                ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
-        goto err;
-    }
-    EVP_CIPHER_CTX_free(ctx);
-    ctx = NULL;
-
-    /* If its RC2 then we'd better setup the key length */
-
-    if (alg_nid == NID_rc2_cbc)
-        keylen = EVP_CIPHER_key_length(cipher);
-
-    /* Setup keyfunc */
-
-    X509_ALGOR_free(pbe2->keyfunc);
-
-    pbe2->keyfunc = pkcs5_scrypt_set(salt, saltlen, keylen, N, r, p);
-
-    if (pbe2->keyfunc == NULL)
-        goto merr;
-
-    /* Now set up top level AlgorithmIdentifier */
-
-    ret = X509_ALGOR_new();
-    if (ret == NULL)
-        goto merr;
-
-    ret->algorithm = OBJ_nid2obj(NID_pbes2);
-
-    /* Encode PBE2PARAM into parameter */
-
-    if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBE2PARAM), pbe2,
-                                &ret->parameter) == NULL)
-        goto merr;
-
-    PBE2PARAM_free(pbe2);
-    pbe2 = NULL;
-
-    return ret;
-
- merr:
-    ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT, ERR_R_MALLOC_FAILURE);
-
- err:
-    PBE2PARAM_free(pbe2);
-    X509_ALGOR_free(ret);
-    EVP_CIPHER_CTX_free(ctx);
-
-    return NULL;
-}
-
-static X509_ALGOR *pkcs5_scrypt_set(const unsigned char *salt, size_t saltlen,
-                                    size_t keylen, uint64_t N, uint64_t r,
-                                    uint64_t p)
-{
-    X509_ALGOR *keyfunc = NULL;
-    SCRYPT_PARAMS *sparam = SCRYPT_PARAMS_new();
-
-    if (sparam == NULL)
-        goto merr;
-
-    if (!saltlen)
-        saltlen = PKCS5_SALT_LEN;
-
-    /* This will either copy salt or grow the buffer */
-    if (ASN1_STRING_set(sparam->salt, salt, saltlen) == 0)
-        goto merr;
-
-    if (salt == NULL && RAND_bytes(sparam->salt->data, saltlen) <= 0)
-        goto err;
-
-    if (ASN1_INTEGER_set_uint64(sparam->costParameter, N) == 0)
-        goto merr;
-
-    if (ASN1_INTEGER_set_uint64(sparam->blockSize, r) == 0)
-        goto merr;
-
-    if (ASN1_INTEGER_set_uint64(sparam->parallelizationParameter, p) == 0)
-        goto merr;
-
-    /* If have a key len set it up */
-
-    if (keylen > 0) {
-        sparam->keyLength = ASN1_INTEGER_new();
-        if (sparam->keyLength == NULL)
-            goto merr;
-        if (ASN1_INTEGER_set_int64(sparam->keyLength, keylen) == 0)
-            goto merr;
-    }
-
-    /* Finally setup the keyfunc structure */
-
-    keyfunc = X509_ALGOR_new();
-    if (keyfunc == NULL)
-        goto merr;
-
-    keyfunc->algorithm = OBJ_nid2obj(NID_id_scrypt);
-
-    /* Encode SCRYPT_PARAMS into parameter of pbe2 */
-
-    if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), sparam,
-                                &keyfunc->parameter) == NULL)
-        goto merr;
-
-    SCRYPT_PARAMS_free(sparam);
-    return keyfunc;
-
- merr:
-    ASN1err(ASN1_F_PKCS5_SCRYPT_SET, ERR_R_MALLOC_FAILURE);
- err:
-    SCRYPT_PARAMS_free(sparam);
-    X509_ALGOR_free(keyfunc);
-    return NULL;
-}
-
-int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
-                             int passlen, ASN1_TYPE *param,
-                             const EVP_CIPHER *c, const EVP_MD *md, int en_de)
-{
-    unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
-    uint64_t p, r, N;
-    size_t saltlen;
-    size_t keylen = 0;
-    int rv = 0;
-    SCRYPT_PARAMS *sparam = NULL;
-
-    if (EVP_CIPHER_CTX_cipher(ctx) == NULL) {
-        EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_NO_CIPHER_SET);
-        goto err;
-    }
-
-    /* Decode parameter */
-
-    sparam = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(SCRYPT_PARAMS), param);
-
-    if (sparam == NULL) {
-        EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, EVP_R_DECODE_ERROR);
-        goto err;
-    }
-
-    keylen = EVP_CIPHER_CTX_key_length(ctx);
-
-    /* Now check the parameters of sparam */
-
-    if (sparam->keyLength) {
-        uint64_t spkeylen;
-        if ((ASN1_INTEGER_get_uint64(&spkeylen, sparam->keyLength) == 0)
-            || (spkeylen != keylen)) {
-            EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
-                   EVP_R_UNSUPPORTED_KEYLENGTH);
-            goto err;
-        }
-    }
-    /* Check all parameters fit in uint64_t and are acceptable to scrypt */
-    if (ASN1_INTEGER_get_uint64(&N, sparam->costParameter) == 0
-        || ASN1_INTEGER_get_uint64(&r, sparam->blockSize) == 0
-        || ASN1_INTEGER_get_uint64(&p, sparam->parallelizationParameter) == 0
-        || EVP_PBE_scrypt(NULL, 0, NULL, 0, N, r, p, 0, NULL, 0) == 0) {
-        EVPerr(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN,
-               EVP_R_ILLEGAL_SCRYPT_PARAMETERS);
-        goto err;
-    }
-
-    /* it seems that its all OK */
-
-    salt = sparam->salt->data;
-    saltlen = sparam->salt->length;
-    if (EVP_PBE_scrypt(pass, passlen, salt, saltlen, N, r, p, 0, key, keylen)
-        == 0)
-        goto err;
-    rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
- err:
-    if (keylen)
-        OPENSSL_cleanse(key, keylen);
-    SCRYPT_PARAMS_free(sparam);
-    return rv;
-}
-#endif /* OPENSSL_NO_SCRYPT */
diff --git a/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c
index dbee827e..0a425cd2 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/p8_pkey.c
@@ -1,17 +1,66 @@
+/* p8_pkey.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 
 /* Minor tweak to operation: zero private key data */
 static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -20,8 +69,10 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
     /* Since the structure must still be valid use ASN1_OP_FREE_PRE */
     if (operation == ASN1_OP_FREE_PRE) {
         PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
-        if (key->pkey)
-            OPENSSL_cleanse(key->pkey->data, key->pkey->length);
+        if (key->pkey && key->pkey->type == V_ASN1_OCTET_STRING
+            && key->pkey->value.octet_string != NULL)
+            OPENSSL_cleanse(key->pkey->value.octet_string->data,
+                            key->pkey->value.octet_string->length);
     }
     return 1;
 }
@@ -29,7 +80,7 @@ static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {
         ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
         ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),
-        ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_ANY),
         ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0)
 } ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
 
@@ -39,42 +90,56 @@ int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
                     int version,
                     int ptype, void *pval, unsigned char *penc, int penclen)
 {
+    unsigned char **ppenc = NULL;
     if (version >= 0) {
         if (!ASN1_INTEGER_set(priv->version, version))
             return 0;
     }
-    if (!X509_ALGOR_set0(priv->pkeyalg, aobj, ptype, pval))
+    if (penc) {
+        int pmtype;
+        ASN1_OCTET_STRING *oct;
+        oct = ASN1_OCTET_STRING_new();
+        if (!oct)
+            return 0;
+        oct->data = penc;
+        ppenc = &oct->data;
+        oct->length = penclen;
+        if (priv->broken == PKCS8_NO_OCTET)
+            pmtype = V_ASN1_SEQUENCE;
+        else
+            pmtype = V_ASN1_OCTET_STRING;
+        ASN1_TYPE_set(priv->pkey, pmtype, oct);
+    }
+    if (!X509_ALGOR_set0(priv->pkeyalg, aobj, ptype, pval)) {
+        /* If call fails do not swallow 'enc' */
+        if (ppenc)
+            *ppenc = NULL;
         return 0;
-    if (penc)
-        ASN1_STRING_set0(priv->pkey, penc, penclen);
+    }
     return 1;
 }
 
-int PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg,
+int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg,
                     const unsigned char **pk, int *ppklen,
-                    const X509_ALGOR **pa, const PKCS8_PRIV_KEY_INFO *p8)
+                    X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8)
 {
     if (ppkalg)
         *ppkalg = p8->pkeyalg->algorithm;
-    if (pk) {
-        *pk = ASN1_STRING_get0_data(p8->pkey);
-        *ppklen = ASN1_STRING_length(p8->pkey);
-    }
+    if (p8->pkey->type == V_ASN1_OCTET_STRING) {
+        p8->broken = PKCS8_OK;
+        if (pk) {
+            *pk = p8->pkey->value.octet_string->data;
+            *ppklen = p8->pkey->value.octet_string->length;
+        }
+    } else if (p8->pkey->type == V_ASN1_SEQUENCE) {
+        p8->broken = PKCS8_NO_OCTET;
+        if (pk) {
+            *pk = p8->pkey->value.sequence->data;
+            *ppklen = p8->pkey->value.sequence->length;
+        }
+    } else
+        return 0;
     if (pa)
         *pa = p8->pkeyalg;
     return 1;
 }
-
-const STACK_OF(X509_ATTRIBUTE) *
-PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8)
-{
-    return p8->attributes;
-}
-
-int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
-                                const unsigned char *bytes, int len)
-{
-    if (X509at_add1_attr_by_NID(&p8->attributes, nid, type, bytes, len) != NULL)
-        return 1;
-    return 0;
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c b/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c
index c0aeca4c..d5cf3c77 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_bitst.c
@@ -1,14 +1,64 @@
+/* t_bitst.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
@@ -30,7 +80,7 @@ int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
     return 1;
 }
 
-int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, const char *name, int value,
+int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
                             BIT_STRING_BITNAME *tbl)
 {
     int bitnum;
@@ -44,12 +94,11 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, const char *name, int value,
     return 1;
 }
 
-int ASN1_BIT_STRING_num_asc(const char *name, BIT_STRING_BITNAME *tbl)
+int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
 {
     BIT_STRING_BITNAME *bnam;
     for (bnam = tbl; bnam->lname; bnam++) {
-        if ((strcmp(bnam->sname, name) == 0)
-            || (strcmp(bnam->lname, name) == 0))
+        if (!strcmp(bnam->sname, name) || !strcmp(bnam->lname, name))
             return bnam->bitnum;
     }
     return -1;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_crl.c b/Cryptlib/OpenSSL/crypto/asn1/t_crl.c
new file mode 100644
index 00000000..0dfaf0ba
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_crl.c
@@ -0,0 +1,133 @@
+/* t_crl.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#ifndef OPENSSL_NO_FP_API
+int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
+{
+    BIO *b;
+    int ret;
+
+    if ((b = BIO_new(BIO_s_file())) == NULL) {
+        X509err(X509_F_X509_CRL_PRINT_FP, ERR_R_BUF_LIB);
+        return (0);
+    }
+    BIO_set_fp(b, fp, BIO_NOCLOSE);
+    ret = X509_CRL_print(b, x);
+    BIO_free(b);
+    return (ret);
+}
+#endif
+
+int X509_CRL_print(BIO *out, X509_CRL *x)
+{
+    STACK_OF(X509_REVOKED) *rev;
+    X509_REVOKED *r;
+    long l;
+    int i;
+    char *p;
+
+    BIO_printf(out, "Certificate Revocation List (CRL):\n");
+    l = X509_CRL_get_version(x);
+    BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l + 1, l);
+    i = OBJ_obj2nid(x->sig_alg->algorithm);
+    X509_signature_print(out, x->sig_alg, NULL);
+    p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0);
+    BIO_printf(out, "%8sIssuer: %s\n", "", p);
+    OPENSSL_free(p);
+    BIO_printf(out, "%8sLast Update: ", "");
+    ASN1_TIME_print(out, X509_CRL_get_lastUpdate(x));
+    BIO_printf(out, "\n%8sNext Update: ", "");
+    if (X509_CRL_get_nextUpdate(x))
+        ASN1_TIME_print(out, X509_CRL_get_nextUpdate(x));
+    else
+        BIO_printf(out, "NONE");
+    BIO_printf(out, "\n");
+
+    X509V3_extensions_print(out, "CRL extensions", x->crl->extensions, 0, 8);
+
+    rev = X509_CRL_get_REVOKED(x);
+
+    if (sk_X509_REVOKED_num(rev) > 0)
+        BIO_printf(out, "Revoked Certificates:\n");
+    else
+        BIO_printf(out, "No Revoked Certificates.\n");
+
+    for (i = 0; i < sk_X509_REVOKED_num(rev); i++) {
+        r = sk_X509_REVOKED_value(rev, i);
+        BIO_printf(out, "    Serial Number: ");
+        i2a_ASN1_INTEGER(out, r->serialNumber);
+        BIO_printf(out, "\n        Revocation Date: ");
+        ASN1_TIME_print(out, r->revocationDate);
+        BIO_printf(out, "\n");
+        X509V3_extensions_print(out, "CRL entry extensions",
+                                r->extensions, 0, 8);
+    }
+    X509_signature_print(out, x->sig_alg, x->signature);
+
+    return 1;
+
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c
index 3b2c9df8..735c3426 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_pkey.c
@@ -1,59 +1,77 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/t_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
-#include "internal/bn_int.h"
-
-/* Number of octets per line */
-#define ASN1_BUF_PRINT_WIDTH    15
-/* Maximum indent */
-#define ASN1_PRINT_MAX_INDENT 128
-
-int ASN1_buf_print(BIO *bp, const unsigned char *buf, size_t buflen, int indent)
-{
-    size_t i;
-
-    for (i = 0; i < buflen; i++) {
-        if ((i % ASN1_BUF_PRINT_WIDTH) == 0) {
-            if (i > 0 && BIO_puts(bp, "\n") <= 0)
-                return 0;
-            if (!BIO_indent(bp, indent, ASN1_PRINT_MAX_INDENT))
-                return 0;
-        }
-        /*
-         * Use colon separators for each octet for compatibility as
-         * this function is used to print out key components.
-         */
-        if (BIO_printf(bp, "%02x%s", buf[i],
-                       (i == buflen - 1) ? "" : ":") <= 0)
-                return 0;
-    }
-    if (BIO_write(bp, "\n", 1) <= 0)
-        return 0;
-    return 1;
-}
+#include <openssl/bn.h>
 
 int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
-                  unsigned char *ign, int indent)
+                  unsigned char *buf, int off)
 {
-    int n, rv = 0;
+    int n, i;
     const char *neg;
-    unsigned char *buf = NULL, *tmp = NULL;
-    int buflen;
 
     if (num == NULL)
-        return 1;
-    neg = BN_is_negative(num) ? "-" : "";
-    if (!BIO_indent(bp, indent, ASN1_PRINT_MAX_INDENT))
+        return (1);
+    neg = (BN_is_negative(num)) ? "-" : "";
+    if (!BIO_indent(bp, off, 128))
         return 0;
     if (BN_is_zero(num)) {
         if (BIO_printf(bp, "%s 0\n", number) <= 0)
@@ -63,31 +81,33 @@ int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
 
     if (BN_num_bytes(num) <= BN_BYTES) {
         if (BIO_printf(bp, "%s %s%lu (%s0x%lx)\n", number, neg,
-                       (unsigned long)bn_get_words(num)[0], neg,
-                       (unsigned long)bn_get_words(num)[0]) <= 0)
-            return 0;
-        return 1;
-    }
-
-    buflen = BN_num_bytes(num) + 1;
-    buf = tmp = OPENSSL_malloc(buflen);
-    if (buf == NULL)
-        goto err;
-    buf[0] = 0;
-    if (BIO_printf(bp, "%s%s\n", number,
-                   (neg[0] == '-') ? " (Negative)" : "") <= 0)
-        goto err;
-    n = BN_bn2bin(num, buf + 1);
+                       (unsigned long)num->d[0], neg,
+                       (unsigned long)num->d[0])
+            <= 0)
+            return (0);
+    } else {
+        buf[0] = 0;
+        if (BIO_printf(bp, "%s%s", number,
+                       (neg[0] == '-') ? " (Negative)" : "") <= 0)
+            return (0);
+        n = BN_bn2bin(num, &buf[1]);
 
-    if (buf[1] & 0x80)
-        n++;
-    else
-        tmp++;
+        if (buf[1] & 0x80)
+            n++;
+        else
+            buf++;
 
-    if (ASN1_buf_print(bp, tmp, n, indent + 4) == 0)
-        goto err;
-    rv = 1;
-    err:
-    OPENSSL_clear_free(buf, buflen);
-    return rv;
+        for (i = 0; i < n; i++) {
+            if ((i % 15) == 0) {
+                if (BIO_puts(bp, "\n") <= 0 || !BIO_indent(bp, off + 4, 128))
+                    return 0;
+            }
+            if (BIO_printf(bp, "%02x%s", buf[i], ((i + 1) == n) ? "" : ":")
+                <= 0)
+                return (0);
+        }
+        if (BIO_write(bp, "\n", 1) <= 0)
+            return (0);
+    }
+    return (1);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_req.c b/Cryptlib/OpenSSL/crypto/asn1/t_req.c
new file mode 100644
index 00000000..c32241c2
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_req.c
@@ -0,0 +1,256 @@
+/* crypto/asn1/t_req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+
+#ifndef OPENSSL_NO_FP_API
+int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
+{
+    BIO *b;
+    int ret;
+
+    if ((b = BIO_new(BIO_s_file())) == NULL) {
+        X509err(X509_F_X509_REQ_PRINT_FP, ERR_R_BUF_LIB);
+        return (0);
+    }
+    BIO_set_fp(b, fp, BIO_NOCLOSE);
+    ret = X509_REQ_print(b, x);
+    BIO_free(b);
+    return (ret);
+}
+#endif
+
+int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
+                      unsigned long cflag)
+{
+    unsigned long l;
+    int i;
+    const char *neg;
+    X509_REQ_INFO *ri;
+    EVP_PKEY *pkey;
+    STACK_OF(X509_ATTRIBUTE) *sk;
+    STACK_OF(X509_EXTENSION) *exts;
+    char mlch = ' ';
+    int nmindent = 0;
+
+    if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
+        mlch = '\n';
+        nmindent = 12;
+    }
+
+    if (nmflags == X509_FLAG_COMPAT)
+        nmindent = 16;
+
+    ri = x->req_info;
+    if (!(cflag & X509_FLAG_NO_HEADER)) {
+        if (BIO_write(bp, "Certificate Request:\n", 21) <= 0)
+            goto err;
+        if (BIO_write(bp, "    Data:\n", 10) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_VERSION)) {
+        neg = (ri->version->type == V_ASN1_NEG_INTEGER) ? "-" : "";
+        l = 0;
+        for (i = 0; i < ri->version->length; i++) {
+            l <<= 8;
+            l += ri->version->data[i];
+        }
+        if (BIO_printf(bp, "%8sVersion: %s%lu (%s0x%lx)\n", "", neg, l, neg,
+                       l) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_SUBJECT)) {
+        if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)
+            goto err;
+        if (X509_NAME_print_ex(bp, ri->subject, nmindent, nmflags) < 0)
+            goto err;
+        if (BIO_write(bp, "\n", 1) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_PUBKEY)) {
+        if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
+            goto err;
+        if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
+            goto err;
+        if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0)
+            goto err;
+        if (BIO_puts(bp, "\n") <= 0)
+            goto err;
+
+        pkey = X509_REQ_get_pubkey(x);
+        if (pkey == NULL) {
+            BIO_printf(bp, "%12sUnable to load Public Key\n", "");
+            ERR_print_errors(bp);
+        } else {
+            EVP_PKEY_print_public(bp, pkey, 16, NULL);
+            EVP_PKEY_free(pkey);
+        }
+    }
+
+    if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
+        /* may not be */
+        if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0)
+            goto err;
+
+        sk = x->req_info->attributes;
+        if (sk_X509_ATTRIBUTE_num(sk) == 0) {
+            if (BIO_printf(bp, "%12sa0:00\n", "") <= 0)
+                goto err;
+        } else {
+            for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+                ASN1_TYPE *at;
+                X509_ATTRIBUTE *a;
+                ASN1_BIT_STRING *bs = NULL;
+                ASN1_TYPE *t;
+                int j, type = 0, count = 1, ii = 0;
+
+                a = sk_X509_ATTRIBUTE_value(sk, i);
+                if (X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
+                    continue;
+                if (BIO_printf(bp, "%12s", "") <= 0)
+                    goto err;
+                if ((j = i2a_ASN1_OBJECT(bp, a->object)) > 0) {
+                    if (a->single) {
+                        t = a->value.single;
+                        type = t->type;
+                        bs = t->value.bit_string;
+                    } else {
+                        ii = 0;
+                        count = sk_ASN1_TYPE_num(a->value.set);
+ get_next:
+                        at = sk_ASN1_TYPE_value(a->value.set, ii);
+                        type = at->type;
+                        bs = at->value.asn1_string;
+                    }
+                }
+                for (j = 25 - j; j > 0; j--)
+                    if (BIO_write(bp, " ", 1) != 1)
+                        goto err;
+                if (BIO_puts(bp, ":") <= 0)
+                    goto err;
+                if (bs != NULL && (
+                    (type == V_ASN1_PRINTABLESTRING) ||
+                    (type == V_ASN1_UTF8STRING) ||
+                    (type == V_ASN1_T61STRING) ||
+                    (type == V_ASN1_IA5STRING))) {
+                    if (BIO_write(bp, (char *)bs->data, bs->length)
+                        != bs->length)
+                        goto err;
+                    BIO_puts(bp, "\n");
+                } else {
+                    BIO_puts(bp, "unable to print attribute\n");
+                }
+                if (++ii < count)
+                    goto get_next;
+            }
+        }
+    }
+    if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
+        exts = X509_REQ_get_extensions(x);
+        if (exts) {
+            BIO_printf(bp, "%8sRequested Extensions:\n", "");
+            for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+                ASN1_OBJECT *obj;
+                X509_EXTENSION *ex;
+                int j;
+                ex = sk_X509_EXTENSION_value(exts, i);
+                if (BIO_printf(bp, "%12s", "") <= 0)
+                    goto err;
+                obj = X509_EXTENSION_get_object(ex);
+                i2a_ASN1_OBJECT(bp, obj);
+                j = X509_EXTENSION_get_critical(ex);
+                if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
+                    goto err;
+                if (!X509V3_EXT_print(bp, ex, cflag, 16)) {
+                    BIO_printf(bp, "%16s", "");
+                    M_ASN1_OCTET_STRING_print(bp, ex->value);
+                }
+                if (BIO_write(bp, "\n", 1) <= 0)
+                    goto err;
+            }
+            sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+        }
+    }
+
+    if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
+        if (!X509_signature_print(bp, x->sig_alg, x->signature))
+            goto err;
+    }
+
+    return (1);
+ err:
+    X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB);
+    return (0);
+}
+
+int X509_REQ_print(BIO *bp, X509_REQ *x)
+{
+    return X509_REQ_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_spki.c b/Cryptlib/OpenSSL/crypto/asn1/t_spki.c
index 51b56d0a..3bf48db5 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/t_spki.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_spki.c
@@ -1,18 +1,72 @@
+/* t_spki.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
 #include <openssl/bn.h>
 
 /* Print out an SPKI */
@@ -21,12 +75,10 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
 {
     EVP_PKEY *pkey;
     ASN1_IA5STRING *chal;
-    ASN1_OBJECT *spkioid;
     int i, n;
     char *s;
     BIO_printf(out, "Netscape SPKI:\n");
-    X509_PUBKEY_get0_param(&spkioid, NULL, NULL, NULL, spki->spkac->pubkey);
-    i = OBJ_obj2nid(spkioid);
+    i = OBJ_obj2nid(spki->spkac->pubkey->algor->algorithm);
     BIO_printf(out, "  Public Key Algorithm: %s\n",
                (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
     pkey = X509_PUBKEY_get(spki->spkac->pubkey);
@@ -39,7 +91,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
     chal = spki->spkac->challenge;
     if (chal->length)
         BIO_printf(out, "  Challenge String: %s\n", chal->data);
-    i = OBJ_obj2nid(spki->sig_algor.algorithm);
+    i = OBJ_obj2nid(spki->sig_algor->algorithm);
     BIO_printf(out, "  Signature Algorithm: %s",
                (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
 
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_x509.c b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c
new file mode 100644
index 00000000..8888396f
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_x509.c
@@ -0,0 +1,556 @@
+/* crypto/asn1/t_x509.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_EC
+# include <openssl/ec.h>
+#endif
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include "asn1_locl.h"
+
+#ifndef OPENSSL_NO_FP_API
+int X509_print_fp(FILE *fp, X509 *x)
+{
+    return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
+}
+
+int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,
+                     unsigned long cflag)
+{
+    BIO *b;
+    int ret;
+
+    if ((b = BIO_new(BIO_s_file())) == NULL) {
+        X509err(X509_F_X509_PRINT_EX_FP, ERR_R_BUF_LIB);
+        return (0);
+    }
+    BIO_set_fp(b, fp, BIO_NOCLOSE);
+    ret = X509_print_ex(b, x, nmflag, cflag);
+    BIO_free(b);
+    return (ret);
+}
+#endif
+
+int X509_print(BIO *bp, X509 *x)
+{
+    return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
+}
+
+int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
+                  unsigned long cflag)
+{
+    long l;
+    int ret = 0, i;
+    char *m = NULL, mlch = ' ';
+    int nmindent = 0;
+    X509_CINF *ci;
+    ASN1_INTEGER *bs;
+    EVP_PKEY *pkey = NULL;
+    const char *neg;
+
+    if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
+        mlch = '\n';
+        nmindent = 12;
+    }
+
+    if (nmflags == X509_FLAG_COMPAT)
+        nmindent = 16;
+
+    ci = x->cert_info;
+    if (!(cflag & X509_FLAG_NO_HEADER)) {
+        if (BIO_write(bp, "Certificate:\n", 13) <= 0)
+            goto err;
+        if (BIO_write(bp, "    Data:\n", 10) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_VERSION)) {
+        l = X509_get_version(x);
+        if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n", "", l + 1, l) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_SERIAL)) {
+
+        if (BIO_write(bp, "        Serial Number:", 22) <= 0)
+            goto err;
+
+        bs = X509_get_serialNumber(x);
+        if (bs->length < (int)sizeof(long)
+            || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) {
+            l = ASN1_INTEGER_get(bs);
+            if (bs->type == V_ASN1_NEG_INTEGER) {
+                l = -l;
+                neg = "-";
+            } else
+                neg = "";
+            if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, l, neg, l) <= 0)
+                goto err;
+        } else {
+            neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
+            if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0)
+                goto err;
+
+            for (i = 0; i < bs->length; i++) {
+                if (BIO_printf(bp, "%02x%c", bs->data[i],
+                               ((i + 1 == bs->length) ? '\n' : ':')) <= 0)
+                    goto err;
+            }
+        }
+
+    }
+
+    if (!(cflag & X509_FLAG_NO_SIGNAME)) {
+        if (X509_signature_print(bp, ci->signature, NULL) <= 0)
+            goto err;
+#if 0
+        if (BIO_printf(bp, "%8sSignature Algorithm: ", "") <= 0)
+            goto err;
+        if (i2a_ASN1_OBJECT(bp, ci->signature->algorithm) <= 0)
+            goto err;
+        if (BIO_puts(bp, "\n") <= 0)
+            goto err;
+#endif
+    }
+
+    if (!(cflag & X509_FLAG_NO_ISSUER)) {
+        if (BIO_printf(bp, "        Issuer:%c", mlch) <= 0)
+            goto err;
+        if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags)
+            < 0)
+            goto err;
+        if (BIO_write(bp, "\n", 1) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_VALIDITY)) {
+        if (BIO_write(bp, "        Validity\n", 17) <= 0)
+            goto err;
+        if (BIO_write(bp, "            Not Before: ", 24) <= 0)
+            goto err;
+        if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))
+            goto err;
+        if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
+            goto err;
+        if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))
+            goto err;
+        if (BIO_write(bp, "\n", 1) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_SUBJECT)) {
+        if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)
+            goto err;
+        if (X509_NAME_print_ex
+            (bp, X509_get_subject_name(x), nmindent, nmflags) < 0)
+            goto err;
+        if (BIO_write(bp, "\n", 1) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_PUBKEY)) {
+        if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
+            goto err;
+        if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
+            goto err;
+        if (i2a_ASN1_OBJECT(bp, ci->key->algor->algorithm) <= 0)
+            goto err;
+        if (BIO_puts(bp, "\n") <= 0)
+            goto err;
+
+        pkey = X509_get_pubkey(x);
+        if (pkey == NULL) {
+            BIO_printf(bp, "%12sUnable to load Public Key\n", "");
+            ERR_print_errors(bp);
+        } else {
+            EVP_PKEY_print_public(bp, pkey, 16, NULL);
+            EVP_PKEY_free(pkey);
+        }
+    }
+
+    if (!(cflag & X509_FLAG_NO_IDS)) {
+        if (ci->issuerUID) {
+            if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0)
+                goto err;
+            if (!X509_signature_dump(bp, ci->issuerUID, 12))
+                goto err;
+        }
+        if (ci->subjectUID) {
+            if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0)
+                goto err;
+            if (!X509_signature_dump(bp, ci->subjectUID, 12))
+                goto err;
+        }
+    }
+
+    if (!(cflag & X509_FLAG_NO_EXTENSIONS))
+        X509V3_extensions_print(bp, "X509v3 extensions",
+                                ci->extensions, cflag, 8);
+
+    if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
+        if (X509_signature_print(bp, x->sig_alg, x->signature) <= 0)
+            goto err;
+    }
+    if (!(cflag & X509_FLAG_NO_AUX)) {
+        if (!X509_CERT_AUX_print(bp, x->aux, 0))
+            goto err;
+    }
+    ret = 1;
+ err:
+    if (m != NULL)
+        OPENSSL_free(m);
+    return (ret);
+}
+
+int X509_ocspid_print(BIO *bp, X509 *x)
+{
+    unsigned char *der = NULL;
+    unsigned char *dertmp;
+    int derlen;
+    int i;
+    unsigned char SHA1md[SHA_DIGEST_LENGTH];
+
+    /*
+     * display the hash of the subject as it would appear in OCSP requests
+     */
+    if (BIO_printf(bp, "        Subject OCSP hash: ") <= 0)
+        goto err;
+    derlen = i2d_X509_NAME(x->cert_info->subject, NULL);
+    if ((der = dertmp = (unsigned char *)OPENSSL_malloc(derlen)) == NULL)
+        goto err;
+    i2d_X509_NAME(x->cert_info->subject, &dertmp);
+
+    if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))
+        goto err;
+    for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
+        if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
+            goto err;
+    }
+    OPENSSL_free(der);
+    der = NULL;
+
+    /*
+     * display the hash of the public key as it would appear in OCSP requests
+     */
+    if (BIO_printf(bp, "\n        Public key OCSP hash: ") <= 0)
+        goto err;
+
+    if (!EVP_Digest(x->cert_info->key->public_key->data,
+                    x->cert_info->key->public_key->length,
+                    SHA1md, NULL, EVP_sha1(), NULL))
+        goto err;
+    for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
+        if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
+            goto err;
+    }
+    BIO_printf(bp, "\n");
+
+    return (1);
+ err:
+    if (der != NULL)
+        OPENSSL_free(der);
+    return (0);
+}
+
+int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
+{
+    const unsigned char *s;
+    int i, n;
+
+    n = sig->length;
+    s = sig->data;
+    for (i = 0; i < n; i++) {
+        if ((i % 18) == 0) {
+            if (BIO_write(bp, "\n", 1) <= 0)
+                return 0;
+            if (BIO_indent(bp, indent, indent) <= 0)
+                return 0;
+        }
+        if (BIO_printf(bp, "%02x%s", s[i], ((i + 1) == n) ? "" : ":") <= 0)
+            return 0;
+    }
+    if (BIO_write(bp, "\n", 1) != 1)
+        return 0;
+
+    return 1;
+}
+
+int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig)
+{
+    int sig_nid;
+    if (BIO_puts(bp, "    Signature Algorithm: ") <= 0)
+        return 0;
+    if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0)
+        return 0;
+
+    sig_nid = OBJ_obj2nid(sigalg->algorithm);
+    if (sig_nid != NID_undef) {
+        int pkey_nid, dig_nid;
+        const EVP_PKEY_ASN1_METHOD *ameth;
+        if (OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) {
+            ameth = EVP_PKEY_asn1_find(NULL, pkey_nid);
+            if (ameth && ameth->sig_print)
+                return ameth->sig_print(bp, sigalg, sig, 9, 0);
+        }
+    }
+    if (sig)
+        return X509_signature_dump(bp, sig, 9);
+    else if (BIO_puts(bp, "\n") <= 0)
+        return 0;
+    return 1;
+}
+
+int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v)
+{
+    int i, n;
+    char buf[80];
+    const char *p;
+
+    if (v == NULL)
+        return (0);
+    n = 0;
+    p = (const char *)v->data;
+    for (i = 0; i < v->length; i++) {
+        if ((p[i] > '~') || ((p[i] < ' ') &&
+                             (p[i] != '\n') && (p[i] != '\r')))
+            buf[n] = '.';
+        else
+            buf[n] = p[i];
+        n++;
+        if (n >= 80) {
+            if (BIO_write(bp, buf, n) <= 0)
+                return (0);
+            n = 0;
+        }
+    }
+    if (n > 0)
+        if (BIO_write(bp, buf, n) <= 0)
+            return (0);
+    return (1);
+}
+
+int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
+{
+    if (tm->type == V_ASN1_UTCTIME)
+        return ASN1_UTCTIME_print(bp, tm);
+    if (tm->type == V_ASN1_GENERALIZEDTIME)
+        return ASN1_GENERALIZEDTIME_print(bp, tm);
+    BIO_write(bp, "Bad time value", 14);
+    return (0);
+}
+
+static const char *mon[12] = {
+    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+};
+
+int ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
+{
+    char *v;
+    int gmt = 0;
+    int i;
+    int y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
+    char *f = NULL;
+    int f_len = 0;
+
+    i = tm->length;
+    v = (char *)tm->data;
+
+    if (i < 12)
+        goto err;
+    if (v[i - 1] == 'Z')
+        gmt = 1;
+    for (i = 0; i < 12; i++)
+        if ((v[i] > '9') || (v[i] < '0'))
+            goto err;
+    y = (v[0] - '0') * 1000 + (v[1] - '0') * 100
+        + (v[2] - '0') * 10 + (v[3] - '0');
+    M = (v[4] - '0') * 10 + (v[5] - '0');
+    if ((M > 12) || (M < 1))
+        goto err;
+    d = (v[6] - '0') * 10 + (v[7] - '0');
+    h = (v[8] - '0') * 10 + (v[9] - '0');
+    m = (v[10] - '0') * 10 + (v[11] - '0');
+    if (tm->length >= 14 &&
+        (v[12] >= '0') && (v[12] <= '9') &&
+        (v[13] >= '0') && (v[13] <= '9')) {
+        s = (v[12] - '0') * 10 + (v[13] - '0');
+        /* Check for fractions of seconds. */
+        if (tm->length >= 15 && v[14] == '.') {
+            int l = tm->length;
+            f = &v[14];         /* The decimal point. */
+            f_len = 1;
+            while (14 + f_len < l && f[f_len] >= '0' && f[f_len] <= '9')
+                ++f_len;
+        }
+    }
+
+    if (BIO_printf(bp, "%s %2d %02d:%02d:%02d%.*s %d%s",
+                   mon[M - 1], d, h, m, s, f_len, f, y,
+                   (gmt) ? " GMT" : "") <= 0)
+        return (0);
+    else
+        return (1);
+ err:
+    BIO_write(bp, "Bad time value", 14);
+    return (0);
+}
+
+int ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm)
+{
+    const char *v;
+    int gmt = 0;
+    int i;
+    int y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
+
+    i = tm->length;
+    v = (const char *)tm->data;
+
+    if (i < 10)
+        goto err;
+    if (v[i - 1] == 'Z')
+        gmt = 1;
+    for (i = 0; i < 10; i++)
+        if ((v[i] > '9') || (v[i] < '0'))
+            goto err;
+    y = (v[0] - '0') * 10 + (v[1] - '0');
+    if (y < 50)
+        y += 100;
+    M = (v[2] - '0') * 10 + (v[3] - '0');
+    if ((M > 12) || (M < 1))
+        goto err;
+    d = (v[4] - '0') * 10 + (v[5] - '0');
+    h = (v[6] - '0') * 10 + (v[7] - '0');
+    m = (v[8] - '0') * 10 + (v[9] - '0');
+    if (tm->length >= 12 &&
+        (v[10] >= '0') && (v[10] <= '9') && (v[11] >= '0') && (v[11] <= '9'))
+        s = (v[10] - '0') * 10 + (v[11] - '0');
+
+    if (BIO_printf(bp, "%s %2d %02d:%02d:%02d %d%s",
+                   mon[M - 1], d, h, m, s, y + 1900,
+                   (gmt) ? " GMT" : "") <= 0)
+        return (0);
+    else
+        return (1);
+ err:
+    BIO_write(bp, "Bad time value", 14);
+    return (0);
+}
+
+int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
+{
+    char *s, *c, *b;
+    int ret = 0, l, i;
+
+    l = 80 - 2 - obase;
+
+    b = X509_NAME_oneline(name, NULL, 0);
+    if (!b)
+        return 0;
+    if (!*b) {
+        OPENSSL_free(b);
+        return 1;
+    }
+    s = b + 1;                  /* skip the first slash */
+
+    c = s;
+    for (;;) {
+#ifndef CHARSET_EBCDIC
+        if (((*s == '/') &&
+             ((s[1] >= 'A') && (s[1] <= 'Z') && ((s[2] == '=') ||
+                                                 ((s[2] >= 'A')
+                                                  && (s[2] <= 'Z')
+                                                  && (s[3] == '='))
+              ))) || (*s == '\0'))
+#else
+        if (((*s == '/') &&
+             (isupper(s[1]) && ((s[2] == '=') ||
+                                (isupper(s[2]) && (s[3] == '='))
+              ))) || (*s == '\0'))
+#endif
+        {
+            i = s - c;
+            if (BIO_write(bp, c, i) != i)
+                goto err;
+            c = s + 1;          /* skip following slash */
+            if (*s != '\0') {
+                if (BIO_write(bp, ", ", 2) != 2)
+                    goto err;
+            }
+            l--;
+        }
+        if (*s == '\0')
+            break;
+        s++;
+        l--;
+    }
+
+    ret = 1;
+    if (0) {
+ err:
+        X509err(X509_F_X509_NAME_PRINT, ERR_R_BUF_LIB);
+    }
+    OPENSSL_free(b);
+    return (ret);
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c b/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c
new file mode 100644
index 00000000..f4b8f94c
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/t_x509a.c
@@ -0,0 +1,115 @@
+/* t_x509a.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+
+/*
+ * X509_CERT_AUX and string set routines
+ */
+
+int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
+{
+    char oidstr[80], first;
+    int i;
+    if (!aux)
+        return 1;
+    if (aux->trust) {
+        first = 1;
+        BIO_printf(out, "%*sTrusted Uses:\n%*s", indent, "", indent + 2, "");
+        for (i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) {
+            if (!first)
+                BIO_puts(out, ", ");
+            else
+                first = 0;
+            OBJ_obj2txt(oidstr, sizeof oidstr,
+                        sk_ASN1_OBJECT_value(aux->trust, i), 0);
+            BIO_puts(out, oidstr);
+        }
+        BIO_puts(out, "\n");
+    } else
+        BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
+    if (aux->reject) {
+        first = 1;
+        BIO_printf(out, "%*sRejected Uses:\n%*s", indent, "", indent + 2, "");
+        for (i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) {
+            if (!first)
+                BIO_puts(out, ", ");
+            else
+                first = 0;
+            OBJ_obj2txt(oidstr, sizeof oidstr,
+                        sk_ASN1_OBJECT_value(aux->reject, i), 0);
+            BIO_puts(out, oidstr);
+        }
+        BIO_puts(out, "\n");
+    } else
+        BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
+    if (aux->alias)
+        BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data);
+    if (aux->keyid) {
+        BIO_printf(out, "%*sKey Id: ", indent, "");
+        for (i = 0; i < aux->keyid->length; i++)
+            BIO_printf(out, "%s%02X", i ? ":" : "", aux->keyid->data[i]);
+        BIO_write(out, "\n", 1);
+    }
+    return 1;
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c
index c9b63751..d2540273 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_dec.c
@@ -1,10 +1,60 @@
+/* tasn_dec.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stddef.h>
@@ -14,12 +64,6 @@
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/err.h>
-#include "internal/numbers.h"
-#include "asn1_locl.h"
-
-static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
-                               long len, const ASN1_ITEM *it,
-                               int tag, int aclass, char opt, ASN1_TLC *ctx);
 
 static int asn1_check_eoc(const unsigned char **in, long len);
 static int asn1_find_end(const unsigned char **in, long len, char inf);
@@ -47,8 +91,6 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
                                  const ASN1_ITEM *it,
                                  int tag, int aclass, char opt,
                                  ASN1_TLC *ctx);
-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                       int utype, char *free_cont, const ASN1_ITEM *it);
 
 /* Table to convert tags to bit values, used for MSTRING type */
 static const unsigned long tag2bit[32] = {
@@ -106,15 +148,13 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
     return NULL;
 }
 
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
-                     const ASN1_ITEM *it,
-                     int tag, int aclass, char opt, ASN1_TLC *ctx)
+int ASN1_template_d2i(ASN1_VALUE **pval,
+                      const unsigned char **in, long len,
+                      const ASN1_TEMPLATE *tt)
 {
-    int rv;
-    rv = asn1_item_embed_d2i(pval, in, len, it, tag, aclass, opt, ctx);
-    if (rv <= 0)
-        ASN1_item_ex_free(pval, it);
-    return rv;
+    ASN1_TLC c;
+    asn1_tlc_clear_nc(&c);
+    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
 }
 
 /*
@@ -122,22 +162,26 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
  * tag mismatch return -1 to handle OPTIONAL
  */
 
-static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
-                               long len, const ASN1_ITEM *it,
-                               int tag, int aclass, char opt, ASN1_TLC *ctx)
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+                     const ASN1_ITEM *it,
+                     int tag, int aclass, char opt, ASN1_TLC *ctx)
 {
     const ASN1_TEMPLATE *tt, *errtt = NULL;
+    const ASN1_COMPAT_FUNCS *cf;
     const ASN1_EXTERN_FUNCS *ef;
     const ASN1_AUX *aux = it->funcs;
     ASN1_aux_cb *asn1_cb;
     const unsigned char *p = NULL, *q;
-    unsigned char oclass;
+    unsigned char *wp = NULL;   /* BIG FAT WARNING! BREAKS CONST WHERE USED */
+    unsigned char imphack = 0, oclass;
     char seq_eoc, seq_nolen, cst, isopt;
     long tmplen;
     int i;
     int otag;
     int ret = 0;
-    ASN1_VALUE **pchptr;
+    ASN1_VALUE **pchptr, *ptmpval;
+    int combine = aclass & ASN1_TFLG_COMBINE;
+    aclass &= ~ASN1_TFLG_COMBINE;
     if (!pval)
         return 0;
     if (aux && aux->asn1_cb)
@@ -155,7 +199,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
              * template in the template itself.
              */
             if ((tag != -1) || opt) {
-                ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I,
+                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
                         ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
                 goto err;
             }
@@ -164,6 +208,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
         }
         return asn1_d2i_ex_primitive(pval, in, len, it,
                                      tag, aclass, opt, ctx);
+        break;
 
     case ASN1_ITYPE_MSTRING:
         p = *in;
@@ -171,7 +216,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
         ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
                               &p, len, -1, 0, 1, ctx);
         if (!ret) {
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         }
 
@@ -180,7 +225,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
             /* If OPTIONAL, assume this is OK */
             if (opt)
                 return -1;
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
             goto err;
         }
         /* Check tag matches bit map */
@@ -188,7 +233,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
             /* If OPTIONAL, assume this is OK */
             if (opt)
                 return -1;
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_WRONG_TAG);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_WRONG_TAG);
             goto err;
         }
         return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
@@ -198,6 +243,66 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
         ef = it->funcs;
         return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
 
+    case ASN1_ITYPE_COMPAT:
+        /* we must resort to old style evil hackery */
+        cf = it->funcs;
+
+        /* If OPTIONAL see if it is there */
+        if (opt) {
+            int exptag;
+            p = *in;
+            if (tag == -1)
+                exptag = it->utype;
+            else
+                exptag = tag;
+            /*
+             * Don't care about anything other than presence of expected tag
+             */
+
+            ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL,
+                                  &p, len, exptag, aclass, 1, ctx);
+            if (!ret) {
+                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+            }
+            if (ret == -1)
+                return -1;
+        }
+
+        /*
+         * This is the old style evil hack IMPLICIT handling: since the
+         * underlying code is expecting a tag and class other than the one
+         * present we change the buffer temporarily then change it back
+         * afterwards. This doesn't and never did work for tags > 30. Yes
+         * this is *horrible* but it is only needed for old style d2i which
+         * will hopefully not be around for much longer. FIXME: should copy
+         * the buffer then modify it so the input buffer can be const: we
+         * should *always* copy because the old style d2i might modify the
+         * buffer.
+         */
+
+        if (tag != -1) {
+            wp = *(unsigned char **)in;
+            imphack = *wp;
+            if (p == NULL) {
+                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+            }
+            *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
+                                  | it->utype);
+        }
+
+        ptmpval = cf->asn1_d2i(pval, in, len);
+
+        if (tag != -1)
+            *wp = imphack;
+
+        if (ptmpval)
+            return 1;
+
+        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+        goto err;
+
     case ASN1_ITYPE_CHOICE:
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
             goto auxerr;
@@ -207,11 +312,11 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
             if ((i >= 0) && (i < it->tcount)) {
                 tt = it->templates + i;
                 pchptr = asn1_get_field_ptr(pval, tt);
-                asn1_template_free(pchptr, tt);
+                ASN1_template_free(pchptr, tt);
                 asn1_set_choice_selector(pval, -1, it);
             }
         } else if (!ASN1_item_ex_new(pval, it)) {
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         }
         /* CHOICE type, try each possibility in turn */
@@ -228,13 +333,9 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
             /* If positive return, read OK, break loop */
             if (ret > 0)
                 break;
-            /*
-             * Must be an ASN1 parsing error.
-             * Free up any partial choice value
-             */
-            asn1_template_free(pchptr, tt);
+            /* Otherwise must be an ASN1 parsing error */
             errtt = tt;
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         }
 
@@ -246,12 +347,11 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
                 ASN1_item_ex_free(pval, it);
                 return -1;
             }
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
             goto err;
         }
 
         asn1_set_choice_selector(pval, i, it);
-
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
             goto auxerr;
         *in = p;
@@ -271,7 +371,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
         ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
                               &p, len, tag, aclass, opt, ctx);
         if (!ret) {
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         } else if (ret == -1)
             return -1;
@@ -283,12 +383,12 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
         else
             seq_nolen = seq_eoc;
         if (!cst) {
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
             goto err;
         }
 
         if (!*pval && !ASN1_item_ex_new(pval, it)) {
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         }
 
@@ -304,7 +404,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
                 if (seqtt == NULL)
                     continue;
                 pseqval = asn1_get_field_ptr(pval, seqtt);
-                asn1_template_free(pseqval, seqtt);
+                ASN1_template_free(pseqval, seqtt);
             }
         }
 
@@ -322,7 +422,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
             q = p;
             if (asn1_check_eoc(&p, len)) {
                 if (!seq_eoc) {
-                    ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_UNEXPECTED_EOC);
+                    ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_UNEXPECTED_EOC);
                     goto err;
                 }
                 len -= p - q;
@@ -352,7 +452,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
                 /*
                  * OPTIONAL component absent. Free and zero the field.
                  */
-                asn1_template_free(pseqval, seqtt);
+                ASN1_template_free(pseqval, seqtt);
                 continue;
             }
             /* Update length */
@@ -361,12 +461,12 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
 
         /* Check for EOC if expecting one */
         if (seq_eoc && !asn1_check_eoc(&p, len)) {
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MISSING_EOC);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC);
             goto err;
         }
         /* Check all data read */
         if (!seq_nolen && len) {
-            ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
+            ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
             goto err;
         }
 
@@ -383,10 +483,10 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
             if (seqtt->flags & ASN1_TFLG_OPTIONAL) {
                 ASN1_VALUE **pseqval;
                 pseqval = asn1_get_field_ptr(pval, seqtt);
-                asn1_template_free(pseqval, seqtt);
+                ASN1_template_free(pseqval, seqtt);
             } else {
                 errtt = seqtt;
-                ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_FIELD_MISSING);
+                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_FIELD_MISSING);
                 goto err;
             }
         }
@@ -402,8 +502,10 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
         return 0;
     }
  auxerr:
-    ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_AUX_ERROR);
+    ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
  err:
+    if (combine == 0)
+        ASN1_item_ex_free(pval, it);
     if (errtt)
         ERR_add_error_data(4, "Field=", errtt->field_name,
                            ", Type=", it->sname);
@@ -485,6 +587,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
     return 1;
 
  err:
+    ASN1_template_free(val, tt);
     return 0;
 }
 
@@ -495,7 +598,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 {
     int flags, aclass;
     int ret;
-    ASN1_VALUE *tval;
     const unsigned char *p, *q;
     if (!val)
         return 0;
@@ -505,15 +607,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
     p = *in;
     q = p;
 
-    /*
-     * If field is embedded then val needs fixing so it is a pointer to
-     * a pointer to a field.
-     */
-    if (tt->flags & ASN1_TFLG_EMBED) {
-        tval = (ASN1_VALUE *)val;
-        val = &tval;
-    }
-
     if (flags & ASN1_TFLG_SK_MASK) {
         /* SET OF, SEQUENCE OF */
         int sktag, skaclass;
@@ -538,7 +631,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
         } else if (ret == -1)
             return -1;
         if (!*val)
-            *val = (ASN1_VALUE *)OPENSSL_sk_new_null();
+            *val = (ASN1_VALUE *)sk_new_null();
         else {
             /*
              * We've got a valid STACK: free up any items present
@@ -572,18 +665,15 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
                 break;
             }
             skfield = NULL;
-            if (!asn1_item_embed_d2i(&skfield, &p, len,
-                                     ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
+            if (!ASN1_item_ex_d2i(&skfield, &p, len,
+                                  ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
                 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
                         ERR_R_NESTED_ASN1_ERROR);
-                /* |skfield| may be partially allocated despite failure. */
-                ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
                 goto err;
             }
             len -= p - q;
             if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
                 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE);
-                ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
                 goto err;
             }
         }
@@ -593,9 +683,9 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
         }
     } else if (flags & ASN1_TFLG_IMPTAG) {
         /* IMPLICIT tagging */
-        ret = asn1_item_embed_d2i(val, &p, len,
-                                  ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
-                                  ctx);
+        ret = ASN1_item_ex_d2i(val, &p, len,
+                               ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
+                               ctx);
         if (!ret) {
             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
@@ -603,8 +693,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
             return -1;
     } else {
         /* Nothing special */
-        ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                                  -1, 0, opt, ctx);
+        ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
         if (!ret) {
             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
@@ -616,6 +706,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
     return 1;
 
  err:
+    ASN1_template_free(val, tt);
     return 0;
 }
 
@@ -628,7 +719,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
     long plen;
     char cst, inf, free_cont = 0;
     const unsigned char *p;
-    BUF_MEM buf = { 0, NULL, 0, 0 };
+    BUF_MEM buf = { 0, NULL, 0 };
     const unsigned char *cont = NULL;
     long len;
     if (!pval) {
@@ -683,7 +774,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
         || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
         /*
          * Clear context cache for type OTHER because the auto clear when we
-         * have a exact match won't work
+         * have a exact match wont work
          */
         if (utype == V_ASN1_OTHER) {
             asn1_tlc_clear(ctx);
@@ -746,15 +837,15 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
     *in = p;
     ret = 1;
  err:
-    if (free_cont)
+    if (free_cont && buf.data)
         OPENSSL_free(buf.data);
     return ret;
 }
 
 /* Translate ASN1 content octets into a structure */
 
-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                       int utype, char *free_cont, const ASN1_ITEM *it)
+int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+                int utype, char *free_cont, const ASN1_ITEM *it)
 {
     ASN1_VALUE **opval = NULL;
     ASN1_STRING *stmp;
@@ -850,7 +941,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
         /* All based on ASN1_STRING and handled the same */
         if (!*pval) {
             stmp = ASN1_STRING_type_new(utype);
-            if (stmp == NULL) {
+            if (!stmp) {
                 ASN1err(ASN1_F_ASN1_EX_C2I, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
@@ -861,7 +952,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
         }
         /* If we've already allocated a buffer use it */
         if (*free_cont) {
-            OPENSSL_free(stmp->data);
+            if (stmp->data)
+                OPENSSL_free(stmp->data);
             stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
             stmp->length = len;
             *free_cont = 0;
@@ -898,7 +990,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 
 static int asn1_find_end(const unsigned char **in, long len, char inf)
 {
-    uint32_t expected_eoc;
+    int expected_eoc;
     long plen;
     const unsigned char *p = *in, *q;
     /* If not indefinite length constructed just add length */
@@ -928,15 +1020,10 @@ static int asn1_find_end(const unsigned char **in, long len, char inf)
             ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR);
             return 0;
         }
-        if (inf) {
-            if (expected_eoc == UINT32_MAX) {
-                ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR);
-                return 0;
-            }
+        if (inf)
             expected_eoc++;
-        } else {
+        else
             p += plen;
-        }
         len -= p - q;
     }
     if (expected_eoc) {
@@ -948,7 +1035,7 @@ static int asn1_find_end(const unsigned char **in, long len, char inf)
 }
 
 /*
- * This function collects the asn1 data from a constructed string type into
+ * This function collects the asn1 data from a constructred string type into
  * a buffer. The values of 'in' and 'len' should refer to the contents of the
  * constructed type and 'inf' should be set if it is indefinite length.
  */
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c
index caa48696..081a9d53 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_enc.c
@@ -1,20 +1,69 @@
+/* tasn_enc.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stddef.h>
 #include <string.h>
-#include "internal/cryptlib.h"
+#include <limits.h>
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
-#include "internal/asn1_int.h"
-#include "asn1_locl.h"
 
 static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
                                  const ASN1_ITEM *it, int tag, int aclass);
@@ -25,8 +74,6 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
                                 const ASN1_TEMPLATE *tt, int tag, int aclass);
 static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out,
                                const ASN1_ITEM *it, int flags);
-static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
-                       const ASN1_ITEM *it);
 
 /*
  * Top level i2d equivalents: the 'ndef' variant instructs the encoder to use
@@ -61,7 +108,7 @@ static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out,
         if (len <= 0)
             return len;
         buf = OPENSSL_malloc(len);
-        if (buf == NULL)
+        if (!buf)
             return -1;
         p = buf;
         ASN1_item_ex_i2d(&val, &p, it, -1, flags);
@@ -81,7 +128,9 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
                      const ASN1_ITEM *it, int tag, int aclass)
 {
     const ASN1_TEMPLATE *tt = NULL;
+    unsigned char *p = NULL;
     int i, seqcontlen, seqlen, ndef = 1;
+    const ASN1_COMPAT_FUNCS *cf;
     const ASN1_EXTERN_FUNCS *ef;
     const ASN1_AUX *aux = it->funcs;
     ASN1_aux_cb *asn1_cb = 0;
@@ -99,6 +148,7 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
             return asn1_template_ex_i2d(pval, out, it->templates,
                                         tag, aclass);
         return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
+        break;
 
     case ASN1_ITYPE_MSTRING:
         return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
@@ -124,6 +174,20 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
         ef = it->funcs;
         return ef->asn1_ex_i2d(pval, out, it, tag, aclass);
 
+    case ASN1_ITYPE_COMPAT:
+        /* old style hackery... */
+        cf = it->funcs;
+        if (out)
+            p = *out;
+        i = cf->asn1_i2d(*pval, out);
+        /*
+         * Fixup for IMPLICIT tag: note this messes up for tags > 30, but so
+         * did the old code. Tags > 30 are very rare anyway.
+         */
+        if (out && (tag != -1))
+            *p = aclass | tag | (*p & V_ASN1_CONSTRUCTED);
+        return i;
+
     case ASN1_ITYPE_NDEF_SEQUENCE:
         /* Use indefinite length constructed if requested */
         if (aclass & ASN1_TFLG_NDEF)
@@ -192,21 +256,17 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
     return 0;
 }
 
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out,
+                      const ASN1_TEMPLATE *tt)
+{
+    return asn1_template_ex_i2d(pval, out, tt, -1, 0);
+}
+
 static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
                                 const ASN1_TEMPLATE *tt, int tag, int iclass)
 {
     int i, ret, flags, ttag, tclass, ndef;
-    ASN1_VALUE *tval;
     flags = tt->flags;
-
-    /*
-     * If field is embedded then val needs fixing so it is a pointer to
-     * a pointer to a field.
-     */
-    if (flags & ASN1_TFLG_EMBED) {
-        tval = (ASN1_VALUE *)pval;
-        pval = &tval;
-    }
     /*
      * Work out tag and class to use: tagging may come either from the
      * template or the arguments, not both because this would create
@@ -380,10 +440,10 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
         else {
             derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk)
                                     * sizeof(*derlst));
-            if (derlst == NULL)
+            if (!derlst)
                 return 0;
             tmpdat = OPENSSL_malloc(skcontlen);
-            if (tmpdat == NULL) {
+            if (!tmpdat) {
                 OPENSSL_free(derlst);
                 return 0;
             }
@@ -486,8 +546,8 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
 
 /* Produce content octets from a structure */
 
-static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
-                       const ASN1_ITEM *it)
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
+                const ASN1_ITEM *it)
 {
     ASN1_BOOLEAN *tbool = NULL;
     ASN1_STRING *strtmp;
@@ -556,6 +616,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
     case V_ASN1_BIT_STRING:
         return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval,
                                    cout ? &cout : NULL);
+        break;
 
     case V_ASN1_INTEGER:
     case V_ASN1_ENUMERATED:
@@ -563,6 +624,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
          * These are all have the same content format as ASN1_INTEGER
          */
         return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
+        break;
 
     case V_ASN1_OCTET_STRING:
     case V_ASN1_NUMERICSTRING:
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c
index 3c98efb3..aeea4eff 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_fre.c
@@ -1,42 +1,91 @@
+/* tasn_fre.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stddef.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
-#include "asn1_locl.h"
 
-static void asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                                 int embed);
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                   int combine);
 
 /* Free up an ASN1 structure */
 
 void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it)
 {
-    asn1_item_embed_free(&val, it, 0);
+    asn1_item_combine_free(&val, it, 0);
 }
 
 void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-    asn1_item_embed_free(pval, it, 0);
+    asn1_item_combine_free(pval, it, 0);
 }
 
-static void asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                                 int embed)
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                   int combine)
 {
     const ASN1_TEMPLATE *tt = NULL, *seqtt;
     const ASN1_EXTERN_FUNCS *ef;
+    const ASN1_COMPAT_FUNCS *cf;
     const ASN1_AUX *aux = it->funcs;
     ASN1_aux_cb *asn1_cb;
     int i;
-
     if (!pval)
         return;
     if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval)
@@ -50,13 +99,13 @@ static void asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
 
     case ASN1_ITYPE_PRIMITIVE:
         if (it->templates)
-            asn1_template_free(pval, it->templates);
+            ASN1_template_free(pval, it->templates);
         else
-            asn1_primitive_free(pval, it, embed);
+            ASN1_primitive_free(pval, it);
         break;
 
     case ASN1_ITYPE_MSTRING:
-        asn1_primitive_free(pval, it, embed);
+        ASN1_primitive_free(pval, it);
         break;
 
     case ASN1_ITYPE_CHOICE:
@@ -68,19 +117,24 @@ static void asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
         i = asn1_get_choice_selector(pval, it);
         if ((i >= 0) && (i < it->tcount)) {
             ASN1_VALUE **pchval;
-
             tt = it->templates + i;
             pchval = asn1_get_field_ptr(pval, tt);
-            asn1_template_free(pchval, tt);
+            ASN1_template_free(pchval, tt);
         }
         if (asn1_cb)
             asn1_cb(ASN1_OP_FREE_POST, pval, it, NULL);
-        if (embed == 0) {
+        if (!combine) {
             OPENSSL_free(*pval);
             *pval = NULL;
         }
         break;
 
+    case ASN1_ITYPE_COMPAT:
+        cf = it->funcs;
+        if (cf && cf->asn1_free)
+            cf->asn1_free(*pval);
+        break;
+
     case ASN1_ITYPE_EXTERN:
         ef = it->funcs;
         if (ef && ef->asn1_ex_free)
@@ -89,7 +143,7 @@ static void asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
 
     case ASN1_ITYPE_NDEF_SEQUENCE:
     case ASN1_ITYPE_SEQUENCE:
-        if (asn1_do_lock(pval, -1, it) != 0) /* if error or ref-counter > 0 */
+        if (asn1_do_lock(pval, -1, it) > 0)
             return;
         if (asn1_cb) {
             i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
@@ -99,23 +153,21 @@ static void asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
         asn1_enc_free(pval, it);
         /*
          * If we free up as normal we will invalidate any ANY DEFINED BY
-         * field and we won't be able to determine the type of the field it
+         * field and we wont be able to determine the type of the field it
          * defines. So free up in reverse order.
          */
-        tt = it->templates + it->tcount;
-        for (i = 0; i < it->tcount; i++) {
+        tt = it->templates + it->tcount - 1;
+        for (i = 0; i < it->tcount; tt--, i++) {
             ASN1_VALUE **pseqval;
-
-            tt--;
             seqtt = asn1_do_adb(pval, tt, 0);
             if (!seqtt)
                 continue;
             pseqval = asn1_get_field_ptr(pval, seqtt);
-            asn1_template_free(pseqval, seqtt);
+            ASN1_template_free(pseqval, seqtt);
         }
         if (asn1_cb)
             asn1_cb(ASN1_OP_FREE_POST, pval, it, NULL);
-        if (embed == 0) {
+        if (!combine) {
             OPENSSL_free(*pval);
             *pval = NULL;
         }
@@ -123,48 +175,37 @@ static void asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
     }
 }
 
-void asn1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
 {
-    int embed = tt->flags & ASN1_TFLG_EMBED;
-    ASN1_VALUE *tval;
-    if (embed) {
-        tval = (ASN1_VALUE *)pval;
-        pval = &tval;
-    }
+    int i;
     if (tt->flags & ASN1_TFLG_SK_MASK) {
         STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
-        int i;
-
         for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
-            ASN1_VALUE *vtmp = sk_ASN1_VALUE_value(sk, i);
-
-            asn1_item_embed_free(&vtmp, ASN1_ITEM_ptr(tt->item), embed);
+            ASN1_VALUE *vtmp;
+            vtmp = sk_ASN1_VALUE_value(sk, i);
+            asn1_item_combine_free(&vtmp, ASN1_ITEM_ptr(tt->item), 0);
         }
         sk_ASN1_VALUE_free(sk);
         *pval = NULL;
-    } else {
-        asn1_item_embed_free(pval, ASN1_ITEM_ptr(tt->item), embed);
-    }
+    } else
+        asn1_item_combine_free(pval, ASN1_ITEM_ptr(tt->item),
+                               tt->flags & ASN1_TFLG_COMBINE);
 }
 
-void asn1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed)
+void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
     int utype;
-
-    /* Special case: if 'it' is a primitive with a free_func, use that. */
     if (it) {
-        const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
-
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
         if (pf && pf->prim_free) {
             pf->prim_free(pval, it);
             return;
         }
     }
-
-    /* Special case: if 'it' is NULL, free contents of ASN1_TYPE */
+    /* Special case: if 'it' is NULL free contents of ASN1_TYPE */
     if (!it) {
         ASN1_TYPE *typ = (ASN1_TYPE *)*pval;
-
         utype = typ->type;
         pval = &typ->value.asn1_value;
         if (!*pval)
@@ -195,12 +236,13 @@ void asn1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed)
         break;
 
     case V_ASN1_ANY:
-        asn1_primitive_free(pval, NULL, 0);
+        ASN1_primitive_free(pval, NULL);
         OPENSSL_free(*pval);
         break;
 
     default:
-        asn1_string_embed_free((ASN1_STRING *)*pval, embed);
+        ASN1_STRING_free((ASN1_STRING *)*pval);
+        *pval = NULL;
         break;
     }
     *pval = NULL;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c
index e9b83773..b0c73bee 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_new.c
@@ -1,10 +1,60 @@
+/* tasn_new.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stddef.h>
@@ -13,14 +63,10 @@
 #include <openssl/err.h>
 #include <openssl/asn1t.h>
 #include <string.h>
-#include "asn1_locl.h"
 
-static int asn1_item_embed_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                               int embed);
-static int asn1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                              int embed);
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                    int combine);
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
-static int asn1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
 static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
 static void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
@@ -36,12 +82,14 @@ ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it)
 
 int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-    return asn1_item_embed_new(pval, it, 0);
+    return asn1_item_ex_combine_new(pval, it, 0);
 }
 
-int asn1_item_embed_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed)
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                    int combine)
 {
     const ASN1_TEMPLATE *tt = NULL;
+    const ASN1_COMPAT_FUNCS *cf;
     const ASN1_EXTERN_FUNCS *ef;
     const ASN1_AUX *aux = it->funcs;
     ASN1_aux_cb *asn1_cb;
@@ -52,8 +100,9 @@ int asn1_item_embed_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed)
     else
         asn1_cb = 0;
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    OPENSSL_mem_debug_push(it->sname ? it->sname : "asn1_item_embed_new");
+#ifdef CRYPTO_MDEBUG
+    if (it->sname)
+        CRYPTO_push_info(it->sname);
 #endif
 
     switch (it->itype) {
@@ -66,16 +115,25 @@ int asn1_item_embed_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed)
         }
         break;
 
+    case ASN1_ITYPE_COMPAT:
+        cf = it->funcs;
+        if (cf && cf->asn1_new) {
+            *pval = cf->asn1_new();
+            if (!*pval)
+                goto memerr;
+        }
+        break;
+
     case ASN1_ITYPE_PRIMITIVE:
         if (it->templates) {
-            if (!asn1_template_new(pval, it->templates))
+            if (!ASN1_template_new(pval, it->templates))
                 goto memerr;
-        } else if (!asn1_primitive_new(pval, it, embed))
+        } else if (!ASN1_primitive_new(pval, it))
             goto memerr;
         break;
 
     case ASN1_ITYPE_MSTRING:
-        if (!asn1_primitive_new(pval, it, embed))
+        if (!ASN1_primitive_new(pval, it))
             goto memerr;
         break;
 
@@ -85,22 +143,22 @@ int asn1_item_embed_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed)
             if (!i)
                 goto auxerr;
             if (i == 2) {
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-                OPENSSL_mem_debug_pop();
+#ifdef CRYPTO_MDEBUG
+                if (it->sname)
+                    CRYPTO_pop_info();
 #endif
                 return 1;
             }
         }
-        if (embed) {
-            memset(*pval, 0, it->size);
-        } else {
-            *pval = OPENSSL_zalloc(it->size);
-            if (*pval == NULL)
+        if (!combine) {
+            *pval = OPENSSL_malloc(it->size);
+            if (!*pval)
                 goto memerr;
+            memset(*pval, 0, it->size);
         }
         asn1_set_choice_selector(pval, -1, it);
         if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
-            goto auxerr2;
+            goto auxerr;
         break;
 
     case ASN1_ITYPE_NDEF_SEQUENCE:
@@ -110,52 +168,50 @@ int asn1_item_embed_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed)
             if (!i)
                 goto auxerr;
             if (i == 2) {
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-                OPENSSL_mem_debug_pop();
+#ifdef CRYPTO_MDEBUG
+                if (it->sname)
+                    CRYPTO_pop_info();
 #endif
                 return 1;
             }
         }
-        if (embed) {
-            memset(*pval, 0, it->size);
-        } else {
-            *pval = OPENSSL_zalloc(it->size);
-            if (*pval == NULL)
+        if (!combine) {
+            *pval = OPENSSL_malloc(it->size);
+            if (!*pval)
                 goto memerr;
+            memset(*pval, 0, it->size);
+            asn1_do_lock(pval, 0, it);
+            asn1_enc_init(pval, it);
         }
-        /* 0 : init. lock */
-        if (asn1_do_lock(pval, 0, it) < 0)
-            goto memerr2;
-        asn1_enc_init(pval, it);
         for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
             pseqval = asn1_get_field_ptr(pval, tt);
-            if (!asn1_template_new(pseqval, tt))
-                goto memerr2;
+            if (!ASN1_template_new(pseqval, tt))
+                goto memerr;
         }
         if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
-            goto auxerr2;
+            goto auxerr;
         break;
     }
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    OPENSSL_mem_debug_pop();
+#ifdef CRYPTO_MDEBUG
+    if (it->sname)
+        CRYPTO_pop_info();
 #endif
     return 1;
 
- memerr2:
-    ASN1_item_ex_free(pval, it);
  memerr:
-    ASN1err(ASN1_F_ASN1_ITEM_EMBED_NEW, ERR_R_MALLOC_FAILURE);
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    OPENSSL_mem_debug_pop();
+    ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ERR_R_MALLOC_FAILURE);
+#ifdef CRYPTO_MDEBUG
+    if (it->sname)
+        CRYPTO_pop_info();
 #endif
     return 0;
 
- auxerr2:
-    ASN1_item_ex_free(pval, it);
  auxerr:
-    ASN1err(ASN1_F_ASN1_ITEM_EMBED_NEW, ASN1_R_AUX_ERROR);
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    OPENSSL_mem_debug_pop();
+    ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ASN1_R_AUX_ERROR);
+    ASN1_item_ex_free(pval, it);
+#ifdef CRYPTO_MDEBUG
+    if (it->sname)
+        CRYPTO_pop_info();
 #endif
     return 0;
 
@@ -186,6 +242,7 @@ static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
         asn1_primitive_clear(pval, it);
         break;
 
+    case ASN1_ITYPE_COMPAT:
     case ASN1_ITYPE_CHOICE:
     case ASN1_ITYPE_SEQUENCE:
     case ASN1_ITYPE_NDEF_SEQUENCE:
@@ -194,16 +251,10 @@ static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
     }
 }
 
-static int asn1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
 {
     const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);
-    int embed = tt->flags & ASN1_TFLG_EMBED;
-    ASN1_VALUE *tval;
     int ret;
-    if (embed) {
-        tval = (ASN1_VALUE *)pval;
-        pval = &tval;
-    }
     if (tt->flags & ASN1_TFLG_OPTIONAL) {
         asn1_template_clear(pval, tt);
         return 1;
@@ -214,9 +265,9 @@ static int asn1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
         *pval = NULL;
         return 1;
     }
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    OPENSSL_mem_debug_push(tt->field_name
-            ? tt->field_name : "asn1_template_new");
+#ifdef CRYPTO_MDEBUG
+    if (tt->field_name)
+        CRYPTO_push_info(tt->field_name);
 #endif
     /* If SET OF or SEQUENCE OF, its a STACK */
     if (tt->flags & ASN1_TFLG_SK_MASK) {
@@ -232,10 +283,11 @@ static int asn1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
         goto done;
     }
     /* Otherwise pass it back to the item routine */
-    ret = asn1_item_embed_new(pval, it, embed);
+    ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE);
  done:
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    OPENSSL_mem_debug_pop();
+#ifdef CRYPTO_MDEBUG
+    if (it->sname)
+        CRYPTO_pop_info();
 #endif
     return ret;
 }
@@ -254,8 +306,7 @@ static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
  * all the old functions.
  */
 
-static int asn1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                              int embed)
+int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
     ASN1_TYPE *typ;
     ASN1_STRING *str;
@@ -288,8 +339,8 @@ static int asn1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
         return 1;
 
     case V_ASN1_ANY:
-        typ = OPENSSL_malloc(sizeof(*typ));
-        if (typ == NULL)
+        typ = OPENSSL_malloc(sizeof(ASN1_TYPE));
+        if (!typ)
             return 0;
         typ->value.ptr = NULL;
         typ->type = -1;
@@ -297,17 +348,10 @@ static int asn1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
         break;
 
     default:
-        if (embed) {
-            str = *(ASN1_STRING **)pval;
-            memset(str, 0, sizeof(*str));
-            str->type = utype;
-            str->flags = ASN1_STRING_FLAG_EMBED;
-        } else {
-            str = ASN1_STRING_type_new(utype);
-            *pval = (ASN1_VALUE *)str;
-        }
+        str = ASN1_STRING_type_new(utype);
         if (it->itype == ASN1_ITYPE_MSTRING && str)
             str->flags |= ASN1_STRING_FLAG_MSTRING;
+        *pval = (ASN1_VALUE *)str;
         break;
     }
     if (*pval)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_prn.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_prn.c
index f53e9056..f628cadd 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_prn.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_prn.c
@@ -1,21 +1,70 @@
+/* tasn_prn.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000,2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stddef.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
-#include "internal/asn1_int.h"
 #include "asn1_locl.h"
 
 /*
@@ -24,7 +73,7 @@
 
 /* ASN1_PCTX routines */
 
-static ASN1_PCTX default_pctx = {
+ASN1_PCTX default_pctx = {
     ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */
     0,                          /* nm_flags */
     0,                          /* cert_flags */
@@ -35,12 +84,16 @@ static ASN1_PCTX default_pctx = {
 ASN1_PCTX *ASN1_PCTX_new(void)
 {
     ASN1_PCTX *ret;
-
-    ret = OPENSSL_zalloc(sizeof(*ret));
+    ret = OPENSSL_malloc(sizeof(ASN1_PCTX));
     if (ret == NULL) {
         ASN1err(ASN1_F_ASN1_PCTX_NEW, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
+    ret->flags = 0;
+    ret->nm_flags = 0;
+    ret->cert_flags = 0;
+    ret->oid_flags = 0;
+    ret->str_flags = 0;
     return ret;
 }
 
@@ -49,7 +102,7 @@ void ASN1_PCTX_free(ASN1_PCTX *p)
     OPENSSL_free(p);
 }
 
-unsigned long ASN1_PCTX_get_flags(const ASN1_PCTX *p)
+unsigned long ASN1_PCTX_get_flags(ASN1_PCTX *p)
 {
     return p->flags;
 }
@@ -59,7 +112,7 @@ void ASN1_PCTX_set_flags(ASN1_PCTX *p, unsigned long flags)
     p->flags = flags;
 }
 
-unsigned long ASN1_PCTX_get_nm_flags(const ASN1_PCTX *p)
+unsigned long ASN1_PCTX_get_nm_flags(ASN1_PCTX *p)
 {
     return p->nm_flags;
 }
@@ -69,7 +122,7 @@ void ASN1_PCTX_set_nm_flags(ASN1_PCTX *p, unsigned long flags)
     p->nm_flags = flags;
 }
 
-unsigned long ASN1_PCTX_get_cert_flags(const ASN1_PCTX *p)
+unsigned long ASN1_PCTX_get_cert_flags(ASN1_PCTX *p)
 {
     return p->cert_flags;
 }
@@ -79,7 +132,7 @@ void ASN1_PCTX_set_cert_flags(ASN1_PCTX *p, unsigned long flags)
     p->cert_flags = flags;
 }
 
-unsigned long ASN1_PCTX_get_oid_flags(const ASN1_PCTX *p)
+unsigned long ASN1_PCTX_get_oid_flags(ASN1_PCTX *p)
 {
     return p->oid_flags;
 }
@@ -89,7 +142,7 @@ void ASN1_PCTX_set_oid_flags(ASN1_PCTX *p, unsigned long flags)
     p->oid_flags = flags;
 }
 
-unsigned long ASN1_PCTX_get_str_flags(const ASN1_PCTX *p)
+unsigned long ASN1_PCTX_get_str_flags(ASN1_PCTX *p)
 {
     return p->str_flags;
 }
@@ -106,7 +159,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
                                const char *fname, const char *sname,
                                int nohdr, const ASN1_PCTX *pctx);
 
-static int asn1_template_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
+int asn1_template_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
                             const ASN1_TEMPLATE *tt, const ASN1_PCTX *pctx);
 
 static int asn1_primitive_print(BIO *out, ASN1_VALUE **fld,
@@ -170,7 +223,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
                 return 0;
             break;
         }
-        /* fall through */
+        /* fall thru */
     case ASN1_ITYPE_MSTRING:
         if (!asn1_primitive_print(out, fld, it, indent, fname, sname, pctx))
             return 0;
@@ -194,6 +247,10 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
         break;
 
     case ASN1_ITYPE_CHOICE:
+#if 0
+        if (!nohdr && !asn1_print_fsname(out, indent, fname, sname, pctx))
+            return 0;
+#endif
         /* CHOICE type, get selector */
         i = asn1_get_choice_selector(fld, it);
         /* This should never happen... */
@@ -261,12 +318,11 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
     return 1;
 }
 
-static int asn1_template_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
+int asn1_template_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
                             const ASN1_TEMPLATE *tt, const ASN1_PCTX *pctx)
 {
     int i, flags;
     const char *sname, *fname;
-    ASN1_VALUE *tfld;
     flags = tt->flags;
     if (pctx->flags & ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME)
         sname = ASN1_ITEM_ptr(tt->item)->sname;
@@ -276,16 +332,6 @@ static int asn1_template_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
         fname = NULL;
     else
         fname = tt->field_name;
-
-    /*
-     * If field is embedded then fld needs fixing so it is a pointer to
-     * a pointer to a field.
-     */
-    if (flags & ASN1_TFLG_EMBED) {
-        tfld = (ASN1_VALUE *)fld;
-        fld = &tfld;
-    }
-
     if (flags & ASN1_TFLG_SK_MASK) {
         char *tname;
         ASN1_VALUE *skitem;
@@ -331,8 +377,13 @@ static int asn1_print_fsname(BIO *out, int indent,
                              const char *fname, const char *sname,
                              const ASN1_PCTX *pctx)
 {
-    static const char spaces[] = "                    ";
-    static const int nspaces = sizeof(spaces) - 1;
+    static char spaces[] = "                    ";
+    const int nspaces = sizeof(spaces) - 1;
+
+#if 0
+    if (!sname && !fname)
+        return 1;
+#endif
 
     while (indent > nspaces) {
         if (BIO_write(out, spaces, nspaces) != nspaces)
@@ -365,7 +416,8 @@ static int asn1_print_fsname(BIO *out, int indent,
     return 1;
 }
 
-static int asn1_print_boolean(BIO *out, int boolval)
+static int asn1_print_boolean_ctx(BIO *out, int boolval,
+                                  const ASN1_PCTX *pctx)
 {
     const char *str;
     switch (boolval) {
@@ -389,7 +441,8 @@ static int asn1_print_boolean(BIO *out, int boolval)
 
 }
 
-static int asn1_print_integer(BIO *out, const ASN1_INTEGER *str)
+static int asn1_print_integer_ctx(BIO *out, ASN1_INTEGER *str,
+                                  const ASN1_PCTX *pctx)
 {
     char *s;
     int ret = 1;
@@ -402,7 +455,8 @@ static int asn1_print_integer(BIO *out, const ASN1_INTEGER *str)
     return ret;
 }
 
-static int asn1_print_oid(BIO *out, const ASN1_OBJECT *oid)
+static int asn1_print_oid_ctx(BIO *out, const ASN1_OBJECT *oid,
+                              const ASN1_PCTX *pctx)
 {
     char objbuf[80];
     const char *ln;
@@ -415,7 +469,8 @@ static int asn1_print_oid(BIO *out, const ASN1_OBJECT *oid)
     return 1;
 }
 
-static int asn1_print_obstring(BIO *out, const ASN1_STRING *str, int indent)
+static int asn1_print_obstring_ctx(BIO *out, ASN1_STRING *str, int indent,
+                                   const ASN1_PCTX *pctx)
 {
     if (str->type == V_ASN1_BIT_STRING) {
         if (BIO_printf(out, " (%ld unused bits)\n", str->flags & 0x7) <= 0)
@@ -423,7 +478,7 @@ static int asn1_print_obstring(BIO *out, const ASN1_STRING *str, int indent)
     } else if (BIO_puts(out, "\n") <= 0)
         return 0;
     if ((str->length > 0)
-        && BIO_dump_indent(out, (const char *)str->data, str->length,
+        && BIO_dump_indent(out, (char *)str->data, str->length,
                            indent + 2) <= 0)
         return 0;
     return 1;
@@ -489,13 +544,13 @@ static int asn1_primitive_print(BIO *out, ASN1_VALUE **fld,
             int boolval = *(int *)fld;
             if (boolval == -1)
                 boolval = it->size;
-            ret = asn1_print_boolean(out, boolval);
+            ret = asn1_print_boolean_ctx(out, boolval, pctx);
         }
         break;
 
     case V_ASN1_INTEGER:
     case V_ASN1_ENUMERATED:
-        ret = asn1_print_integer(out, str);
+        ret = asn1_print_integer_ctx(out, str, pctx);
         break;
 
     case V_ASN1_UTCTIME:
@@ -507,12 +562,12 @@ static int asn1_primitive_print(BIO *out, ASN1_VALUE **fld,
         break;
 
     case V_ASN1_OBJECT:
-        ret = asn1_print_oid(out, (const ASN1_OBJECT *)*fld);
+        ret = asn1_print_oid_ctx(out, (const ASN1_OBJECT *)*fld, pctx);
         break;
 
     case V_ASN1_OCTET_STRING:
     case V_ASN1_BIT_STRING:
-        ret = asn1_print_obstring(out, str, indent);
+        ret = asn1_print_obstring_ctx(out, str, indent, pctx);
         needlf = 0;
         break;
 
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_scn.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_scn.c
deleted file mode 100644
index e1df2cfc..00000000
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_scn.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stddef.h>
-#include "internal/cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/objects.h>
-#include <openssl/buffer.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-#include "asn1_locl.h"
-
-/*
- * General ASN1 structure recursive scanner: iterate through all fields
- * passing details to a callback.
- */
-
-ASN1_SCTX *ASN1_SCTX_new(int (*scan_cb) (ASN1_SCTX *ctx))
-{
-    ASN1_SCTX *ret = OPENSSL_zalloc(sizeof(*ret));
-
-    if (ret == NULL) {
-        ASN1err(ASN1_F_ASN1_SCTX_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    ret->scan_cb = scan_cb;
-    return ret;
-}
-
-void ASN1_SCTX_free(ASN1_SCTX *p)
-{
-    OPENSSL_free(p);
-}
-
-const ASN1_ITEM *ASN1_SCTX_get_item(ASN1_SCTX *p)
-{
-    return p->it;
-}
-
-const ASN1_TEMPLATE *ASN1_SCTX_get_template(ASN1_SCTX *p)
-{
-    return p->tt;
-}
-
-unsigned long ASN1_SCTX_get_flags(ASN1_SCTX *p)
-{
-    return p->flags;
-}
-
-void ASN1_SCTX_set_app_data(ASN1_SCTX *p, void *data)
-{
-    p->app_data = data;
-}
-
-void *ASN1_SCTX_get_app_data(ASN1_SCTX *p)
-{
-    return p->app_data;
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c
index 98d98790..740e86d5 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_typ.c
@@ -1,50 +1,115 @@
+/* tasn_typ.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 #include <stdio.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 
 /* Declarations for string types */
 
-#define IMPLEMENT_ASN1_STRING_FUNCTIONS(sname) \
-    IMPLEMENT_ASN1_TYPE(sname) \
-    IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(sname, sname, sname) \
-sname *sname##_new(void) \
-{ \
-    return ASN1_STRING_type_new(V_##sname); \
-} \
-void sname##_free(sname *x) \
-{ \
-    ASN1_STRING_free(x); \
-}
-
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_OCTET_STRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_INTEGER)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_ENUMERATED)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BIT_STRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTF8STRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_PRINTABLESTRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_T61STRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_IA5STRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALSTRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTCTIME)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALIZEDTIME)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_VISIBLESTRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UNIVERSALSTRING)
-IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BMPSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_INTEGER)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_INTEGER)
+
+IMPLEMENT_ASN1_TYPE(ASN1_ENUMERATED)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_ENUMERATED)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BIT_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BIT_STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_OCTET_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
 
 IMPLEMENT_ASN1_TYPE(ASN1_NULL)
 IMPLEMENT_ASN1_FUNCTIONS(ASN1_NULL)
 
 IMPLEMENT_ASN1_TYPE(ASN1_OBJECT)
 
+IMPLEMENT_ASN1_TYPE(ASN1_UTF8STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTF8STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_PRINTABLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_T61STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALIZEDTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_VISIBLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UNIVERSALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BMPSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BMPSTRING)
+
 IMPLEMENT_ASN1_TYPE(ASN1_ANY)
 
 /* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */
diff --git a/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c b/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c
index f79d7d6b..e14889fe 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/tasn_utl.c
@@ -1,20 +1,68 @@
+/* tasn_utl.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stddef.h>
 #include <string.h>
-#include <internal/cryptlib.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
 #include <openssl/err.h>
-#include "asn1_locl.h"
 
 /* Utility functions for manipulating fields and offsets */
 
@@ -46,19 +94,16 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value,
 }
 
 /*
- * Do atomic reference counting. The value 'op' decides what to do.
- * If it is +1 then the count is incremented.
- * If |op| is 0, lock is initialised and count is set to 1.
- * If |op| is -1, count is decremented and the return value is the current
- * reference count or 0 if no reference count is active.
- * It returns -1 on initialisation error.
- * Used by ASN1_SEQUENCE construct of X509, X509_REQ, X509_CRL objects
+ * Do reference counting. The value 'op' decides what to do. if it is +1
+ * then the count is incremented. If op is 0 count is set to 1. If op is -1
+ * count is decremented and the return value is the current refrence count or
+ * 0 if no reference count exists.
  */
+
 int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
 {
     const ASN1_AUX *aux;
     int *lck, ret;
-    CRYPTO_RWLOCK **lock;
     if ((it->itype != ASN1_ITYPE_SEQUENCE)
         && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE))
         return 0;
@@ -66,26 +111,18 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
     if (!aux || !(aux->flags & ASN1_AFLG_REFCOUNT))
         return 0;
     lck = offset2ptr(*pval, aux->ref_offset);
-    lock = offset2ptr(*pval, aux->ref_lock);
     if (op == 0) {
         *lck = 1;
-        *lock = CRYPTO_THREAD_lock_new();
-        if (*lock == NULL) {
-            ASN1err(ASN1_F_ASN1_DO_LOCK, ERR_R_MALLOC_FAILURE);
-            return -1;
-        }
         return 1;
     }
-    if (CRYPTO_atomic_add(lck, op, &ret, *lock) < 0)
-        return -1;  /* failed */
+    ret = CRYPTO_add(lck, op, aux->ref_lock);
 #ifdef REF_PRINT
-    fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname);
+    fprintf(stderr, "%s: Reference Count: %d\n", it->sname, *lck);
+#endif
+#ifdef REF_CHECK
+    if (ret < 0)
+        fprintf(stderr, "%s, bad reference count\n", it->sname);
 #endif
-    REF_ASSERT_ISNT(ret < 0);
-    if (ret == 0) {
-        CRYPTO_THREAD_lock_free(*lock);
-        *lock = NULL;
-    }
     return ret;
 }
 
@@ -116,7 +153,8 @@ void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
     ASN1_ENCODING *enc;
     enc = asn1_get_enc_ptr(pval, it);
     if (enc) {
-        OPENSSL_free(enc->enc);
+        if (enc->enc)
+            OPENSSL_free(enc->enc);
         enc->enc = NULL;
         enc->len = 0;
         enc->modified = 1;
@@ -131,9 +169,10 @@ int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
     if (!enc)
         return 1;
 
-    OPENSSL_free(enc->enc);
+    if (enc->enc)
+        OPENSSL_free(enc->enc);
     enc->enc = OPENSSL_malloc(inlen);
-    if (enc->enc == NULL)
+    if (!enc->enc)
         return 0;
     memcpy(enc->enc, in, inlen);
     enc->len = inlen;
@@ -162,6 +201,8 @@ int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,
 ASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
 {
     ASN1_VALUE **pvaltmp;
+    if (tt->flags & ASN1_TFLG_COMBINE)
+        return pval;
     pvaltmp = offset2ptr(*pval, tt->offset);
     /*
      * NOTE for BOOLEAN types the field is just a plain int so we can't
@@ -208,12 +249,6 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
     else
         selector = ASN1_INTEGER_get((ASN1_INTEGER *)*sfld);
 
-    /* Let application callback translate value */
-    if (adb->adb_cb != NULL && adb->adb_cb(&selector) == 0) {
-        ASN1err(ASN1_F_ASN1_DO_ADB, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
-        return NULL;
-    }
-
     /*
      * Try to find matching entry in table Maybe should check application
      * types first to allow application override? Might also be useful to
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_algor.c b/Cryptlib/OpenSSL/crypto/asn1/x_algor.c
index 72378db9..fd7d16d4 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_algor.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_algor.c
@@ -1,17 +1,66 @@
+/* x_algor.c */
 /*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stddef.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include "internal/evp_int.h"
 
 ASN1_SEQUENCE(X509_ALGOR) = {
         ASN1_SIMPLE(X509_ALGOR, algorithm, ASN1_OBJECT),
@@ -26,6 +75,9 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_ALGOR)
 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(X509_ALGORS, X509_ALGORS, X509_ALGORS)
 IMPLEMENT_ASN1_DUP_FUNCTION(X509_ALGOR)
 
+IMPLEMENT_STACK_OF(X509_ALGOR)
+IMPLEMENT_ASN1_SET_OF(X509_ALGOR)
+
 int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval)
 {
     if (!alg)
@@ -37,21 +89,24 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval)
             return 0;
     }
     if (alg) {
-        ASN1_OBJECT_free(alg->algorithm);
+        if (alg->algorithm)
+            ASN1_OBJECT_free(alg->algorithm);
         alg->algorithm = aobj;
     }
     if (ptype == 0)
         return 1;
     if (ptype == V_ASN1_UNDEF) {
-        ASN1_TYPE_free(alg->parameter);
-        alg->parameter = NULL;
+        if (alg->parameter) {
+            ASN1_TYPE_free(alg->parameter);
+            alg->parameter = NULL;
+        }
     } else
         ASN1_TYPE_set(alg->parameter, ptype, pval);
     return 1;
 }
 
-void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype,
-                     const void **ppval, const X509_ALGOR *algor)
+void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
+                     X509_ALGOR *algor)
 {
     if (paobj)
         *paobj = algor->algorithm;
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_attrib.c b/Cryptlib/OpenSSL/crypto/asn1/x_attrib.c
new file mode 100644
index 00000000..93ef53bd
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_attrib.c
@@ -0,0 +1,124 @@
+/* crypto/asn1/x_attrib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509.h>
+
+/*-
+ * X509_ATTRIBUTE: this has the following form:
+ *
+ * typedef struct x509_attributes_st
+ *      {
+ *      ASN1_OBJECT *object;
+ *      int single;
+ *      union   {
+ *              char            *ptr;
+ *              STACK_OF(ASN1_TYPE) *set;
+ *              ASN1_TYPE       *single;
+ *              } value;
+ *      } X509_ATTRIBUTE;
+ *
+ * this needs some extra thought because the CHOICE type is
+ * merged with the main structure and because the value can
+ * be anything at all we *must* try the SET OF first because
+ * the ASN1_ANY type will swallow anything including the whole
+ * SET OF structure.
+ */
+
+ASN1_CHOICE(X509_ATTRIBUTE_SET) = {
+        ASN1_SET_OF(X509_ATTRIBUTE, value.set, ASN1_ANY),
+        ASN1_SIMPLE(X509_ATTRIBUTE, value.single, ASN1_ANY)
+} ASN1_CHOICE_END_selector(X509_ATTRIBUTE, X509_ATTRIBUTE_SET, single)
+
+ASN1_SEQUENCE(X509_ATTRIBUTE) = {
+        ASN1_SIMPLE(X509_ATTRIBUTE, object, ASN1_OBJECT),
+        /* CHOICE type merged with parent */
+        ASN1_EX_COMBINE(0, 0, X509_ATTRIBUTE_SET)
+} ASN1_SEQUENCE_END(X509_ATTRIBUTE)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_ATTRIBUTE)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_ATTRIBUTE)
+
+X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
+{
+    X509_ATTRIBUTE *ret = NULL;
+    ASN1_TYPE *val = NULL;
+
+    if ((ret = X509_ATTRIBUTE_new()) == NULL)
+        return (NULL);
+    ret->object = OBJ_nid2obj(nid);
+    ret->single = 0;
+    if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL)
+        goto err;
+    if ((val = ASN1_TYPE_new()) == NULL)
+        goto err;
+    if (!sk_ASN1_TYPE_push(ret->value.set, val))
+        goto err;
+
+    ASN1_TYPE_set(val, atrtype, value);
+    return (ret);
+ err:
+    if (ret != NULL)
+        X509_ATTRIBUTE_free(ret);
+    if (val != NULL)
+        ASN1_TYPE_free(val);
+    return (NULL);
+}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c b/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c
index da57e77a..c644199c 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_bignum.c
@@ -1,14 +1,64 @@
+/* x_bignum.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 
@@ -22,15 +72,12 @@
 #define BN_SENSITIVE    1
 
 static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
-static int bn_secure_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
 
 static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
                   const ASN1_ITEM *it);
 static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                   int utype, char *free_cont, const ASN1_ITEM *it);
-static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                         int utype, char *free_cont, const ASN1_ITEM *it);
 static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
                     int indent, const ASN1_PCTX *pctx);
 
@@ -44,37 +91,18 @@ static ASN1_PRIMITIVE_FUNCS bignum_pf = {
     bn_print
 };
 
-static ASN1_PRIMITIVE_FUNCS cbignum_pf = {
-    NULL, 0,
-    bn_secure_new,
-    bn_free,
-    0,
-    bn_secure_c2i,
-    bn_i2c,
-    bn_print
-};
-
 ASN1_ITEM_start(BIGNUM)
         ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, 0, "BIGNUM"
 ASN1_ITEM_end(BIGNUM)
 
 ASN1_ITEM_start(CBIGNUM)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &cbignum_pf, BN_SENSITIVE, "CBIGNUM"
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, BN_SENSITIVE, "BIGNUM"
 ASN1_ITEM_end(CBIGNUM)
 
 static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
     *pval = (ASN1_VALUE *)BN_new();
-    if (*pval != NULL)
-        return 1;
-    else
-        return 0;
-}
-
-static int bn_secure_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    *pval = (ASN1_VALUE *)BN_secure_new();
-    if (*pval != NULL)
+    if (*pval)
         return 1;
     else
         return 0;
@@ -127,14 +155,6 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
     return 1;
 }
 
-static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                         int utype, char *free_cont, const ASN1_ITEM *it)
-{
-    if (!*pval)
-        bn_secure_new(pval, it);
-    return bn_c2i(pval, cont, len, utype, free_cont, it);
-}
-
 static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
                     int indent, const ASN1_PCTX *pctx)
 {
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_crl.c b/Cryptlib/OpenSSL/crypto/asn1/x_crl.c
index dbed850b..c78ded89 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x_crl.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_crl.c
@@ -1,26 +1,74 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_crl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
+#include "asn1_locl.h"
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/x509v3.h>
-#include "x509_lcl.h"
 
 static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
                             const X509_REVOKED *const *b);
 static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
 
 ASN1_SEQUENCE(X509_REVOKED) = {
-        ASN1_EMBED(X509_REVOKED,serialNumber, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
         ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME),
         ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
 } ASN1_SEQUENCE_END(X509_REVOKED)
@@ -41,7 +89,7 @@ static const X509_CRL_METHOD *default_crl_method = &int_crl_meth;
 
 /*
  * The X509_CRL_INFO structure needs a bit of customisation. Since we cache
- * the original encoding the signature won't be affected by reordering of the
+ * the original encoding the signature wont be affected by reordering of the
  * revoked field.
  */
 static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -66,7 +114,7 @@ static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 
 ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
         ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
-        ASN1_EMBED(X509_CRL_INFO, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
         ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
         ASN1_SIMPLE(X509_CRL_INFO, lastUpdate, ASN1_TIME),
         ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
@@ -131,8 +179,8 @@ static int crl_set_issuers(X509_CRL *crl)
 
         for (j = 0; j < sk_X509_EXTENSION_num(exts); j++) {
             ext = sk_X509_EXTENSION_value(exts, j);
-            if (X509_EXTENSION_get_critical(ext)) {
-                if (OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_certificate_issuer)
+            if (ext->critical > 0) {
+                if (OBJ_obj2nid(ext->object) == NID_certificate_issuer)
                     continue;
                 crl->flags |= EXFLAG_CRITICAL;
                 break;
@@ -172,7 +220,9 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         break;
 
     case ASN1_OP_D2I_POST:
+#ifndef OPENSSL_NO_SHA
         X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL);
+#endif
         crl->idp = X509_CRL_get_ext_d2i(crl,
                                         NID_issuing_distribution_point, NULL,
                                         NULL);
@@ -200,15 +250,16 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
          * directly: applications shouldn't do this.
          */
 
-        exts = crl->crl.extensions;
+        exts = crl->crl->extensions;
 
         for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
             int nid;
+
             ext = sk_X509_EXTENSION_value(exts, idx);
-            nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
+            nid = OBJ_obj2nid(ext->object);
             if (nid == NID_freshest_crl)
                 crl->flags |= EXFLAG_FRESHEST;
-            if (X509_EXTENSION_get_critical(ext)) {
+            if (ext->critical > 0) {
                 /* We handle IDP and deltas */
                 if ((nid == NID_issuing_distribution_point)
                     || (nid == NID_authority_key_identifier)
@@ -226,8 +277,6 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
             if (crl->meth->crl_init(crl) == 0)
                 return 0;
         }
-
-        crl->flags |= EXFLAG_SET;
         break;
 
     case ASN1_OP_FREE_POST:
@@ -235,8 +284,10 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
             if (!crl->meth->crl_free(crl))
                 return 0;
         }
-        AUTHORITY_KEYID_free(crl->akid);
-        ISSUING_DIST_POINT_free(crl->idp);
+        if (crl->akid)
+            AUTHORITY_KEYID_free(crl->akid);
+        if (crl->idp)
+            ISSUING_DIST_POINT_free(crl->idp);
         ASN1_INTEGER_free(crl->crl_number);
         ASN1_INTEGER_free(crl->base_crl_number);
         sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
@@ -283,10 +334,10 @@ static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
     DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
 }
 
-ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = {
-        ASN1_EMBED(X509_CRL, crl, X509_CRL_INFO),
-        ASN1_EMBED(X509_CRL, sig_alg, X509_ALGOR),
-        ASN1_EMBED(X509_CRL, signature, ASN1_BIT_STRING)
+ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
+        ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
+        ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING)
 } ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
@@ -302,17 +353,17 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)
 static int X509_REVOKED_cmp(const X509_REVOKED *const *a,
                             const X509_REVOKED *const *b)
 {
-    return (ASN1_STRING_cmp((ASN1_STRING *)&(*a)->serialNumber,
-                            (ASN1_STRING *)&(*b)->serialNumber));
+    return (ASN1_STRING_cmp((ASN1_STRING *)(*a)->serialNumber,
+                            (ASN1_STRING *)(*b)->serialNumber));
 }
 
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
     X509_CRL_INFO *inf;
-    inf = &crl->crl;
-    if (inf->revoked == NULL)
+    inf = crl->crl;
+    if (!inf->revoked)
         inf->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
-    if (inf->revoked == NULL || !sk_X509_REVOKED_push(inf->revoked, rev)) {
+    if (!inf->revoked || !sk_X509_REVOKED_push(inf->revoked, rev)) {
         ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -347,7 +398,7 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x)
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
     return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
-                             &crl->sig_alg, &crl->signature, &crl->crl, r));
+                             crl->sig_alg, crl->signature, crl->crl, r));
 }
 
 static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
@@ -383,23 +434,23 @@ static int def_crl_lookup(X509_CRL *crl,
 {
     X509_REVOKED rtmp, *rev;
     int idx;
-    rtmp.serialNumber = *serial;
+    rtmp.serialNumber = serial;
     /*
      * Sort revoked into serial number order if not already sorted. Do this
      * under a lock to avoid race condition.
      */
-    if (!sk_X509_REVOKED_is_sorted(crl->crl.revoked)) {
-        CRYPTO_THREAD_write_lock(crl->lock);
-        sk_X509_REVOKED_sort(crl->crl.revoked);
-        CRYPTO_THREAD_unlock(crl->lock);
+    if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) {
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
+        sk_X509_REVOKED_sort(crl->crl->revoked);
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
     }
-    idx = sk_X509_REVOKED_find(crl->crl.revoked, &rtmp);
+    idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
     if (idx < 0)
         return 0;
     /* Need to look for matching name */
-    for (; idx < sk_X509_REVOKED_num(crl->crl.revoked); idx++) {
-        rev = sk_X509_REVOKED_value(crl->crl.revoked, idx);
-        if (ASN1_INTEGER_cmp(&rev->serialNumber, serial))
+    for (; idx < sk_X509_REVOKED_num(crl->crl->revoked); idx++) {
+        rev = sk_X509_REVOKED_value(crl->crl->revoked, idx);
+        if (ASN1_INTEGER_cmp(rev->serialNumber, serial))
             return 0;
         if (crl_revoked_issuer_match(crl, issuer, rev)) {
             if (ret)
@@ -430,8 +481,8 @@ X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
                                                         EVP_PKEY *pk))
 {
     X509_CRL_METHOD *m;
-    m = OPENSSL_malloc(sizeof(*m));
-    if (m == NULL)
+    m = OPENSSL_malloc(sizeof(X509_CRL_METHOD));
+    if (!m)
         return NULL;
     m->crl_init = crl_init;
     m->crl_free = crl_free;
@@ -443,7 +494,7 @@ X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
 
 void X509_CRL_METHOD_free(X509_CRL_METHOD *m)
 {
-    if (m == NULL || !(m->flags & X509_CRL_METHOD_DYNAMIC))
+    if (!(m->flags & X509_CRL_METHOD_DYNAMIC))
         return;
     OPENSSL_free(m);
 }
@@ -457,3 +508,11 @@ void *X509_CRL_get_meth_data(X509_CRL *crl)
 {
     return crl->meth_data;
 }
+
+IMPLEMENT_STACK_OF(X509_REVOKED)
+
+IMPLEMENT_ASN1_SET_OF(X509_REVOKED)
+
+IMPLEMENT_STACK_OF(X509_CRL)
+
+IMPLEMENT_ASN1_SET_OF(X509_CRL)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_exten.c b/Cryptlib/OpenSSL/crypto/asn1/x_exten.c
new file mode 100644
index 00000000..00a9580a
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_exten.c
@@ -0,0 +1,77 @@
+/* x_exten.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stddef.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+
+ASN1_SEQUENCE(X509_EXTENSION) = {
+        ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
+        ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
+        ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(X509_EXTENSION)
+
+ASN1_ITEM_TEMPLATE(X509_EXTENSIONS) =
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Extension, X509_EXTENSION)
+ASN1_ITEM_TEMPLATE_END(X509_EXTENSIONS)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_EXTENSION)
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_EXTENSION)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_info.c b/Cryptlib/OpenSSL/crypto/asn1/x_info.c
index 8d99f07c..067fd72a 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_info.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_info.c
@@ -1,39 +1,117 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_info.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
 
 X509_INFO *X509_INFO_new(void)
 {
-    X509_INFO *ret;
+    X509_INFO *ret = NULL;
 
-    ret = OPENSSL_zalloc(sizeof(*ret));
+    ret = (X509_INFO *)OPENSSL_malloc(sizeof(X509_INFO));
     if (ret == NULL) {
         ASN1err(ASN1_F_X509_INFO_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        return (NULL);
     }
 
-    return ret;
+    ret->enc_cipher.cipher = NULL;
+    ret->enc_len = 0;
+    ret->enc_data = NULL;
+
+    ret->references = 1;
+    ret->x509 = NULL;
+    ret->crl = NULL;
+    ret->x_pkey = NULL;
+    return (ret);
 }
 
 void X509_INFO_free(X509_INFO *x)
 {
+    int i;
+
     if (x == NULL)
         return;
 
-    X509_free(x->x509);
-    X509_CRL_free(x->crl);
-    X509_PKEY_free(x->x_pkey);
-    OPENSSL_free(x->enc_data);
+    i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO);
+#ifdef REF_PRINT
+    REF_PRINT("X509_INFO", x);
+#endif
+    if (i > 0)
+        return;
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "X509_INFO_free, bad reference count\n");
+        abort();
+    }
+#endif
+
+    if (x->x509 != NULL)
+        X509_free(x->x509);
+    if (x->crl != NULL)
+        X509_CRL_free(x->crl);
+    if (x->x_pkey != NULL)
+        X509_PKEY_free(x->x_pkey);
+    if (x->enc_data != NULL)
+        OPENSSL_free(x->enc_data);
     OPENSSL_free(x);
 }
+
+IMPLEMENT_STACK_OF(X509_INFO)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_long.c b/Cryptlib/OpenSSL/crypto/asn1/x_long.c
index c2844713..3aed44a3 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_long.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_long.c
@@ -1,14 +1,64 @@
+/* x_long.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 
@@ -76,7 +126,7 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
      * set.
      */
     if (ltmp < 0)
-        utmp = 0 - (unsigned long)ltmp - 1;
+        utmp = -ltmp - 1;
     else
         utmp = ltmp;
     clen = BN_num_bits_word(utmp);
@@ -128,8 +178,8 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
     }
     ltmp = (long)utmp;
     if (neg) {
+        ltmp++;
         ltmp = -ltmp;
-        ltmp--;
     }
     if (ltmp == it->size) {
         ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_name.c b/Cryptlib/OpenSSL/crypto/asn1/x_name.c
index 97d735f8..26378fdb 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x_name.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_name.c
@@ -1,20 +1,70 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_name.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
-#include "internal/asn1_int.h"
-#include "x509_lcl.h"
+#include "asn1_locl.h"
+
+typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
+DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
 
 /*
  * Maximum length of X509_NAME: much larger than anything we should
@@ -35,7 +85,7 @@ static void x509_name_ex_free(ASN1_VALUE **val, const ASN1_ITEM *it);
 
 static int x509_name_encode(X509_NAME *a);
 static int x509_name_canon(X509_NAME *a);
-static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in);
+static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in);
 static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * intname,
                           unsigned char **in);
 
@@ -58,11 +108,11 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY)
 
 ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) =
         ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, RDNS, X509_NAME_ENTRY)
-static_ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES)
+ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES)
 
 ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) =
         ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES)
-static_ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)
+ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)
 
 /*
  * Normally that's where it would end: we'd have two nested STACK structures
@@ -71,7 +121,7 @@ static_ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)
  * convert to the external form.
  */
 
-static const ASN1_EXTERN_FUNCS x509_name_ff = {
+const ASN1_EXTERN_FUNCS x509_name_ff = {
     NULL,
     x509_name_ex_new,
     x509_name_ex_free,
@@ -89,14 +139,16 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME)
 
 static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
 {
-    X509_NAME *ret = OPENSSL_zalloc(sizeof(*ret));
-
-    if (ret == NULL)
+    X509_NAME *ret = NULL;
+    ret = OPENSSL_malloc(sizeof(X509_NAME));
+    if (!ret)
         goto memerr;
     if ((ret->entries = sk_X509_NAME_ENTRY_new_null()) == NULL)
         goto memerr;
     if ((ret->bytes = BUF_MEM_new()) == NULL)
         goto memerr;
+    ret->canon_enc = NULL;
+    ret->canon_enclen = 0;
     ret->modified = 1;
     *val = (ASN1_VALUE *)ret;
     return 1;
@@ -104,7 +156,8 @@ static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
  memerr:
     ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE);
     if (ret) {
-        sk_X509_NAME_ENTRY_free(ret->entries);
+        if (ret->entries)
+            sk_X509_NAME_ENTRY_free(ret->entries);
         OPENSSL_free(ret);
     }
     return 0;
@@ -113,28 +166,18 @@ static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
 static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
     X509_NAME *a;
-
     if (!pval || !*pval)
         return;
     a = (X509_NAME *)*pval;
 
     BUF_MEM_free(a->bytes);
     sk_X509_NAME_ENTRY_pop_free(a->entries, X509_NAME_ENTRY_free);
-    OPENSSL_free(a->canon_enc);
+    if (a->canon_enc)
+        OPENSSL_free(a->canon_enc);
     OPENSSL_free(a);
     *pval = NULL;
 }
 
-static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
-{
-    sk_X509_NAME_ENTRY_free(ne);
-}
-
-static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
-{
-    sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
-}
-
 static int x509_name_ex_d2i(ASN1_VALUE **val,
                             const unsigned char **in, long len,
                             const ASN1_ITEM *it, int tag, int aclass,
@@ -185,24 +228,20 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
             entry->set = i;
             if (!sk_X509_NAME_ENTRY_push(nm.x->entries, entry))
                 goto err;
-            sk_X509_NAME_ENTRY_set(entries, j, NULL);
         }
+        sk_X509_NAME_ENTRY_free(entries);
     }
+    sk_STACK_OF_X509_NAME_ENTRY_free(intname.s);
     ret = x509_name_canon(nm.x);
     if (!ret)
         goto err;
-    sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
-                                         local_sk_X509_NAME_ENTRY_free);
     nm.x->modified = 0;
     *val = nm.a;
     *in = p;
     return ret;
-
  err:
     if (nm.x != NULL)
         X509_NAME_free(nm.x);
-    sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
-                                         local_sk_X509_NAME_ENTRY_pop_free);
     ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
     return 0;
 }
@@ -228,6 +267,16 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,
     return ret;
 }
 
+static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
+{
+    sk_X509_NAME_ENTRY_free(ne);
+}
+
+static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
+{
+    sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
+}
+
 static int x509_name_encode(X509_NAME *a)
 {
     union {
@@ -250,10 +299,8 @@ static int x509_name_encode(X509_NAME *a)
             entries = sk_X509_NAME_ENTRY_new_null();
             if (!entries)
                 goto memerr;
-            if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, entries)) {
-                sk_X509_NAME_ENTRY_free(entries);
+            if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, entries))
                 goto memerr;
-            }
             set = entry->set;
         }
         if (!sk_X509_NAME_ENTRY_push(entries, entry))
@@ -281,7 +328,7 @@ static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval,
                               int indent,
                               const char *fname, const ASN1_PCTX *pctx)
 {
-    if (X509_NAME_print_ex(out, (const X509_NAME *)*pval,
+    if (X509_NAME_print_ex(out, (X509_NAME *)*pval,
                            indent, pctx->nm_flags) <= 0)
         return 0;
     return 2;
@@ -292,7 +339,7 @@ static int x509_name_ex_print(BIO *out, ASN1_VALUE **pval,
  * it all strings are converted to UTF8, leading, trailing and multiple
  * spaces collapsed, converted to lower case and the leading SEQUENCE header
  * removed. In future we could also normalize the UTF8 too. By doing this
- * comparison of Name structures can be rapidly performed by just using
+ * comparison of Name structures can be rapidly perfomed by just using
  * memcmp() of the canonical encoding. By omitting the leading SEQUENCE name
  * constraints of type dirName can also be checked with a simple memcmp().
  */
@@ -303,10 +350,12 @@ static int x509_name_canon(X509_NAME *a)
     STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname = NULL;
     STACK_OF(X509_NAME_ENTRY) *entries = NULL;
     X509_NAME_ENTRY *entry, *tmpentry = NULL;
-    int i, set = -1, ret = 0, len;
+    int i, set = -1, ret = 0;
 
-    OPENSSL_free(a->canon_enc);
-    a->canon_enc = NULL;
+    if (a->canon_enc) {
+        OPENSSL_free(a->canon_enc);
+        a->canon_enc = NULL;
+    }
     /* Special case: empty X509_NAME => null encoding */
     if (sk_X509_NAME_ENTRY_num(a->entries) == 0) {
         a->canon_enclen = 0;
@@ -321,18 +370,14 @@ static int x509_name_canon(X509_NAME *a)
             entries = sk_X509_NAME_ENTRY_new_null();
             if (!entries)
                 goto err;
-            if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) {
-                sk_X509_NAME_ENTRY_free(entries);
+            if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries))
                 goto err;
-            }
             set = entry->set;
         }
         tmpentry = X509_NAME_ENTRY_new();
-        if (tmpentry == NULL)
+        if (!tmpentry)
             goto err;
         tmpentry->object = OBJ_dup(entry->object);
-        if (tmpentry->object == NULL)
-            goto err;
         if (!asn1_string_canon(tmpentry->value, entry->value))
             goto err;
         if (!sk_X509_NAME_ENTRY_push(entries, tmpentry))
@@ -342,14 +387,11 @@ static int x509_name_canon(X509_NAME *a)
 
     /* Finally generate encoding */
 
-    len = i2d_name_canon(intname, NULL);
-    if (len < 0)
-        goto err;
-    a->canon_enclen = len;
+    a->canon_enclen = i2d_name_canon(intname, NULL);
 
     p = OPENSSL_malloc(a->canon_enclen);
 
-    if (p == NULL)
+    if (!p)
         goto err;
 
     a->canon_enc = p;
@@ -360,9 +402,11 @@ static int x509_name_canon(X509_NAME *a)
 
  err:
 
-    X509_NAME_ENTRY_free(tmpentry);
-    sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
-                                         local_sk_X509_NAME_ENTRY_pop_free);
+    if (tmpentry)
+        X509_NAME_ENTRY_free(tmpentry);
+    if (intname)
+        sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,
+                                             local_sk_X509_NAME_ENTRY_pop_free);
     return ret;
 }
 
@@ -373,7 +417,7 @@ static int x509_name_canon(X509_NAME *a)
         | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING \
         | B_ASN1_VISIBLESTRING)
 
-static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in)
+static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in)
 {
     unsigned char *to, *from;
     int len, i;
@@ -407,10 +451,10 @@ static int asn1_string_canon(ASN1_STRING *out, const ASN1_STRING *in)
         len--;
     }
 
-    to = from + len;
+    to = from + len - 1;
 
     /* Ignore trailing spaces */
-    while ((len > 0) && !(to[-1] & 0x80) && isspace(to[-1])) {
+    while ((len > 0) && !(*to & 0x80) && isspace(*to)) {
         to--;
         len--;
     }
@@ -487,71 +531,6 @@ int X509_NAME_set(X509_NAME **xn, X509_NAME *name)
     return (*xn != NULL);
 }
 
-int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase)
-{
-    char *s, *c, *b;
-    int l, i;
-
-    l = 80 - 2 - obase;
+IMPLEMENT_STACK_OF(X509_NAME_ENTRY)
 
-    b = X509_NAME_oneline(name, NULL, 0);
-    if (!b)
-        return 0;
-    if (!*b) {
-        OPENSSL_free(b);
-        return 1;
-    }
-    s = b + 1;                  /* skip the first slash */
-
-    c = s;
-    for (;;) {
-#ifndef CHARSET_EBCDIC
-        if (((*s == '/') &&
-             ((s[1] >= 'A') && (s[1] <= 'Z') && ((s[2] == '=') ||
-                                                 ((s[2] >= 'A')
-                                                  && (s[2] <= 'Z')
-                                                  && (s[3] == '='))
-              ))) || (*s == '\0'))
-#else
-        if (((*s == '/') &&
-             (isupper(s[1]) && ((s[2] == '=') ||
-                                (isupper(s[2]) && (s[3] == '='))
-              ))) || (*s == '\0'))
-#endif
-        {
-            i = s - c;
-            if (BIO_write(bp, c, i) != i)
-                goto err;
-            c = s + 1;          /* skip following slash */
-            if (*s != '\0') {
-                if (BIO_write(bp, ", ", 2) != 2)
-                    goto err;
-            }
-            l--;
-        }
-        if (*s == '\0')
-            break;
-        s++;
-        l--;
-    }
-
-    OPENSSL_free(b);
-    return 1;
- err:
-    X509err(X509_F_X509_NAME_PRINT, ERR_R_BUF_LIB);
-    OPENSSL_free(b);
-    return 0;
-}
-
-int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
-                       size_t *pderlen)
-{
-    /* Make sure encoding is valid */
-    if (i2d_X509_NAME(nm, NULL) <= 0)
-        return 0;
-    if (pder != NULL)
-        *pder = (unsigned char *)nm->bytes->data;
-    if (pderlen != NULL)
-        *pderlen = nm->bytes->length;
-    return 1;
-}
+IMPLEMENT_ASN1_SET_OF(X509_NAME_ENTRY)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_nx509.c b/Cryptlib/OpenSSL/crypto/asn1/x_nx509.c
new file mode 100644
index 00000000..5aa0ed58
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_nx509.c
@@ -0,0 +1,72 @@
+/* x_nx509.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stddef.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+
+/* Old netscape certificate wrapper format */
+
+ASN1_SEQUENCE(NETSCAPE_X509) = {
+        ASN1_SIMPLE(NETSCAPE_X509, header, ASN1_OCTET_STRING),
+        ASN1_OPT(NETSCAPE_X509, cert, X509)
+} ASN1_SEQUENCE_END(NETSCAPE_X509)
+
+IMPLEMENT_ASN1_FUNCTIONS(NETSCAPE_X509)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c
index 593049f0..2da23e47 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_pkey.c
@@ -1,47 +1,153 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include <openssl/asn1_mac.h>
 #include <openssl/x509.h>
 
-X509_PKEY *X509_PKEY_new(void)
+/* need to implement */
+int i2d_X509_PKEY(X509_PKEY *a, unsigned char **pp)
 {
-    X509_PKEY *ret = NULL;
+    return (0);
+}
 
-    ret = OPENSSL_zalloc(sizeof(*ret));
-    if (ret == NULL)
-        goto err;
+X509_PKEY *d2i_X509_PKEY(X509_PKEY **a, const unsigned char **pp, long length)
+{
+    int i;
+    M_ASN1_D2I_vars(a, X509_PKEY *, X509_PKEY_new);
 
-    ret->enc_algor = X509_ALGOR_new();
-    ret->enc_pkey = ASN1_OCTET_STRING_new();
-    if (ret->enc_algor == NULL || ret->enc_pkey == NULL)
+    M_ASN1_D2I_Init();
+    M_ASN1_D2I_start_sequence();
+    M_ASN1_D2I_get_x(X509_ALGOR, ret->enc_algor, d2i_X509_ALGOR);
+    M_ASN1_D2I_get_x(ASN1_OCTET_STRING, ret->enc_pkey, d2i_ASN1_OCTET_STRING);
+
+    ret->cipher.cipher =
+        EVP_get_cipherbyname(OBJ_nid2ln
+                             (OBJ_obj2nid(ret->enc_algor->algorithm)));
+    if (ret->cipher.cipher == NULL) {
+        c.error = ASN1_R_UNSUPPORTED_CIPHER;
+        c.line = __LINE__;
         goto err;
+    }
+    if (ret->enc_algor->parameter->type == V_ASN1_OCTET_STRING) {
+        i = ret->enc_algor->parameter->value.octet_string->length;
+        if (i > EVP_MAX_IV_LENGTH) {
+            c.error = ASN1_R_IV_TOO_LARGE;
+            c.line = __LINE__;
+            goto err;
+        }
+        memcpy(ret->cipher.iv,
+               ret->enc_algor->parameter->value.octet_string->data, i);
+    } else
+        memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
+    M_ASN1_D2I_Finish(a, X509_PKEY_free, ASN1_F_D2I_X509_PKEY);
+}
 
-    return ret;
-err:
-    X509_PKEY_free(ret);
-    ASN1err(ASN1_F_X509_PKEY_NEW, ERR_R_MALLOC_FAILURE);
-    return NULL;
+X509_PKEY *X509_PKEY_new(void)
+{
+    X509_PKEY *ret = NULL;
+    ASN1_CTX c;
+
+    M_ASN1_New_Malloc(ret, X509_PKEY);
+    ret->version = 0;
+    M_ASN1_New(ret->enc_algor, X509_ALGOR_new);
+    M_ASN1_New(ret->enc_pkey, M_ASN1_OCTET_STRING_new);
+    ret->dec_pkey = NULL;
+    ret->key_length = 0;
+    ret->key_data = NULL;
+    ret->key_free = 0;
+    ret->cipher.cipher = NULL;
+    memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
+    ret->references = 1;
+    return (ret);
+    M_ASN1_New_Error(ASN1_F_X509_PKEY_NEW);
 }
 
 void X509_PKEY_free(X509_PKEY *x)
 {
+    int i;
+
     if (x == NULL)
         return;
 
-    X509_ALGOR_free(x->enc_algor);
-    ASN1_OCTET_STRING_free(x->enc_pkey);
-    EVP_PKEY_free(x->dec_pkey);
-    if (x->key_free)
+    i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
+#ifdef REF_PRINT
+    REF_PRINT("X509_PKEY", x);
+#endif
+    if (i > 0)
+        return;
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "X509_PKEY_free, bad reference count\n");
+        abort();
+    }
+#endif
+
+    if (x->enc_algor != NULL)
+        X509_ALGOR_free(x->enc_algor);
+    if (x->enc_pkey != NULL)
+        M_ASN1_OCTET_STRING_free(x->enc_pkey);
+    if (x->dec_pkey != NULL)
+        EVP_PKEY_free(x->dec_pkey);
+    if ((x->key_data != NULL) && (x->key_free))
         OPENSSL_free(x->key_data);
     OPENSSL_free(x);
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_pubkey.c b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c
index cc692834..6c57a797 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x_pubkey.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_pubkey.c
@@ -1,29 +1,72 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_pubkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
-#include "internal/x509_int.h"
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-
-struct X509_pubkey_st {
-    X509_ALGOR *algor;
-    ASN1_BIT_STRING *public_key;
-    EVP_PKEY *pkey;
-};
-
-static int x509_pubkey_decode(EVP_PKEY **pk, X509_PUBKEY *key);
+#include "asn1_locl.h"
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
 
 /* Minor tweak to operation: free up EVP_PKEY */
 static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -32,19 +75,6 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
     if (operation == ASN1_OP_FREE_POST) {
         X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
         EVP_PKEY_free(pubkey->pkey);
-    } else if (operation == ASN1_OP_D2I_POST) {
-        /* Attempt to decode public key and cache in pubkey structure. */
-        X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
-        EVP_PKEY_free(pubkey->pkey);
-        /*
-         * Opportunistically decode the key but remove any non fatal errors
-         * from the queue. Subsequent explicit attempts to decode/use the key
-         * will return an appropriate error.
-         */
-        ERR_set_mark();
-        if (x509_pubkey_decode(&pubkey->pkey, pubkey) == -1)
-            return 0;
-        ERR_pop_to_mark();
     }
     return 1;
 }
@@ -82,95 +112,71 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
         goto error;
     }
 
-    X509_PUBKEY_free(*x);
+    if (*x != NULL)
+        X509_PUBKEY_free(*x);
+
     *x = pk;
-    pk->pkey = pkey;
-    EVP_PKEY_up_ref(pkey);
-    return 1;
 
+    return 1;
  error:
-    X509_PUBKEY_free(pk);
+    if (pk != NULL)
+        X509_PUBKEY_free(pk);
     return 0;
 }
 
-/*
- * Attempt to decode a public key.
- * Returns 1 on success, 0 for a decode failure and -1 for a fatal
- * error e.g. malloc failure.
- */
+EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
+{
+    EVP_PKEY *ret = NULL;
 
+    if (key == NULL)
+        goto error;
 
-static int x509_pubkey_decode(EVP_PKEY **ppkey, X509_PUBKEY *key)
-    {
-    EVP_PKEY *pkey = EVP_PKEY_new();
+    if (key->pkey != NULL) {
+        CRYPTO_add(&key->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+        return key->pkey;
+    }
 
-    if (pkey == NULL) {
-        X509err(X509_F_X509_PUBKEY_DECODE, ERR_R_MALLOC_FAILURE);
-        return -1;
+    if (key->public_key == NULL)
+        goto error;
+
+    if ((ret = EVP_PKEY_new()) == NULL) {
+        X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
+        goto error;
     }
 
-    if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(key->algor->algorithm))) {
-        X509err(X509_F_X509_PUBKEY_DECODE, X509_R_UNSUPPORTED_ALGORITHM);
+    if (!EVP_PKEY_set_type(ret, OBJ_obj2nid(key->algor->algorithm))) {
+        X509err(X509_F_X509_PUBKEY_GET, X509_R_UNSUPPORTED_ALGORITHM);
         goto error;
     }
 
-    if (pkey->ameth->pub_decode) {
-        /*
-         * Treat any failure of pub_decode as a decode error. In
-         * future we could have different return codes for decode
-         * errors and fatal errors such as malloc failure.
-         */
-        if (!pkey->ameth->pub_decode(pkey, key)) {
-            X509err(X509_F_X509_PUBKEY_DECODE, X509_R_PUBLIC_KEY_DECODE_ERROR);
+    if (ret->ameth->pub_decode) {
+        if (!ret->ameth->pub_decode(ret, key)) {
+            X509err(X509_F_X509_PUBKEY_GET, X509_R_PUBLIC_KEY_DECODE_ERROR);
             goto error;
         }
     } else {
-        X509err(X509_F_X509_PUBKEY_DECODE, X509_R_METHOD_NOT_SUPPORTED);
+        X509err(X509_F_X509_PUBKEY_GET, X509_R_METHOD_NOT_SUPPORTED);
         goto error;
     }
 
-    *ppkey = pkey;
-    return 1;
-
- error:
-    EVP_PKEY_free(pkey);
-    return 0;
-}
-
-EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key)
-{
-    EVP_PKEY *ret = NULL;
-
-    if (key == NULL || key->public_key == NULL)
-        return NULL;
-
-    if (key->pkey != NULL)
-        return key->pkey;
-
-    /*
-     * When the key ASN.1 is initially parsed an attempt is made to
-     * decode the public key and cache the EVP_PKEY structure. If this
-     * operation fails the cached value will be NULL. Parsing continues
-     * to allow parsing of unknown key types or unsupported forms.
-     * We repeat the decode operation so the appropriate errors are left
-     * in the queue.
-     */
-    x509_pubkey_decode(&ret, key);
-    /* If decode doesn't fail something bad happened */
-    if (ret != NULL) {
-        X509err(X509_F_X509_PUBKEY_GET0, ERR_R_INTERNAL_ERROR);
+    /* Check to see if another thread set key->pkey first */
+    CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
+    if (key->pkey) {
+        CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
         EVP_PKEY_free(ret);
+        ret = key->pkey;
+    } else {
+        key->pkey = ret;
+        CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
     }
+    CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
 
-    return NULL;
-}
+    return ret;
 
-EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
-{
-    EVP_PKEY *ret = X509_PUBKEY_get0(key);
+ error:
     if (ret != NULL)
-        EVP_PKEY_up_ref(ret);
-    return ret;
+        EVP_PKEY_free(ret);
+    return (NULL);
 }
 
 /*
@@ -244,7 +250,7 @@ int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp)
     if (!a)
         return 0;
     pktmp = EVP_PKEY_new();
-    if (pktmp == NULL) {
+    if (!pktmp) {
         ASN1err(ASN1_F_I2D_RSA_PUBKEY, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -284,7 +290,7 @@ int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
     if (!a)
         return 0;
     pktmp = EVP_PKEY_new();
-    if (pktmp == NULL) {
+    if (!pktmp) {
         ASN1err(ASN1_F_I2D_DSA_PUBKEY, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -341,7 +347,8 @@ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
     if (!X509_ALGOR_set0(pub->algor, aobj, ptype, pval))
         return 0;
     if (penc) {
-        OPENSSL_free(pub->public_key->data);
+        if (pub->public_key->data)
+            OPENSSL_free(pub->public_key->data);
         pub->public_key->data = penc;
         pub->public_key->length = penclen;
         /* Set number of unused bits to zero */
@@ -365,10 +372,3 @@ int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg,
         *pa = pub->algor;
     return 1;
 }
-
-ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
-{
-    if (x == NULL)
-        return NULL;
-    return x->cert_info.key->public_key;
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_req.c b/Cryptlib/OpenSSL/crypto/asn1/x_req.c
new file mode 100644
index 00000000..ae293aa0
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_req.c
@@ -0,0 +1,116 @@
+/* crypto/asn1/x_req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/x509.h>
+
+/*-
+ * X509_REQ_INFO is handled in an unusual way to get round
+ * invalid encodings. Some broken certificate requests don't
+ * encode the attributes field if it is empty. This is in
+ * violation of PKCS#10 but we need to tolerate it. We do
+ * this by making the attributes field OPTIONAL then using
+ * the callback to initialise it to an empty STACK.
+ *
+ * This means that the field will be correctly encoded unless
+ * we NULL out the field.
+ *
+ * As a result we no longer need the req_kludge field because
+ * the information is now contained in the attributes field:
+ * 1. If it is NULL then it's the invalid omission.
+ * 2. If it is empty it is the correct encoding.
+ * 3. If it is not empty then some attributes are present.
+ *
+ */
+
+static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                   void *exarg)
+{
+    X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
+
+    if (operation == ASN1_OP_NEW_POST) {
+        rinf->attributes = sk_X509_ATTRIBUTE_new_null();
+        if (!rinf->attributes)
+            return 0;
+    }
+    return 1;
+}
+
+ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
+        ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
+        ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
+        /* This isn't really OPTIONAL but it gets round invalid
+         * encodings
+         */
+        ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
+} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
+
+ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_REQ) = {
+        ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),
+        ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
+
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_sig.c b/Cryptlib/OpenSSL/crypto/asn1/x_sig.c
index e465cf2d..dd33720c 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_sig.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_sig.c
@@ -1,17 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_sig.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 
 ASN1_SEQUENCE(X509_SIG) = {
         ASN1_SIMPLE(X509_SIG, algor, X509_ALGOR),
@@ -19,21 +67,3 @@ ASN1_SEQUENCE(X509_SIG) = {
 } ASN1_SEQUENCE_END(X509_SIG)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_SIG)
-
-void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg,
-                   const ASN1_OCTET_STRING **pdigest)
-{
-    if (palg)
-        *palg = sig->algor;
-    if (pdigest)
-        *pdigest = sig->digest;
-}
-
-void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
-                   ASN1_OCTET_STRING **pdigest)
-{
-    if (palg)
-        *palg = sig->algor;
-    if (pdigest)
-        *pdigest = sig->digest;
-}
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_spki.c b/Cryptlib/OpenSSL/crypto/asn1/x_spki.c
index c45400b4..1df6b87d 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_spki.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_spki.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_spki.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
  /*
@@ -13,7 +62,7 @@
   */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/asn1t.h>
 
@@ -26,7 +75,7 @@ IMPLEMENT_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
 
 ASN1_SEQUENCE(NETSCAPE_SPKI) = {
         ASN1_SIMPLE(NETSCAPE_SPKI, spkac, NETSCAPE_SPKAC),
-        ASN1_EMBED(NETSCAPE_SPKI, sig_algor, X509_ALGOR),
+        ASN1_SIMPLE(NETSCAPE_SPKI, sig_algor, X509_ALGOR),
         ASN1_SIMPLE(NETSCAPE_SPKI, signature, ASN1_BIT_STRING)
 } ASN1_SEQUENCE_END(NETSCAPE_SPKI)
 
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_val.c b/Cryptlib/OpenSSL/crypto/asn1/x_val.c
index d1f1d3bf..ee75a1e2 100644
--- a/Cryptlib/OpenSSL/crypto/asn1/x_val.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_val.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_val.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_x509.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c
index 6783fd87..aada4a84 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x_x509.c
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_x509.c
@@ -1,26 +1,74 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/x_x509.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
 
 ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
         ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
-        ASN1_EMBED(X509_CINF, serialNumber, ASN1_INTEGER),
-        ASN1_EMBED(X509_CINF, signature, X509_ALGOR),
+        ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR),
         ASN1_SIMPLE(X509_CINF, issuer, X509_NAME),
-        ASN1_EMBED(X509_CINF, validity, X509_VAL),
+        ASN1_SIMPLE(X509_CINF, validity, X509_VAL),
         ASN1_SIMPLE(X509_CINF, subject, X509_NAME),
         ASN1_SIMPLE(X509_CINF, key, X509_PUBKEY),
         ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1),
@@ -41,9 +89,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
     switch (operation) {
 
     case ASN1_OP_NEW_POST:
+        ret->valid = 0;
+        ret->name = NULL;
         ret->ex_flags = 0;
         ret->ex_pathlen = -1;
-        ret->ex_pcpathlen = -1;
         ret->skid = NULL;
         ret->akid = NULL;
 #ifndef OPENSSL_NO_RFC3779
@@ -52,8 +101,13 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 #endif
         ret->aux = NULL;
         ret->crldp = NULL;
-        if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data))
-            return 0;
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+        break;
+
+    case ASN1_OP_D2I_POST:
+        if (ret->name != NULL)
+            OPENSSL_free(ret->name);
+        ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0);
         break;
 
     case ASN1_OP_FREE_POST:
@@ -69,6 +123,9 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
         ASIdentifiers_free(ret->rfc3779_asid);
 #endif
+
+        if (ret->name != NULL)
+            OPENSSL_free(ret->name);
         break;
 
     }
@@ -77,16 +134,23 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 
 }
 
-ASN1_SEQUENCE_ref(X509, x509_cb) = {
-        ASN1_EMBED(X509, cert_info, X509_CINF),
-        ASN1_EMBED(X509, sig_alg, X509_ALGOR),
-        ASN1_EMBED(X509, signature, ASN1_BIT_STRING)
+ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = {
+        ASN1_SIMPLE(X509, cert_info, X509_CINF),
+        ASN1_SIMPLE(X509, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509, signature, ASN1_BIT_STRING)
 } ASN1_SEQUENCE_END_ref(X509, X509)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509)
 
 IMPLEMENT_ASN1_DUP_FUNCTION(X509)
 
+int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+{
+    return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, argl, argp,
+                                   new_func, dup_func, free_func);
+}
+
 int X509_set_ex_data(X509 *r, int idx, void *arg)
 {
     return (CRYPTO_set_ex_data(&r->ex_data, idx, arg));
@@ -113,11 +177,12 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
     /* Save start position */
     q = *pp;
 
-    if (a == NULL || *a == NULL)
+    if (!a || *a == NULL) {
         freeret = 1;
+    }
     ret = d2i_X509(a, &q, length);
     /* If certificate unreadable then forget it */
-    if (ret == NULL)
+    if (!ret)
         return NULL;
     /* update length */
     length -= q - *pp;
@@ -205,20 +270,20 @@ int i2d_X509_AUX(X509 *a, unsigned char **pp)
 
 int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
 {
-    x->cert_info.enc.modified = 1;
-    return i2d_X509_CINF(&x->cert_info, pp);
+    x->cert_info->enc.modified = 1;
+    return i2d_X509_CINF(x->cert_info, pp);
 }
 
-void X509_get0_signature(const ASN1_BIT_STRING **psig,
-                         const X509_ALGOR **palg, const X509 *x)
+void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                         const X509 *x)
 {
     if (psig)
-        *psig = &x->signature;
+        *psig = x->signature;
     if (palg)
-        *palg = &x->sig_alg;
+        *palg = x->sig_alg;
 }
 
 int X509_get_signature_nid(const X509 *x)
 {
-    return OBJ_obj2nid(x->sig_alg.algorithm);
+    return OBJ_obj2nid(x->sig_alg->algorithm);
 }
diff --git a/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c b/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c
new file mode 100644
index 00000000..ad93592a
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/asn1/x_x509a.c
@@ -0,0 +1,196 @@
+/* a_x509a.c */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509.h>
+
+/*
+ * X509_CERT_AUX routines. These are used to encode additional user
+ * modifiable data about a certificate. This data is appended to the X509
+ * encoding when the *_X509_AUX routines are used. This means that the
+ * "traditional" X509 routines will simply ignore the extra data.
+ */
+
+static X509_CERT_AUX *aux_get(X509 *x);
+
+ASN1_SEQUENCE(X509_CERT_AUX) = {
+        ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT),
+        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0),
+        ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING),
+        ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING),
+        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1)
+} ASN1_SEQUENCE_END(X509_CERT_AUX)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_AUX)
+
+static X509_CERT_AUX *aux_get(X509 *x)
+{
+    if (!x)
+        return NULL;
+    if (!x->aux && !(x->aux = X509_CERT_AUX_new()))
+        return NULL;
+    return x->aux;
+}
+
+int X509_alias_set1(X509 *x, unsigned char *name, int len)
+{
+    X509_CERT_AUX *aux;
+    if (!name) {
+        if (!x || !x->aux || !x->aux->alias)
+            return 1;
+        ASN1_UTF8STRING_free(x->aux->alias);
+        x->aux->alias = NULL;
+        return 1;
+    }
+    if (!(aux = aux_get(x)))
+        return 0;
+    if (!aux->alias && !(aux->alias = ASN1_UTF8STRING_new()))
+        return 0;
+    return ASN1_STRING_set(aux->alias, name, len);
+}
+
+int X509_keyid_set1(X509 *x, unsigned char *id, int len)
+{
+    X509_CERT_AUX *aux;
+    if (!id) {
+        if (!x || !x->aux || !x->aux->keyid)
+            return 1;
+        ASN1_OCTET_STRING_free(x->aux->keyid);
+        x->aux->keyid = NULL;
+        return 1;
+    }
+    if (!(aux = aux_get(x)))
+        return 0;
+    if (!aux->keyid && !(aux->keyid = ASN1_OCTET_STRING_new()))
+        return 0;
+    return ASN1_STRING_set(aux->keyid, id, len);
+}
+
+unsigned char *X509_alias_get0(X509 *x, int *len)
+{
+    if (!x->aux || !x->aux->alias)
+        return NULL;
+    if (len)
+        *len = x->aux->alias->length;
+    return x->aux->alias->data;
+}
+
+unsigned char *X509_keyid_get0(X509 *x, int *len)
+{
+    if (!x->aux || !x->aux->keyid)
+        return NULL;
+    if (len)
+        *len = x->aux->keyid->length;
+    return x->aux->keyid->data;
+}
+
+int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj)
+{
+    X509_CERT_AUX *aux;
+    ASN1_OBJECT *objtmp;
+    if (!(objtmp = OBJ_dup(obj)))
+        return 0;
+    if (!(aux = aux_get(x)))
+        return 0;
+    if (!aux->trust && !(aux->trust = sk_ASN1_OBJECT_new_null()))
+        return 0;
+    return sk_ASN1_OBJECT_push(aux->trust, objtmp);
+}
+
+int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
+{
+    X509_CERT_AUX *aux;
+    ASN1_OBJECT *objtmp;
+    if (!(objtmp = OBJ_dup(obj)))
+        return 0;
+    if (!(aux = aux_get(x)))
+        goto err;
+    if (!aux->reject && !(aux->reject = sk_ASN1_OBJECT_new_null()))
+        goto err;
+    return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+ err:
+    ASN1_OBJECT_free(objtmp);
+    return 0;
+}
+
+void X509_trust_clear(X509 *x)
+{
+    if (x->aux && x->aux->trust) {
+        sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free);
+        x->aux->trust = NULL;
+    }
+}
+
+void X509_reject_clear(X509 *x)
+{
+    if (x->aux && x->aux->reject) {
+        sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free);
+        x->aux->reject = NULL;
+    }
+}
+
+ASN1_SEQUENCE(X509_CERT_PAIR) = {
+        ASN1_EXP_OPT(X509_CERT_PAIR, forward, X509, 0),
+        ASN1_EXP_OPT(X509_CERT_PAIR, reverse, X509, 1)
+} ASN1_SEQUENCE_END(X509_CERT_PAIR)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_PAIR)
diff --git a/Cryptlib/OpenSSL/crypto/async/arch/async_null.c b/Cryptlib/OpenSSL/crypto/async/arch/async_null.c
deleted file mode 100644
index 3eaf170f..00000000
--- a/Cryptlib/OpenSSL/crypto/async/arch/async_null.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* This must be the first #include file */
-#include "../async_locl.h"
-
-#ifdef ASYNC_NULL
-int ASYNC_is_capable(void)
-{
-    return 0;
-}
-
-void async_local_cleanup(void)
-{
-}
-#endif
-
diff --git a/Cryptlib/OpenSSL/crypto/async/arch/async_null.h b/Cryptlib/OpenSSL/crypto/async/arch/async_null.h
deleted file mode 100644
index aef40b5d..00000000
--- a/Cryptlib/OpenSSL/crypto/async/arch/async_null.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/async.h>
-
-/*
- * If we haven't managed to detect any other async architecture then we default
- * to NULL.
- */
-#ifndef ASYNC_ARCH
-# define ASYNC_NULL
-# define ASYNC_ARCH
-
-typedef struct async_fibre_st {
-    int dummy;
-} async_fibre;
-
-
-# define async_fibre_swapcontext(o,n,r)         0
-# define async_fibre_makecontext(c)             0
-# define async_fibre_free(f)
-# define async_fibre_init_dispatcher(f)
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/async/arch/async_posix.c b/Cryptlib/OpenSSL/crypto/async/arch/async_posix.c
deleted file mode 100644
index 02c342d3..00000000
--- a/Cryptlib/OpenSSL/crypto/async/arch/async_posix.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* This must be the first #include file */
-#include "../async_locl.h"
-
-#ifdef ASYNC_POSIX
-
-# include <stddef.h>
-# include <unistd.h>
-
-#define STACKSIZE       32768
-
-int ASYNC_is_capable(void)
-{
-    ucontext_t ctx;
-
-    /*
-     * Some platforms provide getcontext() but it does not work (notably
-     * MacOSX PPC64). Check for a working getcontext();
-     */
-    return getcontext(&ctx) == 0;
-}
-
-void async_local_cleanup(void)
-{
-}
-
-int async_fibre_makecontext(async_fibre *fibre)
-{
-    fibre->env_init = 0;
-    if (getcontext(&fibre->fibre) == 0) {
-        fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
-        if (fibre->fibre.uc_stack.ss_sp != NULL) {
-            fibre->fibre.uc_stack.ss_size = STACKSIZE;
-            fibre->fibre.uc_link = NULL;
-            makecontext(&fibre->fibre, async_start_func, 0);
-            return 1;
-        }
-    } else {
-        fibre->fibre.uc_stack.ss_sp = NULL;
-    }
-    return 0;
-}
-
-void async_fibre_free(async_fibre *fibre)
-{
-    OPENSSL_free(fibre->fibre.uc_stack.ss_sp);
-    fibre->fibre.uc_stack.ss_sp = NULL;
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/async/arch/async_posix.h b/Cryptlib/OpenSSL/crypto/async/arch/async_posix.h
deleted file mode 100644
index 3c61f7f7..00000000
--- a/Cryptlib/OpenSSL/crypto/async/arch/async_posix.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OPENSSL_ASYNC_ARCH_ASYNC_POSIX_H
-#define OPENSSL_ASYNC_ARCH_ASYNC_POSIX_H
-#include <openssl/e_os2.h>
-
-#if (defined(OPENSSL_SYS_UNIX) || defined(OPENSSL_SYS_CYGWIN)) \
-    && defined(OPENSSL_THREADS) && !defined(OPENSSL_NO_ASYNC) \
-    && !defined(__ANDROID__) && !defined(__OpenBSD__)
-
-# include <unistd.h>
-
-# if _POSIX_VERSION >= 200112L
-
-# include <pthread.h>
-
-#  define ASYNC_POSIX
-#  define ASYNC_ARCH
-
-#  include <ucontext.h>
-#  include <setjmp.h>
-#  include "e_os.h"
-
-typedef struct async_fibre_st {
-    ucontext_t fibre;
-    jmp_buf env;
-    int env_init;
-} async_fibre;
-
-static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
-{
-    o->env_init = 1;
-
-    if (!r || !_setjmp(o->env)) {
-        if (n->env_init)
-            _longjmp(n->env, 1);
-        else
-            setcontext(&n->fibre);
-    }
-
-    return 1;
-}
-
-#  define async_fibre_init_dispatcher(d)
-
-int async_fibre_makecontext(async_fibre *fibre);
-void async_fibre_free(async_fibre *fibre);
-
-# endif
-#endif
-#endif /* OPENSSL_ASYNC_ARCH_ASYNC_POSIX_H */
diff --git a/Cryptlib/OpenSSL/crypto/async/arch/async_win.c b/Cryptlib/OpenSSL/crypto/async/arch/async_win.c
deleted file mode 100644
index 077d56ce..00000000
--- a/Cryptlib/OpenSSL/crypto/async/arch/async_win.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* This must be the first #include file */
-#include "../async_locl.h"
-
-#ifdef ASYNC_WIN
-
-# include <windows.h>
-# include "internal/cryptlib.h"
-
-int ASYNC_is_capable(void)
-{
-    return 1;
-}
-
-void async_local_cleanup(void)
-{
-    async_ctx *ctx = async_get_ctx();
-    if (ctx != NULL) {
-        async_fibre *fibre = &ctx->dispatcher;
-        if (fibre != NULL && fibre->fibre != NULL && fibre->converted) {
-            ConvertFiberToThread();
-            fibre->fibre = NULL;
-        }
-    }
-}
-
-int async_fibre_init_dispatcher(async_fibre *fibre)
-{
-    fibre->fibre = ConvertThreadToFiber(NULL);
-    if (fibre->fibre == NULL) {
-        fibre->converted = 0;
-        fibre->fibre = GetCurrentFiber();
-        if (fibre->fibre == NULL)
-            return 0;
-    } else {
-        fibre->converted = 1;
-    }
-
-    return 1;
-}
-
-VOID CALLBACK async_start_func_win(PVOID unused)
-{
-    async_start_func();
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/async/arch/async_win.h b/Cryptlib/OpenSSL/crypto/async/arch/async_win.h
deleted file mode 100644
index 61cfdd72..00000000
--- a/Cryptlib/OpenSSL/crypto/async/arch/async_win.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * This is the same detection used in cryptlib to set up the thread local
- * storage that we depend on, so just copy that
- */
-#if defined(_WIN32) && !defined(OPENSSL_NO_ASYNC)
-#include <openssl/async.h>
-# define ASYNC_WIN
-# define ASYNC_ARCH
-
-# include <windows.h>
-# include "internal/cryptlib.h"
-
-typedef struct async_fibre_st {
-    LPVOID fibre;
-    int converted;
-} async_fibre;
-
-# define async_fibre_swapcontext(o,n,r) \
-        (SwitchToFiber((n)->fibre), 1)
-# define async_fibre_makecontext(c) \
-        ((c)->fibre = CreateFiber(0, async_start_func_win, 0))
-# define async_fibre_free(f)             (DeleteFiber((f)->fibre))
-
-int async_fibre_init_dispatcher(async_fibre *fibre);
-VOID CALLBACK async_start_func_win(PVOID unused);
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/async/async.c b/Cryptlib/OpenSSL/crypto/async/async.c
deleted file mode 100644
index 8c699af7..00000000
--- a/Cryptlib/OpenSSL/crypto/async/async.c
+++ /dev/null
@@ -1,433 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Without this we start getting longjmp crashes because it thinks we're jumping
- * up the stack when in fact we are jumping to an entirely different stack. The
- * cost of this is not having certain buffer overrun/underrun checks etc for
- * this source file :-(
- */
-#undef _FORTIFY_SOURCE
-
-/* This must be the first #include file */
-#include "async_locl.h"
-
-#include <openssl/err.h>
-#include <internal/cryptlib_int.h>
-#include <string.h>
-
-#define ASYNC_JOB_RUNNING   0
-#define ASYNC_JOB_PAUSING   1
-#define ASYNC_JOB_PAUSED    2
-#define ASYNC_JOB_STOPPING  3
-
-static CRYPTO_THREAD_LOCAL ctxkey;
-static CRYPTO_THREAD_LOCAL poolkey;
-
-static void async_free_pool_internal(async_pool *pool);
-
-static async_ctx *async_ctx_new(void)
-{
-    async_ctx *nctx = NULL;
-
-    nctx = OPENSSL_malloc(sizeof (async_ctx));
-    if (nctx == NULL) {
-        ASYNCerr(ASYNC_F_ASYNC_CTX_NEW, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    async_fibre_init_dispatcher(&nctx->dispatcher);
-    nctx->currjob = NULL;
-    nctx->blocked = 0;
-    if (!CRYPTO_THREAD_set_local(&ctxkey, nctx))
-        goto err;
-
-    return nctx;
-err:
-    OPENSSL_free(nctx);
-
-    return NULL;
-}
-
-async_ctx *async_get_ctx(void)
-{
-    if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL))
-        return NULL;
-
-    return (async_ctx *)CRYPTO_THREAD_get_local(&ctxkey);
-}
-
-static int async_ctx_free(void)
-{
-    async_ctx *ctx;
-
-    ctx = async_get_ctx();
-
-    if (!CRYPTO_THREAD_set_local(&ctxkey, NULL))
-        return 0;
-
-    OPENSSL_free(ctx);
-
-    return 1;
-}
-
-static ASYNC_JOB *async_job_new(void)
-{
-    ASYNC_JOB *job = NULL;
-
-    job = OPENSSL_zalloc(sizeof (ASYNC_JOB));
-    if (job == NULL) {
-        ASYNCerr(ASYNC_F_ASYNC_JOB_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    job->status = ASYNC_JOB_RUNNING;
-
-    return job;
-}
-
-static void async_job_free(ASYNC_JOB *job)
-{
-    if (job != NULL) {
-        OPENSSL_free(job->funcargs);
-        async_fibre_free(&job->fibrectx);
-        OPENSSL_free(job);
-    }
-}
-
-static ASYNC_JOB *async_get_pool_job(void) {
-    ASYNC_JOB *job;
-    async_pool *pool;
-
-    pool = (async_pool *)CRYPTO_THREAD_get_local(&poolkey);
-    if (pool == NULL) {
-        /*
-         * Pool has not been initialised, so init with the defaults, i.e.
-         * no max size and no pre-created jobs
-         */
-        if (ASYNC_init_thread(0, 0) == 0)
-            return NULL;
-        pool = (async_pool *)CRYPTO_THREAD_get_local(&poolkey);
-    }
-
-    job = sk_ASYNC_JOB_pop(pool->jobs);
-    if (job == NULL) {
-        /* Pool is empty */
-        if ((pool->max_size != 0) && (pool->curr_size >= pool->max_size))
-            return NULL;
-
-        job = async_job_new();
-        if (job != NULL) {
-            if (! async_fibre_makecontext(&job->fibrectx)) {
-                async_job_free(job);
-                return NULL;
-            }
-            pool->curr_size++;
-        }
-    }
-    return job;
-}
-
-static void async_release_job(ASYNC_JOB *job) {
-    async_pool *pool;
-
-    pool = (async_pool *)CRYPTO_THREAD_get_local(&poolkey);
-    OPENSSL_free(job->funcargs);
-    job->funcargs = NULL;
-    sk_ASYNC_JOB_push(pool->jobs, job);
-}
-
-void async_start_func(void)
-{
-    ASYNC_JOB *job;
-    async_ctx *ctx = async_get_ctx();
-
-    while (1) {
-        /* Run the job */
-        job = ctx->currjob;
-        job->ret = job->func(job->funcargs);
-
-        /* Stop the job */
-        job->status = ASYNC_JOB_STOPPING;
-        if (!async_fibre_swapcontext(&job->fibrectx,
-                                     &ctx->dispatcher, 1)) {
-            /*
-             * Should not happen. Getting here will close the thread...can't do
-             * much about it
-             */
-            ASYNCerr(ASYNC_F_ASYNC_START_FUNC, ASYNC_R_FAILED_TO_SWAP_CONTEXT);
-        }
-    }
-}
-
-int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *wctx, int *ret,
-                    int (*func)(void *), void *args, size_t size)
-{
-    async_ctx *ctx = async_get_ctx();
-    if (ctx == NULL)
-        ctx = async_ctx_new();
-    if (ctx == NULL) {
-        return ASYNC_ERR;
-    }
-
-    if (*job) {
-        ctx->currjob = *job;
-    }
-
-    for (;;) {
-        if (ctx->currjob != NULL) {
-            if (ctx->currjob->status == ASYNC_JOB_STOPPING) {
-                *ret = ctx->currjob->ret;
-                ctx->currjob->waitctx = NULL;
-                async_release_job(ctx->currjob);
-                ctx->currjob = NULL;
-                *job = NULL;
-                return ASYNC_FINISH;
-            }
-
-            if (ctx->currjob->status == ASYNC_JOB_PAUSING) {
-                *job = ctx->currjob;
-                ctx->currjob->status = ASYNC_JOB_PAUSED;
-                ctx->currjob = NULL;
-                return ASYNC_PAUSE;
-            }
-
-            if (ctx->currjob->status == ASYNC_JOB_PAUSED) {
-                ctx->currjob = *job;
-                /* Resume previous job */
-                if (!async_fibre_swapcontext(&ctx->dispatcher,
-                        &ctx->currjob->fibrectx, 1)) {
-                    ASYNCerr(ASYNC_F_ASYNC_START_JOB,
-                             ASYNC_R_FAILED_TO_SWAP_CONTEXT);
-                    goto err;
-                }
-                continue;
-            }
-
-            /* Should not happen */
-            ASYNCerr(ASYNC_F_ASYNC_START_JOB, ERR_R_INTERNAL_ERROR);
-            async_release_job(ctx->currjob);
-            ctx->currjob = NULL;
-            *job = NULL;
-            return ASYNC_ERR;
-        }
-
-        /* Start a new job */
-        if ((ctx->currjob = async_get_pool_job()) == NULL) {
-            return ASYNC_NO_JOBS;
-        }
-
-        if (args != NULL) {
-            ctx->currjob->funcargs = OPENSSL_malloc(size);
-            if (ctx->currjob->funcargs == NULL) {
-                ASYNCerr(ASYNC_F_ASYNC_START_JOB, ERR_R_MALLOC_FAILURE);
-                async_release_job(ctx->currjob);
-                ctx->currjob = NULL;
-                return ASYNC_ERR;
-            }
-            memcpy(ctx->currjob->funcargs, args, size);
-        } else {
-            ctx->currjob->funcargs = NULL;
-        }
-
-        ctx->currjob->func = func;
-        ctx->currjob->waitctx = wctx;
-        if (!async_fibre_swapcontext(&ctx->dispatcher,
-                &ctx->currjob->fibrectx, 1)) {
-            ASYNCerr(ASYNC_F_ASYNC_START_JOB, ASYNC_R_FAILED_TO_SWAP_CONTEXT);
-            goto err;
-        }
-    }
-
-err:
-    async_release_job(ctx->currjob);
-    ctx->currjob = NULL;
-    *job = NULL;
-    return ASYNC_ERR;
-}
-
-int ASYNC_pause_job(void)
-{
-    ASYNC_JOB *job;
-    async_ctx *ctx = async_get_ctx();
-
-    if (ctx == NULL
-            || ctx->currjob == NULL
-            || ctx->blocked) {
-        /*
-         * Could be we've deliberately not been started within a job so this is
-         * counted as success.
-         */
-        return 1;
-    }
-
-    job = ctx->currjob;
-    job->status = ASYNC_JOB_PAUSING;
-
-    if (!async_fibre_swapcontext(&job->fibrectx,
-                                 &ctx->dispatcher, 1)) {
-        ASYNCerr(ASYNC_F_ASYNC_PAUSE_JOB, ASYNC_R_FAILED_TO_SWAP_CONTEXT);
-        return 0;
-    }
-    /* Reset counts of added and deleted fds */
-    async_wait_ctx_reset_counts(job->waitctx);
-
-    return 1;
-}
-
-static void async_empty_pool(async_pool *pool)
-{
-    ASYNC_JOB *job;
-
-    if (!pool || !pool->jobs)
-        return;
-
-    do {
-        job = sk_ASYNC_JOB_pop(pool->jobs);
-        async_job_free(job);
-    } while (job);
-}
-
-int async_init(void)
-{
-    if (!CRYPTO_THREAD_init_local(&ctxkey, NULL))
-        return 0;
-
-    if (!CRYPTO_THREAD_init_local(&poolkey, NULL)) {
-        CRYPTO_THREAD_cleanup_local(&ctxkey);
-        return 0;
-    }
-
-    return 1;
-}
-
-void async_deinit(void)
-{
-    CRYPTO_THREAD_cleanup_local(&ctxkey);
-    CRYPTO_THREAD_cleanup_local(&poolkey);
-}
-
-int ASYNC_init_thread(size_t max_size, size_t init_size)
-{
-    async_pool *pool;
-    size_t curr_size = 0;
-
-    if (init_size > max_size) {
-        ASYNCerr(ASYNC_F_ASYNC_INIT_THREAD, ASYNC_R_INVALID_POOL_SIZE);
-        return 0;
-    }
-
-    if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) {
-        return 0;
-    }
-    if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ASYNC)) {
-        return 0;
-    }
-
-    pool = OPENSSL_zalloc(sizeof *pool);
-    if (pool == NULL) {
-        ASYNCerr(ASYNC_F_ASYNC_INIT_THREAD, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
-    pool->jobs = sk_ASYNC_JOB_new_null();
-    if (pool->jobs == NULL) {
-        ASYNCerr(ASYNC_F_ASYNC_INIT_THREAD, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(pool);
-        return 0;
-    }
-
-    pool->max_size = max_size;
-
-    /* Pre-create jobs as required */
-    while (init_size--) {
-        ASYNC_JOB *job;
-        job = async_job_new();
-        if (job == NULL || !async_fibre_makecontext(&job->fibrectx)) {
-            /*
-             * Not actually fatal because we already created the pool, just
-             * skip creation of any more jobs
-             */
-            async_job_free(job);
-            break;
-        }
-        job->funcargs = NULL;
-        sk_ASYNC_JOB_push(pool->jobs, job);
-        curr_size++;
-    }
-    pool->curr_size = curr_size;
-    if (!CRYPTO_THREAD_set_local(&poolkey, pool)) {
-        ASYNCerr(ASYNC_F_ASYNC_INIT_THREAD, ASYNC_R_FAILED_TO_SET_POOL);
-        goto err;
-    }
-
-    return 1;
-err:
-    async_free_pool_internal(pool);
-    return 0;
-}
-
-static void async_free_pool_internal(async_pool *pool)
-{
-    if (pool == NULL)
-        return;
-
-    async_empty_pool(pool);
-    sk_ASYNC_JOB_free(pool->jobs);
-    OPENSSL_free(pool);
-    CRYPTO_THREAD_set_local(&poolkey, NULL);
-    async_local_cleanup();
-    async_ctx_free();
-}
-
-void ASYNC_cleanup_thread(void)
-{
-    async_free_pool_internal((async_pool *)CRYPTO_THREAD_get_local(&poolkey));
-}
-
-ASYNC_JOB *ASYNC_get_current_job(void)
-{
-    async_ctx *ctx;
-
-    ctx = async_get_ctx();
-    if (ctx == NULL)
-        return NULL;
-
-    return ctx->currjob;
-}
-
-ASYNC_WAIT_CTX *ASYNC_get_wait_ctx(ASYNC_JOB *job)
-{
-    return job->waitctx;
-}
-
-void ASYNC_block_pause(void)
-{
-    async_ctx *ctx = async_get_ctx();
-    if (ctx == NULL || ctx->currjob == NULL) {
-        /*
-         * We're not in a job anyway so ignore this
-         */
-        return;
-    }
-    ctx->blocked++;
-}
-
-void ASYNC_unblock_pause(void)
-{
-    async_ctx *ctx = async_get_ctx();
-    if (ctx == NULL || ctx->currjob == NULL) {
-        /*
-         * We're not in a job anyway so ignore this
-         */
-        return;
-    }
-    if (ctx->blocked > 0)
-        ctx->blocked--;
-}
diff --git a/Cryptlib/OpenSSL/crypto/async/async_err.c b/Cryptlib/OpenSSL/crypto/async/async_err.c
deleted file mode 100644
index ae97e965..00000000
--- a/Cryptlib/OpenSSL/crypto/async/async_err.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/async.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-# define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASYNC,func,0)
-# define ERR_REASON(reason) ERR_PACK(ERR_LIB_ASYNC,0,reason)
-
-static ERR_STRING_DATA ASYNC_str_functs[] = {
-    {ERR_FUNC(ASYNC_F_ASYNC_CTX_NEW), "async_ctx_new"},
-    {ERR_FUNC(ASYNC_F_ASYNC_INIT_THREAD), "ASYNC_init_thread"},
-    {ERR_FUNC(ASYNC_F_ASYNC_JOB_NEW), "async_job_new"},
-    {ERR_FUNC(ASYNC_F_ASYNC_PAUSE_JOB), "ASYNC_pause_job"},
-    {ERR_FUNC(ASYNC_F_ASYNC_START_FUNC), "async_start_func"},
-    {ERR_FUNC(ASYNC_F_ASYNC_START_JOB), "ASYNC_start_job"},
-    {0, NULL}
-};
-
-static ERR_STRING_DATA ASYNC_str_reasons[] = {
-    {ERR_REASON(ASYNC_R_FAILED_TO_SET_POOL), "failed to set pool"},
-    {ERR_REASON(ASYNC_R_FAILED_TO_SWAP_CONTEXT), "failed to swap context"},
-    {ERR_REASON(ASYNC_R_INIT_FAILED), "init failed"},
-    {ERR_REASON(ASYNC_R_INVALID_POOL_SIZE), "invalid pool size"},
-    {0, NULL}
-};
-
-#endif
-
-int ERR_load_ASYNC_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-
-    if (ERR_func_error_string(ASYNC_str_functs[0].error) == NULL) {
-        ERR_load_strings(0, ASYNC_str_functs);
-        ERR_load_strings(0, ASYNC_str_reasons);
-    }
-#endif
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/async/async_locl.h b/Cryptlib/OpenSSL/crypto/async/async_locl.h
deleted file mode 100644
index f0ac05a3..00000000
--- a/Cryptlib/OpenSSL/crypto/async/async_locl.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Must do this before including any header files, because on MacOS/X <stlib.h>
- * includes <signal.h> which includes <ucontext.h>
- */
-#if defined(__APPLE__) && defined(__MACH__) && !defined(_XOPEN_SOURCE)
-# define _XOPEN_SOURCE          /* Otherwise incomplete ucontext_t structure */
-# pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-#endif
-
-#if defined(_WIN32)
-# include <windows.h>
-#endif
-
-#include <internal/async.h>
-#include <openssl/crypto.h>
-
-typedef struct async_ctx_st async_ctx;
-typedef struct async_pool_st async_pool;
-
-#include "arch/async_win.h"
-#include "arch/async_posix.h"
-#include "arch/async_null.h"
-
-struct async_ctx_st {
-    async_fibre dispatcher;
-    ASYNC_JOB *currjob;
-    unsigned int blocked;
-};
-
-struct async_job_st {
-    async_fibre fibrectx;
-    int (*func) (void *);
-    void *funcargs;
-    int ret;
-    int status;
-    ASYNC_WAIT_CTX *waitctx;
-};
-
-struct fd_lookup_st {
-    const void *key;
-    OSSL_ASYNC_FD fd;
-    void *custom_data;
-    void (*cleanup)(ASYNC_WAIT_CTX *, const void *, OSSL_ASYNC_FD, void *);
-    int add;
-    int del;
-    struct fd_lookup_st *next;
-};
-
-struct async_wait_ctx_st {
-    struct fd_lookup_st *fds;
-    size_t numadd;
-    size_t numdel;
-};
-
-DEFINE_STACK_OF(ASYNC_JOB)
-
-struct async_pool_st {
-    STACK_OF(ASYNC_JOB) *jobs;
-    size_t curr_size;
-    size_t max_size;
-};
-
-void async_local_cleanup(void);
-void async_start_func(void);
-async_ctx *async_get_ctx(void);
-
-void async_wait_ctx_reset_counts(ASYNC_WAIT_CTX *ctx);
-
diff --git a/Cryptlib/OpenSSL/crypto/async/async_wait.c b/Cryptlib/OpenSSL/crypto/async/async_wait.c
deleted file mode 100644
index e115985d..00000000
--- a/Cryptlib/OpenSSL/crypto/async/async_wait.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* This must be the first #include file */
-#include "async_locl.h"
-
-#include <openssl/err.h>
-
-ASYNC_WAIT_CTX *ASYNC_WAIT_CTX_new(void)
-{
-    return OPENSSL_zalloc(sizeof(ASYNC_WAIT_CTX));
-}
-
-void ASYNC_WAIT_CTX_free(ASYNC_WAIT_CTX *ctx)
-{
-    struct fd_lookup_st *curr;
-    struct fd_lookup_st *next;
-
-    if (ctx == NULL)
-        return;
-
-    curr = ctx->fds;
-    while (curr != NULL) {
-        if (!curr->del) {
-            /* Only try and cleanup if it hasn't been marked deleted */
-            if (curr->cleanup != NULL)
-                curr->cleanup(ctx, curr->key, curr->fd, curr->custom_data);
-        }
-        /* Always free the fd_lookup_st */
-        next = curr->next;
-        OPENSSL_free(curr);
-        curr = next;
-    }
-
-    OPENSSL_free(ctx);
-}
-int ASYNC_WAIT_CTX_set_wait_fd(ASYNC_WAIT_CTX *ctx, const void *key,
-                               OSSL_ASYNC_FD fd, void *custom_data,
-                               void (*cleanup)(ASYNC_WAIT_CTX *, const void *,
-                                               OSSL_ASYNC_FD, void *))
-{
-    struct fd_lookup_st *fdlookup;
-
-    fdlookup = OPENSSL_zalloc(sizeof *fdlookup);
-    if (fdlookup == NULL)
-        return 0;
-
-    fdlookup->key = key;
-    fdlookup->fd = fd;
-    fdlookup->custom_data = custom_data;
-    fdlookup->cleanup = cleanup;
-    fdlookup->add = 1;
-    fdlookup->next = ctx->fds;
-    ctx->fds = fdlookup;
-    ctx->numadd++;
-    return 1;
-}
-
-int ASYNC_WAIT_CTX_get_fd(ASYNC_WAIT_CTX *ctx, const void *key,
-                          OSSL_ASYNC_FD *fd, void **custom_data)
-{
-    struct fd_lookup_st *curr;
-
-    curr = ctx->fds;
-    while (curr != NULL) {
-        if (curr->del) {
-            /* This one has been marked deleted so do nothing */
-            curr = curr->next;
-            continue;
-        }
-        if (curr->key == key) {
-            *fd = curr->fd;
-            *custom_data = curr->custom_data;
-            return 1;
-        }
-        curr = curr->next;
-    }
-    return 0;
-}
-
-int ASYNC_WAIT_CTX_get_all_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *fd,
-                               size_t *numfds)
-{
-    struct fd_lookup_st *curr;
-
-    curr = ctx->fds;
-    *numfds = 0;
-    while (curr != NULL) {
-        if (curr->del) {
-            /* This one has been marked deleted so do nothing */
-            curr = curr->next;
-            continue;
-        }
-        if (fd != NULL) {
-            *fd = curr->fd;
-            fd++;
-        }
-        (*numfds)++;
-        curr = curr->next;
-    }
-    return 1;
-}
-
-int ASYNC_WAIT_CTX_get_changed_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *addfd,
-                                   size_t *numaddfds, OSSL_ASYNC_FD *delfd,
-                                   size_t *numdelfds)
-{
-    struct fd_lookup_st *curr;
-
-    *numaddfds = ctx->numadd;
-    *numdelfds = ctx->numdel;
-    if (addfd == NULL && delfd == NULL)
-        return 1;
-
-    curr = ctx->fds;
-
-    while (curr != NULL) {
-        /* We ignore fds that have been marked as both added and deleted */
-        if (curr->del && !curr->add && (delfd != NULL)) {
-            *delfd = curr->fd;
-            delfd++;
-        }
-        if (curr->add && !curr->del && (addfd != NULL)) {
-            *addfd = curr->fd;
-            addfd++;
-        }
-        curr = curr->next;
-    }
-
-    return 1;
-}
-
-int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key)
-{
-    struct fd_lookup_st *curr, *prev;
-
-    curr = ctx->fds;
-    prev = NULL;
-    while (curr != NULL) {
-        if (curr->del == 1) {
-            /* This one has been marked deleted already so do nothing */
-            curr = curr->next;
-            continue;
-        }
-        if (curr->key == key) {
-            /* If fd has just been added, remove it from the list */
-            if (curr->add == 1) {
-                if (ctx->fds == curr) {
-                    ctx->fds = curr->next;
-                } else {
-                    prev->next = curr->next;
-                }
-
-                /* It is responsibility of the caller to cleanup before calling
-                 * ASYNC_WAIT_CTX_clear_fd
-                 */
-                OPENSSL_free(curr);
-                ctx->numadd--;
-                return 1;
-            }
-
-            /*
-             * Mark it as deleted. We don't call cleanup if explicitly asked
-             * to clear an fd. We assume the caller is going to do that (if
-             * appropriate).
-             */
-            curr->del = 1;
-            ctx->numdel++;
-            return 1;
-        }
-        prev = curr;
-        curr = curr->next;
-    }
-    return 0;
-}
-
-void async_wait_ctx_reset_counts(ASYNC_WAIT_CTX *ctx)
-{
-    struct fd_lookup_st *curr, *prev = NULL;
-
-    ctx->numadd = 0;
-    ctx->numdel = 0;
-
-    curr = ctx->fds;
-
-    while (curr != NULL) {
-        if (curr->del) {
-            if (prev == NULL)
-                ctx->fds = curr->next;
-            else
-                prev->next = curr->next;
-            OPENSSL_free(curr);
-            if (prev == NULL)
-                curr = ctx->fds;
-            else
-                curr = prev->next;
-            continue;
-        }
-        if (curr->add) {
-            curr->add = 0;
-        }
-        prev = curr;
-        curr = curr->next;
-    }
-}
diff --git a/Cryptlib/OpenSSL/crypto/bio/b_addr.c b/Cryptlib/OpenSSL/crypto/bio/b_addr.c
deleted file mode 100644
index 0f1900db..00000000
--- a/Cryptlib/OpenSSL/crypto/bio/b_addr.c
+++ /dev/null
@@ -1,897 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-
-#include "bio_lcl.h"
-#include <openssl/crypto.h>
-
-#ifndef OPENSSL_NO_SOCK
-#include <openssl/err.h>
-#include <openssl/buffer.h>
-#include <internal/thread_once.h>
-#include <ctype.h>
-
-#ifdef _HPUX_SOURCE
-static const char *ossl_hstrerror(int herr)
-{
-    switch (herr) {
-    case -1:
-        return strerror(errno);
-    case 0:
-        return "No error";
-    case HOST_NOT_FOUND:
-        return "Host not found";
-    case NO_DATA:                /* NO_ADDRESS is a synonym */
-        return "No data";
-    case NO_RECOVERY:
-        return "Non recoverable error";
-    case TRY_AGAIN:
-        return "Try again";
-    default:
-        break;
-    }
-    return "unknown error";
-}
-# define hstrerror(e) ossl_hstrerror(e)
-#endif
-
-CRYPTO_RWLOCK *bio_lookup_lock;
-static CRYPTO_ONCE bio_lookup_init = CRYPTO_ONCE_STATIC_INIT;
-
-/*
- * Throughout this file and bio_lcl.h, the existence of the macro
- * AI_PASSIVE is used to detect the availability of struct addrinfo,
- * getnameinfo() and getaddrinfo().  If that macro doesn't exist,
- * we use our own implementation instead, using gethostbyname,
- * getservbyname and a few other.
- */
-
-/**********************************************************************
- *
- * Address structure
- *
- */
-
-BIO_ADDR *BIO_ADDR_new(void)
-{
-    BIO_ADDR *ret = OPENSSL_zalloc(sizeof(*ret));
-
-    if (ret == NULL) {
-        BIOerr(BIO_F_BIO_ADDR_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    ret->sa.sa_family = AF_UNSPEC;
-    return ret;
-}
-
-void BIO_ADDR_free(BIO_ADDR *ap)
-{
-    OPENSSL_free(ap);
-}
-
-void BIO_ADDR_clear(BIO_ADDR *ap)
-{
-    memset(ap, 0, sizeof(*ap));
-    ap->sa.sa_family = AF_UNSPEC;
-}
-
-/*
- * BIO_ADDR_make - non-public routine to fill a BIO_ADDR with the contents
- * of a struct sockaddr.
- */
-int BIO_ADDR_make(BIO_ADDR *ap, const struct sockaddr *sa)
-{
-    if (sa->sa_family == AF_INET) {
-        ap->s_in = *(const struct sockaddr_in *)sa;
-        return 1;
-    }
-#ifdef AF_INET6
-    if (sa->sa_family == AF_INET6) {
-        ap->s_in6 = *(const struct sockaddr_in6 *)sa;
-        return 1;
-    }
-#endif
-#ifdef AF_UNIX
-    if (ap->sa.sa_family == AF_UNIX) {
-        ap->s_un = *(const struct sockaddr_un *)sa;
-        return 1;
-    }
-#endif
-
-    return 0;
-}
-
-int BIO_ADDR_rawmake(BIO_ADDR *ap, int family,
-                     const void *where, size_t wherelen,
-                     unsigned short port)
-{
-#ifdef AF_UNIX
-    if (family == AF_UNIX) {
-        if (wherelen + 1 > sizeof(ap->s_un.sun_path))
-            return 0;
-        memset(&ap->s_un, 0, sizeof(ap->s_un));
-        ap->s_un.sun_family = family;
-        strncpy(ap->s_un.sun_path, where, sizeof(ap->s_un.sun_path) - 1);
-        return 1;
-    }
-#endif
-    if (family == AF_INET) {
-        if (wherelen != sizeof(struct in_addr))
-            return 0;
-        memset(&ap->s_in, 0, sizeof(ap->s_in));
-        ap->s_in.sin_family = family;
-        ap->s_in.sin_port = port;
-        ap->s_in.sin_addr = *(struct in_addr *)where;
-        return 1;
-    }
-#ifdef AF_INET6
-    if (family == AF_INET6) {
-        if (wherelen != sizeof(struct in6_addr))
-            return 0;
-        memset(&ap->s_in6, 0, sizeof(ap->s_in6));
-        ap->s_in6.sin6_family = family;
-        ap->s_in6.sin6_port = port;
-        ap->s_in6.sin6_addr = *(struct in6_addr *)where;
-        return 1;
-    }
-#endif
-
-    return 0;
-}
-
-int BIO_ADDR_family(const BIO_ADDR *ap)
-{
-    return ap->sa.sa_family;
-}
-
-int BIO_ADDR_rawaddress(const BIO_ADDR *ap, void *p, size_t *l)
-{
-    size_t len = 0;
-    const void *addrptr = NULL;
-
-    if (ap->sa.sa_family == AF_INET) {
-        len = sizeof(ap->s_in.sin_addr);
-        addrptr = &ap->s_in.sin_addr;
-    }
-#ifdef AF_INET6
-    else if (ap->sa.sa_family == AF_INET6) {
-        len = sizeof(ap->s_in6.sin6_addr);
-        addrptr = &ap->s_in6.sin6_addr;
-    }
-#endif
-#ifdef AF_UNIX
-    else if (ap->sa.sa_family == AF_UNIX) {
-        len = strlen(ap->s_un.sun_path);
-        addrptr = &ap->s_un.sun_path;
-    }
-#endif
-
-    if (addrptr == NULL)
-        return 0;
-
-    if (p != NULL) {
-        memcpy(p, addrptr, len);
-    }
-    if (l != NULL)
-        *l = len;
-
-    return 1;
-}
-
-unsigned short BIO_ADDR_rawport(const BIO_ADDR *ap)
-{
-    if (ap->sa.sa_family == AF_INET)
-        return ap->s_in.sin_port;
-#ifdef AF_INET6
-    if (ap->sa.sa_family == AF_INET6)
-        return ap->s_in6.sin6_port;
-#endif
-    return 0;
-}
-
-/*-
- * addr_strings - helper function to get host and service names
- * @ap: the BIO_ADDR that has the input info
- * @numeric: 0 if actual names should be returned, 1 if the numeric
- * representation should be returned.
- * @hostname: a pointer to a pointer to a memory area to store the
- * host name or numeric representation.  Unused if NULL.
- * @service: a pointer to a pointer to a memory area to store the
- * service name or numeric representation.  Unused if NULL.
- *
- * The return value is 0 on failure, with the error code in the error
- * stack, and 1 on success.
- */
-static int addr_strings(const BIO_ADDR *ap, int numeric,
-                        char **hostname, char **service)
-{
-    if (BIO_sock_init() != 1)
-        return 0;
-
-    if (1) {
-#ifdef AI_PASSIVE
-        int ret = 0;
-        char host[NI_MAXHOST] = "", serv[NI_MAXSERV] = "";
-        int flags = 0;
-
-        if (numeric)
-            flags |= NI_NUMERICHOST | NI_NUMERICSERV;
-
-        if ((ret = getnameinfo(BIO_ADDR_sockaddr(ap),
-                               BIO_ADDR_sockaddr_size(ap),
-                               host, sizeof(host), serv, sizeof(serv),
-                               flags)) != 0) {
-# ifdef EAI_SYSTEM
-            if (ret == EAI_SYSTEM) {
-                SYSerr(SYS_F_GETNAMEINFO, get_last_socket_error());
-                BIOerr(BIO_F_ADDR_STRINGS, ERR_R_SYS_LIB);
-            } else
-# endif
-            {
-                BIOerr(BIO_F_ADDR_STRINGS, ERR_R_SYS_LIB);
-                ERR_add_error_data(1, gai_strerror(ret));
-            }
-            return 0;
-        }
-
-        /* VMS getnameinfo() has a bug, it doesn't fill in serv, which
-         * leaves it with whatever garbage that happens to be there.
-         * However, we initialise serv with the empty string (serv[0]
-         * is therefore NUL), so it gets real easy to detect when things
-         * didn't go the way one might expect.
-         */
-        if (serv[0] == '\0') {
-            BIO_snprintf(serv, sizeof(serv), "%d",
-                         ntohs(BIO_ADDR_rawport(ap)));
-        }
-
-        if (hostname != NULL)
-            *hostname = OPENSSL_strdup(host);
-        if (service != NULL)
-            *service = OPENSSL_strdup(serv);
-    } else {
-#endif
-        if (hostname != NULL)
-            *hostname = OPENSSL_strdup(inet_ntoa(ap->s_in.sin_addr));
-        if (service != NULL) {
-            char serv[6];        /* port is 16 bits => max 5 decimal digits */
-            BIO_snprintf(serv, sizeof(serv), "%d", ntohs(ap->s_in.sin_port));
-            *service = OPENSSL_strdup(serv);
-        }
-    }
-
-    if ((hostname != NULL && *hostname == NULL)
-            || (service != NULL && *service == NULL)) {
-        if (hostname != NULL) {
-            OPENSSL_free(*hostname);
-            *hostname = NULL;
-        }
-        if (service != NULL) {
-            OPENSSL_free(*service);
-            *service = NULL;
-        }
-        BIOerr(BIO_F_ADDR_STRINGS, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
-    return 1;
-}
-
-char *BIO_ADDR_hostname_string(const BIO_ADDR *ap, int numeric)
-{
-    char *hostname = NULL;
-
-    if (addr_strings(ap, numeric, &hostname, NULL))
-        return hostname;
-
-    return NULL;
-}
-
-char *BIO_ADDR_service_string(const BIO_ADDR *ap, int numeric)
-{
-    char *service = NULL;
-
-    if (addr_strings(ap, numeric, NULL, &service))
-        return service;
-
-    return NULL;
-}
-
-char *BIO_ADDR_path_string(const BIO_ADDR *ap)
-{
-#ifdef AF_UNIX
-    if (ap->sa.sa_family == AF_UNIX)
-        return OPENSSL_strdup(ap->s_un.sun_path);
-#endif
-    return NULL;
-}
-
-/*
- * BIO_ADDR_sockaddr - non-public routine to return the struct sockaddr
- * for a given BIO_ADDR.  In reality, this is simply a type safe cast.
- * The returned struct sockaddr is const, so it can't be tampered with.
- */
-const struct sockaddr *BIO_ADDR_sockaddr(const BIO_ADDR *ap)
-{
-    return &(ap->sa);
-}
-
-/*
- * BIO_ADDR_sockaddr_noconst - non-public function that does the same
- * as BIO_ADDR_sockaddr, but returns a non-const.  USE WITH CARE, as
- * it allows you to tamper with the data (and thereby the contents
- * of the input BIO_ADDR).
- */
-struct sockaddr *BIO_ADDR_sockaddr_noconst(BIO_ADDR *ap)
-{
-    return &(ap->sa);
-}
-
-/*
- * BIO_ADDR_sockaddr_size - non-public function that returns the size
- * of the struct sockaddr the BIO_ADDR is using.  If the protocol family
- * isn't set or is something other than AF_INET, AF_INET6 or AF_UNIX,
- * the size of the BIO_ADDR type is returned.
- */
-socklen_t BIO_ADDR_sockaddr_size(const BIO_ADDR *ap)
-{
-    if (ap->sa.sa_family == AF_INET)
-        return sizeof(ap->s_in);
-#ifdef AF_INET6
-    if (ap->sa.sa_family == AF_INET6)
-        return sizeof(ap->s_in6);
-#endif
-#ifdef AF_UNIX
-    if (ap->sa.sa_family == AF_UNIX)
-        return sizeof(ap->s_un);
-#endif
-    return sizeof(*ap);
-}
-
-/**********************************************************************
- *
- * Address info database
- *
- */
-
-const BIO_ADDRINFO *BIO_ADDRINFO_next(const BIO_ADDRINFO *bai)
-{
-    if (bai != NULL)
-        return bai->bai_next;
-    return NULL;
-}
-
-int BIO_ADDRINFO_family(const BIO_ADDRINFO *bai)
-{
-    if (bai != NULL)
-        return bai->bai_family;
-    return 0;
-}
-
-int BIO_ADDRINFO_socktype(const BIO_ADDRINFO *bai)
-{
-    if (bai != NULL)
-        return bai->bai_socktype;
-    return 0;
-}
-
-int BIO_ADDRINFO_protocol(const BIO_ADDRINFO *bai)
-{
-    if (bai != NULL) {
-        if (bai->bai_protocol != 0)
-            return bai->bai_protocol;
-
-#ifdef AF_UNIX
-        if (bai->bai_family == AF_UNIX)
-            return 0;
-#endif
-
-        switch (bai->bai_socktype) {
-        case SOCK_STREAM:
-            return IPPROTO_TCP;
-        case SOCK_DGRAM:
-            return IPPROTO_UDP;
-        default:
-            break;
-        }
-    }
-    return 0;
-}
-
-/*
- * BIO_ADDRINFO_sockaddr_size - non-public function that returns the size
- * of the struct sockaddr inside the BIO_ADDRINFO.
- */
-socklen_t BIO_ADDRINFO_sockaddr_size(const BIO_ADDRINFO *bai)
-{
-    if (bai != NULL)
-        return bai->bai_addrlen;
-    return 0;
-}
-
-/*
- * BIO_ADDRINFO_sockaddr - non-public function that returns bai_addr
- * as the struct sockaddr it is.
- */
-const struct sockaddr *BIO_ADDRINFO_sockaddr(const BIO_ADDRINFO *bai)
-{
-    if (bai != NULL)
-        return bai->bai_addr;
-    return NULL;
-}
-
-const BIO_ADDR *BIO_ADDRINFO_address(const BIO_ADDRINFO *bai)
-{
-    if (bai != NULL)
-        return (BIO_ADDR *)bai->bai_addr;
-    return NULL;
-}
-
-void BIO_ADDRINFO_free(BIO_ADDRINFO *bai)
-{
-    if (bai == NULL)
-        return;
-
-#ifdef AI_PASSIVE
-# ifdef AF_UNIX
-#  define _cond bai->bai_family != AF_UNIX
-# else
-#  define _cond 1
-# endif
-    if (_cond) {
-        freeaddrinfo(bai);
-        return;
-    }
-#endif
-
-    /* Free manually when we know that addrinfo_wrap() was used.
-     * See further comment above addrinfo_wrap()
-     */
-    while (bai != NULL) {
-        BIO_ADDRINFO *next = bai->bai_next;
-        OPENSSL_free(bai->bai_addr);
-        OPENSSL_free(bai);
-        bai = next;
-    }
-}
-
-/**********************************************************************
- *
- * Service functions
- *
- */
-
-/*-
- * The specs in hostserv can take these forms:
- *
- * host:service         => *host = "host", *service = "service"
- * host:*               => *host = "host", *service = NULL
- * host:                => *host = "host", *service = NULL
- * :service             => *host = NULL, *service = "service"
- * *:service            => *host = NULL, *service = "service"
- *
- * in case no : is present in the string, the result depends on
- * hostserv_prio, as follows:
- *
- * when hostserv_prio == BIO_PARSE_PRIO_HOST
- * host                 => *host = "host", *service untouched
- *
- * when hostserv_prio == BIO_PARSE_PRIO_SERV
- * service              => *host untouched, *service = "service"
- *
- */
-int BIO_parse_hostserv(const char *hostserv, char **host, char **service,
-                       enum BIO_hostserv_priorities hostserv_prio)
-{
-    const char *h = NULL; size_t hl = 0;
-    const char *p = NULL; size_t pl = 0;
-
-    if (*hostserv == '[') {
-        if ((p = strchr(hostserv, ']')) == NULL)
-            goto spec_err;
-        h = hostserv + 1;
-        hl = p - h;
-        p++;
-        if (*p == '\0')
-            p = NULL;
-        else if (*p != ':')
-            goto spec_err;
-        else {
-            p++;
-            pl = strlen(p);
-        }
-    } else {
-        const char *p2 = strrchr(hostserv, ':');
-        p = strchr(hostserv, ':');
-
-        /*-
-         * Check for more than one colon.  There are three possible
-         * interpretations:
-         * 1. IPv6 address with port number, last colon being separator.
-         * 2. IPv6 address only.
-         * 3. IPv6 address only if hostserv_prio == BIO_PARSE_PRIO_HOST,
-         *    IPv6 address and port number if hostserv_prio == BIO_PARSE_PRIO_SERV
-         * Because of this ambiguity, we currently choose to make it an
-         * error.
-         */
-        if (p != p2)
-            goto amb_err;
-
-        if (p != NULL) {
-            h = hostserv;
-            hl = p - h;
-            p++;
-            pl = strlen(p);
-        } else if (hostserv_prio == BIO_PARSE_PRIO_HOST) {
-            h = hostserv;
-            hl = strlen(h);
-        } else {
-            p = hostserv;
-            pl = strlen(p);
-        }
-    }
-
-    if (p != NULL && strchr(p, ':'))
-        goto spec_err;
-
-    if (h != NULL && host != NULL) {
-        if (hl == 0
-            || (hl == 1 && h[0] == '*')) {
-            *host = NULL;
-        } else {
-            *host = OPENSSL_strndup(h, hl);
-            if (*host == NULL)
-                goto memerr;
-        }
-    }
-    if (p != NULL && service != NULL) {
-        if (pl == 0
-            || (pl == 1 && p[0] == '*')) {
-            *service = NULL;
-        } else {
-            *service = OPENSSL_strndup(p, pl);
-            if (*service == NULL)
-                goto memerr;
-        }
-    }
-
-    return 1;
- amb_err:
-    BIOerr(BIO_F_BIO_PARSE_HOSTSERV, BIO_R_AMBIGUOUS_HOST_OR_SERVICE);
-    return 0;
- spec_err:
-    BIOerr(BIO_F_BIO_PARSE_HOSTSERV, BIO_R_MALFORMED_HOST_OR_SERVICE);
-    return 0;
- memerr:
-    BIOerr(BIO_F_BIO_PARSE_HOSTSERV, ERR_R_MALLOC_FAILURE);
-    return 0;
-}
-
-/* addrinfo_wrap is used to build our own addrinfo "chain".
- * (it has only one entry, so calling it a chain may be a stretch)
- * It should ONLY be called when getaddrinfo() and friends
- * aren't available, OR when dealing with a non IP protocol
- * family, such as AF_UNIX
- *
- * the return value is 1 on success, or 0 on failure, which
- * only happens if a memory allocation error occurred.
- */
-static int addrinfo_wrap(int family, int socktype,
-                         const void *where, size_t wherelen,
-                         unsigned short port,
-                         BIO_ADDRINFO **bai)
-{
-    OPENSSL_assert(bai != NULL);
-
-    *bai = OPENSSL_zalloc(sizeof(**bai));
-    if (*bai == NULL)
-        return 0;
-
-    (*bai)->bai_family = family;
-    (*bai)->bai_socktype = socktype;
-    if (socktype == SOCK_STREAM)
-        (*bai)->bai_protocol = IPPROTO_TCP;
-    if (socktype == SOCK_DGRAM)
-        (*bai)->bai_protocol = IPPROTO_UDP;
-#ifdef AF_UNIX
-    if (family == AF_UNIX)
-        (*bai)->bai_protocol = 0;
-#endif
-    {
-        /* Magic: We know that BIO_ADDR_sockaddr_noconst is really
-           just an advanced cast of BIO_ADDR* to struct sockaddr *
-           by the power of union, so while it may seem that we're
-           creating a memory leak here, we are not.  It will be
-           all right. */
-        BIO_ADDR *addr = BIO_ADDR_new();
-        if (addr != NULL) {
-            BIO_ADDR_rawmake(addr, family, where, wherelen, port);
-            (*bai)->bai_addr = BIO_ADDR_sockaddr_noconst(addr);
-        }
-    }
-    (*bai)->bai_next = NULL;
-    if ((*bai)->bai_addr == NULL) {
-        BIO_ADDRINFO_free(*bai);
-        *bai = NULL;
-        return 0;
-    }
-    return 1;
-}
-
-DEFINE_RUN_ONCE_STATIC(do_bio_lookup_init)
-{
-    OPENSSL_init_crypto(0, NULL);
-    bio_lookup_lock = CRYPTO_THREAD_lock_new();
-    return bio_lookup_lock != NULL;
-}
-
-/*-
- * BIO_lookup - look up the node and service you want to connect to.
- * @node: the node you want to connect to.
- * @service: the service you want to connect to.
- * @lookup_type: declare intent with the result, client or server.
- * @family: the address family you want to use.  Use AF_UNSPEC for any, or
- *  AF_INET, AF_INET6 or AF_UNIX.
- * @socktype: The socket type you want to use.  Can be SOCK_STREAM, SOCK_DGRAM
- *  or 0 for all.
- * @res: Storage place for the resulting list of returned addresses
- *
- * This will do a lookup of the node and service that you want to connect to.
- * It returns a linked list of different addresses you can try to connect to.
- *
- * When no longer needed you should call BIO_ADDRINFO_free() to free the result.
- *
- * The return value is 1 on success or 0 in case of error.
- */
-int BIO_lookup(const char *host, const char *service,
-               enum BIO_lookup_type lookup_type,
-               int family, int socktype, BIO_ADDRINFO **res)
-{
-    int ret = 0;                 /* Assume failure */
-
-    switch(family) {
-    case AF_INET:
-#ifdef AF_INET6
-    case AF_INET6:
-#endif
-#ifdef AF_UNIX
-    case AF_UNIX:
-#endif
-#ifdef AF_UNSPEC
-    case AF_UNSPEC:
-#endif
-        break;
-    default:
-        BIOerr(BIO_F_BIO_LOOKUP, BIO_R_UNSUPPORTED_PROTOCOL_FAMILY);
-        return 0;
-    }
-
-#ifdef AF_UNIX
-    if (family == AF_UNIX) {
-        if (addrinfo_wrap(family, socktype, host, strlen(host), 0, res))
-            return 1;
-        else
-            BIOerr(BIO_F_BIO_LOOKUP, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-#endif
-
-    if (BIO_sock_init() != 1)
-        return 0;
-
-    if (1) {
-        int gai_ret = 0;
-#ifdef AI_PASSIVE
-        struct addrinfo hints;
-        memset(&hints, 0, sizeof hints);
-
-        hints.ai_family = family;
-        hints.ai_socktype = socktype;
-
-        if (lookup_type == BIO_LOOKUP_SERVER)
-            hints.ai_flags |= AI_PASSIVE;
-
-        /* Note that |res| SHOULD be a 'struct addrinfo **' thanks to
-         * macro magic in bio_lcl.h
-         */
-        switch ((gai_ret = getaddrinfo(host, service, &hints, res))) {
-# ifdef EAI_SYSTEM
-        case EAI_SYSTEM:
-            SYSerr(SYS_F_GETADDRINFO, get_last_socket_error());
-            BIOerr(BIO_F_BIO_LOOKUP, ERR_R_SYS_LIB);
-            break;
-# endif
-        case 0:
-            ret = 1;             /* Success */
-            break;
-        default:
-            BIOerr(BIO_F_BIO_LOOKUP, ERR_R_SYS_LIB);
-            ERR_add_error_data(1, gai_strerror(gai_ret));
-            break;
-        }
-    } else {
-#endif
-        const struct hostent *he;
-/*
- * Because struct hostent is defined for 32-bit pointers only with
- * VMS C, we need to make sure that '&he_fallback_address' and
- * '&he_fallback_addresses' are 32-bit pointers
- */
-#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-# pragma pointer_size save
-# pragma pointer_size 32
-#endif
-        /* Windows doesn't seem to have in_addr_t */
-#ifdef OPENSSL_SYS_WINDOWS
-        static uint32_t he_fallback_address;
-        static const char *he_fallback_addresses[] =
-            { (char *)&he_fallback_address, NULL };
-#else
-        static in_addr_t he_fallback_address;
-        static const char *he_fallback_addresses[] =
-            { (char *)&he_fallback_address, NULL };
-#endif
-        static const struct hostent he_fallback =
-            { NULL, NULL, AF_INET, sizeof(he_fallback_address),
-              (char **)&he_fallback_addresses };
-#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-# pragma pointer_size restore
-#endif
-
-        struct servent *se;
-        /* Apparently, on WIN64, s_proto and s_port have traded places... */
-#ifdef _WIN64
-        struct servent se_fallback = { NULL, NULL, NULL, 0 };
-#else
-        struct servent se_fallback = { NULL, NULL, 0, NULL };
-#endif
-
-        if (!RUN_ONCE(&bio_lookup_init, do_bio_lookup_init)) {
-            BIOerr(BIO_F_BIO_LOOKUP, ERR_R_MALLOC_FAILURE);
-            ret = 0;
-            goto err;
-        }
-
-        CRYPTO_THREAD_write_lock(bio_lookup_lock);
-        he_fallback_address = INADDR_ANY;
-        if (host == NULL) {
-            he = &he_fallback;
-            switch(lookup_type) {
-            case BIO_LOOKUP_CLIENT:
-                he_fallback_address = INADDR_LOOPBACK;
-                break;
-            case BIO_LOOKUP_SERVER:
-                he_fallback_address = INADDR_ANY;
-                break;
-            default:
-                OPENSSL_assert(("We forgot to handle a lookup type!" == 0));
-                break;
-            }
-        } else {
-            he = gethostbyname(host);
-
-            if (he == NULL) {
-#ifndef OPENSSL_SYS_WINDOWS
-                BIOerr(BIO_F_BIO_LOOKUP, ERR_R_SYS_LIB);
-                ERR_add_error_data(1, hstrerror(h_errno));
-#else
-                SYSerr(SYS_F_GETHOSTBYNAME, WSAGetLastError());
-#endif
-                ret = 0;
-                goto err;
-            }
-        }
-
-        if (service == NULL) {
-            se_fallback.s_port = 0;
-            se_fallback.s_proto = NULL;
-            se = &se_fallback;
-        } else {
-            char *endp = NULL;
-            long portnum = strtol(service, &endp, 10);
-
-/*
- * Because struct servent is defined for 32-bit pointers only with
- * VMS C, we need to make sure that 'proto' is a 32-bit pointer.
- */
-#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-# pragma pointer_size save
-# pragma pointer_size 32
-#endif
-            char *proto = NULL;
-#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-# pragma pointer_size restore
-#endif
-
-            switch (socktype) {
-            case SOCK_STREAM:
-                proto = "tcp";
-                break;
-            case SOCK_DGRAM:
-                proto = "udp";
-                break;
-            }
-
-            if (endp != service && *endp == '\0'
-                    && portnum > 0 && portnum < 65536) {
-                se_fallback.s_port = htons(portnum);
-                se_fallback.s_proto = proto;
-                se = &se_fallback;
-            } else if (endp == service) {
-                se = getservbyname(service, proto);
-
-                if (se == NULL) {
-#ifndef OPENSSL_SYS_WINDOWS
-                    BIOerr(BIO_F_BIO_LOOKUP, ERR_R_SYS_LIB);
-                    ERR_add_error_data(1, hstrerror(h_errno));
-#else
-                    SYSerr(SYS_F_GETSERVBYNAME, WSAGetLastError());
-#endif
-                    goto err;
-                }
-            } else {
-                BIOerr(BIO_F_BIO_LOOKUP, BIO_R_MALFORMED_HOST_OR_SERVICE);
-                goto err;
-            }
-        }
-
-        *res = NULL;
-
-        {
-/*
- * Because hostent::h_addr_list is an array of 32-bit pointers with VMS C,
- * we must make sure our iterator designates the same element type, hence
- * the pointer size dance.
- */
-#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-# pragma pointer_size save
-# pragma pointer_size 32
-#endif
-            char **addrlistp;
-#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-# pragma pointer_size restore
-#endif
-            size_t addresses;
-            BIO_ADDRINFO *tmp_bai = NULL;
-
-            /* The easiest way to create a linked list from an
-               array is to start from the back */
-            for(addrlistp = he->h_addr_list; *addrlistp != NULL;
-                addrlistp++)
-                ;
-
-            for(addresses = addrlistp - he->h_addr_list;
-                addrlistp--, addresses-- > 0; ) {
-                if (!addrinfo_wrap(he->h_addrtype, socktype,
-                                   *addrlistp, he->h_length,
-                                   se->s_port, &tmp_bai))
-                    goto addrinfo_malloc_err;
-                tmp_bai->bai_next = *res;
-                *res = tmp_bai;
-                continue;
-             addrinfo_malloc_err:
-                BIO_ADDRINFO_free(*res);
-                *res = NULL;
-                BIOerr(BIO_F_BIO_LOOKUP, ERR_R_MALLOC_FAILURE);
-                ret = 0;
-                goto err;
-            }
-
-            ret = 1;
-        }
-     err:
-        CRYPTO_THREAD_unlock(bio_lookup_lock);
-    }
-
-    return ret;
-}
-
-#endif /* OPENSSL_NO_SOCK */
diff --git a/Cryptlib/OpenSSL/crypto/bio/b_dump.c b/Cryptlib/OpenSSL/crypto/bio/b_dump.c
index a27954fa..ccf0e287 100644
--- a/Cryptlib/OpenSSL/crypto/bio/b_dump.c
+++ b/Cryptlib/OpenSSL/crypto/bio/b_dump.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/b_dump.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /*
@@ -12,6 +61,7 @@
  */
 
 #include <stdio.h>
+#include "cryptlib.h"
 #include "bio_lcl.h"
 
 #define TRUNCATE
@@ -54,20 +104,20 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u),
     if ((rows * dump_width) < len)
         rows++;
     for (i = 0; i < rows; i++) {
-        OPENSSL_strlcpy(buf, str, sizeof buf);
+        BUF_strlcpy(buf, str, sizeof buf);
         BIO_snprintf(tmp, sizeof tmp, "%04x - ", i * dump_width);
-        OPENSSL_strlcat(buf, tmp, sizeof buf);
+        BUF_strlcat(buf, tmp, sizeof buf);
         for (j = 0; j < dump_width; j++) {
             if (((i * dump_width) + j) >= len) {
-                OPENSSL_strlcat(buf, "   ", sizeof buf);
+                BUF_strlcat(buf, "   ", sizeof buf);
             } else {
                 ch = ((unsigned char)*(s + i * dump_width + j)) & 0xff;
                 BIO_snprintf(tmp, sizeof tmp, "%02x%c", ch,
                              j == 7 ? '-' : ' ');
-                OPENSSL_strlcat(buf, tmp, sizeof buf);
+                BUF_strlcat(buf, tmp, sizeof buf);
             }
         }
-        OPENSSL_strlcat(buf, "  ", sizeof buf);
+        BUF_strlcat(buf, "  ", sizeof buf);
         for (j = 0; j < dump_width; j++) {
             if (((i * dump_width) + j) >= len)
                 break;
@@ -81,9 +131,9 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u),
                          ? os_toebcdic[ch]
                          : '.');
 #endif
-            OPENSSL_strlcat(buf, tmp, sizeof buf);
+            BUF_strlcat(buf, tmp, sizeof buf);
         }
-        OPENSSL_strlcat(buf, "\n", sizeof buf);
+        BUF_strlcat(buf, "\n", sizeof buf);
         /*
          * if this is the last call then update the ddt_dump thing so that we
          * will move the selection point in the debug window
@@ -100,7 +150,7 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u),
     return (ret);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 static int write_fp(const void *data, size_t len, void *fp)
 {
     return UP_fwrite(data, len, 1, fp);
diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c
index f33caa2c..29da9036 100644
--- a/Cryptlib/OpenSSL/crypto/bio/b_print.c
+++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c
@@ -1,17 +1,78 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/b_print.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* disable assert() unless BIO_DEBUG has been defined */
+#ifndef BIO_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+
+/*
+ * Stolen from tjh's ssl/ssl_trc.c stuff.
  */
 
 #include <stdio.h>
 #include <string.h>
 #include <ctype.h>
-#include "internal/numbers.h"
-#include "internal/cryptlib.h"
+#include <assert.h>
+#include <limits.h>
+#include "cryptlib.h"
 #ifndef NO_SYS_TYPES_H
 # include <sys/types.h>
 #endif
@@ -24,6 +85,8 @@
 # endif
 #endif
 
+/***************************************************************************/
+
 /*
  * Copyright Patrick Powell 1995
  * This code is based on code written by Patrick Powell <papowell@astart.com>
@@ -31,6 +94,21 @@
  * on all source code distributions.
  */
 
+/*-
+ * This code contains numerious changes and enhancements which were
+ * made by lots of contributors over the last years to Patrick Powell's
+ * original code:
+ *
+ * o Patrick Powell <papowell@astart.com>      (1995)
+ * o Brandon Long <blong@fiction.net>          (1996, for Mutt)
+ * o Thomas Roessler <roessler@guug.de>        (1998, for Mutt)
+ * o Michael Elkins <me@cs.hmc.edu>            (1998, for Mutt)
+ * o Andrew Tridgell <tridge@samba.org>        (1998, for Samba)
+ * o Luke Mewburn <lukem@netbsd.org>           (1999, for LukemFTP)
+ * o Ralf S. Engelschall <rse@engelschall.com> (1999, for Pth)
+ * o ...                                       (for OpenSSL)
+ */
+
 #ifdef HAVE_LONG_DOUBLE
 # define LDOUBLE long double
 #else
@@ -53,12 +131,12 @@ static int fmtint(char **, char **, size_t *, size_t *,
                   LLONG, int, int, int, int);
 #ifndef OPENSSL_SYS_UEFI
 static int fmtfp(char **, char **, size_t *, size_t *,
-                 LDOUBLE, int, int, int, int);
+                 LDOUBLE, int, int, int);
 #endif
 static int doapr_outch(char **, char **, size_t *, size_t *, int);
-static int _dopr(char **sbuffer, char **buffer,
-                 size_t *maxlen, size_t *retlen, int *truncated,
-                 const char *format, va_list args);
+static int EFIAPI _dopr(char **sbuffer, char **buffer,
+			size_t *maxlen, size_t *retlen, int *truncated,
+			const char *format, ms_va_list args);
 
 /* format read states */
 #define DP_S_DEFAULT    0
@@ -71,19 +149,12 @@ static int _dopr(char **sbuffer, char **buffer,
 #define DP_S_DONE       7
 
 /* format flags - Bits */
-/* left-aligned padding */
 #define DP_F_MINUS      (1 << 0)
-/* print an explicit '+' for a value with positive sign */
 #define DP_F_PLUS       (1 << 1)
-/* print an explicit ' ' for a value with positive sign */
 #define DP_F_SPACE      (1 << 2)
-/* print 0/0x prefix for octal/hex and decimal point for floating point */
 #define DP_F_NUM        (1 << 3)
-/* print leading zeroes */
 #define DP_F_ZERO       (1 << 4)
-/* print HEX in UPPPERcase */
 #define DP_F_UP         (1 << 5)
-/* treat value as unsigned */
 #define DP_F_UNSIGNED   (1 << 6)
 
 /* conversion flags */
@@ -92,20 +163,15 @@ static int _dopr(char **sbuffer, char **buffer,
 #define DP_C_LDOUBLE    3
 #define DP_C_LLONG      4
 
-/* Floating point formats */
-#define F_FORMAT        0
-#define E_FORMAT        1
-#define G_FORMAT        2
-
 /* some handy macros */
 #define char_to_int(p) (p - '0')
 #define OSSL_MAX(p,q) ((p >= q) ? p : q)
 
-static int
+static int EFIAPI
 _dopr(char **sbuffer,
       char **buffer,
       size_t *maxlen,
-      size_t *retlen, int *truncated, const char *format, va_list args)
+      size_t *retlen, int *truncated, const char *format, ms_va_list args)
 {
     char ch;
     LLONG value;
@@ -170,7 +236,7 @@ _dopr(char **sbuffer,
                 min = 10 * min + char_to_int(ch);
                 ch = *format++;
             } else if (ch == '*') {
-                min = va_arg(args, int);
+                min = ms_va_arg(args, int);
                 ch = *format++;
                 state = DP_S_DOT;
             } else
@@ -190,7 +256,7 @@ _dopr(char **sbuffer,
                 max = 10 * max + char_to_int(ch);
                 ch = *format++;
             } else if (ch == '*') {
-                max = va_arg(args, int);
+                max = ms_va_arg(args, int);
                 ch = *format++;
                 state = DP_S_MOD;
             } else
@@ -231,16 +297,16 @@ _dopr(char **sbuffer,
             case 'i':
                 switch (cflags) {
                 case DP_C_SHORT:
-                    value = (short int)va_arg(args, int);
+                    value = (short int)ms_va_arg(args, int);
                     break;
                 case DP_C_LONG:
-                    value = va_arg(args, long int);
+                    value = ms_va_arg(args, long int);
                     break;
                 case DP_C_LLONG:
-                    value = va_arg(args, LLONG);
+                    value = ms_va_arg(args, LLONG);
                     break;
                 default:
-                    value = va_arg(args, int);
+                    value = ms_va_arg(args, int);
                     break;
                 }
                 if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
@@ -256,16 +322,16 @@ _dopr(char **sbuffer,
                 flags |= DP_F_UNSIGNED;
                 switch (cflags) {
                 case DP_C_SHORT:
-                    value = (unsigned short int)va_arg(args, unsigned int);
+                    value = (unsigned short int)ms_va_arg(args, unsigned int);
                     break;
                 case DP_C_LONG:
-                    value = (LLONG) va_arg(args, unsigned long int);
+                    value = (LLONG) ms_va_arg(args, unsigned long int);
                     break;
                 case DP_C_LLONG:
-                    value = va_arg(args, unsigned LLONG);
+                    value = ms_va_arg(args, unsigned LLONG);
                     break;
                 default:
-                    value = (LLONG) va_arg(args, unsigned int);
+                    value = (LLONG) ms_va_arg(args, unsigned int);
                     break;
                 }
                 if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
@@ -276,43 +342,37 @@ _dopr(char **sbuffer,
 #ifndef OPENSSL_SYS_UEFI
             case 'f':
                 if (cflags == DP_C_LDOUBLE)
-                    fvalue = va_arg(args, LDOUBLE);
+                    fvalue = ms_va_arg(args, LDOUBLE);
                 else
-                    fvalue = va_arg(args, double);
+                    fvalue = ms_va_arg(args, double);
                 if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
-                           flags, F_FORMAT))
+                           flags))
                     return 0;
                 break;
             case 'E':
                 flags |= DP_F_UP;
             case 'e':
                 if (cflags == DP_C_LDOUBLE)
-                    fvalue = va_arg(args, LDOUBLE);
+                    fvalue = ms_va_arg(args, LDOUBLE);
                 else
-                    fvalue = va_arg(args, double);
-                if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
-                           flags, E_FORMAT))
-                    return 0;
+                    fvalue = ms_va_arg(args, double);
                 break;
             case 'G':
                 flags |= DP_F_UP;
             case 'g':
                 if (cflags == DP_C_LDOUBLE)
-                    fvalue = va_arg(args, LDOUBLE);
+                    fvalue = ms_va_arg(args, LDOUBLE);
                 else
-                    fvalue = va_arg(args, double);
-                if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
-                           flags, G_FORMAT))
-                    return 0;
+                    fvalue = ms_va_arg(args, double);
                 break;
 #endif
             case 'c':
                 if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
-                            va_arg(args, int)))
+                            ms_va_arg(args, int)))
                     return 0;
                 break;
             case 's':
-                strvalue = va_arg(args, char *);
+                strvalue = ms_va_arg(args, char *);
                 if (max < 0) {
                     if (buffer)
                         max = INT_MAX;
@@ -324,7 +384,7 @@ _dopr(char **sbuffer,
                     return 0;
                 break;
             case 'p':
-                value = (size_t)va_arg(args, void *);
+                value = (long)ms_va_arg(args, void *);
                 if (!fmtint(sbuffer, buffer, &currlen, maxlen,
                             value, 16, min, max, flags | DP_F_NUM))
                     return 0;
@@ -332,19 +392,19 @@ _dopr(char **sbuffer,
             case 'n':          /* XXX */
                 if (cflags == DP_C_SHORT) {
                     short int *num;
-                    num = va_arg(args, short int *);
+                    num = ms_va_arg(args, short int *);
                     *num = currlen;
                 } else if (cflags == DP_C_LONG) { /* XXX */
                     long int *num;
-                    num = va_arg(args, long int *);
+                    num = ms_va_arg(args, long int *);
                     *num = (long int)currlen;
                 } else if (cflags == DP_C_LLONG) { /* XXX */
                     LLONG *num;
-                    num = va_arg(args, LLONG *);
+                    num = ms_va_arg(args, LLONG *);
                     *num = (LLONG) currlen;
                 } else {
                     int *num;
-                    num = va_arg(args, int *);
+                    num = ms_va_arg(args, int *);
                     *num = currlen;
                 }
                 break;
@@ -399,37 +459,28 @@ fmtstr(char **sbuffer,
     if (value == 0)
         value = "<NULL>";
 
-    strln = OPENSSL_strnlen(value, max < 0 ? SIZE_MAX : (size_t)max);
+    strln = strlen(value);
+    if (strln > INT_MAX)
+        strln = INT_MAX;
 
     padlen = min - strln;
     if (min < 0 || padlen < 0)
         padlen = 0;
-    if (max >= 0) {
-        /*
-         * Calculate the maximum output including padding.
-         * Make sure max doesn't overflow into negativity
-         */
-        if (max < INT_MAX - padlen)
-            max += padlen;
-        else
-            max = INT_MAX;
-    }
     if (flags & DP_F_MINUS)
         padlen = -padlen;
 
-    while ((padlen > 0) && (max < 0 || cnt < max)) {
+    while ((padlen > 0) && (cnt < max)) {
         if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
             return 0;
         --padlen;
         ++cnt;
     }
-    while (strln > 0 && (max < 0 || cnt < max)) {
+    while (*value && (cnt < max)) {
         if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
             return 0;
-        --strln;
         ++cnt;
     }
-    while ((padlen < 0) && (max < 0 || cnt < max)) {
+    while ((padlen < 0) && (cnt < max)) {
         if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
             return 0;
         ++padlen;
@@ -459,7 +510,7 @@ fmtint(char **sbuffer,
     if (!(flags & DP_F_UNSIGNED)) {
         if (value < 0) {
             signvalue = '-';
-            uvalue = 0 - (unsigned LLONG)value;
+            uvalue = -value;
         } else if (flags & DP_F_PLUS)
             signvalue = '+';
         else if (flags & DP_F_SPACE)
@@ -571,28 +622,23 @@ static int
 fmtfp(char **sbuffer,
       char **buffer,
       size_t *currlen,
-      size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags, int style)
+      size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags)
 {
     int signvalue = 0;
     LDOUBLE ufvalue;
-    LDOUBLE tmpvalue;
     char iconvert[20];
     char fconvert[20];
-    char econvert[20];
     int iplace = 0;
     int fplace = 0;
-    int eplace = 0;
     int padlen = 0;
     int zpadlen = 0;
-    long exp = 0;
-    unsigned long intpart;
-    unsigned long fracpart;
-    unsigned long max10;
-    int realstyle;
+    long intpart;
+    long fracpart;
+    long max10;
 
     if (max < 0)
         max = 6;
-
+    ufvalue = abs_val(fvalue);
     if (fvalue < 0)
         signvalue = '-';
     else if (flags & DP_F_PLUS)
@@ -600,73 +646,7 @@ fmtfp(char **sbuffer,
     else if (flags & DP_F_SPACE)
         signvalue = ' ';
 
-    /*
-     * G_FORMAT sometimes prints like E_FORMAT and sometimes like F_FORMAT
-     * depending on the number to be printed. Work out which one it is and use
-     * that from here on.
-     */
-    if (style == G_FORMAT) {
-        if (fvalue == 0.0) {
-            realstyle = F_FORMAT;
-        } else if (fvalue < 0.0001) {
-            realstyle = E_FORMAT;
-        } else if ((max == 0 && fvalue >= 10)
-                    || (max > 0 && fvalue >= pow_10(max))) {
-            realstyle = E_FORMAT;
-        } else {
-            realstyle = F_FORMAT;
-        }
-    } else {
-        realstyle = style;
-    }
-
-    if (style != F_FORMAT) {
-        tmpvalue = fvalue;
-        /* Calculate the exponent */
-        if (fvalue != 0.0) {
-            while (tmpvalue < 1) {
-                tmpvalue *= 10;
-                exp--;
-            }
-            while (tmpvalue > 10) {
-                tmpvalue /= 10;
-                exp++;
-            }
-        }
-        if (style == G_FORMAT) {
-            /*
-             * In G_FORMAT the "precision" represents significant digits. We
-             * always have at least 1 significant digit.
-             */
-            if (max == 0)
-                max = 1;
-            /* Now convert significant digits to decimal places */
-            if (realstyle == F_FORMAT) {
-                max -= (exp + 1);
-                if (max < 0) {
-                    /*
-                     * Should not happen. If we're in F_FORMAT then exp < max?
-                     */
-                    return 0;
-                }
-            } else {
-                /*
-                 * In E_FORMAT there is always one significant digit in front
-                 * of the decimal point, so:
-                 * significant digits == 1 + decimal places
-                 */
-                max--;
-            }
-        }
-        if (realstyle == E_FORMAT)
-            fvalue = tmpvalue;
-    }
-    ufvalue = abs_val(fvalue);
-    if (ufvalue > ULONG_MAX) {
-        /* Number too big */
-        return 0;
-    }
-    intpart = (unsigned long)ufvalue;
+    intpart = (long)ufvalue;
 
     /*
      * sorry, we only support 9 digits past the decimal because of our
@@ -697,51 +677,16 @@ fmtfp(char **sbuffer,
     iconvert[iplace] = 0;
 
     /* convert fractional part */
-    while (fplace < max) {
-        if (style == G_FORMAT && fplace == 0 && (fracpart % 10) == 0) {
-            /* We strip trailing zeros in G_FORMAT */
-            max--;
-            fracpart = fracpart / 10;
-            if (fplace < max)
-                continue;
-            break;
-        }
+    do {
         fconvert[fplace++] = "0123456789"[fracpart % 10];
         fracpart = (fracpart / 10);
-    }
-
+    } while (fplace < max);
     if (fplace == sizeof fconvert)
         fplace--;
     fconvert[fplace] = 0;
 
-    /* convert exponent part */
-    if (realstyle == E_FORMAT) {
-        int tmpexp;
-        if (exp < 0)
-            tmpexp = -exp;
-        else
-            tmpexp = exp;
-
-        do {
-            econvert[eplace++] = "0123456789"[tmpexp % 10];
-            tmpexp = (tmpexp / 10);
-        } while (tmpexp > 0 && eplace < (int)sizeof(econvert));
-        /* Exponent is huge!! Too big to print */
-        if (tmpexp > 0)
-            return 0;
-        /* Add a leading 0 for single digit exponents */
-        if (eplace == 1)
-            econvert[eplace++] = '0';
-    }
-
-    /*
-     * -1 for decimal point (if we have one, i.e. max > 0),
-     * another -1 if we are printing a sign
-     */
-    padlen = min - iplace - max - (max > 0 ? 1 : 0) - ((signvalue) ? 1 : 0);
-    /* Take some off for exponent prefix "+e" and exponent */
-    if (realstyle == E_FORMAT)
-        padlen -= 2 + eplace;
+    /* -1 for decimal point, another -1 if we are printing a sign */
+    padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0);
     zpadlen = max - fplace;
     if (zpadlen < 0)
         zpadlen = 0;
@@ -795,28 +740,6 @@ fmtfp(char **sbuffer,
             return 0;
         --zpadlen;
     }
-    if (realstyle == E_FORMAT) {
-        char ech;
-
-        if ((flags & DP_F_UP) == 0)
-            ech = 'e';
-        else
-            ech = 'E';
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ech))
-                return 0;
-        if (exp < 0) {
-            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '-'))
-                    return 0;
-        } else {
-            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '+'))
-                    return 0;
-        }
-        while (eplace > 0) {
-            if (!doapr_outch(sbuffer, buffer, currlen, maxlen,
-                             econvert[--eplace]))
-                return 0;
-        }
-    }
 
     while (padlen < 0) {
         if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
@@ -834,10 +757,10 @@ doapr_outch(char **sbuffer,
             char **buffer, size_t *currlen, size_t *maxlen, int c)
 {
     /* If we haven't at least one buffer, someone has doe a big booboo */
-    OPENSSL_assert(*sbuffer != NULL || buffer != NULL);
+    assert(*sbuffer != NULL || buffer != NULL);
 
     /* |currlen| must always be <= |*maxlen| */
-    OPENSSL_assert(*currlen <= *maxlen);
+    assert(*currlen <= *maxlen);
 
     if (buffer && *currlen == *maxlen) {
         if (*maxlen > INT_MAX - BUFFER_INC)
@@ -849,7 +772,7 @@ doapr_outch(char **sbuffer,
             if (*buffer == NULL)
                 return 0;
             if (*currlen > 0) {
-                OPENSSL_assert(*sbuffer != NULL);
+                assert(*sbuffer != NULL);
                 memcpy(*buffer, *sbuffer, *currlen);
             }
             *sbuffer = NULL;
@@ -874,20 +797,20 @@ doapr_outch(char **sbuffer,
 
 /***************************************************************************/
 
-int BIO_printf(BIO *bio, const char *format, ...)
+int EFIAPI BIO_printf(BIO *bio, const char *format, ...)
 {
-    va_list args;
+    ms_va_list args;
     int ret;
 
-    va_start(args, format);
+    ms_va_start(args, format);
 
     ret = BIO_vprintf(bio, format, args);
 
-    va_end(args);
+    ms_va_end(args);
     return (ret);
 }
 
-int BIO_vprintf(BIO *bio, const char *format, va_list args)
+int EFIAPI BIO_vprintf(BIO *bio, const char *format, ms_va_list args)
 {
     int ret;
     size_t retlen;
@@ -900,6 +823,7 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args)
     int ignored;
 
     dynbuf = NULL;
+    CRYPTO_push_info("doapr()");
     if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
                 args)) {
         OPENSSL_free(dynbuf);
@@ -911,6 +835,7 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args)
     } else {
         ret = BIO_write(bio, hugebuf, (int)retlen);
     }
+    CRYPTO_pop_info();
     return (ret);
 }
 
@@ -920,20 +845,20 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args)
  * closely related to BIO_printf, and we need *some* name prefix ... (XXX the
  * function should be renamed, but to what?)
  */
-int BIO_snprintf(char *buf, size_t n, const char *format, ...)
+int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...)
 {
-    va_list args;
+    ms_va_list args;
     int ret;
 
-    va_start(args, format);
+    ms_va_start(args, format);
 
     ret = BIO_vsnprintf(buf, n, format, args);
 
-    va_end(args);
+    ms_va_end(args);
     return (ret);
 }
 
-int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
+int EFIAPI BIO_vsnprintf(char *buf, size_t n, const char *format, ms_va_list args)
 {
     size_t retlen;
     int truncated;
diff --git a/Cryptlib/OpenSSL/crypto/bio/b_sock.c b/Cryptlib/OpenSSL/crypto/bio/b_sock.c
index ac2c2d16..5bad0a2b 100644
--- a/Cryptlib/OpenSSL/crypto/bio/b_sock.c
+++ b/Cryptlib/OpenSSL/crypto/bio/b_sock.c
@@ -1,21 +1,76 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/b_sock.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <errno.h>
-#include "bio_lcl.h"
-#if defined(NETWARE_CLIB)
-# include <sys/ioctl.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_BSDSOCK)
+# include <netdb.h>
+# if defined(NETWARE_CLIB)
+#  include <sys/ioctl.h>
 NETDB_DEFINE_CONTEXT
+# endif
 #endif
 #ifndef OPENSSL_NO_SOCK
+# include <openssl/dso.h>
 # define SOCKET_PROTOCOL IPPROTO_TCP
 # ifdef SO_MAXCONN
 #  define MAX_LISTEN  SO_MAXCONN
@@ -24,93 +79,294 @@ NETDB_DEFINE_CONTEXT
 # else
 #  define MAX_LISTEN  32
 # endif
-# if defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static int wsa_init_done = 0;
 # endif
 
-# if OPENSSL_API_COMPAT < 0x10100000L
+/*
+ * WSAAPI specifier is required to make indirect calls to run-time
+ * linked WinSock 2 functions used in this module, to be specific
+ * [get|free]addrinfo and getnameinfo. This is because WinSock uses
+ * uses non-C calling convention, __stdcall vs. __cdecl, on x86
+ * Windows. On non-WinSock platforms WSAAPI needs to be void.
+ */
+# ifndef WSAAPI
+#  define WSAAPI
+# endif
+
+# if 0
+static unsigned long BIO_ghbn_hits = 0L;
+static unsigned long BIO_ghbn_miss = 0L;
+
+#  define GHBN_NUM        4
+static struct ghbn_cache_st {
+    char name[129];
+    struct hostent *ent;
+    unsigned long order;
+} ghbn_cache[GHBN_NUM];
+# endif
+
+static int get_ip(const char *str, unsigned char *ip);
+# if 0
+static void ghbn_free(struct hostent *a);
+static struct hostent *ghbn_dup(struct hostent *a);
+# endif
 int BIO_get_host_ip(const char *str, unsigned char *ip)
 {
-    BIO_ADDRINFO *res = NULL;
-    int ret = 0;
+    int i;
+    int err = 1;
+    int locked = 0;
+    struct hostent *he;
 
+    i = get_ip(str, ip);
+    if (i < 0) {
+        BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_INVALID_IP_ADDRESS);
+        goto err;
+    }
+
+    /*
+     * At this point, we have something that is most probably correct in some
+     * way, so let's init the socket.
+     */
     if (BIO_sock_init() != 1)
         return 0;               /* don't generate another error code here */
 
-    if (BIO_lookup(str, NULL, BIO_LOOKUP_CLIENT, AF_INET, SOCK_STREAM, &res)) {
-        size_t l;
-
-        if (BIO_ADDRINFO_family(res) != AF_INET) {
-            BIOerr(BIO_F_BIO_GET_HOST_IP,
-                   BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET);
-        } else {
-            BIO_ADDR_rawaddress(BIO_ADDRINFO_address(res), NULL, &l);
-            /* Because only AF_INET addresses will reach this far,
-               we can assert that l should be 4 */
-            OPENSSL_assert(l == 4);
+    /*
+     * If the string actually contained an IP address, we need not do
+     * anything more
+     */
+    if (i > 0)
+        return (1);
+
+    /* do a gethostbyname */
+    CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
+    locked = 1;
+    he = BIO_gethostbyname(str);
+    if (he == NULL) {
+        BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP);
+        goto err;
+    }
 
-            BIO_ADDR_rawaddress(BIO_ADDRINFO_address(res), ip, &l);
-            ret = 1;
-        }
-        BIO_ADDRINFO_free(res);
-    } else {
-        ERR_add_error_data(2, "host=", str);
+    /* cast to short because of win16 winsock definition */
+    if ((short)he->h_addrtype != AF_INET) {
+        BIOerr(BIO_F_BIO_GET_HOST_IP,
+               BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET);
+        goto err;
     }
+    for (i = 0; i < 4; i++)
+        ip[i] = he->h_addr_list[0][i];
+    err = 0;
 
-    return ret;
+ err:
+    if (locked)
+        CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
+    if (err) {
+        ERR_add_error_data(2, "host=", str);
+        return 0;
+    } else
+        return 1;
 }
 
 int BIO_get_port(const char *str, unsigned short *port_ptr)
 {
-    BIO_ADDRINFO *res = NULL;
-    int ret = 0;
+    int i;
+    struct servent *s;
 
     if (str == NULL) {
         BIOerr(BIO_F_BIO_GET_PORT, BIO_R_NO_PORT_DEFINED);
         return (0);
     }
-
-    if (BIO_sock_init() != 1)
-        return 0;               /* don't generate another error code here */
-
-    if (BIO_lookup(NULL, str, BIO_LOOKUP_CLIENT, AF_INET, SOCK_STREAM, &res)) {
-        if (BIO_ADDRINFO_family(res) != AF_INET) {
-            BIOerr(BIO_F_BIO_GET_PORT,
-                   BIO_R_ADDRINFO_ADDR_IS_NOT_AF_INET);
-        } else {
-            *port_ptr = ntohs(BIO_ADDR_rawport(BIO_ADDRINFO_address(res)));
-            ret = 1;
+    i = atoi(str);
+    if (i != 0)
+        *port_ptr = (unsigned short)i;
+    else {
+        CRYPTO_w_lock(CRYPTO_LOCK_GETSERVBYNAME);
+        /*
+         * Note: under VMS with SOCKETSHR, it seems like the first parameter
+         * is 'char *', instead of 'const char *'
+         */
+# ifndef CONST_STRICT
+        s = getservbyname((char *)str, "tcp");
+# else
+        s = getservbyname(str, "tcp");
+# endif
+        if (s != NULL)
+            *port_ptr = ntohs((unsigned short)s->s_port);
+        CRYPTO_w_unlock(CRYPTO_LOCK_GETSERVBYNAME);
+        if (s == NULL) {
+            if (strcmp(str, "http") == 0)
+                *port_ptr = 80;
+            else if (strcmp(str, "telnet") == 0)
+                *port_ptr = 23;
+            else if (strcmp(str, "socks") == 0)
+                *port_ptr = 1080;
+            else if (strcmp(str, "https") == 0)
+                *port_ptr = 443;
+            else if (strcmp(str, "ssl") == 0)
+                *port_ptr = 443;
+            else if (strcmp(str, "ftp") == 0)
+                *port_ptr = 21;
+            else if (strcmp(str, "gopher") == 0)
+                *port_ptr = 70;
+# if 0
+            else if (strcmp(str, "wais") == 0)
+                *port_ptr = 21;
+# endif
+            else {
+                SYSerr(SYS_F_GETSERVBYNAME, get_last_socket_error());
+                ERR_add_error_data(3, "service='", str, "'");
+                return (0);
+            }
         }
-        BIO_ADDRINFO_free(res);
-    } else {
-        ERR_add_error_data(2, "host=", str);
     }
-
-    return ret;
+    return (1);
 }
-# endif
 
 int BIO_sock_error(int sock)
 {
-    int j = 0, i;
-    socklen_t size = sizeof(j);
+    int j, i;
+    union {
+        size_t s;
+        int i;
+    } size;
+
+# if defined(OPENSSL_SYS_BEOS_R5)
+    return 0;
+# endif
 
+    /* heuristic way to adapt for platforms that expect 64-bit optlen */
+    size.s = 0, size.i = sizeof(j);
     /*
      * Note: under Windows the third parameter is of type (char *) whereas
      * under other systems it is (void *) if you don't have a cast it will
      * choke the compiler: if you do have a cast then you can either go for
      * (char *) or (void *).
      */
-    i = getsockopt(sock, SOL_SOCKET, SO_ERROR, (void *)&j, &size);
+    i = getsockopt(sock, SOL_SOCKET, SO_ERROR, (void *)&j, (void *)&size);
     if (i < 0)
-        return (get_last_socket_error());
+        return (1);
     else
         return (j);
 }
 
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if 0
+long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
+{
+    int i;
+    char **p;
+
+    switch (cmd) {
+    case BIO_GHBN_CTRL_HITS:
+        return (BIO_ghbn_hits);
+        /* break; */
+    case BIO_GHBN_CTRL_MISSES:
+        return (BIO_ghbn_miss);
+        /* break; */
+    case BIO_GHBN_CTRL_CACHE_SIZE:
+        return (GHBN_NUM);
+        /* break; */
+    case BIO_GHBN_CTRL_GET_ENTRY:
+        if ((iarg >= 0) && (iarg < GHBN_NUM) && (ghbn_cache[iarg].order > 0)) {
+            p = (char **)parg;
+            if (p == NULL)
+                return (0);
+            *p = ghbn_cache[iarg].name;
+            ghbn_cache[iarg].name[128] = '\0';
+            return (1);
+        }
+        return (0);
+        /* break; */
+    case BIO_GHBN_CTRL_FLUSH:
+        for (i = 0; i < GHBN_NUM; i++)
+            ghbn_cache[i].order = 0;
+        break;
+    default:
+        return (0);
+    }
+    return (1);
+}
+# endif
+
+# if 0
+static struct hostent *ghbn_dup(struct hostent *a)
+{
+    struct hostent *ret;
+    int i, j;
+
+    MemCheck_off();
+    ret = (struct hostent *)OPENSSL_malloc(sizeof(struct hostent));
+    if (ret == NULL)
+        return (NULL);
+    memset(ret, 0, sizeof(struct hostent));
+
+    for (i = 0; a->h_aliases[i] != NULL; i++) ;
+    i++;
+    ret->h_aliases = (char **)OPENSSL_malloc(i * sizeof(char *));
+    if (ret->h_aliases == NULL)
+        goto err;
+    memset(ret->h_aliases, 0, i * sizeof(char *));
+
+    for (i = 0; a->h_addr_list[i] != NULL; i++) ;
+    i++;
+    ret->h_addr_list = (char **)OPENSSL_malloc(i * sizeof(char *));
+    if (ret->h_addr_list == NULL)
+        goto err;
+    memset(ret->h_addr_list, 0, i * sizeof(char *));
+
+    j = strlen(a->h_name) + 1;
+    if ((ret->h_name = OPENSSL_malloc(j)) == NULL)
+        goto err;
+    memcpy((char *)ret->h_name, a->h_name, j);
+    for (i = 0; a->h_aliases[i] != NULL; i++) {
+        j = strlen(a->h_aliases[i]) + 1;
+        if ((ret->h_aliases[i] = OPENSSL_malloc(j)) == NULL)
+            goto err;
+        memcpy(ret->h_aliases[i], a->h_aliases[i], j);
+    }
+    ret->h_length = a->h_length;
+    ret->h_addrtype = a->h_addrtype;
+    for (i = 0; a->h_addr_list[i] != NULL; i++) {
+        if ((ret->h_addr_list[i] = OPENSSL_malloc(a->h_length)) == NULL)
+            goto err;
+        memcpy(ret->h_addr_list[i], a->h_addr_list[i], a->h_length);
+    }
+    if (0) {
+ err:
+        if (ret != NULL)
+            ghbn_free(ret);
+        ret = NULL;
+    }
+    MemCheck_on();
+    return (ret);
+}
+
+static void ghbn_free(struct hostent *a)
+{
+    int i;
+
+    if (a == NULL)
+        return;
+
+    if (a->h_aliases != NULL) {
+        for (i = 0; a->h_aliases[i] != NULL; i++)
+            OPENSSL_free(a->h_aliases[i]);
+        OPENSSL_free(a->h_aliases);
+    }
+    if (a->h_addr_list != NULL) {
+        for (i = 0; a->h_addr_list[i] != NULL; i++)
+            OPENSSL_free(a->h_addr_list[i]);
+        OPENSSL_free(a->h_addr_list);
+    }
+    if (a->h_name != NULL)
+        OPENSSL_free(a->h_name);
+    OPENSSL_free(a);
+}
+
+# endif
+
 struct hostent *BIO_gethostbyname(const char *name)
 {
+# if 1
     /*
      * Caching gethostbyname() results forever is wrong, so we have to let
      * the true gethostbyname() worry about this
@@ -120,8 +376,83 @@ struct hostent *BIO_gethostbyname(const char *name)
 #  else
     return gethostbyname(name);
 #  endif
-}
+# else
+    struct hostent *ret;
+    int i, lowi = 0, j;
+    unsigned long low = (unsigned long)-1;
+
+#  if 0
+    /*
+     * It doesn't make sense to use locking here: The function interface is
+     * not thread-safe, because threads can never be sure when some other
+     * thread destroys the data they were given a pointer to.
+     */
+    CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
+#  endif
+    j = strlen(name);
+    if (j < 128) {
+        for (i = 0; i < GHBN_NUM; i++) {
+            if (low > ghbn_cache[i].order) {
+                low = ghbn_cache[i].order;
+                lowi = i;
+            }
+            if (ghbn_cache[i].order > 0) {
+                if (strncmp(name, ghbn_cache[i].name, 128) == 0)
+                    break;
+            }
+        }
+    } else
+        i = GHBN_NUM;
+
+    if (i == GHBN_NUM) {        /* no hit */
+        BIO_ghbn_miss++;
+        /*
+         * Note: under VMS with SOCKETSHR, it seems like the first parameter
+         * is 'char *', instead of 'const char *'
+         */
+#  ifndef CONST_STRICT
+        ret = gethostbyname((char *)name);
+#  else
+        ret = gethostbyname(name);
+#  endif
+
+        if (ret == NULL)
+            goto end;
+        if (j > 128) {          /* too big to cache */
+#  if 0
+            /*
+             * If we were trying to make this function thread-safe (which is
+             * bound to fail), we'd have to give up in this case (or allocate
+             * more memory).
+             */
+            ret = NULL;
+#  endif
+            goto end;
+        }
+
+        /* else add to cache */
+        if (ghbn_cache[lowi].ent != NULL)
+            ghbn_free(ghbn_cache[lowi].ent); /* XXX not thread-safe */
+        ghbn_cache[lowi].name[0] = '\0';
+
+        if ((ret = ghbn_cache[lowi].ent = ghbn_dup(ret)) == NULL) {
+            BIOerr(BIO_F_BIO_GETHOSTBYNAME, ERR_R_MALLOC_FAILURE);
+            goto end;
+        }
+        strncpy(ghbn_cache[lowi].name, name, 128);
+        ghbn_cache[lowi].order = BIO_ghbn_miss + BIO_ghbn_hits;
+    } else {
+        BIO_ghbn_hits++;
+        ret = ghbn_cache[i].ent;
+        ghbn_cache[i].order = BIO_ghbn_miss + BIO_ghbn_hits;
+    }
+ end:
+#  if 0
+    CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
+#  endif
+    return (ret);
 # endif
+}
 
 int BIO_sock_init(void)
 {
@@ -135,7 +466,7 @@ int BIO_sock_init(void)
         memset(&wsa_state, 0, sizeof(wsa_state));
         /*
          * Not making wsa_state available to the rest of the code is formally
-         * wrong. But the structures we use are [believed to be] invariable
+         * wrong. But the structures we use are [beleived to be] invariable
          * among Winsock DLLs, while API availability is [expected to be]
          * probed at run-time with DSO_global_lookup.
          */
@@ -154,14 +485,40 @@ int BIO_sock_init(void)
         return (-1);
 # endif
 
+# if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+    WORD wVerReq;
+    WSADATA wsaData;
+    int err;
+
+    if (!wsa_init_done) {
+        wsa_init_done = 1;
+        wVerReq = MAKEWORD(2, 0);
+        err = WSAStartup(wVerReq, &wsaData);
+        if (err != 0) {
+            SYSerr(SYS_F_WSASTARTUP, err);
+            BIOerr(BIO_F_BIO_SOCK_INIT, BIO_R_WSASTARTUP);
+            return (-1);
+        }
+    }
+# endif
+
     return (1);
 }
 
-void bio_sock_cleanup_int(void)
+void BIO_sock_cleanup(void)
 {
 # ifdef OPENSSL_SYS_WINDOWS
     if (wsa_init_done) {
         wsa_init_done = 0;
+#  if 0                         /* this call is claimed to be non-present in
+                                 * Winsock2 */
+        WSACancelBlockingCall();
+#  endif
+        WSACleanup();
+    }
+# elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
+    if (wsa_init_done) {
+        wsa_init_done = 0;
         WSACleanup();
     }
 # endif
@@ -208,83 +565,369 @@ int BIO_socket_ioctl(int fd, long type, void *arg)
 }
 # endif                         /* __VMS_VER */
 
-# if OPENSSL_API_COMPAT < 0x10100000L
-int BIO_get_accept_socket(char *host, int bind_mode)
+/*
+ * The reason I have implemented this instead of using sscanf is because
+ * Visual C 1.52c gives an unresolved external when linking a DLL :-(
+ */
+static int get_ip(const char *str, unsigned char ip[4])
 {
-    int s = INVALID_SOCKET;
-    char *h = NULL, *p = NULL;
-    BIO_ADDRINFO *res = NULL;
+    unsigned int tmp[4];
+    int num = 0, c, ok = 0;
+
+    tmp[0] = tmp[1] = tmp[2] = tmp[3] = 0;
+
+    for (;;) {
+        c = *(str++);
+        if ((c >= '0') && (c <= '9')) {
+            ok = 1;
+            tmp[num] = tmp[num] * 10 + c - '0';
+            if (tmp[num] > 255)
+                return (0);
+        } else if (c == '.') {
+            if (!ok)
+                return (-1);
+            if (num == 3)
+                return (0);
+            num++;
+            ok = 0;
+        } else if (c == '\0' && (num == 3) && ok)
+            break;
+        else
+            return (0);
+    }
+    ip[0] = tmp[0];
+    ip[1] = tmp[1];
+    ip[2] = tmp[2];
+    ip[3] = tmp[3];
+    return (1);
+}
 
-    if (!BIO_parse_hostserv(host, &h, &p, BIO_PARSE_PRIO_SERV))
-        return INVALID_SOCKET;
+int BIO_get_accept_socket(char *host, int bind_mode)
+{
+    int ret = 0;
+    union {
+        struct sockaddr sa;
+        struct sockaddr_in sa_in;
+# if OPENSSL_USE_IPV6
+        struct sockaddr_in6 sa_in6;
+# endif
+    } server, client;
+    int s = INVALID_SOCKET, cs, addrlen;
+    unsigned char ip[4];
+    unsigned short port;
+    char *str = NULL, *e;
+    char *h, *p;
+    unsigned long l;
+    int err_num;
 
     if (BIO_sock_init() != 1)
-        return INVALID_SOCKET;
+        return (INVALID_SOCKET);
+
+    if ((str = BUF_strdup(host)) == NULL)
+        return (INVALID_SOCKET);
+
+    h = p = NULL;
+    h = str;
+    for (e = str; *e; e++) {
+        if (*e == ':') {
+            p = e;
+        } else if (*e == '/') {
+            *e = '\0';
+            break;
+        }
+    }
+    if (p)
+        *p++ = '\0';            /* points at last ':', '::port' is special
+                                 * [see below] */
+    else
+        p = h, h = NULL;
+
+# ifdef EAI_FAMILY
+    do {
+        static union {
+            void *p;
+            int (WSAAPI *f) (const char *, const char *,
+                             const struct addrinfo *, struct addrinfo **);
+        } p_getaddrinfo = {
+            NULL
+        };
+        static union {
+            void *p;
+            void (WSAAPI *f) (struct addrinfo *);
+        } p_freeaddrinfo = {
+            NULL
+        };
+        struct addrinfo *res, hint;
+
+        if (p_getaddrinfo.p == NULL) {
+            if ((p_getaddrinfo.p = DSO_global_lookup("getaddrinfo")) == NULL
+                || (p_freeaddrinfo.p =
+                    DSO_global_lookup("freeaddrinfo")) == NULL)
+                p_getaddrinfo.p = (void *)-1;
+        }
+        if (p_getaddrinfo.p == (void *)-1)
+            break;
 
-    if (BIO_lookup(h, p, BIO_LOOKUP_SERVER, AF_UNSPEC, SOCK_STREAM, &res) != 0)
-        goto err;
+        /*
+         * '::port' enforces IPv6 wildcard listener. Some OSes, e.g. Solaris,
+         * default to IPv6 without any hint. Also note that commonly IPv6
+         * wildchard socket can service IPv4 connections just as well...
+         */
+        memset(&hint, 0, sizeof(hint));
+        hint.ai_flags = AI_PASSIVE;
+        if (h) {
+            if (strchr(h, ':')) {
+                if (h[1] == '\0')
+                    h = NULL;
+#  if OPENSSL_USE_IPV6
+                hint.ai_family = AF_INET6;
+#  else
+                h = NULL;
+#  endif
+            } else if (h[0] == '*' && h[1] == '\0') {
+                hint.ai_family = AF_INET;
+                h = NULL;
+            }
+        }
 
-    if ((s = BIO_socket(BIO_ADDRINFO_family(res), BIO_ADDRINFO_socktype(res),
-                        BIO_ADDRINFO_protocol(res), 0)) == INVALID_SOCKET) {
-        s = INVALID_SOCKET;
+        if ((*p_getaddrinfo.f) (h, p, &hint, &res))
+            break;
+
+        addrlen = res->ai_addrlen <= sizeof(server) ?
+            res->ai_addrlen : sizeof(server);
+        memcpy(&server, res->ai_addr, addrlen);
+
+        (*p_freeaddrinfo.f) (res);
+        goto again;
+    } while (0);
+# endif
+
+    if (!BIO_get_port(p, &port))
         goto err;
+
+    memset((char *)&server, 0, sizeof(server));
+    server.sa_in.sin_family = AF_INET;
+    server.sa_in.sin_port = htons(port);
+    addrlen = sizeof(server.sa_in);
+
+    if (h == NULL || strcmp(h, "*") == 0)
+        server.sa_in.sin_addr.s_addr = INADDR_ANY;
+    else {
+        if (!BIO_get_host_ip(h, &(ip[0])))
+            goto err;
+        l = (unsigned long)
+            ((unsigned long)ip[0] << 24L) |
+            ((unsigned long)ip[1] << 16L) |
+            ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
+        server.sa_in.sin_addr.s_addr = htonl(l);
     }
 
-    if (!BIO_listen(s, BIO_ADDRINFO_address(res),
-                    bind_mode ? BIO_SOCK_REUSEADDR : 0)) {
-        BIO_closesocket(s);
-        s = INVALID_SOCKET;
+ again:
+    s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+    if (s == INVALID_SOCKET) {
+        SYSerr(SYS_F_SOCKET, get_last_socket_error());
+        ERR_add_error_data(3, "port='", host, "'");
+        BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET, BIO_R_UNABLE_TO_CREATE_SOCKET);
+        goto err;
     }
+# ifdef SO_REUSEADDR
+    if (bind_mode == BIO_BIND_REUSEADDR) {
+        int i = 1;
 
+        ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&i, sizeof(i));
+        bind_mode = BIO_BIND_NORMAL;
+    }
+# endif
+    if (bind(s, &server.sa, addrlen) == -1) {
+# ifdef SO_REUSEADDR
+        err_num = get_last_socket_error();
+        if ((bind_mode == BIO_BIND_REUSEADDR_IF_UNUSED) &&
+#  ifdef OPENSSL_SYS_WINDOWS
+            /*
+             * Some versions of Windows define EADDRINUSE to a dummy value.
+             */
+            (err_num == WSAEADDRINUSE))
+#  else
+            (err_num == EADDRINUSE))
+#  endif
+        {
+            client = server;
+            if (h == NULL || strcmp(h, "*") == 0) {
+#  if OPENSSL_USE_IPV6
+                if (client.sa.sa_family == AF_INET6) {
+                    memset(&client.sa_in6.sin6_addr, 0,
+                           sizeof(client.sa_in6.sin6_addr));
+                    client.sa_in6.sin6_addr.s6_addr[15] = 1;
+                } else
+#  endif
+                if (client.sa.sa_family == AF_INET) {
+                    client.sa_in.sin_addr.s_addr = htonl(0x7F000001);
+                } else
+                    goto err;
+            }
+            cs = socket(client.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+            if (cs != INVALID_SOCKET) {
+                int ii;
+                ii = connect(cs, &client.sa, addrlen);
+                closesocket(cs);
+                if (ii == INVALID_SOCKET) {
+                    bind_mode = BIO_BIND_REUSEADDR;
+                    closesocket(s);
+                    goto again;
+                }
+                /* else error */
+            }
+            /* else error */
+        }
+# endif
+        SYSerr(SYS_F_BIND, err_num);
+        ERR_add_error_data(3, "port='", host, "'");
+        BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET, BIO_R_UNABLE_TO_BIND_SOCKET);
+        goto err;
+    }
+    if (listen(s, MAX_LISTEN) == -1) {
+        SYSerr(SYS_F_BIND, get_last_socket_error());
+        ERR_add_error_data(3, "port='", host, "'");
+        BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET, BIO_R_UNABLE_TO_LISTEN_SOCKET);
+        goto err;
+    }
+    ret = 1;
  err:
-    BIO_ADDRINFO_free(res);
-    OPENSSL_free(h);
-    OPENSSL_free(p);
-
-    return s;
+    if (str != NULL)
+        OPENSSL_free(str);
+    if ((ret == 0) && (s != INVALID_SOCKET)) {
+        closesocket(s);
+        s = INVALID_SOCKET;
+    }
+    return (s);
 }
 
-int BIO_accept(int sock, char **ip_port)
+int BIO_accept(int sock, char **addr)
 {
-    BIO_ADDR res;
-    int ret = -1;
+    int ret = INVALID_SOCKET;
+    unsigned long l;
+    unsigned short port;
+    char *p;
 
-    ret = BIO_accept_ex(sock, &res, 0);
-    if (ret == (int)INVALID_SOCKET) {
-        if (BIO_sock_should_retry(ret)) {
-            ret = -2;
-            goto end;
-        }
+    struct {
+        /*
+         * As for following union. Trouble is that there are platforms
+         * that have socklen_t and there are platforms that don't, on
+         * some platforms socklen_t is int and on some size_t. So what
+         * one can do? One can cook #ifdef spaghetti, which is nothing
+         * but masochistic. Or one can do union between int and size_t.
+         * One naturally does it primarily for 64-bit platforms where
+         * sizeof(int) != sizeof(size_t). But would it work? Note that
+         * if size_t member is initialized to 0, then later int member
+         * assignment naturally does the job on little-endian platforms
+         * regardless accept's expectations! What about big-endians?
+         * If accept expects int*, then it works, and if size_t*, then
+         * length value would appear as unreasonably large. But this
+         * won't prevent it from filling in the address structure. The
+         * trouble of course would be if accept returns more data than
+         * actual buffer can accomodate and overwrite stack... That's
+         * where early OPENSSL_assert comes into picture. Besides, the
+         * only 64-bit big-endian platform found so far that expects
+         * size_t* is HP-UX, where stack grows towards higher address.
+         * <appro>
+         */
+        union {
+            size_t s;
+            int i;
+        } len;
+        union {
+            struct sockaddr sa;
+            struct sockaddr_in sa_in;
+# if OPENSSL_USE_IPV6
+            struct sockaddr_in6 sa_in6;
+# endif
+        } from;
+    } sa;
+
+    sa.len.s = 0;
+    sa.len.i = sizeof(sa.from);
+    memset(&sa.from, 0, sizeof(sa.from));
+    ret = accept(sock, &sa.from.sa, (void *)&sa.len);
+    if (sizeof(sa.len.i) != sizeof(sa.len.s) && sa.len.i == 0) {
+        OPENSSL_assert(sa.len.s <= sizeof(sa.from));
+        sa.len.i = (int)sa.len.s;
+        /* use sa.len.i from this point */
+    }
+    if (ret == INVALID_SOCKET) {
+        if (BIO_sock_should_retry(ret))
+            return -2;
         SYSerr(SYS_F_ACCEPT, get_last_socket_error());
         BIOerr(BIO_F_BIO_ACCEPT, BIO_R_ACCEPT_ERROR);
         goto end;
     }
 
-    if (ip_port != NULL) {
-        char *host = BIO_ADDR_hostname_string(&res, 1);
-        char *port = BIO_ADDR_service_string(&res, 1);
-        if (host != NULL && port != NULL)
-            *ip_port = OPENSSL_zalloc(strlen(host) + strlen(port) + 2);
-        else
-            *ip_port = NULL;
+    if (addr == NULL)
+        goto end;
 
-        if (*ip_port == NULL) {
-            BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
-            BIO_closesocket(ret);
-            ret = (int)INVALID_SOCKET;
+# ifdef EAI_FAMILY
+    do {
+        char h[NI_MAXHOST], s[NI_MAXSERV];
+        size_t nl;
+        static union {
+            void *p;
+            int (WSAAPI *f) (const struct sockaddr *, size_t /* socklen_t */ ,
+                             char *, size_t, char *, size_t, int);
+        } p_getnameinfo = {
+            NULL
+        };
+        /*
+         * 2nd argument to getnameinfo is specified to be socklen_t.
+         * Unfortunately there is a number of environments where socklen_t is
+         * not defined. As it's passed by value, it's safe to pass it as
+         * size_t... <appro>
+         */
+
+        if (p_getnameinfo.p == NULL) {
+            if ((p_getnameinfo.p = DSO_global_lookup("getnameinfo")) == NULL)
+                p_getnameinfo.p = (void *)-1;
+        }
+        if (p_getnameinfo.p == (void *)-1)
+            break;
+
+        if ((*p_getnameinfo.f) (&sa.from.sa, sa.len.i, h, sizeof(h), s,
+                                sizeof(s), NI_NUMERICHOST | NI_NUMERICSERV))
+            break;
+        nl = strlen(h) + strlen(s) + 2;
+        p = *addr;
+        if (p) {
+            *p = '\0';
+            p = OPENSSL_realloc(p, nl);
         } else {
-            strcpy(*ip_port, host);
-            strcat(*ip_port, ":");
-            strcat(*ip_port, port);
+            p = OPENSSL_malloc(nl);
+        }
+        if (p == NULL) {
+            BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
+            goto end;
+        }
+        *addr = p;
+        BIO_snprintf(*addr, nl, "%s:%s", h, s);
+        goto end;
+    } while (0);
+# endif
+    if (sa.from.sa.sa_family != AF_INET)
+        goto end;
+    l = ntohl(sa.from.sa_in.sin_addr.s_addr);
+    port = ntohs(sa.from.sa_in.sin_port);
+    if (*addr == NULL) {
+        if ((p = OPENSSL_malloc(24)) == NULL) {
+            BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE);
+            goto end;
         }
-        OPENSSL_free(host);
-        OPENSSL_free(port);
+        *addr = p;
     }
-
+    BIO_snprintf(*addr, 24, "%d.%d.%d.%d:%d",
+                 (unsigned char)(l >> 24L) & 0xff,
+                 (unsigned char)(l >> 16L) & 0xff,
+                 (unsigned char)(l >> 8L) & 0xff,
+                 (unsigned char)(l) & 0xff, port);
  end:
-    return ret;
+    return (ret);
 }
-# endif
 
 int BIO_set_tcp_ndelay(int s, int on)
 {
@@ -312,70 +955,8 @@ int BIO_socket_nbio(int s, int mode)
 
     l = mode;
 # ifdef FIONBIO
-    l = mode;
-
     ret = BIO_socket_ioctl(s, FIONBIO, &l);
-# elif defined(F_GETFL) && defined(F_SETFL) && (defined(O_NONBLOCK) || defined(FNDELAY))
-    /* make sure this call always pushes an error level; BIO_socket_ioctl() does so, so we do too. */
-
-    l = fcntl(s, F_GETFL, 0);
-    if (l == -1) {
-        SYSerr(SYS_F_FCNTL, get_last_rtl_error());
-        ret = -1;
-    } else {
-#  if defined(O_NONBLOCK)
-        l &= ~O_NONBLOCK;
-#  else
-        l &= ~FNDELAY; /* BSD4.x */
-#  endif
-        if (mode) {
-#  if defined(O_NONBLOCK)
-            l |= O_NONBLOCK;
-#  else
-            l |= FNDELAY; /* BSD4.x */
-#  endif
-        }
-        ret = fcntl(s, F_SETFL, l);
-
-        if (ret < 0) {
-            SYSerr(SYS_F_FCNTL, get_last_rtl_error());
-        }
-    }
-# else
-    /* make sure this call always pushes an error level; BIO_socket_ioctl() does so, so we do too. */
-    BIOerr(BIO_F_BIO_SOCKET_NBIO, ERR_R_PASSED_INVALID_ARGUMENT);
 # endif
-
     return (ret == 0);
 }
-
-int BIO_sock_info(int sock,
-                  enum BIO_sock_info_type type, union BIO_sock_info_u *info)
-{
-    switch (type) {
-    case BIO_SOCK_INFO_ADDRESS:
-        {
-            socklen_t addr_len;
-            int ret = 0;
-            addr_len = sizeof(*info->addr);
-            ret = getsockname(sock, BIO_ADDR_sockaddr_noconst(info->addr),
-                              &addr_len);
-            if (ret == -1) {
-                SYSerr(SYS_F_GETSOCKNAME, get_last_socket_error());
-                BIOerr(BIO_F_BIO_SOCK_INFO, BIO_R_GETSOCKNAME_ERROR);
-                return 0;
-            }
-            if ((size_t)addr_len > sizeof(*info->addr)) {
-                BIOerr(BIO_F_BIO_SOCK_INFO, BIO_R_GETSOCKNAME_TRUNCATED_ADDRESS);
-                return 0;
-            }
-        }
-        break;
-    default:
-        BIOerr(BIO_F_BIO_SOCK_INFO, BIO_R_UNKNOWN_INFO_TYPE);
-        return 0;
-    }
-    return 1;
-}
-
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/bio/b_sock2.c b/Cryptlib/OpenSSL/crypto/bio/b_sock2.c
deleted file mode 100644
index 7f4d89e5..00000000
--- a/Cryptlib/OpenSSL/crypto/bio/b_sock2.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-
-#include "bio_lcl.h"
-
-#include <openssl/err.h>
-
-#ifndef OPENSSL_NO_SOCK
-# ifdef SO_MAXCONN
-#  define MAX_LISTEN  SO_MAXCONN
-# elif defined(SOMAXCONN)
-#  define MAX_LISTEN  SOMAXCONN
-# else
-#  define MAX_LISTEN  32
-# endif
-
-/*-
- * BIO_socket - create a socket
- * @domain: the socket domain (AF_INET, AF_INET6, AF_UNIX, ...)
- * @socktype: the socket type (SOCK_STEAM, SOCK_DGRAM)
- * @protocol: the protocol to use (IPPROTO_TCP, IPPROTO_UDP)
- * @options: BIO socket options (currently unused)
- *
- * Creates a socket.  This should be called before calling any
- * of BIO_connect and BIO_listen.
- *
- * Returns the file descriptor on success or INVALID_SOCKET on failure.  On
- * failure errno is set, and a status is added to the OpenSSL error stack.
- */
-int BIO_socket(int domain, int socktype, int protocol, int options)
-{
-    int sock = -1;
-
-    if (BIO_sock_init() != 1)
-        return INVALID_SOCKET;
-
-    sock = socket(domain, socktype, protocol);
-    if (sock == -1) {
-        SYSerr(SYS_F_SOCKET, get_last_socket_error());
-        BIOerr(BIO_F_BIO_SOCKET, BIO_R_UNABLE_TO_CREATE_SOCKET);
-        return INVALID_SOCKET;
-    }
-
-    return sock;
-}
-
-/*-
- * BIO_connect - connect to an address
- * @sock: the socket to connect with
- * @addr: the address to connect to
- * @options: BIO socket options
- *
- * Connects to the address using the given socket and options.
- *
- * Options can be a combination of the following:
- * - BIO_SOCK_KEEPALIVE: enable regularly sending keep-alive messages.
- * - BIO_SOCK_NONBLOCK: Make the socket non-blocking.
- * - BIO_SOCK_NODELAY: don't delay small messages.
- *
- * options holds BIO socket options that can be used
- * You should call this for every address returned by BIO_lookup
- * until the connection is successful.
- *
- * Returns 1 on success or 0 on failure.  On failure errno is set
- * and an error status is added to the OpenSSL error stack.
- */
-int BIO_connect(int sock, const BIO_ADDR *addr, int options)
-{
-    int on = 1;
-
-    if (sock == -1) {
-        BIOerr(BIO_F_BIO_CONNECT, BIO_R_INVALID_SOCKET);
-        return 0;
-    }
-
-    if (!BIO_socket_nbio(sock, (options & BIO_SOCK_NONBLOCK) != 0))
-        return 0;
-
-    if (options & BIO_SOCK_KEEPALIVE) {
-        if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) != 0) {
-            SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_CONNECT, BIO_R_UNABLE_TO_KEEPALIVE);
-            return 0;
-        }
-    }
-
-    if (options & BIO_SOCK_NODELAY) {
-        if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) != 0) {
-            SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_CONNECT, BIO_R_UNABLE_TO_NODELAY);
-            return 0;
-        }
-    }
-
-    if (connect(sock, BIO_ADDR_sockaddr(addr),
-                BIO_ADDR_sockaddr_size(addr)) == -1) {
-        if (!BIO_sock_should_retry(-1)) {
-            SYSerr(SYS_F_CONNECT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_CONNECT, BIO_R_CONNECT_ERROR);
-        }
-        return 0;
-    }
-    return 1;
-}
-
-/*-
- * BIO_listen - Creates a listen socket
- * @sock: the socket to listen with
- * @addr: local address to bind to
- * @options: BIO socket options
- *
- * Binds to the address using the given socket and options, then
- * starts listening for incoming connections.
- *
- * Options can be a combination of the following:
- * - BIO_SOCK_KEEPALIVE: enable regularly sending keep-alive messages.
- * - BIO_SOCK_NONBLOCK: Make the socket non-blocking.
- * - BIO_SOCK_NODELAY: don't delay small messages.
- * - BIO_SOCK_REUSEADDR: Try to reuse the address and port combination
- *   for a recently closed port.
- * - BIO_SOCK_V6_ONLY: When creating an IPv6 socket, make it listen only
- *   for IPv6 addresses and not IPv4 addresses mapped to IPv6.
- *
- * It's recommended that you set up both an IPv6 and IPv4 listen socket, and
- * then check both for new clients that connect to it.  You want to set up
- * the socket as non-blocking in that case since else it could hang.
- *
- * Not all operating systems support IPv4 addresses on an IPv6 socket, and for
- * others it's an option.  If you pass the BIO_LISTEN_V6_ONLY it will try to
- * create the IPv6 sockets to only listen for IPv6 connection.
- *
- * It could be that the first BIO_listen() call will listen to all the IPv6
- * and IPv4 addresses and that then trying to bind to the IPv4 address will
- * fail.  We can't tell the difference between already listening ourself to
- * it and someone else listening to it when failing and errno is EADDRINUSE, so
- * it's recommended to not give an error in that case if the first call was
- * successful.
- *
- * When restarting the program it could be that the port is still in use.  If
- * you set to BIO_SOCK_REUSEADDR option it will try to reuse the port anyway.
- * It's recommended that you use this.
- */
-int BIO_listen(int sock, const BIO_ADDR *addr, int options)
-{
-    int on = 1;
-    int socktype;
-    socklen_t socktype_len = sizeof(socktype);
-
-    if (sock == -1) {
-        BIOerr(BIO_F_BIO_LISTEN, BIO_R_INVALID_SOCKET);
-        return 0;
-    }
-
-    if (getsockopt(sock, SOL_SOCKET, SO_TYPE, &socktype, &socktype_len) != 0
-        || socktype_len != sizeof(socktype)) {
-        SYSerr(SYS_F_GETSOCKOPT, get_last_socket_error());
-        BIOerr(BIO_F_BIO_LISTEN, BIO_R_GETTING_SOCKTYPE);
-        return 0;
-    }
-
-    if (!BIO_socket_nbio(sock, (options & BIO_SOCK_NONBLOCK) != 0))
-        return 0;
-
-# ifndef OPENSSL_SYS_WINDOWS
-    /* SO_REUSEADDR has different behavior on Windows than on
-     * other operating systems, don't set it there. */
-    if (options & BIO_SOCK_REUSEADDR) {
-        if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) != 0) {
-            SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_LISTEN, BIO_R_UNABLE_TO_REUSEADDR);
-            return 0;
-        }
-    }
-# endif
-
-    if (options & BIO_SOCK_KEEPALIVE) {
-        if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) != 0) {
-            SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_LISTEN, BIO_R_UNABLE_TO_KEEPALIVE);
-            return 0;
-        }
-    }
-
-    if (options & BIO_SOCK_NODELAY) {
-        if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) != 0) {
-            SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_LISTEN, BIO_R_UNABLE_TO_NODELAY);
-            return 0;
-        }
-    }
-
-# ifdef IPV6_V6ONLY
-    if ((options & BIO_SOCK_V6_ONLY) && BIO_ADDR_family(addr) == AF_INET6) {
-        if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) != 0) {
-            SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_LISTEN, BIO_R_LISTEN_V6_ONLY);
-            return 0;
-        }
-    }
-# endif
-
-    if (bind(sock, BIO_ADDR_sockaddr(addr), BIO_ADDR_sockaddr_size(addr)) != 0) {
-        SYSerr(SYS_F_BIND, get_last_socket_error());
-        BIOerr(BIO_F_BIO_LISTEN, BIO_R_UNABLE_TO_BIND_SOCKET);
-        return 0;
-    }
-
-    if (socktype != SOCK_DGRAM && listen(sock, MAX_LISTEN) == -1) {
-        SYSerr(SYS_F_LISTEN, get_last_socket_error());
-        BIOerr(BIO_F_BIO_LISTEN, BIO_R_UNABLE_TO_LISTEN_SOCKET);
-        return 0;
-    }
-
-    return 1;
-}
-
-/*-
- * BIO_accept_ex - Accept new incoming connections
- * @sock: the listening socket
- * @addr: the BIO_ADDR to store the peer address in
- * @options: BIO socket options, applied on the accepted socket.
- *
- */
-int BIO_accept_ex(int accept_sock, BIO_ADDR *addr_, int options)
-{
-    socklen_t len;
-    int accepted_sock;
-    BIO_ADDR locaddr;
-    BIO_ADDR *addr = addr_ == NULL ? &locaddr : addr_;
-
-    len = sizeof(*addr);
-    accepted_sock = accept(accept_sock,
-                           BIO_ADDR_sockaddr_noconst(addr), &len);
-    if (accepted_sock == -1) {
-        if (!BIO_sock_should_retry(accepted_sock)) {
-            SYSerr(SYS_F_ACCEPT, get_last_socket_error());
-            BIOerr(BIO_F_BIO_ACCEPT_EX, BIO_R_ACCEPT_ERROR);
-        }
-        return INVALID_SOCKET;
-    }
-
-    if (!BIO_socket_nbio(accepted_sock, (options & BIO_SOCK_NONBLOCK) != 0)) {
-        closesocket(accepted_sock);
-        return INVALID_SOCKET;
-    }
-
-    return accepted_sock;
-}
-
-/*-
- * BIO_closesocket - Close a socket
- * @sock: the socket to close
- */
-int BIO_closesocket(int sock)
-{
-    if (closesocket(sock) < 0)
-        return 0;
-    return 1;
-}
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_buff.c b/Cryptlib/OpenSSL/crypto/bio/bf_buff.c
index b2a387b5..478fa16a 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bf_buff.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bf_buff.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bf_buff.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/bio.h>
 
 static int buffer_write(BIO *h, const char *buf, int num);
 static int buffer_read(BIO *h, char *buf, int size);
@@ -22,7 +71,7 @@ static int buffer_free(BIO *data);
 static long buffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
 #define DEFAULT_BUFFER_SIZE     4096
 
-static const BIO_METHOD methods_buffer = {
+static BIO_METHOD methods_buffer = {
     BIO_TYPE_BUFFER,
     "buffer",
     buffer_write,
@@ -35,30 +84,35 @@ static const BIO_METHOD methods_buffer = {
     buffer_callback_ctrl,
 };
 
-const BIO_METHOD *BIO_f_buffer(void)
+BIO_METHOD *BIO_f_buffer(void)
 {
     return (&methods_buffer);
 }
 
 static int buffer_new(BIO *bi)
 {
-    BIO_F_BUFFER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+    BIO_F_BUFFER_CTX *ctx;
 
+    ctx = (BIO_F_BUFFER_CTX *)OPENSSL_malloc(sizeof(BIO_F_BUFFER_CTX));
     if (ctx == NULL)
         return (0);
-    ctx->ibuf_size = DEFAULT_BUFFER_SIZE;
-    ctx->ibuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
+    ctx->ibuf = (char *)OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
     if (ctx->ibuf == NULL) {
         OPENSSL_free(ctx);
         return (0);
     }
-    ctx->obuf_size = DEFAULT_BUFFER_SIZE;
-    ctx->obuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
+    ctx->obuf = (char *)OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
     if (ctx->obuf == NULL) {
         OPENSSL_free(ctx->ibuf);
         OPENSSL_free(ctx);
         return (0);
     }
+    ctx->ibuf_size = DEFAULT_BUFFER_SIZE;
+    ctx->obuf_size = DEFAULT_BUFFER_SIZE;
+    ctx->ibuf_len = 0;
+    ctx->ibuf_off = 0;
+    ctx->obuf_len = 0;
+    ctx->obuf_off = 0;
 
     bi->init = 1;
     bi->ptr = (char *)ctx;
@@ -73,8 +127,10 @@ static int buffer_free(BIO *a)
     if (a == NULL)
         return (0);
     b = (BIO_F_BUFFER_CTX *)a->ptr;
-    OPENSSL_free(b->ibuf);
-    OPENSSL_free(b->obuf);
+    if (b->ibuf != NULL)
+        OPENSSL_free(b->ibuf);
+    if (b->obuf != NULL)
+        OPENSSL_free(b->obuf);
     OPENSSL_free(a->ptr);
     a->ptr = NULL;
     a->init = 0;
@@ -283,7 +339,8 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
             p1 = OPENSSL_malloc((int)num);
             if (p1 == NULL)
                 goto malloc_error;
-            OPENSSL_free(ctx->ibuf);
+            if (ctx->ibuf != NULL)
+                OPENSSL_free(ctx->ibuf);
             ctx->ibuf = p1;
         }
         ctx->ibuf_off = 0;
@@ -309,12 +366,12 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         p1 = ctx->ibuf;
         p2 = ctx->obuf;
         if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size)) {
-            p1 = OPENSSL_malloc((int)num);
+            p1 = (char *)OPENSSL_malloc((int)num);
             if (p1 == NULL)
                 goto malloc_error;
         }
         if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size)) {
-            p2 = OPENSSL_malloc((int)num);
+            p2 = (char *)OPENSSL_malloc((int)num);
             if (p2 == NULL) {
                 if (p1 != ctx->ibuf)
                     OPENSSL_free(p1);
@@ -357,6 +414,10 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
             if (ctx->obuf_len > 0) {
                 r = BIO_write(b->next_bio,
                               &(ctx->obuf[ctx->obuf_off]), ctx->obuf_len);
+#if 0
+                fprintf(stderr, "FLUSH [%3d] %3d -> %3d\n", ctx->obuf_off,
+                        ctx->obuf_len, r);
+#endif
                 BIO_copy_next_retry(b);
                 if (r <= 0)
                     return ((long)r);
@@ -365,6 +426,7 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
             } else {
                 ctx->obuf_len = 0;
                 ctx->obuf_off = 0;
+                ret = 1;
                 break;
             }
         }
diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_lbuf.c b/Cryptlib/OpenSSL/crypto/bio/bf_lbuf.c
deleted file mode 100644
index b3c2b5ee..00000000
--- a/Cryptlib/OpenSSL/crypto/bio/bf_lbuf.c
+++ /dev/null
@@ -1,319 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <errno.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
-#include <openssl/evp.h>
-
-static int linebuffer_write(BIO *h, const char *buf, int num);
-static int linebuffer_read(BIO *h, char *buf, int size);
-static int linebuffer_puts(BIO *h, const char *str);
-static int linebuffer_gets(BIO *h, char *str, int size);
-static long linebuffer_ctrl(BIO *h, int cmd, long arg1, void *arg2);
-static int linebuffer_new(BIO *h);
-static int linebuffer_free(BIO *data);
-static long linebuffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
-
-/* A 10k maximum should be enough for most purposes */
-#define DEFAULT_LINEBUFFER_SIZE 1024*10
-
-/* #define DEBUG */
-
-static const BIO_METHOD methods_linebuffer = {
-    BIO_TYPE_LINEBUFFER,
-    "linebuffer",
-    linebuffer_write,
-    linebuffer_read,
-    linebuffer_puts,
-    linebuffer_gets,
-    linebuffer_ctrl,
-    linebuffer_new,
-    linebuffer_free,
-    linebuffer_callback_ctrl,
-};
-
-const BIO_METHOD *BIO_f_linebuffer(void)
-{
-    return (&methods_linebuffer);
-}
-
-typedef struct bio_linebuffer_ctx_struct {
-    char *obuf;                 /* the output char array */
-    int obuf_size;              /* how big is the output buffer */
-    int obuf_len;               /* how many bytes are in it */
-} BIO_LINEBUFFER_CTX;
-
-static int linebuffer_new(BIO *bi)
-{
-    BIO_LINEBUFFER_CTX *ctx;
-
-    ctx = OPENSSL_malloc(sizeof(*ctx));
-    if (ctx == NULL)
-        return (0);
-    ctx->obuf = OPENSSL_malloc(DEFAULT_LINEBUFFER_SIZE);
-    if (ctx->obuf == NULL) {
-        OPENSSL_free(ctx);
-        return (0);
-    }
-    ctx->obuf_size = DEFAULT_LINEBUFFER_SIZE;
-    ctx->obuf_len = 0;
-
-    bi->init = 1;
-    bi->ptr = (char *)ctx;
-    bi->flags = 0;
-    return (1);
-}
-
-static int linebuffer_free(BIO *a)
-{
-    BIO_LINEBUFFER_CTX *b;
-
-    if (a == NULL)
-        return (0);
-    b = (BIO_LINEBUFFER_CTX *)a->ptr;
-    OPENSSL_free(b->obuf);
-    OPENSSL_free(a->ptr);
-    a->ptr = NULL;
-    a->init = 0;
-    a->flags = 0;
-    return (1);
-}
-
-static int linebuffer_read(BIO *b, char *out, int outl)
-{
-    int ret = 0;
-
-    if (out == NULL)
-        return (0);
-    if (b->next_bio == NULL)
-        return (0);
-    ret = BIO_read(b->next_bio, out, outl);
-    BIO_clear_retry_flags(b);
-    BIO_copy_next_retry(b);
-    return (ret);
-}
-
-static int linebuffer_write(BIO *b, const char *in, int inl)
-{
-    int i, num = 0, foundnl;
-    BIO_LINEBUFFER_CTX *ctx;
-
-    if ((in == NULL) || (inl <= 0))
-        return (0);
-    ctx = (BIO_LINEBUFFER_CTX *)b->ptr;
-    if ((ctx == NULL) || (b->next_bio == NULL))
-        return (0);
-
-    BIO_clear_retry_flags(b);
-
-    do {
-        const char *p;
-
-        for (p = in; p < in + inl && *p != '\n'; p++) ;
-        if (*p == '\n') {
-            p++;
-            foundnl = 1;
-        } else
-            foundnl = 0;
-
-        /*
-         * If a NL was found and we already have text in the save buffer,
-         * concatenate them and write
-         */
-        while ((foundnl || p - in > ctx->obuf_size - ctx->obuf_len)
-               && ctx->obuf_len > 0) {
-            int orig_olen = ctx->obuf_len;
-
-            i = ctx->obuf_size - ctx->obuf_len;
-            if (p - in > 0) {
-                if (i >= p - in) {
-                    memcpy(&(ctx->obuf[ctx->obuf_len]), in, p - in);
-                    ctx->obuf_len += p - in;
-                    inl -= p - in;
-                    num += p - in;
-                    in = p;
-                } else {
-                    memcpy(&(ctx->obuf[ctx->obuf_len]), in, i);
-                    ctx->obuf_len += i;
-                    inl -= i;
-                    in += i;
-                    num += i;
-                }
-            }
-            i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
-            if (i <= 0) {
-                ctx->obuf_len = orig_olen;
-                BIO_copy_next_retry(b);
-
-                if (i < 0)
-                    return ((num > 0) ? num : i);
-                if (i == 0)
-                    return (num);
-            }
-            if (i < ctx->obuf_len)
-                memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
-            ctx->obuf_len -= i;
-        }
-
-        /*
-         * Now that the save buffer is emptied, let's write the input buffer
-         * if a NL was found and there is anything to write.
-         */
-        if ((foundnl || p - in > ctx->obuf_size) && p - in > 0) {
-            i = BIO_write(b->next_bio, in, p - in);
-            if (i <= 0) {
-                BIO_copy_next_retry(b);
-                if (i < 0)
-                    return ((num > 0) ? num : i);
-                if (i == 0)
-                    return (num);
-            }
-            num += i;
-            in += i;
-            inl -= i;
-        }
-    }
-    while (foundnl && inl > 0);
-    /*
-     * We've written as much as we can.  The rest of the input buffer, if
-     * any, is text that doesn't and with a NL and therefore needs to be
-     * saved for the next trip.
-     */
-    if (inl > 0) {
-        memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
-        ctx->obuf_len += inl;
-        num += inl;
-    }
-    return num;
-}
-
-static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr)
-{
-    BIO *dbio;
-    BIO_LINEBUFFER_CTX *ctx;
-    long ret = 1;
-    char *p;
-    int r;
-    int obs;
-
-    ctx = (BIO_LINEBUFFER_CTX *)b->ptr;
-
-    switch (cmd) {
-    case BIO_CTRL_RESET:
-        ctx->obuf_len = 0;
-        if (b->next_bio == NULL)
-            return (0);
-        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-        break;
-    case BIO_CTRL_INFO:
-        ret = (long)ctx->obuf_len;
-        break;
-    case BIO_CTRL_WPENDING:
-        ret = (long)ctx->obuf_len;
-        if (ret == 0) {
-            if (b->next_bio == NULL)
-                return (0);
-            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-        }
-        break;
-    case BIO_C_SET_BUFF_SIZE:
-        obs = (int)num;
-        p = ctx->obuf;
-        if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size)) {
-            p = OPENSSL_malloc((int)num);
-            if (p == NULL)
-                goto malloc_error;
-        }
-        if (ctx->obuf != p) {
-            if (ctx->obuf_len > obs) {
-                ctx->obuf_len = obs;
-            }
-            memcpy(p, ctx->obuf, ctx->obuf_len);
-            OPENSSL_free(ctx->obuf);
-            ctx->obuf = p;
-            ctx->obuf_size = obs;
-        }
-        break;
-    case BIO_C_DO_STATE_MACHINE:
-        if (b->next_bio == NULL)
-            return (0);
-        BIO_clear_retry_flags(b);
-        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-        BIO_copy_next_retry(b);
-        break;
-
-    case BIO_CTRL_FLUSH:
-        if (b->next_bio == NULL)
-            return (0);
-        if (ctx->obuf_len <= 0) {
-            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-            break;
-        }
-
-        for (;;) {
-            BIO_clear_retry_flags(b);
-            if (ctx->obuf_len > 0) {
-                r = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
-                BIO_copy_next_retry(b);
-                if (r <= 0)
-                    return ((long)r);
-                if (r < ctx->obuf_len)
-                    memmove(ctx->obuf, ctx->obuf + r, ctx->obuf_len - r);
-                ctx->obuf_len -= r;
-            } else {
-                ctx->obuf_len = 0;
-                break;
-            }
-        }
-        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-        break;
-    case BIO_CTRL_DUP:
-        dbio = (BIO *)ptr;
-        if (!BIO_set_write_buffer_size(dbio, ctx->obuf_size))
-            ret = 0;
-        break;
-    default:
-        if (b->next_bio == NULL)
-            return (0);
-        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-        break;
-    }
-    return (ret);
- malloc_error:
-    BIOerr(BIO_F_LINEBUFFER_CTRL, ERR_R_MALLOC_FAILURE);
-    return (0);
-}
-
-static long linebuffer_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
-{
-    long ret = 1;
-
-    if (b->next_bio == NULL)
-        return (0);
-    switch (cmd) {
-    default:
-        ret = BIO_callback_ctrl(b->next_bio, cmd, fp);
-        break;
-    }
-    return (ret);
-}
-
-static int linebuffer_gets(BIO *b, char *buf, int size)
-{
-    if (b->next_bio == NULL)
-        return (0);
-    return (BIO_gets(b->next_bio, buf, size));
-}
-
-static int linebuffer_puts(BIO *b, const char *str)
-{
-    return (linebuffer_write(b, str, strlen(str)));
-}
diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c b/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c
index 364d9fb5..4842bb4c 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bf_nbio.c
@@ -1,17 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bf_nbio.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/rand.h>
+#include <openssl/bio.h>
 
 /*
  * BIO_put and BIO_get both add to the digest, BIO_gets returns the digest
@@ -31,7 +80,7 @@ typedef struct nbio_test_st {
     int lwn;
 } NBIO_TEST;
 
-static const BIO_METHOD methods_nbiof = {
+static BIO_METHOD methods_nbiof = {
     BIO_TYPE_NBIO_TEST,
     "non-blocking IO test filter",
     nbiof_write,
@@ -44,7 +93,7 @@ static const BIO_METHOD methods_nbiof = {
     nbiof_callback_ctrl,
 };
 
-const BIO_METHOD *BIO_f_nbio_test(void)
+BIO_METHOD *BIO_f_nbio_test(void)
 {
     return (&methods_nbiof);
 }
@@ -53,12 +102,13 @@ static int nbiof_new(BIO *bi)
 {
     NBIO_TEST *nt;
 
-    if ((nt = OPENSSL_zalloc(sizeof(*nt))) == NULL)
+    if (!(nt = (NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST))))
         return (0);
     nt->lrn = -1;
     nt->lwn = -1;
     bi->ptr = (char *)nt;
     bi->init = 1;
+    bi->flags = 0;
     return (1);
 }
 
@@ -66,7 +116,8 @@ static int nbiof_free(BIO *a)
 {
     if (a == NULL)
         return (0);
-    OPENSSL_free(a->ptr);
+    if (a->ptr != NULL)
+        OPENSSL_free(a->ptr);
     a->ptr = NULL;
     a->init = 0;
     a->flags = 0;
@@ -76,8 +127,10 @@ static int nbiof_free(BIO *a)
 static int nbiof_read(BIO *b, char *out, int outl)
 {
     int ret = 0;
+#if 1
     int num;
     unsigned char n;
+#endif
 
     if (out == NULL)
         return (0);
@@ -85,6 +138,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
         return (0);
 
     BIO_clear_retry_flags(b);
+#if 1
     if (RAND_bytes(&n, 1) <= 0)
         return -1;
     num = (n & 0x07);
@@ -95,7 +149,9 @@ static int nbiof_read(BIO *b, char *out, int outl)
     if (num == 0) {
         ret = -1;
         BIO_set_retry_read(b);
-    } else {
+    } else
+#endif
+    {
         ret = BIO_read(b->next_bio, out, outl);
         if (ret < 0)
             BIO_copy_next_retry(b);
@@ -118,6 +174,7 @@ static int nbiof_write(BIO *b, const char *in, int inl)
 
     BIO_clear_retry_flags(b);
 
+#if 1
     if (nt->lwn > 0) {
         num = nt->lwn;
         nt->lwn = 0;
@@ -133,7 +190,9 @@ static int nbiof_write(BIO *b, const char *in, int inl)
     if (num == 0) {
         ret = -1;
         BIO_set_retry_write(b);
-    } else {
+    } else
+#endif
+    {
         ret = BIO_write(b->next_bio, in, inl);
         if (ret < 0) {
             BIO_copy_next_retry(b);
diff --git a/Cryptlib/OpenSSL/crypto/bio/bf_null.c b/Cryptlib/OpenSSL/crypto/bio/bf_null.c
index 0736b3f2..e0c79e82 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bf_null.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bf_null.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bf_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/bio.h>
 
 /*
  * BIO_put and BIO_get both add to the digest, BIO_gets returns the digest
@@ -24,7 +73,7 @@ static long nullf_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int nullf_new(BIO *h);
 static int nullf_free(BIO *data);
 static long nullf_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
-static const BIO_METHOD methods_nullf = {
+static BIO_METHOD methods_nullf = {
     BIO_TYPE_NULL_FILTER,
     "NULL filter",
     nullf_write,
@@ -37,7 +86,7 @@ static const BIO_METHOD methods_nullf = {
     nullf_callback_ctrl,
 };
 
-const BIO_METHOD *BIO_f_null(void)
+BIO_METHOD *BIO_f_null(void)
 {
     return (&methods_nullf);
 }
diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_cb.c b/Cryptlib/OpenSSL/crypto/bio/bio_cb.c
index 69ea3d06..d3e86068 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bio_cb.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bio_cb.c
@@ -1,24 +1,73 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bio_cb.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/bio.h>
 #include <openssl/err.h>
 
-long BIO_debug_callback(BIO *bio, int cmd, const char *argp,
-                        int argi, long argl, long ret)
+long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp,
+                                    int argi, long argl, long ret)
 {
     BIO *b;
-    char buf[256];
+    MS_STATIC char buf[256];
     char *p;
     long r = 1;
     int len;
@@ -27,11 +76,8 @@ long BIO_debug_callback(BIO *bio, int cmd, const char *argp,
     if (BIO_CB_RETURN & cmd)
         r = ret;
 
-    len = BIO_snprintf(buf, sizeof buf, "BIO[%p]: ", (void *)bio);
+    len = BIO_snprintf(buf,sizeof buf,"BIO[%p]: ",(void *)bio);
 
-    /* Ignore errors and continue printing the other information. */
-    if (len < 0)
-        len = 0;
     p = buf + len;
     p_maxlen = sizeof(buf) - len;
 
@@ -91,7 +137,7 @@ long BIO_debug_callback(BIO *bio, int cmd, const char *argp,
     b = (BIO *)bio->cb_arg;
     if (b != NULL)
         BIO_write(b, buf, strlen(buf));
-#if !defined(OPENSSL_NO_STDIO)
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
     else
         fputs(buf, stderr);
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_err.c b/Cryptlib/OpenSSL/crypto/bio/bio_err.c
index 98c90d6e..d9007aa3 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bio_err.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bio_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bio_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,21 +70,17 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_BIO,0,reason)
 
 static ERR_STRING_DATA BIO_str_functs[] = {
-    {ERR_FUNC(BIO_F_ACPT_STATE), "acpt_state"},
-    {ERR_FUNC(BIO_F_ADDR_STRINGS), "addr_strings"},
+    {ERR_FUNC(BIO_F_ACPT_STATE), "ACPT_STATE"},
     {ERR_FUNC(BIO_F_BIO_ACCEPT), "BIO_accept"},
-    {ERR_FUNC(BIO_F_BIO_ACCEPT_EX), "BIO_accept_ex"},
-    {ERR_FUNC(BIO_F_BIO_ADDR_NEW), "BIO_ADDR_new"},
+    {ERR_FUNC(BIO_F_BIO_BER_GET_HEADER), "BIO_BER_GET_HEADER"},
     {ERR_FUNC(BIO_F_BIO_CALLBACK_CTRL), "BIO_callback_ctrl"},
-    {ERR_FUNC(BIO_F_BIO_CONNECT), "BIO_connect"},
     {ERR_FUNC(BIO_F_BIO_CTRL), "BIO_ctrl"},
+    {ERR_FUNC(BIO_F_BIO_GETHOSTBYNAME), "BIO_gethostbyname"},
     {ERR_FUNC(BIO_F_BIO_GETS), "BIO_gets"},
+    {ERR_FUNC(BIO_F_BIO_GET_ACCEPT_SOCKET), "BIO_get_accept_socket"},
     {ERR_FUNC(BIO_F_BIO_GET_HOST_IP), "BIO_get_host_ip"},
-    {ERR_FUNC(BIO_F_BIO_GET_NEW_INDEX), "BIO_get_new_index"},
     {ERR_FUNC(BIO_F_BIO_GET_PORT), "BIO_get_port"},
-    {ERR_FUNC(BIO_F_BIO_LISTEN), "BIO_listen"},
-    {ERR_FUNC(BIO_F_BIO_LOOKUP), "BIO_lookup"},
-    {ERR_FUNC(BIO_F_BIO_MAKE_PAIR), "bio_make_pair"},
+    {ERR_FUNC(BIO_F_BIO_MAKE_PAIR), "BIO_MAKE_PAIR"},
     {ERR_FUNC(BIO_F_BIO_NEW), "BIO_new"},
     {ERR_FUNC(BIO_F_BIO_NEW_FILE), "BIO_new_file"},
     {ERR_FUNC(BIO_F_BIO_NEW_MEM_BUF), "BIO_new_mem_buf"},
@@ -41,70 +88,56 @@ static ERR_STRING_DATA BIO_str_functs[] = {
     {ERR_FUNC(BIO_F_BIO_NREAD0), "BIO_nread0"},
     {ERR_FUNC(BIO_F_BIO_NWRITE), "BIO_nwrite"},
     {ERR_FUNC(BIO_F_BIO_NWRITE0), "BIO_nwrite0"},
-    {ERR_FUNC(BIO_F_BIO_PARSE_HOSTSERV), "BIO_parse_hostserv"},
     {ERR_FUNC(BIO_F_BIO_PUTS), "BIO_puts"},
     {ERR_FUNC(BIO_F_BIO_READ), "BIO_read"},
-    {ERR_FUNC(BIO_F_BIO_SOCKET), "BIO_socket"},
-    {ERR_FUNC(BIO_F_BIO_SOCKET_NBIO), "BIO_socket_nbio"},
-    {ERR_FUNC(BIO_F_BIO_SOCK_INFO), "BIO_sock_info"},
     {ERR_FUNC(BIO_F_BIO_SOCK_INIT), "BIO_sock_init"},
     {ERR_FUNC(BIO_F_BIO_WRITE), "BIO_write"},
-    {ERR_FUNC(BIO_F_BUFFER_CTRL), "buffer_ctrl"},
-    {ERR_FUNC(BIO_F_CONN_CTRL), "conn_ctrl"},
-    {ERR_FUNC(BIO_F_CONN_STATE), "conn_state"},
-    {ERR_FUNC(BIO_F_DGRAM_SCTP_READ), "dgram_sctp_read"},
-    {ERR_FUNC(BIO_F_DGRAM_SCTP_WRITE), "dgram_sctp_write"},
-    {ERR_FUNC(BIO_F_FILE_CTRL), "file_ctrl"},
-    {ERR_FUNC(BIO_F_FILE_READ), "file_read"},
-    {ERR_FUNC(BIO_F_LINEBUFFER_CTRL), "linebuffer_ctrl"},
-    {ERR_FUNC(BIO_F_MEM_WRITE), "mem_write"},
+    {ERR_FUNC(BIO_F_BUFFER_CTRL), "BUFFER_CTRL"},
+    {ERR_FUNC(BIO_F_CONN_CTRL), "CONN_CTRL"},
+    {ERR_FUNC(BIO_F_CONN_STATE), "CONN_STATE"},
+    {ERR_FUNC(BIO_F_DGRAM_SCTP_READ), "DGRAM_SCTP_READ"},
+    {ERR_FUNC(BIO_F_DGRAM_SCTP_WRITE), "DGRAM_SCTP_WRITE"},
+    {ERR_FUNC(BIO_F_FILE_CTRL), "FILE_CTRL"},
+    {ERR_FUNC(BIO_F_FILE_READ), "FILE_READ"},
+    {ERR_FUNC(BIO_F_LINEBUFFER_CTRL), "LINEBUFFER_CTRL"},
+    {ERR_FUNC(BIO_F_MEM_READ), "MEM_READ"},
+    {ERR_FUNC(BIO_F_MEM_WRITE), "MEM_WRITE"},
     {ERR_FUNC(BIO_F_SSL_NEW), "SSL_new"},
+    {ERR_FUNC(BIO_F_WSASTARTUP), "WSASTARTUP"},
     {0, NULL}
 };
 
 static ERR_STRING_DATA BIO_str_reasons[] = {
     {ERR_REASON(BIO_R_ACCEPT_ERROR), "accept error"},
-    {ERR_REASON(BIO_R_ADDRINFO_ADDR_IS_NOT_AF_INET),
-     "addrinfo addr is not af inet"},
-    {ERR_REASON(BIO_R_AMBIGUOUS_HOST_OR_SERVICE),
-     "ambiguous host or service"},
     {ERR_REASON(BIO_R_BAD_FOPEN_MODE), "bad fopen mode"},
+    {ERR_REASON(BIO_R_BAD_HOSTNAME_LOOKUP), "bad hostname lookup"},
     {ERR_REASON(BIO_R_BROKEN_PIPE), "broken pipe"},
     {ERR_REASON(BIO_R_CONNECT_ERROR), "connect error"},
+    {ERR_REASON(BIO_R_EOF_ON_MEMORY_BIO), "EOF on memory BIO"},
+    {ERR_REASON(BIO_R_ERROR_SETTING_NBIO), "error setting nbio"},
+    {ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET),
+     "error setting nbio on accepted socket"},
+    {ERR_REASON(BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET),
+     "error setting nbio on accept socket"},
     {ERR_REASON(BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET),
      "gethostbyname addr is not af inet"},
-    {ERR_REASON(BIO_R_GETSOCKNAME_ERROR), "getsockname error"},
-    {ERR_REASON(BIO_R_GETSOCKNAME_TRUNCATED_ADDRESS),
-     "getsockname truncated address"},
-    {ERR_REASON(BIO_R_GETTING_SOCKTYPE), "getting socktype"},
     {ERR_REASON(BIO_R_INVALID_ARGUMENT), "invalid argument"},
-    {ERR_REASON(BIO_R_INVALID_SOCKET), "invalid socket"},
+    {ERR_REASON(BIO_R_INVALID_IP_ADDRESS), "invalid ip address"},
     {ERR_REASON(BIO_R_IN_USE), "in use"},
-    {ERR_REASON(BIO_R_LISTEN_V6_ONLY), "listen v6 only"},
-    {ERR_REASON(BIO_R_LOOKUP_RETURNED_NOTHING), "lookup returned nothing"},
-    {ERR_REASON(BIO_R_MALFORMED_HOST_OR_SERVICE),
-     "malformed host or service"},
+    {ERR_REASON(BIO_R_KEEPALIVE), "keepalive"},
     {ERR_REASON(BIO_R_NBIO_CONNECT_ERROR), "nbio connect error"},
-    {ERR_REASON(BIO_R_NO_ACCEPT_ADDR_OR_SERVICE_SPECIFIED),
-     "no accept addr or service specified"},
-    {ERR_REASON(BIO_R_NO_HOSTNAME_OR_SERVICE_SPECIFIED),
-     "no hostname or service specified"},
+    {ERR_REASON(BIO_R_NO_ACCEPT_PORT_SPECIFIED), "no accept port specified"},
+    {ERR_REASON(BIO_R_NO_HOSTNAME_SPECIFIED), "no hostname specified"},
     {ERR_REASON(BIO_R_NO_PORT_DEFINED), "no port defined"},
+    {ERR_REASON(BIO_R_NO_PORT_SPECIFIED), "no port specified"},
     {ERR_REASON(BIO_R_NO_SUCH_FILE), "no such file"},
     {ERR_REASON(BIO_R_NULL_PARAMETER), "null parameter"},
+    {ERR_REASON(BIO_R_TAG_MISMATCH), "tag mismatch"},
     {ERR_REASON(BIO_R_UNABLE_TO_BIND_SOCKET), "unable to bind socket"},
     {ERR_REASON(BIO_R_UNABLE_TO_CREATE_SOCKET), "unable to create socket"},
-    {ERR_REASON(BIO_R_UNABLE_TO_KEEPALIVE), "unable to keepalive"},
     {ERR_REASON(BIO_R_UNABLE_TO_LISTEN_SOCKET), "unable to listen socket"},
-    {ERR_REASON(BIO_R_UNABLE_TO_NODELAY), "unable to nodelay"},
-    {ERR_REASON(BIO_R_UNABLE_TO_REUSEADDR), "unable to reuseaddr"},
-    {ERR_REASON(BIO_R_UNAVAILABLE_IP_FAMILY), "unavailable ip family"},
     {ERR_REASON(BIO_R_UNINITIALIZED), "uninitialized"},
-    {ERR_REASON(BIO_R_UNKNOWN_INFO_TYPE), "unknown info type"},
-    {ERR_REASON(BIO_R_UNSUPPORTED_IP_FAMILY), "unsupported ip family"},
     {ERR_REASON(BIO_R_UNSUPPORTED_METHOD), "unsupported method"},
-    {ERR_REASON(BIO_R_UNSUPPORTED_PROTOCOL_FAMILY),
-     "unsupported protocol family"},
     {ERR_REASON(BIO_R_WRITE_TO_READ_ONLY_BIO), "write to read only BIO"},
     {ERR_REASON(BIO_R_WSASTARTUP), "WSAStartup"},
     {0, NULL}
@@ -112,7 +145,7 @@ static ERR_STRING_DATA BIO_str_reasons[] = {
 
 #endif
 
-int ERR_load_BIO_strings(void)
+void ERR_load_BIO_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -121,5 +154,4 @@ int ERR_load_BIO_strings(void)
         ERR_load_strings(0, BIO_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_lcl.h b/Cryptlib/OpenSSL/crypto/bio/bio_lcl.h
index 39178cf5..741884da 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bio_lcl.h
+++ b/Cryptlib/OpenSSL/crypto/bio/bio_lcl.h
@@ -1,154 +1,4 @@
-/*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#define USE_SOCKETS
-#include "e_os.h"
-
-/* BEGIN BIO_ADDRINFO/BIO_ADDR stuff. */
-
-#ifndef OPENSSL_NO_SOCK
-/*
- * Throughout this file and b_addr.c, the existence of the macro
- * AI_PASSIVE is used to detect the availability of struct addrinfo,
- * getnameinfo() and getaddrinfo().  If that macro doesn't exist,
- * we use our own implementation instead.
- */
-
-/*
- * It's imperative that these macros get defined before openssl/bio.h gets
- * included.  Otherwise, the AI_PASSIVE hack will not work properly.
- * For clarity, we check for internal/cryptlib.h since it's a common header
- * that also includes bio.h.
- */
-# ifdef HEADER_CRYPTLIB_H
-#  error internal/cryptlib.h included before bio_lcl.h
-# endif
-# ifdef HEADER_BIO_H
-#  error openssl/bio.h included before bio_lcl.h
-# endif
-
-/*
- * Undefine AF_UNIX on systems that define it but don't support it.
- */
-# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_VMS)
-#  undef AF_UNIX
-# endif
-
-# ifdef AI_PASSIVE
-
-/*
- * There's a bug in VMS C header file netdb.h, where struct addrinfo
- * always is the P32 variant, but the functions that handle that structure,
- * such as getaddrinfo() and freeaddrinfo() adapt to the initial pointer
- * size.  The easiest workaround is to force struct addrinfo to be the
- * 64-bit variant when compiling in P64 mode.
- */
-#  if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE == 64
-#   define addrinfo __addrinfo64
-#  endif
-
-#  define bio_addrinfo_st addrinfo
-#  define bai_family      ai_family
-#  define bai_socktype    ai_socktype
-#  define bai_protocol    ai_protocol
-#  define bai_addrlen     ai_addrlen
-#  define bai_addr        ai_addr
-#  define bai_next        ai_next
-# else
-struct bio_addrinfo_st {
-    int bai_family;
-    int bai_socktype;
-    int bai_protocol;
-    size_t bai_addrlen;
-    struct sockaddr *bai_addr;
-    struct bio_addrinfo_st *bai_next;
-};
-# endif
-
-union bio_addr_st {
-    struct sockaddr sa;
-# ifdef AF_INET6
-    struct sockaddr_in6 s_in6;
-# endif
-    struct sockaddr_in s_in;
-# ifdef AF_UNIX
-    struct sockaddr_un s_un;
-# endif
-};
-#endif
-
-/* END BIO_ADDRINFO/BIO_ADDR stuff. */
-
-#include "internal/cryptlib.h"
-#include <internal/bio.h>
-
-typedef struct bio_f_buffer_ctx_struct {
-    /*-
-     * Buffers are setup like this:
-     *
-     * <---------------------- size ----------------------->
-     * +---------------------------------------------------+
-     * | consumed | remaining          | free space        |
-     * +---------------------------------------------------+
-     * <-- off --><------- len ------->
-     */
-    /*- BIO *bio; *//*
-     * this is now in the BIO struct
-     */
-    int ibuf_size;              /* how big is the input buffer */
-    int obuf_size;              /* how big is the output buffer */
-    char *ibuf;                 /* the char array */
-    int ibuf_len;               /* how many bytes are in it */
-    int ibuf_off;               /* write/read offset */
-    char *obuf;                 /* the char array */
-    int obuf_len;               /* how many bytes are in it */
-    int obuf_off;               /* write/read offset */
-} BIO_F_BUFFER_CTX;
-
-struct bio_st {
-    const BIO_METHOD *method;
-    /* bio, mode, argp, argi, argl, ret */
-    long (*callback) (struct bio_st *, int, const char *, int, long, long);
-    char *cb_arg;               /* first argument for the callback */
-    int init;
-    int shutdown;
-    int flags;                  /* extra storage */
-    int retry_reason;
-    int num;
-    void *ptr;
-    struct bio_st *next_bio;    /* used by filter BIOs */
-    struct bio_st *prev_bio;    /* used by filter BIOs */
-    int references;
-    uint64_t num_read;
-    uint64_t num_write;
-    CRYPTO_EX_DATA ex_data;
-    CRYPTO_RWLOCK *lock;
-};
-
-#ifndef OPENSSL_NO_SOCK
-# ifdef OPENSSL_SYS_VMS
-typedef unsigned int socklen_t;
-# endif
-
-extern CRYPTO_RWLOCK *bio_lookup_lock;
-
-int BIO_ADDR_make(BIO_ADDR *ap, const struct sockaddr *sa);
-const struct sockaddr *BIO_ADDR_sockaddr(const BIO_ADDR *ap);
-struct sockaddr *BIO_ADDR_sockaddr_noconst(BIO_ADDR *ap);
-socklen_t BIO_ADDR_sockaddr_size(const BIO_ADDR *ap);
-socklen_t BIO_ADDRINFO_sockaddr_size(const BIO_ADDRINFO *bai);
-const struct sockaddr *BIO_ADDRINFO_sockaddr(const BIO_ADDRINFO *bai);
-#endif
-
-extern CRYPTO_RWLOCK *bio_type_lock;
-
-void bio_sock_cleanup_int(void);
+#include <openssl/bio.h>
 
 #if BIO_FLAGS_UPLINK==0
 /* Shortcut UPLINK calls on most platforms... */
@@ -183,6 +33,4 @@ void bio_sock_cleanup_int(void);
 #  define UP_lseek        lseek
 #  define UP_close        close
 # endif
-
 #endif
-
diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_lib.c b/Cryptlib/OpenSSL/crypto/bio/bio_lib.c
index 62392c3a..07934f8a 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bio_lib.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bio_lib.c
@@ -1,53 +1,107 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bio_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
 #include <openssl/crypto.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/stack.h>
 
-BIO *BIO_new(const BIO_METHOD *method)
+BIO *BIO_new(BIO_METHOD *method)
 {
-    BIO *bio = OPENSSL_zalloc(sizeof(*bio));
+    BIO *ret = NULL;
 
-    if (bio == NULL) {
+    ret = (BIO *)OPENSSL_malloc(sizeof(BIO));
+    if (ret == NULL) {
         BIOerr(BIO_F_BIO_NEW, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
+    if (!BIO_set(ret, method)) {
+        OPENSSL_free(ret);
+        ret = NULL;
+    }
+    return (ret);
+}
 
+int BIO_set(BIO *bio, BIO_METHOD *method)
+{
     bio->method = method;
+    bio->callback = NULL;
+    bio->cb_arg = NULL;
+    bio->init = 0;
     bio->shutdown = 1;
+    bio->flags = 0;
+    bio->retry_reason = 0;
+    bio->num = 0;
+    bio->ptr = NULL;
+    bio->prev_bio = NULL;
+    bio->next_bio = NULL;
     bio->references = 1;
-
-    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data))
-        goto err;
-
-    bio->lock = CRYPTO_THREAD_lock_new();
-    if (bio->lock == NULL) {
-        BIOerr(BIO_F_BIO_NEW, ERR_R_MALLOC_FAILURE);
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-        goto err;
-    }
-
-    if (method->create != NULL && !method->create(bio)) {
-        BIOerr(BIO_F_BIO_NEW, ERR_R_INIT_FAIL);
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-        CRYPTO_THREAD_lock_free(bio->lock);
-        goto err;
-    }
-
-    return bio;
-
-err:
-    OPENSSL_free(bio);
-    return NULL;
+    bio->num_read = 0L;
+    bio->num_write = 0L;
+    CRYPTO_new_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
+    if (method->create != NULL)
+        if (!method->create(bio)) {
+            CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
+            return (0);
+        }
+    return (1);
 }
 
 int BIO_free(BIO *a)
@@ -55,59 +109,30 @@ int BIO_free(BIO *a)
     int i;
 
     if (a == NULL)
-        return 0;
-
-    if (CRYPTO_atomic_add(&a->references, -1, &i, a->lock) <= 0)
-        return 0;
+        return (0);
 
-    REF_PRINT_COUNT("BIO", a);
+    i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_BIO);
+#ifdef REF_PRINT
+    REF_PRINT("BIO", a);
+#endif
     if (i > 0)
-        return 1;
-    REF_ASSERT_ISNT(i < 0);
+        return (1);
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "BIO_free, bad reference count\n");
+        abort();
+    }
+#endif
     if ((a->callback != NULL) &&
         ((i = (int)a->callback(a, BIO_CB_FREE, NULL, 0, 0L, 1L)) <= 0))
-        return i;
-
-    if ((a->method != NULL) && (a->method->destroy != NULL))
-        a->method->destroy(a);
+        return (i);
 
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data);
 
-    CRYPTO_THREAD_lock_free(a->lock);
-
+    if ((a->method != NULL) && (a->method->destroy != NULL))
+        a->method->destroy(a);
     OPENSSL_free(a);
-
-    return 1;
-}
-
-void BIO_set_data(BIO *a, void *ptr)
-{
-    a->ptr = ptr;
-}
-
-void *BIO_get_data(BIO *a)
-{
-    return a->ptr;
-}
-
-void BIO_set_init(BIO *a, int init)
-{
-    a->init = init;
-}
-
-int BIO_get_init(BIO *a)
-{
-    return a->init;
-}
-
-void BIO_set_shutdown(BIO *a, int shut)
-{
-    a->shutdown = shut;
-}
-
-int BIO_get_shutdown(BIO *a)
-{
-    return a->shutdown;
+    return (1);
 }
 
 void BIO_vfree(BIO *a)
@@ -115,18 +140,6 @@ void BIO_vfree(BIO *a)
     BIO_free(a);
 }
 
-int BIO_up_ref(BIO *a)
-{
-    int i;
-
-    if (CRYPTO_atomic_add(&a->references, 1, &i, a->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("BIO", a);
-    REF_ASSERT_ISNT(i < 2);
-    return ((i > 1) ? 1 : 0);
-}
-
 void BIO_clear_flags(BIO *b, int flags)
 {
     b->flags &= ~flags;
@@ -197,7 +210,7 @@ int BIO_read(BIO *b, void *out, int outl)
     i = b->method->bread(b, out, outl);
 
     if (i > 0)
-        b->num_read += (uint64_t)i;
+        b->num_read += (unsigned long)i;
 
     if (cb != NULL)
         i = (int)cb(b, BIO_CB_READ | BIO_CB_RETURN, out, outl, 0L, (long)i);
@@ -230,7 +243,7 @@ int BIO_write(BIO *b, const void *in, int inl)
     i = b->method->bwrite(b, in, inl);
 
     if (i > 0)
-        b->num_write += (uint64_t)i;
+        b->num_write += (unsigned long)i;
 
     if (cb != NULL)
         i = (int)cb(b, BIO_CB_WRITE | BIO_CB_RETURN, in, inl, 0L, (long)i);
@@ -260,7 +273,7 @@ int BIO_puts(BIO *b, const char *in)
     i = b->method->bputs(b, in);
 
     if (i > 0)
-        b->num_write += (uint64_t)i;
+        b->num_write += (unsigned long)i;
 
     if (cb != NULL)
         i = (int)cb(b, BIO_CB_PUTS | BIO_CB_RETURN, in, 0, 0L, (long)i);
@@ -314,9 +327,9 @@ long BIO_int_ctrl(BIO *b, int cmd, long larg, int iarg)
     return (BIO_ctrl(b, cmd, larg, (char *)&i));
 }
 
-void *BIO_ptr_ctrl(BIO *b, int cmd, long larg)
+char *BIO_ptr_ctrl(BIO *b, int cmd, long larg)
 {
-    void *p = NULL;
+    char *p = NULL;
 
     if (BIO_ctrl(b, cmd, larg, (char *)&p) <= 0)
         return (NULL);
@@ -455,16 +468,11 @@ int BIO_get_retry_reason(BIO *bio)
     return (bio->retry_reason);
 }
 
-void BIO_set_retry_reason(BIO *bio, int reason)
-{
-    bio->retry_reason = reason;
-}
-
 BIO *BIO_find_type(BIO *bio, int type)
 {
     int mt, mask;
 
-    if (bio == NULL)
+    if (!bio)
         return NULL;
     mask = type & 0xff;
     do {
@@ -484,16 +492,11 @@ BIO *BIO_find_type(BIO *bio, int type)
 
 BIO *BIO_next(BIO *b)
 {
-    if (b == NULL)
+    if (!b)
         return NULL;
     return b->next_bio;
 }
 
-void BIO_set_next(BIO *b, BIO *next)
-{
-    b->next_bio = next;
-}
-
 void BIO_free_all(BIO *bio)
 {
     BIO *b;
@@ -559,6 +562,13 @@ void BIO_copy_next_retry(BIO *b)
     b->retry_reason = b->next_bio->retry_reason;
 }
 
+int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+{
+    return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_BIO, argl, argp,
+                                   new_func, dup_func, free_func);
+}
+
 int BIO_set_ex_data(BIO *bio, int idx, void *data)
 {
     return (CRYPTO_set_ex_data(&(bio->ex_data), idx, data));
@@ -569,32 +579,18 @@ void *BIO_get_ex_data(BIO *bio, int idx)
     return (CRYPTO_get_ex_data(&(bio->ex_data), idx));
 }
 
-uint64_t BIO_number_read(BIO *bio)
+unsigned long BIO_number_read(BIO *bio)
 {
     if (bio)
         return bio->num_read;
     return 0;
 }
 
-uint64_t BIO_number_written(BIO *bio)
+unsigned long BIO_number_written(BIO *bio)
 {
     if (bio)
         return bio->num_write;
     return 0;
 }
 
-void bio_free_ex_data(BIO *bio)
-{
-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-}
-
-void bio_cleanup(void)
-{
-#ifndef OPENSSL_NO_SOCK
-    bio_sock_cleanup_int();
-    CRYPTO_THREAD_lock_free(bio_lookup_lock);
-    bio_lookup_lock = NULL;
-#endif
-    CRYPTO_THREAD_lock_free(bio_type_lock);
-    bio_type_lock = NULL;
-}
+IMPLEMENT_STACK_OF(BIO)
diff --git a/Cryptlib/OpenSSL/crypto/bio/bio_meth.c b/Cryptlib/OpenSSL/crypto/bio/bio_meth.c
deleted file mode 100644
index c5f9f7e8..00000000
--- a/Cryptlib/OpenSSL/crypto/bio/bio_meth.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "bio_lcl.h"
-#include <internal/thread_once.h>
-
-CRYPTO_RWLOCK *bio_type_lock = NULL;
-static CRYPTO_ONCE bio_type_init = CRYPTO_ONCE_STATIC_INIT;
-
-DEFINE_RUN_ONCE_STATIC(do_bio_type_init)
-{
-    bio_type_lock = CRYPTO_THREAD_lock_new();
-    return bio_type_lock != NULL;
-}
-
-int BIO_get_new_index()
-{
-    static int bio_count = BIO_TYPE_START;
-    int newval;
-
-    if (!RUN_ONCE(&bio_type_init, do_bio_type_init)) {
-        BIOerr(BIO_F_BIO_GET_NEW_INDEX, ERR_R_MALLOC_FAILURE);
-        return -1;
-    }
-    if (!CRYPTO_atomic_add(&bio_count, 1, &newval, bio_type_lock))
-        return -1;
-    return newval;
-}
-
-BIO_METHOD *BIO_meth_new(int type, const char *name)
-{
-    BIO_METHOD *biom = OPENSSL_zalloc(sizeof(BIO_METHOD));
-
-    if (biom != NULL) {
-        biom->type = type;
-        biom->name = name;
-    }
-    return biom;
-}
-
-void BIO_meth_free(BIO_METHOD *biom)
-{
-    OPENSSL_free(biom);
-}
-
-int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int)
-{
-    return biom->bwrite;
-}
-
-int BIO_meth_set_write(BIO_METHOD *biom,
-                       int (*bwrite) (BIO *, const char *, int))
-{
-    biom->bwrite = bwrite;
-    return 1;
-}
-
-int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int)
-{
-    return biom->bread;
-}
-
-int BIO_meth_set_read(BIO_METHOD *biom,
-                      int (*bread) (BIO *, char *, int))
-{
-    biom->bread = bread;
-    return 1;
-}
-
-int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *)
-{
-    return biom->bputs;
-}
-
-int BIO_meth_set_puts(BIO_METHOD *biom,
-                      int (*bputs) (BIO *, const char *))
-{
-    biom->bputs = bputs;
-    return 1;
-}
-
-int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int)
-{
-    return biom->bgets;
-}
-
-int BIO_meth_set_gets(BIO_METHOD *biom,
-                      int (*bgets) (BIO *, char *, int))
-{
-    biom->bgets = bgets;
-    return 1;
-}
-
-long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *)
-{
-    return biom->ctrl;
-}
-
-int BIO_meth_set_ctrl(BIO_METHOD *biom,
-                      long (*ctrl) (BIO *, int, long, void *))
-{
-    biom->ctrl = ctrl;
-    return 1;
-}
-
-int (*BIO_meth_get_create(BIO_METHOD *biom)) (BIO *)
-{
-    return biom->create;
-}
-
-int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *))
-{
-    biom->create = create;
-    return 1;
-}
-
-int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *)
-{
-    return biom->destroy;
-}
-
-int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *))
-{
-    biom->destroy = destroy;
-    return 1;
-}
-
-long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) (BIO *, int, bio_info_cb *)
-{
-    return biom->callback_ctrl;
-}
-
-int BIO_meth_set_callback_ctrl(BIO_METHOD *biom,
-                               long (*callback_ctrl) (BIO *, int,
-                                                      bio_info_cb *))
-{
-    biom->callback_ctrl = callback_ctrl;
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_acpt.c b/Cryptlib/OpenSSL/crypto/bio/bss_acpt.c
index 6fb971a5..4a5e39bd 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_acpt.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_acpt.c
@@ -1,35 +1,93 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_acpt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "bio_lcl.h"
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
 
 #ifndef OPENSSL_NO_SOCK
 
+# ifdef OPENSSL_SYS_WIN16
+#  define SOCKET_PROTOCOL 0     /* more microsoft stupidity */
+# else
+#  define SOCKET_PROTOCOL IPPROTO_TCP
+# endif
+
+# if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+#  undef FIONBIO
+# endif
+
 typedef struct bio_accept_st {
     int state;
-    int accept_family;
-    int bind_mode;     /* Socket mode for BIO_listen */
-    int accepted_mode; /* Socket mode for BIO_accept (set on accepted sock) */
     char *param_addr;
-    char *param_serv;
-
     int accept_sock;
-
-    BIO_ADDRINFO *addr_first;
-    const BIO_ADDRINFO *addr_iter;
-    BIO_ADDR cache_accepting_addr;   /* Useful if we asked for port 0 */
-    char *cache_accepting_name, *cache_accepting_serv;
-    BIO_ADDR cache_peer_addr;
-    char *cache_peer_name, *cache_peer_serv;
-
+    int accept_nbio;
+    char *addr;
+    int nbio;
+    /*
+     * If 0, it means normal, if 1, do a connect on bind failure, and if
+     * there is no-one listening, bind with SO_REUSEADDR. If 2, always use
+     * SO_REUSEADDR.
+     */
+    int bind_mode;
     BIO *bio_chain;
 } BIO_ACCEPT;
 
@@ -45,13 +103,10 @@ static BIO_ACCEPT *BIO_ACCEPT_new(void);
 static void BIO_ACCEPT_free(BIO_ACCEPT *a);
 
 # define ACPT_S_BEFORE                   1
-# define ACPT_S_GET_ADDR                 2
-# define ACPT_S_CREATE_SOCKET            3
-# define ACPT_S_LISTEN                   4
-# define ACPT_S_ACCEPT                   5
-# define ACPT_S_OK                       6
+# define ACPT_S_GET_ACCEPT_SOCKET        2
+# define ACPT_S_OK                       3
 
-static const BIO_METHOD methods_acceptp = {
+static BIO_METHOD methods_acceptp = {
     BIO_TYPE_ACCEPT,
     "socket accept",
     acpt_write,
@@ -64,7 +119,7 @@ static const BIO_METHOD methods_acceptp = {
     NULL,
 };
 
-const BIO_METHOD *BIO_s_accept(void)
+BIO_METHOD *BIO_s_accept(void)
 {
     return (&methods_acceptp);
 }
@@ -74,7 +129,7 @@ static int acpt_new(BIO *bi)
     BIO_ACCEPT *ba;
 
     bi->init = 0;
-    bi->num = (int)INVALID_SOCKET;
+    bi->num = INVALID_SOCKET;
     bi->flags = 0;
     if ((ba = BIO_ACCEPT_new()) == NULL)
         return (0);
@@ -88,10 +143,12 @@ static BIO_ACCEPT *BIO_ACCEPT_new(void)
 {
     BIO_ACCEPT *ret;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
+    if ((ret = (BIO_ACCEPT *)OPENSSL_malloc(sizeof(BIO_ACCEPT))) == NULL)
         return (NULL);
-    ret->accept_family = BIO_FAMILY_IPANY;
-    ret->accept_sock = (int)INVALID_SOCKET;
+
+    memset(ret, 0, sizeof(BIO_ACCEPT));
+    ret->accept_sock = INVALID_SOCKET;
+    ret->bind_mode = BIO_BIND_NORMAL;
     return (ret);
 }
 
@@ -100,14 +157,12 @@ static void BIO_ACCEPT_free(BIO_ACCEPT *a)
     if (a == NULL)
         return;
 
-    OPENSSL_free(a->param_addr);
-    OPENSSL_free(a->param_serv);
-    BIO_ADDRINFO_free(a->addr_first);
-    OPENSSL_free(a->cache_accepting_name);
-    OPENSSL_free(a->cache_accepting_serv);
-    OPENSSL_free(a->cache_peer_name);
-    OPENSSL_free(a->cache_peer_serv);
-    BIO_free(a->bio_chain);
+    if (a->param_addr != NULL)
+        OPENSSL_free(a->param_addr);
+    if (a->addr != NULL)
+        OPENSSL_free(a->addr);
+    if (a->bio_chain != NULL)
+        BIO_free(a->bio_chain);
     OPENSSL_free(a);
 }
 
@@ -116,11 +171,11 @@ static void acpt_close_socket(BIO *bio)
     BIO_ACCEPT *c;
 
     c = (BIO_ACCEPT *)bio->ptr;
-    if (c->accept_sock != (int)INVALID_SOCKET) {
+    if (c->accept_sock != INVALID_SOCKET) {
         shutdown(c->accept_sock, 2);
         closesocket(c->accept_sock);
-        c->accept_sock = (int)INVALID_SOCKET;
-        bio->num = (int)INVALID_SOCKET;
+        c->accept_sock = INVALID_SOCKET;
+        bio->num = INVALID_SOCKET;
     }
 }
 
@@ -145,203 +200,102 @@ static int acpt_free(BIO *a)
 static int acpt_state(BIO *b, BIO_ACCEPT *c)
 {
     BIO *bio = NULL, *dbio;
-    int s = -1, ret = -1;
-
-    for (;;) {
-        switch (c->state) {
-        case ACPT_S_BEFORE:
-            if (c->param_addr == NULL && c->param_serv == NULL) {
-                BIOerr(BIO_F_ACPT_STATE, BIO_R_NO_ACCEPT_ADDR_OR_SERVICE_SPECIFIED);
-                ERR_add_error_data(4,
-                                   "hostname=", c->param_addr,
-                                   " service=", c->param_serv);
-                goto exit_loop;
-            }
-
-            /* Because we're starting a new bind, any cached name and serv
-             * are now obsolete and need to be cleaned out.
-             * QUESTION: should this be done in acpt_close_socket() instead?
-             */
-            OPENSSL_free(c->cache_accepting_name);
-            c->cache_accepting_name = NULL;
-            OPENSSL_free(c->cache_accepting_serv);
-            c->cache_accepting_serv = NULL;
-            OPENSSL_free(c->cache_peer_name);
-            c->cache_peer_name = NULL;
-            OPENSSL_free(c->cache_peer_serv);
-            c->cache_peer_serv = NULL;
-
-            c->state = ACPT_S_GET_ADDR;
-            break;
-
-        case ACPT_S_GET_ADDR:
-            {
-                int family = AF_UNSPEC;
-                switch (c->accept_family) {
-                case BIO_FAMILY_IPV6:
-                    if (1) { /* This is a trick we use to avoid bit rot.
-                              * at least the "else" part will always be
-                              * compiled.
-                              */
-#ifdef AF_INET6
-                        family = AF_INET6;
-                    } else {
-#endif
-                        BIOerr(BIO_F_ACPT_STATE, BIO_R_UNAVAILABLE_IP_FAMILY);
-                        goto exit_loop;
-                    }
-                    break;
-                case BIO_FAMILY_IPV4:
-                    family = AF_INET;
-                    break;
-                case BIO_FAMILY_IPANY:
-                    family = AF_UNSPEC;
-                    break;
-                default:
-                    BIOerr(BIO_F_ACPT_STATE, BIO_R_UNSUPPORTED_IP_FAMILY);
-                    goto exit_loop;
-                }
-                if (BIO_lookup(c->param_addr, c->param_serv, BIO_LOOKUP_SERVER,
-                               family, SOCK_STREAM, &c->addr_first) == 0)
-                    goto exit_loop;
-            }
-            if (c->addr_first == NULL) {
-                BIOerr(BIO_F_ACPT_STATE, BIO_R_LOOKUP_RETURNED_NOTHING);
-                goto exit_loop;
-            }
-            /* We're currently not iterating, but set this as preparation
-             * for possible future development in that regard
-             */
-            c->addr_iter = c->addr_first;
-            c->state = ACPT_S_CREATE_SOCKET;
-            break;
-
-        case ACPT_S_CREATE_SOCKET:
-            ret = BIO_socket(BIO_ADDRINFO_family(c->addr_iter),
-                             BIO_ADDRINFO_socktype(c->addr_iter),
-                             BIO_ADDRINFO_protocol(c->addr_iter), 0);
-            if (ret == (int)INVALID_SOCKET) {
-                SYSerr(SYS_F_SOCKET, get_last_socket_error());
-                ERR_add_error_data(4,
-                                   "hostname=", c->param_addr,
-                                   " service=", c->param_serv);
-                BIOerr(BIO_F_ACPT_STATE, BIO_R_UNABLE_TO_CREATE_SOCKET);
-                goto exit_loop;
-            }
-            c->accept_sock = ret;
-            b->num = ret;
-            c->state = ACPT_S_LISTEN;
-            break;
-
-        case ACPT_S_LISTEN:
-            {
-                if (!BIO_listen(c->accept_sock,
-                                BIO_ADDRINFO_address(c->addr_iter),
-                                c->bind_mode)) {
-                    BIO_closesocket(c->accept_sock);
-                    goto exit_loop;
-                }
-            }
-
-            {
-                union BIO_sock_info_u info;
-
-                info.addr = &c->cache_accepting_addr;
-                if (!BIO_sock_info(c->accept_sock, BIO_SOCK_INFO_ADDRESS,
-                                   &info)) {
-                    BIO_closesocket(c->accept_sock);
-                    goto exit_loop;
-                }
+    int s = -1;
+    int i;
+
+ again:
+    switch (c->state) {
+    case ACPT_S_BEFORE:
+        if (c->param_addr == NULL) {
+            BIOerr(BIO_F_ACPT_STATE, BIO_R_NO_ACCEPT_PORT_SPECIFIED);
+            return (-1);
+        }
+        s = BIO_get_accept_socket(c->param_addr, c->bind_mode);
+        if (s == INVALID_SOCKET)
+            return (-1);
+
+        if (c->accept_nbio) {
+            if (!BIO_socket_nbio(s, 1)) {
+                closesocket(s);
+                BIOerr(BIO_F_ACPT_STATE,
+                       BIO_R_ERROR_SETTING_NBIO_ON_ACCEPT_SOCKET);
+                return (-1);
             }
+        }
+        c->accept_sock = s;
+        b->num = s;
+        c->state = ACPT_S_GET_ACCEPT_SOCKET;
+        return (1);
+        /* break; */
+    case ACPT_S_GET_ACCEPT_SOCKET:
+        if (b->next_bio != NULL) {
+            c->state = ACPT_S_OK;
+            goto again;
+        }
+        BIO_clear_retry_flags(b);
+        b->retry_reason = 0;
+        i = BIO_accept(c->accept_sock, &(c->addr));
+
+        /* -2 return means we should retry */
+        if (i == -2) {
+            BIO_set_retry_special(b);
+            b->retry_reason = BIO_RR_ACCEPT;
+            return -1;
+        }
 
-            c->cache_accepting_name =
-                BIO_ADDR_hostname_string(&c->cache_accepting_addr, 1);
-            c->cache_accepting_serv =
-                BIO_ADDR_service_string(&c->cache_accepting_addr, 1);
-            c->state = ACPT_S_ACCEPT;
-            s = -1;
-            ret = 1;
-            goto end;
-
-        case ACPT_S_ACCEPT:
-            if (b->next_bio != NULL) {
-                c->state = ACPT_S_OK;
-                break;
-            }
-            BIO_clear_retry_flags(b);
-            b->retry_reason = 0;
-
-            s = BIO_accept_ex(c->accept_sock, &c->cache_peer_addr,
-                              c->accepted_mode);
-
-            /* If the returned socket is invalid, this might still be
-             * retryable
-             */
-            if (s < 0) {
-                if (BIO_sock_should_retry(s)) {
-                    BIO_set_retry_special(b);
-                    b->retry_reason = BIO_RR_ACCEPT;
-                    goto end;
-                }
-            }
+        if (i < 0)
+            return (i);
 
-            /* If it wasn't retryable, we fail */
-            if (s < 0) {
-                ret = s;
-                goto exit_loop;
-            }
+        bio = BIO_new_socket(i, BIO_CLOSE);
+        if (bio == NULL)
+            goto err;
 
-            bio = BIO_new_socket(s, BIO_CLOSE);
-            if (bio == NULL)
-                goto exit_loop;
-
-            BIO_set_callback(bio, BIO_get_callback(b));
-            BIO_set_callback_arg(bio, BIO_get_callback_arg(b));
-
-            /*
-             * If the accept BIO has an bio_chain, we dup it and put the new
-             * socket at the end.
-             */
-            if (c->bio_chain != NULL) {
-                if ((dbio = BIO_dup_chain(c->bio_chain)) == NULL)
-                    goto exit_loop;
-                if (!BIO_push(dbio, bio))
-                    goto exit_loop;
-                bio = dbio;
-            }
-            if (BIO_push(b, bio) == NULL)
-                goto exit_loop;
+        BIO_set_callback(bio, BIO_get_callback(b));
+        BIO_set_callback_arg(bio, BIO_get_callback_arg(b));
 
-            c->cache_peer_name =
-                BIO_ADDR_hostname_string(&c->cache_peer_addr, 1);
-            c->cache_peer_serv =
-                BIO_ADDR_service_string(&c->cache_peer_addr, 1);
-            c->state = ACPT_S_OK;
-            bio = NULL;
-            ret = 1;
-            goto end;
-
-        case ACPT_S_OK:
-            if (b->next_bio == NULL) {
-                c->state = ACPT_S_ACCEPT;
-                break;
+        if (c->nbio) {
+            if (!BIO_socket_nbio(i, 1)) {
+                BIOerr(BIO_F_ACPT_STATE,
+                       BIO_R_ERROR_SETTING_NBIO_ON_ACCEPTED_SOCKET);
+                goto err;
             }
-            ret = 1;
-            goto end;
+        }
 
-        default:
-            ret = 0;
-            goto end;
+        /*
+         * If the accept BIO has an bio_chain, we dup it and put the new
+         * socket at the end.
+         */
+        if (c->bio_chain != NULL) {
+            if ((dbio = BIO_dup_chain(c->bio_chain)) == NULL)
+                goto err;
+            if (!BIO_push(dbio, bio))
+                goto err;
+            bio = dbio;
+        }
+        if (BIO_push(b, bio) == NULL)
+            goto err;
+
+        c->state = ACPT_S_OK;
+        return (1);
+ err:
+        if (bio != NULL)
+            BIO_free(bio);
+        else if (s >= 0)
+            closesocket(s);
+        return (0);
+        /* break; */
+    case ACPT_S_OK:
+        if (b->next_bio == NULL) {
+            c->state = ACPT_S_GET_ACCEPT_SOCKET;
+            goto again;
         }
+        return (1);
+        /* break; */
+    default:
+        return (0);
+        /* break; */
     }
 
-  exit_loop:
-    if (bio != NULL)
-        BIO_free(bio);
-    else if (s >= 0)
-        BIO_closesocket(s);
-  end:
-    return ret;
 }
 
 static int acpt_read(BIO *b, char *out, int outl)
@@ -396,8 +350,6 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
         ret = 0;
         data->state = ACPT_S_BEFORE;
         acpt_close_socket(b);
-        BIO_ADDRINFO_free(data->addr_first);
-        data->addr_first = NULL;
         b->flags = 0;
         break;
     case BIO_C_DO_STATE_MACHINE:
@@ -407,49 +359,27 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_C_SET_ACCEPT:
         if (ptr != NULL) {
             if (num == 0) {
-                char *hold_serv = data->param_serv;
-                /* We affect the hostname regardless.  However, the input
-                 * string might contain a host:service spec, so we must
-                 * parse it, which might or might not affect the service
-                 */
-                OPENSSL_free(data->param_addr);
-                data->param_addr = NULL;
-                ret = BIO_parse_hostserv(ptr,
-                                         &data->param_addr,
-                                         &data->param_serv,
-                                         BIO_PARSE_PRIO_SERV);
-                if (hold_serv != data->param_serv)
-                    OPENSSL_free(hold_serv);
                 b->init = 1;
+                if (data->param_addr != NULL)
+                    OPENSSL_free(data->param_addr);
+                data->param_addr = BUF_strdup(ptr);
             } else if (num == 1) {
-                OPENSSL_free(data->param_serv);
-                data->param_serv = BUF_strdup(ptr);
-                b->init = 1;
+                data->accept_nbio = (ptr != NULL);
             } else if (num == 2) {
-                data->bind_mode |= BIO_SOCK_NONBLOCK;
-            } else if (num == 3) {
-                BIO_free(data->bio_chain);
+                if (data->bio_chain != NULL)
+                    BIO_free(data->bio_chain);
                 data->bio_chain = (BIO *)ptr;
-            } else if (num == 4) {
-                data->accept_family = *(int *)ptr;
-            }
-        } else {
-            if (num == 2) {
-                data->bind_mode &= ~BIO_SOCK_NONBLOCK;
             }
         }
         break;
     case BIO_C_SET_NBIO:
-        if (num != 0)
-            data->accepted_mode |= BIO_SOCK_NONBLOCK;
-        else
-            data->accepted_mode &= ~BIO_SOCK_NONBLOCK;
+        data->nbio = (int)num;
         break;
     case BIO_C_SET_FD:
         b->init = 1;
         b->num = *((int *)ptr);
         data->accept_sock = b->num;
-        data->state = ACPT_S_ACCEPT;
+        data->state = ACPT_S_GET_ACCEPT_SOCKET;
         b->shutdown = (int)num;
         b->init = 1;
         break;
@@ -464,35 +394,9 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
         break;
     case BIO_C_GET_ACCEPT:
         if (b->init) {
-            if (num == 0 && ptr != NULL) {
-                pp = (char **)ptr;
-                *pp = data->cache_accepting_name;
-            } else if (num == 1 && ptr != NULL) {
+            if (ptr != NULL) {
                 pp = (char **)ptr;
-                *pp = data->cache_accepting_serv;
-            } else if (num == 2 && ptr != NULL) {
-                pp = (char **)ptr;
-                *pp = data->cache_peer_name;
-            } else if (num == 3 && ptr != NULL) {
-                pp = (char **)ptr;
-                *pp = data->cache_peer_serv;
-            } else if (num == 4) {
-                switch (BIO_ADDRINFO_family(data->addr_iter)) {
-#ifdef AF_INET6
-                case AF_INET6:
-                    ret = BIO_FAMILY_IPV6;
-                    break;
-#endif
-                case AF_INET:
-                    ret = BIO_FAMILY_IPV4;
-                    break;
-                case 0:
-                    ret = data->accept_family;
-                    break;
-                default:
-                    ret = -1;
-                    break;
-                }
+                *pp = data->param_addr;
             } else
                 ret = -1;
         } else
@@ -548,10 +452,12 @@ BIO *BIO_new_accept(const char *str)
     ret = BIO_new(BIO_s_accept());
     if (ret == NULL)
         return (NULL);
-    if (BIO_set_accept_name(ret, str))
+    if (BIO_set_accept_port(ret, str))
         return (ret);
-    BIO_free(ret);
-    return (NULL);
+    else {
+        BIO_free(ret);
+        return (NULL);
+    }
 }
 
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_bio.c b/Cryptlib/OpenSSL/crypto/bio/bss_bio.c
index de34f6bf..3dd81877 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_bio.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_bio.c
@@ -1,10 +1,56 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_bio.c  */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -15,17 +61,39 @@
  * See ssl/ssltest.c for some hints on how this can be used.
  */
 
+/* BIO_DEBUG implies BIO_PAIR_DEBUG */
+#ifdef BIO_DEBUG
+# ifndef BIO_PAIR_DEBUG
+#  define BIO_PAIR_DEBUG
+# endif
+#endif
+
+/* disable assert() unless BIO_PAIR_DEBUG has been defined */
+#ifndef BIO_PAIR_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+
 #include <assert.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
-#include "bio_lcl.h"
+#include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/crypto.h>
 
 #include "e_os.h"
 
+/* VxWorks defines SSIZE_MAX with an empty value causing compile errors */
+#if defined(OPENSSL_SYS_VXWORKS)
+# undef SSIZE_MAX
+#endif
+#ifndef SSIZE_MAX
+# define SSIZE_MAX INT_MAX
+#endif
+
 static int bio_new(BIO *bio);
 static int bio_free(BIO *bio);
 static int bio_read(BIO *bio, char *buf, int size);
@@ -36,7 +104,7 @@ static int bio_puts(BIO *bio, const char *str);
 static int bio_make_pair(BIO *bio1, BIO *bio2);
 static void bio_destroy_pair(BIO *bio);
 
-static const BIO_METHOD methods_biop = {
+static BIO_METHOD methods_biop = {
     BIO_TYPE_BIO,
     "BIO pair",
     bio_write,
@@ -49,7 +117,7 @@ static const BIO_METHOD methods_biop = {
     NULL                        /* no bio_callback_ctrl */
 };
 
-const BIO_METHOD *BIO_s_bio(void)
+BIO_METHOD *BIO_s_bio(void)
 {
     return &methods_biop;
 }
@@ -74,13 +142,20 @@ struct bio_bio_st {
 
 static int bio_new(BIO *bio)
 {
-    struct bio_bio_st *b = OPENSSL_zalloc(sizeof(*b));
+    struct bio_bio_st *b;
 
+    b = OPENSSL_malloc(sizeof *b);
     if (b == NULL)
         return 0;
 
+    b->peer = NULL;
+    b->closed = 0;
+    b->len = 0;
+    b->offset = 0;
     /* enough for one TLS record (just a default) */
     b->size = 17 * 1024;
+    b->buf = NULL;
+    b->request = 0;
 
     bio->ptr = b;
     return 1;
@@ -99,7 +174,10 @@ static int bio_free(BIO *bio)
     if (b->peer)
         bio_destroy_pair(bio);
 
-    OPENSSL_free(b->buf);
+    if (b->buf != NULL) {
+        OPENSSL_free(b->buf);
+    }
+
     OPENSSL_free(b);
 
     return 1;
@@ -238,8 +316,8 @@ static ossl_ssize_t bio_nread(BIO *bio, char **buf, size_t num_)
     struct bio_bio_st *b, *peer_b;
     ossl_ssize_t num, available;
 
-    if (num_ > OSSL_SSIZE_MAX)
-        num = OSSL_SSIZE_MAX;
+    if (num_ > SSIZE_MAX)
+        num = SSIZE_MAX;
     else
         num = (ossl_ssize_t) num_;
 
@@ -394,8 +472,8 @@ static ossl_ssize_t bio_nwrite(BIO *bio, char **buf, size_t num_)
     struct bio_bio_st *b;
     ossl_ssize_t num, space;
 
-    if (num_ > OSSL_SSIZE_MAX)
-        num = OSSL_SSIZE_MAX;
+    if (num_ > SSIZE_MAX)
+        num = SSIZE_MAX;
     else
         num = (ossl_ssize_t) num_;
 
@@ -433,8 +511,10 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
             size_t new_size = num;
 
             if (b->size != new_size) {
-                OPENSSL_free(b->buf);
-                b->buf = NULL;
+                if (b->buf) {
+                    OPENSSL_free(b->buf);
+                    b->buf = NULL;
+                }
                 b->size = new_size;
             }
             ret = 1;
@@ -711,10 +791,14 @@ int BIO_new_bio_pair(BIO **bio1_p, size_t writebuf1,
 
  err:
     if (ret == 0) {
-        BIO_free(bio1);
-        bio1 = NULL;
-        BIO_free(bio2);
-        bio2 = NULL;
+        if (bio1) {
+            BIO_free(bio1);
+            bio1 = NULL;
+        }
+        if (bio2) {
+            BIO_free(bio2);
+            bio2 = NULL;
+        }
     }
 
     *bio1_p = bio1;
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_conn.c b/Cryptlib/OpenSSL/crypto/bio/bss_conn.c
index dfd0988d..7d15ad29 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_conn.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_conn.c
@@ -1,28 +1,88 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_conn.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-
-#include "bio_lcl.h"
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
 
 #ifndef OPENSSL_NO_SOCK
 
+# ifdef OPENSSL_SYS_WIN16
+#  define SOCKET_PROTOCOL 0     /* more microsoft stupidity */
+# else
+#  define SOCKET_PROTOCOL IPPROTO_TCP
+# endif
+
+# if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
+/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
+#  undef FIONBIO
+# endif
+
 typedef struct bio_connect_st {
     int state;
-    int connect_family;
     char *param_hostname;
-    char *param_service;
-    int connect_mode;
-
-    BIO_ADDRINFO *addr_first;
-    const BIO_ADDRINFO *addr_iter;
+    char *param_port;
+    int nbio;
+    unsigned char ip[4];
+    unsigned short port;
+    struct sockaddr_in them;
     /*
      * int socket; this will be kept in bio->num so that it is compatible
      * with the bss_sock bio
@@ -48,14 +108,7 @@ static void conn_close_socket(BIO *data);
 BIO_CONNECT *BIO_CONNECT_new(void);
 void BIO_CONNECT_free(BIO_CONNECT *a);
 
-#define BIO_CONN_S_BEFORE                1
-#define BIO_CONN_S_GET_ADDR              2
-#define BIO_CONN_S_CREATE_SOCKET         3
-#define BIO_CONN_S_CONNECT               4
-#define BIO_CONN_S_OK                    5
-#define BIO_CONN_S_BLOCKED_CONNECT       6
-
-static const BIO_METHOD methods_connectp = {
+static BIO_METHOD methods_connectp = {
     BIO_TYPE_CONNECT,
     "socket connect",
     conn_write,
@@ -71,6 +124,8 @@ static const BIO_METHOD methods_connectp = {
 static int conn_state(BIO *b, BIO_CONNECT *c)
 {
     int ret = -1, i;
+    unsigned long l;
+    char *p, *q;
     int (*cb) (const BIO *, int, int) = NULL;
 
     if (c->info_callback != NULL)
@@ -79,103 +134,123 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
     for (;;) {
         switch (c->state) {
         case BIO_CONN_S_BEFORE:
-            if (c->param_hostname == NULL && c->param_service == NULL) {
-                BIOerr(BIO_F_CONN_STATE, BIO_R_NO_HOSTNAME_OR_SERVICE_SPECIFIED);
-                ERR_add_error_data(4,
-                                   "hostname=", c->param_hostname,
-                                   " service=", c->param_service);
+            p = c->param_hostname;
+            if (p == NULL) {
+                BIOerr(BIO_F_CONN_STATE, BIO_R_NO_HOSTNAME_SPECIFIED);
                 goto exit_loop;
             }
-            c->state = BIO_CONN_S_GET_ADDR;
-            break;
-
-        case BIO_CONN_S_GET_ADDR:
-            {
-                int family = AF_UNSPEC;
-                switch (c->connect_family) {
-                case BIO_FAMILY_IPV6:
-                    if (1) { /* This is a trick we use to avoid bit rot.
-                              * at least the "else" part will always be
-                              * compiled.
-                              */
-#ifdef AF_INET6
-                        family = AF_INET6;
-                    } else {
-#endif
-                        BIOerr(BIO_F_CONN_STATE, BIO_R_UNAVAILABLE_IP_FAMILY);
-                        goto exit_loop;
-                    }
-                    break;
-                case BIO_FAMILY_IPV4:
-                    family = AF_INET;
+            for (; *p != '\0'; p++) {
+                if ((*p == ':') || (*p == '/'))
                     break;
-                case BIO_FAMILY_IPANY:
-                    family = AF_UNSPEC;
-                    break;
-                default:
-                    BIOerr(BIO_F_CONN_STATE, BIO_R_UNSUPPORTED_IP_FAMILY);
-                    goto exit_loop;
+            }
+
+            i = *p;
+            if ((i == ':') || (i == '/')) {
+
+                *(p++) = '\0';
+                if (i == ':') {
+                    for (q = p; *q; q++)
+                        if (*q == '/') {
+                            *q = '\0';
+                            break;
+                        }
+                    if (c->param_port != NULL)
+                        OPENSSL_free(c->param_port);
+                    c->param_port = BUF_strdup(p);
                 }
-                if (BIO_lookup(c->param_hostname, c->param_service,
-                               BIO_LOOKUP_CLIENT,
-                               family, SOCK_STREAM, &c->addr_first) == 0)
-                    goto exit_loop;
             }
-            if (c->addr_first == NULL) {
-                BIOerr(BIO_F_CONN_STATE, BIO_R_LOOKUP_RETURNED_NOTHING);
+
+            if (c->param_port == NULL) {
+                BIOerr(BIO_F_CONN_STATE, BIO_R_NO_PORT_SPECIFIED);
+                ERR_add_error_data(2, "host=", c->param_hostname);
                 goto exit_loop;
             }
-            c->addr_iter = c->addr_first;
+            c->state = BIO_CONN_S_GET_IP;
+            break;
+
+        case BIO_CONN_S_GET_IP:
+            if (BIO_get_host_ip(c->param_hostname, &(c->ip[0])) <= 0)
+                goto exit_loop;
+            c->state = BIO_CONN_S_GET_PORT;
+            break;
+
+        case BIO_CONN_S_GET_PORT:
+            if (c->param_port == NULL) {
+                /* abort(); */
+                goto exit_loop;
+            } else if (BIO_get_port(c->param_port, &c->port) <= 0)
+                goto exit_loop;
             c->state = BIO_CONN_S_CREATE_SOCKET;
             break;
 
         case BIO_CONN_S_CREATE_SOCKET:
-            ret = BIO_socket(BIO_ADDRINFO_family(c->addr_iter),
-                             BIO_ADDRINFO_socktype(c->addr_iter),
-                             BIO_ADDRINFO_protocol(c->addr_iter), 0);
-            if (ret == (int)INVALID_SOCKET) {
+            /* now setup address */
+            memset((char *)&c->them, 0, sizeof(c->them));
+            c->them.sin_family = AF_INET;
+            c->them.sin_port = htons((unsigned short)c->port);
+            l = (unsigned long)
+                ((unsigned long)c->ip[0] << 24L) |
+                ((unsigned long)c->ip[1] << 16L) |
+                ((unsigned long)c->ip[2] << 8L) | ((unsigned long)c->ip[3]);
+            c->them.sin_addr.s_addr = htonl(l);
+            c->state = BIO_CONN_S_CREATE_SOCKET;
+
+            ret = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+            if (ret == INVALID_SOCKET) {
                 SYSerr(SYS_F_SOCKET, get_last_socket_error());
-                ERR_add_error_data(4,
-                                   "hostname=", c->param_hostname,
-                                   " service=", c->param_service);
+                ERR_add_error_data(4, "host=", c->param_hostname,
+                                   ":", c->param_port);
                 BIOerr(BIO_F_CONN_STATE, BIO_R_UNABLE_TO_CREATE_SOCKET);
                 goto exit_loop;
             }
             b->num = ret;
+            c->state = BIO_CONN_S_NBIO;
+            break;
+
+        case BIO_CONN_S_NBIO:
+            if (c->nbio) {
+                if (!BIO_socket_nbio(b->num, 1)) {
+                    BIOerr(BIO_F_CONN_STATE, BIO_R_ERROR_SETTING_NBIO);
+                    ERR_add_error_data(4, "host=",
+                                       c->param_hostname, ":", c->param_port);
+                    goto exit_loop;
+                }
+            }
             c->state = BIO_CONN_S_CONNECT;
+
+# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+            i = 1;
+            i = setsockopt(b->num, SOL_SOCKET, SO_KEEPALIVE, (char *)&i,
+                           sizeof(i));
+            if (i < 0) {
+                SYSerr(SYS_F_SOCKET, get_last_socket_error());
+                ERR_add_error_data(4, "host=", c->param_hostname,
+                                   ":", c->param_port);
+                BIOerr(BIO_F_CONN_STATE, BIO_R_KEEPALIVE);
+                goto exit_loop;
+            }
+# endif
             break;
 
         case BIO_CONN_S_CONNECT:
             BIO_clear_retry_flags(b);
-            ret = BIO_connect(b->num, BIO_ADDRINFO_address(c->addr_iter),
-                              BIO_SOCK_KEEPALIVE | c->connect_mode);
+            ret = connect(b->num,
+                          (struct sockaddr *)&c->them, sizeof(c->them));
             b->retry_reason = 0;
-            if (ret == 0) {
+            if (ret < 0) {
                 if (BIO_sock_should_retry(ret)) {
                     BIO_set_retry_special(b);
                     c->state = BIO_CONN_S_BLOCKED_CONNECT;
                     b->retry_reason = BIO_RR_CONNECT;
-                    ERR_clear_error();
-                } else if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter))
-                           != NULL) {
-                    /*
-                     * if there are more addresses to try, do that first
-                     */
-                    BIO_closesocket(b->num);
-                    c->state = BIO_CONN_S_CREATE_SOCKET;
-                    ERR_clear_error();
-                    break;
                 } else {
                     SYSerr(SYS_F_CONNECT, get_last_socket_error());
-                    ERR_add_error_data(4,
-                                       "hostname=", c->param_hostname,
-                                       " service=", c->param_service);
+                    ERR_add_error_data(4, "host=",
+                                       c->param_hostname, ":", c->param_port);
                     BIOerr(BIO_F_CONN_STATE, BIO_R_CONNECT_ERROR);
                 }
                 goto exit_loop;
-            } else {
+            } else
                 c->state = BIO_CONN_S_OK;
-            }
             break;
 
         case BIO_CONN_S_BLOCKED_CONNECT:
@@ -183,9 +258,8 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
             if (i) {
                 BIO_clear_retry_flags(b);
                 SYSerr(SYS_F_CONNECT, i);
-                ERR_add_error_data(4,
-                                   "hostname=", c->param_hostname,
-                                   " service=", c->param_service);
+                ERR_add_error_data(4, "host=",
+                                   c->param_hostname, ":", c->param_port);
                 BIOerr(BIO_F_CONN_STATE, BIO_R_NBIO_CONNECT_ERROR);
                 ret = 0;
                 goto exit_loop;
@@ -202,7 +276,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
         }
 
         if (cb != NULL) {
-            if ((ret = cb((BIO *)b, c->state, ret)) == 0)
+            if (!(ret = cb((BIO *)b, c->state, ret)))
                 goto end;
         }
     }
@@ -219,10 +293,19 @@ BIO_CONNECT *BIO_CONNECT_new(void)
 {
     BIO_CONNECT *ret;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
+    if ((ret = (BIO_CONNECT *)OPENSSL_malloc(sizeof(BIO_CONNECT))) == NULL)
         return (NULL);
     ret->state = BIO_CONN_S_BEFORE;
-    ret->connect_family = BIO_FAMILY_IPANY;
+    ret->param_hostname = NULL;
+    ret->param_port = NULL;
+    ret->info_callback = NULL;
+    ret->nbio = 0;
+    ret->ip[0] = 0;
+    ret->ip[1] = 0;
+    ret->ip[2] = 0;
+    ret->ip[3] = 0;
+    ret->port = 0;
+    memset((char *)&ret->them, 0, sizeof(ret->them));
     return (ret);
 }
 
@@ -231,13 +314,14 @@ void BIO_CONNECT_free(BIO_CONNECT *a)
     if (a == NULL)
         return;
 
-    OPENSSL_free(a->param_hostname);
-    OPENSSL_free(a->param_service);
-    BIO_ADDRINFO_free(a->addr_first);
+    if (a->param_hostname != NULL)
+        OPENSSL_free(a->param_hostname);
+    if (a->param_port != NULL)
+        OPENSSL_free(a->param_port);
     OPENSSL_free(a);
 }
 
-const BIO_METHOD *BIO_s_connect(void)
+BIO_METHOD *BIO_s_connect(void)
 {
     return (&methods_connectp);
 }
@@ -245,7 +329,7 @@ const BIO_METHOD *BIO_s_connect(void)
 static int conn_new(BIO *bi)
 {
     bi->init = 0;
-    bi->num = (int)INVALID_SOCKET;
+    bi->num = INVALID_SOCKET;
     bi->flags = 0;
     if ((bi->ptr = (char *)BIO_CONNECT_new()) == NULL)
         return (0);
@@ -258,12 +342,12 @@ static void conn_close_socket(BIO *bio)
     BIO_CONNECT *c;
 
     c = (BIO_CONNECT *)bio->ptr;
-    if (bio->num != (int)INVALID_SOCKET) {
+    if (bio->num != INVALID_SOCKET) {
         /* Only do a shutdown if things were established */
         if (c->state == BIO_CONN_S_OK)
             shutdown(bio->num, 2);
-        BIO_closesocket(bio->num);
-        bio->num = (int)INVALID_SOCKET;
+        closesocket(bio->num);
+        bio->num = INVALID_SOCKET;
     }
 }
 
@@ -346,8 +430,6 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
         ret = 0;
         data->state = BIO_CONN_S_BEFORE;
         conn_close_socket(b);
-        BIO_ADDRINFO_free(data->addr_first);
-        data->addr_first = NULL;
         b->flags = 0;
         break;
     case BIO_C_DO_STATE_MACHINE:
@@ -360,33 +442,27 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_C_GET_CONNECT:
         if (ptr != NULL) {
             pptr = (const char **)ptr;
-            if (num == 0) {
-                *pptr = data->param_hostname;
-            } else if (num == 1) {
-                *pptr = data->param_service;
-            } else if (num == 2) {
-                *pptr = (const char *)BIO_ADDRINFO_address(data->addr_iter);
-            } else if (num == 3) {
-                switch (BIO_ADDRINFO_family(data->addr_iter)) {
-# ifdef AF_INET6
-                case AF_INET6:
-                    ret = BIO_FAMILY_IPV6;
-                    break;
-# endif
-                case AF_INET:
-                    ret = BIO_FAMILY_IPV4;
-                    break;
-                case 0:
-                    ret = data->connect_family;
-                    break;
-                default:
-                    ret = -1;
-                    break;
+        }
+
+        if (b->init) {
+            if (pptr != NULL) {
+                ret = 1;
+                if (num == 0) {
+                    *pptr = data->param_hostname;
+                } else if (num == 1) {
+                    *pptr = data->param_port;
+                } else if (num == 2) {
+                    *pptr = (char *)&(data->ip[0]);
+                } else {
+                    ret = 0;
                 }
-            } else {
-                ret = 0;
+            }
+            if (num == 3) {
+                ret = data->port;
             }
         } else {
+            if (pptr != NULL)
+                *pptr = "not initialized";
             ret = 0;
         }
         break;
@@ -394,46 +470,36 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
         if (ptr != NULL) {
             b->init = 1;
             if (num == 0) {
-                char *hold_service = data->param_service;
-                /* We affect the hostname regardless.  However, the input
-                 * string might contain a host:service spec, so we must
-                 * parse it, which might or might not affect the service
-                 */
-                OPENSSL_free(data->param_hostname);
-                data->param_hostname = NULL;
-                ret = BIO_parse_hostserv(ptr,
-                                         &data->param_hostname,
-                                         &data->param_service,
-                                         BIO_PARSE_PRIO_HOST);
-                if (hold_service != data->param_service)
-                    OPENSSL_free(hold_service);
+                if (data->param_hostname != NULL)
+                    OPENSSL_free(data->param_hostname);
+                data->param_hostname = BUF_strdup(ptr);
             } else if (num == 1) {
-                OPENSSL_free(data->param_service);
-                data->param_service = BUF_strdup(ptr);
+                if (data->param_port != NULL)
+                    OPENSSL_free(data->param_port);
+                data->param_port = BUF_strdup(ptr);
             } else if (num == 2) {
-                const BIO_ADDR *addr = (const BIO_ADDR *)ptr;
-                if (ret) {
-                    data->param_hostname = BIO_ADDR_hostname_string(addr, 1);
-                    data->param_service = BIO_ADDR_service_string(addr, 1);
-                    BIO_ADDRINFO_free(data->addr_first);
-                    data->addr_first = NULL;
-                    data->addr_iter = NULL;
-                }
+                char buf[16];
+                unsigned char *p = ptr;
+
+                BIO_snprintf(buf, sizeof buf, "%d.%d.%d.%d",
+                             p[0], p[1], p[2], p[3]);
+                if (data->param_hostname != NULL)
+                    OPENSSL_free(data->param_hostname);
+                data->param_hostname = BUF_strdup(buf);
+                memcpy(&(data->ip[0]), ptr, 4);
             } else if (num == 3) {
-                data->connect_family = *(int *)ptr;
-            } else {
-                ret = 0;
+                char buf[DECIMAL_SIZE(int) + 1];
+
+                BIO_snprintf(buf, sizeof buf, "%d", *(int *)ptr);
+                if (data->param_port != NULL)
+                    OPENSSL_free(data->param_port);
+                data->param_port = BUF_strdup(buf);
+                data->port = *(int *)ptr;
             }
         }
         break;
     case BIO_C_SET_NBIO:
-        if (num != 0)
-            data->connect_mode |= BIO_SOCK_NONBLOCK;
-        else
-            data->connect_mode &= ~BIO_SOCK_NONBLOCK;
-        break;
-    case BIO_C_SET_CONNECT_MODE:
-        data->connect_mode = (int)num;
+        data->nbio = (int)num;
         break;
     case BIO_C_GET_FD:
         if (b->init) {
@@ -459,12 +525,11 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_CTRL_DUP:
         {
             dbio = (BIO *)ptr;
+            if (data->param_port)
+                BIO_set_conn_port(dbio, data->param_port);
             if (data->param_hostname)
                 BIO_set_conn_hostname(dbio, data->param_hostname);
-            if (data->param_service)
-                BIO_set_conn_port(dbio, data->param_service);
-            BIO_set_conn_ip_family(dbio, data->connect_family);
-            BIO_set_conn_mode(dbio, data->connect_mode);
+            BIO_set_nbio(dbio, data->nbio);
             /*
              * FIXME: the cast of the function seems unlikely to be a good
              * idea
@@ -538,8 +603,10 @@ BIO *BIO_new_connect(const char *str)
         return (NULL);
     if (BIO_set_conn_hostname(ret, str))
         return (ret);
-    BIO_free(ret);
-    return (NULL);
+    else {
+        BIO_free(ret);
+        return (NULL);
+    }
 }
 
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c b/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c
index 6dfcc9ba..bdd7bf88 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_dgram.c
@@ -1,21 +1,70 @@
+/* crypto/bio/bio_dgram.c */
 /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <errno.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
 
-#include "bio_lcl.h"
+#include <openssl/bio.h>
 #ifndef OPENSSL_NO_DGRAM
 
-# if !(defined(_WIN32) || defined(OPENSSL_SYS_VMS))
-#  include <sys/time.h>
-# endif
 # if defined(OPENSSL_SYS_VMS)
 #  include <sys/timeb.h>
 # endif
@@ -45,6 +94,12 @@
          ((a)->s6_addr32[2] == htonl(0x0000ffff)))
 # endif
 
+# ifdef WATT32
+#  define sock_write SockWrite  /* Watt-32 uses same names */
+#  define sock_read  SockRead
+#  define sock_puts  SockPuts
+# endif
+
 static int dgram_write(BIO *h, const char *buf, int num);
 static int dgram_read(BIO *h, char *buf, int size);
 static int dgram_puts(BIO *h, const char *str);
@@ -70,7 +125,7 @@ static int BIO_dgram_should_retry(int s);
 
 static void get_current_time(struct timeval *t);
 
-static const BIO_METHOD methods_dgramp = {
+static BIO_METHOD methods_dgramp = {
     BIO_TYPE_DGRAM,
     "datagram socket",
     dgram_write,
@@ -84,7 +139,7 @@ static const BIO_METHOD methods_dgramp = {
 };
 
 # ifndef OPENSSL_NO_SCTP
-static const BIO_METHOD methods_dgramp_sctp = {
+static BIO_METHOD methods_dgramp_sctp = {
     BIO_TYPE_DGRAM_SCTP,
     "datagram sctp socket",
     dgram_sctp_write,
@@ -99,13 +154,18 @@ static const BIO_METHOD methods_dgramp_sctp = {
 # endif
 
 typedef struct bio_dgram_data_st {
-    BIO_ADDR peer;
+    union {
+        struct sockaddr sa;
+        struct sockaddr_in sa_in;
+# if OPENSSL_USE_IPV6
+        struct sockaddr_in6 sa_in6;
+# endif
+    } peer;
     unsigned int connected;
     unsigned int _errno;
     unsigned int mtu;
     struct timeval next_timeout;
     struct timeval socket_timeout;
-    unsigned int peekmode;
 } bio_dgram_data;
 
 # ifndef OPENSSL_NO_SCTP
@@ -116,7 +176,13 @@ typedef struct bio_dgram_sctp_save_message_st {
 } bio_dgram_sctp_save_message;
 
 typedef struct bio_dgram_sctp_data_st {
-    BIO_ADDR peer;
+    union {
+        struct sockaddr sa;
+        struct sockaddr_in sa_in;
+#  if OPENSSL_USE_IPV6
+        struct sockaddr_in6 sa_in6;
+#  endif
+    } peer;
     unsigned int connected;
     unsigned int _errno;
     unsigned int mtu;
@@ -134,7 +200,7 @@ typedef struct bio_dgram_sctp_data_st {
 } bio_dgram_sctp_data;
 # endif
 
-const BIO_METHOD *BIO_s_datagram(void)
+BIO_METHOD *BIO_s_datagram(void)
 {
     return (&methods_dgramp);
 }
@@ -152,11 +218,17 @@ BIO *BIO_new_dgram(int fd, int close_flag)
 
 static int dgram_new(BIO *bi)
 {
-    bio_dgram_data *data = OPENSSL_zalloc(sizeof(*data));
+    bio_dgram_data *data = NULL;
 
+    bi->init = 0;
+    bi->num = 0;
+    data = OPENSSL_malloc(sizeof(bio_dgram_data));
     if (data == NULL)
         return 0;
+    memset(data, 0x00, sizeof(bio_dgram_data));
     bi->ptr = data;
+
+    bi->flags = 0;
     return (1);
 }
 
@@ -170,7 +242,8 @@ static int dgram_free(BIO *a)
         return 0;
 
     data = (bio_dgram_data *)a->ptr;
-    OPENSSL_free(data);
+    if (data != NULL)
+        OPENSSL_free(data);
 
     return (1);
 }
@@ -181,7 +254,7 @@ static int dgram_clear(BIO *a)
         return (0);
     if (a->shutdown) {
         if (a->init) {
-            BIO_closesocket(a->num);
+            SHUTDOWN2(a->num);
         }
         a->init = 0;
         a->flags = 0;
@@ -244,7 +317,7 @@ static void dgram_adjust_rcv_timeout(BIO *b)
         }
 
         /*
-         * Adjust socket timeout if next handshake message timer will expire
+         * Adjust socket timeout if next handhake message timer will expire
          * earlier.
          */
         if ((data->socket_timeout.tv_sec == 0
@@ -298,22 +371,39 @@ static int dgram_read(BIO *b, char *out, int outl)
 {
     int ret = 0;
     bio_dgram_data *data = (bio_dgram_data *)b->ptr;
-    int flags = 0;
 
-    BIO_ADDR peer;
-    socklen_t len = sizeof(peer);
+    struct {
+        /*
+         * See commentary in b_sock.c. <appro>
+         */
+        union {
+            size_t s;
+            int i;
+        } len;
+        union {
+            struct sockaddr sa;
+            struct sockaddr_in sa_in;
+# if OPENSSL_USE_IPV6
+            struct sockaddr_in6 sa_in6;
+# endif
+        } peer;
+    } sa;
+
+    sa.len.s = 0;
+    sa.len.i = sizeof(sa.peer);
 
     if (out != NULL) {
         clear_socket_error();
-        memset(&peer, 0, sizeof(peer));
+        memset(&sa.peer, 0x00, sizeof(sa.peer));
         dgram_adjust_rcv_timeout(b);
-        if (data->peekmode)
-            flags = MSG_PEEK;
-        ret = recvfrom(b->num, out, outl, flags,
-                       BIO_ADDR_sockaddr_noconst(&peer), &len);
+        ret = recvfrom(b->num, out, outl, 0, &sa.peer.sa, (void *)&sa.len);
+        if (sizeof(sa.len.i) != sizeof(sa.len.s) && sa.len.i == 0) {
+            OPENSSL_assert(sa.len.s <= sizeof(sa.peer));
+            sa.len.i = (int)sa.len.s;
+        }
 
         if (!data->connected && ret >= 0)
-            BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
+            BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
 
         BIO_clear_retry_flags(b);
         if (ret < 0) {
@@ -337,14 +427,18 @@ static int dgram_write(BIO *b, const char *in, int inl)
     if (data->connected)
         ret = writesocket(b->num, in, inl);
     else {
-        int peerlen = BIO_ADDR_sockaddr_size(&data->peer);
+        int peerlen = sizeof(data->peer);
 
+        if (data->peer.sa.sa_family == AF_INET)
+            peerlen = sizeof(data->peer.sa_in);
+# if OPENSSL_USE_IPV6
+        else if (data->peer.sa.sa_family == AF_INET6)
+            peerlen = sizeof(data->peer.sa_in6);
+# endif
 # if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
-        ret = sendto(b->num, (char *)in, inl, 0,
-                     BIO_ADDR_sockaddr(&data->peer), peerlen);
+        ret = sendto(b->num, (char *)in, inl, 0, &data->peer.sa, peerlen);
 # else
-        ret = sendto(b->num, in, inl, 0,
-                     BIO_ADDR_sockaddr(&data->peer), peerlen);
+        ret = sendto(b->num, in, inl, 0, &data->peer.sa, peerlen);
 # endif
     }
 
@@ -353,6 +447,13 @@ static int dgram_write(BIO *b, const char *in, int inl)
         if (BIO_dgram_should_retry(ret)) {
             BIO_set_retry_write(b);
             data->_errno = get_last_socket_error();
+
+# if 0                          /* higher layers are responsible for querying
+                                 * MTU, if necessary */
+            if (data->_errno == EMSGSIZE)
+                /* retrieve the new MTU */
+                BIO_ctrl(b, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+# endif
         }
     }
     return (ret);
@@ -362,31 +463,27 @@ static long dgram_get_mtu_overhead(bio_dgram_data *data)
 {
     long ret;
 
-    switch (BIO_ADDR_family(&data->peer)) {
+    switch (data->peer.sa.sa_family) {
     case AF_INET:
         /*
          * Assume this is UDP - 20 bytes for IP, 8 bytes for UDP
          */
         ret = 28;
         break;
-# ifdef AF_INET6
+# if OPENSSL_USE_IPV6
     case AF_INET6:
-        {
 #  ifdef IN6_IS_ADDR_V4MAPPED
-            struct in6_addr tmp_addr;
-            if (BIO_ADDR_rawaddress(&data->peer, &tmp_addr, NULL)
-                && IN6_IS_ADDR_V4MAPPED(&tmp_addr))
-                /*
-                 * Assume this is UDP - 20 bytes for IP, 8 bytes for UDP
-                 */
-                ret = 28;
-            else
+        if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
+            /*
+             * Assume this is UDP - 20 bytes for IP, 8 bytes for UDP
+             */
+            ret = 28;
+        else
 #  endif
             /*
              * Assume this is UDP - 40 bytes for IP, 8 bytes for UDP
              */
             ret = 48;
-        }
         break;
 # endif
     default:
@@ -401,14 +498,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
     long ret = 1;
     int *ip;
+    struct sockaddr *to = NULL;
     bio_dgram_data *data = NULL;
     int sockopt_val = 0;
-    int d_errno;
 # if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU))
     socklen_t sockopt_len;      /* assume that system supporting IP_MTU is
                                  * modern enough to define socklen_t */
     socklen_t addr_len;
-    BIO_ADDR addr;
+    union {
+        struct sockaddr sa;
+        struct sockaddr_in s4;
+#  if OPENSSL_USE_IPV6
+        struct sockaddr_in6 s6;
+#  endif
+    } addr;
 # endif
 
     data = (bio_dgram_data *)b->ptr;
@@ -451,13 +554,35 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
         ret = 1;
         break;
     case BIO_CTRL_DGRAM_CONNECT:
-        BIO_ADDR_make(&data->peer, BIO_ADDR_sockaddr((BIO_ADDR *)ptr));
+        to = (struct sockaddr *)ptr;
+# if 0
+        if (connect(b->num, to, sizeof(struct sockaddr)) < 0) {
+            perror("connect");
+            ret = 0;
+        } else {
+# endif
+            switch (to->sa_family) {
+            case AF_INET:
+                memcpy(&data->peer, to, sizeof(data->peer.sa_in));
+                break;
+# if OPENSSL_USE_IPV6
+            case AF_INET6:
+                memcpy(&data->peer, to, sizeof(data->peer.sa_in6));
+                break;
+# endif
+            default:
+                memcpy(&data->peer, to, sizeof(data->peer.sa));
+                break;
+            }
+# if 0
+        }
+# endif
         break;
         /* (Linux)kernel sets DF bit on outgoing IP packets */
     case BIO_CTRL_DGRAM_MTU_DISCOVER:
 # if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
         addr_len = (socklen_t) sizeof(addr);
-        memset(&addr, 0, sizeof(addr));
+        memset((void *)&addr, 0, sizeof(addr));
         if (getsockname(b->num, &addr.sa, &addr_len) < 0) {
             ret = 0;
             break;
@@ -481,14 +606,14 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
             ret = -1;
             break;
         }
-# else
         ret = -1;
-# endif
+# else
         break;
+# endif
     case BIO_CTRL_DGRAM_QUERY_MTU:
 # if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU)
         addr_len = (socklen_t) sizeof(addr);
-        memset(&addr, 0, sizeof(addr));
+        memset((void *)&addr, 0, sizeof(addr));
         if (getsockname(b->num, &addr.sa, &addr_len) < 0) {
             ret = 0;
             break;
@@ -536,22 +661,18 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
         break;
     case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
         ret = -dgram_get_mtu_overhead(data);
-        switch (BIO_ADDR_family(&data->peer)) {
+        switch (data->peer.sa.sa_family) {
         case AF_INET:
             ret += 576;
             break;
 # if OPENSSL_USE_IPV6
         case AF_INET6:
-            {
 #  ifdef IN6_IS_ADDR_V4MAPPED
-                struct in6_addr tmp_addr;
-                if (BIO_ADDR_rawaddress(&data->peer, &tmp_addr, NULL)
-                    && IN6_IS_ADDR_V4MAPPED(&tmp_addr))
-                    ret += 576;
-                else
+            if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
+                ret += 576;
+            else
 #  endif
-                    ret += 1280;
-            }
+                ret += 1280;
             break;
 # endif
         default:
@@ -561,29 +682,67 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
         break;
     case BIO_CTRL_DGRAM_GET_MTU:
         return data->mtu;
+        break;
     case BIO_CTRL_DGRAM_SET_MTU:
         data->mtu = num;
         ret = num;
         break;
     case BIO_CTRL_DGRAM_SET_CONNECTED:
-        if (ptr != NULL) {
+        to = (struct sockaddr *)ptr;
+
+        if (to != NULL) {
             data->connected = 1;
-            BIO_ADDR_make(&data->peer, BIO_ADDR_sockaddr((BIO_ADDR *)ptr));
+            switch (to->sa_family) {
+            case AF_INET:
+                memcpy(&data->peer, to, sizeof(data->peer.sa_in));
+                break;
+# if OPENSSL_USE_IPV6
+            case AF_INET6:
+                memcpy(&data->peer, to, sizeof(data->peer.sa_in6));
+                break;
+# endif
+            default:
+                memcpy(&data->peer, to, sizeof(data->peer.sa));
+                break;
+            }
         } else {
             data->connected = 0;
-            memset(&data->peer, 0, sizeof(data->peer));
+            memset(&(data->peer), 0x00, sizeof(data->peer));
         }
         break;
     case BIO_CTRL_DGRAM_GET_PEER:
-        ret = BIO_ADDR_sockaddr_size(&data->peer);
-        /* FIXME: if num < ret, we will only return part of an address.
-           That should bee an error, no? */
+        switch (data->peer.sa.sa_family) {
+        case AF_INET:
+            ret = sizeof(data->peer.sa_in);
+            break;
+# if OPENSSL_USE_IPV6
+        case AF_INET6:
+            ret = sizeof(data->peer.sa_in6);
+            break;
+# endif
+        default:
+            ret = sizeof(data->peer.sa);
+            break;
+        }
         if (num == 0 || num > ret)
             num = ret;
         memcpy(ptr, &data->peer, (ret = num));
         break;
     case BIO_CTRL_DGRAM_SET_PEER:
-        BIO_ADDR_make(&data->peer, BIO_ADDR_sockaddr((BIO_ADDR *)ptr));
+        to = (struct sockaddr *)ptr;
+        switch (to->sa_family) {
+        case AF_INET:
+            memcpy(&data->peer, to, sizeof(data->peer.sa_in));
+            break;
+# if OPENSSL_USE_IPV6
+        case AF_INET6:
+            memcpy(&data->peer, to, sizeof(data->peer.sa_in6));
+            break;
+# endif
+        default:
+            memcpy(&data->peer, to, sizeof(data->peer.sa));
+            break;
+        }
         break;
     case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
         memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
@@ -706,11 +865,11 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
         /* fall-through */
     case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
 # ifdef OPENSSL_SYS_WINDOWS
-        d_errno = (data->_errno == WSAETIMEDOUT);
+        if (data->_errno == WSAETIMEDOUT)
 # else
-        d_errno = (data->_errno == EAGAIN);
+        if (data->_errno == EAGAIN)
 # endif
-        if (d_errno) {
+        {
             ret = 1;
             data->_errno = 0;
         } else
@@ -783,9 +942,6 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
         ret = dgram_get_mtu_overhead(data);
         break;
-    case BIO_CTRL_DGRAM_SET_PEEK_MODE:
-        data->peekmode = (unsigned int)num;
-        break;
     default:
         ret = 0;
         break;
@@ -803,7 +959,7 @@ static int dgram_puts(BIO *bp, const char *str)
 }
 
 # ifndef OPENSSL_NO_SCTP
-const BIO_METHOD *BIO_s_datagram_sctp(void)
+BIO_METHOD *BIO_s_datagram_sctp(void)
 {
     return (&methods_dgramp_sctp);
 }
@@ -854,13 +1010,16 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
      * connected socket won't use it.
      */
     sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
-    authchunks = OPENSSL_zalloc(sockopt_len);
-    if (authchunks == NULL) {
+    authchunks = OPENSSL_malloc(sockopt_len);
+    if (!authchunks) {
         BIO_vfree(bio);
         return (NULL);
     }
-    ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks,
+    memset(authchunks, 0, sizeof(sockopt_len));
+    ret =
+        getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks,
                    &sockopt_len);
+
     if (ret < 0) {
         OPENSSL_free(authchunks);
         BIO_vfree(bio);
@@ -883,7 +1042,7 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 
 #  ifdef SCTP_AUTHENTICATION_EVENT
 #   ifdef SCTP_EVENT
-    memset(&event, 0, sizeof(event));
+    memset(&event, 0, sizeof(struct sctp_event));
     event.se_assoc_id = 0;
     event.se_type = SCTP_AUTHENTICATION_EVENT;
     event.se_on = 1;
@@ -940,9 +1099,10 @@ static int dgram_sctp_new(BIO *bi)
 
     bi->init = 0;
     bi->num = 0;
-    data = OPENSSL_zalloc(sizeof(*data));
+    data = OPENSSL_malloc(sizeof(bio_dgram_sctp_data));
     if (data == NULL)
         return 0;
+    memset(data, 0x00, sizeof(bio_dgram_sctp_data));
 #  ifdef SCTP_PR_SCTP_NONE
     data->prinfo.pr_policy = SCTP_PR_SCTP_NONE;
 #  endif
@@ -963,7 +1123,8 @@ static int dgram_sctp_free(BIO *a)
 
     data = (bio_dgram_sctp_data *) a->ptr;
     if (data != NULL) {
-        OPENSSL_free(data->saved_message.data);
+        if (data->saved_message.data != NULL)
+            OPENSSL_free(data->saved_message.data);
         OPENSSL_free(data);
     }
 
@@ -1003,7 +1164,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
         clear_socket_error();
 
         do {
-            memset(&data->rcvinfo, 0, sizeof(data->rcvinfo));
+            memset(&data->rcvinfo, 0x00,
+                   sizeof(struct bio_dgram_sctp_rcvinfo));
             iov.iov_base = out;
             iov.iov_len = outl;
             msg.msg_name = NULL;
@@ -1072,13 +1234,9 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
                      * it can be sent now.
                      */
                     if (data->saved_message.length > 0) {
-                        i = dgram_sctp_write(data->saved_message.bio,
+                        dgram_sctp_write(data->saved_message.bio,
                                          data->saved_message.data,
                                          data->saved_message.length);
-                        if (i < 0) {
-                            ret = i;
-                            break;
-                        }
                         OPENSSL_free(data->saved_message.data);
                         data->saved_message.data = NULL;
                         data->saved_message.length = 0;
@@ -1086,7 +1244,7 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 
                     /* disable sender dry event */
 #  ifdef SCTP_EVENT
-                    memset(&event, 0, sizeof(event));
+                    memset(&event, 0, sizeof(struct sctp_event));
                     event.se_assoc_id = 0;
                     event.se_type = SCTP_SENDER_DRY_EVENT;
                     event.se_on = 0;
@@ -1192,11 +1350,11 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
             optlen =
                 (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
             authchunks = OPENSSL_malloc(optlen);
-            if (authchunks == NULL) {
+            if (!authchunks) {
                 BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_FAILURE);
                 return -1;
             }
-            memset(authchunks, 0, optlen);
+            memset(authchunks, 0, sizeof(optlen));
             ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS,
                             authchunks, &optlen);
 
@@ -1223,14 +1381,6 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
     return (ret);
 }
 
-/*
- * dgram_sctp_write - send message on SCTP socket
- * @b: BIO to write to
- * @in: data to send
- * @inl: amount of bytes in @in to send
- *
- * Returns -1 on error or the sent amount of bytes on success
- */
 static int dgram_sctp_write(BIO *b, const char *in, int inl)
 {
     int ret;
@@ -1258,7 +1408,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
      * parameters and flags.
      */
     if (in[0] != 23) {
-        memset(&handshake_sinfo, 0, sizeof(handshake_sinfo));
+        memset(&handshake_sinfo, 0x00, sizeof(struct bio_dgram_sctp_sndinfo));
 #  ifdef SCTP_SACK_IMMEDIATELY
         handshake_sinfo.snd_flags = SCTP_SACK_IMMEDIATELY;
 #  endif
@@ -1269,24 +1419,19 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
      * If we have to send a shutdown alert message and the socket is not dry
      * yet, we have to save it and send it as soon as the socket gets dry.
      */
-    if (data->save_shutdown) {
-        ret = BIO_dgram_sctp_wait_for_dry(b);
-        if (ret < 0) {
+    if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) {
+        char *tmp;
+        data->saved_message.bio = b;
+        if (!(tmp = OPENSSL_malloc(inl))) {
+            BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_FAILURE);
             return -1;
         }
-        if (ret == 0) {
-            char *tmp;
-            data->saved_message.bio = b;
-            if ((tmp = OPENSSL_malloc(inl)) == NULL) {
-                BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_FAILURE);
-                return -1;
-            }
+        if (data->saved_message.data)
             OPENSSL_free(data->saved_message.data);
-            data->saved_message.data = tmp;
-            memcpy(data->saved_message.data, in, inl);
-            data->saved_message.length = inl;
-            return inl;
-        }
+        data->saved_message.data = tmp;
+        memcpy(data->saved_message.data, in, inl);
+        data->saved_message.length = inl;
+        return inl;
     }
 
     iov[0].iov_base = (char *)in;
@@ -1304,7 +1449,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
     cmsg->cmsg_type = SCTP_SNDINFO;
     cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndinfo));
     sndinfo = (struct sctp_sndinfo *)CMSG_DATA(cmsg);
-    memset(sndinfo, 0, sizeof(*sndinfo));
+    memset(sndinfo, 0, sizeof(struct sctp_sndinfo));
     sndinfo->snd_sid = sinfo->snd_sid;
     sndinfo->snd_flags = sinfo->snd_flags;
     sndinfo->snd_ppid = sinfo->snd_ppid;
@@ -1317,7 +1462,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
     cmsg->cmsg_type = SCTP_PRINFO;
     cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_prinfo));
     prinfo = (struct sctp_prinfo *)CMSG_DATA(cmsg);
-    memset(prinfo, 0, sizeof(*prinfo));
+    memset(prinfo, 0, sizeof(struct sctp_prinfo));
     prinfo->pr_policy = pinfo->pr_policy;
     prinfo->pr_value = pinfo->pr_value;
     msg.msg_controllen += CMSG_SPACE(sizeof(struct sctp_prinfo));
@@ -1327,7 +1472,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
     cmsg->cmsg_type = SCTP_SNDRCV;
     cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
     sndrcvinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmsg);
-    memset(sndrcvinfo, 0, sizeof(*sndrcvinfo));
+    memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
     sndrcvinfo->sinfo_stream = sinfo->snd_sid;
     sndrcvinfo->sinfo_flags = sinfo->snd_flags;
 #   ifdef __FreeBSD__
@@ -1424,7 +1569,7 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
             ret = -1;
             break;
         }
-        memset(authkey, 0, sockopt_len);
+        memset(authkey, 0x00, sockopt_len);
         authkey->sca_keynumber = authkeyid.scact_keynumber + 1;
 #  ifndef __FreeBSD__
         /*
@@ -1604,24 +1749,10 @@ int BIO_dgram_sctp_notification_cb(BIO *b,
     return 0;
 }
 
-/*
- * BIO_dgram_sctp_wait_for_dry - Wait for SCTP SENDER_DRY event
- * @b: The BIO to check for the dry event
- *
- * Wait until the peer confirms all packets have been received, and so that
- * our kernel doesn't have anything to send anymore.  This is only received by
- * the peer's kernel, not the application.
- *
- * Returns:
- * -1 on error
- *  0 when not dry yet
- *  1 when dry
- */
 int BIO_dgram_sctp_wait_for_dry(BIO *b)
 {
     int is_dry = 0;
-    int sockflags = 0;
-    int n, ret;
+    int n, sockflags, ret;
     union sctp_notification snp;
     struct msghdr msg;
     struct iovec iov;
@@ -1635,7 +1766,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 
     /* set sender dry event */
 #  ifdef SCTP_EVENT
-    memset(&event, 0, sizeof(event));
+    memset(&event, 0, sizeof(struct sctp_event));
     event.se_assoc_id = 0;
     event.se_type = SCTP_SENDER_DRY_EVENT;
     event.se_on = 1;
@@ -1658,7 +1789,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
         return -1;
 
     /* peek for notification */
-    memset(&snp, 0, sizeof(snp));
+    memset(&snp, 0x00, sizeof(union sctp_notification));
     iov.iov_base = (char *)&snp;
     iov.iov_len = sizeof(union sctp_notification);
     msg.msg_name = NULL;
@@ -1680,7 +1811,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 
     /* if we find a notification, process it and try again if necessary */
     while (msg.msg_flags & MSG_NOTIFICATION) {
-        memset(&snp, 0, sizeof(snp));
+        memset(&snp, 0x00, sizeof(union sctp_notification));
         iov.iov_base = (char *)&snp;
         iov.iov_len = sizeof(union sctp_notification);
         msg.msg_name = NULL;
@@ -1705,7 +1836,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 
             /* disable sender dry event */
 #  ifdef SCTP_EVENT
-            memset(&event, 0, sizeof(event));
+            memset(&event, 0, sizeof(struct sctp_event));
             event.se_assoc_id = 0;
             event.se_type = SCTP_SENDER_DRY_EVENT;
             event.se_on = 0;
@@ -1739,7 +1870,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
                                        (void *)&snp);
 
         /* found notification, peek again */
-        memset(&snp, 0, sizeof(snp));
+        memset(&snp, 0x00, sizeof(union sctp_notification));
         iov.iov_base = (char *)&snp;
         iov.iov_len = sizeof(union sctp_notification);
         msg.msg_name = NULL;
@@ -1785,7 +1916,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
 
     /* Check if there are any messages waiting to be read */
     do {
-        memset(&snp, 0, sizeof(snp));
+        memset(&snp, 0x00, sizeof(union sctp_notification));
         iov.iov_base = (char *)&snp;
         iov.iov_len = sizeof(union sctp_notification);
         msg.msg_name = NULL;
@@ -1808,7 +1939,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
                 dgram_sctp_handle_auth_free_key_event(b, &snp);
 #  endif
 
-            memset(&snp, 0, sizeof(snp));
+            memset(&snp, 0x00, sizeof(union sctp_notification));
             iov.iov_base = (char *)&snp;
             iov.iov_len = sizeof(union sctp_notification);
             msg.msg_name = NULL;
@@ -1871,6 +2002,12 @@ int BIO_dgram_non_fatal_error(int err)
 #  if defined(WSAEWOULDBLOCK)
     case WSAEWOULDBLOCK:
 #  endif
+
+#  if 0                         /* This appears to always be an error */
+#   if defined(WSAENOTCONN)
+    case WSAENOTCONN:
+#   endif
+#  endif
 # endif
 
 # ifdef EWOULDBLOCK
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_fd.c b/Cryptlib/OpenSSL/crypto/bio/bss_fd.c
index 1e56cb62..5f4e3448 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_fd.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_fd.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_fd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-
-#include "bio_lcl.h"
+#define USE_SOCKETS
+#include "cryptlib.h"
 
 #if defined(OPENSSL_NO_POSIX_IO)
 /*
@@ -31,7 +80,7 @@ int BIO_fd_should_retry(int i)
     return 0;
 }
 
-const BIO_METHOD *BIO_s_fd(void)
+BIO_METHOD *BIO_s_fd(void)
 {
     return NULL;
 }
@@ -48,6 +97,8 @@ const BIO_METHOD *BIO_s_fd(void)
  * file descriptors can only be provided by application. Therefore
  * "UPLINK" calls are due...
  */
+# include "bio_lcl.h"
+
 static int fd_write(BIO *h, const char *buf, int num);
 static int fd_read(BIO *h, char *buf, int size);
 static int fd_puts(BIO *h, const char *str);
@@ -57,7 +108,7 @@ static int fd_new(BIO *h);
 static int fd_free(BIO *data);
 int BIO_fd_should_retry(int s);
 
-static const BIO_METHOD methods_fdp = {
+static BIO_METHOD methods_fdp = {
     BIO_TYPE_FD, "file descriptor",
     fd_write,
     fd_read,
@@ -69,7 +120,7 @@ static const BIO_METHOD methods_fdp = {
     NULL,
 };
 
-const BIO_METHOD *BIO_s_fd(void)
+BIO_METHOD *BIO_s_fd(void)
 {
     return (&methods_fdp);
 }
@@ -219,6 +270,12 @@ int BIO_fd_should_retry(int i)
     if ((i == 0) || (i == -1)) {
         err = get_last_sys_error();
 
+# if defined(OPENSSL_SYS_WINDOWS) && 0/* more microsoft stupidity? perhaps
+                                       * not? Ben 4/1/99 */
+        if ((i == -1) && (err == 0))
+            return (1);
+# endif
+
         return (BIO_fd_non_fatal_error(err));
     }
     return (0);
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_file.c b/Cryptlib/OpenSSL/crypto/bio/bss_file.c
index 6af2d9cb..a6e3b3ac 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_file.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_file.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_file.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /*-
@@ -36,19 +85,24 @@
 
 # include <stdio.h>
 # include <errno.h>
+# include "cryptlib.h"
 # include "bio_lcl.h"
 # include <openssl/err.h>
 
+# if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_CLIB)
+#  include <nwfileio.h>
+# endif
+
 # if !defined(OPENSSL_NO_STDIO)
 
-static int file_write(BIO *h, const char *buf, int num);
-static int file_read(BIO *h, char *buf, int size);
-static int file_puts(BIO *h, const char *str);
-static int file_gets(BIO *h, char *str, int size);
-static long file_ctrl(BIO *h, int cmd, long arg1, void *arg2);
-static int file_new(BIO *h);
-static int file_free(BIO *data);
-static const BIO_METHOD methods_filep = {
+static int MS_CALLBACK file_write(BIO *h, const char *buf, int num);
+static int MS_CALLBACK file_read(BIO *h, char *buf, int size);
+static int MS_CALLBACK file_puts(BIO *h, const char *str);
+static int MS_CALLBACK file_gets(BIO *h, char *str, int size);
+static long MS_CALLBACK file_ctrl(BIO *h, int cmd, long arg1, void *arg2);
+static int MS_CALLBACK file_new(BIO *h);
+static int MS_CALLBACK file_free(BIO *data);
+static BIO_METHOD methods_filep = {
     BIO_TYPE_FILE,
     "FILE pointer",
     file_write,
@@ -61,14 +115,61 @@ static const BIO_METHOD methods_filep = {
     NULL,
 };
 
+static FILE *file_fopen(const char *filename, const char *mode)
+{
+    FILE *file = NULL;
+
+#  if defined(_WIN32) && defined(CP_UTF8)
+    int sz, len_0 = (int)strlen(filename) + 1;
+    DWORD flags;
+
+    /*
+     * Basically there are three cases to cover: a) filename is
+     * pure ASCII string; b) actual UTF-8 encoded string and
+     * c) locale-ized string, i.e. one containing 8-bit
+     * characters that are meaningful in current system locale.
+     * If filename is pure ASCII or real UTF-8 encoded string,
+     * MultiByteToWideChar succeeds and _wfopen works. If
+     * filename is locale-ized string, chances are that
+     * MultiByteToWideChar fails reporting
+     * ERROR_NO_UNICODE_TRANSLATION, in which case we fall
+     * back to fopen...
+     */
+    if ((sz = MultiByteToWideChar(CP_UTF8, (flags = MB_ERR_INVALID_CHARS),
+                                  filename, len_0, NULL, 0)) > 0 ||
+        (GetLastError() == ERROR_INVALID_FLAGS &&
+         (sz = MultiByteToWideChar(CP_UTF8, (flags = 0),
+                                   filename, len_0, NULL, 0)) > 0)
+        ) {
+        WCHAR wmode[8];
+        WCHAR *wfilename = _alloca(sz * sizeof(WCHAR));
+
+        if (MultiByteToWideChar(CP_UTF8, flags,
+                                filename, len_0, wfilename, sz) &&
+            MultiByteToWideChar(CP_UTF8, 0, mode, strlen(mode) + 1,
+                                wmode, sizeof(wmode) / sizeof(wmode[0])) &&
+            (file = _wfopen(wfilename, wmode)) == NULL &&
+            (errno == ENOENT || errno == EBADF)
+            ) {
+            /*
+             * UTF-8 decode succeeded, but no file, filename
+             * could still have been locale-ized...
+             */
+            file = fopen(filename, mode);
+        }
+    } else if (GetLastError() == ERROR_NO_UNICODE_TRANSLATION) {
+        file = fopen(filename, mode);
+    }
+#  else
+    file = fopen(filename, mode);
+#  endif
+    return (file);
+}
+
 BIO *BIO_new_file(const char *filename, const char *mode)
 {
     BIO  *ret;
-    FILE *file = openssl_fopen(filename, mode);
-    int fp_flags = BIO_CLOSE;
-
-    if (strchr(mode, 'b') == NULL)
-        fp_flags |= BIO_FP_TEXT;
+    FILE *file = file_fopen(filename, mode);
 
     if (file == NULL) {
         SYSerr(SYS_F_FOPEN, get_last_sys_error());
@@ -90,7 +191,7 @@ BIO *BIO_new_file(const char *filename, const char *mode)
 
     BIO_clear_flags(ret, BIO_FLAGS_UPLINK); /* we did fopen -> we disengage
                                              * UPLINK */
-    BIO_set_fp(ret, file, fp_flags);
+    BIO_set_fp(ret, file, BIO_CLOSE);
     return (ret);
 }
 
@@ -101,18 +202,18 @@ BIO *BIO_new_fp(FILE *stream, int close_flag)
     if ((ret = BIO_new(BIO_s_file())) == NULL)
         return (NULL);
 
-    /* redundant flag, left for documentation purposes */
-    BIO_set_flags(ret, BIO_FLAGS_UPLINK);
+    BIO_set_flags(ret, BIO_FLAGS_UPLINK); /* redundant, left for
+                                           * documentation puposes */
     BIO_set_fp(ret, stream, close_flag);
     return (ret);
 }
 
-const BIO_METHOD *BIO_s_file(void)
+BIO_METHOD *BIO_s_file(void)
 {
     return (&methods_filep);
 }
 
-static int file_new(BIO *bi)
+static int MS_CALLBACK file_new(BIO *bi)
 {
     bi->init = 0;
     bi->num = 0;
@@ -121,7 +222,7 @@ static int file_new(BIO *bi)
     return (1);
 }
 
-static int file_free(BIO *a)
+static int MS_CALLBACK file_free(BIO *a)
 {
     if (a == NULL)
         return (0);
@@ -139,7 +240,7 @@ static int file_free(BIO *a)
     return (1);
 }
 
-static int file_read(BIO *b, char *out, int outl)
+static int MS_CALLBACK file_read(BIO *b, char *out, int outl)
 {
     int ret = 0;
 
@@ -150,7 +251,7 @@ static int file_read(BIO *b, char *out, int outl)
             ret = fread(out, 1, (int)outl, (FILE *)b->ptr);
         if (ret == 0
             && (b->flags & BIO_FLAGS_UPLINK) ? UP_ferror((FILE *)b->ptr) :
-                                               ferror((FILE *)b->ptr)) {
+            ferror((FILE *)b->ptr)) {
             SYSerr(SYS_F_FREAD, get_last_sys_error());
             BIOerr(BIO_F_FILE_READ, ERR_R_SYS_LIB);
             ret = -1;
@@ -159,7 +260,7 @@ static int file_read(BIO *b, char *out, int outl)
     return (ret);
 }
 
-static int file_write(BIO *b, const char *in, int inl)
+static int MS_CALLBACK file_write(BIO *b, const char *in, int inl)
 {
     int ret = 0;
 
@@ -180,7 +281,7 @@ static int file_write(BIO *b, const char *in, int inl)
     return (ret);
 }
 
-static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
+static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
     long ret = 1;
     FILE *fp = (FILE *)b->ptr;
@@ -217,11 +318,8 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
 #   if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
 #    define _IOB_ENTRIES 20
 #   endif
+#   if defined(_IOB_ENTRIES)
         /* Safety net to catch purely internal BIO_set_fp calls */
-#   if defined(_MSC_VER) && _MSC_VER>=1900
-        if (ptr == stdin || ptr == stdout || ptr == stderr)
-            BIO_clear_flags(b, BIO_FLAGS_UPLINK);
-#   elif defined(_IOB_ENTRIES)
         if ((size_t)ptr >= (size_t)stdin &&
             (size_t)ptr < (size_t)(stdin + _IOB_ENTRIES))
             BIO_clear_flags(b, BIO_FLAGS_UPLINK);
@@ -239,6 +337,13 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
                 _setmode(fd, _O_TEXT);
             else
                 _setmode(fd, _O_BINARY);
+#  elif defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_CLIB)
+            int fd = fileno((FILE *)ptr);
+            /* Under CLib there are differences in file modes */
+            if (num & BIO_FP_TEXT)
+                setmode(fd, O_TEXT);
+            else
+                setmode(fd, O_BINARY);
 #  elif defined(OPENSSL_SYS_MSDOS)
             int fd = fileno((FILE *)ptr);
             /* Set correct text/binary mode */
@@ -252,7 +357,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
                 } else
                     _setmode(fd, _O_BINARY);
             }
-#  elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+#  elif defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
             int fd = fileno((FILE *)ptr);
             if (num & BIO_FP_TEXT)
                 setmode(fd, O_TEXT);
@@ -266,27 +371,33 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
         b->shutdown = (int)num & BIO_CLOSE;
         if (num & BIO_FP_APPEND) {
             if (num & BIO_FP_READ)
-                OPENSSL_strlcpy(p, "a+", sizeof p);
+                BUF_strlcpy(p, "a+", sizeof p);
             else
-                OPENSSL_strlcpy(p, "a", sizeof p);
+                BUF_strlcpy(p, "a", sizeof p);
         } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE))
-            OPENSSL_strlcpy(p, "r+", sizeof p);
+            BUF_strlcpy(p, "r+", sizeof p);
         else if (num & BIO_FP_WRITE)
-            OPENSSL_strlcpy(p, "w", sizeof p);
+            BUF_strlcpy(p, "w", sizeof p);
         else if (num & BIO_FP_READ)
-            OPENSSL_strlcpy(p, "r", sizeof p);
+            BUF_strlcpy(p, "r", sizeof p);
         else {
             BIOerr(BIO_F_FILE_CTRL, BIO_R_BAD_FOPEN_MODE);
             ret = 0;
             break;
         }
-#  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+#  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
         if (!(num & BIO_FP_TEXT))
             strcat(p, "b");
         else
             strcat(p, "t");
 #  endif
-        fp = openssl_fopen(ptr, p);
+#  if defined(OPENSSL_SYS_NETWARE)
+        if (!(num & BIO_FP_TEXT))
+            strcat(p, "b");
+        else
+            strcat(p, "t");
+#  endif
+        fp = file_fopen(ptr, p);
         if (fp == NULL) {
             SYSerr(SYS_F_FOPEN, get_last_sys_error());
             ERR_add_error_data(5, "fopen('", ptr, "','", p, "')");
@@ -333,7 +444,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
     return (ret);
 }
 
-static int file_gets(BIO *bp, char *buf, int size)
+static int MS_CALLBACK file_gets(BIO *bp, char *buf, int size)
 {
     int ret = 0;
 
@@ -351,7 +462,7 @@ static int file_gets(BIO *bp, char *buf, int size)
     return (ret);
 }
 
-static int file_puts(BIO *bp, const char *str)
+static int MS_CALLBACK file_puts(BIO *bp, const char *str)
 {
     int n, ret;
 
@@ -360,60 +471,6 @@ static int file_puts(BIO *bp, const char *str)
     return (ret);
 }
 
-#else
-
-static int file_write(BIO *b, const char *in, int inl)
-{
-    return -1;
-}
-static int file_read(BIO *b, char *out, int outl)
-{
-    return -1;
-}
-static int file_puts(BIO *bp, const char *str)
-{
-    return -1;
-}
-static int file_gets(BIO *bp, char *buf, int size)
-{
-    return 0;
-}
-static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
-{
-    return 0;
-}
-static int file_new(BIO *bi)
-{
-    return 0;
-}
-static int file_free(BIO *a)
-{
-    return 0;
-}
-
-static const BIO_METHOD methods_filep = {
-    BIO_TYPE_FILE,
-    "FILE pointer",
-    file_write,
-    file_read,
-    file_puts,
-    file_gets,
-    file_ctrl,
-    file_new,
-    file_free,
-    NULL,
-};
-
-const BIO_METHOD *BIO_s_file(void)
-{
-    return (&methods_filep);
-}
-
-BIO *BIO_new_file(const char *filename, const char *mode)
-{
-    return NULL;
-}
-
 # endif                         /* OPENSSL_NO_STDIO */
 
 #endif                          /* HEADER_BSS_FILE_C */
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_log.c b/Cryptlib/OpenSSL/crypto/bio/bss_log.c
index 6cbde4d2..1283a525 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_log.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_log.c
@@ -1,10 +1,56 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_log.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -19,8 +65,7 @@
 #include <stdio.h>
 #include <errno.h>
 
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #if defined(OPENSSL_SYS_WINCE)
 #elif defined(OPENSSL_SYS_WIN32)
@@ -39,6 +84,8 @@ void *_malloc32(__size_t);
 #  endif                        /* __INITIAL_POINTER_SIZE == 64 */
 # endif                         /* __INITIAL_POINTER_SIZE && defined
                                  * _ANSI_C_SOURCE */
+#elif defined(__ultrix)
+# include <sys/syslog.h>
 #elif defined(OPENSSL_SYS_NETWARE)
 # define NO_SYSLOG
 #elif (!defined(MSDOS) || defined(WATT32)) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG)
@@ -75,16 +122,16 @@ void *_malloc32(__size_t);
 #  define LOG_DAEMON      OPC$M_NM_NTWORK
 # endif
 
-static int slg_write(BIO *h, const char *buf, int num);
-static int slg_puts(BIO *h, const char *str);
-static long slg_ctrl(BIO *h, int cmd, long arg1, void *arg2);
-static int slg_new(BIO *h);
-static int slg_free(BIO *data);
+static int MS_CALLBACK slg_write(BIO *h, const char *buf, int num);
+static int MS_CALLBACK slg_puts(BIO *h, const char *str);
+static long MS_CALLBACK slg_ctrl(BIO *h, int cmd, long arg1, void *arg2);
+static int MS_CALLBACK slg_new(BIO *h);
+static int MS_CALLBACK slg_free(BIO *data);
 static void xopenlog(BIO *bp, char *name, int level);
 static void xsyslog(BIO *bp, int priority, const char *string);
 static void xcloselog(BIO *bp);
 
-static const BIO_METHOD methods_slg = {
+static BIO_METHOD methods_slg = {
     BIO_TYPE_MEM, "syslog",
     slg_write,
     NULL,
@@ -96,12 +143,12 @@ static const BIO_METHOD methods_slg = {
     NULL,
 };
 
-const BIO_METHOD *BIO_s_log(void)
+BIO_METHOD *BIO_s_log(void)
 {
     return (&methods_slg);
 }
 
-static int slg_new(BIO *bi)
+static int MS_CALLBACK slg_new(BIO *bi)
 {
     bi->init = 1;
     bi->num = 0;
@@ -110,7 +157,7 @@ static int slg_new(BIO *bi)
     return (1);
 }
 
-static int slg_free(BIO *a)
+static int MS_CALLBACK slg_free(BIO *a)
 {
     if (a == NULL)
         return (0);
@@ -118,7 +165,7 @@ static int slg_free(BIO *a)
     return (1);
 }
 
-static int slg_write(BIO *b, const char *in, int inl)
+static int MS_CALLBACK slg_write(BIO *b, const char *in, int inl)
 {
     int ret = inl;
     char *buf;
@@ -192,7 +239,7 @@ static int slg_write(BIO *b, const char *in, int inl)
         /* The default */
     };
 
-    if ((buf = OPENSSL_malloc(inl + 1)) == NULL) {
+    if ((buf = (char *)OPENSSL_malloc(inl + 1)) == NULL) {
         return (0);
     }
     strncpy(buf, in, inl);
@@ -210,7 +257,7 @@ static int slg_write(BIO *b, const char *in, int inl)
     return (ret);
 }
 
-static long slg_ctrl(BIO *b, int cmd, long num, void *ptr)
+static long MS_CALLBACK slg_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
     switch (cmd) {
     case BIO_CTRL_SET:
@@ -223,7 +270,7 @@ static long slg_ctrl(BIO *b, int cmd, long num, void *ptr)
     return (0);
 }
 
-static int slg_puts(BIO *bp, const char *str)
+static int MS_CALLBACK slg_puts(BIO *bp, const char *str)
 {
     int n, ret;
 
@@ -275,7 +322,7 @@ static void xsyslog(BIO *bp, int priority, const char *string)
         break;
     }
 
-    sprintf(pidbuf, "[%lu] ", GetCurrentProcessId());
+    sprintf(pidbuf, "[%u] ", GetCurrentProcessId());
     lpszStrings[0] = pidbuf;
     lpszStrings[1] = string;
 
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_mem.c b/Cryptlib/OpenSSL/crypto/bio/bss_mem.c
index 6dc075dc..b0394a96 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_mem.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_mem.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_mem.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/bio.h>
 
 static int mem_write(BIO *h, const char *buf, int num);
 static int mem_read(BIO *h, char *buf, int size);
@@ -18,12 +67,8 @@ static int mem_puts(BIO *h, const char *str);
 static int mem_gets(BIO *h, char *str, int size);
 static long mem_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int mem_new(BIO *h);
-static int secmem_new(BIO *h);
 static int mem_free(BIO *data);
-static int mem_buf_free(BIO *data, int free_all);
-static int mem_buf_sync(BIO *h);
-
-static const BIO_METHOD mem_method = {
+static BIO_METHOD mem_method = {
     BIO_TYPE_MEM,
     "memory buffer",
     mem_write,
@@ -36,159 +81,87 @@ static const BIO_METHOD mem_method = {
     NULL,
 };
 
-static const BIO_METHOD secmem_method = {
-    BIO_TYPE_MEM,
-    "secure memory buffer",
-    mem_write,
-    mem_read,
-    mem_puts,
-    mem_gets,
-    mem_ctrl,
-    secmem_new,
-    mem_free,
-    NULL,
-};
-
-/* BIO memory stores buffer and read pointer  */
-typedef struct bio_buf_mem_st {
-    struct buf_mem_st *buf;   /* allocated buffer */
-    struct buf_mem_st *readp; /* read pointer */
-} BIO_BUF_MEM;
-
 /*
  * bio->num is used to hold the value to return on 'empty', if it is 0,
  * should_retry is not set
  */
 
-const BIO_METHOD *BIO_s_mem(void)
+BIO_METHOD *BIO_s_mem(void)
 {
     return (&mem_method);
 }
 
-const BIO_METHOD *BIO_s_secmem(void)
-{
-    return(&secmem_method);
-}
 
 BIO *BIO_new_mem_buf(const void *buf, int len)
 {
     BIO *ret;
     BUF_MEM *b;
-    BIO_BUF_MEM *bb;
     size_t sz;
 
-    if (buf == NULL) {
+    if (!buf) {
         BIOerr(BIO_F_BIO_NEW_MEM_BUF, BIO_R_NULL_PARAMETER);
         return NULL;
     }
     sz = (len < 0) ? strlen(buf) : (size_t)len;
-    if ((ret = BIO_new(BIO_s_mem())) == NULL)
+    if (!(ret = BIO_new(BIO_s_mem())))
         return NULL;
-    bb = (BIO_BUF_MEM *)ret->ptr;
-    b = bb->buf;
+    b = (BUF_MEM *)ret->ptr;
     /* Cast away const and trust in the MEM_RDONLY flag. */
     b->data = (void *)buf;
     b->length = sz;
     b->max = sz;
-    *bb->readp = *bb->buf;
     ret->flags |= BIO_FLAGS_MEM_RDONLY;
-    /* Since this is static data retrying won't help */
+    /* Since this is static data retrying wont help */
     ret->num = 0;
     return ret;
 }
 
-static int mem_init(BIO *bi, unsigned long flags)
+static int mem_new(BIO *bi)
 {
-    BIO_BUF_MEM *bb = OPENSSL_zalloc(sizeof(*bb));
+    BUF_MEM *b;
 
-    if (bb == NULL)
-        return 0;
-    if ((bb->buf = BUF_MEM_new_ex(flags)) == NULL) {
-        OPENSSL_free(bb);
-        return 0;
-    }
-    if ((bb->readp = OPENSSL_zalloc(sizeof(*bb->readp))) == NULL) {
-        BUF_MEM_free(bb->buf);
-        OPENSSL_free(bb);
-        return 0;
-    }
-    *bb->readp = *bb->buf;
+    if ((b = BUF_MEM_new()) == NULL)
+        return (0);
     bi->shutdown = 1;
     bi->init = 1;
     bi->num = -1;
-    bi->ptr = (char *)bb;
-    return 1;
-}
-
-static int mem_new(BIO *bi)
-{
-    return (mem_init(bi, 0L));
-}
-
-static int secmem_new(BIO *bi)
-{
-    return (mem_init(bi, BUF_MEM_FLAG_SECURE));
+    bi->ptr = (char *)b;
+    return (1);
 }
 
 static int mem_free(BIO *a)
 {
-    return (mem_buf_free(a, 1));
-}
-
-static int mem_buf_free(BIO *a, int free_all)
-{
     if (a == NULL)
         return (0);
     if (a->shutdown) {
         if ((a->init) && (a->ptr != NULL)) {
             BUF_MEM *b;
-            BIO_BUF_MEM *bb = (BIO_BUF_MEM *)a->ptr;
-
-            if (bb != NULL) {
-                b = bb->buf;
-                if (a->flags & BIO_FLAGS_MEM_RDONLY)
-                    b->data = NULL;
-                BUF_MEM_free(b);
-                if (free_all) {
-                    OPENSSL_free(bb->readp);
-                    OPENSSL_free(bb);
-                }
-            }
+            b = (BUF_MEM *)a->ptr;
+            if (a->flags & BIO_FLAGS_MEM_RDONLY)
+                b->data = NULL;
+            BUF_MEM_free(b);
             a->ptr = NULL;
         }
     }
     return (1);
 }
 
-/*
- * Reallocate memory buffer if read pointer differs
- */
-static int mem_buf_sync(BIO *b)
-{
-    if (b != NULL && b->init != 0 && b->ptr != NULL) {
-        BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
-
-        if (bbm->readp->data != bbm->buf->data) {
-            memmove(bbm->buf->data, bbm->readp->data, bbm->readp->length);
-            bbm->buf->length = bbm->readp->length;
-            bbm->readp->data = bbm->buf->data;
-        }
-    }
-    return (0);
-}
-
 static int mem_read(BIO *b, char *out, int outl)
 {
     int ret = -1;
-    BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
-    BUF_MEM *bm = bbm->readp;
+    BUF_MEM *bm;
 
+    bm = (BUF_MEM *)b->ptr;
     BIO_clear_retry_flags(b);
     ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl;
     if ((out != NULL) && (ret > 0)) {
         memcpy(out, bm->data, ret);
         bm->length -= ret;
-        bm->data += ret;
+        if (b->flags & BIO_FLAGS_MEM_RDONLY)
+            bm->data += ret;
+        else {
+            memmove(&(bm->data[0]), &(bm->data[ret]), bm->length);
+        }
     } else if (bm->length == 0) {
         ret = b->num;
         if (ret != 0)
@@ -201,23 +174,24 @@ static int mem_write(BIO *b, const char *in, int inl)
 {
     int ret = -1;
     int blen;
-    BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
+    BUF_MEM *bm;
 
+    bm = (BUF_MEM *)b->ptr;
     if (in == NULL) {
         BIOerr(BIO_F_MEM_WRITE, BIO_R_NULL_PARAMETER);
         goto end;
     }
+
     if (b->flags & BIO_FLAGS_MEM_RDONLY) {
         BIOerr(BIO_F_MEM_WRITE, BIO_R_WRITE_TO_READ_ONLY_BIO);
         goto end;
     }
+
     BIO_clear_retry_flags(b);
-    blen = bbm->readp->length;
-    mem_buf_sync(b);
-    if (BUF_MEM_grow_clean(bbm->buf, blen + inl) == 0)
+    blen = bm->length;
+    if (BUF_MEM_grow_clean(bm, blen + inl) != (blen + inl))
         goto end;
-    memcpy(bbm->buf->data + blen, in, inl);
-    *bbm->readp = *bbm->buf;
+    memcpy(&(bm->data[blen]), in, inl);
     ret = inl;
  end:
     return (ret);
@@ -227,32 +201,29 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
     long ret = 1;
     char **pptr;
-    BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
-    BUF_MEM *bm;
+
+    BUF_MEM *bm = (BUF_MEM *)b->ptr;
 
     switch (cmd) {
     case BIO_CTRL_RESET:
-        bm = bbm->buf;
         if (bm->data != NULL) {
             /* For read only case reset to the start again */
-            if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) {
+            if (b->flags & BIO_FLAGS_MEM_RDONLY) {
+                bm->data -= bm->max - bm->length;
                 bm->length = bm->max;
             } else {
                 memset(bm->data, 0, bm->max);
                 bm->length = 0;
             }
-            *bbm->readp = *bbm->buf;
         }
         break;
     case BIO_CTRL_EOF:
-        bm = bbm->readp;
         ret = (long)(bm->length == 0);
         break;
     case BIO_C_SET_BUF_MEM_EOF_RETURN:
         b->num = (int)num;
         break;
     case BIO_CTRL_INFO:
-        bm = bbm->readp;
         ret = (long)bm->length;
         if (ptr != NULL) {
             pptr = (char **)ptr;
@@ -260,16 +231,12 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
         }
         break;
     case BIO_C_SET_BUF_MEM:
-        mem_buf_free(b, 0);
+        mem_free(b);
         b->shutdown = (int)num;
-        bbm->buf = ptr;
-        *bbm->readp = *bbm->buf;
-        b->ptr = bbm;
+        b->ptr = ptr;
         break;
     case BIO_C_GET_BUF_MEM_PTR:
         if (ptr != NULL) {
-            mem_buf_sync(b);
-            bm = bbm->readp;
             pptr = (char **)ptr;
             *pptr = (char *)bm;
         }
@@ -280,11 +247,11 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_CTRL_SET_CLOSE:
         b->shutdown = (int)num;
         break;
+
     case BIO_CTRL_WPENDING:
         ret = 0L;
         break;
     case BIO_CTRL_PENDING:
-        bm = bbm->readp;
         ret = (long)bm->length;
         break;
     case BIO_CTRL_DUP:
@@ -305,8 +272,7 @@ static int mem_gets(BIO *bp, char *buf, int size)
     int i, j;
     int ret = -1;
     char *p;
-    BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr;
-    BUF_MEM *bm = bbm->readp;
+    BUF_MEM *bm = (BUF_MEM *)bp->ptr;
 
     BIO_clear_retry_flags(bp);
     j = bm->length;
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_null.c b/Cryptlib/OpenSSL/crypto/bio/bss_null.c
index e5c4adc8..6a03fa24 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_null.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_null.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/bio.h>
 
 static int null_write(BIO *h, const char *buf, int num);
 static int null_read(BIO *h, char *buf, int size);
@@ -19,7 +68,7 @@ static int null_gets(BIO *h, char *str, int size);
 static long null_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int null_new(BIO *h);
 static int null_free(BIO *data);
-static const BIO_METHOD null_method = {
+static BIO_METHOD null_method = {
     BIO_TYPE_NULL,
     "NULL",
     null_write,
@@ -32,7 +81,7 @@ static const BIO_METHOD null_method = {
     NULL,
 };
 
-const BIO_METHOD *BIO_s_null(void)
+BIO_METHOD *BIO_s_null(void)
 {
     return (&null_method);
 }
diff --git a/Cryptlib/OpenSSL/crypto/bio/bss_sock.c b/Cryptlib/OpenSSL/crypto/bio/bss_sock.c
index 570e8985..6194d2c0 100644
--- a/Cryptlib/OpenSSL/crypto/bio/bss_sock.c
+++ b/Cryptlib/OpenSSL/crypto/bio/bss_sock.c
@@ -1,28 +1,72 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bio/bss_sock.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
-#include "bio_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_SOCK
 
 # include <openssl/bio.h>
 
 # ifdef WATT32
-/* Watt-32 uses same names */
-#  undef sock_write
-#  undef sock_read
-#  undef sock_puts
-#  define sock_write SockWrite
+#  define sock_write SockWrite  /* Watt-32 uses same names */
 #  define sock_read  SockRead
 #  define sock_puts  SockPuts
 # endif
@@ -35,7 +79,7 @@ static int sock_new(BIO *h);
 static int sock_free(BIO *data);
 int BIO_sock_should_retry(int s);
 
-static const BIO_METHOD methods_sockp = {
+static BIO_METHOD methods_sockp = {
     BIO_TYPE_SOCKET,
     "socket",
     sock_write,
@@ -48,7 +92,7 @@ static const BIO_METHOD methods_sockp = {
     NULL,
 };
 
-const BIO_METHOD *BIO_s_socket(void)
+BIO_METHOD *BIO_s_socket(void)
 {
     return (&methods_sockp);
 }
@@ -79,7 +123,7 @@ static int sock_free(BIO *a)
         return (0);
     if (a->shutdown) {
         if (a->init) {
-            BIO_closesocket(a->num);
+            SHUTDOWN2(a->num);
         }
         a->init = 0;
         a->flags = 0;
@@ -171,6 +215,12 @@ int BIO_sock_should_retry(int i)
     if ((i == 0) || (i == -1)) {
         err = get_last_socket_error();
 
+# if defined(OPENSSL_SYS_WINDOWS) && 0/* more microsoft stupidity? perhaps
+                                       * not? Ben 4/1/99 */
+        if ((i == -1) && (err == 0))
+            return (1);
+# endif
+
         return (BIO_sock_non_fatal_error(err));
     }
     return (0);
@@ -179,10 +229,16 @@ int BIO_sock_should_retry(int i)
 int BIO_sock_non_fatal_error(int err)
 {
     switch (err) {
-# if defined(OPENSSL_SYS_WINDOWS)
+# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_NETWARE)
 #  if defined(WSAEWOULDBLOCK)
     case WSAEWOULDBLOCK:
 #  endif
+
+#  if 0                         /* This appears to always be an error */
+#   if defined(WSAENOTCONN)
+    case WSAENOTCONN:
+#   endif
+#  endif
 # endif
 
 # ifdef EWOULDBLOCK
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn.h b/Cryptlib/OpenSSL/crypto/bn/bn.h
new file mode 100644
index 00000000..633d1b1f
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/bn/bn.h
@@ -0,0 +1,951 @@
+/* crypto/bn/bn.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the Eric Young open source
+ * license provided above.
+ *
+ * The binary polynomial arithmetic software is originally written by
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+#ifndef HEADER_BN_H
+# define HEADER_BN_H
+
+# include <limits.h>
+# include <openssl/e_os2.h>
+# ifndef OPENSSL_NO_FP_API
+#  include <stdio.h>            /* FILE */
+# endif
+# include <openssl/ossl_typ.h>
+# include <openssl/crypto.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/*
+ * These preprocessor symbols control various aspects of the bignum headers
+ * and library code. They're not defined by any "normal" configuration, as
+ * they are intended for development and testing purposes. NB: defining all
+ * three can be useful for debugging application code as well as openssl
+ * itself. BN_DEBUG - turn on various debugging alterations to the bignum
+ * code BN_DEBUG_RAND - uses random poisoning of unused words to trip up
+ * mismanagement of bignum internals. You must also define BN_DEBUG.
+ */
+/* #define BN_DEBUG */
+/* #define BN_DEBUG_RAND */
+
+# ifndef OPENSSL_SMALL_FOOTPRINT
+#  define BN_MUL_COMBA
+#  define BN_SQR_COMBA
+#  define BN_RECURSION
+# endif
+
+/*
+ * This next option uses the C libraries (2 word)/(1 word) function. If it is
+ * not defined, I use my C version (which is slower). The reason for this
+ * flag is that when the particular C compiler library routine is used, and
+ * the library is linked with a different compiler, the library is missing.
+ * This mostly happens when the library is built with gcc and then linked
+ * using normal cc.  This would be a common occurrence because gcc normally
+ * produces code that is 2 times faster than system compilers for the big
+ * number stuff. For machines with only one compiler (or shared libraries),
+ * this should be on.  Again this in only really a problem on machines using
+ * "long long's", are 32bit, and are not using my assembler code.
+ */
+# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \
+    defined(OPENSSL_SYS_WIN32) || defined(linux)
+#  ifndef BN_DIV2W
+#   define BN_DIV2W
+#  endif
+# endif
+
+/*
+ * assuming long is 64bit - this is the DEC Alpha unsigned long long is only
+ * 64 bits :-(, don't define BN_LLONG for the DEC Alpha
+ */
+# ifdef SIXTY_FOUR_BIT_LONG
+#  define BN_ULLONG       unsigned long long
+#  define BN_ULONG        unsigned long
+#  define BN_LONG         long
+#  define BN_BITS         128
+#  define BN_BYTES        8
+#  define BN_BITS2        64
+#  define BN_BITS4        32
+#  define BN_MASK         (0xffffffffffffffffffffffffffffffffLL)
+#  define BN_MASK2        (0xffffffffffffffffL)
+#  define BN_MASK2l       (0xffffffffL)
+#  define BN_MASK2h       (0xffffffff00000000L)
+#  define BN_MASK2h1      (0xffffffff80000000L)
+#  define BN_TBIT         (0x8000000000000000L)
+#  define BN_DEC_CONV     (10000000000000000000UL)
+#  define BN_DEC_FMT1     "%lu"
+#  define BN_DEC_FMT2     "%019lu"
+#  define BN_DEC_NUM      19
+#  define BN_HEX_FMT1     "%lX"
+#  define BN_HEX_FMT2     "%016lX"
+# endif
+
+/*
+ * This is where the long long data type is 64 bits, but long is 32. For
+ * machines where there are 64bit registers, this is the mode to use. IRIX,
+ * on R4000 and above should use this mode, along with the relevant assembler
+ * code :-).  Do NOT define BN_LLONG.
+ */
+# ifdef SIXTY_FOUR_BIT
+#  undef BN_LLONG
+#  undef BN_ULLONG
+#  define BN_ULONG        unsigned long long
+#  define BN_LONG         long long
+#  define BN_BITS         128
+#  define BN_BYTES        8
+#  define BN_BITS2        64
+#  define BN_BITS4        32
+#  define BN_MASK2        (0xffffffffffffffffLL)
+#  define BN_MASK2l       (0xffffffffL)
+#  define BN_MASK2h       (0xffffffff00000000LL)
+#  define BN_MASK2h1      (0xffffffff80000000LL)
+#  define BN_TBIT         (0x8000000000000000LL)
+#  define BN_DEC_CONV     (10000000000000000000ULL)
+#  define BN_DEC_FMT1     "%llu"
+#  define BN_DEC_FMT2     "%019llu"
+#  define BN_DEC_NUM      19
+#  define BN_HEX_FMT1     "%llX"
+#  define BN_HEX_FMT2     "%016llX"
+# endif
+
+# ifdef THIRTY_TWO_BIT
+#  ifdef BN_LLONG
+#   if defined(_WIN32) && !defined(__GNUC__)
+#    define BN_ULLONG     unsigned __int64
+#    define BN_MASK       (0xffffffffffffffffI64)
+#   else
+#    define BN_ULLONG     unsigned long long
+#    define BN_MASK       (0xffffffffffffffffLL)
+#   endif
+#  endif
+#  define BN_ULONG        unsigned int
+#  define BN_LONG         int
+#  define BN_BITS         64
+#  define BN_BYTES        4
+#  define BN_BITS2        32
+#  define BN_BITS4        16
+#  define BN_MASK2        (0xffffffffL)
+#  define BN_MASK2l       (0xffff)
+#  define BN_MASK2h1      (0xffff8000L)
+#  define BN_MASK2h       (0xffff0000L)
+#  define BN_TBIT         (0x80000000L)
+#  define BN_DEC_CONV     (1000000000L)
+#  define BN_DEC_FMT1     "%u"
+#  define BN_DEC_FMT2     "%09u"
+#  define BN_DEC_NUM      9
+#  define BN_HEX_FMT1     "%X"
+#  define BN_HEX_FMT2     "%08X"
+# endif
+
+# define BN_DEFAULT_BITS 1280
+
+# define BN_FLG_MALLOCED         0x01
+# define BN_FLG_STATIC_DATA      0x02
+
+/*
+ * avoid leaking exponent information through timing,
+ * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
+ * BN_div() will call BN_div_no_branch,
+ * BN_mod_inverse() will call BN_mod_inverse_no_branch.
+ */
+# define BN_FLG_CONSTTIME        0x04
+
+# ifdef OPENSSL_NO_DEPRECATED
+/* deprecated name for the flag */
+#  define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME
+/*
+ * avoid leaking exponent information through timings
+ * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime)
+ */
+# endif
+
+# ifndef OPENSSL_NO_DEPRECATED
+#  define BN_FLG_FREE             0x8000
+                                       /* used for debuging */
+# endif
+# define BN_set_flags(b,n)       ((b)->flags|=(n))
+# define BN_get_flags(b,n)       ((b)->flags&(n))
+
+/*
+ * get a clone of a BIGNUM with changed flags, for *temporary* use only (the
+ * two BIGNUMs cannot not be used in parallel!)
+ */
+# define BN_with_flags(dest,b,n)  ((dest)->d=(b)->d, \
+                                  (dest)->top=(b)->top, \
+                                  (dest)->dmax=(b)->dmax, \
+                                  (dest)->neg=(b)->neg, \
+                                  (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
+                                                 |  ((b)->flags & ~BN_FLG_MALLOCED) \
+                                                 |  BN_FLG_STATIC_DATA \
+                                                 |  (n)))
+
+/* Already declared in ossl_typ.h */
+# if 0
+typedef struct bignum_st BIGNUM;
+/* Used for temp variables (declaration hidden in bn_lcl.h) */
+typedef struct bignum_ctx BN_CTX;
+typedef struct bn_blinding_st BN_BLINDING;
+typedef struct bn_mont_ctx_st BN_MONT_CTX;
+typedef struct bn_recp_ctx_st BN_RECP_CTX;
+typedef struct bn_gencb_st BN_GENCB;
+# endif
+
+struct bignum_st {
+    BN_ULONG *d;                /* Pointer to an array of 'BN_BITS2' bit
+                                 * chunks. */
+    int top;                    /* Index of last used d +1. */
+    /* The next are internal book keeping for bn_expand. */
+    int dmax;                   /* Size of the d array. */
+    int neg;                    /* one if the number is negative */
+    int flags;
+};
+
+/* Used for montgomery multiplication */
+struct bn_mont_ctx_st {
+    int ri;                     /* number of bits in R */
+    BIGNUM RR;                  /* used to convert to montgomery form */
+    BIGNUM N;                   /* The modulus */
+    BIGNUM Ni;                  /* R*(1/R mod N) - N*Ni = 1 (Ni is only
+                                 * stored for bignum algorithm) */
+    BN_ULONG n0[2];             /* least significant word(s) of Ni; (type
+                                 * changed with 0.9.9, was "BN_ULONG n0;"
+                                 * before) */
+    int flags;
+};
+
+/*
+ * Used for reciprocal division/mod functions It cannot be shared between
+ * threads
+ */
+struct bn_recp_ctx_st {
+    BIGNUM N;                   /* the divisor */
+    BIGNUM Nr;                  /* the reciprocal */
+    int num_bits;
+    int shift;
+    int flags;
+};
+
+/* Used for slow "generation" functions. */
+struct bn_gencb_st {
+    unsigned int ver;           /* To handle binary (in)compatibility */
+    void *arg;                  /* callback-specific data */
+    union {
+        /* if(ver==1) - handles old style callbacks */
+        void (*cb_1) (int, int, void *);
+        /* if(ver==2) - new callback style */
+        int (*cb_2) (int, int, BN_GENCB *);
+    } cb;
+};
+/* Wrapper function to make using BN_GENCB easier,  */
+int BN_GENCB_call(BN_GENCB *cb, int a, int b);
+/* Macro to populate a BN_GENCB structure with an "old"-style callback */
+# define BN_GENCB_set_old(gencb, callback, cb_arg) { \
+                BN_GENCB *tmp_gencb = (gencb); \
+                tmp_gencb->ver = 1; \
+                tmp_gencb->arg = (cb_arg); \
+                tmp_gencb->cb.cb_1 = (callback); }
+/* Macro to populate a BN_GENCB structure with a "new"-style callback */
+# define BN_GENCB_set(gencb, callback, cb_arg) { \
+                BN_GENCB *tmp_gencb = (gencb); \
+                tmp_gencb->ver = 2; \
+                tmp_gencb->arg = (cb_arg); \
+                tmp_gencb->cb.cb_2 = (callback); }
+
+# define BN_prime_checks 0      /* default: select number of iterations based
+                                 * on the size of the number */
+
+/*
+ * number of Miller-Rabin iterations for an error rate of less than 2^-80 for
+ * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of
+ * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
+ * original paper: Damgaard, Landrock, Pomerance: Average case error
+ * estimates for the strong probable prime test. -- Math. Comp. 61 (1993)
+ * 177-194)
+ */
+# define BN_prime_checks_for_size(b) ((b) >= 1300 ?  2 : \
+                                (b) >=  850 ?  3 : \
+                                (b) >=  650 ?  4 : \
+                                (b) >=  550 ?  5 : \
+                                (b) >=  450 ?  6 : \
+                                (b) >=  400 ?  7 : \
+                                (b) >=  350 ?  8 : \
+                                (b) >=  300 ?  9 : \
+                                (b) >=  250 ? 12 : \
+                                (b) >=  200 ? 15 : \
+                                (b) >=  150 ? 18 : \
+                                /* b >= 100 */ 27)
+
+# define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
+
+/* Note that BN_abs_is_word didn't work reliably for w == 0 until 0.9.8 */
+# define BN_abs_is_word(a,w) ((((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w))) || \
+                                (((w) == 0) && ((a)->top == 0)))
+# define BN_is_zero(a)       ((a)->top == 0)
+# define BN_is_one(a)        (BN_abs_is_word((a),1) && !(a)->neg)
+# define BN_is_word(a,w)     (BN_abs_is_word((a),(w)) && (!(w) || !(a)->neg))
+# define BN_is_odd(a)        (((a)->top > 0) && ((a)->d[0] & 1))
+
+# define BN_one(a)       (BN_set_word((a),1))
+# define BN_zero_ex(a) \
+        do { \
+                BIGNUM *_tmp_bn = (a); \
+                _tmp_bn->top = 0; \
+                _tmp_bn->neg = 0; \
+        } while(0)
+# ifdef OPENSSL_NO_DEPRECATED
+#  define BN_zero(a)      BN_zero_ex(a)
+# else
+#  define BN_zero(a)      (BN_set_word((a),0))
+# endif
+
+const BIGNUM *BN_value_one(void);
+char *BN_options(void);
+BN_CTX *BN_CTX_new(void);
+# ifndef OPENSSL_NO_DEPRECATED
+void BN_CTX_init(BN_CTX *c);
+# endif
+void BN_CTX_free(BN_CTX *c);
+void BN_CTX_start(BN_CTX *ctx);
+BIGNUM *BN_CTX_get(BN_CTX *ctx);
+void BN_CTX_end(BN_CTX *ctx);
+int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
+int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
+int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
+int BN_num_bits(const BIGNUM *a);
+int BN_num_bits_word(BN_ULONG);
+BIGNUM *BN_new(void);
+void BN_init(BIGNUM *);
+void BN_clear_free(BIGNUM *a);
+BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+void BN_swap(BIGNUM *a, BIGNUM *b);
+BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+int BN_bn2bin(const BIGNUM *a, unsigned char *to);
+BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret);
+int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
+int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+/** BN_set_negative sets sign of a BIGNUM
+ * \param  b  pointer to the BIGNUM object
+ * \param  n  0 if the BIGNUM b should be positive and a value != 0 otherwise
+ */
+void BN_set_negative(BIGNUM *b, int n);
+/** BN_is_negative returns 1 if the BIGNUM is negative
+ * \param  a  pointer to the BIGNUM object
+ * \return 1 if a < 0 and 0 otherwise
+ */
+# define BN_is_negative(a) ((a)->neg != 0)
+
+int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+           BN_CTX *ctx);
+# define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
+int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
+int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
+               BN_CTX *ctx);
+int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                     const BIGNUM *m);
+int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
+               BN_CTX *ctx);
+int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                     const BIGNUM *m);
+int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
+               BN_CTX *ctx);
+int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m);
+int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,
+                  BN_CTX *ctx);
+int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m);
+
+BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
+int BN_mul_word(BIGNUM *a, BN_ULONG w);
+int BN_add_word(BIGNUM *a, BN_ULONG w);
+int BN_sub_word(BIGNUM *a, BN_ULONG w);
+int BN_set_word(BIGNUM *a, BN_ULONG w);
+BN_ULONG BN_get_word(const BIGNUM *a);
+
+int BN_cmp(const BIGNUM *a, const BIGNUM *b);
+void BN_free(BIGNUM *a);
+int BN_is_bit_set(const BIGNUM *a, int n);
+int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
+int BN_lshift1(BIGNUM *r, const BIGNUM *a);
+int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
+int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+               const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                              const BIGNUM *m, BN_CTX *ctx,
+                              BN_MONT_CTX *in_mont);
+int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
+                         const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
+                     const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m,
+                     BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                      const BIGNUM *m, BN_CTX *ctx);
+
+int BN_mask_bits(BIGNUM *a, int n);
+# ifndef OPENSSL_NO_FP_API
+int BN_print_fp(FILE *fp, const BIGNUM *a);
+# endif
+# ifdef HEADER_BIO_H
+int BN_print(BIO *fp, const BIGNUM *a);
+# else
+int BN_print(void *fp, const BIGNUM *a);
+# endif
+int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx);
+int BN_rshift(BIGNUM *r, const BIGNUM *a, int n);
+int BN_rshift1(BIGNUM *r, const BIGNUM *a);
+void BN_clear(BIGNUM *a);
+BIGNUM *BN_dup(const BIGNUM *a);
+int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
+int BN_set_bit(BIGNUM *a, int n);
+int BN_clear_bit(BIGNUM *a, int n);
+char *BN_bn2hex(const BIGNUM *a);
+char *BN_bn2dec(const BIGNUM *a);
+int BN_hex2bn(BIGNUM **a, const char *str);
+int BN_dec2bn(BIGNUM **a, const char *str);
+int BN_asc2bn(BIGNUM **a, const char *str);
+int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); /* returns
+                                                                  * -2 for
+                                                                  * error */
+BIGNUM *BN_mod_inverse(BIGNUM *ret,
+                       const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+BIGNUM *BN_mod_sqrt(BIGNUM *ret,
+                    const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+
+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
+
+/* Deprecated versions */
+# ifndef OPENSSL_NO_DEPRECATED
+BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
+                          const BIGNUM *add, const BIGNUM *rem,
+                          void (*callback) (int, int, void *), void *cb_arg);
+int BN_is_prime(const BIGNUM *p, int nchecks,
+                void (*callback) (int, int, void *),
+                BN_CTX *ctx, void *cb_arg);
+int BN_is_prime_fasttest(const BIGNUM *p, int nchecks,
+                         void (*callback) (int, int, void *), BN_CTX *ctx,
+                         void *cb_arg, int do_trial_division);
+# endif                         /* !defined(OPENSSL_NO_DEPRECATED) */
+
+/* Newer versions */
+int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
+                         const BIGNUM *rem, BN_GENCB *cb);
+int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
+int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
+                            int do_trial_division, BN_GENCB *cb);
+
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
+
+int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+                            const BIGNUM *Xp, const BIGNUM *Xp1,
+                            const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx,
+                            BN_GENCB *cb);
+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, BIGNUM *Xp1,
+                              BIGNUM *Xp2, const BIGNUM *Xp, const BIGNUM *e,
+                              BN_CTX *ctx, BN_GENCB *cb);
+
+BN_MONT_CTX *BN_MONT_CTX_new(void);
+void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                          BN_MONT_CTX *mont, BN_CTX *ctx);
+# define BN_to_montgomery(r,a,mont,ctx)  BN_mod_mul_montgomery(\
+        (r),(a),&((mont)->RR),(mont),(ctx))
+int BN_from_montgomery(BIGNUM *r, const BIGNUM *a,
+                       BN_MONT_CTX *mont, BN_CTX *ctx);
+void BN_MONT_CTX_free(BN_MONT_CTX *mont);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx);
+BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+                                    const BIGNUM *mod, BN_CTX *ctx);
+
+/* BN_BLINDING flags */
+# define BN_BLINDING_NO_UPDATE   0x00000001
+# define BN_BLINDING_NO_RECREATE 0x00000002
+
+BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
+void BN_BLINDING_free(BN_BLINDING *b);
+int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
+                          BN_CTX *);
+# ifndef OPENSSL_NO_DEPRECATED
+unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
+void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+# endif
+CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
+unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+                                      const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+                                      int (*bn_mod_exp) (BIGNUM *r,
+                                                         const BIGNUM *a,
+                                                         const BIGNUM *p,
+                                                         const BIGNUM *m,
+                                                         BN_CTX *ctx,
+                                                         BN_MONT_CTX *m_ctx),
+                                      BN_MONT_CTX *m_ctx);
+
+# ifndef OPENSSL_NO_DEPRECATED
+void BN_set_params(int mul, int high, int low, int mont);
+int BN_get_params(int which);   /* 0, mul, 1 high, 2 low, 3 mont */
+# endif
+
+void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+BN_RECP_CTX *BN_RECP_CTX_new(void);
+void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx);
+int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
+                          BN_RECP_CTX *recp, BN_CTX *ctx);
+int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                    const BIGNUM *m, BN_CTX *ctx);
+int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+                BN_RECP_CTX *recp, BN_CTX *ctx);
+
+# ifndef OPENSSL_NO_EC2M
+
+/*
+ * Functions for arithmetic over binary polynomials represented by BIGNUMs.
+ * The BIGNUM::neg property of BIGNUMs representing binary polynomials is
+ * ignored. Note that input arguments are not const so that their bit arrays
+ * can be expanded to the appropriate size if needed.
+ */
+
+/*
+ * r = a + b
+ */
+int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
+#  define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b)
+/*
+ * r=a mod p
+ */
+int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p);
+/* r = (a * b) mod p */
+int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                    const BIGNUM *p, BN_CTX *ctx);
+/* r = (a * a) mod p */
+int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+/* r = (1 / b) mod p */
+int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx);
+/* r = (a / b) mod p */
+int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                    const BIGNUM *p, BN_CTX *ctx);
+/* r = (a ^ b) mod p */
+int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                    const BIGNUM *p, BN_CTX *ctx);
+/* r = sqrt(a) mod p */
+int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                     BN_CTX *ctx);
+/* r^2 + r = a mod p */
+int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                           BN_CTX *ctx);
+#  define BN_GF2m_cmp(a, b) BN_ucmp((a), (b))
+/*-
+ * Some functions allow for representation of the irreducible polynomials
+ * as an unsigned int[], say p.  The irreducible f(t) is then of the form:
+ *     t^p[0] + t^p[1] + ... + t^p[k]
+ * where m = p[0] > p[1] > ... > p[k] = 0.
+ */
+/* r = a mod p */
+int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]);
+/* r = (a * b) mod p */
+int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                        const int p[], BN_CTX *ctx);
+/* r = (a * a) mod p */
+int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
+                        BN_CTX *ctx);
+/* r = (1 / b) mod p */
+int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const int p[],
+                        BN_CTX *ctx);
+/* r = (a / b) mod p */
+int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                        const int p[], BN_CTX *ctx);
+/* r = (a ^ b) mod p */
+int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                        const int p[], BN_CTX *ctx);
+/* r = sqrt(a) mod p */
+int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a,
+                         const int p[], BN_CTX *ctx);
+/* r^2 + r = a mod p */
+int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,
+                               const int p[], BN_CTX *ctx);
+int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max);
+int BN_GF2m_arr2poly(const int p[], BIGNUM *a);
+
+# endif
+
+/*
+ * faster mod functions for the 'NIST primes' 0 <= a < p^2
+ */
+int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
+const BIGNUM *BN_get0_nist_prime_192(void);
+const BIGNUM *BN_get0_nist_prime_224(void);
+const BIGNUM *BN_get0_nist_prime_256(void);
+const BIGNUM *BN_get0_nist_prime_384(void);
+const BIGNUM *BN_get0_nist_prime_521(void);
+
+/* library internal functions */
+
+# define bn_expand(a,bits) \
+    ( \
+        bits > (INT_MAX - BN_BITS2 + 1) ? \
+            NULL \
+        : \
+            (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
+                (a) \
+            : \
+                bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
+    )
+
+# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
+BIGNUM *bn_expand2(BIGNUM *a, int words);
+# ifndef OPENSSL_NO_DEPRECATED
+BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
+# endif
+
+/*-
+ * Bignum consistency macros
+ * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
+ * bignum data after direct manipulations on the data. There is also an
+ * "internal" macro, bn_check_top(), for verifying that there are no leading
+ * zeroes. Unfortunately, some auditing is required due to the fact that
+ * bn_fix_top() has become an overabused duct-tape because bignum data is
+ * occasionally passed around in an inconsistent state. So the following
+ * changes have been made to sort this out;
+ * - bn_fix_top()s implementation has been moved to bn_correct_top()
+ * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
+ *   bn_check_top() is as before.
+ * - if BN_DEBUG *is* defined;
+ *   - bn_check_top() tries to pollute unused words even if the bignum 'top' is
+ *     consistent. (ed: only if BN_DEBUG_RAND is defined)
+ *   - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
+ * The idea is to have debug builds flag up inconsistent bignums when they
+ * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
+ * the use of bn_fix_top() was appropriate (ie. it follows directly after code
+ * that manipulates the bignum) it is converted to bn_correct_top(), and if it
+ * was not appropriate, we convert it permanently to bn_check_top() and track
+ * down the cause of the bug. Eventually, no internal code should be using the
+ * bn_fix_top() macro. External applications and libraries should try this with
+ * their own code too, both in terms of building against the openssl headers
+ * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
+ * defined. This not only improves external code, it provides more test
+ * coverage for openssl's own code.
+ */
+
+# ifdef BN_DEBUG
+
+/* We only need assert() when debugging */
+#  include <assert.h>
+
+#  ifdef BN_DEBUG_RAND
+/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
+#   ifndef RAND_pseudo_bytes
+int RAND_pseudo_bytes(unsigned char *buf, int num);
+#    define BN_DEBUG_TRIX
+#   endif
+#   define bn_pollute(a) \
+        do { \
+                const BIGNUM *_bnum1 = (a); \
+                if(_bnum1->top < _bnum1->dmax) { \
+                        unsigned char _tmp_char; \
+                        /* We cast away const without the compiler knowing, any \
+                         * *genuinely* constant variables that aren't mutable \
+                         * wouldn't be constructed with top!=dmax. */ \
+                        BN_ULONG *_not_const; \
+                        memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
+                        /* Debug only - safe to ignore error return */ \
+                        RAND_pseudo_bytes(&_tmp_char, 1); \
+                        memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
+                                (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
+                } \
+        } while(0)
+#   ifdef BN_DEBUG_TRIX
+#    undef RAND_pseudo_bytes
+#   endif
+#  else
+#   define bn_pollute(a)
+#  endif
+#  define bn_check_top(a) \
+        do { \
+                const BIGNUM *_bnum2 = (a); \
+                if (_bnum2 != NULL) { \
+                        assert((_bnum2->top == 0) || \
+                                (_bnum2->d[_bnum2->top - 1] != 0)); \
+                        bn_pollute(_bnum2); \
+                } \
+        } while(0)
+
+#  define bn_fix_top(a)           bn_check_top(a)
+
+#  define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
+#  define bn_wcheck_size(bn, words) \
+        do { \
+                const BIGNUM *_bnum2 = (bn); \
+                assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
+                /* avoid unused variable warning with NDEBUG */ \
+                (void)(_bnum2); \
+        } while(0)
+
+# else                          /* !BN_DEBUG */
+
+#  define bn_pollute(a)
+#  define bn_check_top(a)
+#  define bn_fix_top(a)           bn_correct_top(a)
+#  define bn_check_size(bn, bits)
+#  define bn_wcheck_size(bn, words)
+
+# endif
+
+# define bn_correct_top(a) \
+        { \
+        BN_ULONG *ftl; \
+        int tmp_top = (a)->top; \
+        if (tmp_top > 0) \
+                { \
+                for (ftl= &((a)->d[tmp_top-1]); tmp_top > 0; tmp_top--) \
+                        if (*(ftl--)) break; \
+                (a)->top = tmp_top; \
+                } \
+        if ((a)->top == 0) \
+            (a)->neg = 0; \
+        bn_pollute(a); \
+        }
+
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
+                          BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
+void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+                      int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+                      int num);
+
+/* Primes from RFC 2409 */
+BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
+BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn);
+
+/* Primes from RFC 3526 */
+BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn);
+BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn);
+
+int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
+
+/* BEGIN ERROR CODES */
+/*
+ * The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_BN_strings(void);
+
+/* Error codes for the BN functions. */
+
+/* Function codes. */
+# define BN_F_BNRAND                                      127
+# define BN_F_BN_BLINDING_CONVERT_EX                      100
+# define BN_F_BN_BLINDING_CREATE_PARAM                    128
+# define BN_F_BN_BLINDING_INVERT_EX                       101
+# define BN_F_BN_BLINDING_NEW                             102
+# define BN_F_BN_BLINDING_UPDATE                          103
+# define BN_F_BN_BN2DEC                                   104
+# define BN_F_BN_BN2HEX                                   105
+# define BN_F_BN_CTX_GET                                  116
+# define BN_F_BN_CTX_NEW                                  106
+# define BN_F_BN_CTX_START                                129
+# define BN_F_BN_DIV                                      107
+# define BN_F_BN_DIV_NO_BRANCH                            138
+# define BN_F_BN_DIV_RECP                                 130
+# define BN_F_BN_EXP                                      123
+# define BN_F_BN_EXPAND2                                  108
+# define BN_F_BN_EXPAND_INTERNAL                          120
+# define BN_F_BN_GF2M_MOD                                 131
+# define BN_F_BN_GF2M_MOD_EXP                             132
+# define BN_F_BN_GF2M_MOD_MUL                             133
+# define BN_F_BN_GF2M_MOD_SOLVE_QUAD                      134
+# define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR                  135
+# define BN_F_BN_GF2M_MOD_SQR                             136
+# define BN_F_BN_GF2M_MOD_SQRT                            137
+# define BN_F_BN_LSHIFT                                   145
+# define BN_F_BN_MOD_EXP2_MONT                            118
+# define BN_F_BN_MOD_EXP_MONT                             109
+# define BN_F_BN_MOD_EXP_MONT_CONSTTIME                   124
+# define BN_F_BN_MOD_EXP_MONT_WORD                        117
+# define BN_F_BN_MOD_EXP_RECP                             125
+# define BN_F_BN_MOD_EXP_SIMPLE                           126
+# define BN_F_BN_MOD_INVERSE                              110
+# define BN_F_BN_MOD_INVERSE_NO_BRANCH                    139
+# define BN_F_BN_MOD_LSHIFT_QUICK                         119
+# define BN_F_BN_MOD_MUL_RECIPROCAL                       111
+# define BN_F_BN_MOD_SQRT                                 121
+# define BN_F_BN_MPI2BN                                   112
+# define BN_F_BN_NEW                                      113
+# define BN_F_BN_RAND                                     114
+# define BN_F_BN_RAND_RANGE                               122
+# define BN_F_BN_RSHIFT                                   146
+# define BN_F_BN_USUB                                     115
+
+/* Reason codes. */
+# define BN_R_ARG2_LT_ARG3                                100
+# define BN_R_BAD_RECIPROCAL                              101
+# define BN_R_BIGNUM_TOO_LONG                             114
+# define BN_R_BITS_TOO_SMALL                              118
+# define BN_R_CALLED_WITH_EVEN_MODULUS                    102
+# define BN_R_DIV_BY_ZERO                                 103
+# define BN_R_ENCODING_ERROR                              104
+# define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA                105
+# define BN_R_INPUT_NOT_REDUCED                           110
+# define BN_R_INVALID_LENGTH                              106
+# define BN_R_INVALID_RANGE                               115
+# define BN_R_INVALID_SHIFT                               119
+# define BN_R_NOT_A_SQUARE                                111
+# define BN_R_NOT_INITIALIZED                             107
+# define BN_R_NO_INVERSE                                  108
+# define BN_R_NO_SOLUTION                                 116
+# define BN_R_P_IS_NOT_PRIME                              112
+# define BN_R_TOO_MANY_ITERATIONS                         113
+# define BN_R_TOO_MANY_TEMPORARY_VARIABLES                109
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_add.c b/Cryptlib/OpenSSL/crypto/bn/bn_add.c
index 6479650a..2f3d1104 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_add.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_add.c
@@ -1,18 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_add.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 /* r can == a or b */
 int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 {
+    const BIGNUM *tmp;
     int a_neg = a->neg, ret;
 
     bn_check_top(a);
@@ -27,8 +78,6 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
     if (a_neg ^ b->neg) {
         /* only one is negative */
         if (a_neg) {
-            const BIGNUM *tmp;
-
             tmp = a;
             a = b;
             b = tmp;
@@ -38,14 +87,14 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 
         if (BN_ucmp(a, b) < 0) {
             if (!BN_usub(r, b, a))
-                return 0;
+                return (0);
             r->neg = 1;
         } else {
             if (!BN_usub(r, a, b))
-                return 0;
+                return (0);
             r->neg = 0;
         }
-        return 1;
+        return (1);
     }
 
     ret = BN_uadd(r, a, b);
@@ -58,15 +107,13 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 {
     int max, min, dif;
-    const BN_ULONG *ap, *bp;
-    BN_ULONG *rp, carry, t1, t2;
+    BN_ULONG *ap, *bp, *rp, carry, t1, t2;
+    const BIGNUM *tmp;
 
     bn_check_top(a);
     bn_check_top(b);
 
     if (a->top < b->top) {
-        const BIGNUM *tmp;
-
         tmp = a;
         a = b;
         b = tmp;
@@ -87,17 +134,29 @@ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
     carry = bn_add_words(rp, ap, bp, min);
     rp += min;
     ap += min;
-
-    while (dif) {
-        dif--;
-        t1 = *(ap++);
-        t2 = (t1 + carry) & BN_MASK2;
-        *(rp++) = t2;
-        carry &= (t2 == 0);
+    bp += min;
+
+    if (carry) {
+        while (dif) {
+            dif--;
+            t1 = *(ap++);
+            t2 = (t1 + 1) & BN_MASK2;
+            *(rp++) = t2;
+            if (t2) {
+                carry = 0;
+                break;
+            }
+        }
+        if (carry) {
+            /* carry != 0 => dif == 0 */
+            *rp = 1;
+            r->top++;
+        }
     }
-    *rp = carry;
-    r->top += carry;
-
+    if (dif && rp != ap)
+        while (dif--)
+            /* copy remaining words if ap != rp */
+            *(rp++) = *(ap++);
     r->neg = 0;
     bn_check_top(r);
     return 1;
@@ -107,8 +166,11 @@ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 {
     int max, min, dif;
-    BN_ULONG t1, t2, borrow, *rp;
-    const BN_ULONG *ap, *bp;
+    register BN_ULONG t1, t2, *ap, *bp, *rp;
+    int i, carry;
+#if defined(IRIX_CC_BUG) && !defined(LINT)
+    int dummy;
+#endif
 
     bn_check_top(a);
     bn_check_top(b);
@@ -119,38 +181,86 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 
     if (dif < 0) {              /* hmm... should not be happening */
         BNerr(BN_F_BN_USUB, BN_R_ARG2_LT_ARG3);
-        return 0;
+        return (0);
     }
 
     if (bn_wexpand(r, max) == NULL)
-        return 0;
+        return (0);
 
     ap = a->d;
     bp = b->d;
     rp = r->d;
 
-    borrow = bn_sub_words(rp, ap, bp, min);
+#if 1
+    carry = 0;
+    for (i = min; i != 0; i--) {
+        t1 = *(ap++);
+        t2 = *(bp++);
+        if (carry) {
+            carry = (t1 <= t2);
+            t1 = (t1 - t2 - 1) & BN_MASK2;
+        } else {
+            carry = (t1 < t2);
+            t1 = (t1 - t2) & BN_MASK2;
+        }
+# if defined(IRIX_CC_BUG) && !defined(LINT)
+        dummy = t1;
+# endif
+        *(rp++) = t1 & BN_MASK2;
+    }
+#else
+    carry = bn_sub_words(rp, ap, bp, min);
     ap += min;
+    bp += min;
     rp += min;
-
-    while (dif) {
-        dif--;
-        t1 = *(ap++);
-        t2 = (t1 - borrow) & BN_MASK2;
-        *(rp++) = t2;
-        borrow &= (t1 == 0);
+#endif
+    if (carry) {                /* subtracted */
+        if (!dif)
+            /* error: a < b */
+            return 0;
+        while (dif) {
+            dif--;
+            t1 = *(ap++);
+            t2 = (t1 - 1) & BN_MASK2;
+            *(rp++) = t2;
+            if (t1)
+                break;
+        }
+    }
+#if 0
+    memcpy(rp, ap, sizeof(*rp) * (max - i));
+#else
+    if (rp != ap) {
+        for (;;) {
+            if (!dif--)
+                break;
+            rp[0] = ap[0];
+            if (!dif--)
+                break;
+            rp[1] = ap[1];
+            if (!dif--)
+                break;
+            rp[2] = ap[2];
+            if (!dif--)
+                break;
+            rp[3] = ap[3];
+            rp += 4;
+            ap += 4;
+        }
     }
+#endif
 
     r->top = max;
     r->neg = 0;
     bn_correct_top(r);
-    return 1;
+    return (1);
 }
 
 int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 {
     int max;
     int add = 0, neg = 0;
+    const BIGNUM *tmp;
 
     bn_check_top(a);
     bn_check_top(b);
@@ -163,8 +273,6 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
      */
     if (a->neg) {
         if (b->neg) {
-            const BIGNUM *tmp;
-
             tmp = a;
             a = b;
             b = tmp;
@@ -181,25 +289,25 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 
     if (add) {
         if (!BN_uadd(r, a, b))
-            return 0;
+            return (0);
         r->neg = neg;
-        return 1;
+        return (1);
     }
 
     /* We are actually doing a - b :-) */
 
     max = (a->top > b->top) ? a->top : b->top;
     if (bn_wexpand(r, max) == NULL)
-        return 0;
+        return (0);
     if (BN_ucmp(a, b) < 0) {
         if (!BN_usub(r, b, a))
-            return 0;
+            return (0);
         r->neg = 1;
     } else {
         if (!BN_usub(r, a, b))
-            return 0;
+            return (0);
         r->neg = 0;
     }
     bn_check_top(r);
-    return 1;
+    return (1);
 }
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_asm.c b/Cryptlib/OpenSSL/crypto/bn/bn_asm.c
index 39c6c213..03a33cff 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_asm.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_asm.c
@@ -1,15 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_asm.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
+#ifndef BN_DEBUG
+# undef NDEBUG                  /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <stdio.h>
 #include <assert.h>
-#include <openssl/crypto.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 #if defined(BN_LLONG) || defined(BN_UMULT_HIGH)
@@ -951,13 +1005,13 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
 
 /* hmm... is it faster just to do a multiply? */
 # undef bn_sqr_comba4
-# undef bn_sqr_comba8
 void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
 {
     BN_ULONG t[8];
     bn_sqr_normal(r, a, 4, t);
 }
 
+# undef bn_sqr_comba8
 void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
 {
     BN_ULONG t[16];
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_blind.c b/Cryptlib/OpenSSL/crypto/bn/bn_blind.c
index 24d13830..d448daa3 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_blind.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_blind.c
@@ -1,14 +1,116 @@
-/*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_blind.c */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include <openssl/opensslconf.h>
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 #define BN_BLINDING_COUNTER     32
@@ -18,13 +120,16 @@ struct bn_blinding_st {
     BIGNUM *Ai;
     BIGNUM *e;
     BIGNUM *mod;                /* just a reference */
-    CRYPTO_THREAD_ID tid;
+#ifndef OPENSSL_NO_DEPRECATED
+    unsigned long thread_id;    /* added in OpenSSL 0.9.6j and 0.9.7b; used
+                                 * only by crypto/rsa/rsa_eay.c, rsa_lib.c */
+#endif
+    CRYPTO_THREADID tid;
     int counter;
     unsigned long flags;
     BN_MONT_CTX *m_ctx;
     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-    CRYPTO_RWLOCK *lock;
 };
 
 BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
@@ -33,25 +138,15 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
 
     bn_check_top(mod);
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
+    if ((ret = (BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL) {
         BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        return (NULL);
     }
-
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(ret);
-        return NULL;
-    }
-
-    BN_BLINDING_set_current_thread(ret);
-
+    memset(ret, 0, sizeof(BN_BLINDING));
     if (A != NULL) {
         if ((ret->A = BN_dup(A)) == NULL)
             goto err;
     }
-
     if (Ai != NULL) {
         if ((ret->Ai = BN_dup(Ai)) == NULL)
             goto err;
@@ -60,7 +155,6 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
     /* save a copy of mod in the BN_BLINDING structure */
     if ((ret->mod = BN_dup(mod)) == NULL)
         goto err;
-
     if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
         BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
 
@@ -70,12 +164,12 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
      * use.
      */
     ret->counter = -1;
-
-    return ret;
-
+    CRYPTO_THREADID_current(&ret->tid);
+    return (ret);
  err:
-    BN_BLINDING_free(ret);
-    return NULL;
+    if (ret != NULL)
+        BN_BLINDING_free(ret);
+    return (NULL);
 }
 
 void BN_BLINDING_free(BN_BLINDING *r)
@@ -83,11 +177,14 @@ void BN_BLINDING_free(BN_BLINDING *r)
     if (r == NULL)
         return;
 
-    BN_free(r->A);
-    BN_free(r->Ai);
-    BN_free(r->e);
-    BN_free(r->mod);
-    CRYPTO_THREAD_lock_free(r->lock);
+    if (r->A != NULL)
+        BN_free(r->A);
+    if (r->Ai != NULL)
+        BN_free(r->Ai);
+    if (r->e != NULL)
+        BN_free(r->e);
+    if (r->mod != NULL)
+        BN_free(r->mod);
     OPENSSL_free(r);
 }
 
@@ -181,24 +278,21 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
     return (ret);
 }
 
-int BN_BLINDING_is_current_thread(BN_BLINDING *b)
-{
-    return CRYPTO_THREAD_compare_id(CRYPTO_THREAD_get_current_id(), b->tid);
-}
-
-void BN_BLINDING_set_current_thread(BN_BLINDING *b)
+#ifndef OPENSSL_NO_DEPRECATED
+unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
 {
-    b->tid = CRYPTO_THREAD_get_current_id();
+    return b->thread_id;
 }
 
-int BN_BLINDING_lock(BN_BLINDING *b)
+void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
 {
-    return CRYPTO_THREAD_write_lock(b->lock);
+    b->thread_id = n;
 }
+#endif
 
-int BN_BLINDING_unlock(BN_BLINDING *b)
+CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b)
 {
-    return CRYPTO_THREAD_unlock(b->lock);
+    return &b->tid;
 }
 
 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
@@ -238,7 +332,8 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
         goto err;
 
     if (e != NULL) {
-        BN_free(ret->e);
+        if (ret->e != NULL)
+            BN_free(ret->e);
         ret->e = BN_dup(e);
     }
     if (ret->e == NULL)
@@ -250,19 +345,20 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
         ret->m_ctx = m_ctx;
 
     do {
-        int rv;
         if (!BN_rand_range(ret->A, ret->mod))
             goto err;
-        if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) {
+        if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
             /*
              * this should almost never happen for good RSA keys
              */
-            if (rv) {
+            unsigned long error = ERR_peek_last_error();
+            if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
                 if (retry_counter-- == 0) {
                     BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
                           BN_R_TOO_MANY_ITERATIONS);
                     goto err;
                 }
+                ERR_clear_error();
             } else
                 goto err;
         } else
@@ -280,7 +376,7 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
 
     return ret;
  err:
-    if (b == NULL) {
+    if (b == NULL && ret != NULL) {
         BN_BLINDING_free(ret);
         ret = NULL;
     }
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_const.c b/Cryptlib/OpenSSL/crypto/bn/bn_const.c
index 39dd6120..12c3208c 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_const.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_const.c
@@ -1,13 +1,7 @@
-/*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
+/* crypto/bn/knownprimes.c */
+/* Insert boilerplate */
 
-#include <openssl/bn.h>
+#include "bn.h"
 
 /*-
  * "First Oakley Default Group" from RFC2409, section 6.1.
@@ -18,7 +12,7 @@
  * RFC2412 specifies a generator of of 22.
  */
 
-BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn)
+BIGNUM *get_rfc2409_prime_768(BIGNUM *bn)
 {
     static const unsigned char RFC2409_PRIME_768[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -46,7 +40,7 @@ BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn)
  * RFC2412 specifies a generator of 22.
  */
 
-BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn)
+BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn)
 {
     static const unsigned char RFC2409_PRIME_1024[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -78,7 +72,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn)
  * RFC2312 specifies a generator of 22.
  */
 
-BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn)
+BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn)
 {
     static const unsigned char RFC3526_PRIME_1536[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -117,7 +111,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn)
  * RFC3526 specifies a generator of 2.
  */
 
-BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn)
+BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn)
 {
     static const unsigned char RFC3526_PRIME_2048[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -164,7 +158,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn)
  * RFC3526 specifies a generator of 2.
  */
 
-BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn)
+BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn)
 {
     static const unsigned char RFC3526_PRIME_3072[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -227,7 +221,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn)
  * RFC3526 specifies a generator of 2.
  */
 
-BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn)
+BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn)
 {
     static const unsigned char RFC3526_PRIME_4096[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -306,7 +300,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn)
  * RFC3526 specifies a generator of 2.
  */
 
-BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn)
+BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn)
 {
     static const unsigned char RFC3526_PRIME_6144[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -417,7 +411,7 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn)
  * RFC3526 specifies a generator of 2.
  */
 
-BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn)
+BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn)
 {
     static const unsigned char RFC3526_PRIME_8192[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c b/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c
index 68c04687..526c6a04 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_ctx.c
@@ -1,13 +1,69 @@
-/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_ctx.c */
+/* Written by Ulf Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#if !defined(BN_CTX_DEBUG) && !defined(BN_DEBUG)
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 /*-
@@ -48,7 +104,10 @@ typedef struct bignum_pool {
 } BN_POOL;
 static void BN_POOL_init(BN_POOL *);
 static void BN_POOL_finish(BN_POOL *);
-static BIGNUM *BN_POOL_get(BN_POOL *, int);
+#ifndef OPENSSL_NO_DEPRECATED
+static void BN_POOL_reset(BN_POOL *);
+#endif
+static BIGNUM *BN_POOL_get(BN_POOL *);
 static void BN_POOL_release(BN_POOL *, unsigned int);
 
 /************/
@@ -64,6 +123,9 @@ typedef struct bignum_ctx_stack {
 } BN_STACK;
 static void BN_STACK_init(BN_STACK *);
 static void BN_STACK_finish(BN_STACK *);
+#ifndef OPENSSL_NO_DEPRECATED
+static void BN_STACK_reset(BN_STACK *);
+#endif
 static int BN_STACK_push(BN_STACK *, unsigned int);
 static unsigned int BN_STACK_pop(BN_STACK *);
 
@@ -83,8 +145,6 @@ struct bignum_ctx {
     int err_stack;
     /* Block "gets" until an "end" (compatibility behaviour) */
     int too_many;
-    /* Flags. */
-    int flags;
 };
 
 /* Enable this to find BN_CTX bugs */
@@ -130,27 +190,40 @@ static void ctxdbg(BN_CTX *ctx)
 # define CTXDBG_RET(ctx,ret)
 #endif
 
+/*
+ * This function is an evil legacy and should not be used. This
+ * implementation is WYSIWYG, though I've done my best.
+ */
+#ifndef OPENSSL_NO_DEPRECATED
+void BN_CTX_init(BN_CTX *ctx)
+{
+    /*
+     * Assume the caller obtained the context via BN_CTX_new() and so is
+     * trying to reset it for use. Nothing else makes sense, least of all
+     * binary compatibility from a time when they could declare a static
+     * variable.
+     */
+    BN_POOL_reset(&ctx->pool);
+    BN_STACK_reset(&ctx->stack);
+    ctx->used = 0;
+    ctx->err_stack = 0;
+    ctx->too_many = 0;
+}
+#endif
 
 BN_CTX *BN_CTX_new(void)
 {
-    BN_CTX *ret;
-
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
+    BN_CTX *ret = OPENSSL_malloc(sizeof(BN_CTX));
+    if (!ret) {
         BNerr(BN_F_BN_CTX_NEW, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     /* Initialise the structure */
     BN_POOL_init(&ret->pool);
     BN_STACK_init(&ret->stack);
-    return ret;
-}
-
-BN_CTX *BN_CTX_secure_new(void)
-{
-    BN_CTX *ret = BN_CTX_new();
-
-    if (ret != NULL)
-        ret->flags = BN_FLG_SECURE;
+    ret->used = 0;
+    ret->err_stack = 0;
+    ret->too_many = 0;
     return ret;
 }
 
@@ -212,11 +285,10 @@ void BN_CTX_end(BN_CTX *ctx)
 BIGNUM *BN_CTX_get(BN_CTX *ctx)
 {
     BIGNUM *ret;
-
     CTXDBG_ENTRY("BN_CTX_get", ctx);
     if (ctx->err_stack || ctx->too_many)
         return NULL;
-    if ((ret = BN_POOL_get(&ctx->pool, ctx->flags)) == NULL) {
+    if ((ret = BN_POOL_get(&ctx->pool)) == NULL) {
         /*
          * Setting too_many prevents repeated "get" attempts from cluttering
          * the error stack.
@@ -244,23 +316,32 @@ static void BN_STACK_init(BN_STACK *st)
 
 static void BN_STACK_finish(BN_STACK *st)
 {
-    OPENSSL_free(st->indexes);
-    st->indexes = NULL;
+    if (st->size)
+        OPENSSL_free(st->indexes);
 }
 
+#ifndef OPENSSL_NO_DEPRECATED
+static void BN_STACK_reset(BN_STACK *st)
+{
+    st->depth = 0;
+}
+#endif
 
 static int BN_STACK_push(BN_STACK *st, unsigned int idx)
 {
-    if (st->depth == st->size) {
+    if (st->depth == st->size)
         /* Need to expand */
-        unsigned int newsize =
-            st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES;
-        unsigned int *newitems = OPENSSL_malloc(sizeof(*newitems) * newsize);
-        if (newitems == NULL)
+    {
+        unsigned int newsize = (st->size ?
+                                (st->size * 3 / 2) : BN_CTX_START_FRAMES);
+        unsigned int *newitems = OPENSSL_malloc(newsize *
+                                                sizeof(unsigned int));
+        if (!newitems)
             return 0;
         if (st->depth)
-            memcpy(newitems, st->indexes, sizeof(*newitems) * st->depth);
-        OPENSSL_free(st->indexes);
+            memcpy(newitems, st->indexes, st->depth * sizeof(unsigned int));
+        if (st->size)
+            OPENSSL_free(st->indexes);
         st->indexes = newitems;
         st->size = newsize;
     }
@@ -285,39 +366,55 @@ static void BN_POOL_init(BN_POOL *p)
 
 static void BN_POOL_finish(BN_POOL *p)
 {
-    unsigned int loop;
-    BIGNUM *bn;
-
     while (p->head) {
-        for (loop = 0, bn = p->head->vals; loop++ < BN_CTX_POOL_SIZE; bn++)
+        unsigned int loop = 0;
+        BIGNUM *bn = p->head->vals;
+        while (loop++ < BN_CTX_POOL_SIZE) {
             if (bn->d)
                 BN_clear_free(bn);
+            bn++;
+        }
         p->current = p->head->next;
         OPENSSL_free(p->head);
         p->head = p->current;
     }
 }
 
-
-static BIGNUM *BN_POOL_get(BN_POOL *p, int flag)
+#ifndef OPENSSL_NO_DEPRECATED
+static void BN_POOL_reset(BN_POOL *p)
 {
-    BIGNUM *bn;
-    unsigned int loop;
+    BN_POOL_ITEM *item = p->head;
+    while (item) {
+        unsigned int loop = 0;
+        BIGNUM *bn = item->vals;
+        while (loop++ < BN_CTX_POOL_SIZE) {
+            if (bn->d)
+                BN_clear(bn);
+            bn++;
+        }
+        item = item->next;
+    }
+    p->current = p->head;
+    p->used = 0;
+}
+#endif
 
-    /* Full; allocate a new pool item and link it in. */
+static BIGNUM *BN_POOL_get(BN_POOL *p)
+{
     if (p->used == p->size) {
-        BN_POOL_ITEM *item = OPENSSL_malloc(sizeof(*item));
-        if (item == NULL)
+        BIGNUM *bn;
+        unsigned int loop = 0;
+        BN_POOL_ITEM *item = OPENSSL_malloc(sizeof(BN_POOL_ITEM));
+        if (!item)
             return NULL;
-        for (loop = 0, bn = item->vals; loop++ < BN_CTX_POOL_SIZE; bn++) {
-            bn_init(bn);
-            if ((flag & BN_FLG_SECURE) != 0)
-                BN_set_flags(bn, BN_FLG_SECURE);
-        }
+        /* Initialise the structure */
+        bn = item->vals;
+        while (loop++ < BN_CTX_POOL_SIZE)
+            BN_init(bn++);
         item->prev = p->tail;
         item->next = NULL;
-
-        if (p->head == NULL)
+        /* Link it in */
+        if (!p->head)
             p->head = p->current = p->tail = item;
         else {
             p->tail->next = item;
@@ -329,7 +426,6 @@ static BIGNUM *BN_POOL_get(BN_POOL *p, int flag)
         /* Return the first bignum from the new pool */
         return item->vals;
     }
-
     if (!p->used)
         p->current = p->head;
     else if ((p->used % BN_CTX_POOL_SIZE) == 0)
@@ -340,11 +436,10 @@ static BIGNUM *BN_POOL_get(BN_POOL *p, int flag)
 static void BN_POOL_release(BN_POOL *p, unsigned int num)
 {
     unsigned int offset = (p->used - 1) % BN_CTX_POOL_SIZE;
-
     p->used -= num;
     while (num--) {
         bn_check_top(p->current->vals + offset);
-        if (offset == 0) {
+        if (!offset) {
             offset = BN_CTX_POOL_SIZE - 1;
             p->current = p->current->prev;
         } else
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_depr.c b/Cryptlib/OpenSSL/crypto/bn/bn_depr.c
index 7d89214b..34895f59 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_depr.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_depr.c
@@ -1,10 +1,56 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -12,22 +58,22 @@
  * slurp this code if applications are using them directly.
  */
 
-#include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include "bn_lcl.h"
+#include <openssl/rand.h>
 
-# include <stdio.h>
-# include <time.h>
-# include "internal/cryptlib.h"
-# include "bn_lcl.h"
+static void *dummy = &dummy;
 
+#ifndef OPENSSL_NO_DEPRECATED
 BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
                           const BIGNUM *add, const BIGNUM *rem,
                           void (*callback) (int, int, void *), void *cb_arg)
 {
     BN_GENCB cb;
     BIGNUM *rnd = NULL;
+    int found = 0;
 
     BN_GENCB_set_old(&cb, callback, cb_arg);
 
@@ -40,10 +86,11 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
         goto err;
 
     /* we have a prime :-) */
-    return ret;
+    found = 1;
  err:
-    BN_free(rnd);
-    return NULL;
+    if (!found && (ret == NULL) && (rnd != NULL))
+        BN_free(rnd);
+    return (found ? rnd : NULL);
 }
 
 int BN_is_prime(const BIGNUM *a, int checks,
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_dh.c b/Cryptlib/OpenSSL/crypto/bn/bn_dh.c
deleted file mode 100644
index 17d05597..00000000
--- a/Cryptlib/OpenSSL/crypto/bn/bn_dh.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "bn_lcl.h"
-#include "e_os.h"
-
-#ifndef OPENSSL_NO_DH
-#include <openssl/dh.h>
-#include "internal/bn_dh.h"
-/* DH parameters from RFC5114 */
-
-# if BN_BITS2 == 64
-static const BN_ULONG dh1024_160_p[] = {
-    0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL,
-    0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL,
-    0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL,
-    0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL,
-    0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL,
-    0xB10B8F96A080E01DULL
-};
-
-static const BN_ULONG dh1024_160_g[] = {
-    0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL,
-    0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL,
-    0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL,
-    0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL,
-    0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL,
-    0xA4D1CBD5C3FD3412ULL
-};
-
-static const BN_ULONG dh1024_160_q[] = {
-    0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL
-};
-
-static const BN_ULONG dh2048_224_p[] = {
-    0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL,
-    0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL,
-    0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL,
-    0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL,
-    0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL,
-    0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL,
-    0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL,
-    0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL,
-    0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL,
-    0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL,
-    0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL
-};
-
-static const BN_ULONG dh2048_224_g[] = {
-    0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL,
-    0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL,
-    0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL,
-    0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL,
-    0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL,
-    0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL,
-    0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL,
-    0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL,
-    0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL,
-    0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL,
-    0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL
-};
-
-static const BN_ULONG dh2048_224_q[] = {
-    0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL,
-    0x00000000801C0D34ULL
-};
-
-static const BN_ULONG dh2048_256_p[] = {
-    0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL,
-    0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL,
-    0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL,
-    0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL,
-    0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL,
-    0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL,
-    0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL,
-    0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL,
-    0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL,
-    0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL,
-    0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL
-};
-
-static const BN_ULONG dh2048_256_g[] = {
-    0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL,
-    0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL,
-    0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL,
-    0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL,
-    0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL,
-    0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL,
-    0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL,
-    0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL,
-    0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL,
-    0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL,
-    0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL
-};
-
-static const BN_ULONG dh2048_256_q[] = {
-    0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL,
-    0x8CF83642A709A097ULL
-};
-
-# elif BN_BITS2 == 32
-
-static const BN_ULONG dh1024_160_p[] = {
-    0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF,
-    0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA,
-    0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C,
-    0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286,
-    0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E,
-    0xA080E01D, 0xB10B8F96
-};
-
-static const BN_ULONG dh1024_160_g[] = {
-    0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59,
-    0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08,
-    0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F,
-    0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E,
-    0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442,
-    0xC3FD3412, 0xA4D1CBD5
-};
-
-static const BN_ULONG dh1024_160_q[] = {
-    0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87
-};
-
-static const BN_ULONG dh2048_224_p[] = {
-    0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2,
-    0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E,
-    0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1,
-    0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A,
-    0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714,
-    0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0,
-    0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0,
-    0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152,
-    0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40,
-    0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5,
-    0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E
-};
-
-static const BN_ULONG dh2048_224_g[] = {
-    0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1,
-    0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE,
-    0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F,
-    0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137,
-    0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3,
-    0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2,
-    0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0,
-    0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001,
-    0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01,
-    0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B,
-    0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF
-};
-
-static const BN_ULONG dh2048_224_q[] = {
-    0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE,
-    0x801C0D34
-};
-
-static const BN_ULONG dh2048_256_p[] = {
-    0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227,
-    0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A,
-    0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79,
-    0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5,
-    0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267,
-    0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF,
-    0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF,
-    0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64,
-    0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45,
-    0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608,
-    0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D
-};
-
-static const BN_ULONG dh2048_256_g[] = {
-    0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148,
-    0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428,
-    0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15,
-    0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73,
-    0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1,
-    0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982,
-    0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5,
-    0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8,
-    0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A,
-    0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F,
-    0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B
-};
-
-static const BN_ULONG dh2048_256_q[] = {
-    0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976,
-    0xA709A097, 0x8CF83642
-};
-
-# else
-#  error "unsupported BN_BITS2"
-# endif
-
-/* Macro to make a BIGNUM from static data */
-
-# define make_dh_bn(x) extern const BIGNUM _bignum_##x; \
-                       const BIGNUM _bignum_##x = { (BN_ULONG *) x, \
-                        OSSL_NELEM(x),\
-                        OSSL_NELEM(x),\
-                        0, BN_FLG_STATIC_DATA };
-
-
-make_dh_bn(dh1024_160_p)
-make_dh_bn(dh1024_160_g)
-make_dh_bn(dh1024_160_q)
-make_dh_bn(dh2048_224_p)
-make_dh_bn(dh2048_224_g)
-make_dh_bn(dh2048_224_q)
-make_dh_bn(dh2048_256_p)
-make_dh_bn(dh2048_256_g)
-make_dh_bn(dh2048_256_q)
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_div.c b/Cryptlib/OpenSSL/crypto/bn/bn_div.c
index 5e620b20..bc37671c 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_div.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_div.c
@@ -1,14 +1,64 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_div.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
+#include <stdio.h>
 #include <openssl/bn.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 /* The old slow way */
@@ -130,7 +180,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 # endif                         /* OPENSSL_NO_ASM */
 
 /*-
- * BN_div computes  dv := num / divisor, rounding towards
+ * BN_div computes  dv := num / divisor,  rounding towards
  * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
  * Thus:
  *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
@@ -254,9 +304,9 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
     wnump = &(snum->d[num_n - 1]);
 
     /* Setup to 'res' */
+    res->neg = (num->neg ^ divisor->neg);
     if (!bn_wexpand(res, (loop + 1)))
         goto err;
-    res->neg = (num->neg ^ divisor->neg);
     res->top = loop - no_branch;
     resp = &(res->d[loop - 1]);
 
@@ -278,9 +328,6 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
             res->top--;
     }
 
-    /* Increase the resp pointer so that we never create an invalid pointer. */
-    resp++;
-
     /*
      * if res->top == 0 then clear the neg value otherwise decrease the resp
      * pointer
@@ -290,7 +337,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
     else
         resp--;
 
-    for (i = 0; i < loop - 1; i++, wnump--) {
+    for (i = 0; i < loop - 1; i++, wnump--, resp--) {
         BN_ULONG q, l0;
         /*
          * the first part of the loop uses the top two words of snum and sdiv
@@ -315,6 +362,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
             q = (BN_ULONG)(((((BN_ULLONG) n0) << BN_BITS2) | n1) / d0);
 #   else
             q = bn_div_words(n0, n1, d0);
+#    ifdef BN_DEBUG_LEVITTE
+            fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
+X) -> 0x%08X\n", n0, n1, d0, q);
+#    endif
 #   endif
 
 #   ifndef REMAINDER_IS_ALREADY_CALCULATED
@@ -339,6 +390,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
             BN_ULONG t2l, t2h;
 
             q = bn_div_words(n0, n1, d0);
+#   ifdef BN_DEBUG_LEVITTE
+            fprintf(stderr, "DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
+X) -> 0x%08X\n", n0, n1, d0, q);
+#   endif
 #   ifndef REMAINDER_IS_ALREADY_CALCULATED
             rem = (n1 - q * d0) & BN_MASK2;
 #   endif
@@ -396,7 +451,6 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                 (*wnump)++;
         }
         /* store part of the result */
-        resp--;
         *resp = q;
     }
     bn_correct_top(snum);
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_err.c b/Cryptlib/OpenSSL/crypto/bn/bn_err.c
index 5fe9db9e..e7a70382 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_err.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,7 +70,7 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason)
 
 static ERR_STRING_DATA BN_str_functs[] = {
-    {ERR_FUNC(BN_F_BNRAND), "bnrand"},
+    {ERR_FUNC(BN_F_BNRAND), "BNRAND"},
     {ERR_FUNC(BN_F_BN_BLINDING_CONVERT_EX), "BN_BLINDING_convert_ex"},
     {ERR_FUNC(BN_F_BN_BLINDING_CREATE_PARAM), "BN_BLINDING_create_param"},
     {ERR_FUNC(BN_F_BN_BLINDING_INVERT_EX), "BN_BLINDING_invert_ex"},
@@ -27,17 +78,15 @@ static ERR_STRING_DATA BN_str_functs[] = {
     {ERR_FUNC(BN_F_BN_BLINDING_UPDATE), "BN_BLINDING_update"},
     {ERR_FUNC(BN_F_BN_BN2DEC), "BN_bn2dec"},
     {ERR_FUNC(BN_F_BN_BN2HEX), "BN_bn2hex"},
-    {ERR_FUNC(BN_F_BN_COMPUTE_WNAF), "bn_compute_wNAF"},
     {ERR_FUNC(BN_F_BN_CTX_GET), "BN_CTX_get"},
     {ERR_FUNC(BN_F_BN_CTX_NEW), "BN_CTX_new"},
     {ERR_FUNC(BN_F_BN_CTX_START), "BN_CTX_start"},
     {ERR_FUNC(BN_F_BN_DIV), "BN_div"},
+    {ERR_FUNC(BN_F_BN_DIV_NO_BRANCH), "BN_div_no_branch"},
     {ERR_FUNC(BN_F_BN_DIV_RECP), "BN_div_recp"},
     {ERR_FUNC(BN_F_BN_EXP), "BN_exp"},
-    {ERR_FUNC(BN_F_BN_EXPAND_INTERNAL), "bn_expand_internal"},
-    {ERR_FUNC(BN_F_BN_GENCB_NEW), "BN_GENCB_new"},
-    {ERR_FUNC(BN_F_BN_GENERATE_DSA_NONCE), "BN_generate_dsa_nonce"},
-    {ERR_FUNC(BN_F_BN_GENERATE_PRIME_EX), "BN_generate_prime_ex"},
+    {ERR_FUNC(BN_F_BN_EXPAND2), "bn_expand2"},
+    {ERR_FUNC(BN_F_BN_EXPAND_INTERNAL), "BN_EXPAND_INTERNAL"},
     {ERR_FUNC(BN_F_BN_GF2M_MOD), "BN_GF2m_mod"},
     {ERR_FUNC(BN_F_BN_GF2M_MOD_EXP), "BN_GF2m_mod_exp"},
     {ERR_FUNC(BN_F_BN_GF2M_MOD_MUL), "BN_GF2m_mod_mul"},
@@ -55,13 +104,13 @@ static ERR_STRING_DATA BN_str_functs[] = {
     {ERR_FUNC(BN_F_BN_MOD_INVERSE), "BN_mod_inverse"},
     {ERR_FUNC(BN_F_BN_MOD_INVERSE_NO_BRANCH), "BN_mod_inverse_no_branch"},
     {ERR_FUNC(BN_F_BN_MOD_LSHIFT_QUICK), "BN_mod_lshift_quick"},
+    {ERR_FUNC(BN_F_BN_MOD_MUL_RECIPROCAL), "BN_mod_mul_reciprocal"},
     {ERR_FUNC(BN_F_BN_MOD_SQRT), "BN_mod_sqrt"},
     {ERR_FUNC(BN_F_BN_MPI2BN), "BN_mpi2bn"},
     {ERR_FUNC(BN_F_BN_NEW), "BN_new"},
     {ERR_FUNC(BN_F_BN_RAND), "BN_rand"},
     {ERR_FUNC(BN_F_BN_RAND_RANGE), "BN_rand_range"},
     {ERR_FUNC(BN_F_BN_RSHIFT), "BN_rshift"},
-    {ERR_FUNC(BN_F_BN_SET_WORDS), "bn_set_words"},
     {ERR_FUNC(BN_F_BN_USUB), "BN_usub"},
     {0, NULL}
 };
@@ -84,7 +133,6 @@ static ERR_STRING_DATA BN_str_reasons[] = {
     {ERR_REASON(BN_R_NOT_INITIALIZED), "not initialized"},
     {ERR_REASON(BN_R_NO_INVERSE), "no inverse"},
     {ERR_REASON(BN_R_NO_SOLUTION), "no solution"},
-    {ERR_REASON(BN_R_PRIVATE_KEY_TOO_LARGE), "private key too large"},
     {ERR_REASON(BN_R_P_IS_NOT_PRIME), "p is not prime"},
     {ERR_REASON(BN_R_TOO_MANY_ITERATIONS), "too many iterations"},
     {ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),
@@ -94,7 +142,7 @@ static ERR_STRING_DATA BN_str_reasons[] = {
 
 #endif
 
-int ERR_load_BN_strings(void)
+void ERR_load_BN_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -103,5 +151,4 @@ int ERR_load_BN_strings(void)
         ERR_load_strings(0, BN_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c
index feeb7649..195a7867 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_exp.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_exp.c
@@ -1,14 +1,116 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_exp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
-#include "internal/constant_time_locl.h"
+#include "cryptlib.h"
+#include "constant_time_locl.h"
 #include "bn_lcl.h"
 
 #include <stdlib.h>
@@ -46,7 +148,7 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
         /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
         BNerr(BN_F_BN_EXP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return 0;
+        return -1;
     }
 
     BN_CTX_start(ctx);
@@ -98,7 +200,7 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
     bn_check_top(m);
 
     /*-
-     * For even modulus  m = 2^k*m_odd, it might make sense to compute
+     * For even modulus  m = 2^k*m_odd,  it might make sense to compute
      * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery
      * exponentiation for the odd part), using appropriate exponent
      * reductions, and combine the results using the CRT.
@@ -178,7 +280,7 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
         /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
         BNerr(BN_F_BN_MOD_EXP_RECP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return 0;
+        return -1;
     }
 
     bits = BN_num_bits(p);
@@ -469,7 +571,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
         goto err;
     ret = 1;
  err:
-    if (in_mont == NULL)
+    if ((in_mont == NULL) && (mont != NULL))
         BN_MONT_CTX_free(mont);
     BN_CTX_end(ctx);
     bn_check_top(rr);
@@ -528,14 +630,6 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
 {
     int i, j;
     int width = 1 << window;
-    /*
-     * We declare table 'volatile' in order to discourage compiler
-     * from reordering loads from the table. Concern is that if
-     * reordered in specific manner loads might give away the
-     * information we are trying to conceal. Some would argue that
-     * compiler can reorder them anyway, but it can as well be
-     * argued that doing so would be violation of standard...
-     */
     volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
 
     if (bn_wexpand(b, top) == NULL)
@@ -716,7 +810,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     else
 #endif
         if ((powerbufFree =
-             OPENSSL_malloc(powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH))
+             (unsigned char *)OPENSSL_malloc(powerbufLen +
+                                             MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH))
             == NULL)
         goto err;
 
@@ -1085,11 +1180,12 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
         goto err;
     ret = 1;
  err:
-    if (in_mont == NULL)
+    if ((in_mont == NULL) && (mont != NULL))
         BN_MONT_CTX_free(mont);
     if (powerbuf != NULL) {
         OPENSSL_cleanse(powerbuf, powerbufLen);
-        OPENSSL_free(powerbufFree);
+        if (powerbufFree)
+            OPENSSL_free(powerbufFree);
     }
     BN_CTX_end(ctx);
     return (ret);
@@ -1124,7 +1220,7 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
     if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
         /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
         BNerr(BN_F_BN_MOD_EXP_MONT_WORD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return 0;
+        return -1;
     }
 
     bn_check_top(p);
@@ -1235,7 +1331,7 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
     }
     ret = 1;
  err:
-    if (in_mont == NULL)
+    if ((in_mont == NULL) && (mont != NULL))
         BN_MONT_CTX_free(mont);
     BN_CTX_end(ctx);
     bn_check_top(rr);
@@ -1255,7 +1351,7 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
         /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
         BNerr(BN_F_BN_MOD_EXP_SIMPLE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return 0;
+        return -1;
     }
 
     bits = BN_num_bits(p);
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c b/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c
index 5141c21f..43fd2044 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_exp2.c
@@ -1,14 +1,116 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_exp2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 #define TABLE_SIZE      32
@@ -193,7 +295,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
         goto err;
     ret = 1;
  err:
-    if (in_mont == NULL)
+    if ((in_mont == NULL) && (mont != NULL))
         BN_MONT_CTX_free(mont);
     BN_CTX_end(ctx);
     bn_check_top(rr);
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c
index e1aac131..ce59fe70 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_gcd.c
@@ -1,13 +1,115 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_gcd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 static BIGNUM *euclid(BIGNUM *a, BIGNUM *b);
@@ -124,25 +226,10 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 BIGNUM *BN_mod_inverse(BIGNUM *in,
                        const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
 {
-    BIGNUM *rv;
-    int noinv;
-    rv = int_bn_mod_inverse(in, a, n, ctx, &noinv);
-    if (noinv)
-        BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
-    return rv;
-}
-
-BIGNUM *int_bn_mod_inverse(BIGNUM *in,
-                           const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
-                           int *pnoinv)
-{
     BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
     BIGNUM *ret = NULL;
     int sign;
 
-    if (pnoinv)
-        *pnoinv = 0;
-
     if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)
         || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
         return BN_mod_inverse_no_branch(in, a, n, ctx);
@@ -189,11 +276,11 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
      *      sign*Y*a  ==  A   (mod |n|).
      */
 
-    if (BN_is_odd(n) && (BN_num_bits(n) <= 2048)) {
+    if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) {
         /*
          * Binary inversion algorithm; requires odd modulus. This is faster
          * than the general algorithm if the modulus is sufficiently small
-         * (about 400 .. 500 bits on 32-bit systems, but much more on 64-bit
+         * (about 400 .. 500 bits on 32-bit sytems, but much more on 64-bit
          * systems)
          */
         int shift;
@@ -370,7 +457,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
              * i.e.
              *        sign*(Y + D*X)*a  ==  B  (mod |n|).
              *
-             * So if we set  (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
+             * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
              *      -sign*X*a  ==  B   (mod |n|),
              *       sign*Y*a  ==  A   (mod |n|).
              * Note that  X  and  Y  stay non-negative all the time.
@@ -435,8 +522,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
                 goto err;
         }
     } else {
-        if (pnoinv)
-            *pnoinv = 1;
+        BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
         goto err;
     }
     ret = R;
@@ -457,6 +543,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
                                         BN_CTX *ctx)
 {
     BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
+    BIGNUM local_A, local_B;
+    BIGNUM *pA, *pB;
     BIGNUM *ret = NULL;
     int sign;
 
@@ -494,14 +582,11 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
          * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
          * BN_div_no_branch will be called eventually.
          */
-         {
-            BIGNUM local_B;
-            bn_init(&local_B);
-            BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
-            if (!BN_nnmod(B, &local_B, A, ctx))
-                goto err;
-            /* Ensure local_B goes out of scope before any further use of B */
-        }
+        pB = &local_B;
+        local_B.flags = 0;
+        BN_with_flags(pB, B, BN_FLG_CONSTTIME);
+        if (!BN_nnmod(B, pB, A, ctx))
+            goto err;
     }
     sign = -1;
     /*-
@@ -525,16 +610,13 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
          * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
          * BN_div_no_branch will be called eventually.
          */
-        {
-            BIGNUM local_A;
-            bn_init(&local_A);
-            BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
+        pA = &local_A;
+        local_A.flags = 0;
+        BN_with_flags(pA, A, BN_FLG_CONSTTIME);
 
-            /* (D, M) := (A/B, A%B) ... */
-            if (!BN_div(D, M, &local_A, B, ctx))
-                goto err;
-            /* Ensure local_A goes out of scope before any further use of A */
-        }
+        /* (D, M) := (A/B, A%B) ... */
+        if (!BN_div(D, M, pA, B, ctx))
+            goto err;
 
         /*-
          * Now
@@ -565,7 +647,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
          * i.e.
          *        sign*(Y + D*X)*a  ==  B  (mod |n|).
          *
-         * So if we set  (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
+         * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
          *      -sign*X*a  ==  B   (mod |n|),
          *       sign*Y*a  ==  A   (mod |n|).
          * Note that  X  and  Y  stay non-negative all the time.
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c
index b1987f55..2c61da11 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_gf2m.c
@@ -1,12 +1,4 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
+/* crypto/bn/bn_gf2m.c */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -16,12 +8,91 @@
  *
  * The ECC Code is licensed pursuant to the OpenSSL open source
  * license provided below.
+ *
+ * In addition, Sun covenants to all licensees who provide a reciprocal
+ * covenant with respect to their own patents if any, not to sue under
+ * current and future patent claims necessarily infringed by the making,
+ * using, practicing, selling, offering for sale and/or otherwise
+ * disposing of the ECC Code as delivered hereunder (or portions thereof),
+ * provided that such covenant shall not apply:
+ *  1) for code that a licensee deletes from the ECC Code;
+ *  2) separates from the ECC Code; or
+ *  3) for infringements caused by:
+ *       i) the modification of the ECC Code or
+ *      ii) the combination of the ECC Code with other software or
+ *          devices where such combination causes the infringement.
+ *
+ * The software is originally written by Sheueling Chang Shantz and
+ * Douglas Stebila of Sun Microsystems Laboratories.
+ *
+ */
+
+/*
+ * NOTE: This file is licensed pursuant to the OpenSSL license below and may
+ * be modified; but after modifications, the above covenant may no longer
+ * apply! In such cases, the corresponding paragraph ["In addition, Sun
+ * covenants ... causes the infringement."] and this note can be edited out;
+ * but please keep the Sun copyright notice and attribution.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
  */
 
 #include <assert.h>
 #include <limits.h>
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 #ifndef OPENSSL_NO_EC2M
@@ -401,8 +472,8 @@ int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
     int arr[6];
     bn_check_top(a);
     bn_check_top(p);
-    ret = BN_GF2m_poly2arr(p, arr, OSSL_NELEM(arr));
-    if (!ret || ret > (int)OSSL_NELEM(arr)) {
+    ret = BN_GF2m_poly2arr(p, arr, sizeof(arr) / sizeof(arr[0]));
+    if (!ret || ret > (int)(sizeof(arr) / sizeof(arr[0]))) {
         BNerr(BN_F_BN_GF2M_MOD, BN_R_INVALID_LENGTH);
         return 0;
     }
@@ -479,7 +550,7 @@ int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
     bn_check_top(a);
     bn_check_top(b);
     bn_check_top(p);
-    if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
+    if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
         goto err;
     ret = BN_GF2m_poly2arr(p, arr, max);
     if (!ret || ret > max) {
@@ -489,7 +560,8 @@ int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
     ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
     bn_check_top(r);
  err:
-    OPENSSL_free(arr);
+    if (arr)
+        OPENSSL_free(arr);
     return ret;
 }
 
@@ -537,7 +609,7 @@ int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
     bn_check_top(a);
     bn_check_top(p);
-    if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
+    if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
         goto err;
     ret = BN_GF2m_poly2arr(p, arr, max);
     if (!ret || ret > max) {
@@ -547,7 +619,8 @@ int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
     bn_check_top(r);
  err:
-    OPENSSL_free(arr);
+    if (arr)
+        OPENSSL_free(arr);
     return ret;
 }
 
@@ -961,7 +1034,7 @@ int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
     bn_check_top(a);
     bn_check_top(b);
     bn_check_top(p);
-    if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
+    if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
         goto err;
     ret = BN_GF2m_poly2arr(p, arr, max);
     if (!ret || ret > max) {
@@ -971,7 +1044,8 @@ int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
     ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
     bn_check_top(r);
  err:
-    OPENSSL_free(arr);
+    if (arr)
+        OPENSSL_free(arr);
     return ret;
 }
 
@@ -1020,7 +1094,7 @@ int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     int *arr = NULL;
     bn_check_top(a);
     bn_check_top(p);
-    if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
+    if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
         goto err;
     ret = BN_GF2m_poly2arr(p, arr, max);
     if (!ret || ret > max) {
@@ -1030,7 +1104,8 @@ int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
     ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
     bn_check_top(r);
  err:
-    OPENSSL_free(arr);
+    if (arr)
+        OPENSSL_free(arr);
     return ret;
 }
 
@@ -1089,7 +1164,7 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
         if (tmp == NULL)
             goto err;
         do {
-            if (!BN_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+            if (!BN_rand(rho, p[0], 0, 0))
                 goto err;
             if (!BN_GF2m_mod_arr(rho, rho, p))
                 goto err;
@@ -1150,7 +1225,7 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     int *arr = NULL;
     bn_check_top(a);
     bn_check_top(p);
-    if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
+    if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL)
         goto err;
     ret = BN_GF2m_poly2arr(p, arr, max);
     if (!ret || ret > max) {
@@ -1160,7 +1235,8 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
     bn_check_top(r);
  err:
-    OPENSSL_free(arr);
+    if (arr)
+        OPENSSL_free(arr);
     return ret;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_intern.c b/Cryptlib/OpenSSL/crypto/bn/bn_intern.c
deleted file mode 100644
index 2c970647..00000000
--- a/Cryptlib/OpenSSL/crypto/bn/bn_intern.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "internal/cryptlib.h"
-#include "bn_lcl.h"
-
-/*
- * Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
- * This is an array  r[]  of values that are either zero or odd with an
- * absolute value less than  2^w  satisfying
- *     scalar = \sum_j r[j]*2^j
- * where at most one of any  w+1  consecutive digits is non-zero
- * with the exception that the most significant digit may be only
- * w-1 zeros away from that next non-zero digit.
- */
-signed char *bn_compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
-{
-    int window_val;
-    signed char *r = NULL;
-    int sign = 1;
-    int bit, next_bit, mask;
-    size_t len = 0, j;
-
-    if (BN_is_zero(scalar)) {
-        r = OPENSSL_malloc(1);
-        if (r == NULL) {
-            BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-        r[0] = 0;
-        *ret_len = 1;
-        return r;
-    }
-
-    if (w <= 0 || w > 7) {      /* 'signed char' can represent integers with
-                                 * absolute values less than 2^7 */
-        BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-    bit = 1 << w;               /* at most 128 */
-    next_bit = bit << 1;        /* at most 256 */
-    mask = next_bit - 1;        /* at most 255 */
-
-    if (BN_is_negative(scalar)) {
-        sign = -1;
-    }
-
-    if (scalar->d == NULL || scalar->top == 0) {
-        BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
-    len = BN_num_bits(scalar);
-    r = OPENSSL_malloc(len + 1); /*
-                                  * Modified wNAF may be one digit longer than binary representation
-                                  * (*ret_len will be set to the actual length, i.e. at most
-                                  * BN_num_bits(scalar) + 1)
-                                  */
-    if (r == NULL) {
-        BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    window_val = scalar->d[0] & mask;
-    j = 0;
-    while ((window_val != 0) || (j + w + 1 < len)) { /* if j+w+1 >= len,
-                                                      * window_val will not
-                                                      * increase */
-        int digit = 0;
-
-        /* 0 <= window_val <= 2^(w+1) */
-
-        if (window_val & 1) {
-            /* 0 < window_val < 2^(w+1) */
-
-            if (window_val & bit) {
-                digit = window_val - next_bit; /* -2^w < digit < 0 */
-
-#if 1                           /* modified wNAF */
-                if (j + w + 1 >= len) {
-                    /*
-                     * Special case for generating modified wNAFs:
-                     * no new bits will be added into window_val,
-                     * so using a positive digit here will decrease
-                     * the total length of the representation
-                     */
-
-                    digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
-                }
-#endif
-            } else {
-                digit = window_val; /* 0 < digit < 2^w */
-            }
-
-            if (digit <= -bit || digit >= bit || !(digit & 1)) {
-                BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
-                goto err;
-            }
-
-            window_val -= digit;
-
-            /*
-             * now window_val is 0 or 2^(w+1) in standard wNAF generation;
-             * for modified window NAFs, it may also be 2^w
-             */
-            if (window_val != 0 && window_val != next_bit
-                && window_val != bit) {
-                BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
-                goto err;
-            }
-        }
-
-        r[j++] = sign * digit;
-
-        window_val >>= 1;
-        window_val += bit * BN_is_bit_set(scalar, j + w);
-
-        if (window_val > next_bit) {
-            BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
-            goto err;
-        }
-    }
-
-    if (j > len + 1) {
-        BNerr(BN_F_BN_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-    *ret_len = j;
-    return r;
-
- err:
-    OPENSSL_free(r);
-    return NULL;
-}
-
-int bn_get_top(const BIGNUM *a)
-{
-    return a->top;
-}
-
-void bn_set_top(BIGNUM *a, int top)
-{
-    a->top = top;
-}
-
-int bn_get_dmax(const BIGNUM *a)
-{
-    return a->dmax;
-}
-
-void bn_set_all_zero(BIGNUM *a)
-{
-    int i;
-
-    for (i = a->top; i < a->dmax; i++)
-        a->d[i] = 0;
-}
-
-int bn_copy_words(BN_ULONG *out, const BIGNUM *in, int size)
-{
-    if (in->top > size)
-        return 0;
-
-    memset(out, 0, sizeof(*out) * size);
-    if (in->d != NULL)
-        memcpy(out, in->d, sizeof(*out) * in->top);
-    return 1;
-}
-
-BN_ULONG *bn_get_words(const BIGNUM *a)
-{
-    return a->d;
-}
-
-void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size)
-{
-    a->d = words;
-    a->dmax = a->top = size;
-    a->neg = 0;
-    a->flags |= BN_FLG_STATIC_DATA;
-    bn_correct_top(a);
-}
-
-int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words)
-{
-    if (bn_wexpand(a, num_words) == NULL) {
-        BNerr(BN_F_BN_SET_WORDS, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
-    memcpy(a->d, words, sizeof(BN_ULONG) * num_words);
-    a->top = num_words;
-    bn_correct_top(a);
-    return 1;
-}
-
-size_t bn_sizeof_BIGNUM(void)
-{
-    return sizeof(BIGNUM);
-}
-
-BIGNUM *bn_array_el(BIGNUM *base, int el)
-{
-    return &base[el];
-}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_kron.c b/Cryptlib/OpenSSL/crypto/bn/bn_kron.c
index b9bc6cca..88d731ac 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_kron.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_kron.c
@@ -1,13 +1,59 @@
-/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_kron.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 /* least significant word */
@@ -46,7 +92,7 @@ int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
         goto end;
 
     /*
-     * Kronecker symbol, implemented according to Henri Cohen,
+     * Kronecker symbol, imlemented according to Henri Cohen,
      * "A Course in Computational Algebraic Number Theory"
      * (algorithm 1.4.10).
      */
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h b/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h
index 5fb38145..00f4f099 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_lcl.h
@@ -1,267 +1,123 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_lcl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #ifndef HEADER_BN_LCL_H
 # define HEADER_BN_LCL_H
 
-/*
- * The EDK2 build doesn't use bn_conf.h; it sets THIRTY_TWO_BIT or
- * SIXTY_FOUR_BIT in its own environment since it doesn't re-run our
- * Configure script and needs to support both 32-bit and 64-bit.
- */
-# include <openssl/opensslconf.h>
-
-# if !defined(OPENSSL_SYS_UEFI)
-#  include "internal/bn_conf.h"
-# endif
-
-# include "internal/bn_int.h"
+# include <openssl/bn.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-/*
- * These preprocessor symbols control various aspects of the bignum headers
- * and library code. They're not defined by any "normal" configuration, as
- * they are intended for development and testing purposes. NB: defining all
- * three can be useful for debugging application code as well as openssl
- * itself. BN_DEBUG - turn on various debugging alterations to the bignum
- * code BN_DEBUG_RAND - uses random poisoning of unused words to trip up
- * mismanagement of bignum internals. You must also define BN_DEBUG.
- */
-/* #define BN_DEBUG */
-/* #define BN_DEBUG_RAND */
-
-# ifndef OPENSSL_SMALL_FOOTPRINT
-#  define BN_MUL_COMBA
-#  define BN_SQR_COMBA
-#  define BN_RECURSION
-# endif
-
-/*
- * This next option uses the C libraries (2 word)/(1 word) function. If it is
- * not defined, I use my C version (which is slower). The reason for this
- * flag is that when the particular C compiler library routine is used, and
- * the library is linked with a different compiler, the library is missing.
- * This mostly happens when the library is built with gcc and then linked
- * using normal cc.  This would be a common occurrence because gcc normally
- * produces code that is 2 times faster than system compilers for the big
- * number stuff. For machines with only one compiler (or shared libraries),
- * this should be on.  Again this in only really a problem on machines using
- * "long long's", are 32bit, and are not using my assembler code.
- */
-# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \
-    defined(OPENSSL_SYS_WIN32) || defined(linux)
-#  define BN_DIV2W
-# endif
-
-/*
- * 64-bit processor with LP64 ABI
- */
-# ifdef SIXTY_FOUR_BIT_LONG
-#  define BN_ULLONG       unsigned long long
-#  define BN_BITS4        32
-#  define BN_MASK2        (0xffffffffffffffffL)
-#  define BN_MASK2l       (0xffffffffL)
-#  define BN_MASK2h       (0xffffffff00000000L)
-#  define BN_MASK2h1      (0xffffffff80000000L)
-#  define BN_DEC_CONV     (10000000000000000000UL)
-#  define BN_DEC_NUM      19
-#  define BN_DEC_FMT1     "%lu"
-#  define BN_DEC_FMT2     "%019lu"
-# endif
-
-/*
- * 64-bit processor other than LP64 ABI
- */
-# ifdef SIXTY_FOUR_BIT
-#  undef BN_LLONG
-#  undef BN_ULLONG
-#  define BN_BITS4        32
-#  define BN_MASK2        (0xffffffffffffffffLL)
-#  define BN_MASK2l       (0xffffffffL)
-#  define BN_MASK2h       (0xffffffff00000000LL)
-#  define BN_MASK2h1      (0xffffffff80000000LL)
-#  define BN_DEC_CONV     (10000000000000000000ULL)
-#  define BN_DEC_NUM      19
-#  define BN_DEC_FMT1     "%llu"
-#  define BN_DEC_FMT2     "%019llu"
-# endif
-
-# ifdef THIRTY_TWO_BIT
-#  ifdef BN_LLONG
-#   if defined(_WIN32) && !defined(__GNUC__)
-#    define BN_ULLONG     unsigned __int64
-#   else
-#    define BN_ULLONG     unsigned long long
-#   endif
-#  endif
-#  define BN_BITS4        16
-#  define BN_MASK2        (0xffffffffL)
-#  define BN_MASK2l       (0xffff)
-#  define BN_MASK2h1      (0xffff8000L)
-#  define BN_MASK2h       (0xffff0000L)
-#  define BN_DEC_CONV     (1000000000L)
-#  define BN_DEC_NUM      9
-#  define BN_DEC_FMT1     "%u"
-#  define BN_DEC_FMT2     "%09u"
-# endif
-
-
-/*-
- * Bignum consistency macros
- * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
- * bignum data after direct manipulations on the data. There is also an
- * "internal" macro, bn_check_top(), for verifying that there are no leading
- * zeroes. Unfortunately, some auditing is required due to the fact that
- * bn_fix_top() has become an overabused duct-tape because bignum data is
- * occasionally passed around in an inconsistent state. So the following
- * changes have been made to sort this out;
- * - bn_fix_top()s implementation has been moved to bn_correct_top()
- * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and
- *   bn_check_top() is as before.
- * - if BN_DEBUG *is* defined;
- *   - bn_check_top() tries to pollute unused words even if the bignum 'top' is
- *     consistent. (ed: only if BN_DEBUG_RAND is defined)
- *   - bn_fix_top() maps to bn_check_top() rather than "fixing" anything.
- * The idea is to have debug builds flag up inconsistent bignums when they
- * occur. If that occurs in a bn_fix_top(), we examine the code in question; if
- * the use of bn_fix_top() was appropriate (ie. it follows directly after code
- * that manipulates the bignum) it is converted to bn_correct_top(), and if it
- * was not appropriate, we convert it permanently to bn_check_top() and track
- * down the cause of the bug. Eventually, no internal code should be using the
- * bn_fix_top() macro. External applications and libraries should try this with
- * their own code too, both in terms of building against the openssl headers
- * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it
- * defined. This not only improves external code, it provides more test
- * coverage for openssl's own code.
- */
-
-# ifdef BN_DEBUG
-
-#  ifdef BN_DEBUG_RAND
-/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
-#   ifndef RAND_bytes
-int RAND_bytes(unsigned char *buf, int num);
-#    define BN_DEBUG_TRIX
-#   endif
-#   define bn_pollute(a) \
-        do { \
-            const BIGNUM *_bnum1 = (a); \
-            if (_bnum1->top < _bnum1->dmax) { \
-                unsigned char _tmp_char; \
-                /* We cast away const without the compiler knowing, any \
-                 * *genuinely* constant variables that aren't mutable \
-                 * wouldn't be constructed with top!=dmax. */ \
-                BN_ULONG *_not_const; \
-                memcpy(&_not_const, &_bnum1->d, sizeof(_not_const)); \
-                RAND_bytes(&_tmp_char, 1); /* Debug only - safe to ignore error return */\
-                memset(_not_const + _bnum1->top, _tmp_char, \
-                       sizeof(*_not_const) * (_bnum1->dmax - _bnum1->top)); \
-            } \
-        } while(0)
-#   ifdef BN_DEBUG_TRIX
-#    undef RAND_bytes
-#   endif
-#  else
-#   define bn_pollute(a)
-#  endif
-#  define bn_check_top(a) \
-        do { \
-                const BIGNUM *_bnum2 = (a); \
-                if (_bnum2 != NULL) { \
-                        OPENSSL_assert(((_bnum2->top == 0) && !_bnum2->neg) || \
-                                (_bnum2->top && (_bnum2->d[_bnum2->top - 1] != 0))); \
-                        bn_pollute(_bnum2); \
-                } \
-        } while(0)
-
-#  define bn_fix_top(a)           bn_check_top(a)
-
-#  define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
-#  define bn_wcheck_size(bn, words) \
-        do { \
-                const BIGNUM *_bnum2 = (bn); \
-                OPENSSL_assert((words) <= (_bnum2)->dmax && \
-                        (words) >= (_bnum2)->top); \
-                /* avoid unused variable warning with NDEBUG */ \
-                (void)(_bnum2); \
-        } while(0)
-
-# else                          /* !BN_DEBUG */
-
-#  define bn_pollute(a)
-#  define bn_check_top(a)
-#  define bn_fix_top(a)           bn_correct_top(a)
-#  define bn_check_size(bn, bits)
-#  define bn_wcheck_size(bn, words)
-
-# endif
-
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
-                          BN_ULONG w);
-BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
-BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                      int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                      int num);
-
-struct bignum_st {
-    BN_ULONG *d;                /* Pointer to an array of 'BN_BITS2' bit
-                                 * chunks. */
-    int top;                    /* Index of last used d +1. */
-    /* The next are internal book keeping for bn_expand. */
-    int dmax;                   /* Size of the d array. */
-    int neg;                    /* one if the number is negative */
-    int flags;
-};
-
-/* Used for montgomery multiplication */
-struct bn_mont_ctx_st {
-    int ri;                     /* number of bits in R */
-    BIGNUM RR;                  /* used to convert to montgomery form */
-    BIGNUM N;                   /* The modulus */
-    BIGNUM Ni;                  /* R*(1/R mod N) - N*Ni = 1 (Ni is only
-                                 * stored for bignum algorithm) */
-    BN_ULONG n0[2];             /* least significant word(s) of Ni; (type
-                                 * changed with 0.9.9, was "BN_ULONG n0;"
-                                 * before) */
-    int flags;
-};
-
-/*
- * Used for reciprocal division/mod functions It cannot be shared between
- * threads
- */
-struct bn_recp_ctx_st {
-    BIGNUM N;                   /* the divisor */
-    BIGNUM Nr;                  /* the reciprocal */
-    int num_bits;
-    int shift;
-    int flags;
-};
-
-/* Used for slow "generation" functions. */
-struct bn_gencb_st {
-    unsigned int ver;           /* To handle binary (in)compatibility */
-    void *arg;                  /* callback-specific data */
-    union {
-        /* if (ver==1) - handles old style callbacks */
-        void (*cb_1) (int, int, void *);
-        /* if (ver==2) - new callback style */
-        int (*cb_2) (int, int, BN_GENCB *);
-    } cb;
-};
-
 /*-
  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
  *
@@ -287,11 +143,23 @@ struct bn_gencb_st {
  * (with draws in between).  Very small exponents are often selected
  * with low Hamming weight, so we use  w = 1  for b <= 23.
  */
-# define BN_window_bits_for_exponent_size(b) \
+# if 1
+#  define BN_window_bits_for_exponent_size(b) \
                 ((b) > 671 ? 6 : \
                  (b) > 239 ? 5 : \
                  (b) >  79 ? 4 : \
                  (b) >  23 ? 3 : 1)
+# else
+/*
+ * Old SSLeay/OpenSSL table. Maximum window size was 5, so this table differs
+ * for b==1024; but it coincides for other interesting values (b==160,
+ * b==512).
+ */
+#  define BN_window_bits_for_exponent_size(b) \
+                ((b) > 255 ? 5 : \
+                 (b) > 127 ? 4 : \
+                 (b) >  17 ? 3 : 1)
+# endif
 
 /*
  * BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
@@ -426,8 +294,8 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
 #   endif
 #  elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
 #   if defined(__GNUC__) && __GNUC__>=2
-#    if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
-      /* "h" constraint is not an option on R6 and was removed in 4.4 */
+#    if __GNUC__>4 || (__GNUC__>=4 && __GNUC_MINOR__>=4)
+                                     /* "h" constraint is no more since 4.4 */
 #     define BN_UMULT_HIGH(a,b)          (((__uint128_t)(a)*(b))>>64)
 #     define BN_UMULT_LOHI(low,high,a,b) ({     \
         __uint128_t ret=(__uint128_t)(a)*(b);   \
@@ -633,10 +501,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
         }
 # endif                         /* !BN_LLONG */
 
-void BN_RECP_CTX_init(BN_RECP_CTX *recp);
-void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
+# if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS)
+#  undef bn_div_words
+# endif
 
-void bn_init(BIGNUM *a);
 void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
 void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
 void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
@@ -662,26 +530,6 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
                 const BN_ULONG *np, const BN_ULONG *n0, int num);
 
-BIGNUM *int_bn_mod_inverse(BIGNUM *in,
-                           const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
-                           int *noinv);
-
-int bn_probable_prime_dh(BIGNUM *rnd, int bits,
-                         const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx);
-int bn_probable_prime_dh_retry(BIGNUM *rnd, int bits, BN_CTX *ctx);
-int bn_probable_prime_dh_coprime(BIGNUM *rnd, int bits, BN_CTX *ctx);
-
-static ossl_inline BIGNUM *bn_expand(BIGNUM *a, int bits)
-{
-    if (bits > (INT_MAX - BN_BITS2 + 1))
-        return NULL;
-
-    if (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax)
-        return a;
-
-    return bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2);
-}
-
 #ifdef  __cplusplus
 }
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c
index 17d34c31..2671f35c 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_lib.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_lib.c
@@ -1,20 +1,76 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
+#ifndef BN_DEBUG
+# undef NDEBUG                  /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
 #include <assert.h>
 #include <limits.h>
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
-#include <openssl/opensslconf.h>
+
+const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
 
 /* This stuff appears to be completely unused, so is deprecated */
-#if OPENSSL_API_COMPAT < 0x00908000L
+#ifndef OPENSSL_NO_DEPRECATED
 /*-
  * For a 32 bit machine
  * 2 -   4 ==  128
@@ -168,15 +224,6 @@ int BN_num_bits(const BIGNUM *a)
     return ((i * BN_BITS2) + BN_num_bits_word(a->d[i]));
 }
 
-static void bn_free_d(BIGNUM *a)
-{
-    if (BN_get_flags(a, BN_FLG_SECURE))
-        OPENSSL_secure_free(a->d);
-    else
-        OPENSSL_free(a->d);
-}
-
-
 void BN_clear_free(BIGNUM *a)
 {
     int i;
@@ -186,11 +233,11 @@ void BN_clear_free(BIGNUM *a)
     bn_check_top(a);
     if (a->d != NULL) {
         OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
-        if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
-            bn_free_d(a);
+        if (!(BN_get_flags(a, BN_FLG_STATIC_DATA)))
+            OPENSSL_free(a->d);
     }
     i = BN_get_flags(a, BN_FLG_MALLOCED);
-    OPENSSL_cleanse(a, sizeof(*a));
+    OPENSSL_cleanse(a, sizeof(BIGNUM));
     if (i)
         OPENSSL_free(a);
 }
@@ -200,23 +247,21 @@ void BN_free(BIGNUM *a)
     if (a == NULL)
         return;
     bn_check_top(a);
-    if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
-        bn_free_d(a);
+    if ((a->d != NULL) && !(BN_get_flags(a, BN_FLG_STATIC_DATA)))
+        OPENSSL_free(a->d);
     if (a->flags & BN_FLG_MALLOCED)
         OPENSSL_free(a);
     else {
-#if OPENSSL_API_COMPAT < 0x00908000L
+#ifndef OPENSSL_NO_DEPRECATED
         a->flags |= BN_FLG_FREE;
 #endif
         a->d = NULL;
     }
 }
 
-void bn_init(BIGNUM *a)
+void BN_init(BIGNUM *a)
 {
-    static BIGNUM nilbn;
-
-    *a = nilbn;
+    memset(a, 0, sizeof(BIGNUM));
     bn_check_top(a);
 }
 
@@ -224,24 +269,20 @@ BIGNUM *BN_new(void)
 {
     BIGNUM *ret;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
+    if ((ret = (BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL) {
         BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
     ret->flags = BN_FLG_MALLOCED;
+    ret->top = 0;
+    ret->neg = 0;
+    ret->dmax = 0;
+    ret->d = NULL;
     bn_check_top(ret);
     return (ret);
 }
 
- BIGNUM *BN_secure_new(void)
- {
-     BIGNUM *ret = BN_new();
-     if (ret != NULL)
-         ret->flags |= BN_FLG_SECURE;
-     return (ret);
- }
-
-/* This is used by bn_expand2() */
+/* This is used both by bn_expand2() and bn_dup_expand() */
 /* The caller MUST check that words > b->dmax before calling this */
 static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 {
@@ -259,14 +300,20 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
         BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
         return (NULL);
     }
-    if (BN_get_flags(b, BN_FLG_SECURE))
-        a = A = OPENSSL_secure_zalloc(words * sizeof(*a));
-    else
-        a = A = OPENSSL_zalloc(words * sizeof(*a));
+    a = A = (BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG) * words);
     if (A == NULL) {
         BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
+#ifdef PURIFY
+    /*
+     * Valgrind complains in BN_consttime_swap because we process the whole
+     * array even if it's not initialised yet. This doesn't matter in that
+     * function - what's important is constant time operation (we're not
+     * actually going to use the data)
+     */
+    memset(a, 0, sizeof(BN_ULONG) * words);
+#endif
 
 #if 1
     B = b->d;
@@ -277,7 +324,7 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
              * The fact that the loop is unrolled
              * 4-wise is a tribute to Intel. It's
              * the one that doesn't have enough
-             * registers to accommodate more data.
+             * registers to accomodate more data.
              * I'd unroll it 8-wise otherwise:-)
              *
              *              <appro@fy.chalmers.se>
@@ -292,6 +339,11 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
             A[2] = a2;
             A[3] = a3;
         }
+        /*
+         * workaround for ultrix cc: without 'case 0', the optimizer does
+         * the switch table by doing a=top&3; a--; goto jump_table[a];
+         * which fails for top== 0
+         */
         switch (b->top & 3) {
         case 3:
             A[2] = B[2];
@@ -300,12 +352,11 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
         case 1:
             A[0] = B[0];
         case 0:
-            /* Without the "case 0" some old optimizers got this wrong. */
             ;
         }
     }
 #else
-    memset(A, 0, sizeof(*A) * words);
+    memset(A, 0, sizeof(BN_ULONG) * words);
     memcpy(A, b->d, sizeof(b->d[0]) * b->top);
 #endif
 
@@ -313,6 +364,58 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 }
 
 /*
+ * This is an internal function that can be used instead of bn_expand2() when
+ * there is a need to copy BIGNUMs instead of only expanding the data part,
+ * while still expanding them. Especially useful when needing to expand
+ * BIGNUMs that are declared 'const' and should therefore not be changed. The
+ * reason to use this instead of a BN_dup() followed by a bn_expand2() is
+ * memory allocation overhead.  A BN_dup() followed by a bn_expand2() will
+ * allocate new memory for the BIGNUM data twice, and free it once, while
+ * bn_dup_expand() makes sure allocation is made only once.
+ */
+
+#ifndef OPENSSL_NO_DEPRECATED
+BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
+{
+    BIGNUM *r = NULL;
+
+    bn_check_top(b);
+
+    /*
+     * This function does not work if words <= b->dmax && top < words because
+     * BN_dup() does not preserve 'dmax'! (But bn_dup_expand() is not used
+     * anywhere yet.)
+     */
+
+    if (words > b->dmax) {
+        BN_ULONG *a = bn_expand_internal(b, words);
+
+        if (a) {
+            r = BN_new();
+            if (r) {
+                r->top = b->top;
+                r->dmax = words;
+                r->neg = b->neg;
+                r->d = a;
+            } else {
+                /* r == NULL, BN_new failure */
+                OPENSSL_free(a);
+            }
+        }
+        /*
+         * If a == NULL, there was an error in allocation in
+         * bn_expand_internal(), and NULL should be returned
+         */
+    } else {
+        r = BN_dup(b);
+    }
+
+    bn_check_top(r);
+    return r;
+}
+#endif
+
+/*
  * This is an internal function that should not be used in applications. It
  * ensures that 'b' has enough room for a 'words' word number and initialises
  * any unused part of b->d with leading zeros. It is mostly used by the
@@ -328,14 +431,35 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
         BN_ULONG *a = bn_expand_internal(b, words);
         if (!a)
             return NULL;
-        if (b->d) {
-            OPENSSL_cleanse(b->d, b->dmax * sizeof(b->d[0]));
-            bn_free_d(b);
-        }
+        if (b->d)
+            OPENSSL_free(b->d);
         b->d = a;
         b->dmax = words;
     }
 
+/* None of this should be necessary because of what b->top means! */
+#if 0
+    /*
+     * NB: bn_wexpand() calls this only if the BIGNUM really has to grow
+     */
+    if (b->top < b->dmax) {
+        int i;
+        BN_ULONG *A = &(b->d[b->top]);
+        for (i = (b->dmax - b->top) >> 3; i > 0; i--, A += 8) {
+            A[0] = 0;
+            A[1] = 0;
+            A[2] = 0;
+            A[3] = 0;
+            A[4] = 0;
+            A[5] = 0;
+            A[6] = 0;
+            A[7] = 0;
+        }
+        for (i = (b->dmax - b->top) & 7; i > 0; i--, A++)
+            A[0] = 0;
+        assert(A == &(b->d[b->dmax]));
+    }
+#endif
     bn_check_top(b);
     return b;
 }
@@ -348,7 +472,7 @@ BIGNUM *BN_dup(const BIGNUM *a)
         return NULL;
     bn_check_top(a);
 
-    t = BN_get_flags(a, BN_FLG_SECURE) ? BN_secure_new() : BN_new();
+    t = BN_new();
     if (t == NULL)
         return NULL;
     if (!BN_copy(t, a)) {
@@ -372,6 +496,9 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
     if (bn_wexpand(a, b->top) == NULL)
         return (NULL);
 
+    if (!a || !b || !a->d || !b->d)
+        return (NULL);
+
 #if 1
     A = a->d;
     B = b->d;
@@ -445,7 +572,7 @@ void BN_clear(BIGNUM *a)
 {
     bn_check_top(a);
     if (a->d != NULL)
-        OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax);
+        OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
     a->top = 0;
     a->neg = 0;
 }
@@ -484,9 +611,7 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
     if (ret == NULL)
         return (NULL);
     bn_check_top(ret);
-    /* Skip leading zero's. */
-    for ( ; len > 0 && *s == 0; s++, len--)
-        continue;
+    l = 0;
     n = len;
     if (n == 0) {
         ret->top = 0;
@@ -495,12 +620,12 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
     i = ((n - 1) / BN_BYTES) + 1;
     m = ((n - 1) % (BN_BYTES));
     if (bn_wexpand(ret, (int)i) == NULL) {
-        BN_free(bn);
+        if (bn)
+            BN_free(bn);
         return NULL;
     }
     ret->top = i;
     ret->neg = 0;
-    l = 0;
     while (n--) {
         l = (l << 8L) | *(s++);
         if (m-- == 0) {
@@ -518,106 +643,18 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
 }
 
 /* ignore negative */
-static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
-    int i;
-    BN_ULONG l;
-
-    bn_check_top(a);
-    i = BN_num_bytes(a);
-    if (tolen == -1)
-        tolen = i;
-    else if (tolen < i)
-        return -1;
-    /* Add leading zeroes if necessary */
-    if (tolen > i) {
-        memset(to, 0, tolen - i);
-        to += tolen - i;
-    }
-    while (i--) {
-        l = a->d[i / BN_BYTES];
-        *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
-    }
-    return tolen;
-}
-
-int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
-    if (tolen < 0)
-        return -1;
-    return bn2binpad(a, to, tolen);
-}
-
 int BN_bn2bin(const BIGNUM *a, unsigned char *to)
 {
-    return bn2binpad(a, to, -1);
-}
-
-BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
-{
-    unsigned int i, m;
-    unsigned int n;
+    int n, i;
     BN_ULONG l;
-    BIGNUM *bn = NULL;
-
-    if (ret == NULL)
-        ret = bn = BN_new();
-    if (ret == NULL)
-        return (NULL);
-    bn_check_top(ret);
-    s += len;
-    /* Skip trailing zeroes. */
-    for ( ; len > 0 && s[-1] == 0; s--, len--)
-        continue;
-    n = len;
-    if (n == 0) {
-        ret->top = 0;
-        return ret;
-    }
-    i = ((n - 1) / BN_BYTES) + 1;
-    m = ((n - 1) % (BN_BYTES));
-    if (bn_wexpand(ret, (int)i) == NULL) {
-        BN_free(bn);
-        return NULL;
-    }
-    ret->top = i;
-    ret->neg = 0;
-    l = 0;
-    while (n--) {
-        s--;
-        l = (l << 8L) | *s;
-        if (m-- == 0) {
-            ret->d[--i] = l;
-            l = 0;
-            m = BN_BYTES - 1;
-        }
-    }
-    /*
-     * need to call this due to clear byte at top if avoiding having the top
-     * bit set (-ve number)
-     */
-    bn_correct_top(ret);
-    return ret;
-}
 
-int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
-    int i;
-    BN_ULONG l;
     bn_check_top(a);
-    i = BN_num_bytes(a);
-    if (tolen < i)
-        return -1;
-    /* Add trailing zeroes if necessary */
-    if (tolen > i)
-        memset(to + i, 0, tolen - i);
-    to += i;
+    n = i = BN_num_bytes(a);
     while (i--) {
         l = a->d[i / BN_BYTES];
-        to--;
-        *to = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
+        *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
     }
-    return tolen;
+    return (n);
 }
 
 int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
@@ -793,9 +830,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
 
 /*
  * Here follows a specialised variants of bn_cmp_words().  It has the
- * capability of performing the operation on arrays of different sizes. The
+ * property of performing the operation on arrays of different sizes. The
  * sizes of those arrays is expressed through cl, which is the common length
- * ( basically, min(len(a),len(b)) ), and dl, which is the delta between the
+ * ( basicall, min(len(a),len(b)) ), and dl, which is the delta between the
  * two lengths, calculated as len(a)-len(b). All lengths are the number of
  * BN_ULONGs...
  */
@@ -880,158 +917,3 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
     }
 #undef BN_CONSTTIME_SWAP
 }
-
-/* Bits of security, see SP800-57 */
-
-int BN_security_bits(int L, int N)
-{
-    int secbits, bits;
-    if (L >= 15360)
-        secbits = 256;
-    else if (L >= 7690)
-        secbits = 192;
-    else if (L >= 3072)
-        secbits = 128;
-    else if (L >= 2048)
-        secbits = 112;
-    else if (L >= 1024)
-        secbits = 80;
-    else
-        return 0;
-    if (N == -1)
-        return secbits;
-    bits = N / 2;
-    if (bits < 80)
-        return 0;
-    return bits >= secbits ? secbits : bits;
-}
-
-void BN_zero_ex(BIGNUM *a)
-{
-    a->top = 0;
-    a->neg = 0;
-}
-
-int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w)
-{
-    return ((a->top == 1) && (a->d[0] == w)) || ((w == 0) && (a->top == 0));
-}
-
-int BN_is_zero(const BIGNUM *a)
-{
-    return a->top == 0;
-}
-
-int BN_is_one(const BIGNUM *a)
-{
-    return BN_abs_is_word(a, 1) && !a->neg;
-}
-
-int BN_is_word(const BIGNUM *a, const BN_ULONG w)
-{
-    return BN_abs_is_word(a, w) && (!w || !a->neg);
-}
-
-int BN_is_odd(const BIGNUM *a)
-{
-    return (a->top > 0) && (a->d[0] & 1);
-}
-
-int BN_is_negative(const BIGNUM *a)
-{
-    return (a->neg != 0);
-}
-
-int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
-                     BN_CTX *ctx)
-{
-    return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
-}
-
-void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
-{
-    dest->d = b->d;
-    dest->top = b->top;
-    dest->dmax = b->dmax;
-    dest->neg = b->neg;
-    dest->flags = ((dest->flags & BN_FLG_MALLOCED)
-                   | (b->flags & ~BN_FLG_MALLOCED)
-                   | BN_FLG_STATIC_DATA | flags);
-}
-
-BN_GENCB *BN_GENCB_new(void)
-{
-    BN_GENCB *ret;
-
-    if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
-        BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE);
-        return (NULL);
-    }
-
-    return ret;
-}
-
-void BN_GENCB_free(BN_GENCB *cb)
-{
-    if (cb == NULL)
-        return;
-    OPENSSL_free(cb);
-}
-
-void BN_set_flags(BIGNUM *b, int n)
-{
-    b->flags |= n;
-}
-
-int BN_get_flags(const BIGNUM *b, int n)
-{
-    return b->flags & n;
-}
-
-/* Populate a BN_GENCB structure with an "old"-style callback */
-void BN_GENCB_set_old(BN_GENCB *gencb, void (*callback) (int, int, void *),
-                      void *cb_arg)
-{
-    BN_GENCB *tmp_gencb = gencb;
-    tmp_gencb->ver = 1;
-    tmp_gencb->arg = cb_arg;
-    tmp_gencb->cb.cb_1 = callback;
-}
-
-/* Populate a BN_GENCB structure with a "new"-style callback */
-void BN_GENCB_set(BN_GENCB *gencb, int (*callback) (int, int, BN_GENCB *),
-                  void *cb_arg)
-{
-    BN_GENCB *tmp_gencb = gencb;
-    tmp_gencb->ver = 2;
-    tmp_gencb->arg = cb_arg;
-    tmp_gencb->cb.cb_2 = callback;
-}
-
-void *BN_GENCB_get_arg(BN_GENCB *cb)
-{
-    return cb->arg;
-}
-
-BIGNUM *bn_wexpand(BIGNUM *a, int words)
-{
-    return (words <= a->dmax) ? a : bn_expand2(a, words);
-}
-
-void bn_correct_top(BIGNUM *a)
-{
-    BN_ULONG *ftl;
-    int tmp_top = a->top;
-
-    if (tmp_top > 0) {
-        for (ftl = &(a->d[tmp_top]); tmp_top > 0; tmp_top--) {
-            ftl--;
-            if (*ftl != 0)
-                break;
-        }
-        a->top = tmp_top;
-    }
-    if (a->top == 0)
-        a->neg = 0;
-    bn_pollute(a);
-}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mod.c b/Cryptlib/OpenSSL/crypto/bn/bn_mod.c
index 13b583f7..ffbce890 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_mod.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_mod.c
@@ -1,15 +1,129 @@
+/* crypto/bn/bn_mod.c */
 /*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
+#if 0                           /* now just a #define */
+int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
+{
+    return (BN_div(NULL, rem, m, d, ctx));
+    /* note that  rem->neg == m->neg  (unless the remainder is zero) */
+}
+#endif
+
 int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
 {
     /*
@@ -148,7 +262,8 @@ int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,
     ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
     bn_check_top(r);
 
-    BN_free(abs_m);
+    if (abs_m)
+        BN_free(abs_m);
     return ret;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c
index 6d37279a..be95bd55 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_mont.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_mont.c
@@ -1,10 +1,112 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_mont.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -14,7 +116,8 @@
  * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
  */
 
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 #define MONT_WORD               /* use the faster word-based algorithm */
@@ -94,15 +197,36 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
     rp = r->d;
 
     /* clear the top words of T */
-    i = max - r->top;
-    if (i)
-        memset(&rp[r->top], 0, sizeof(*rp) * i);
+# if 1
+    for (i = r->top; i < max; i++) /* memset? XXX */
+        rp[i] = 0;
+# else
+    memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG));
+# endif
 
     r->top = max;
     n0 = mont->n0[0];
 
+# ifdef BN_COUNT
+    fprintf(stderr, "word BN_from_montgomery_word %d * %d\n", nl, nl);
+# endif
     for (carry = 0, i = 0; i < nl; i++, rp++) {
+# ifdef __TANDEM
+        {
+            long long t1;
+            long long t2;
+            long long t3;
+            t1 = rp[0] * (n0 & 0177777);
+            t2 = 037777600000l;
+            t2 = n0 & t2;
+            t3 = rp[0] & 0177777;
+            t2 = (t3 * t2) & BN_MASK2;
+            t1 = t1 + t2;
+            v = bn_mul_add_words(rp, np, nl, (BN_ULONG)t1);
+        }
+# else
         v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
+# endif
         v = (v + carry + rp[nl]) & BN_MASK2;
         carry |= (v != rp[nl]);
         carry &= (v <= rp[nl]);
@@ -214,7 +338,7 @@ BN_MONT_CTX *BN_MONT_CTX_new(void)
 {
     BN_MONT_CTX *ret;
 
-    if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL)
+    if ((ret = (BN_MONT_CTX *)OPENSSL_malloc(sizeof(BN_MONT_CTX))) == NULL)
         return (NULL);
 
     BN_MONT_CTX_init(ret);
@@ -225,9 +349,9 @@ BN_MONT_CTX *BN_MONT_CTX_new(void)
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx)
 {
     ctx->ri = 0;
-    bn_init(&(ctx->RR));
-    bn_init(&(ctx->N));
-    bn_init(&(ctx->Ni));
+    BN_init(&(ctx->RR));
+    BN_init(&(ctx->N));
+    BN_init(&(ctx->Ni));
     ctx->n0[0] = ctx->n0[1] = 0;
     ctx->flags = 0;
 }
@@ -265,7 +389,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
         BIGNUM tmod;
         BN_ULONG buf[2];
 
-        bn_init(&tmod);
+        BN_init(&tmod);
         tmod.d = buf;
         tmod.dmax = 2;
         tmod.neg = 0;
@@ -395,14 +519,14 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
     return (to);
 }
 
-BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_RWLOCK *lock,
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
                                     const BIGNUM *mod, BN_CTX *ctx)
 {
     BN_MONT_CTX *ret;
 
-    CRYPTO_THREAD_read_lock(lock);
+    CRYPTO_r_lock(lock);
     ret = *pmont;
-    CRYPTO_THREAD_unlock(lock);
+    CRYPTO_r_unlock(lock);
     if (ret)
         return ret;
 
@@ -415,7 +539,7 @@ BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_RWLOCK *lock,
      * (the losers throw away the work they've done).
      */
     ret = BN_MONT_CTX_new();
-    if (ret == NULL)
+    if (!ret)
         return NULL;
     if (!BN_MONT_CTX_set(ret, mod, ctx)) {
         BN_MONT_CTX_free(ret);
@@ -423,12 +547,12 @@ BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_RWLOCK *lock,
     }
 
     /* The locked compare-and-set, after the local work is done. */
-    CRYPTO_THREAD_write_lock(lock);
+    CRYPTO_w_lock(lock);
     if (*pmont) {
         BN_MONT_CTX_free(ret);
         ret = *pmont;
     } else
         *pmont = ret;
-    CRYPTO_THREAD_unlock(lock);
+    CRYPTO_w_unlock(lock);
     return ret;
 }
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c b/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c
index 043e21d2..3bd40bbd 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_mpi.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_mpi.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 int BN_bn2mpi(const BIGNUM *a, unsigned char *d)
@@ -39,48 +88,41 @@ int BN_bn2mpi(const BIGNUM *a, unsigned char *d)
     return (num + 4 + ext);
 }
 
-BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *ain)
+BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a)
 {
     long len;
     int neg = 0;
-    BIGNUM *a = NULL;
 
     if (n < 4) {
         BNerr(BN_F_BN_MPI2BN, BN_R_INVALID_LENGTH);
-        return NULL;
+        return (NULL);
     }
     len = ((long)d[0] << 24) | ((long)d[1] << 16) | ((int)d[2] << 8) | (int)
         d[3];
     if ((len + 4) != n) {
         BNerr(BN_F_BN_MPI2BN, BN_R_ENCODING_ERROR);
-        return NULL;
+        return (NULL);
     }
 
-    if (ain == NULL)
+    if (a == NULL)
         a = BN_new();
-    else
-        a = ain;
-
     if (a == NULL)
-        return NULL;
+        return (NULL);
 
     if (len == 0) {
         a->neg = 0;
         a->top = 0;
-        return a;
+        return (a);
     }
     d += 4;
     if ((*d) & 0x80)
         neg = 1;
-    if (BN_bin2bn(d, (int)len, a) == NULL) {
-        if (ain == NULL)
-            BN_free(a);
-        return NULL;
-    }
+    if (BN_bin2bn(d, (int)len, a) == NULL)
+        return (NULL);
     a->neg = neg;
     if (neg) {
         BN_clear_bit(a, BN_num_bits(a) - 1);
     }
     bn_check_top(a);
-    return a;
+    return (a);
 }
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_mul.c b/Cryptlib/OpenSSL/crypto/bn/bn_mul.c
index 4a0a9505..3c618dc3 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_mul.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_mul.c
@@ -1,14 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_mul.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
+#ifndef BN_DEBUG
+# undef NDEBUG                  /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <stdio.h>
 #include <assert.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 #if defined(OPENSSL_NO_ASM) || !defined(OPENSSL_BN_ASM_PART_WORDS)
@@ -16,7 +71,7 @@
  * Here follows specialised variants of bn_add_words() and bn_sub_words().
  * They have the property performing operations on arrays of different sizes.
  * The sizes of those arrays is expressed through cl, which is the common
- * length ( basically, min(len(a),len(b)) ), and dl, which is the delta
+ * length ( basicall, min(len(a),len(b)) ), and dl, which is the delta
  * between the two lengths, calculated as len(a)-len(b). All lengths are the
  * number of BN_ULONGs...  For the operations that require a result array as
  * parameter, it must have the length cl+abs(dl). These functions should
@@ -41,6 +96,10 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r,
     b += cl;
 
     if (dl < 0) {
+# ifdef BN_COUNT
+        fprintf(stderr, "  bn_sub_part_words %d + %d (dl < 0, c = %d)\n", cl,
+                dl, c);
+# endif
         for (;;) {
             t = b[0];
             r[0] = (0 - t - c) & BN_MASK2;
@@ -75,6 +134,10 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r,
         }
     } else {
         int save_dl = dl;
+# ifdef BN_COUNT
+        fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c = %d)\n", cl,
+                dl, c);
+# endif
         while (c) {
             t = a[0];
             r[0] = (t - c) & BN_MASK2;
@@ -109,6 +172,10 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r,
             r += 4;
         }
         if (dl > 0) {
+# ifdef BN_COUNT
+            fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c == 0)\n",
+                    cl, dl);
+# endif
             if (save_dl > dl) {
                 switch (save_dl - dl) {
                 case 1:
@@ -129,6 +196,10 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r,
             }
         }
         if (dl > 0) {
+# ifdef BN_COUNT
+            fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, copy)\n",
+                    cl, dl);
+# endif
             for (;;) {
                 r[0] = a[0];
                 if (--dl <= 0)
@@ -170,6 +241,10 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
 
     if (dl < 0) {
         int save_dl = dl;
+#ifdef BN_COUNT
+        fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c = %d)\n", cl,
+                dl, c);
+#endif
         while (c) {
             l = (c + b[0]) & BN_MASK2;
             c = (l < c);
@@ -200,6 +275,10 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
             r += 4;
         }
         if (dl < 0) {
+#ifdef BN_COUNT
+            fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c == 0)\n",
+                    cl, dl);
+#endif
             if (save_dl < dl) {
                 switch (dl - save_dl) {
                 case 1:
@@ -220,6 +299,10 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
             }
         }
         if (dl < 0) {
+#ifdef BN_COUNT
+            fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, copy)\n",
+                    cl, dl);
+#endif
             for (;;) {
                 r[0] = b[0];
                 if (++dl >= 0)
@@ -240,6 +323,9 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
         }
     } else {
         int save_dl = dl;
+#ifdef BN_COUNT
+        fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0)\n", cl, dl);
+#endif
         while (c) {
             t = (a[0] + c) & BN_MASK2;
             c = (t < c);
@@ -269,6 +355,10 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
             a += 4;
             r += 4;
         }
+#ifdef BN_COUNT
+        fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, c == 0)\n", cl,
+                dl);
+#endif
         if (dl > 0) {
             if (save_dl > dl) {
                 switch (save_dl - dl) {
@@ -290,6 +380,10 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
             }
         }
         if (dl > 0) {
+#ifdef BN_COUNT
+            fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, copy)\n",
+                    cl, dl);
+#endif
             for (;;) {
                 r[0] = a[0];
                 if (--dl <= 0)
@@ -338,6 +432,9 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
     unsigned int neg, zero;
     BN_ULONG ln, lo, *p;
 
+# ifdef BN_COUNT
+    fprintf(stderr, " bn_mul_recursive %d%+d * %d%+d\n", n2, dna, n2, dnb);
+# endif
 # ifdef BN_MUL_COMBA
 #  if 0
     if (n2 == 4) {
@@ -404,7 +501,7 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         if (!zero)
             bn_mul_comba4(&(t[n2]), t, &(t[n]));
         else
-            memset(&t[n2], 0, sizeof(*t) * 8);
+            memset(&(t[n2]), 0, 8 * sizeof(BN_ULONG));
 
         bn_mul_comba4(r, a, b);
         bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
@@ -414,7 +511,7 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         if (!zero)
             bn_mul_comba8(&(t[n2]), t, &(t[n]));
         else
-            memset(&t[n2], 0, sizeof(*t) * 16);
+            memset(&(t[n2]), 0, 16 * sizeof(BN_ULONG));
 
         bn_mul_comba8(r, a, b);
         bn_mul_comba8(&(r[n2]), &(a[n]), &(b[n]));
@@ -425,7 +522,7 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         if (!zero)
             bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
         else
-            memset(&t[n2], 0, sizeof(*t) * n2);
+            memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
         bn_mul_recursive(r, a, b, n, 0, 0, p);
         bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
     }
@@ -484,6 +581,10 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
     int c1, c2, neg;
     BN_ULONG ln, lo, *p;
 
+# ifdef BN_COUNT
+    fprintf(stderr, " bn_mul_part_recursive (%d%+d) * (%d%+d)\n",
+            n, tna, n, tnb);
+# endif
     if (n < 8) {
         bn_mul_normal(r, a, n + tna, b, n + tnb);
         return;
@@ -530,14 +631,14 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
         bn_mul_comba4(&(t[n2]), t, &(t[n]));
         bn_mul_comba4(r, a, b);
         bn_mul_normal(&(r[n2]), &(a[n]), tn, &(b[n]), tn);
-        memset(&r[n2 + tn * 2], 0, sizeof(*r) * (n2 - tn * 2));
+        memset(&(r[n2 + tn * 2]), 0, sizeof(BN_ULONG) * (n2 - tn * 2));
     } else
 # endif
     if (n == 8) {
         bn_mul_comba8(&(t[n2]), t, &(t[n]));
         bn_mul_comba8(r, a, b);
         bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
-        memset(&r[n2 + tna + tnb], 0, sizeof(*r) * (n2 - tna - tnb));
+        memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
     } else {
         p = &(t[n2 * 2]);
         bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
@@ -553,7 +654,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
         if (j == 0) {
             bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]),
                              i, tna - i, tnb - i, p);
-            memset(&r[n2 + i * 2], 0, sizeof(*r) * (n2 - i * 2));
+            memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
         } else if (j > 0) {     /* eg, n == 16, i == 8 and tn == 11 */
             bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]),
                                   i, tna - i, tnb - i, p);
@@ -561,7 +662,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                    sizeof(BN_ULONG) * (n2 - tna - tnb));
         } else {                /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
 
-            memset(&r[n2], 0, sizeof(*r) * n2);
+            memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
             if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL
                 && tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
                 bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
@@ -640,6 +741,10 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 {
     int n = n2 / 2;
 
+# ifdef BN_COUNT
+    fprintf(stderr, " bn_mul_low_recursive %d * %d\n", n2, n2);
+# endif
+
     bn_mul_recursive(r, a, b, n, 0, 0, &(t[0]));
     if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL) {
         bn_mul_low_recursive(&(t[0]), &(a[0]), &(b[n]), n, &(t[n2]));
@@ -668,6 +773,9 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
     int neg, oneg, zero;
     BN_ULONG ll, lc, *lp, *mp;
 
+# ifdef BN_COUNT
+    fprintf(stderr, " bn_mul_high %d * %d\n", n2, n2);
+# endif
     n = n2 / 2;
 
     /* Calculate (al-ah)*(bh-bl) */
@@ -729,8 +837,9 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
      */
     if (l != NULL) {
         lp = &(t[n2 + n]);
-        bn_add_words(lp, &(r[0]), &(l[0]), n);
+        c1 = (int)(bn_add_words(lp, &(r[0]), &(l[0]), n));
     } else {
+        c1 = 0;
         lp = &(r[0]);
     }
 
@@ -838,6 +947,10 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
     int j = 0, k;
 #endif
 
+#ifdef BN_COUNT
+    fprintf(stderr, "BN_mul %d * %d\n", a->top, b->top);
+#endif
+
     bn_check_top(a);
     bn_check_top(b);
     bn_check_top(r);
@@ -857,6 +970,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
             goto err;
     } else
         rr = r;
+    rr->neg = a->neg ^ b->neg;
 
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
     i = al - bl;
@@ -968,7 +1082,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
  end:
 #endif
-    rr->neg = a->neg ^ b->neg;
     bn_correct_top(rr);
     if (r != rr && BN_copy(r, rr) == NULL)
         goto err;
@@ -984,6 +1097,10 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 {
     BN_ULONG *rr;
 
+#ifdef BN_COUNT
+    fprintf(stderr, " bn_mul_normal %d * %d\n", na, nb);
+#endif
+
     if (na < nb) {
         int itmp;
         BN_ULONG *ltmp;
@@ -1024,6 +1141,9 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 
 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 {
+#ifdef BN_COUNT
+    fprintf(stderr, " bn_mul_low_normal %d * %d\n", n, n);
+#endif
     bn_mul_words(r, a, n, b[0]);
 
     for (;;) {
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_nist.c b/Cryptlib/OpenSSL/crypto/bn/bn_nist.c
index 53598f97..4a45404c 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_nist.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_nist.c
@@ -1,14 +1,63 @@
+/* crypto/bn/bn_nist.c */
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Nils Larsch for the OpenSSL project
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include "bn_lcl.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
@@ -330,8 +379,8 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
     PTR_SIZE_INT mask;
     static const BIGNUM _bignum_nist_p_192_sqr = {
         (BN_ULONG *)_nist_p_192_sqr,
-        OSSL_NELEM(_nist_p_192_sqr),
-        OSSL_NELEM(_nist_p_192_sqr),
+        sizeof(_nist_p_192_sqr) / sizeof(_nist_p_192_sqr[0]),
+        sizeof(_nist_p_192_sqr) / sizeof(_nist_p_192_sqr[0]),
         0, BN_FLG_STATIC_DATA
     };
 
@@ -475,8 +524,8 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
     } u;
     static const BIGNUM _bignum_nist_p_224_sqr = {
         (BN_ULONG *)_nist_p_224_sqr,
-        OSSL_NELEM(_nist_p_224_sqr),
-        OSSL_NELEM(_nist_p_224_sqr),
+        sizeof(_nist_p_224_sqr) / sizeof(_nist_p_224_sqr[0]),
+        sizeof(_nist_p_224_sqr) / sizeof(_nist_p_224_sqr[0]),
         0, BN_FLG_STATIC_DATA
     };
 
@@ -596,7 +645,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 #endif
     } else if (carry < 0) {
         /*
-         * it's a bit more complicated logic in this case. if bn_add_words
+         * it's a bit more comlicated logic in this case. if bn_add_words
          * yields no carry, then result has to be adjusted by unconditionally
          * *adding* the modulus. but if it does, then result has to be
          * compared to the modulus and conditionally adjusted by
@@ -656,8 +705,8 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
     } u;
     static const BIGNUM _bignum_nist_p_256_sqr = {
         (BN_ULONG *)_nist_p_256_sqr,
-        OSSL_NELEM(_nist_p_256_sqr),
-        OSSL_NELEM(_nist_p_256_sqr),
+        sizeof(_nist_p_256_sqr) / sizeof(_nist_p_256_sqr[0]),
+        sizeof(_nist_p_256_sqr) / sizeof(_nist_p_256_sqr[0]),
         0, BN_FLG_STATIC_DATA
     };
 
@@ -902,8 +951,8 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
     } u;
     static const BIGNUM _bignum_nist_p_384_sqr = {
         (BN_ULONG *)_nist_p_384_sqr,
-        OSSL_NELEM(_nist_p_384_sqr),
-        OSSL_NELEM(_nist_p_384_sqr),
+        sizeof(_nist_p_384_sqr) / sizeof(_nist_p_384_sqr[0]),
+        sizeof(_nist_p_384_sqr) / sizeof(_nist_p_384_sqr[0]),
         0, BN_FLG_STATIC_DATA
     };
 
@@ -1160,8 +1209,8 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
     PTR_SIZE_INT mask;
     static const BIGNUM _bignum_nist_p_521_sqr = {
         (BN_ULONG *)_nist_p_521_sqr,
-        OSSL_NELEM(_nist_p_521_sqr),
-        OSSL_NELEM(_nist_p_521_sqr),
+        sizeof(_nist_p_521_sqr) / sizeof(_nist_p_521_sqr[0]),
+        sizeof(_nist_p_521_sqr) / sizeof(_nist_p_521_sqr[0]),
         0, BN_FLG_STATIC_DATA
     };
 
@@ -1190,20 +1239,9 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  top - (BN_NIST_521_TOP - 1), BN_NIST_521_TOP);
     /* ... and right shift */
     for (val = t_d[0], i = 0; i < BN_NIST_521_TOP - 1; i++) {
-#if 0
-        /*
-         * MSC ARM compiler [version 2013, presumably even earlier,
-         * much earlier] miscompiles this code, but not one in
-         * #else section. See RT#3541.
-         */
-        tmp = val >> BN_NIST_521_RSHIFT;
-        val = t_d[i + 1];
-        t_d[i] = (tmp | val << BN_NIST_521_LSHIFT) & BN_MASK2;
-#else
         t_d[i] = (val >> BN_NIST_521_RSHIFT |
                   (tmp = t_d[i + 1]) << BN_NIST_521_LSHIFT) & BN_MASK2;
         val = tmp;
-#endif
     }
     t_d[i] = val >> BN_NIST_521_RSHIFT;
     /* lower 521 bits */
@@ -1222,18 +1260,3 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
     return 1;
 }
-
-int (*BN_nist_mod_func(const BIGNUM *p)) (BIGNUM *r, const BIGNUM *a,
-                                          const BIGNUM *field, BN_CTX *ctx) {
-    if (BN_ucmp(&_bignum_nist_p_192, p) == 0)
-        return BN_nist_mod_192;
-    if (BN_ucmp(&_bignum_nist_p_224, p) == 0)
-        return BN_nist_mod_224;
-    if (BN_ucmp(&_bignum_nist_p_256, p) == 0)
-        return BN_nist_mod_256;
-    if (BN_ucmp(&_bignum_nist_p_384, p) == 0)
-        return BN_nist_mod_384;
-    if (BN_ucmp(&_bignum_nist_p_521, p) == 0)
-        return BN_nist_mod_521;
-    return 0;
-}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
index 7103acfe..4dab3bba 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
@@ -1,18 +1,125 @@
-/*
- * WARNING: do not edit!
- * Generated by crypto/bn/bn_prime.pl
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_prime.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
+#include <openssl/rand.h>
+
+/*
+ * NB: these functions have been "upgraded", the deprecated versions (which
+ * are compatibility wrappers using these functions) are in bn_depr.c. -
+ * Geoff
+ */
 
 /*
  * The quick sieve algorithm approach to weeding out primes is Philip
@@ -25,56 +132,11 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                    const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                    BN_MONT_CTX *mont);
 static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods);
-static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
-                                  const BIGNUM *add, const BIGNUM *rem,
-                                  BN_CTX *ctx);
-
-static const int prime_offsets[480] = {
-    13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83,
-    89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163,
-    167, 169, 173, 179, 181, 191, 193, 197, 199, 211, 221, 223, 227, 229,
-    233, 239, 241, 247, 251, 257, 263, 269, 271, 277, 281, 283, 289, 293,
-    299, 307, 311, 313, 317, 323, 331, 337, 347, 349, 353, 359, 361, 367,
-    373, 377, 379, 383, 389, 391, 397, 401, 403, 409, 419, 421, 431, 433,
-    437, 439, 443, 449, 457, 461, 463, 467, 479, 481, 487, 491, 493, 499,
-    503, 509, 521, 523, 527, 529, 533, 541, 547, 551, 557, 559, 563, 569,
-    571, 577, 587, 589, 593, 599, 601, 607, 611, 613, 617, 619, 629, 631,
-    641, 643, 647, 653, 659, 661, 667, 673, 677, 683, 689, 691, 697, 701,
-    703, 709, 713, 719, 727, 731, 733, 739, 743, 751, 757, 761, 767, 769,
-    773, 779, 787, 793, 797, 799, 809, 811, 817, 821, 823, 827, 829, 839,
-    841, 851, 853, 857, 859, 863, 871, 877, 881, 883, 887, 893, 899, 901,
-    907, 911, 919, 923, 929, 937, 941, 943, 947, 949, 953, 961, 967, 971,
-    977, 983, 989, 991, 997, 1003, 1007, 1009, 1013, 1019, 1021, 1027, 1031,
-    1033, 1037, 1039, 1049, 1051, 1061, 1063, 1069, 1073, 1079, 1081, 1087,
-    1091, 1093, 1097, 1103, 1109, 1117, 1121, 1123, 1129, 1139, 1147, 1151,
-    1153, 1157, 1159, 1163, 1171, 1181, 1187, 1189, 1193, 1201, 1207, 1213,
-    1217, 1219, 1223, 1229, 1231, 1237, 1241, 1247, 1249, 1259, 1261, 1271,
-    1273, 1277, 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307, 1313, 1319,
-    1321, 1327, 1333, 1339, 1343, 1349, 1357, 1361, 1363, 1367, 1369, 1373,
-    1381, 1387, 1391, 1399, 1403, 1409, 1411, 1417, 1423, 1427, 1429, 1433,
-    1439, 1447, 1451, 1453, 1457, 1459, 1469, 1471, 1481, 1483, 1487, 1489,
-    1493, 1499, 1501, 1511, 1513, 1517, 1523, 1531, 1537, 1541, 1543, 1549,
-    1553, 1559, 1567, 1571, 1577, 1579, 1583, 1591, 1597, 1601, 1607, 1609,
-    1613, 1619, 1621, 1627, 1633, 1637, 1643, 1649, 1651, 1657, 1663, 1667,
-    1669, 1679, 1681, 1691, 1693, 1697, 1699, 1703, 1709, 1711, 1717, 1721,
-    1723, 1733, 1739, 1741, 1747, 1751, 1753, 1759, 1763, 1769, 1777, 1781,
-    1783, 1787, 1789, 1801, 1807, 1811, 1817, 1819, 1823, 1829, 1831, 1843,
-    1847, 1849, 1853, 1861, 1867, 1871, 1873, 1877, 1879, 1889, 1891, 1901,
-    1907, 1909, 1913, 1919, 1921, 1927, 1931, 1933, 1937, 1943, 1949, 1951,
-    1957, 1961, 1963, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017,
-    2021, 2027, 2029, 2033, 2039, 2041, 2047, 2053, 2059, 2063, 2069, 2071,
-    2077, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2117, 2119, 2129, 2131,
-    2137, 2141, 2143, 2147, 2153, 2159, 2161, 2171, 2173, 2179, 2183, 2197,
-    2201, 2203, 2207, 2209, 2213, 2221, 2227, 2231, 2237, 2239, 2243, 2249,
-    2251, 2257, 2263, 2267, 2269, 2273, 2279, 2281, 2287, 2291, 2293, 2297,
-    2309, 2311
-};
-
-static const int prime_offset_count = 480;
-static const int prime_multiplier = 2310;
-static const int prime_multiplier_bits = 11; /* 2^|prime_multiplier_bits| <=
-                                              * |prime_multiplier| */
-static const int first_prime_index = 5;
+static int probable_prime_dh(BIGNUM *rnd, int bits,
+                             const BIGNUM *add, const BIGNUM *rem,
+                             BN_CTX *ctx);
+static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
+                                  const BIGNUM *rem, BN_CTX *ctx);
 
 int BN_GENCB_call(BN_GENCB *cb, int a, int b)
 {
@@ -108,20 +170,9 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
     prime_t *mods = NULL;
     int checks = BN_prime_checks_for_size(bits);
 
-    if (bits < 2) {
-        /* There are no prime numbers this small. */
-        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
-        return 0;
-    } else if (bits == 2 && safe) {
-        /* The smallest safe prime (7) is three bits. */
-        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
-        return 0;
-    }
-
-    mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES);
+    mods = OPENSSL_malloc(sizeof(*mods) * NUMPRIMES);
     if (mods == NULL)
         goto err;
-
     ctx = BN_CTX_new();
     if (ctx == NULL)
         goto err;
@@ -139,11 +190,11 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
             if (!probable_prime_dh_safe(ret, bits, add, rem, ctx))
                 goto err;
         } else {
-            if (!bn_probable_prime_dh(ret, bits, add, rem, ctx))
+            if (!probable_prime_dh(ret, bits, add, rem, ctx))
                 goto err;
         }
     }
-
+    /* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */
     if (!BN_GENCB_call(cb, 0, c1++))
         /* aborted */
         goto err;
@@ -184,9 +235,10 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
     found = 1;
  err:
     OPENSSL_free(mods);
-    if (ctx != NULL)
+    if (ctx != NULL) {
         BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
+        BN_CTX_free(ctx);
+    }
     bn_check_top(ret);
     return found;
 }
@@ -218,13 +270,9 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
         /* a is even => a is prime if and only if a == 2 */
         return BN_is_word(a, 2);
     if (do_trial_division) {
-        for (i = 1; i < NUMPRIMES; i++) {
-            BN_ULONG mod = BN_mod_word(a, primes[i]);
-            if (mod == (BN_ULONG)-1)
-                goto err;
-            if (mod == 0)
+        for (i = 1; i < NUMPRIMES; i++)
+            if (BN_mod_word(a, primes[i]) == 0)
                 return 0;
-        }
         if (!BN_GENCB_call(cb, 1, -1))
             goto err;
     }
@@ -300,88 +348,12 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
         if (ctx_passed == NULL)
             BN_CTX_free(ctx);
     }
-    BN_MONT_CTX_free(mont);
+    if (mont != NULL)
+        BN_MONT_CTX_free(mont);
 
     return (ret);
 }
 
-int bn_probable_prime_dh_retry(BIGNUM *rnd, int bits, BN_CTX *ctx)
-{
-    int i;
-    int ret = 0;
-
- loop:
-    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
-        goto err;
-
-    /* we now have a random number 'rand' to test. */
-
-    for (i = 1; i < NUMPRIMES; i++) {
-        /* check that rnd is a prime */
-        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
-        if (mod == (BN_ULONG)-1)
-            goto err;
-        if (mod <= 1) {
-            goto loop;
-        }
-    }
-    ret = 1;
-
- err:
-    bn_check_top(rnd);
-    return (ret);
-}
-
-int bn_probable_prime_dh_coprime(BIGNUM *rnd, int bits, BN_CTX *ctx)
-{
-    int i;
-    BIGNUM *offset_index;
-    BIGNUM *offset_count;
-    int ret = 0;
-
-    OPENSSL_assert(bits > prime_multiplier_bits);
-
-    BN_CTX_start(ctx);
-    if ((offset_index = BN_CTX_get(ctx)) == NULL)
-        goto err;
-    if ((offset_count = BN_CTX_get(ctx)) == NULL)
-        goto err;
-
-    if (!BN_add_word(offset_count, prime_offset_count))
-        goto err;
-
- loop:
-    if (!BN_rand(rnd, bits - prime_multiplier_bits,
-                 BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
-        goto err;
-    if (BN_is_bit_set(rnd, bits))
-        goto loop;
-    if (!BN_rand_range(offset_index, offset_count))
-        goto err;
-
-    if (!BN_mul_word(rnd, prime_multiplier)
-        || !BN_add_word(rnd, prime_offsets[BN_get_word(offset_index)]))
-        goto err;
-
-    /* we now have a random number 'rand' to test. */
-
-    /* skip coprimes */
-    for (i = first_prime_index; i < NUMPRIMES; i++) {
-        /* check that rnd is a prime */
-        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
-        if (mod == (BN_ULONG)-1)
-            goto err;
-        if (mod <= 1)
-            goto loop;
-    }
-    ret = 1;
-
- err:
-    BN_CTX_end(ctx);
-    bn_check_top(rnd);
-    return ret;
-}
-
 static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                    const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                    BN_MONT_CTX *mont)
@@ -412,87 +384,37 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
 static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
 {
     int i;
-    BN_ULONG delta;
-    BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
-    char is_single_word = bits <= BN_BITS2;
+    BN_ULONG delta, maxdelta;
 
  again:
-    if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
+    if (!BN_rand(rnd, bits, 1, 1))
         return (0);
-    /* we now have a random number 'rnd' to test. */
-    for (i = 1; i < NUMPRIMES; i++) {
-        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
-        if (mod == (BN_ULONG)-1)
-            return 0;
-        mods[i] = (prime_t) mod;
-    }
-    /*
-     * If bits is so small that it fits into a single word then we
-     * additionally don't want to exceed that many bits.
-     */
-    if (is_single_word) {
-        BN_ULONG size_limit;
-
-        if (bits == BN_BITS2) {
-            /*
-             * Shifting by this much has undefined behaviour so we do it a
-             * different way
-             */
-            size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
-        } else {
-            size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
-        }
-        if (size_limit < maxdelta)
-            maxdelta = size_limit;
-    }
+    /* we now have a random number 'rand' to test. */
+    for (i = 1; i < NUMPRIMES; i++)
+        mods[i] = (prime_t) BN_mod_word(rnd, (BN_ULONG)primes[i]);
+    maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
     delta = 0;
- loop:
-    if (is_single_word) {
-        BN_ULONG rnd_word = BN_get_word(rnd);
-
-        /*-
-         * In the case that the candidate prime is a single word then
-         * we check that:
-         *   1) It's greater than primes[i] because we shouldn't reject
-         *      3 as being a prime number because it's a multiple of
-         *      three.
-         *   2) That it's not a multiple of a known prime. We don't
-         *      check that rnd-1 is also coprime to all the known
-         *      primes because there aren't many small primes where
-         *      that's true.
+ loop:for (i = 1; i < NUMPRIMES; i++) {
+        /*
+         * check that rnd is not a prime and also that gcd(rnd-1,primes) == 1
+         * (except for 2)
          */
-        for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
-            if ((mods[i] + delta) % primes[i] == 0) {
-                delta += 2;
-                if (delta > maxdelta)
-                    goto again;
-                goto loop;
-            }
-        }
-    } else {
-        for (i = 1; i < NUMPRIMES; i++) {
-            /*
-             * check that rnd is not a prime and also that gcd(rnd-1,primes)
-             * == 1 (except for 2)
-             */
-            if (((mods[i] + delta) % primes[i]) <= 1) {
-                delta += 2;
-                if (delta > maxdelta)
-                    goto again;
-                goto loop;
-            }
+        if (((mods[i] + delta) % primes[i]) <= 1) {
+            delta += 2;
+            if (delta > maxdelta)
+                goto again;
+            goto loop;
         }
     }
     if (!BN_add_word(rnd, delta))
         return (0);
-    if (BN_num_bits(rnd) != bits)
-        goto again;
     bn_check_top(rnd);
     return (1);
 }
 
-int bn_probable_prime_dh(BIGNUM *rnd, int bits,
-                         const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx)
+static int probable_prime_dh(BIGNUM *rnd, int bits,
+                             const BIGNUM *add, const BIGNUM *rem,
+                             BN_CTX *ctx)
 {
     int i, ret = 0;
     BIGNUM *t1;
@@ -501,7 +423,7 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits,
     if ((t1 = BN_CTX_get(ctx)) == NULL)
         goto err;
 
-    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+    if (!BN_rand(rnd, bits, 0, 1))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */
@@ -520,20 +442,15 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits,
 
     /* we now have a random number 'rand' to test. */
 
- loop:
-    for (i = 1; i < NUMPRIMES; i++) {
+ loop:for (i = 1; i < NUMPRIMES; i++) {
         /* check that rnd is a prime */
-        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
-        if (mod == (BN_ULONG)-1)
-            goto err;
-        if (mod <= 1) {
+        if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
             if (!BN_add(rnd, rnd, add))
                 goto err;
             goto loop;
         }
     }
     ret = 1;
-
  err:
     BN_CTX_end(ctx);
     bn_check_top(rnd);
@@ -557,7 +474,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
     if (!BN_rshift1(qadd, padd))
         goto err;
 
-    if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+    if (!BN_rand(q, bits, 0, 1))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */
@@ -581,17 +498,13 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
     if (!BN_add_word(p, 1))
         goto err;
 
- loop:
-    for (i = 1; i < NUMPRIMES; i++) {
+ loop:for (i = 1; i < NUMPRIMES; i++) {
         /* check that p and q are prime */
         /*
          * check that for p and q gcd(p-1,primes) == 1 (except for 2)
          */
-        BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
-        BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
-        if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1)
-            goto err;
-        if (pmod == 0 || qmod == 0) {
+        if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) ||
+            (BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) {
             if (!BN_add(p, p, padd))
                 goto err;
             if (!BN_add(q, q, qadd))
@@ -600,7 +513,6 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
         }
     }
     ret = 1;
-
  err:
     BN_CTX_end(ctx);
     bn_check_top(p);
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_prime.h b/Cryptlib/OpenSSL/crypto/bn/bn_prime.h
index 41440fa4..5cf0de16 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_prime.h
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_prime.h
@@ -1,274 +1,326 @@
-/*
- * WARNING: do not edit!
- * Generated by crypto/bn/bn_prime.pl
+/* Auto generated by bn_prime.pl */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-typedef unsigned short prime_t;
+#ifndef EIGHT_BIT
 # define NUMPRIMES 2048
-
-static const prime_t primes[2048] = {
-
-       2,    3,    5,    7,   11,   13,   17,   19, 
-      23,   29,   31,   37,   41,   43,   47,   53, 
-      59,   61,   67,   71,   73,   79,   83,   89, 
-      97,  101,  103,  107,  109,  113,  127,  131, 
-     137,  139,  149,  151,  157,  163,  167,  173, 
-     179,  181,  191,  193,  197,  199,  211,  223, 
-     227,  229,  233,  239,  241,  251,  257,  263, 
-     269,  271,  277,  281,  283,  293,  307,  311, 
-     313,  317,  331,  337,  347,  349,  353,  359, 
-     367,  373,  379,  383,  389,  397,  401,  409, 
-     419,  421,  431,  433,  439,  443,  449,  457, 
-     461,  463,  467,  479,  487,  491,  499,  503, 
-     509,  521,  523,  541,  547,  557,  563,  569, 
-     571,  577,  587,  593,  599,  601,  607,  613, 
-     617,  619,  631,  641,  643,  647,  653,  659, 
-     661,  673,  677,  683,  691,  701,  709,  719, 
-     727,  733,  739,  743,  751,  757,  761,  769, 
-     773,  787,  797,  809,  811,  821,  823,  827, 
-     829,  839,  853,  857,  859,  863,  877,  881, 
-     883,  887,  907,  911,  919,  929,  937,  941, 
-     947,  953,  967,  971,  977,  983,  991,  997, 
-    1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 
-    1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, 
-    1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, 
-    1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, 
-    1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 
-    1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, 
-    1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 
-    1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, 
-    1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 
-    1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, 
-    1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, 
-    1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693, 
-    1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 
-    1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, 
-    1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 
-    1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 
-    1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 
-    2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069, 
-    2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 
-    2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 
-    2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, 
-    2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, 
-    2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, 
-    2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, 
-    2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 
-    2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579, 
-    2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 
-    2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, 
-    2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, 
-    2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, 
-    2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 
-    2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939, 
-    2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, 
-    3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, 
-    3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 
-    3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221, 
-    3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, 
-    3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, 
-    3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, 
-    3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, 
-    3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, 
-    3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, 
-    3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, 
-    3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, 
-    3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, 
-    3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, 
-    3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, 
-    3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003, 
-    4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 
-    4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, 
-    4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, 
-    4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, 
-    4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 
-    4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, 
-    4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 
-    4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547, 
-    4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 
-    4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, 
-    4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, 
-    4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, 
-    4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, 
-    4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967, 
-    4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, 
-    5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 
-    5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, 
-    5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233, 
-    5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, 
-    5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, 
-    5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, 
-    5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, 
-    5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 
-    5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653, 
-    5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, 
-    5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, 
-    5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 
-    5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, 
-    5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, 
-    6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073, 
-    6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 
-    6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, 
-    6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, 
-    6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, 
-    6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, 
-    6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, 
-    6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 
-    6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, 
-    6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, 
-    6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, 
-    6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, 
-    6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, 
-    6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, 
-    6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027, 
-    7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 
-    7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, 
-    7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, 
-    7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349, 
-    7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 
-    7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517, 
-    7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, 
-    7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, 
-    7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 
-    7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757, 
-    7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, 
-    7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, 
-    7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, 
-    8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, 
-    8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, 
-    8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, 
-    8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, 
-    8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, 
-    8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, 
-    8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, 
-    8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, 
-    8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, 
-    8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 
-    8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803, 
-    8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, 
-    8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941, 
-    8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 
-    9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, 
-    9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, 
-    9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227, 
-    9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 
-    9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, 
-    9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, 
-    9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, 
-    9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, 
-    9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649, 
-    9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, 
-    9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, 
-    9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, 
-    9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929, 
-    9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, 
-    10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, 
-    10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, 
-    10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247, 
-    10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 
-    10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369, 
-    10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, 
-    10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, 
-    10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 
-    10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691, 
-    10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, 
-    10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, 
-    10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 
-    10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003, 
-    11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, 
-    11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, 
-    11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, 
-    11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, 
-    11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, 
-    11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, 
-    11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, 
-    11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, 
-    11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, 
-    11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, 
-    11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, 
-    11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941, 
-    11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 
-    12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, 
-    12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, 
-    12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251, 
-    12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 
-    12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, 
-    12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, 
-    12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527, 
-    12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 
-    12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653, 
-    12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, 
-    12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, 
-    12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, 
-    12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967, 
-    12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, 
-    13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, 
-    13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, 
-    13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259, 
-    13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, 
-    13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, 
-    13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, 
-    13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, 
-    13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 
-    13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723, 
-    13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, 
-    13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, 
-    13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 
-    13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033, 
-    14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, 
-    14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221, 
-    14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 
-    14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, 
-    14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, 
-    14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, 
-    14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, 
-    14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, 
-    14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, 
-    14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, 
-    14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, 
-    14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957, 
-    14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, 
-    15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, 
-    15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, 
-    15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277, 
-    15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 
-    15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, 
-    15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, 
-    15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569, 
-    15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 
-    15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727, 
-    15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, 
-    15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, 
-    15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 
-    15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007, 
-    16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, 
-    16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, 
-    16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, 
-    16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349, 
-    16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, 
-    16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, 
-    16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, 
-    16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, 
-    16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, 
-    16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, 
-    16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, 
-    16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, 
-    17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 
-    17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159, 
-    17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, 
-    17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327, 
-    17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 
-    17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, 
-    17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, 
-    17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599, 
-    17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 
-    17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, 
-    17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 
+typedef unsigned short prime_t;
+#else
+# define NUMPRIMES 54
+typedef unsigned char prime_t;
+#endif
+static const prime_t primes[NUMPRIMES] = {
+    2, 3, 5, 7, 11, 13, 17, 19,
+    23, 29, 31, 37, 41, 43, 47, 53,
+    59, 61, 67, 71, 73, 79, 83, 89,
+    97, 101, 103, 107, 109, 113, 127, 131,
+    137, 139, 149, 151, 157, 163, 167, 173,
+    179, 181, 191, 193, 197, 199, 211, 223,
+    227, 229, 233, 239, 241, 251,
+#ifndef EIGHT_BIT
+    257, 263,
+    269, 271, 277, 281, 283, 293, 307, 311,
+    313, 317, 331, 337, 347, 349, 353, 359,
+    367, 373, 379, 383, 389, 397, 401, 409,
+    419, 421, 431, 433, 439, 443, 449, 457,
+    461, 463, 467, 479, 487, 491, 499, 503,
+    509, 521, 523, 541, 547, 557, 563, 569,
+    571, 577, 587, 593, 599, 601, 607, 613,
+    617, 619, 631, 641, 643, 647, 653, 659,
+    661, 673, 677, 683, 691, 701, 709, 719,
+    727, 733, 739, 743, 751, 757, 761, 769,
+    773, 787, 797, 809, 811, 821, 823, 827,
+    829, 839, 853, 857, 859, 863, 877, 881,
+    883, 887, 907, 911, 919, 929, 937, 941,
+    947, 953, 967, 971, 977, 983, 991, 997,
+    1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
+    1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097,
+    1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163,
+    1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223,
+    1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283,
+    1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321,
+    1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423,
+    1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459,
+    1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511,
+    1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571,
+    1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619,
+    1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
+    1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747,
+    1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811,
+    1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877,
+    1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949,
+    1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003,
+    2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069,
+    2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129,
+    2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203,
+    2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267,
+    2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311,
+    2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377,
+    2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423,
+    2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503,
+    2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579,
+    2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657,
+    2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693,
+    2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741,
+    2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801,
+    2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861,
+    2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939,
+    2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011,
+    3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
+    3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167,
+    3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221,
+    3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301,
+    3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347,
+    3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413,
+    3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491,
+    3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541,
+    3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607,
+    3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671,
+    3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727,
+    3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
+    3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863,
+    3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923,
+    3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003,
+    4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057,
+    4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129,
+    4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211,
+    4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259,
+    4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337,
+    4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409,
+    4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481,
+    4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547,
+    4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621,
+    4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673,
+    4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751,
+    4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813,
+    4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909,
+    4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967,
+    4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011,
+    5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087,
+    5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167,
+    5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233,
+    5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309,
+    5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399,
+    5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443,
+    5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507,
+    5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573,
+    5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653,
+    5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711,
+    5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791,
+    5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849,
+    5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897,
+    5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007,
+    6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
+    6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133,
+    6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211,
+    6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271,
+    6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329,
+    6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379,
+    6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473,
+    6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563,
+    6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637,
+    6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701,
+    6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779,
+    6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
+    6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907,
+    6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971,
+    6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027,
+    7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121,
+    7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207,
+    7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253,
+    7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349,
+    7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457,
+    7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517,
+    7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561,
+    7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621,
+    7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691,
+    7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757,
+    7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853,
+    7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919,
+    7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009,
+    8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087,
+    8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161,
+    8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231,
+    8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291,
+    8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369,
+    8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443,
+    8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537,
+    8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609,
+    8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677,
+    8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731,
+    8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803,
+    8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861,
+    8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941,
+    8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011,
+    9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091,
+    9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161,
+    9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227,
+    9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311,
+    9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377,
+    9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433,
+    9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491,
+    9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587,
+    9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649,
+    9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733,
+    9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791,
+    9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857,
+    9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929,
+    9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037,
+    10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099,
+    10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163,
+    10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247,
+    10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303,
+    10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369,
+    10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459,
+    10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531,
+    10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627,
+    10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691,
+    10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771,
+    10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
+    10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937,
+    10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003,
+    11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087,
+    11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161,
+    11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251,
+    11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317,
+    11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399,
+    11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483,
+    11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551,
+    11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657,
+    11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731,
+    11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813,
+    11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887,
+    11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941,
+    11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011,
+    12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101,
+    12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161,
+    12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251,
+    12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323,
+    12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401,
+    12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473,
+    12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527,
+    12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589,
+    12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653,
+    12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739,
+    12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821,
+    12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907,
+    12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967,
+    12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033,
+    13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109,
+    13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177,
+    13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259,
+    13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337,
+    13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421,
+    13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499,
+    13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597,
+    13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681,
+    13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723,
+    13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799,
+    13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879,
+    13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933,
+    13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033,
+    14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143,
+    14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221,
+    14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323,
+    14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407,
+    14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461,
+    14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549,
+    14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627,
+    14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699,
+    14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753,
+    14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821,
+    14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887,
+    14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957,
+    14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
+    15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137,
+    15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217,
+    15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277,
+    15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331,
+    15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401,
+    15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473,
+    15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569,
+    15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643,
+    15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727,
+    15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773,
+    15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859,
+    15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919,
+    15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007,
+    16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087,
+    16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183,
+    16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249,
+    16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349,
+    16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427,
+    16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493,
+    16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603,
+    16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661,
+    16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747,
+    16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843,
+    16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927,
+    16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993,
+    17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053,
+    17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159,
+    17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231,
+    17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327,
+    17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389,
+    17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467,
+    17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519,
+    17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599,
+    17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683,
+    17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783,
+    17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863,
+#endif
 };
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_print.c b/Cryptlib/OpenSSL/crypto/bn/bn_print.c
index a16bde86..f121fb6e 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_print.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_print.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_print.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <ctype.h>
 #include <limits.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include "bn_lcl.h"
 
@@ -64,8 +113,8 @@ char *BN_bn2dec(const BIGNUM *a)
     /*-
      * get an upper bound for the length of the decimal integer
      * num <= (BN_num_bits(a) + 1) * log(2)
-     *     <= 3 * BN_num_bits(a) * 0.101 + log(2) + 1     (rounding error)
-     *     <= 3 * BN_num_bits(a) / 10 + 3 * BN_num_bits / 1000 + 1 + 1
+     *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error)
+     *     <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1
      */
     i = BN_num_bits(a) * 3;
     num = (i / 10 + i / 1000 + 1) + 1;
@@ -115,12 +164,16 @@ char *BN_bn2dec(const BIGNUM *a)
     }
     ok = 1;
  err:
-    OPENSSL_free(bn_data);
-    BN_free(t);
-    if (ok)
-        return buf;
-    OPENSSL_free(buf);
-    return NULL;
+    if (bn_data != NULL)
+        OPENSSL_free(bn_data);
+    if (t != NULL)
+        BN_free(t);
+    if (!ok && buf) {
+        OPENSSL_free(buf);
+        buf = NULL;
+    }
+
+    return (buf);
 }
 
 int BN_hex2bn(BIGNUM **bn, const char *a)
@@ -141,7 +194,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
     for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++)
         continue;
 
-    if (i == 0 || i > INT_MAX/4)
+    if (i > INT_MAX/4)
         goto err;
 
     num = i + neg;
@@ -169,8 +222,13 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
         l = 0;
         for (;;) {
             c = a[j - m];
-            k = OPENSSL_hexchar2int(c);
-            if (k < 0)
+            if ((c >= '0') && (c <= '9'))
+                k = c - '0';
+            else if ((c >= 'a') && (c <= 'f'))
+                k = c - 'a' + 10;
+            else if ((c >= 'A') && (c <= 'F'))
+                k = c - 'A' + 10;
+            else
                 k = 0;          /* paranoia */
             l = (l << 4) | k;
 
@@ -213,7 +271,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
     for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++)
         continue;
 
-    if (i == 0 || i > INT_MAX/4)
+    if (i > INT_MAX/4)
         goto err;
 
     num = i + neg;
@@ -245,9 +303,8 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
         l += *a - '0';
         a++;
         if (++j == BN_DEC_NUM) {
-            if (!BN_mul_word(ret, BN_DEC_CONV)
-                || !BN_add_word(ret, l))
-                goto err;
+            BN_mul_word(ret, BN_DEC_CONV);
+            BN_add_word(ret, l);
             l = 0;
             j = 0;
         }
@@ -286,7 +343,8 @@ int BN_asc2bn(BIGNUM **bn, const char *a)
     return 1;
 }
 
-# ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_BIO
+# ifndef OPENSSL_NO_FP_API
 int BN_print_fp(FILE *fp, const BIGNUM *a)
 {
     BIO *b;
@@ -325,6 +383,7 @@ int BN_print(BIO *bp, const BIGNUM *a)
  end:
     return (ret);
 }
+#endif
 
 char *BN_options(void)
 {
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_rand.c b/Cryptlib/OpenSSL/crypto/bn/bn_rand.c
index 9ce4c5f6..60d3f226 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_rand.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_rand.c
@@ -1,18 +1,119 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 #include <openssl/rand.h>
-#include <openssl/sha.h>
 
 static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 {
@@ -21,7 +122,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
     time_t tim;
 
     if (bits == 0) {
-        if (top != BN_RAND_TOP_ANY || bottom != BN_RAND_BOTTOM_ANY)
+        if (top != -1 || bottom != 0)
             goto toosmall;
         BN_zero(rnd);
         return 1;
@@ -33,7 +134,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
     bit = (bits - 1) % 8;
     mask = 0xff << (bit + 1);
 
-    buf = OPENSSL_malloc(bytes);
+    buf = (unsigned char *)OPENSSL_malloc(bytes);
     if (buf == NULL) {
         BNerr(BN_F_BNRAND, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -43,9 +144,11 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
     time(&tim);
     RAND_add(&tim, sizeof(tim), 0.0);
 
+    /* We ignore the value of pseudorand and always call RAND_bytes */
     if (RAND_bytes(buf, bytes) <= 0)
         goto err;
 
+#if 1
     if (pseudorand == 2) {
         /*
          * generate patterns that are more likely to trigger BN library bugs
@@ -54,7 +157,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
         unsigned char c;
 
         for (i = 0; i < bytes; i++) {
-            if (RAND_bytes(&c, 1) <= 0)
+            if (RAND_pseudo_bytes(&c, 1) < 0)
                 goto err;
             if (c >= 128 && i > 0)
                 buf[i] = buf[i - 1];
@@ -64,6 +167,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
                 buf[i] = 255;
         }
     }
+#endif
 
     if (top >= 0) {
         if (top) {
@@ -84,7 +188,10 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
         goto err;
     ret = 1;
  err:
-    OPENSSL_clear_free(buf, bytes);
+    if (buf != NULL) {
+        OPENSSL_cleanse(buf, bytes);
+        OPENSSL_free(buf);
+    }
     bn_check_top(rnd);
     return (ret);
 
@@ -103,10 +210,12 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
     return bnrand(1, rnd, bits, top, bottom);
 }
 
+#if 1
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
     return bnrand(2, rnd, bits, top, bottom);
 }
+#endif
 
 /* random number r:  0 <= r < range */
 static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range)
@@ -133,7 +242,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range)
          * than range
          */
         do {
-            if (!bn_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
+            if (!bn_rand(r, n + 1, -1, 0))
                 return 0;
             /*
              * If r < 3*range, use r := r MOD range (which is either r, r -
@@ -159,7 +268,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range)
     } else {
         do {
             /* range = 11..._2  or  range = 101..._2 */
-            if (!bn_rand(r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
+            if (!bn_rand(r, n, -1, 0))
                 return 0;
 
             if (!--count) {
@@ -183,76 +292,3 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
 {
     return bn_rand_range(1, r, range);
 }
-
-/*
- * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
- * BN_rand_range, it also includes the contents of |priv| and |message| in
- * the generation so that an RNG failure isn't fatal as long as |priv|
- * remains secret. This is intended for use in DSA and ECDSA where an RNG
- * weakness leads directly to private key exposure unless this function is
- * used.
- */
-int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
-                          const BIGNUM *priv, const unsigned char *message,
-                          size_t message_len, BN_CTX *ctx)
-{
-    SHA512_CTX sha;
-    /*
-     * We use 512 bits of random data per iteration to ensure that we have at
-     * least |range| bits of randomness.
-     */
-    unsigned char random_bytes[64];
-    unsigned char digest[SHA512_DIGEST_LENGTH];
-    unsigned done, todo;
-    /* We generate |range|+8 bytes of random output. */
-    const unsigned num_k_bytes = BN_num_bytes(range) + 8;
-    unsigned char private_bytes[96];
-    unsigned char *k_bytes;
-    int ret = 0;
-
-    k_bytes = OPENSSL_malloc(num_k_bytes);
-    if (k_bytes == NULL)
-        goto err;
-
-    /* We copy |priv| into a local buffer to avoid exposing its length. */
-    todo = sizeof(priv->d[0]) * priv->top;
-    if (todo > sizeof(private_bytes)) {
-        /*
-         * No reasonable DSA or ECDSA key should have a private key this
-         * large and we don't handle this case in order to avoid leaking the
-         * length of the private key.
-         */
-        BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
-        goto err;
-    }
-    memcpy(private_bytes, priv->d, todo);
-    memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
-
-    for (done = 0; done < num_k_bytes;) {
-        if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1)
-            goto err;
-        SHA512_Init(&sha);
-        SHA512_Update(&sha, &done, sizeof(done));
-        SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
-        SHA512_Update(&sha, message, message_len);
-        SHA512_Update(&sha, random_bytes, sizeof(random_bytes));
-        SHA512_Final(digest, &sha);
-
-        todo = num_k_bytes - done;
-        if (todo > SHA512_DIGEST_LENGTH)
-            todo = SHA512_DIGEST_LENGTH;
-        memcpy(k_bytes + done, digest, todo);
-        done += todo;
-    }
-
-    if (!BN_bin2bn(k_bytes, num_k_bytes, out))
-        goto err;
-    if (BN_mod(out, out, range, ctx) != 1)
-        goto err;
-    ret = 1;
-
- err:
-    OPENSSL_free(k_bytes);
-    OPENSSL_cleanse(private_bytes, sizeof(private_bytes));
-    return ret;
-}
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_recp.c b/Cryptlib/OpenSSL/crypto/bn/bn_recp.c
index 20585b9d..f047040e 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_recp.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_recp.c
@@ -1,31 +1,82 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_recp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 void BN_RECP_CTX_init(BN_RECP_CTX *recp)
 {
-    memset(recp, 0, sizeof(*recp));
-    bn_init(&(recp->N));
-    bn_init(&(recp->Nr));
+    BN_init(&(recp->N));
+    BN_init(&(recp->Nr));
+    recp->num_bits = 0;
+    recp->shift = 0;
+    recp->flags = 0;
 }
 
 BN_RECP_CTX *BN_RECP_CTX_new(void)
 {
     BN_RECP_CTX *ret;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
+    if ((ret = (BN_RECP_CTX *)OPENSSL_malloc(sizeof(BN_RECP_CTX))) == NULL)
         return (NULL);
 
-    bn_init(&(ret->N));
-    bn_init(&(ret->Nr));
+    BN_RECP_CTX_init(ret);
     ret->flags = BN_FLG_MALLOCED;
     return (ret);
 }
@@ -148,6 +199,7 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
         goto err;
     r->neg = 0;
 
+#if 1
     j = 0;
     while (BN_ucmp(r, &(recp->N)) >= 0) {
         if (j++ > 2) {
@@ -159,6 +211,7 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
         if (!BN_add_word(d, 1))
             goto err;
     }
+#endif
 
     r->neg = BN_is_zero(r) ? 0 : m->neg;
     d->neg = m->neg ^ recp->N.neg;
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_shift.c b/Cryptlib/OpenSSL/crypto/bn/bn_shift.c
index 6a1eec80..9673d9a3 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_shift.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_shift.c
@@ -1,13 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_shift.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 int BN_lshift1(BIGNUM *r, const BIGNUM *a)
@@ -74,8 +124,6 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
         c = (t & 1) ? BN_TBIT : 0;
     }
     r->top = j;
-    if (!r->top)
-        r->neg = 0; /* don't allow negative zero */
     bn_check_top(r);
     return (1);
 }
@@ -94,10 +142,10 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
         return 0;
     }
 
+    r->neg = a->neg;
     nw = n / BN_BITS2;
     if (bn_wexpand(r, a->top + nw + 1) == NULL)
         return (0);
-    r->neg = a->neg;
     lb = n % BN_BITS2;
     rb = BN_BITS2 - lb;
     f = a->d;
@@ -112,7 +160,10 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
             t[nw + i + 1] |= (l >> rb) & BN_MASK2;
             t[nw + i] = (l << lb) & BN_MASK2;
         }
-    memset(t, 0, sizeof(*t) * nw);
+    memset(t, 0, nw * sizeof(t[0]));
+    /*
+     * for (i=0; i<nw; i++) t[i]=0;
+     */
     r->top = a->top + nw + 1;
     bn_correct_top(r);
     bn_check_top(r);
@@ -142,9 +193,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
     }
     i = (BN_num_bits(a) - n + (BN_BITS2 - 1)) / BN_BITS2;
     if (r != a) {
+        r->neg = a->neg;
         if (bn_wexpand(r, i) == NULL)
             return (0);
-        r->neg = a->neg;
     } else {
         if (n == 0)
             return 1;           /* or the copying loop will go berserk */
@@ -168,8 +219,6 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
         if ((l = (l >> rb) & BN_MASK2))
             *(t) = l;
     }
-    if (!r->top)
-        r->neg = 0; /* don't allow negative zero */
     bn_check_top(r);
     return (1);
 }
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c b/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c
index 44e7332a..256d26e8 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_sqr.c
@@ -1,13 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_sqr.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 /* r must not be a */
@@ -20,6 +70,9 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
     int ret = 0;
     BIGNUM *tmp, *rr;
 
+#ifdef BN_COUNT
+    fprintf(stderr, "BN_sqr %d * %d\n", a->top, a->top);
+#endif
     bn_check_top(a);
 
     al = a->top;
@@ -155,6 +208,9 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
     int zero, c1;
     BN_ULONG ln, lo, *p;
 
+# ifdef BN_COUNT
+    fprintf(stderr, " bn_sqr_recursive %d * %d\n", n2, n2);
+# endif
     if (n2 == 4) {
 # ifndef BN_SQR_COMBA
         bn_sqr_normal(r, a, 4, t);
@@ -190,7 +246,7 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
     if (!zero)
         bn_sqr_recursive(&(t[n2]), t, n, p);
     else
-        memset(&t[n2], 0, sizeof(*t) * n2);
+        memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
     bn_sqr_recursive(r, a, n, p);
     bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
 
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c b/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c
index 84376c78..232af99a 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_sqrt.c
@@ -1,13 +1,63 @@
+/* crypto/bn/bn_sqrt.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> and Bodo
+ * Moeller for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
@@ -348,8 +398,9 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
  end:
     if (err) {
-        if (ret != in)
+        if (ret != NULL && ret != in) {
             BN_clear_free(ret);
+        }
         ret = NULL;
     }
     BN_CTX_end(ctx);
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_srp.c b/Cryptlib/OpenSSL/crypto/bn/bn_srp.c
deleted file mode 100644
index 58b1691e..00000000
--- a/Cryptlib/OpenSSL/crypto/bn/bn_srp.c
+++ /dev/null
@@ -1,545 +0,0 @@
-/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "bn_lcl.h"
-#include "e_os.h"
-
-#ifndef OPENSSL_NO_SRP
-
-#include <openssl/srp.h>
-#include <internal/bn_srp.h>
-
-# if (BN_BYTES == 8)
-#  if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
-#   define bn_pack4(a1,a2,a3,a4) ((a1##UI64<<48)|(a2##UI64<<32)|(a3##UI64<<16)|a4##UI64)
-#  elif defined(__arch64__)
-#   define bn_pack4(a1,a2,a3,a4) ((a1##UL<<48)|(a2##UL<<32)|(a3##UL<<16)|a4##UL)
-#  else
-#   define bn_pack4(a1,a2,a3,a4) ((a1##ULL<<48)|(a2##ULL<<32)|(a3##ULL<<16)|a4##ULL)
-#  endif
-# elif (BN_BYTES == 4)
-#  define bn_pack4(a1,a2,a3,a4)  ((a3##UL<<16)|a4##UL), ((a1##UL<<16)|a2##UL)
-# else
-#  error "unsupported BN_BYTES"
-# endif
-
-static const BN_ULONG bn_group_1024_value[] = {
-    bn_pack4(0x9FC6, 0x1D2F, 0xC0EB, 0x06E3),
-    bn_pack4(0xFD51, 0x38FE, 0x8376, 0x435B),
-    bn_pack4(0x2FD4, 0xCBF4, 0x976E, 0xAA9A),
-    bn_pack4(0x68ED, 0xBC3C, 0x0572, 0x6CC0),
-    bn_pack4(0xC529, 0xF566, 0x660E, 0x57EC),
-    bn_pack4(0x8255, 0x9B29, 0x7BCF, 0x1885),
-    bn_pack4(0xCE8E, 0xF4AD, 0x69B1, 0x5D49),
-    bn_pack4(0x5DC7, 0xD7B4, 0x6154, 0xD6B6),
-    bn_pack4(0x8E49, 0x5C1D, 0x6089, 0xDAD1),
-    bn_pack4(0xE0D5, 0xD8E2, 0x50B9, 0x8BE4),
-    bn_pack4(0x383B, 0x4813, 0xD692, 0xC6E0),
-    bn_pack4(0xD674, 0xDF74, 0x96EA, 0x81D3),
-    bn_pack4(0x9EA2, 0x314C, 0x9C25, 0x6576),
-    bn_pack4(0x6072, 0x6187, 0x75FF, 0x3C0B),
-    bn_pack4(0x9C33, 0xF80A, 0xFA8F, 0xC5E8),
-    bn_pack4(0xEEAF, 0x0AB9, 0xADB3, 0x8DD6)
-};
-
-const BIGNUM bn_group_1024 = {
-    (BN_ULONG *)bn_group_1024_value,
-    OSSL_NELEM(bn_group_1024_value),
-    OSSL_NELEM(bn_group_1024_value),
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-static const BN_ULONG bn_group_1536_value[] = {
-    bn_pack4(0xCF76, 0xE3FE, 0xD135, 0xF9BB),
-    bn_pack4(0x1518, 0x0F93, 0x499A, 0x234D),
-    bn_pack4(0x8CE7, 0xA28C, 0x2442, 0xC6F3),
-    bn_pack4(0x5A02, 0x1FFF, 0x5E91, 0x479E),
-    bn_pack4(0x7F8A, 0x2FE9, 0xB8B5, 0x292E),
-    bn_pack4(0x837C, 0x264A, 0xE3A9, 0xBEB8),
-    bn_pack4(0xE442, 0x734A, 0xF7CC, 0xB7AE),
-    bn_pack4(0x6577, 0x2E43, 0x7D6C, 0x7F8C),
-    bn_pack4(0xDB2F, 0xD53D, 0x24B7, 0xC486),
-    bn_pack4(0x6EDF, 0x0195, 0x3934, 0x9627),
-    bn_pack4(0x158B, 0xFD3E, 0x2B9C, 0x8CF5),
-    bn_pack4(0x764E, 0x3F4B, 0x53DD, 0x9DA1),
-    bn_pack4(0x4754, 0x8381, 0xDBC5, 0xB1FC),
-    bn_pack4(0x9B60, 0x9E0B, 0xE3BA, 0xB63D),
-    bn_pack4(0x8134, 0xB1C8, 0xB979, 0x8914),
-    bn_pack4(0xDF02, 0x8A7C, 0xEC67, 0xF0D0),
-    bn_pack4(0x80B6, 0x55BB, 0x9A22, 0xE8DC),
-    bn_pack4(0x1558, 0x903B, 0xA0D0, 0xF843),
-    bn_pack4(0x51C6, 0xA94B, 0xE460, 0x7A29),
-    bn_pack4(0x5F4F, 0x5F55, 0x6E27, 0xCBDE),
-    bn_pack4(0xBEEE, 0xA961, 0x4B19, 0xCC4D),
-    bn_pack4(0xDBA5, 0x1DF4, 0x99AC, 0x4C80),
-    bn_pack4(0xB1F1, 0x2A86, 0x17A4, 0x7BBB),
-    bn_pack4(0x9DEF, 0x3CAF, 0xB939, 0x277A)
-};
-
-const BIGNUM bn_group_1536 = {
-    (BN_ULONG *)bn_group_1536_value,
-    OSSL_NELEM(bn_group_1536_value),
-    OSSL_NELEM(bn_group_1536_value),
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-static const BN_ULONG bn_group_2048_value[] = {
-    bn_pack4(0x0FA7, 0x111F, 0x9E4A, 0xFF73),
-    bn_pack4(0x9B65, 0xE372, 0xFCD6, 0x8EF2),
-    bn_pack4(0x35DE, 0x236D, 0x525F, 0x5475),
-    bn_pack4(0x94B5, 0xC803, 0xD89F, 0x7AE4),
-    bn_pack4(0x71AE, 0x35F8, 0xE9DB, 0xFBB6),
-    bn_pack4(0x2A56, 0x98F3, 0xA8D0, 0xC382),
-    bn_pack4(0x9CCC, 0x041C, 0x7BC3, 0x08D8),
-    bn_pack4(0xAF87, 0x4E73, 0x03CE, 0x5329),
-    bn_pack4(0x6160, 0x2790, 0x04E5, 0x7AE6),
-    bn_pack4(0x032C, 0xFBDB, 0xF52F, 0xB378),
-    bn_pack4(0x5EA7, 0x7A27, 0x75D2, 0xECFA),
-    bn_pack4(0x5445, 0x23B5, 0x24B0, 0xD57D),
-    bn_pack4(0x5B9D, 0x32E6, 0x88F8, 0x7748),
-    bn_pack4(0xF1D2, 0xB907, 0x8717, 0x461A),
-    bn_pack4(0x76BD, 0x207A, 0x436C, 0x6481),
-    bn_pack4(0xCA97, 0xB43A, 0x23FB, 0x8016),
-    bn_pack4(0x1D28, 0x1E44, 0x6B14, 0x773B),
-    bn_pack4(0x7359, 0xD041, 0xD5C3, 0x3EA7),
-    bn_pack4(0xA80D, 0x740A, 0xDBF4, 0xFF74),
-    bn_pack4(0x55F9, 0x7993, 0xEC97, 0x5EEA),
-    bn_pack4(0x2918, 0xA996, 0x2F0B, 0x93B8),
-    bn_pack4(0x661A, 0x05FB, 0xD5FA, 0xAAE8),
-    bn_pack4(0xCF60, 0x9517, 0x9A16, 0x3AB3),
-    bn_pack4(0xE808, 0x3969, 0xEDB7, 0x67B0),
-    bn_pack4(0xCD7F, 0x48A9, 0xDA04, 0xFD50),
-    bn_pack4(0xD523, 0x12AB, 0x4B03, 0x310D),
-    bn_pack4(0x8193, 0xE075, 0x7767, 0xA13D),
-    bn_pack4(0xA373, 0x29CB, 0xB4A0, 0x99ED),
-    bn_pack4(0xFC31, 0x9294, 0x3DB5, 0x6050),
-    bn_pack4(0xAF72, 0xB665, 0x1987, 0xEE07),
-    bn_pack4(0xF166, 0xDE5E, 0x1389, 0x582F),
-    bn_pack4(0xAC6B, 0xDB41, 0x324A, 0x9A9B)
-};
-
-const BIGNUM bn_group_2048 = {
-    (BN_ULONG *)bn_group_2048_value,
-    OSSL_NELEM(bn_group_2048_value),
-    OSSL_NELEM(bn_group_2048_value),
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-static const BN_ULONG bn_group_3072_value[] = {
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF),
-    bn_pack4(0x4B82, 0xD120, 0xA93A, 0xD2CA),
-    bn_pack4(0x43DB, 0x5BFC, 0xE0FD, 0x108E),
-    bn_pack4(0x08E2, 0x4FA0, 0x74E5, 0xAB31),
-    bn_pack4(0x7709, 0x88C0, 0xBAD9, 0x46E2),
-    bn_pack4(0xBBE1, 0x1757, 0x7A61, 0x5D6C),
-    bn_pack4(0x521F, 0x2B18, 0x177B, 0x200C),
-    bn_pack4(0xD876, 0x0273, 0x3EC8, 0x6A64),
-    bn_pack4(0xF12F, 0xFA06, 0xD98A, 0x0864),
-    bn_pack4(0xCEE3, 0xD226, 0x1AD2, 0xEE6B),
-    bn_pack4(0x1E8C, 0x94E0, 0x4A25, 0x619D),
-    bn_pack4(0xABF5, 0xAE8C, 0xDB09, 0x33D7),
-    bn_pack4(0xB397, 0x0F85, 0xA6E1, 0xE4C7),
-    bn_pack4(0x8AEA, 0x7157, 0x5D06, 0x0C7D),
-    bn_pack4(0xECFB, 0x8504, 0x58DB, 0xEF0A),
-    bn_pack4(0xA855, 0x21AB, 0xDF1C, 0xBA64),
-    bn_pack4(0xAD33, 0x170D, 0x0450, 0x7A33),
-    bn_pack4(0x1572, 0x8E5A, 0x8AAA, 0xC42D),
-    bn_pack4(0x15D2, 0x2618, 0x98FA, 0x0510),
-    bn_pack4(0x3995, 0x497C, 0xEA95, 0x6AE5),
-    bn_pack4(0xDE2B, 0xCBF6, 0x9558, 0x1718),
-    bn_pack4(0xB5C5, 0x5DF0, 0x6F4C, 0x52C9),
-    bn_pack4(0x9B27, 0x83A2, 0xEC07, 0xA28F),
-    bn_pack4(0xE39E, 0x772C, 0x180E, 0x8603),
-    bn_pack4(0x3290, 0x5E46, 0x2E36, 0xCE3B),
-    bn_pack4(0xF174, 0x6C08, 0xCA18, 0x217C),
-    bn_pack4(0x670C, 0x354E, 0x4ABC, 0x9804),
-    bn_pack4(0x9ED5, 0x2907, 0x7096, 0x966D),
-    bn_pack4(0x1C62, 0xF356, 0x2085, 0x52BB),
-    bn_pack4(0x8365, 0x5D23, 0xDCA3, 0xAD96),
-    bn_pack4(0x6916, 0x3FA8, 0xFD24, 0xCF5F),
-    bn_pack4(0x98DA, 0x4836, 0x1C55, 0xD39A),
-    bn_pack4(0xC200, 0x7CB8, 0xA163, 0xBF05),
-    bn_pack4(0x4928, 0x6651, 0xECE4, 0x5B3D),
-    bn_pack4(0xAE9F, 0x2411, 0x7C4B, 0x1FE6),
-    bn_pack4(0xEE38, 0x6BFB, 0x5A89, 0x9FA5),
-    bn_pack4(0x0BFF, 0x5CB6, 0xF406, 0xB7ED),
-    bn_pack4(0xF44C, 0x42E9, 0xA637, 0xED6B),
-    bn_pack4(0xE485, 0xB576, 0x625E, 0x7EC6),
-    bn_pack4(0x4FE1, 0x356D, 0x6D51, 0xC245),
-    bn_pack4(0x302B, 0x0A6D, 0xF25F, 0x1437),
-    bn_pack4(0xEF95, 0x19B3, 0xCD3A, 0x431B),
-    bn_pack4(0x514A, 0x0879, 0x8E34, 0x04DD),
-    bn_pack4(0x020B, 0xBEA6, 0x3B13, 0x9B22),
-    bn_pack4(0x2902, 0x4E08, 0x8A67, 0xCC74),
-    bn_pack4(0xC4C6, 0x628B, 0x80DC, 0x1CD1),
-    bn_pack4(0xC90F, 0xDAA2, 0x2168, 0xC234),
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF)
-};
-
-const BIGNUM bn_group_3072 = {
-    (BN_ULONG *)bn_group_3072_value,
-    OSSL_NELEM(bn_group_3072_value),
-    OSSL_NELEM(bn_group_3072_value),
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-static const BN_ULONG bn_group_4096_value[] = {
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF),
-    bn_pack4(0x4DF4, 0x35C9, 0x3406, 0x3199),
-    bn_pack4(0x86FF, 0xB7DC, 0x90A6, 0xC08F),
-    bn_pack4(0x93B4, 0xEA98, 0x8D8F, 0xDDC1),
-    bn_pack4(0xD006, 0x9127, 0xD5B0, 0x5AA9),
-    bn_pack4(0xB81B, 0xDD76, 0x2170, 0x481C),
-    bn_pack4(0x1F61, 0x2970, 0xCEE2, 0xD7AF),
-    bn_pack4(0x233B, 0xA186, 0x515B, 0xE7ED),
-    bn_pack4(0x99B2, 0x964F, 0xA090, 0xC3A2),
-    bn_pack4(0x287C, 0x5947, 0x4E6B, 0xC05D),
-    bn_pack4(0x2E8E, 0xFC14, 0x1FBE, 0xCAA6),
-    bn_pack4(0xDBBB, 0xC2DB, 0x04DE, 0x8EF9),
-    bn_pack4(0x2583, 0xE9CA, 0x2AD4, 0x4CE8),
-    bn_pack4(0x1A94, 0x6834, 0xB615, 0x0BDA),
-    bn_pack4(0x99C3, 0x2718, 0x6AF4, 0xE23C),
-    bn_pack4(0x8871, 0x9A10, 0xBDBA, 0x5B26),
-    bn_pack4(0x1A72, 0x3C12, 0xA787, 0xE6D7),
-    bn_pack4(0x4B82, 0xD120, 0xA921, 0x0801),
-    bn_pack4(0x43DB, 0x5BFC, 0xE0FD, 0x108E),
-    bn_pack4(0x08E2, 0x4FA0, 0x74E5, 0xAB31),
-    bn_pack4(0x7709, 0x88C0, 0xBAD9, 0x46E2),
-    bn_pack4(0xBBE1, 0x1757, 0x7A61, 0x5D6C),
-    bn_pack4(0x521F, 0x2B18, 0x177B, 0x200C),
-    bn_pack4(0xD876, 0x0273, 0x3EC8, 0x6A64),
-    bn_pack4(0xF12F, 0xFA06, 0xD98A, 0x0864),
-    bn_pack4(0xCEE3, 0xD226, 0x1AD2, 0xEE6B),
-    bn_pack4(0x1E8C, 0x94E0, 0x4A25, 0x619D),
-    bn_pack4(0xABF5, 0xAE8C, 0xDB09, 0x33D7),
-    bn_pack4(0xB397, 0x0F85, 0xA6E1, 0xE4C7),
-    bn_pack4(0x8AEA, 0x7157, 0x5D06, 0x0C7D),
-    bn_pack4(0xECFB, 0x8504, 0x58DB, 0xEF0A),
-    bn_pack4(0xA855, 0x21AB, 0xDF1C, 0xBA64),
-    bn_pack4(0xAD33, 0x170D, 0x0450, 0x7A33),
-    bn_pack4(0x1572, 0x8E5A, 0x8AAA, 0xC42D),
-    bn_pack4(0x15D2, 0x2618, 0x98FA, 0x0510),
-    bn_pack4(0x3995, 0x497C, 0xEA95, 0x6AE5),
-    bn_pack4(0xDE2B, 0xCBF6, 0x9558, 0x1718),
-    bn_pack4(0xB5C5, 0x5DF0, 0x6F4C, 0x52C9),
-    bn_pack4(0x9B27, 0x83A2, 0xEC07, 0xA28F),
-    bn_pack4(0xE39E, 0x772C, 0x180E, 0x8603),
-    bn_pack4(0x3290, 0x5E46, 0x2E36, 0xCE3B),
-    bn_pack4(0xF174, 0x6C08, 0xCA18, 0x217C),
-    bn_pack4(0x670C, 0x354E, 0x4ABC, 0x9804),
-    bn_pack4(0x9ED5, 0x2907, 0x7096, 0x966D),
-    bn_pack4(0x1C62, 0xF356, 0x2085, 0x52BB),
-    bn_pack4(0x8365, 0x5D23, 0xDCA3, 0xAD96),
-    bn_pack4(0x6916, 0x3FA8, 0xFD24, 0xCF5F),
-    bn_pack4(0x98DA, 0x4836, 0x1C55, 0xD39A),
-    bn_pack4(0xC200, 0x7CB8, 0xA163, 0xBF05),
-    bn_pack4(0x4928, 0x6651, 0xECE4, 0x5B3D),
-    bn_pack4(0xAE9F, 0x2411, 0x7C4B, 0x1FE6),
-    bn_pack4(0xEE38, 0x6BFB, 0x5A89, 0x9FA5),
-    bn_pack4(0x0BFF, 0x5CB6, 0xF406, 0xB7ED),
-    bn_pack4(0xF44C, 0x42E9, 0xA637, 0xED6B),
-    bn_pack4(0xE485, 0xB576, 0x625E, 0x7EC6),
-    bn_pack4(0x4FE1, 0x356D, 0x6D51, 0xC245),
-    bn_pack4(0x302B, 0x0A6D, 0xF25F, 0x1437),
-    bn_pack4(0xEF95, 0x19B3, 0xCD3A, 0x431B),
-    bn_pack4(0x514A, 0x0879, 0x8E34, 0x04DD),
-    bn_pack4(0x020B, 0xBEA6, 0x3B13, 0x9B22),
-    bn_pack4(0x2902, 0x4E08, 0x8A67, 0xCC74),
-    bn_pack4(0xC4C6, 0x628B, 0x80DC, 0x1CD1),
-    bn_pack4(0xC90F, 0xDAA2, 0x2168, 0xC234),
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF)
-};
-
-const BIGNUM bn_group_4096 = {
-    (BN_ULONG *)bn_group_4096_value,
-    OSSL_NELEM(bn_group_4096_value),
-    OSSL_NELEM(bn_group_4096_value),
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-static const BN_ULONG bn_group_6144_value[] = {
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF),
-    bn_pack4(0xE694, 0xF91E, 0x6DCC, 0x4024),
-    bn_pack4(0x12BF, 0x2D5B, 0x0B74, 0x74D6),
-    bn_pack4(0x043E, 0x8F66, 0x3F48, 0x60EE),
-    bn_pack4(0x387F, 0xE8D7, 0x6E3C, 0x0468),
-    bn_pack4(0xDA56, 0xC9EC, 0x2EF2, 0x9632),
-    bn_pack4(0xEB19, 0xCCB1, 0xA313, 0xD55C),
-    bn_pack4(0xF550, 0xAA3D, 0x8A1F, 0xBFF0),
-    bn_pack4(0x06A1, 0xD58B, 0xB7C5, 0xDA76),
-    bn_pack4(0xA797, 0x15EE, 0xF29B, 0xE328),
-    bn_pack4(0x14CC, 0x5ED2, 0x0F80, 0x37E0),
-    bn_pack4(0xCC8F, 0x6D7E, 0xBF48, 0xE1D8),
-    bn_pack4(0x4BD4, 0x07B2, 0x2B41, 0x54AA),
-    bn_pack4(0x0F1D, 0x45B7, 0xFF58, 0x5AC5),
-    bn_pack4(0x23A9, 0x7A7E, 0x36CC, 0x88BE),
-    bn_pack4(0x59E7, 0xC97F, 0xBEC7, 0xE8F3),
-    bn_pack4(0xB5A8, 0x4031, 0x900B, 0x1C9E),
-    bn_pack4(0xD55E, 0x702F, 0x4698, 0x0C82),
-    bn_pack4(0xF482, 0xD7CE, 0x6E74, 0xFEF6),
-    bn_pack4(0xF032, 0xEA15, 0xD172, 0x1D03),
-    bn_pack4(0x5983, 0xCA01, 0xC64B, 0x92EC),
-    bn_pack4(0x6FB8, 0xF401, 0x378C, 0xD2BF),
-    bn_pack4(0x3320, 0x5151, 0x2BD7, 0xAF42),
-    bn_pack4(0xDB7F, 0x1447, 0xE6CC, 0x254B),
-    bn_pack4(0x44CE, 0x6CBA, 0xCED4, 0xBB1B),
-    bn_pack4(0xDA3E, 0xDBEB, 0xCF9B, 0x14ED),
-    bn_pack4(0x1797, 0x27B0, 0x865A, 0x8918),
-    bn_pack4(0xB06A, 0x53ED, 0x9027, 0xD831),
-    bn_pack4(0xE5DB, 0x382F, 0x4130, 0x01AE),
-    bn_pack4(0xF8FF, 0x9406, 0xAD9E, 0x530E),
-    bn_pack4(0xC975, 0x1E76, 0x3DBA, 0x37BD),
-    bn_pack4(0xC1D4, 0xDCB2, 0x6026, 0x46DE),
-    bn_pack4(0x36C3, 0xFAB4, 0xD27C, 0x7026),
-    bn_pack4(0x4DF4, 0x35C9, 0x3402, 0x8492),
-    bn_pack4(0x86FF, 0xB7DC, 0x90A6, 0xC08F),
-    bn_pack4(0x93B4, 0xEA98, 0x8D8F, 0xDDC1),
-    bn_pack4(0xD006, 0x9127, 0xD5B0, 0x5AA9),
-    bn_pack4(0xB81B, 0xDD76, 0x2170, 0x481C),
-    bn_pack4(0x1F61, 0x2970, 0xCEE2, 0xD7AF),
-    bn_pack4(0x233B, 0xA186, 0x515B, 0xE7ED),
-    bn_pack4(0x99B2, 0x964F, 0xA090, 0xC3A2),
-    bn_pack4(0x287C, 0x5947, 0x4E6B, 0xC05D),
-    bn_pack4(0x2E8E, 0xFC14, 0x1FBE, 0xCAA6),
-    bn_pack4(0xDBBB, 0xC2DB, 0x04DE, 0x8EF9),
-    bn_pack4(0x2583, 0xE9CA, 0x2AD4, 0x4CE8),
-    bn_pack4(0x1A94, 0x6834, 0xB615, 0x0BDA),
-    bn_pack4(0x99C3, 0x2718, 0x6AF4, 0xE23C),
-    bn_pack4(0x8871, 0x9A10, 0xBDBA, 0x5B26),
-    bn_pack4(0x1A72, 0x3C12, 0xA787, 0xE6D7),
-    bn_pack4(0x4B82, 0xD120, 0xA921, 0x0801),
-    bn_pack4(0x43DB, 0x5BFC, 0xE0FD, 0x108E),
-    bn_pack4(0x08E2, 0x4FA0, 0x74E5, 0xAB31),
-    bn_pack4(0x7709, 0x88C0, 0xBAD9, 0x46E2),
-    bn_pack4(0xBBE1, 0x1757, 0x7A61, 0x5D6C),
-    bn_pack4(0x521F, 0x2B18, 0x177B, 0x200C),
-    bn_pack4(0xD876, 0x0273, 0x3EC8, 0x6A64),
-    bn_pack4(0xF12F, 0xFA06, 0xD98A, 0x0864),
-    bn_pack4(0xCEE3, 0xD226, 0x1AD2, 0xEE6B),
-    bn_pack4(0x1E8C, 0x94E0, 0x4A25, 0x619D),
-    bn_pack4(0xABF5, 0xAE8C, 0xDB09, 0x33D7),
-    bn_pack4(0xB397, 0x0F85, 0xA6E1, 0xE4C7),
-    bn_pack4(0x8AEA, 0x7157, 0x5D06, 0x0C7D),
-    bn_pack4(0xECFB, 0x8504, 0x58DB, 0xEF0A),
-    bn_pack4(0xA855, 0x21AB, 0xDF1C, 0xBA64),
-    bn_pack4(0xAD33, 0x170D, 0x0450, 0x7A33),
-    bn_pack4(0x1572, 0x8E5A, 0x8AAA, 0xC42D),
-    bn_pack4(0x15D2, 0x2618, 0x98FA, 0x0510),
-    bn_pack4(0x3995, 0x497C, 0xEA95, 0x6AE5),
-    bn_pack4(0xDE2B, 0xCBF6, 0x9558, 0x1718),
-    bn_pack4(0xB5C5, 0x5DF0, 0x6F4C, 0x52C9),
-    bn_pack4(0x9B27, 0x83A2, 0xEC07, 0xA28F),
-    bn_pack4(0xE39E, 0x772C, 0x180E, 0x8603),
-    bn_pack4(0x3290, 0x5E46, 0x2E36, 0xCE3B),
-    bn_pack4(0xF174, 0x6C08, 0xCA18, 0x217C),
-    bn_pack4(0x670C, 0x354E, 0x4ABC, 0x9804),
-    bn_pack4(0x9ED5, 0x2907, 0x7096, 0x966D),
-    bn_pack4(0x1C62, 0xF356, 0x2085, 0x52BB),
-    bn_pack4(0x8365, 0x5D23, 0xDCA3, 0xAD96),
-    bn_pack4(0x6916, 0x3FA8, 0xFD24, 0xCF5F),
-    bn_pack4(0x98DA, 0x4836, 0x1C55, 0xD39A),
-    bn_pack4(0xC200, 0x7CB8, 0xA163, 0xBF05),
-    bn_pack4(0x4928, 0x6651, 0xECE4, 0x5B3D),
-    bn_pack4(0xAE9F, 0x2411, 0x7C4B, 0x1FE6),
-    bn_pack4(0xEE38, 0x6BFB, 0x5A89, 0x9FA5),
-    bn_pack4(0x0BFF, 0x5CB6, 0xF406, 0xB7ED),
-    bn_pack4(0xF44C, 0x42E9, 0xA637, 0xED6B),
-    bn_pack4(0xE485, 0xB576, 0x625E, 0x7EC6),
-    bn_pack4(0x4FE1, 0x356D, 0x6D51, 0xC245),
-    bn_pack4(0x302B, 0x0A6D, 0xF25F, 0x1437),
-    bn_pack4(0xEF95, 0x19B3, 0xCD3A, 0x431B),
-    bn_pack4(0x514A, 0x0879, 0x8E34, 0x04DD),
-    bn_pack4(0x020B, 0xBEA6, 0x3B13, 0x9B22),
-    bn_pack4(0x2902, 0x4E08, 0x8A67, 0xCC74),
-    bn_pack4(0xC4C6, 0x628B, 0x80DC, 0x1CD1),
-    bn_pack4(0xC90F, 0xDAA2, 0x2168, 0xC234),
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF)
-};
-
-const BIGNUM bn_group_6144 = {
-    (BN_ULONG *)bn_group_6144_value,
-    OSSL_NELEM(bn_group_6144_value),
-    OSSL_NELEM(bn_group_6144_value),
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-static const BN_ULONG bn_group_8192_value[] = {
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF),
-    bn_pack4(0x60C9, 0x80DD, 0x98ED, 0xD3DF),
-    bn_pack4(0xC81F, 0x56E8, 0x80B9, 0x6E71),
-    bn_pack4(0x9E30, 0x50E2, 0x7656, 0x94DF),
-    bn_pack4(0x9558, 0xE447, 0x5677, 0xE9AA),
-    bn_pack4(0xC919, 0x0DA6, 0xFC02, 0x6E47),
-    bn_pack4(0x889A, 0x002E, 0xD5EE, 0x382B),
-    bn_pack4(0x4009, 0x438B, 0x481C, 0x6CD7),
-    bn_pack4(0x3590, 0x46F4, 0xEB87, 0x9F92),
-    bn_pack4(0xFAF3, 0x6BC3, 0x1ECF, 0xA268),
-    bn_pack4(0xB1D5, 0x10BD, 0x7EE7, 0x4D73),
-    bn_pack4(0xF9AB, 0x4819, 0x5DED, 0x7EA1),
-    bn_pack4(0x64F3, 0x1CC5, 0x0846, 0x851D),
-    bn_pack4(0x4597, 0xE899, 0xA025, 0x5DC1),
-    bn_pack4(0xDF31, 0x0EE0, 0x74AB, 0x6A36),
-    bn_pack4(0x6D2A, 0x13F8, 0x3F44, 0xF82D),
-    bn_pack4(0x062B, 0x3CF5, 0xB3A2, 0x78A6),
-    bn_pack4(0x7968, 0x3303, 0xED5B, 0xDD3A),
-    bn_pack4(0xFA9D, 0x4B7F, 0xA2C0, 0x87E8),
-    bn_pack4(0x4BCB, 0xC886, 0x2F83, 0x85DD),
-    bn_pack4(0x3473, 0xFC64, 0x6CEA, 0x306B),
-    bn_pack4(0x13EB, 0x57A8, 0x1A23, 0xF0C7),
-    bn_pack4(0x2222, 0x2E04, 0xA403, 0x7C07),
-    bn_pack4(0xE3FD, 0xB8BE, 0xFC84, 0x8AD9),
-    bn_pack4(0x238F, 0x16CB, 0xE39D, 0x652D),
-    bn_pack4(0x3423, 0xB474, 0x2BF1, 0xC978),
-    bn_pack4(0x3AAB, 0x639C, 0x5AE4, 0xF568),
-    bn_pack4(0x2576, 0xF693, 0x6BA4, 0x2466),
-    bn_pack4(0x741F, 0xA7BF, 0x8AFC, 0x47ED),
-    bn_pack4(0x3BC8, 0x32B6, 0x8D9D, 0xD300),
-    bn_pack4(0xD8BE, 0xC4D0, 0x73B9, 0x31BA),
-    bn_pack4(0x3877, 0x7CB6, 0xA932, 0xDF8C),
-    bn_pack4(0x74A3, 0x926F, 0x12FE, 0xE5E4),
-    bn_pack4(0xE694, 0xF91E, 0x6DBE, 0x1159),
-    bn_pack4(0x12BF, 0x2D5B, 0x0B74, 0x74D6),
-    bn_pack4(0x043E, 0x8F66, 0x3F48, 0x60EE),
-    bn_pack4(0x387F, 0xE8D7, 0x6E3C, 0x0468),
-    bn_pack4(0xDA56, 0xC9EC, 0x2EF2, 0x9632),
-    bn_pack4(0xEB19, 0xCCB1, 0xA313, 0xD55C),
-    bn_pack4(0xF550, 0xAA3D, 0x8A1F, 0xBFF0),
-    bn_pack4(0x06A1, 0xD58B, 0xB7C5, 0xDA76),
-    bn_pack4(0xA797, 0x15EE, 0xF29B, 0xE328),
-    bn_pack4(0x14CC, 0x5ED2, 0x0F80, 0x37E0),
-    bn_pack4(0xCC8F, 0x6D7E, 0xBF48, 0xE1D8),
-    bn_pack4(0x4BD4, 0x07B2, 0x2B41, 0x54AA),
-    bn_pack4(0x0F1D, 0x45B7, 0xFF58, 0x5AC5),
-    bn_pack4(0x23A9, 0x7A7E, 0x36CC, 0x88BE),
-    bn_pack4(0x59E7, 0xC97F, 0xBEC7, 0xE8F3),
-    bn_pack4(0xB5A8, 0x4031, 0x900B, 0x1C9E),
-    bn_pack4(0xD55E, 0x702F, 0x4698, 0x0C82),
-    bn_pack4(0xF482, 0xD7CE, 0x6E74, 0xFEF6),
-    bn_pack4(0xF032, 0xEA15, 0xD172, 0x1D03),
-    bn_pack4(0x5983, 0xCA01, 0xC64B, 0x92EC),
-    bn_pack4(0x6FB8, 0xF401, 0x378C, 0xD2BF),
-    bn_pack4(0x3320, 0x5151, 0x2BD7, 0xAF42),
-    bn_pack4(0xDB7F, 0x1447, 0xE6CC, 0x254B),
-    bn_pack4(0x44CE, 0x6CBA, 0xCED4, 0xBB1B),
-    bn_pack4(0xDA3E, 0xDBEB, 0xCF9B, 0x14ED),
-    bn_pack4(0x1797, 0x27B0, 0x865A, 0x8918),
-    bn_pack4(0xB06A, 0x53ED, 0x9027, 0xD831),
-    bn_pack4(0xE5DB, 0x382F, 0x4130, 0x01AE),
-    bn_pack4(0xF8FF, 0x9406, 0xAD9E, 0x530E),
-    bn_pack4(0xC975, 0x1E76, 0x3DBA, 0x37BD),
-    bn_pack4(0xC1D4, 0xDCB2, 0x6026, 0x46DE),
-    bn_pack4(0x36C3, 0xFAB4, 0xD27C, 0x7026),
-    bn_pack4(0x4DF4, 0x35C9, 0x3402, 0x8492),
-    bn_pack4(0x86FF, 0xB7DC, 0x90A6, 0xC08F),
-    bn_pack4(0x93B4, 0xEA98, 0x8D8F, 0xDDC1),
-    bn_pack4(0xD006, 0x9127, 0xD5B0, 0x5AA9),
-    bn_pack4(0xB81B, 0xDD76, 0x2170, 0x481C),
-    bn_pack4(0x1F61, 0x2970, 0xCEE2, 0xD7AF),
-    bn_pack4(0x233B, 0xA186, 0x515B, 0xE7ED),
-    bn_pack4(0x99B2, 0x964F, 0xA090, 0xC3A2),
-    bn_pack4(0x287C, 0x5947, 0x4E6B, 0xC05D),
-    bn_pack4(0x2E8E, 0xFC14, 0x1FBE, 0xCAA6),
-    bn_pack4(0xDBBB, 0xC2DB, 0x04DE, 0x8EF9),
-    bn_pack4(0x2583, 0xE9CA, 0x2AD4, 0x4CE8),
-    bn_pack4(0x1A94, 0x6834, 0xB615, 0x0BDA),
-    bn_pack4(0x99C3, 0x2718, 0x6AF4, 0xE23C),
-    bn_pack4(0x8871, 0x9A10, 0xBDBA, 0x5B26),
-    bn_pack4(0x1A72, 0x3C12, 0xA787, 0xE6D7),
-    bn_pack4(0x4B82, 0xD120, 0xA921, 0x0801),
-    bn_pack4(0x43DB, 0x5BFC, 0xE0FD, 0x108E),
-    bn_pack4(0x08E2, 0x4FA0, 0x74E5, 0xAB31),
-    bn_pack4(0x7709, 0x88C0, 0xBAD9, 0x46E2),
-    bn_pack4(0xBBE1, 0x1757, 0x7A61, 0x5D6C),
-    bn_pack4(0x521F, 0x2B18, 0x177B, 0x200C),
-    bn_pack4(0xD876, 0x0273, 0x3EC8, 0x6A64),
-    bn_pack4(0xF12F, 0xFA06, 0xD98A, 0x0864),
-    bn_pack4(0xCEE3, 0xD226, 0x1AD2, 0xEE6B),
-    bn_pack4(0x1E8C, 0x94E0, 0x4A25, 0x619D),
-    bn_pack4(0xABF5, 0xAE8C, 0xDB09, 0x33D7),
-    bn_pack4(0xB397, 0x0F85, 0xA6E1, 0xE4C7),
-    bn_pack4(0x8AEA, 0x7157, 0x5D06, 0x0C7D),
-    bn_pack4(0xECFB, 0x8504, 0x58DB, 0xEF0A),
-    bn_pack4(0xA855, 0x21AB, 0xDF1C, 0xBA64),
-    bn_pack4(0xAD33, 0x170D, 0x0450, 0x7A33),
-    bn_pack4(0x1572, 0x8E5A, 0x8AAA, 0xC42D),
-    bn_pack4(0x15D2, 0x2618, 0x98FA, 0x0510),
-    bn_pack4(0x3995, 0x497C, 0xEA95, 0x6AE5),
-    bn_pack4(0xDE2B, 0xCBF6, 0x9558, 0x1718),
-    bn_pack4(0xB5C5, 0x5DF0, 0x6F4C, 0x52C9),
-    bn_pack4(0x9B27, 0x83A2, 0xEC07, 0xA28F),
-    bn_pack4(0xE39E, 0x772C, 0x180E, 0x8603),
-    bn_pack4(0x3290, 0x5E46, 0x2E36, 0xCE3B),
-    bn_pack4(0xF174, 0x6C08, 0xCA18, 0x217C),
-    bn_pack4(0x670C, 0x354E, 0x4ABC, 0x9804),
-    bn_pack4(0x9ED5, 0x2907, 0x7096, 0x966D),
-    bn_pack4(0x1C62, 0xF356, 0x2085, 0x52BB),
-    bn_pack4(0x8365, 0x5D23, 0xDCA3, 0xAD96),
-    bn_pack4(0x6916, 0x3FA8, 0xFD24, 0xCF5F),
-    bn_pack4(0x98DA, 0x4836, 0x1C55, 0xD39A),
-    bn_pack4(0xC200, 0x7CB8, 0xA163, 0xBF05),
-    bn_pack4(0x4928, 0x6651, 0xECE4, 0x5B3D),
-    bn_pack4(0xAE9F, 0x2411, 0x7C4B, 0x1FE6),
-    bn_pack4(0xEE38, 0x6BFB, 0x5A89, 0x9FA5),
-    bn_pack4(0x0BFF, 0x5CB6, 0xF406, 0xB7ED),
-    bn_pack4(0xF44C, 0x42E9, 0xA637, 0xED6B),
-    bn_pack4(0xE485, 0xB576, 0x625E, 0x7EC6),
-    bn_pack4(0x4FE1, 0x356D, 0x6D51, 0xC245),
-    bn_pack4(0x302B, 0x0A6D, 0xF25F, 0x1437),
-    bn_pack4(0xEF95, 0x19B3, 0xCD3A, 0x431B),
-    bn_pack4(0x514A, 0x0879, 0x8E34, 0x04DD),
-    bn_pack4(0x020B, 0xBEA6, 0x3B13, 0x9B22),
-    bn_pack4(0x2902, 0x4E08, 0x8A67, 0xCC74),
-    bn_pack4(0xC4C6, 0x628B, 0x80DC, 0x1CD1),
-    bn_pack4(0xC90F, 0xDAA2, 0x2168, 0xC234),
-    bn_pack4(0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF)
-};
-
-const BIGNUM bn_group_8192 = {
-    (BN_ULONG *)bn_group_8192_value,
-    OSSL_NELEM(bn_group_8192_value),
-    OSSL_NELEM(bn_group_8192_value),
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-static const BN_ULONG bn_generator_19_value[] = { 19 };
-
-const BIGNUM bn_generator_19 = {
-    (BN_ULONG *)bn_generator_19_value,
-    1,
-    1,
-    0,
-    BN_FLG_STATIC_DATA
-};
-static const BN_ULONG bn_generator_5_value[] = { 5 };
-
-const BIGNUM bn_generator_5 = {
-    (BN_ULONG *)bn_generator_5_value,
-    1,
-    1,
-    0,
-    BN_FLG_STATIC_DATA
-};
-static const BN_ULONG bn_generator_2_value[] = { 2 };
-
-const BIGNUM bn_generator_2 = {
-    (BN_ULONG *)bn_generator_2_value,
-    1,
-    1,
-    0,
-    BN_FLG_STATIC_DATA
-};
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_word.c b/Cryptlib/OpenSSL/crypto/bn/bn_word.c
index 1af13a53..9b5f9cb9 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_word.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_word.c
@@ -1,13 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/bn/bn_word.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include "bn_lcl.h"
 
 BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w)
@@ -89,8 +139,6 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w)
     if ((a->top > 0) && (a->d[a->top - 1] == 0))
         a->top--;
     ret >>= j;
-    if (!a->top)
-        a->neg = 0; /* don't allow negative zero */
     bn_check_top(a);
     return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c b/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c
index 40734cb2..efa48bdf 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_x931p.c
@@ -1,15 +1,64 @@
+/* bn_x931p.c */
 /*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <openssl/bn.h>
-#include "bn_lcl.h"
 
 /* X9.31 routines for prime derivation */
 
@@ -21,7 +70,7 @@
 static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
                              BN_GENCB *cb)
 {
-    int i = 0, is_prime;
+    int i = 0;
     if (!BN_copy(pi, Xpi))
         return 0;
     if (!BN_is_odd(pi) && !BN_add_word(pi, 1))
@@ -29,11 +78,8 @@ static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx,
     for (;;) {
         i++;
         BN_GENCB_call(cb, 0, i);
-        /* NB 27 MR is specified in X9.31 */
-        is_prime = BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb);
-        if (is_prime < 0)
-            return 0;
-        if (is_prime)
+        /* NB 27 MR is specificed in X9.31 */
+        if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb))
             break;
         if (!BN_add_word(pi, 2))
             return 0;
@@ -74,9 +120,6 @@ int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
 
     pm1 = BN_CTX_get(ctx);
 
-    if (pm1 == NULL)
-        goto err;
-
     if (!bn_x931_derive_pi(p1, Xp1, ctx, cb))
         goto err;
 
@@ -125,18 +168,14 @@ int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
             goto err;
         if (!BN_gcd(t, pm1, e, ctx))
             goto err;
-        if (BN_is_one(t)) {
+        if (BN_is_one(t)
             /*
              * X9.31 specifies 8 MR and 1 Lucas test or any prime test
              * offering similar or better guarantees 50 MR is considerably
              * better.
              */
-            int r = BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb);
-            if (r < 0)
-                goto err;
-            if (r)
-                break;
-        }
+            && BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb))
+            break;
         if (!BN_add(p, p, p1p2))
             goto err;
     }
@@ -153,8 +192,8 @@ int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
 }
 
 /*
- * Generate pair of parameters Xp, Xq for X9.31 prime generation. Note: nbits
- * parameter is sum of number of bits in both.
+ * Generate pair of paramters Xp, Xq for X9.31 prime generation. Note: nbits
+ * paramter is sum of number of bits in both.
  */
 
 int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
@@ -173,14 +212,14 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
      * - 1. By setting the top two bits we ensure that the lower bound is
      * exceeded.
      */
-    if (!BN_rand(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+    if (!BN_rand(Xp, nbits, 1, 0))
         goto err;
 
     BN_CTX_start(ctx);
     t = BN_CTX_get(ctx);
 
     for (i = 0; i < 1000; i++) {
-        if (!BN_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
+        if (!BN_rand(Xq, nbits, 1, 0))
             goto err;
         /* Check that |Xp - Xq| > 2^(nbits - 100) */
         BN_sub(t, Xp, Xq);
@@ -221,9 +260,9 @@ int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
     if (!Xp2)
         Xp2 = BN_CTX_get(ctx);
 
-    if (!BN_rand(Xp1, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+    if (!BN_rand(Xp1, 101, 0, 0))
         goto error;
-    if (!BN_rand(Xp2, 101, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+    if (!BN_rand(Xp2, 101, 0, 0))
         goto error;
     if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb))
         goto error;
diff --git a/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.c b/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.c
deleted file mode 100644
index 1a70f6ca..00000000
--- a/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.c
+++ /dev/null
@@ -1,352 +0,0 @@
-/*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*****************************************************************************
-*                                                                            *
-*  Copyright (c) 2012, Intel Corporation                                     *
-*                                                                            *
-*  All rights reserved.                                                      *
-*                                                                            *
-*  Redistribution and use in source and binary forms, with or without        *
-*  modification, are permitted provided that the following conditions are    *
-*  met:                                                                      *
-*                                                                            *
-*  *  Redistributions of source code must retain the above copyright         *
-*     notice, this list of conditions and the following disclaimer.          *
-*                                                                            *
-*  *  Redistributions in binary form must reproduce the above copyright      *
-*     notice, this list of conditions and the following disclaimer in the    *
-*     documentation and/or other materials provided with the                 *
-*     distribution.                                                          *
-*                                                                            *
-*  *  Neither the name of the Intel Corporation nor the names of its         *
-*     contributors may be used to endorse or promote products derived from   *
-*     this software without specific prior written permission.               *
-*                                                                            *
-*                                                                            *
-*  THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY          *
-*  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE         *
-*  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR        *
-*  PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR            *
-*  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,     *
-*  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,       *
-*  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR        *
-*  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF    *
-*  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING      *
-*  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS        *
-*  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.              *
-*                                                                            *
-******************************************************************************
-* Developers and authors:                                                    *
-* Shay Gueron (1, 2), and Vlad Krasnov (1)                                   *
-* (1) Intel Corporation, Israel Development Center, Haifa, Israel            *
-* (2) University of Haifa, Israel                                            *
-*****************************************************************************/
-
-#include <openssl/opensslconf.h>
-#include "rsaz_exp.h"
-
-#ifndef RSAZ_ENABLED
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-/*
- * See crypto/bn/asm/rsaz-avx2.pl for further details.
- */
-void rsaz_1024_norm2red_avx2(void *red, const void *norm);
-void rsaz_1024_mul_avx2(void *ret, const void *a, const void *b,
-                        const void *n, BN_ULONG k);
-void rsaz_1024_sqr_avx2(void *ret, const void *a, const void *n, BN_ULONG k,
-                        int cnt);
-void rsaz_1024_scatter5_avx2(void *tbl, const void *val, int i);
-void rsaz_1024_gather5_avx2(void *val, const void *tbl, int i);
-void rsaz_1024_red2norm_avx2(void *norm, const void *red);
-
-#if defined(__GNUC__)
-# define ALIGN64        __attribute__((aligned(64)))
-#elif defined(_MSC_VER)
-# define ALIGN64        __declspec(align(64))
-#elif defined(__SUNPRO_C)
-# define ALIGN64
-# pragma align 64(one,two80)
-#else
-/* not fatal, might hurt performance a little */
-# define ALIGN64
-#endif
-
-ALIGN64 static const BN_ULONG one[40] = {
-    1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-ALIGN64 static const BN_ULONG two80[40] = {
-    0, 0, 1 << 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
-                            const BN_ULONG base_norm[16],
-                            const BN_ULONG exponent[16],
-                            const BN_ULONG m_norm[16], const BN_ULONG RR[16],
-                            BN_ULONG k0)
-{
-    unsigned char storage[320 * 3 + 32 * 9 * 16 + 64]; /* 5.5KB */
-    unsigned char *p_str = storage + (64 - ((size_t)storage % 64));
-    unsigned char *a_inv, *m, *result;
-    unsigned char *table_s = p_str + 320 * 3;
-    unsigned char *R2 = table_s; /* borrow */
-    int index;
-    int wvalue;
-
-    if ((((size_t)p_str & 4095) + 320) >> 12) {
-        result = p_str;
-        a_inv = p_str + 320;
-        m = p_str + 320 * 2;    /* should not cross page */
-    } else {
-        m = p_str;              /* should not cross page */
-        result = p_str + 320;
-        a_inv = p_str + 320 * 2;
-    }
-
-    rsaz_1024_norm2red_avx2(m, m_norm);
-    rsaz_1024_norm2red_avx2(a_inv, base_norm);
-    rsaz_1024_norm2red_avx2(R2, RR);
-
-    rsaz_1024_mul_avx2(R2, R2, R2, m, k0);
-    rsaz_1024_mul_avx2(R2, R2, two80, m, k0);
-
-    /* table[0] = 1 */
-    rsaz_1024_mul_avx2(result, R2, one, m, k0);
-    /* table[1] = a_inv^1 */
-    rsaz_1024_mul_avx2(a_inv, a_inv, R2, m, k0);
-
-    rsaz_1024_scatter5_avx2(table_s, result, 0);
-    rsaz_1024_scatter5_avx2(table_s, a_inv, 1);
-
-    /* table[2] = a_inv^2 */
-    rsaz_1024_sqr_avx2(result, a_inv, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 2);
-#if 0
-    /* this is almost 2x smaller and less than 1% slower */
-    for (index = 3; index < 32; index++) {
-        rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-        rsaz_1024_scatter5_avx2(table_s, result, index);
-    }
-#else
-    /* table[4] = a_inv^4 */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 4);
-    /* table[8] = a_inv^8 */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 8);
-    /* table[16] = a_inv^16 */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 16);
-    /* table[17] = a_inv^17 */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 17);
-
-    /* table[3] */
-    rsaz_1024_gather5_avx2(result, table_s, 2);
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 3);
-    /* table[6] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 6);
-    /* table[12] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 12);
-    /* table[24] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 24);
-    /* table[25] */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 25);
-
-    /* table[5] */
-    rsaz_1024_gather5_avx2(result, table_s, 4);
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 5);
-    /* table[10] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 10);
-    /* table[20] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 20);
-    /* table[21] */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 21);
-
-    /* table[7] */
-    rsaz_1024_gather5_avx2(result, table_s, 6);
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 7);
-    /* table[14] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 14);
-    /* table[28] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 28);
-    /* table[29] */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 29);
-
-    /* table[9] */
-    rsaz_1024_gather5_avx2(result, table_s, 8);
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 9);
-    /* table[18] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 18);
-    /* table[19] */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 19);
-
-    /* table[11] */
-    rsaz_1024_gather5_avx2(result, table_s, 10);
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 11);
-    /* table[22] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 22);
-    /* table[23] */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 23);
-
-    /* table[13] */
-    rsaz_1024_gather5_avx2(result, table_s, 12);
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 13);
-    /* table[26] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 26);
-    /* table[27] */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 27);
-
-    /* table[15] */
-    rsaz_1024_gather5_avx2(result, table_s, 14);
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 15);
-    /* table[30] */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 1);
-    rsaz_1024_scatter5_avx2(table_s, result, 30);
-    /* table[31] */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    rsaz_1024_scatter5_avx2(table_s, result, 31);
-#endif
-
-    /* load first window */
-    p_str = (unsigned char *)exponent;
-    wvalue = p_str[127] >> 3;
-    rsaz_1024_gather5_avx2(result, table_s, wvalue);
-
-    index = 1014;
-
-    while (index > -1) {        /* loop for the remaining 127 windows */
-
-        rsaz_1024_sqr_avx2(result, result, m, k0, 5);
-
-        wvalue = (p_str[(index / 8) + 1] << 8) | p_str[index / 8];
-        wvalue = (wvalue >> (index % 8)) & 31;
-        index -= 5;
-
-        rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); /* borrow a_inv */
-        rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-    }
-
-    /* square four times */
-    rsaz_1024_sqr_avx2(result, result, m, k0, 4);
-
-    wvalue = p_str[0] & 15;
-
-    rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); /* borrow a_inv */
-    rsaz_1024_mul_avx2(result, result, a_inv, m, k0);
-
-    /* from Montgomery */
-    rsaz_1024_mul_avx2(result, result, one, m, k0);
-
-    rsaz_1024_red2norm_avx2(result_norm, result);
-
-    OPENSSL_cleanse(storage, sizeof(storage));
-}
-
-/*
- * See crypto/bn/rsaz-x86_64.pl for further details.
- */
-void rsaz_512_mul(void *ret, const void *a, const void *b, const void *n,
-                  BN_ULONG k);
-void rsaz_512_mul_scatter4(void *ret, const void *a, const void *n,
-                           BN_ULONG k, const void *tbl, unsigned int power);
-void rsaz_512_mul_gather4(void *ret, const void *a, const void *tbl,
-                          const void *n, BN_ULONG k, unsigned int power);
-void rsaz_512_mul_by_one(void *ret, const void *a, const void *n, BN_ULONG k);
-void rsaz_512_sqr(void *ret, const void *a, const void *n, BN_ULONG k,
-                  int cnt);
-void rsaz_512_scatter4(void *tbl, const BN_ULONG *val, int power);
-void rsaz_512_gather4(BN_ULONG *val, const void *tbl, int power);
-
-void RSAZ_512_mod_exp(BN_ULONG result[8],
-                      const BN_ULONG base[8], const BN_ULONG exponent[8],
-                      const BN_ULONG m[8], BN_ULONG k0, const BN_ULONG RR[8])
-{
-    unsigned char storage[16 * 8 * 8 + 64 * 2 + 64]; /* 1.2KB */
-    unsigned char *table = storage + (64 - ((size_t)storage % 64));
-    BN_ULONG *a_inv = (BN_ULONG *)(table + 16 * 8 * 8);
-    BN_ULONG *temp = (BN_ULONG *)(table + 16 * 8 * 8 + 8 * 8);
-    unsigned char *p_str = (unsigned char *)exponent;
-    int index;
-    unsigned int wvalue;
-
-    /* table[0] = 1_inv */
-    temp[0] = 0 - m[0];
-    temp[1] = ~m[1];
-    temp[2] = ~m[2];
-    temp[3] = ~m[3];
-    temp[4] = ~m[4];
-    temp[5] = ~m[5];
-    temp[6] = ~m[6];
-    temp[7] = ~m[7];
-    rsaz_512_scatter4(table, temp, 0);
-
-    /* table [1] = a_inv^1 */
-    rsaz_512_mul(a_inv, base, RR, m, k0);
-    rsaz_512_scatter4(table, a_inv, 1);
-
-    /* table [2] = a_inv^2 */
-    rsaz_512_sqr(temp, a_inv, m, k0, 1);
-    rsaz_512_scatter4(table, temp, 2);
-
-    for (index = 3; index < 16; index++)
-        rsaz_512_mul_scatter4(temp, a_inv, m, k0, table, index);
-
-    /* load first window */
-    wvalue = p_str[63];
-
-    rsaz_512_gather4(temp, table, wvalue >> 4);
-    rsaz_512_sqr(temp, temp, m, k0, 4);
-    rsaz_512_mul_gather4(temp, temp, table, m, k0, wvalue & 0xf);
-
-    for (index = 62; index >= 0; index--) {
-        wvalue = p_str[index];
-
-        rsaz_512_sqr(temp, temp, m, k0, 4);
-        rsaz_512_mul_gather4(temp, temp, table, m, k0, wvalue >> 4);
-
-        rsaz_512_sqr(temp, temp, m, k0, 4);
-        rsaz_512_mul_gather4(temp, temp, table, m, k0, wvalue & 0x0f);
-    }
-
-    /* from Montgomery */
-    rsaz_512_mul_by_one(result, temp, m, k0);
-
-    OPENSSL_cleanse(storage, sizeof(storage));
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h b/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
index 9501cc80..229e181f 100644
--- a/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
+++ b/Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
@@ -1,12 +1,3 @@
-/*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
 /*****************************************************************************
 *                                                                            *
 *  Copyright (c) 2012, Intel Corporation                                     *
diff --git a/Cryptlib/OpenSSL/crypto/buffer/buf_err.c b/Cryptlib/OpenSSL/crypto/buffer/buf_err.c
index a6a2ab88..631eec38 100644
--- a/Cryptlib/OpenSSL/crypto/buffer/buf_err.c
+++ b/Cryptlib/OpenSSL/crypto/buffer/buf_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/buffer/buf_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,9 +70,12 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_BUF,0,reason)
 
 static ERR_STRING_DATA BUF_str_functs[] = {
+    {ERR_FUNC(BUF_F_BUF_MEMDUP), "BUF_memdup"},
     {ERR_FUNC(BUF_F_BUF_MEM_GROW), "BUF_MEM_grow"},
     {ERR_FUNC(BUF_F_BUF_MEM_GROW_CLEAN), "BUF_MEM_grow_clean"},
     {ERR_FUNC(BUF_F_BUF_MEM_NEW), "BUF_MEM_new"},
+    {ERR_FUNC(BUF_F_BUF_STRDUP), "BUF_strdup"},
+    {ERR_FUNC(BUF_F_BUF_STRNDUP), "BUF_strndup"},
     {0, NULL}
 };
 
@@ -31,7 +85,7 @@ static ERR_STRING_DATA BUF_str_reasons[] = {
 
 #endif
 
-int ERR_load_BUF_strings(void)
+void ERR_load_BUF_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -40,5 +94,4 @@ int ERR_load_BUF_strings(void)
         ERR_load_strings(0, BUF_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/buffer/buf_str.c b/Cryptlib/OpenSSL/crypto/buffer/buf_str.c
new file mode 100644
index 00000000..fa0d608e
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/buffer/buf_str.c
@@ -0,0 +1,137 @@
+/* crypto/buffer/buffer.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <limits.h>
+#include <openssl/buffer.h>
+
+size_t BUF_strnlen(const char *str, size_t maxlen)
+{
+    const char *p;
+
+    for (p = str; maxlen-- != 0 && *p != '\0'; ++p) ;
+
+    return p - str;
+}
+
+char *BUF_strdup(const char *str)
+{
+    if (str == NULL)
+        return NULL;
+    return BUF_strndup(str, strlen(str));
+}
+
+char *BUF_strndup(const char *str, size_t siz)
+{
+    char *ret;
+
+    if (str == NULL)
+        return NULL;
+
+    siz = BUF_strnlen(str, siz);
+
+    if (siz >= INT_MAX)
+        return NULL;
+
+    ret = OPENSSL_malloc(siz + 1);
+    if (ret == NULL) {
+        BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+
+    memcpy(ret, str, siz);
+    ret[siz] = '\0';
+
+    return (ret);
+}
+
+void *BUF_memdup(const void *data, size_t siz)
+{
+    void *ret;
+
+    if (data == NULL || siz >= INT_MAX)
+        return NULL;
+
+    ret = OPENSSL_malloc(siz);
+    if (ret == NULL) {
+        BUFerr(BUF_F_BUF_MEMDUP, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    return memcpy(ret, data, siz);
+}
+
+size_t BUF_strlcpy(char *dst, const char *src, size_t size)
+{
+    size_t l = 0;
+    for (; size > 1 && *src; size--) {
+        *dst++ = *src++;
+        l++;
+    }
+    if (size)
+        *dst = '\0';
+    return l + strlen(src);
+}
+
+size_t BUF_strlcat(char *dst, const char *src, size_t size)
+{
+    size_t l = 0;
+    for (; size > 0 && *dst; size--, dst++)
+        l++;
+    return l + BUF_strlcpy(dst, src, size);
+}
diff --git a/Cryptlib/OpenSSL/crypto/buffer/buffer.c b/Cryptlib/OpenSSL/crypto/buffer/buffer.c
index 6b0bd4a4..eff3e081 100644
--- a/Cryptlib/OpenSSL/crypto/buffer/buffer.c
+++ b/Cryptlib/OpenSSL/crypto/buffer/buffer.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/buffer/buffer.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 
 /*
@@ -18,25 +67,18 @@
  */
 #define LIMIT_BEFORE_EXPANSION 0x5ffffffc
 
-BUF_MEM *BUF_MEM_new_ex(unsigned long flags)
-{
-    BUF_MEM *ret;
-
-    ret = BUF_MEM_new();
-    if (ret != NULL)
-        ret->flags = flags;
-    return (ret);
-}
-
 BUF_MEM *BUF_MEM_new(void)
 {
     BUF_MEM *ret;
 
-    ret = OPENSSL_zalloc(sizeof(*ret));
+    ret = OPENSSL_malloc(sizeof(BUF_MEM));
     if (ret == NULL) {
         BUFerr(BUF_F_BUF_MEM_NEW, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
+    ret->length = 0;
+    ret->max = 0;
+    ret->data = NULL;
     return (ret);
 }
 
@@ -46,30 +88,13 @@ void BUF_MEM_free(BUF_MEM *a)
         return;
 
     if (a->data != NULL) {
-        if (a->flags & BUF_MEM_FLAG_SECURE)
-            OPENSSL_secure_free(a->data);
-        else
-            OPENSSL_clear_free(a->data, a->max);
+        OPENSSL_cleanse(a->data, a->max);
+        OPENSSL_free(a->data);
     }
     OPENSSL_free(a);
 }
 
-/* Allocate a block of secure memory; copy over old data if there
- * was any, and then free it. */
-static char *sec_alloc_realloc(BUF_MEM *str, size_t len)
-{
-    char *ret;
-
-    ret = OPENSSL_secure_malloc(len);
-    if (str->data != NULL) {
-        if (ret != NULL)
-            memcpy(ret, str->data, str->length);
-        OPENSSL_secure_free(str->data);
-    }
-    return (ret);
-}
-
-size_t BUF_MEM_grow(BUF_MEM *str, size_t len)
+int BUF_MEM_grow(BUF_MEM *str, size_t len)
 {
     char *ret;
     size_t n;
@@ -79,8 +104,7 @@ size_t BUF_MEM_grow(BUF_MEM *str, size_t len)
         return (len);
     }
     if (str->max >= len) {
-        if (str->data != NULL)
-            memset(&str->data[str->length], 0, len - str->length);
+        memset(&str->data[str->length], 0, len - str->length);
         str->length = len;
         return (len);
     }
@@ -90,8 +114,8 @@ size_t BUF_MEM_grow(BUF_MEM *str, size_t len)
         return 0;
     }
     n = (len + 3) / 3 * 4;
-    if ((str->flags & BUF_MEM_FLAG_SECURE))
-        ret = sec_alloc_realloc(str, n);
+    if (str->data == NULL)
+        ret = OPENSSL_malloc(n);
     else
         ret = OPENSSL_realloc(str->data, n);
     if (ret == NULL) {
@@ -106,14 +130,13 @@ size_t BUF_MEM_grow(BUF_MEM *str, size_t len)
     return (len);
 }
 
-size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
+int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
 {
     char *ret;
     size_t n;
 
     if (str->length >= len) {
-        if (str->data != NULL)
-            memset(&str->data[len], 0, str->length - len);
+        memset(&str->data[len], 0, str->length - len);
         str->length = len;
         return (len);
     }
@@ -128,10 +151,10 @@ size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
         return 0;
     }
     n = (len + 3) / 3 * 4;
-    if ((str->flags & BUF_MEM_FLAG_SECURE))
-        ret = sec_alloc_realloc(str, n);
+    if (str->data == NULL)
+        ret = OPENSSL_malloc(n);
     else
-        ret = OPENSSL_clear_realloc(str->data, str->max, n);
+        ret = OPENSSL_realloc_clean(str->data, str->max, n);
     if (ret == NULL) {
         BUFerr(BUF_F_BUF_MEM_GROW_CLEAN, ERR_R_MALLOC_FAILURE);
         len = 0;
diff --git a/Cryptlib/OpenSSL/crypto/cmac/cm_ameth.c b/Cryptlib/OpenSSL/crypto/cmac/cm_ameth.c
index a58454a0..bf933e08 100644
--- a/Cryptlib/OpenSSL/crypto/cmac/cm_ameth.c
+++ b/Cryptlib/OpenSSL/crypto/cmac/cm_ameth.c
@@ -1,17 +1,61 @@
 /*
- * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2010.
+ */
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/cmac.h>
-#include "internal/asn1_int.h"
+#include "asn1_locl.h"
 
 /*
  * CMAC "ASN1" method. This is just here to indicate the maximum CMAC output
@@ -25,8 +69,9 @@ static int cmac_size(const EVP_PKEY *pkey)
 
 static void cmac_key_free(EVP_PKEY *pkey)
 {
-    CMAC_CTX *cmctx = EVP_PKEY_get0(pkey);
-    CMAC_CTX_free(cmctx);
+    CMAC_CTX *cmctx = (CMAC_CTX *)pkey->pkey.ptr;
+    if (cmctx)
+        CMAC_CTX_free(cmctx);
 }
 
 const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = {
@@ -42,7 +87,7 @@ const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = {
     0, 0, 0,
 
     cmac_size,
-    0, 0,
+    0,
     0, 0, 0, 0, 0, 0, 0,
 
     cmac_key_free,
diff --git a/Cryptlib/OpenSSL/crypto/cmac/cm_pmeth.c b/Cryptlib/OpenSSL/crypto/cmac/cm_pmeth.c
index 10748f14..a2300df1 100644
--- a/Cryptlib/OpenSSL/crypto/cmac/cm_pmeth.c
+++ b/Cryptlib/OpenSSL/crypto/cmac/cm_pmeth.c
@@ -1,26 +1,70 @@
 /*
- * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2010.
+ */
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/evp.h>
 #include <openssl/cmac.h>
-#include "internal/evp_int.h"
+#include "evp_locl.h"
 
 /* The context structure and "key" is simply a CMAC_CTX */
 
 static int pkey_cmac_init(EVP_PKEY_CTX *ctx)
 {
     ctx->data = CMAC_CTX_new();
-    if (ctx->data == NULL)
+    if (!ctx->data)
         return 0;
     ctx->keygen_info_count = 0;
     return 1;
@@ -44,7 +88,7 @@ static int pkey_cmac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 {
     CMAC_CTX *cmkey = CMAC_CTX_new();
     CMAC_CTX *cmctx = ctx->data;
-    if (cmkey == NULL)
+    if (!cmkey)
         return 0;
     if (!CMAC_CTX_copy(cmkey, cmctx)) {
         CMAC_CTX_free(cmkey);
@@ -57,7 +101,7 @@ static int pkey_cmac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 
 static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    if (!CMAC_Update(EVP_MD_CTX_pkey_ctx(ctx)->data, data, count))
+    if (!CMAC_Update(ctx->pctx->data, data, count))
         return 0;
     return 1;
 }
@@ -65,7 +109,7 @@ static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count)
 static int cmac_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)
 {
     EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_NO_INIT);
-    EVP_MD_CTX_set_update_fn(mctx, int_update);
+    mctx->update = int_update;
     return 1;
 }
 
@@ -113,17 +157,28 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_CTX *ctx,
     if (!value) {
         return 0;
     }
-    if (strcmp(type, "cipher") == 0) {
+    if (!strcmp(type, "key")) {
+        void *p = (void *)value;
+        return pkey_cmac_ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, strlen(p), p);
+    }
+    if (!strcmp(type, "cipher")) {
         const EVP_CIPHER *c;
         c = EVP_get_cipherbyname(value);
         if (!c)
             return 0;
         return pkey_cmac_ctrl(ctx, EVP_PKEY_CTRL_CIPHER, -1, (void *)c);
     }
-    if (strcmp(type, "key") == 0)
-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value);
-    if (strcmp(type, "hexkey") == 0)
-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value);
+    if (!strcmp(type, "hexkey")) {
+        unsigned char *key;
+        int r;
+        long keylen;
+        key = string_to_hex(value, &keylen);
+        if (!key)
+            return 0;
+        r = pkey_cmac_ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, keylen, key);
+        OPENSSL_free(key);
+        return r;
+    }
     return -2;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/cmac/cmac.c b/Cryptlib/OpenSSL/crypto/cmac/cmac.c
index c4f13a06..2954b6eb 100644
--- a/Cryptlib/OpenSSL/crypto/cmac/cmac.c
+++ b/Cryptlib/OpenSSL/crypto/cmac/cmac.c
@@ -1,21 +1,70 @@
+/* crypto/cmac/cmac.c */
 /*
- * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/cmac.h>
 
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
 struct CMAC_CTX_st {
     /* Cipher context to use */
-    EVP_CIPHER_CTX *cctx;
+    EVP_CIPHER_CTX cctx;
     /* Keys k1 and k2 */
     unsigned char k1[EVP_MAX_BLOCK_LENGTH];
     unsigned char k2[EVP_MAX_BLOCK_LENGTH];
@@ -29,38 +78,40 @@ struct CMAC_CTX_st {
 
 /* Make temporary keys K1 and K2 */
 
-static void make_kn(unsigned char *k1, const unsigned char *l, int bl)
+static void make_kn(unsigned char *k1, unsigned char *l, int bl)
 {
     int i;
-    unsigned char c = l[0], carry = c >> 7, cnext;
-
     /* Shift block to left, including carry */
-    for (i = 0; i < bl - 1; i++, c = cnext)
-        k1[i] = (c << 1) | ((cnext = l[i + 1]) >> 7);
-
+    for (i = 0; i < bl; i++) {
+        k1[i] = l[i] << 1;
+        if (i < bl - 1 && l[i + 1] & 0x80)
+            k1[i] |= 1;
+    }
     /* If MSB set fixup with R */
-    k1[i] = (c << 1) ^ ((0 - carry) & (bl == 16 ? 0x87 : 0x1b));
+    if (l[0] & 0x80)
+        k1[bl - 1] ^= bl == 16 ? 0x87 : 0x1b;
 }
 
 CMAC_CTX *CMAC_CTX_new(void)
 {
     CMAC_CTX *ctx;
-
-    ctx = OPENSSL_malloc(sizeof(*ctx));
-    if (ctx == NULL)
-        return NULL;
-    ctx->cctx = EVP_CIPHER_CTX_new();
-    if (ctx->cctx == NULL) {
-        OPENSSL_free(ctx);
+    ctx = OPENSSL_malloc(sizeof(CMAC_CTX));
+    if (!ctx)
         return NULL;
-    }
+    EVP_CIPHER_CTX_init(&ctx->cctx);
     ctx->nlast_block = -1;
     return ctx;
 }
 
 void CMAC_CTX_cleanup(CMAC_CTX *ctx)
 {
-    EVP_CIPHER_CTX_free(ctx->cctx);
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !ctx->cctx.engine) {
+        FIPS_cmac_ctx_cleanup(ctx);
+        return;
+    }
+#endif
+    EVP_CIPHER_CTX_cleanup(&ctx->cctx);
     OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
     OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
     OPENSSL_cleanse(ctx->k2, EVP_MAX_BLOCK_LENGTH);
@@ -70,7 +121,7 @@ void CMAC_CTX_cleanup(CMAC_CTX *ctx)
 
 EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx)
 {
-    return ctx->cctx;
+    return &ctx->cctx;
 }
 
 void CMAC_CTX_free(CMAC_CTX *ctx)
@@ -86,9 +137,9 @@ int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in)
     int bl;
     if (in->nlast_block == -1)
         return 0;
-    if (!EVP_CIPHER_CTX_copy(out->cctx, in->cctx))
+    if (!EVP_CIPHER_CTX_copy(&out->cctx, &in->cctx))
         return 0;
-    bl = EVP_CIPHER_CTX_block_size(in->cctx);
+    bl = EVP_CIPHER_CTX_block_size(&in->cctx);
     memcpy(out->k1, in->k1, bl);
     memcpy(out->k2, in->k2, bl);
     memcpy(out->tbl, in->tbl, bl);
@@ -100,38 +151,62 @@ int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in)
 int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
               const EVP_CIPHER *cipher, ENGINE *impl)
 {
-    static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 };
+    static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode()) {
+        /* If we have an ENGINE need to allow non FIPS */
+        if ((impl || ctx->cctx.engine)
+            && !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
+            EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
+            return 0;
+        }
+
+        /* Switch to FIPS cipher implementation if possible */
+        if (cipher != NULL) {
+            const EVP_CIPHER *fcipher;
+            fcipher = FIPS_get_cipherbynid(EVP_CIPHER_nid(cipher));
+            if (fcipher != NULL)
+                cipher = fcipher;
+        }
+        /*
+         * Other algorithm blocking will be done in FIPS_cmac_init, via
+         * FIPS_cipherinit().
+         */
+        if (!impl && !ctx->cctx.engine)
+            return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
+    }
+#endif
     /* All zeros means restart */
     if (!key && !cipher && !impl && keylen == 0) {
         /* Not initialised */
         if (ctx->nlast_block == -1)
             return 0;
-        if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
+        if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
             return 0;
-        memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(ctx->cctx));
+        memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(&ctx->cctx));
         ctx->nlast_block = 0;
         return 1;
     }
-    /* Initialise context */
-    if (cipher && !EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
+    /* Initialiase context */
+    if (cipher && !EVP_EncryptInit_ex(&ctx->cctx, cipher, impl, NULL, NULL))
         return 0;
     /* Non-NULL key means initialisation complete */
     if (key) {
         int bl;
-        if (!EVP_CIPHER_CTX_cipher(ctx->cctx))
+        if (!EVP_CIPHER_CTX_cipher(&ctx->cctx))
             return 0;
-        if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen))
+        if (!EVP_CIPHER_CTX_set_key_length(&ctx->cctx, keylen))
             return 0;
-        if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv))
+        if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, key, zero_iv))
             return 0;
-        bl = EVP_CIPHER_CTX_block_size(ctx->cctx);
-        if (!EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl))
+        bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
+        if (!EVP_Cipher(&ctx->cctx, ctx->tbl, zero_iv, bl))
             return 0;
         make_kn(ctx->k1, ctx->tbl, bl);
         make_kn(ctx->k2, ctx->k1, bl);
         OPENSSL_cleanse(ctx->tbl, bl);
         /* Reset context again ready for first data block */
-        if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, zero_iv))
+        if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
             return 0;
         /* Zero tbl so resume works */
         memset(ctx->tbl, 0, bl);
@@ -144,11 +219,15 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
 {
     const unsigned char *data = in;
     size_t bl;
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !ctx->cctx.engine)
+        return FIPS_cmac_update(ctx, in, dlen);
+#endif
     if (ctx->nlast_block == -1)
         return 0;
     if (dlen == 0)
         return 1;
-    bl = EVP_CIPHER_CTX_block_size(ctx->cctx);
+    bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
     /* Copy into partial block if we need to */
     if (ctx->nlast_block > 0) {
         size_t nleft;
@@ -163,12 +242,12 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
             return 1;
         data += nleft;
         /* Else not final block so encrypt it */
-        if (!EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl))
+        if (!EVP_Cipher(&ctx->cctx, ctx->tbl, ctx->last_block, bl))
             return 0;
     }
     /* Encrypt all but one of the complete blocks left */
     while (dlen > bl) {
-        if (!EVP_Cipher(ctx->cctx, ctx->tbl, data, bl))
+        if (!EVP_Cipher(&ctx->cctx, ctx->tbl, data, bl))
             return 0;
         dlen -= bl;
         data += bl;
@@ -183,9 +262,13 @@ int CMAC_Update(CMAC_CTX *ctx, const void *in, size_t dlen)
 int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
 {
     int i, bl, lb;
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !ctx->cctx.engine)
+        return FIPS_cmac_final(ctx, out, poutlen);
+#endif
     if (ctx->nlast_block == -1)
         return 0;
-    bl = EVP_CIPHER_CTX_block_size(ctx->cctx);
+    bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
     *poutlen = (size_t)bl;
     if (!out)
         return 1;
@@ -201,7 +284,7 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
         for (i = 0; i < bl; i++)
             out[i] = ctx->last_block[i] ^ ctx->k2[i];
     }
-    if (!EVP_Cipher(ctx->cctx, out, out, bl)) {
+    if (!EVP_Cipher(&ctx->cctx, out, out, bl)) {
         OPENSSL_cleanse(out, bl);
         return 0;
     }
@@ -213,11 +296,11 @@ int CMAC_resume(CMAC_CTX *ctx)
     if (ctx->nlast_block == -1)
         return 0;
     /*
-     * The buffer "tbl" contains the last fully encrypted block which is the
+     * The buffer "tbl" containes the last fully encrypted block which is the
      * last IV (or all zeroes if no last encrypted block). The last block has
-     * not been modified since CMAC_final(). So reinitialising using the last
+     * not been modified since CMAC_final(). So reinitliasing using the last
      * decrypted block will allow CMAC to continue after calling
      * CMAC_Final().
      */
-    return EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, NULL, ctx->tbl);
+    return EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, ctx->tbl);
 }
diff --git a/Cryptlib/OpenSSL/crypto/comp/c_rle.c b/Cryptlib/OpenSSL/crypto/comp/c_rle.c
new file mode 100644
index 00000000..e9aabbd1
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/comp/c_rle.c
@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/objects.h>
+#include <openssl/comp.h>
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+                              unsigned int olen, unsigned char *in,
+                              unsigned int ilen);
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+                            unsigned int olen, unsigned char *in,
+                            unsigned int ilen);
+
+static COMP_METHOD rle_method = {
+    NID_rle_compression,
+    LN_rle_compression,
+    NULL,
+    NULL,
+    rle_compress_block,
+    rle_expand_block,
+    NULL,
+    NULL,
+};
+
+COMP_METHOD *COMP_rle(void)
+{
+    return (&rle_method);
+}
+
+static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
+                              unsigned int olen, unsigned char *in,
+                              unsigned int ilen)
+{
+    /* int i; */
+
+    if (ilen == 0 || olen < (ilen - 1)) {
+        /* ZZZZZZZZZZZZZZZZZZZZZZ */
+        return (-1);
+    }
+
+    *(out++) = 0;
+    memcpy(out, in, ilen);
+    return (ilen + 1);
+}
+
+static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
+                            unsigned int olen, unsigned char *in,
+                            unsigned int ilen)
+{
+    int i;
+
+    if (olen < (ilen - 1)) {
+        /* ZZZZZZZZZZZZZZZZZZZZZZ */
+        return (-1);
+    }
+
+    i = *(in++);
+    if (i == 0) {
+        memcpy(out, in, ilen - 1);
+    }
+    return (ilen - 1);
+}
diff --git a/Cryptlib/OpenSSL/crypto/comp/c_zlib.c b/Cryptlib/OpenSSL/crypto/comp/c_zlib.c
index 2f38c2e9..9c32614d 100644
--- a/Cryptlib/OpenSSL/crypto/comp/c_zlib.c
+++ b/Cryptlib/OpenSSL/crypto/comp/c_zlib.c
@@ -1,21 +1,9 @@
-/*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/objects.h>
-#include "internal/comp.h"
+#include <openssl/comp.h>
 #include <openssl/err.h>
-#include "internal/cryptlib_int.h"
-#include "internal/bio.h"
-#include "comp_lcl.h"
 
 COMP_METHOD *COMP_zlib(void);
 
@@ -26,6 +14,8 @@ static COMP_METHOD zlib_method_nozlib = {
     NULL,
     NULL,
     NULL,
+    NULL,
+    NULL,
 };
 
 #ifndef ZLIB
@@ -43,12 +33,14 @@ static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
                                       unsigned int olen, unsigned char *in,
                                       unsigned int ilen);
 
-/* memory allocations functions for zlib initialisation */
+/* memory allocations functions for zlib intialization */
 static void *zlib_zalloc(void *opaque, unsigned int no, unsigned int size)
 {
     void *p;
 
-    p = OPENSSL_zalloc(no * size);
+    p = OPENSSL_malloc(no * size);
+    if (p)
+        memset(p, 0, no * size);
     return p;
 }
 
@@ -57,6 +49,28 @@ static void zlib_zfree(void *opaque, void *address)
     OPENSSL_free(address);
 }
 
+# if 0
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+                               unsigned int olen, unsigned char *in,
+                               unsigned int ilen);
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+                             unsigned int olen, unsigned char *in,
+                             unsigned int ilen);
+
+static int zz_uncompress(Bytef *dest, uLongf * destLen, const Bytef *source,
+                         uLong sourceLen);
+
+static COMP_METHOD zlib_stateless_method = {
+    NID_zlib_compression,
+    LN_zlib_compression,
+    NULL,
+    NULL,
+    zlib_compress_block,
+    zlib_expand_block,
+    NULL,
+    NULL,
+};
+# endif
 
 static COMP_METHOD zlib_stateful_method = {
     NID_zlib_compression,
@@ -64,7 +78,9 @@ static COMP_METHOD zlib_stateful_method = {
     zlib_stateful_init,
     zlib_stateful_finish,
     zlib_stateful_compress_block,
-    zlib_stateful_expand_block
+    zlib_stateful_expand_block,
+    NULL,
+    NULL,
 };
 
 /*
@@ -79,7 +95,7 @@ static COMP_METHOD zlib_stateful_method = {
                                  * OPENSSL_SYS_WIN32) */
 
 # ifdef ZLIB_SHARED
-#  include "internal/dso.h"
+#  include <openssl/dso.h>
 
 /* Function pointers */
 typedef int (*compress_ft) (Bytef *dest, uLongf * destLen,
@@ -120,10 +136,13 @@ struct zlib_state {
     z_stream ostream;
 };
 
+static int zlib_stateful_ex_idx = -1;
+
 static int zlib_stateful_init(COMP_CTX *ctx)
 {
     int err;
-    struct zlib_state *state = OPENSSL_zalloc(sizeof(*state));
+    struct zlib_state *state =
+        (struct zlib_state *)OPENSSL_malloc(sizeof(struct zlib_state));
 
     if (state == NULL)
         goto err;
@@ -133,6 +152,8 @@ static int zlib_stateful_init(COMP_CTX *ctx)
     state->istream.opaque = Z_NULL;
     state->istream.next_in = Z_NULL;
     state->istream.next_out = Z_NULL;
+    state->istream.avail_in = 0;
+    state->istream.avail_out = 0;
     err = inflateInit_(&state->istream, ZLIB_VERSION, sizeof(z_stream));
     if (err != Z_OK)
         goto err;
@@ -142,24 +163,31 @@ static int zlib_stateful_init(COMP_CTX *ctx)
     state->ostream.opaque = Z_NULL;
     state->ostream.next_in = Z_NULL;
     state->ostream.next_out = Z_NULL;
+    state->ostream.avail_in = 0;
+    state->ostream.avail_out = 0;
     err = deflateInit_(&state->ostream, Z_DEFAULT_COMPRESSION,
                        ZLIB_VERSION, sizeof(z_stream));
     if (err != Z_OK)
         goto err;
 
-    ctx->data = state;
+    CRYPTO_new_ex_data(CRYPTO_EX_INDEX_COMP, ctx, &ctx->ex_data);
+    CRYPTO_set_ex_data(&ctx->ex_data, zlib_stateful_ex_idx, state);
     return 1;
  err:
-    OPENSSL_free(state);
+    if (state)
+        OPENSSL_free(state);
     return 0;
 }
 
 static void zlib_stateful_finish(COMP_CTX *ctx)
 {
-    struct zlib_state *state = ctx->data;
+    struct zlib_state *state =
+        (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+                                                zlib_stateful_ex_idx);
     inflateEnd(&state->istream);
     deflateEnd(&state->ostream);
     OPENSSL_free(state);
+    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP, ctx, &ctx->ex_data);
 }
 
 static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
@@ -167,7 +195,9 @@ static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
                                         unsigned int ilen)
 {
     int err = Z_OK;
-    struct zlib_state *state = ctx->data;
+    struct zlib_state *state =
+        (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+                                                zlib_stateful_ex_idx);
 
     if (state == NULL)
         return -1;
@@ -180,6 +210,11 @@ static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
         err = deflate(&state->ostream, Z_SYNC_FLUSH);
     if (err != Z_OK)
         return -1;
+# ifdef DEBUG_ZLIB
+    fprintf(stderr, "compress(%4d)->%4d %s\n",
+            ilen, olen - state->ostream.avail_out,
+            (ilen != olen - state->ostream.avail_out) ? "zlib" : "clear");
+# endif
     return olen - state->ostream.avail_out;
 }
 
@@ -188,7 +223,10 @@ static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
                                       unsigned int ilen)
 {
     int err = Z_OK;
-    struct zlib_state *state = ctx->data;
+
+    struct zlib_state *state =
+        (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+                                                zlib_stateful_ex_idx);
 
     if (state == NULL)
         return 0;
@@ -201,9 +239,105 @@ static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
         err = inflate(&state->istream, Z_SYNC_FLUSH);
     if (err != Z_OK)
         return -1;
+# ifdef DEBUG_ZLIB
+    fprintf(stderr, "expand(%4d)->%4d %s\n",
+            ilen, olen - state->istream.avail_out,
+            (ilen != olen - state->istream.avail_out) ? "zlib" : "clear");
+# endif
     return olen - state->istream.avail_out;
 }
 
+# if 0
+static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
+                               unsigned int olen, unsigned char *in,
+                               unsigned int ilen)
+{
+    unsigned long l;
+    int i;
+    int clear = 1;
+
+    if (ilen > 128) {
+        out[0] = 1;
+        l = olen - 1;
+        i = compress(&(out[1]), &l, in, (unsigned long)ilen);
+        if (i != Z_OK)
+            return (-1);
+        if (ilen > l) {
+            clear = 0;
+            l++;
+        }
+    }
+    if (clear) {
+        out[0] = 0;
+        memcpy(&(out[1]), in, ilen);
+        l = ilen + 1;
+    }
+#  ifdef DEBUG_ZLIB
+    fprintf(stderr, "compress(%4d)->%4d %s\n",
+            ilen, (int)l, (clear) ? "clear" : "zlib");
+#  endif
+    return ((int)l);
+}
+
+static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
+                             unsigned int olen, unsigned char *in,
+                             unsigned int ilen)
+{
+    unsigned long l;
+    int i;
+
+    if (in[0]) {
+        l = olen;
+        i = zz_uncompress(out, &l, &(in[1]), (unsigned long)ilen - 1);
+        if (i != Z_OK)
+            return (-1);
+    } else {
+        memcpy(out, &(in[1]), ilen - 1);
+        l = ilen - 1;
+    }
+#  ifdef DEBUG_ZLIB
+    fprintf(stderr, "expand  (%4d)->%4d %s\n",
+            ilen, (int)l, in[0] ? "zlib" : "clear");
+#  endif
+    return ((int)l);
+}
+
+static int zz_uncompress(Bytef *dest, uLongf * destLen, const Bytef *source,
+                         uLong sourceLen)
+{
+    z_stream stream;
+    int err;
+
+    stream.next_in = (Bytef *)source;
+    stream.avail_in = (uInt) sourceLen;
+    /* Check for source > 64K on 16-bit machine: */
+    if ((uLong) stream.avail_in != sourceLen)
+        return Z_BUF_ERROR;
+
+    stream.next_out = dest;
+    stream.avail_out = (uInt) * destLen;
+    if ((uLong) stream.avail_out != *destLen)
+        return Z_BUF_ERROR;
+
+    stream.zalloc = (alloc_func) 0;
+    stream.zfree = (free_func) 0;
+
+    err = inflateInit_(&stream, ZLIB_VERSION, sizeof(z_stream));
+    if (err != Z_OK)
+        return err;
+
+    err = inflate(&stream, Z_FINISH);
+    if (err != Z_STREAM_END) {
+        inflateEnd(&stream);
+        return err;
+    }
+    *destLen = stream.total_out;
+
+    err = inflateEnd(&stream);
+    return err;
+}
+# endif
+
 #endif
 
 COMP_METHOD *COMP_zlib(void)
@@ -211,19 +345,12 @@ COMP_METHOD *COMP_zlib(void)
     COMP_METHOD *meth = &zlib_method_nozlib;
 
 #ifdef ZLIB_SHARED
-    /* LIBZ may be externally defined, and we should respect that value */
-# ifndef LIBZ
-#  if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
-#   define LIBZ "ZLIB1"
-#  elif defined(OPENSSL_SYS_VMS)
-#   define LIBZ "LIBZ"
-#  else
-#   define LIBZ "z"
-#  endif
-# endif
-
     if (!zlib_loaded) {
-        zlib_dso = DSO_load(NULL, LIBZ, NULL, 0);
+# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
+        zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
+# else
+        zlib_dso = DSO_load(NULL, "z", NULL, 0);
+# endif
         if (zlib_dso != NULL) {
             p_compress = (compress_ft) DSO_bind_func(zlib_dso, "compress");
             p_inflateEnd
@@ -242,24 +369,39 @@ COMP_METHOD *COMP_zlib(void)
                 && p_inflateInit_ && p_deflateEnd
                 && p_deflate && p_deflateInit_ && p_zError)
                 zlib_loaded++;
-
-            if (!OPENSSL_init_crypto(OPENSSL_INIT_ZLIB, NULL)) {
-                comp_zlib_cleanup_int();
-                return meth;
-            }
-            if (zlib_loaded)
-                meth = &zlib_stateful_method;
         }
     }
 #endif
-#if defined(ZLIB)
-    meth = &zlib_stateful_method;
+#ifdef ZLIB_SHARED
+    if (zlib_loaded)
+#endif
+#if defined(ZLIB) || defined(ZLIB_SHARED)
+    {
+        /*
+         * init zlib_stateful_ex_idx here so that in a multi-process
+         * application it's enough to intialize openssl before forking (idx
+         * will be inherited in all the children)
+         */
+        if (zlib_stateful_ex_idx == -1) {
+            CRYPTO_w_lock(CRYPTO_LOCK_COMP);
+            if (zlib_stateful_ex_idx == -1)
+                zlib_stateful_ex_idx =
+                    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
+                                            0, NULL, NULL, NULL, NULL);
+            CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
+            if (zlib_stateful_ex_idx == -1)
+                goto err;
+        }
+
+        meth = &zlib_stateful_method;
+    }
+ err:
 #endif
 
     return (meth);
 }
 
-void comp_zlib_cleanup_int(void)
+void COMP_zlib_cleanup(void)
 {
 #ifdef ZLIB_SHARED
     if (zlib_dso != NULL)
@@ -294,7 +436,7 @@ static int bio_zlib_write(BIO *b, const char *in, int inl);
 static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr);
 static long bio_zlib_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp);
 
-static const BIO_METHOD bio_meth_zlib = {
+static BIO_METHOD bio_meth_zlib = {
     BIO_TYPE_COMP,
     "zlib",
     bio_zlib_write,
@@ -307,7 +449,7 @@ static const BIO_METHOD bio_meth_zlib = {
     bio_zlib_callback_ctrl
 };
 
-const BIO_METHOD *BIO_f_zlib(void)
+BIO_METHOD *BIO_f_zlib(void)
 {
     return &bio_meth_zlib;
 }
@@ -322,21 +464,32 @@ static int bio_zlib_new(BIO *bi)
         return 0;
     }
 # endif
-    ctx = OPENSSL_zalloc(sizeof(*ctx));
-    if (ctx == NULL) {
+    ctx = OPENSSL_malloc(sizeof(BIO_ZLIB_CTX));
+    if (!ctx) {
         COMPerr(COMP_F_BIO_ZLIB_NEW, ERR_R_MALLOC_FAILURE);
         return 0;
     }
+    ctx->ibuf = NULL;
+    ctx->obuf = NULL;
     ctx->ibufsize = ZLIB_DEFAULT_BUFSIZE;
     ctx->obufsize = ZLIB_DEFAULT_BUFSIZE;
     ctx->zin.zalloc = Z_NULL;
     ctx->zin.zfree = Z_NULL;
+    ctx->zin.next_in = NULL;
+    ctx->zin.avail_in = 0;
+    ctx->zin.next_out = NULL;
+    ctx->zin.avail_out = 0;
     ctx->zout.zalloc = Z_NULL;
     ctx->zout.zfree = Z_NULL;
+    ctx->zout.next_in = NULL;
+    ctx->zout.avail_in = 0;
+    ctx->zout.next_out = NULL;
+    ctx->zout.avail_out = 0;
+    ctx->odone = 0;
     ctx->comp_level = Z_DEFAULT_COMPRESSION;
-    BIO_set_init(bi, 1);
-    BIO_set_data(bi, ctx);
-
+    bi->init = 1;
+    bi->ptr = (char *)ctx;
+    bi->flags = 0;
     return 1;
 }
 
@@ -345,7 +498,7 @@ static int bio_zlib_free(BIO *bi)
     BIO_ZLIB_CTX *ctx;
     if (!bi)
         return 0;
-    ctx = BIO_get_data(bi);
+    ctx = (BIO_ZLIB_CTX *) bi->ptr;
     if (ctx->ibuf) {
         /* Destroy decompress context */
         inflateEnd(&ctx->zin);
@@ -357,9 +510,9 @@ static int bio_zlib_free(BIO *bi)
         OPENSSL_free(ctx->obuf);
     }
     OPENSSL_free(ctx);
-    BIO_set_data(bi, NULL);
-    BIO_set_init(bi, 0);
-
+    bi->ptr = NULL;
+    bi->init = 0;
+    bi->flags = 0;
     return 1;
 }
 
@@ -368,16 +521,14 @@ static int bio_zlib_read(BIO *b, char *out, int outl)
     BIO_ZLIB_CTX *ctx;
     int ret;
     z_stream *zin;
-    BIO *next = BIO_next(b);
-
     if (!out || !outl)
         return 0;
-    ctx = BIO_get_data(b);
+    ctx = (BIO_ZLIB_CTX *) b->ptr;
     zin = &ctx->zin;
     BIO_clear_retry_flags(b);
     if (!ctx->ibuf) {
         ctx->ibuf = OPENSSL_malloc(ctx->ibufsize);
-        if (ctx->ibuf == NULL) {
+        if (!ctx->ibuf) {
             COMPerr(COMP_F_BIO_ZLIB_READ, ERR_R_MALLOC_FAILURE);
             return 0;
         }
@@ -407,7 +558,7 @@ static int bio_zlib_read(BIO *b, char *out, int outl)
          * No data in input buffer try to read some in, if an error then
          * return the total data read.
          */
-        ret = BIO_read(next, ctx->ibuf, ctx->ibufsize);
+        ret = BIO_read(b->next_bio, ctx->ibuf, ctx->ibufsize);
         if (ret <= 0) {
             /* Total data read */
             int tot = outl - zin->avail_out;
@@ -426,11 +577,9 @@ static int bio_zlib_write(BIO *b, const char *in, int inl)
     BIO_ZLIB_CTX *ctx;
     int ret;
     z_stream *zout;
-    BIO *next = BIO_next(b);
-
     if (!in || !inl)
         return 0;
-    ctx = BIO_get_data(b);
+    ctx = (BIO_ZLIB_CTX *) b->ptr;
     if (ctx->odone)
         return 0;
     zout = &ctx->zout;
@@ -438,7 +587,7 @@ static int bio_zlib_write(BIO *b, const char *in, int inl)
     if (!ctx->obuf) {
         ctx->obuf = OPENSSL_malloc(ctx->obufsize);
         /* Need error here */
-        if (ctx->obuf == NULL) {
+        if (!ctx->obuf) {
             COMPerr(COMP_F_BIO_ZLIB_WRITE, ERR_R_MALLOC_FAILURE);
             return 0;
         }
@@ -454,7 +603,7 @@ static int bio_zlib_write(BIO *b, const char *in, int inl)
     for (;;) {
         /* If data in output buffer write it first */
         while (ctx->ocount) {
-            ret = BIO_write(next, ctx->optr, ctx->ocount);
+            ret = BIO_write(b->next_bio, ctx->optr, ctx->ocount);
             if (ret <= 0) {
                 /* Total data written */
                 int tot = inl - zout->avail_in;
@@ -493,9 +642,7 @@ static int bio_zlib_flush(BIO *b)
     BIO_ZLIB_CTX *ctx;
     int ret;
     z_stream *zout;
-    BIO *next = BIO_next(b);
-
-    ctx = BIO_get_data(b);
+    ctx = (BIO_ZLIB_CTX *) b->ptr;
     /* If no data written or already flush show success */
     if (!ctx->obuf || (ctx->odone && !ctx->ocount))
         return 1;
@@ -507,7 +654,7 @@ static int bio_zlib_flush(BIO *b)
     for (;;) {
         /* If data in output buffer write it first */
         while (ctx->ocount) {
-            ret = BIO_write(next, ctx->optr, ctx->ocount);
+            ret = BIO_write(b->next_bio, ctx->optr, ctx->ocount);
             if (ret <= 0) {
                 BIO_copy_next_retry(b);
                 return ret;
@@ -542,11 +689,9 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
     BIO_ZLIB_CTX *ctx;
     int ret, *ip;
     int ibs, obs;
-    BIO *next = BIO_next(b);
-
-    if (next == NULL)
+    if (!b->next_bio)
         return 0;
-    ctx = BIO_get_data(b);
+    ctx = (BIO_ZLIB_CTX *) b->ptr;
     switch (cmd) {
 
     case BIO_CTRL_RESET:
@@ -558,7 +703,7 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_CTRL_FLUSH:
         ret = bio_zlib_flush(b);
         if (ret > 0)
-            ret = BIO_flush(next);
+            ret = BIO_flush(b->next_bio);
         break;
 
     case BIO_C_SET_BUFF_SIZE:
@@ -576,14 +721,18 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
         }
 
         if (ibs != -1) {
-            OPENSSL_free(ctx->ibuf);
-            ctx->ibuf = NULL;
+            if (ctx->ibuf) {
+                OPENSSL_free(ctx->ibuf);
+                ctx->ibuf = NULL;
+            }
             ctx->ibufsize = ibs;
         }
 
         if (obs != -1) {
-            OPENSSL_free(ctx->obuf);
-            ctx->obuf = NULL;
+            if (ctx->obuf) {
+                OPENSSL_free(ctx->obuf);
+                ctx->obuf = NULL;
+            }
             ctx->obufsize = obs;
         }
         ret = 1;
@@ -591,12 +740,12 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
 
     case BIO_C_DO_STATE_MACHINE:
         BIO_clear_retry_flags(b);
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         BIO_copy_next_retry(b);
         break;
 
     default:
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
 
     }
@@ -606,10 +755,9 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
 
 static long bio_zlib_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 {
-    BIO *next = BIO_next(b);
-    if (next == NULL)
+    if (!b->next_bio)
         return 0;
-    return BIO_callback_ctrl(next, cmd, fp);
+    return BIO_callback_ctrl(b->next_bio, cmd, fp);
 }
 
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/comp/comp_err.c b/Cryptlib/OpenSSL/crypto/comp/comp_err.c
index 8e2e6956..8ca159b6 100644
--- a/Cryptlib/OpenSSL/crypto/comp/comp_err.c
+++ b/Cryptlib/OpenSSL/crypto/comp/comp_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/comp/comp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,10 +70,10 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_COMP,0,reason)
 
 static ERR_STRING_DATA COMP_str_functs[] = {
-    {ERR_FUNC(COMP_F_BIO_ZLIB_FLUSH), "bio_zlib_flush"},
-    {ERR_FUNC(COMP_F_BIO_ZLIB_NEW), "bio_zlib_new"},
-    {ERR_FUNC(COMP_F_BIO_ZLIB_READ), "bio_zlib_read"},
-    {ERR_FUNC(COMP_F_BIO_ZLIB_WRITE), "bio_zlib_write"},
+    {ERR_FUNC(COMP_F_BIO_ZLIB_FLUSH), "BIO_ZLIB_FLUSH"},
+    {ERR_FUNC(COMP_F_BIO_ZLIB_NEW), "BIO_ZLIB_NEW"},
+    {ERR_FUNC(COMP_F_BIO_ZLIB_READ), "BIO_ZLIB_READ"},
+    {ERR_FUNC(COMP_F_BIO_ZLIB_WRITE), "BIO_ZLIB_WRITE"},
     {0, NULL}
 };
 
@@ -35,7 +86,7 @@ static ERR_STRING_DATA COMP_str_reasons[] = {
 
 #endif
 
-int ERR_load_COMP_strings(void)
+void ERR_load_COMP_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -44,5 +95,4 @@ int ERR_load_COMP_strings(void)
         ERR_load_strings(0, COMP_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/comp/comp_lcl.h b/Cryptlib/OpenSSL/crypto/comp/comp_lcl.h
deleted file mode 100644
index aa45fca2..00000000
--- a/Cryptlib/OpenSSL/crypto/comp/comp_lcl.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-struct comp_method_st {
-    int type;                   /* NID for compression library */
-    const char *name;           /* A text string to identify the library */
-    int (*init) (COMP_CTX *ctx);
-    void (*finish) (COMP_CTX *ctx);
-    int (*compress) (COMP_CTX *ctx,
-                     unsigned char *out, unsigned int olen,
-                     unsigned char *in, unsigned int ilen);
-    int (*expand) (COMP_CTX *ctx,
-                   unsigned char *out, unsigned int olen,
-                   unsigned char *in, unsigned int ilen);
-};
-
-struct comp_ctx_st {
-    struct comp_method_st *meth;
-    unsigned long compress_in;
-    unsigned long compress_out;
-    unsigned long expand_in;
-    unsigned long expand_out;
-    void* data;
-};
diff --git a/Cryptlib/OpenSSL/crypto/comp/comp_lib.c b/Cryptlib/OpenSSL/crypto/comp/comp_lib.c
index 32afd0db..bd4eb7a1 100644
--- a/Cryptlib/OpenSSL/crypto/comp/comp_lib.c
+++ b/Cryptlib/OpenSSL/crypto/comp/comp_lib.c
@@ -1,25 +1,18 @@
-/*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/objects.h>
 #include <openssl/comp.h>
-#include "comp_lcl.h"
 
 COMP_CTX *COMP_CTX_new(COMP_METHOD *meth)
 {
     COMP_CTX *ret;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
+    if ((ret = (COMP_CTX *)OPENSSL_malloc(sizeof(COMP_CTX))) == NULL) {
+        /* ZZZZZZZZZZZZZZZZ */
         return (NULL);
+    }
+    memset(ret, 0, sizeof(COMP_CTX));
     ret->meth = meth;
     if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
         OPENSSL_free(ret);
@@ -28,21 +21,6 @@ COMP_CTX *COMP_CTX_new(COMP_METHOD *meth)
     return (ret);
 }
 
-const COMP_METHOD *COMP_CTX_get_method(const COMP_CTX *ctx)
-{
-    return ctx->meth;
-}
-
-int COMP_get_type(const COMP_METHOD *meth)
-{
-    return meth->type;
-}
-
-const char *COMP_get_name(const COMP_METHOD *meth)
-{
-    return meth->name;
-}
-
 void COMP_CTX_free(COMP_CTX *ctx)
 {
     if (ctx == NULL)
@@ -59,6 +37,7 @@ int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
 {
     int ret;
     if (ctx->meth->compress == NULL) {
+        /* ZZZZZZZZZZZZZZZZZ */
         return (-1);
     }
     ret = ctx->meth->compress(ctx, out, olen, in, ilen);
@@ -75,6 +54,7 @@ int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
     int ret;
 
     if (ctx->meth->expand == NULL) {
+        /* ZZZZZZZZZZZZZZZZZ */
         return (-1);
     }
     ret = ctx->meth->expand(ctx, out, olen, in, ilen);
@@ -84,8 +64,3 @@ int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
     }
     return (ret);
 }
-
-int COMP_CTX_get_type(const COMP_CTX* comp)
-{
-    return comp->meth ? comp->meth->type : NID_undef;
-}
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_api.c b/Cryptlib/OpenSSL/crypto/conf/conf_api.c
index 5535416a..4cf75533 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_api.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_api.c
@@ -1,22 +1,81 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* conf_api.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /* Part of the code in here was originally in conf.c, which is now removed */
 
+#ifndef CONF_DEBUG
+# undef NDEBUG                  /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
+#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
 #include "e_os.h"
 
-static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf);
+static void value_free_hash_doall_arg(CONF_VALUE *a,
+                                      LHASH_OF(CONF_VALUE) *conf);
 static void value_free_stack_doall(CONF_VALUE *a);
+static IMPLEMENT_LHASH_DOALL_ARG_FN(value_free_hash, CONF_VALUE,
+                                    LHASH_OF(CONF_VALUE))
+static IMPLEMENT_LHASH_DOALL_FN(value_free_stack, CONF_VALUE)
 
 /* Up until OpenSSL 0.9.5a, this was get_section */
 CONF_VALUE *_CONF_get_section(const CONF *conf, const char *section)
@@ -98,11 +157,35 @@ char *_CONF_get_string(const CONF *conf, const char *section,
         return (getenv(name));
 }
 
+#if 0                           /* There's no way to provide error checking
+                                 * with this function, so force implementors
+                                 * of the higher levels to get a string and
+                                 * read the number themselves. */
+long _CONF_get_number(CONF *conf, char *section, char *name)
+{
+    char *str;
+    long ret = 0;
+
+    str = _CONF_get_string(conf, section, name);
+    if (str == NULL)
+        return (0);
+    for (;;) {
+        if (conf->meth->is_number(conf, *str))
+            ret = ret * 10 + conf->meth->to_int(conf, *str);
+        else
+            return (ret);
+        str++;
+    }
+}
+#endif
+
 static unsigned long conf_value_hash(const CONF_VALUE *v)
 {
-    return (OPENSSL_LH_strhash(v->section) << 2) ^ OPENSSL_LH_strhash(v->name);
+    return (lh_strhash(v->section) << 2) ^ lh_strhash(v->name);
 }
 
+static IMPLEMENT_LHASH_HASH_FN(conf_value, CONF_VALUE)
+
 static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b)
 {
     int i;
@@ -122,42 +205,43 @@ static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b)
         return ((a->name == NULL) ? -1 : 1);
 }
 
+static IMPLEMENT_LHASH_COMP_FN(conf_value, CONF_VALUE)
+
 int _CONF_new_data(CONF *conf)
 {
     if (conf == NULL) {
         return 0;
     }
-    if (conf->data == NULL) {
-        conf->data = lh_CONF_VALUE_new(conf_value_hash, conf_value_cmp);
-        if (conf->data == NULL)
+    if (conf->data == NULL)
+        if ((conf->data = lh_CONF_VALUE_new()) == NULL) {
             return 0;
-    }
+        }
     return 1;
 }
 
-typedef LHASH_OF(CONF_VALUE) LH_CONF_VALUE;
-
-IMPLEMENT_LHASH_DOALL_ARG_CONST(CONF_VALUE, LH_CONF_VALUE);
-
 void _CONF_free_data(CONF *conf)
 {
     if (conf == NULL || conf->data == NULL)
         return;
 
-    /* evil thing to make sure the 'OPENSSL_free()' works as expected */
-    lh_CONF_VALUE_set_down_load(conf->data, 0);
-    lh_CONF_VALUE_doall_LH_CONF_VALUE(conf->data, value_free_hash, conf->data);
+    lh_CONF_VALUE_down_load(conf->data) = 0; /* evil thing to make * sure the
+                                              * 'OPENSSL_free()' works as *
+                                              * expected */
+    lh_CONF_VALUE_doall_arg(conf->data,
+                            LHASH_DOALL_ARG_FN(value_free_hash),
+                            LHASH_OF(CONF_VALUE), conf->data);
 
     /*
      * We now have only 'section' entries in the hash table. Due to problems
      * with
      */
 
-    lh_CONF_VALUE_doall(conf->data, value_free_stack_doall);
+    lh_CONF_VALUE_doall(conf->data, LHASH_DOALL_FN(value_free_stack));
     lh_CONF_VALUE_free(conf->data);
 }
 
-static void value_free_hash(const CONF_VALUE *a, LHASH_OF(CONF_VALUE) *conf)
+static void value_free_hash_doall_arg(CONF_VALUE *a,
+                                      LHASH_OF(CONF_VALUE) *conf)
 {
     if (a->name != NULL)
         (void)lh_CONF_VALUE_delete(conf, a);
@@ -179,7 +263,8 @@ static void value_free_stack_doall(CONF_VALUE *a)
         OPENSSL_free(vv->name);
         OPENSSL_free(vv);
     }
-    sk_CONF_VALUE_free(sk);
+    if (sk != NULL)
+        sk_CONF_VALUE_free(sk);
     OPENSSL_free(a->section);
     OPENSSL_free(a);
 }
@@ -188,12 +273,12 @@ static void value_free_stack_doall(CONF_VALUE *a)
 CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
 {
     STACK_OF(CONF_VALUE) *sk = NULL;
-    int i;
+    int ok = 0, i;
     CONF_VALUE *v = NULL, *vv;
 
     if ((sk = sk_CONF_VALUE_new_null()) == NULL)
         goto err;
-    if ((v = OPENSSL_malloc(sizeof(*v))) == NULL)
+    if ((v = OPENSSL_malloc(sizeof(CONF_VALUE))) == NULL)
         goto err;
     i = strlen(section) + 1;
     if ((v->section = OPENSSL_malloc(i)) == NULL)
@@ -205,10 +290,16 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
 
     vv = lh_CONF_VALUE_insert(conf->data, v);
     OPENSSL_assert(vv == NULL);
-    return v;
-
+    ok = 1;
  err:
-    sk_CONF_VALUE_free(sk);
-    OPENSSL_free(v);
-    return NULL;
+    if (!ok) {
+        if (sk != NULL)
+            sk_CONF_VALUE_free(sk);
+        if (v != NULL)
+            OPENSSL_free(v);
+        v = NULL;
+    }
+    return (v);
 }
+
+IMPLEMENT_STACK_OF(CONF_VALUE)
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_def.c b/Cryptlib/OpenSSL/crypto/conf/conf_def.c
index 8861b3a5..3d308c7e 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_def.c
@@ -1,17 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/conf/conf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /* Part of the code in here was originally in conf.c, which is now removed */
 
 #include <stdio.h>
 #include <string.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/stack.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
@@ -39,6 +88,8 @@ static int def_dump(const CONF *conf, BIO *bp);
 static int def_is_number(const CONF *conf, char c);
 static int def_to_int(const CONF *conf, char c);
 
+const char CONF_def_version[] = "CONF_def" OPENSSL_VERSION_PTEXT;
+
 static CONF_METHOD default_method = {
     "OpenSSL default",
     def_create,
@@ -79,8 +130,8 @@ static CONF *def_create(CONF_METHOD *meth)
 {
     CONF *ret;
 
-    ret = OPENSSL_malloc(sizeof(*ret));
-    if (ret != NULL)
+    ret = OPENSSL_malloc(sizeof(CONF) + sizeof(unsigned short *));
+    if (ret)
         if (meth->init(ret) == 0) {
             OPENSSL_free(ret);
             ret = NULL;
@@ -94,7 +145,7 @@ static int def_init_default(CONF *conf)
         return 0;
 
     conf->meth = &default_method;
-    conf->meth_data = (void *)CONF_type_default;
+    conf->meth_data = CONF_type_default;
     conf->data = NULL;
 
     return 1;
@@ -131,6 +182,10 @@ static int def_destroy_data(CONF *conf)
 
 static int def_load(CONF *conf, const char *name, long *line)
 {
+#ifdef OPENSSL_NO_STDIO
+    CONFerr(CONF_F_DEF_LOAD, ERR_R_SYS_LIB);
+    return 0;
+#else
     int ret;
     BIO *in = NULL;
 
@@ -151,6 +206,7 @@ static int def_load(CONF *conf, const char *name, long *line)
     BIO_free(in);
 
     return ret;
+#endif
 }
 
 static int def_load_bio(CONF *conf, BIO *in, long *line)
@@ -174,7 +230,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
         goto err;
     }
 
-    section = OPENSSL_strdup("default");
+    section = BUF_strdup("default");
     if (section == NULL) {
         CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -305,19 +361,19 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
             p++;
             *p = '\0';
 
-            if ((v = OPENSSL_malloc(sizeof(*v))) == NULL) {
+            if (!(v = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) {
                 CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
             if (psection == NULL)
                 psection = section;
-            v->name = OPENSSL_malloc(strlen(pname) + 1);
+            v->name = (char *)OPENSSL_malloc(strlen(pname) + 1);
             v->value = NULL;
             if (v->name == NULL) {
                 CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
-            OPENSSL_strlcpy(v->name, pname, strlen(pname) + 1);
+            BUF_strlcpy(v->name, pname, strlen(pname) + 1);
             if (!str_copy(conf, psection, &(v->value), start))
                 goto err;
 
@@ -332,31 +388,53 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                 }
             } else
                 tv = sv;
+#if 1
             if (_CONF_add_string(conf, tv, v) == 0) {
                 CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
+#else
+            v->section = tv->section;
+            if (!sk_CONF_VALUE_push(ts, v)) {
+                CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
+                goto err;
+            }
+            vv = (CONF_VALUE *)lh_insert(conf->data, v);
+            if (vv != NULL) {
+                sk_CONF_VALUE_delete_ptr(ts, vv);
+                OPENSSL_free(vv->name);
+                OPENSSL_free(vv->value);
+                OPENSSL_free(vv);
+            }
+#endif
             v = NULL;
         }
     }
-    BUF_MEM_free(buff);
-    OPENSSL_free(section);
+    if (buff != NULL)
+        BUF_MEM_free(buff);
+    if (section != NULL)
+        OPENSSL_free(section);
     return (1);
  err:
-    BUF_MEM_free(buff);
-    OPENSSL_free(section);
+    if (buff != NULL)
+        BUF_MEM_free(buff);
+    if (section != NULL)
+        OPENSSL_free(section);
     if (line != NULL)
         *line = eline;
     BIO_snprintf(btmp, sizeof btmp, "%ld", eline);
     ERR_add_error_data(2, "line ", btmp);
-    if (h != conf->data) {
+    if ((h != conf->data) && (conf->data != NULL)) {
         CONF_free(conf->data);
         conf->data = NULL;
     }
     if (v != NULL) {
-        OPENSSL_free(v->name);
-        OPENSSL_free(v->value);
-        OPENSSL_free(v);
+        if (v->name != NULL)
+            OPENSSL_free(v->name);
+        if (v->value != NULL)
+            OPENSSL_free(v->value);
+        if (v != NULL)
+            OPENSSL_free(v);
     }
     return (0);
 }
@@ -536,12 +614,14 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
             buf->data[to++] = *(from++);
     }
     buf->data[to] = '\0';
-    OPENSSL_free(*pto);
+    if (*pto != NULL)
+        OPENSSL_free(*pto);
     *pto = buf->data;
     OPENSSL_free(buf);
     return (1);
  err:
-    BUF_MEM_free(buf);
+    if (buf != NULL)
+        BUF_MEM_free(buf);
     return (0);
 }
 
@@ -603,7 +683,7 @@ static char *scan_dquote(CONF *conf, char *p)
     return (p);
 }
 
-static void dump_value_doall_arg(const CONF_VALUE *a, BIO *out)
+static void dump_value_doall_arg(CONF_VALUE *a, BIO *out)
 {
     if (a->name)
         BIO_printf(out, "[%s] %s=%s\n", a->section, a->name, a->value);
@@ -611,11 +691,12 @@ static void dump_value_doall_arg(const CONF_VALUE *a, BIO *out)
         BIO_printf(out, "[[%s]]\n", a->section);
 }
 
-IMPLEMENT_LHASH_DOALL_ARG_CONST(CONF_VALUE, BIO);
+static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_value, CONF_VALUE, BIO)
 
 static int def_dump(const CONF *conf, BIO *out)
 {
-    lh_CONF_VALUE_doall_BIO(conf->data, dump_value_doall_arg, out);
+    lh_CONF_VALUE_doall_arg(conf->data, LHASH_DOALL_ARG_FN(dump_value),
+                            BIO, out);
     return 1;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_def.h b/Cryptlib/OpenSSL/crypto/conf/conf_def.h
index da4767e1..48b34421 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_def.h
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_def.h
@@ -1,12 +1,64 @@
-/*
- * WARNING: do not edit!
- * Generated by crypto/conf/keysets.pl
+/* crypto/conf/conf_def.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/*
+ * THIS FILE WAS AUTOMAGICALLY GENERATED! Please modify and use keysets.pl to
+ * regenerate it.
  */
 
 #define CONF_NUMBER             1
@@ -27,38 +79,38 @@
 #define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \
                                         CONF_PUNCTUATION)
 
-#define KEYTYPES(c)             ((const unsigned short *)((c)->meth_data))
+#define KEYTYPES(c)             ((unsigned short *)((c)->meth_data))
 #ifndef CHARSET_EBCDIC
-# define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_COMMENT)
-# define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0xff]&CONF_FCOMMENT)
-# define IS_EOF(c,a)             (KEYTYPES(c)[(a)&0xff]&CONF_EOF)
-# define IS_ESC(c,a)             (KEYTYPES(c)[(a)&0xff]&CONF_ESC)
-# define IS_NUMBER(c,a)          (KEYTYPES(c)[(a)&0xff]&CONF_NUMBER)
-# define IS_WS(c,a)              (KEYTYPES(c)[(a)&0xff]&CONF_WS)
-# define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC)
+# define IS_COMMENT(c,a)        (KEYTYPES(c)[(a)&0xff]&CONF_COMMENT)
+# define IS_FCOMMENT(c,a)       (KEYTYPES(c)[(a)&0xff]&CONF_FCOMMENT)
+# define IS_EOF(c,a)            (KEYTYPES(c)[(a)&0xff]&CONF_EOF)
+# define IS_ESC(c,a)            (KEYTYPES(c)[(a)&0xff]&CONF_ESC)
+# define IS_NUMBER(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_NUMBER)
+# define IS_WS(c,a)             (KEYTYPES(c)[(a)&0xff]&CONF_WS)
+# define IS_ALPHA_NUMERIC(c,a)  (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC)
 # define IS_ALPHA_NUMERIC_PUNCT(c,a) \
                                 (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
-# define IS_QUOTE(c,a)           (KEYTYPES(c)[(a)&0xff]&CONF_QUOTE)
-# define IS_DQUOTE(c,a)          (KEYTYPES(c)[(a)&0xff]&CONF_DQUOTE)
-# define IS_HIGHBIT(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_HIGHBIT)
+# define IS_QUOTE(c,a)          (KEYTYPES(c)[(a)&0xff]&CONF_QUOTE)
+# define IS_DQUOTE(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_DQUOTE)
+# define IS_HIGHBIT(c,a)        (KEYTYPES(c)[(a)&0xff]&CONF_HIGHBIT)
 
-#else                           /* CHARSET_EBCDIC */
+#else /*CHARSET_EBCDIC*/
 
-# define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_COMMENT)
-# define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_FCOMMENT)
-# define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_EOF)
-# define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_ESC)
-# define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_NUMBER)
-# define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_WS)
-# define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_ALPHA_NUMERIC)
+# define IS_COMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_COMMENT)
+# define IS_FCOMMENT(c,a)       (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_FCOMMENT)
+# define IS_EOF(c,a)            (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_EOF)
+# define IS_ESC(c,a)            (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ESC)
+# define IS_NUMBER(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_NUMBER)
+# define IS_WS(c,a)             (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_WS)
+# define IS_ALPHA_NUMERIC(c,a)  (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC)
 # define IS_ALPHA_NUMERIC_PUNCT(c,a) \
-                                (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_ALPHA_NUMERIC_PUNCT)
-# define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_QUOTE)
-# define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_DQUOTE)
-# define IS_HIGHBIT(c,a)         (KEYTYPES(c)[os_toascii[a & 0xff]]&CONF_HIGHBIT)
-#endif                          /* CHARSET_EBCDIC */
+                                (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
+# define IS_QUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_QUOTE)
+# define IS_DQUOTE(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_DQUOTE)
+# define IS_HIGHBIT(c,a)        (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_HIGHBIT)
+#endif /*CHARSET_EBCDIC*/
 
-static const unsigned short CONF_type_default[256] = {
+static unsigned short CONF_type_default[256] = {
     0x0008, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
     0x0000, 0x0010, 0x0010, 0x0000, 0x0000, 0x0010, 0x0000, 0x0000,
     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
@@ -93,7 +145,7 @@ static const unsigned short CONF_type_default[256] = {
     0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000,
 };
 
-static const unsigned short CONF_type_win32[256] = {
+static unsigned short CONF_type_win32[256] = {
     0x0008, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
     0x0000, 0x0010, 0x0010, 0x0000, 0x0000, 0x0010, 0x0000, 0x0000,
     0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_err.c b/Cryptlib/OpenSSL/crypto/conf/conf_err.c
index b583c057..bb5e2fe2 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_err.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/conf/conf_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -21,15 +72,18 @@
 static ERR_STRING_DATA CONF_str_functs[] = {
     {ERR_FUNC(CONF_F_CONF_DUMP_FP), "CONF_dump_fp"},
     {ERR_FUNC(CONF_F_CONF_LOAD), "CONF_load"},
+    {ERR_FUNC(CONF_F_CONF_LOAD_BIO), "CONF_load_bio"},
     {ERR_FUNC(CONF_F_CONF_LOAD_FP), "CONF_load_fp"},
+    {ERR_FUNC(CONF_F_CONF_MODULES_LOAD), "CONF_modules_load"},
     {ERR_FUNC(CONF_F_CONF_PARSE_LIST), "CONF_parse_list"},
-    {ERR_FUNC(CONF_F_DEF_LOAD), "def_load"},
-    {ERR_FUNC(CONF_F_DEF_LOAD_BIO), "def_load_bio"},
-    {ERR_FUNC(CONF_F_MODULE_INIT), "module_init"},
-    {ERR_FUNC(CONF_F_MODULE_LOAD_DSO), "module_load_dso"},
-    {ERR_FUNC(CONF_F_MODULE_RUN), "module_run"},
+    {ERR_FUNC(CONF_F_DEF_LOAD), "DEF_LOAD"},
+    {ERR_FUNC(CONF_F_DEF_LOAD_BIO), "DEF_LOAD_BIO"},
+    {ERR_FUNC(CONF_F_MODULE_INIT), "MODULE_INIT"},
+    {ERR_FUNC(CONF_F_MODULE_LOAD_DSO), "MODULE_LOAD_DSO"},
+    {ERR_FUNC(CONF_F_MODULE_RUN), "MODULE_RUN"},
     {ERR_FUNC(CONF_F_NCONF_DUMP_BIO), "NCONF_dump_bio"},
     {ERR_FUNC(CONF_F_NCONF_DUMP_FP), "NCONF_dump_fp"},
+    {ERR_FUNC(CONF_F_NCONF_GET_NUMBER), "NCONF_get_number"},
     {ERR_FUNC(CONF_F_NCONF_GET_NUMBER_E), "NCONF_get_number_e"},
     {ERR_FUNC(CONF_F_NCONF_GET_SECTION), "NCONF_get_section"},
     {ERR_FUNC(CONF_F_NCONF_GET_STRING), "NCONF_get_string"},
@@ -37,7 +91,7 @@ static ERR_STRING_DATA CONF_str_functs[] = {
     {ERR_FUNC(CONF_F_NCONF_LOAD_BIO), "NCONF_load_bio"},
     {ERR_FUNC(CONF_F_NCONF_LOAD_FP), "NCONF_load_fp"},
     {ERR_FUNC(CONF_F_NCONF_NEW), "NCONF_new"},
-    {ERR_FUNC(CONF_F_STR_COPY), "str_copy"},
+    {ERR_FUNC(CONF_F_STR_COPY), "STR_COPY"},
     {0, NULL}
 };
 
@@ -47,6 +101,7 @@ static ERR_STRING_DATA CONF_str_reasons[] = {
     {ERR_REASON(CONF_R_MISSING_CLOSE_SQUARE_BRACKET),
      "missing close square bracket"},
     {ERR_REASON(CONF_R_MISSING_EQUAL_SIGN), "missing equal sign"},
+    {ERR_REASON(CONF_R_MISSING_FINISH_FUNCTION), "missing finish function"},
     {ERR_REASON(CONF_R_MISSING_INIT_FUNCTION), "missing init function"},
     {ERR_REASON(CONF_R_MODULE_INITIALIZATION_ERROR),
      "module initialization error"},
@@ -66,7 +121,7 @@ static ERR_STRING_DATA CONF_str_reasons[] = {
 
 #endif
 
-int ERR_load_CONF_strings(void)
+void ERR_load_CONF_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -75,5 +130,4 @@ int ERR_load_CONF_strings(void)
         ERR_load_strings(0, CONF_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_lib.c b/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
index 35321149..b3b29adb 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
@@ -1,21 +1,70 @@
+/* conf_lib.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include <string.h>
-#include <internal/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
 #include <openssl/lhash.h>
-#include "e_os.h"
+
+const char CONF_version[] = "CONF" OPENSSL_VERSION_PTEXT;
 
 static CONF_METHOD *default_CONF_method = NULL;
 
@@ -41,6 +90,7 @@ int CONF_set_default_method(CONF_METHOD *meth)
     return 1;
 }
 
+#ifndef OPENSSL_NO_STDIO
 LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file,
                                 long *eline)
 {
@@ -62,14 +112,15 @@ LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file,
 
     return ltmp;
 }
+#endif
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 LHASH_OF(CONF_VALUE) *CONF_load_fp(LHASH_OF(CONF_VALUE) *conf, FILE *fp,
                                    long *eline)
 {
     BIO *btmp;
     LHASH_OF(CONF_VALUE) *ltmp;
-    if ((btmp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL) {
+    if (!(btmp = BIO_new_fp(fp, BIO_NOCLOSE))) {
         CONFerr(CONF_F_CONF_LOAD_FP, ERR_R_BUF_LIB);
         return NULL;
     }
@@ -145,13 +196,13 @@ void CONF_free(LHASH_OF(CONF_VALUE) *conf)
     NCONF_free_data(&ctmp);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int CONF_dump_fp(LHASH_OF(CONF_VALUE) *conf, FILE *out)
 {
     BIO *btmp;
     int ret;
 
-    if ((btmp = BIO_new_fp(out, BIO_NOCLOSE)) == NULL) {
+    if (!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
         CONFerr(CONF_F_CONF_DUMP_FP, ERR_R_BUF_LIB);
         return 0;
     }
@@ -206,6 +257,7 @@ void NCONF_free_data(CONF *conf)
     conf->meth->destroy_data(conf);
 }
 
+#ifndef OPENSSL_NO_STDIO
 int NCONF_load(CONF *conf, const char *file, long *eline)
 {
     if (conf == NULL) {
@@ -215,13 +267,14 @@ int NCONF_load(CONF *conf, const char *file, long *eline)
 
     return conf->meth->load(conf, file, eline);
 }
+#endif
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int NCONF_load_fp(CONF *conf, FILE *fp, long *eline)
 {
     BIO *btmp;
     int ret;
-    if ((btmp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL) {
+    if (!(btmp = BIO_new_fp(fp, BIO_NOCLOSE))) {
         CONFerr(CONF_F_NCONF_LOAD_FP, ERR_R_BUF_LIB);
         return 0;
     }
@@ -287,6 +340,9 @@ int NCONF_get_number_e(const CONF *conf, const char *group, const char *name,
         return 0;
     }
 
+    if (conf == NULL)
+        return 0;
+
     str = NCONF_get_string(conf, group, name);
 
     if (str == NULL)
@@ -300,12 +356,12 @@ int NCONF_get_number_e(const CONF *conf, const char *group, const char *name,
     return 1;
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int NCONF_dump_fp(const CONF *conf, FILE *out)
 {
     BIO *btmp;
     int ret;
-    if ((btmp = BIO_new_fp(out, BIO_NOCLOSE)) == NULL) {
+    if (!(btmp = BIO_new_fp(out, BIO_NOCLOSE))) {
         CONFerr(CONF_F_NCONF_DUMP_FP, ERR_R_BUF_LIB);
         return 0;
     }
@@ -325,41 +381,18 @@ int NCONF_dump_bio(const CONF *conf, BIO *out)
     return conf->meth->dump(conf, out);
 }
 
-/*
- * These routines call the C malloc/free, to avoid intermixing with
- * OpenSSL function pointers before the library is initialized.
- */
-OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void)
-{
-    OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
-
-    if (ret != NULL)
-        memset(ret, 0, sizeof(*ret));
-    return ret;
-}
-
-
-#ifndef OPENSSL_NO_STDIO
-int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
-                                    const char *appname)
+/* This function should be avoided */
+#if 0
+long NCONF_get_number(CONF *conf, char *group, char *name)
 {
-    char *newappname = NULL;
+    int status;
+    long ret = 0;
 
-    if (appname != NULL) {
-        newappname = strdup(appname);
-        if (newappname == NULL)
-            return 0;
+    status = NCONF_get_number_e(conf, group, name, &ret);
+    if (status == 0) {
+        /* This function does not believe in errors... */
+        ERR_get_error();
     }
-
-    free(settings->appname);
-    settings->appname = newappname;
-
-    return 1;
+    return ret;
 }
 #endif
-
-void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings)
-{
-    free(settings->appname);
-    free(settings);
-}
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mall.c b/Cryptlib/OpenSSL/crypto/conf/conf_mall.c
index 4e7a434e..b4dbd662 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_mall.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_mall.c
@@ -1,19 +1,72 @@
+/* conf_mall.c */
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
+#include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#include <openssl/engine.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
 
 /* Load all OpenSSL builtin modules */
 
@@ -21,7 +74,6 @@ void OPENSSL_load_builtin_modules(void)
 {
     /* Add builtin modules here */
     ASN1_add_oid_module();
-    ASN1_add_stable_module();
 #ifndef OPENSSL_NO_ENGINE
     ENGINE_add_conf_module();
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_mod.c b/Cryptlib/OpenSSL/crypto/conf/conf_mod.c
index 31f838e0..13d93ea0 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_mod.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_mod.c
@@ -1,18 +1,68 @@
+/* conf_mod.c */
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
-#include "internal/conf.h"
-#include "internal/dso.h"
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
 #include <openssl/x509.h>
 
 #define DSO_mod_init_name "OPENSSL_init"
@@ -56,16 +106,16 @@ static STACK_OF(CONF_IMODULE) *initialized_modules = NULL;
 
 static void module_free(CONF_MODULE *md);
 static void module_finish(CONF_IMODULE *imod);
-static int module_run(const CONF *cnf, const char *name, const char *value,
+static int module_run(const CONF *cnf, char *name, char *value,
                       unsigned long flags);
 static CONF_MODULE *module_add(DSO *dso, const char *name,
                                conf_init_func *ifunc,
                                conf_finish_func *ffunc);
-static CONF_MODULE *module_find(const char *name);
-static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
+static CONF_MODULE *module_find(char *name);
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
                        const CONF *cnf);
-static CONF_MODULE *module_load_dso(const CONF *cnf, const char *name,
-                                    const char *value);
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                    unsigned long flags);
 
 /* Main function: load modules from a CONF structure */
 
@@ -109,6 +159,7 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
 
 }
 
+#ifndef OPENSSL_NO_STDIO
 int CONF_modules_load_file(const char *filename, const char *appname,
                            unsigned long flags)
 {
@@ -116,7 +167,7 @@ int CONF_modules_load_file(const char *filename, const char *appname,
     CONF *conf = NULL;
     int ret = 0;
     conf = NCONF_new(NULL);
-    if (conf == NULL)
+    if (!conf)
         goto err;
 
     if (filename == NULL) {
@@ -144,8 +195,9 @@ int CONF_modules_load_file(const char *filename, const char *appname,
 
     return ret;
 }
+#endif
 
-static int module_run(const CONF *cnf, const char *name, const char *value,
+static int module_run(const CONF *cnf, char *name, char *value,
                       unsigned long flags)
 {
     CONF_MODULE *md;
@@ -155,7 +207,7 @@ static int module_run(const CONF *cnf, const char *name, const char *value,
 
     /* Module not found: try to load DSO */
     if (!md && !(flags & CONF_MFLAGS_NO_DSO))
-        md = module_load_dso(cnf, name, value);
+        md = module_load_dso(cnf, name, value, flags);
 
     if (!md) {
         if (!(flags & CONF_MFLAGS_SILENT)) {
@@ -181,13 +233,13 @@ static int module_run(const CONF *cnf, const char *name, const char *value,
 }
 
 /* Load a module from a DSO */
-static CONF_MODULE *module_load_dso(const CONF *cnf,
-                                    const char *name, const char *value)
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                    unsigned long flags)
 {
     DSO *dso = NULL;
     conf_init_func *ifunc;
     conf_finish_func *ffunc;
-    const char *path = NULL;
+    char *path = NULL;
     int errcode = 0;
     CONF_MODULE *md;
     /* Look for alternative path in module section */
@@ -216,7 +268,8 @@ static CONF_MODULE *module_load_dso(const CONF *cnf,
     return md;
 
  err:
-    DSO_free(dso);
+    if (dso)
+        DSO_free(dso);
     CONFerr(CONF_F_MODULE_LOAD_DSO, errcode);
     ERR_add_error_data(4, "module=", name, ", path=", path);
     return NULL;
@@ -231,21 +284,21 @@ static CONF_MODULE *module_add(DSO *dso, const char *name,
         supported_modules = sk_CONF_MODULE_new_null();
     if (supported_modules == NULL)
         return NULL;
-    tmod = OPENSSL_zalloc(sizeof(*tmod));
+    tmod = OPENSSL_malloc(sizeof(CONF_MODULE));
     if (tmod == NULL)
         return NULL;
 
     tmod->dso = dso;
-    tmod->name = OPENSSL_strdup(name);
-    tmod->init = ifunc;
-    tmod->finish = ffunc;
+    tmod->name = BUF_strdup(name);
     if (tmod->name == NULL) {
         OPENSSL_free(tmod);
         return NULL;
     }
+    tmod->init = ifunc;
+    tmod->finish = ffunc;
+    tmod->links = 0;
 
     if (!sk_CONF_MODULE_push(supported_modules, tmod)) {
-        OPENSSL_free(tmod->name);
         OPENSSL_free(tmod);
         return NULL;
     }
@@ -259,7 +312,7 @@ static CONF_MODULE *module_add(DSO *dso, const char *name,
  * initialized more than once.
  */
 
-static CONF_MODULE *module_find(const char *name)
+static CONF_MODULE *module_find(char *name)
 {
     CONF_MODULE *tmod;
     int i, nchar;
@@ -273,7 +326,7 @@ static CONF_MODULE *module_find(const char *name)
 
     for (i = 0; i < sk_CONF_MODULE_num(supported_modules); i++) {
         tmod = sk_CONF_MODULE_value(supported_modules, i);
-        if (strncmp(tmod->name, name, nchar) == 0)
+        if (!strncmp(tmod->name, name, nchar))
             return tmod;
     }
 
@@ -282,7 +335,7 @@ static CONF_MODULE *module_find(const char *name)
 }
 
 /* initialize a module */
-static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
                        const CONF *cnf)
 {
     int ret = 1;
@@ -290,13 +343,13 @@ static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
     CONF_IMODULE *imod = NULL;
 
     /* Otherwise add initialized module to list */
-    imod = OPENSSL_malloc(sizeof(*imod));
-    if (imod == NULL)
+    imod = OPENSSL_malloc(sizeof(CONF_IMODULE));
+    if (!imod)
         goto err;
 
     imod->pmod = pmod;
-    imod->name = OPENSSL_strdup(name);
-    imod->value = OPENSSL_strdup(value);
+    imod->name = BUF_strdup(name);
+    imod->value = BUF_strdup(value);
     imod->usr_data = NULL;
 
     if (!imod->name || !imod->value)
@@ -336,8 +389,10 @@ static int module_init(CONF_MODULE *pmod, const char *name, const char *value,
 
  memerr:
     if (imod) {
-        OPENSSL_free(imod->name);
-        OPENSSL_free(imod->value);
+        if (imod->name)
+            OPENSSL_free(imod->name);
+        if (imod->value)
+            OPENSSL_free(imod->value);
         OPENSSL_free(imod);
     }
 
@@ -375,7 +430,8 @@ void CONF_modules_unload(int all)
 /* unload a single module */
 static void module_free(CONF_MODULE *md)
 {
-    DSO_free(md->dso);
+    if (md->dso)
+        DSO_free(md->dso);
     OPENSSL_free(md->name);
     OPENSSL_free(md);
 }
@@ -397,8 +453,6 @@ void CONF_modules_finish(void)
 
 static void module_finish(CONF_IMODULE *imod)
 {
-    if (!imod)
-        return;
     if (imod->pmod->finish)
         imod->pmod->finish(imod);
     imod->pmod->links--;
@@ -418,7 +472,7 @@ int CONF_module_add(const char *name, conf_init_func *ifunc,
         return 0;
 }
 
-void conf_modules_free_int(void)
+void CONF_modules_free(void)
 {
     CONF_modules_finish();
     CONF_modules_unload(1);
@@ -480,7 +534,7 @@ char *CONF_get1_default_config_file(void)
 
     file = getenv("OPENSSL_CONF");
     if (file)
-        return OPENSSL_strdup(file);
+        return BUF_strdup(file);
 
     len = strlen(X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
@@ -490,13 +544,13 @@ char *CONF_get1_default_config_file(void)
 
     file = OPENSSL_malloc(len + 1);
 
-    if (file == NULL)
+    if (!file)
         return NULL;
-    OPENSSL_strlcpy(file, X509_get_default_cert_area(), len + 1);
+    BUF_strlcpy(file, X509_get_default_cert_area(), len + 1);
 #ifndef OPENSSL_SYS_VMS
-    OPENSSL_strlcat(file, "/", len + 1);
+    BUF_strlcat(file, "/", len + 1);
 #endif
-    OPENSSL_strlcat(file, OPENSSL_CONF, len + 1);
+    BUF_strlcat(file, OPENSSL_CONF, len + 1);
 
     return file;
 }
diff --git a/Cryptlib/OpenSSL/crypto/conf/conf_sap.c b/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
index bed95abe..a25b6365 100644
--- a/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+++ b/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
@@ -1,19 +1,72 @@
+/* conf_sap.c */
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
-#include <internal/conf.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#include <openssl/engine.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
 
 /*
  * This is the automatic configuration loader: it is called automatically by
@@ -23,19 +76,7 @@
 
 static int openssl_configured = 0;
 
-#if OPENSSL_API_COMPAT < 0x10100000L
-void OPENSSL_config(const char *appname)
-{
-    OPENSSL_INIT_SETTINGS settings;
-
-    memset(&settings, 0, sizeof(settings));
-    if (appname != NULL)
-        settings.appname = strdup(appname);
-    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
-}
-#endif
-
-void openssl_config_int(const char *appname)
+void OPENSSL_config(const char *config_name)
 {
     if (openssl_configured)
         return;
@@ -46,15 +87,15 @@ void openssl_config_int(const char *appname)
     ENGINE_load_builtin_engines();
 #endif
     ERR_clear_error();
-#ifndef OPENSSL_SYS_UEFI
-    CONF_modules_load_file(NULL, appname,
+#ifndef OPENSSL_NO_STDIO
+    CONF_modules_load_file(NULL, config_name,
                                CONF_MFLAGS_DEFAULT_SECTION |
                                CONF_MFLAGS_IGNORE_MISSING_FILE);
 #endif
     openssl_configured = 1;
 }
 
-void openssl_no_config_int(void)
+void OPENSSL_no_config()
 {
     openssl_configured = 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/constant_time_locl.h b/Cryptlib/OpenSSL/crypto/constant_time_locl.h
new file mode 100644
index 00000000..c786aea9
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/constant_time_locl.h
@@ -0,0 +1,211 @@
+/* crypto/constant_time_locl.h */
+/*-
+ * Utilities for constant-time cryptography.
+ *
+ * Author: Emilia Kasper (emilia@openssl.org)
+ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
+ * (Google).
+ * ====================================================================
+ * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_CONSTANT_TIME_LOCL_H
+# define HEADER_CONSTANT_TIME_LOCL_H
+
+# include "e_os.h"              /* For 'inline' */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*-
+ * The boolean methods return a bitmask of all ones (0xff...f) for true
+ * and 0 for false. This is useful for choosing a value based on the result
+ * of a conditional in constant time. For example,
+ *
+ * if (a < b) {
+ *   c = a;
+ * } else {
+ *   c = b;
+ * }
+ *
+ * can be written as
+ *
+ * unsigned int lt = constant_time_lt(a, b);
+ * c = constant_time_select(lt, a, b);
+ */
+
+/*
+ * Returns the given value with the MSB copied to all the other
+ * bits. Uses the fact that arithmetic shift shifts-in the sign bit.
+ * However, this is not ensured by the C standard so you may need to
+ * replace this with something else on odd CPUs.
+ */
+static inline unsigned int constant_time_msb(unsigned int a);
+
+/*
+ * Returns 0xff..f if a < b and 0 otherwise.
+ */
+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_lt_8(unsigned int a,
+                                               unsigned int b);
+
+/*
+ * Returns 0xff..f if a >= b and 0 otherwise.
+ */
+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_ge_8(unsigned int a,
+                                               unsigned int b);
+
+/*
+ * Returns 0xff..f if a == 0 and 0 otherwise.
+ */
+static inline unsigned int constant_time_is_zero(unsigned int a);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_is_zero_8(unsigned int a);
+
+/*
+ * Returns 0xff..f if a == b and 0 otherwise.
+ */
+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_eq_8(unsigned int a,
+                                               unsigned int b);
+/* Signed integers. */
+static inline unsigned int constant_time_eq_int(int a, int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_eq_int_8(int a, int b);
+
+/*-
+ * Returns (mask & a) | (~mask & b).
+ *
+ * When |mask| is all 1s or all 0s (as returned by the methods above),
+ * the select methods return either |a| (if |mask| is nonzero) or |b|
+ * (if |mask| is zero).
+ */
+static inline unsigned int constant_time_select(unsigned int mask,
+                                                unsigned int a,
+                                                unsigned int b);
+/* Convenience method for unsigned chars. */
+static inline unsigned char constant_time_select_8(unsigned char mask,
+                                                   unsigned char a,
+                                                   unsigned char b);
+/* Convenience method for signed integers. */
+static inline int constant_time_select_int(unsigned int mask, int a, int b);
+
+static inline unsigned int constant_time_msb(unsigned int a)
+{
+    return 0 - (a >> (sizeof(a) * 8 - 1));
+}
+
+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b)
+{
+    return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));
+}
+
+static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
+{
+    return (unsigned char)(constant_time_lt(a, b));
+}
+
+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b)
+{
+    return ~constant_time_lt(a, b);
+}
+
+static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b)
+{
+    return (unsigned char)(constant_time_ge(a, b));
+}
+
+static inline unsigned int constant_time_is_zero(unsigned int a)
+{
+    return constant_time_msb(~a & (a - 1));
+}
+
+static inline unsigned char constant_time_is_zero_8(unsigned int a)
+{
+    return (unsigned char)(constant_time_is_zero(a));
+}
+
+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
+{
+    return constant_time_is_zero(a ^ b);
+}
+
+static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
+{
+    return (unsigned char)(constant_time_eq(a, b));
+}
+
+static inline unsigned int constant_time_eq_int(int a, int b)
+{
+    return constant_time_eq((unsigned)(a), (unsigned)(b));
+}
+
+static inline unsigned char constant_time_eq_int_8(int a, int b)
+{
+    return constant_time_eq_8((unsigned)(a), (unsigned)(b));
+}
+
+static inline unsigned int constant_time_select(unsigned int mask,
+                                                unsigned int a,
+                                                unsigned int b)
+{
+    return (mask & a) | (~mask & b);
+}
+
+static inline unsigned char constant_time_select_8(unsigned char mask,
+                                                   unsigned char a,
+                                                   unsigned char b)
+{
+    return (unsigned char)(constant_time_select(mask, a, b));
+}
+
+static inline int constant_time_select_int(unsigned int mask, int a, int b)
+{
+    return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif                          /* HEADER_CONSTANT_TIME_LOCL_H */
diff --git a/Cryptlib/OpenSSL/crypto/cpt_err.c b/Cryptlib/OpenSSL/crypto/cpt_err.c
index c28dcf19..a5138381 100644
--- a/Cryptlib/OpenSSL/crypto/cpt_err.c
+++ b/Cryptlib/OpenSSL/crypto/cpt_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/cpt_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,30 +70,29 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_CRYPTO,0,reason)
 
 static ERR_STRING_DATA CRYPTO_str_functs[] = {
-    {ERR_FUNC(CRYPTO_F_CRYPTO_DUP_EX_DATA), "CRYPTO_dup_ex_data"},
-    {ERR_FUNC(CRYPTO_F_CRYPTO_FREE_EX_DATA), "CRYPTO_free_ex_data"},
     {ERR_FUNC(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX), "CRYPTO_get_ex_new_index"},
-    {ERR_FUNC(CRYPTO_F_CRYPTO_MEMDUP), "CRYPTO_memdup"},
-    {ERR_FUNC(CRYPTO_F_CRYPTO_NEW_EX_DATA), "CRYPTO_new_ex_data"},
+    {ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID), "CRYPTO_get_new_dynlockid"},
+    {ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_LOCKID), "CRYPTO_get_new_lockid"},
     {ERR_FUNC(CRYPTO_F_CRYPTO_SET_EX_DATA), "CRYPTO_set_ex_data"},
+    {ERR_FUNC(CRYPTO_F_DEF_ADD_INDEX), "DEF_ADD_INDEX"},
+    {ERR_FUNC(CRYPTO_F_DEF_GET_CLASS), "DEF_GET_CLASS"},
     {ERR_FUNC(CRYPTO_F_FIPS_MODE_SET), "FIPS_mode_set"},
-    {ERR_FUNC(CRYPTO_F_GET_AND_LOCK), "get_and_lock"},
-    {ERR_FUNC(CRYPTO_F_OPENSSL_BUF2HEXSTR), "OPENSSL_buf2hexstr"},
-    {ERR_FUNC(CRYPTO_F_OPENSSL_HEXSTR2BUF), "OPENSSL_hexstr2buf"},
-    {ERR_FUNC(CRYPTO_F_OPENSSL_INIT_CRYPTO), "OPENSSL_init_crypto"},
+    {ERR_FUNC(CRYPTO_F_INT_DUP_EX_DATA), "INT_DUP_EX_DATA"},
+    {ERR_FUNC(CRYPTO_F_INT_FREE_EX_DATA), "INT_FREE_EX_DATA"},
+    {ERR_FUNC(CRYPTO_F_INT_NEW_EX_DATA), "INT_NEW_EX_DATA"},
     {0, NULL}
 };
 
 static ERR_STRING_DATA CRYPTO_str_reasons[] = {
     {ERR_REASON(CRYPTO_R_FIPS_MODE_NOT_SUPPORTED), "fips mode not supported"},
-    {ERR_REASON(CRYPTO_R_ILLEGAL_HEX_DIGIT), "illegal hex digit"},
-    {ERR_REASON(CRYPTO_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
+    {ERR_REASON(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK),
+     "no dynlock create callback"},
     {0, NULL}
 };
 
 #endif
 
-int ERR_load_CRYPTO_strings(void)
+void ERR_load_CRYPTO_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -51,5 +101,4 @@ int ERR_load_CRYPTO_strings(void)
         ERR_load_strings(0, CRYPTO_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c
index 01b8ce5e..23f58fa9 100644
--- a/Cryptlib/OpenSSL/crypto/cryptlib.c
+++ b/Cryptlib/OpenSSL/crypto/cryptlib.c
@@ -1,31 +1,682 @@
-/*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/cryptlib.c */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  * ECDH support in OpenSSL originally developed by
  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
  */
 
-#include "internal/cryptlib_int.h"
+#include "cryptlib.h"
 #include <openssl/safestack.h>
 
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
+static double SSLeay_MSVC5_hack = 0.0; /* and for VC1.5 */
+#endif
+
+DECLARE_STACK_OF(CRYPTO_dynlock)
+
+/* real #defines in crypto.h, keep these upto date */
+static const char *const lock_names[CRYPTO_NUM_LOCKS] = {
+    "<<ERROR>>",
+    "err",
+    "ex_data",
+    "x509",
+    "x509_info",
+    "x509_pkey",
+    "x509_crl",
+    "x509_req",
+    "dsa",
+    "rsa",
+    "evp_pkey",
+    "x509_store",
+    "ssl_ctx",
+    "ssl_cert",
+    "ssl_session",
+    "ssl_sess_cert",
+    "ssl",
+    "ssl_method",
+    "rand",
+    "rand2",
+    "debug_malloc",
+    "BIO",
+    "gethostbyname",
+    "getservbyname",
+    "readdir",
+    "RSA_blinding",
+    "dh",
+    "debug_malloc2",
+    "dso",
+    "dynlock",
+    "engine",
+    "ui",
+    "ecdsa",
+    "ec",
+    "ecdh",
+    "bn",
+    "ec_pre_comp",
+    "store",
+    "comp",
+    "fips",
+    "fips2",
+#if CRYPTO_NUM_LOCKS != 41
+# error "Inconsistency between crypto.h and cryptlib.c"
+#endif
+};
+
+/*
+ * This is for applications to allocate new type names in the non-dynamic
+ * array of lock names.  These are numbered with positive numbers.
+ */
+static STACK_OF(OPENSSL_STRING) *app_locks = NULL;
+
+/*
+ * For applications that want a more dynamic way of handling threads, the
+ * following stack is used.  These are externally numbered with negative
+ * numbers.
+ */
+static STACK_OF(CRYPTO_dynlock) *dyn_locks = NULL;
+
+static void (MS_FAR *locking_callback) (int mode, int type,
+                                        const char *file, int line) = 0;
+static int (MS_FAR *add_lock_callback) (int *pointer, int amount,
+                                        int type, const char *file,
+                                        int line) = 0;
+#ifndef OPENSSL_NO_DEPRECATED
+static unsigned long (MS_FAR *id_callback) (void) = 0;
+#endif
+static void (MS_FAR *threadid_callback) (CRYPTO_THREADID *) = 0;
+static struct CRYPTO_dynlock_value *(MS_FAR *dynlock_create_callback)
+ (const char *file, int line) = 0;
+static void (MS_FAR *dynlock_lock_callback) (int mode,
+                                             struct CRYPTO_dynlock_value *l,
+                                             const char *file, int line) = 0;
+static void (MS_FAR *dynlock_destroy_callback) (struct CRYPTO_dynlock_value
+                                                *l, const char *file,
+                                                int line) = 0;
+
+int CRYPTO_get_new_lockid(char *name)
+{
+    char *str;
+    int i;
+
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
+    /*
+     * A hack to make Visual C++ 5.0 work correctly when linking as a DLL
+     * using /MT. Without this, the application cannot use any floating point
+     * printf's. It also seems to be needed for Visual C 1.5 (win16)
+     */
+    SSLeay_MSVC5_hack = (double)name[0] * (double)name[1];
+#endif
+
+    if ((app_locks == NULL)
+        && ((app_locks = sk_OPENSSL_STRING_new_null()) == NULL)) {
+        CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+    if ((str = BUF_strdup(name)) == NULL) {
+        CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+    i = sk_OPENSSL_STRING_push(app_locks, str);
+    if (!i)
+        OPENSSL_free(str);
+    else
+        i += CRYPTO_NUM_LOCKS;  /* gap of one :-) */
+    return (i);
+}
+
+int CRYPTO_num_locks(void)
+{
+    return CRYPTO_NUM_LOCKS;
+}
+
+int CRYPTO_get_new_dynlockid(void)
+{
+    int i = 0;
+    CRYPTO_dynlock *pointer = NULL;
+
+    if (dynlock_create_callback == NULL) {
+        CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,
+                  CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK);
+        return (0);
+    }
+    CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
+    if ((dyn_locks == NULL)
+        && ((dyn_locks = sk_CRYPTO_dynlock_new_null()) == NULL)) {
+        CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
+        CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
+
+    pointer = (CRYPTO_dynlock *) OPENSSL_malloc(sizeof(CRYPTO_dynlock));
+    if (pointer == NULL) {
+        CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+    pointer->references = 1;
+    pointer->data = dynlock_create_callback(OPENSSL_FILE, OPENSSL_LINE);
+    if (pointer->data == NULL) {
+        OPENSSL_free(pointer);
+        CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID, ERR_R_MALLOC_FAILURE);
+        return (0);
+    }
+
+    CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
+    /* First, try to find an existing empty slot */
+    i = sk_CRYPTO_dynlock_find(dyn_locks, NULL);
+    /* If there was none, push, thereby creating a new one */
+    if (i == -1)
+        /*
+         * Since sk_push() returns the number of items on the stack, not the
+         * location of the pushed item, we need to transform the returned
+         * number into a position, by decreasing it.
+         */
+        i = sk_CRYPTO_dynlock_push(dyn_locks, pointer) - 1;
+    else
+        /*
+         * If we found a place with a NULL pointer, put our pointer in it.
+         */
+        (void)sk_CRYPTO_dynlock_set(dyn_locks, i, pointer);
+    CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
+
+    if (i == -1) {
+        dynlock_destroy_callback(pointer->data, OPENSSL_FILE, OPENSSL_LINE);
+        OPENSSL_free(pointer);
+    } else
+        i += 1;                 /* to avoid 0 */
+    return -i;
+}
+
+void CRYPTO_destroy_dynlockid(int i)
+{
+    CRYPTO_dynlock *pointer = NULL;
+    if (i)
+        i = -i - 1;
+    if (dynlock_destroy_callback == NULL)
+        return;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
+
+    if (dyn_locks == NULL || i >= sk_CRYPTO_dynlock_num(dyn_locks)) {
+        CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
+        return;
+    }
+    pointer = sk_CRYPTO_dynlock_value(dyn_locks, i);
+    if (pointer != NULL) {
+        --pointer->references;
+#ifdef REF_CHECK
+        if (pointer->references < 0) {
+            fprintf(stderr,
+                    "CRYPTO_destroy_dynlockid, bad reference count\n");
+            abort();
+        } else
+#endif
+        if (pointer->references <= 0) {
+            (void)sk_CRYPTO_dynlock_set(dyn_locks, i, NULL);
+        } else
+            pointer = NULL;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
+
+    if (pointer) {
+        dynlock_destroy_callback(pointer->data, OPENSSL_FILE, OPENSSL_LINE);
+        OPENSSL_free(pointer);
+    }
+}
+
+struct CRYPTO_dynlock_value *CRYPTO_get_dynlock_value(int i)
+{
+    CRYPTO_dynlock *pointer = NULL;
+    if (i)
+        i = -i - 1;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
+
+    if (dyn_locks != NULL && i < sk_CRYPTO_dynlock_num(dyn_locks))
+        pointer = sk_CRYPTO_dynlock_value(dyn_locks, i);
+    if (pointer)
+        pointer->references++;
+
+    CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
+
+    if (pointer)
+        return pointer->data;
+    return NULL;
+}
+
+struct CRYPTO_dynlock_value *(*CRYPTO_get_dynlock_create_callback(void))
+ (const char *file, int line) {
+    return (dynlock_create_callback);
+}
+
+void (*CRYPTO_get_dynlock_lock_callback(void)) (int mode,
+                                                struct CRYPTO_dynlock_value
+                                                *l, const char *file,
+                                                int line) {
+    return (dynlock_lock_callback);
+}
+
+void (*CRYPTO_get_dynlock_destroy_callback(void))
+ (struct CRYPTO_dynlock_value *l, const char *file, int line) {
+    return (dynlock_destroy_callback);
+}
+
+void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func)
+                                         (const char *file, int line))
+{
+    dynlock_create_callback = func;
+}
+
+void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode,
+                                                    struct
+                                                    CRYPTO_dynlock_value *l,
+                                                    const char *file,
+                                                    int line))
+{
+    dynlock_lock_callback = func;
+}
+
+void CRYPTO_set_dynlock_destroy_callback(void (*func)
+                                          (struct CRYPTO_dynlock_value *l,
+                                           const char *file, int line))
+{
+    dynlock_destroy_callback = func;
+}
+
+void (*CRYPTO_get_locking_callback(void)) (int mode, int type,
+                                           const char *file, int line) {
+    return (locking_callback);
+}
+
+int (*CRYPTO_get_add_lock_callback(void)) (int *num, int mount, int type,
+                                           const char *file, int line) {
+    return (add_lock_callback);
+}
+
+void CRYPTO_set_locking_callback(void (*func) (int mode, int type,
+                                               const char *file, int line))
+{
+    /*
+     * Calling this here ensures initialisation before any threads are
+     * started.
+     */
+    OPENSSL_init();
+    locking_callback = func;
+}
+
+void CRYPTO_set_add_lock_callback(int (*func) (int *num, int mount, int type,
+                                               const char *file, int line))
+{
+    add_lock_callback = func;
+}
+
+/*
+ * the memset() here and in set_pointer() seem overkill, but for the sake of
+ * CRYPTO_THREADID_cmp() this avoids any platform silliness that might cause
+ * two "equal" THREADID structs to not be memcmp()-identical.
+ */
+void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val)
+{
+    memset(id, 0, sizeof(*id));
+    id->val = val;
+}
+
+static const unsigned char hash_coeffs[] = { 3, 5, 7, 11, 13, 17, 19, 23 };
+
+void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr)
+{
+    unsigned char *dest = (void *)&id->val;
+    unsigned int accum = 0;
+    unsigned char dnum = sizeof(id->val);
+
+    memset(id, 0, sizeof(*id));
+    id->ptr = ptr;
+    if (sizeof(id->val) >= sizeof(id->ptr)) {
+        /*
+         * 'ptr' can be embedded in 'val' without loss of uniqueness
+         */
+        id->val = (unsigned long)id->ptr;
+        return;
+    }
+    /*
+     * hash ptr ==> val. Each byte of 'val' gets the mod-256 total of a
+     * linear function over the bytes in 'ptr', the co-efficients of which
+     * are a sequence of low-primes (hash_coeffs is an 8-element cycle) - the
+     * starting prime for the sequence varies for each byte of 'val' (unique
+     * polynomials unless pointers are >64-bit). For added spice, the totals
+     * accumulate rather than restarting from zero, and the index of the
+     * 'val' byte is added each time (position dependence). If I was a
+     * black-belt, I'd scan big-endian pointers in reverse to give low-order
+     * bits more play, but this isn't crypto and I'd prefer nobody mistake it
+     * as such. Plus I'm lazy.
+     */
+    while (dnum--) {
+        const unsigned char *src = (void *)&id->ptr;
+        unsigned char snum = sizeof(id->ptr);
+        while (snum--)
+            accum += *(src++) * hash_coeffs[(snum + dnum) & 7];
+        accum += dnum;
+        *(dest++) = accum & 255;
+    }
+}
+
+int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *))
+{
+    if (threadid_callback)
+        return 0;
+    threadid_callback = func;
+    return 1;
+}
+
+void (*CRYPTO_THREADID_get_callback(void)) (CRYPTO_THREADID *) {
+    return threadid_callback;
+}
+
+void CRYPTO_THREADID_current(CRYPTO_THREADID *id)
+{
+    if (threadid_callback) {
+        threadid_callback(id);
+        return;
+    }
+#ifndef OPENSSL_NO_DEPRECATED
+    /* If the deprecated callback was set, fall back to that */
+    if (id_callback) {
+        CRYPTO_THREADID_set_numeric(id, id_callback());
+        return;
+    }
+#endif
+    /* Else pick a backup */
+#ifdef OPENSSL_SYS_WIN16
+    CRYPTO_THREADID_set_numeric(id, (unsigned long)GetCurrentTask());
+#elif defined(OPENSSL_SYS_WIN32)
+    CRYPTO_THREADID_set_numeric(id, (unsigned long)GetCurrentThreadId());
+#elif defined(OPENSSL_SYS_BEOS)
+    CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL));
+#else
+    /* For everything else, default to using the address of 'errno' */
+    CRYPTO_THREADID_set_pointer(id, (void *)&errno);
+#endif
+}
+
+int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b)
+{
+    return memcmp(a, b, sizeof(*a));
+}
+
+void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src)
+{
+    memcpy(dest, src, sizeof(*src));
+}
+
+unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id)
+{
+    return id->val;
+}
+
+#ifndef OPENSSL_NO_DEPRECATED
+unsigned long (*CRYPTO_get_id_callback(void)) (void) {
+    return (id_callback);
+}
+
+void CRYPTO_set_id_callback(unsigned long (*func) (void))
+{
+    id_callback = func;
+}
+
+unsigned long CRYPTO_thread_id(void)
+{
+    unsigned long ret = 0;
+
+    if (id_callback == NULL) {
+# ifdef OPENSSL_SYS_WIN16
+        ret = (unsigned long)GetCurrentTask();
+# elif defined(OPENSSL_SYS_WIN32)
+        ret = (unsigned long)GetCurrentThreadId();
+# elif defined(GETPID_IS_MEANINGLESS)
+        ret = 1L;
+# elif defined(OPENSSL_SYS_BEOS)
+        ret = (unsigned long)find_thread(NULL);
+# else
+        ret = (unsigned long)getpid();
+# endif
+    } else
+        ret = id_callback();
+    return (ret);
+}
+#endif
+
+void CRYPTO_lock(int mode, int type, const char *file, int line)
+{
+#ifdef LOCK_DEBUG
+    {
+        CRYPTO_THREADID id;
+        char *rw_text, *operation_text;
+
+        if (mode & CRYPTO_LOCK)
+            operation_text = "lock  ";
+        else if (mode & CRYPTO_UNLOCK)
+            operation_text = "unlock";
+        else
+            operation_text = "ERROR ";
+
+        if (mode & CRYPTO_READ)
+            rw_text = "r";
+        else if (mode & CRYPTO_WRITE)
+            rw_text = "w";
+        else
+            rw_text = "ERROR";
+
+        CRYPTO_THREADID_current(&id);
+        fprintf(stderr, "lock:%08lx:(%s)%s %-18s %s:%d\n",
+                CRYPTO_THREADID_hash(&id), rw_text, operation_text,
+                CRYPTO_get_lock_name(type), file, line);
+    }
+#endif
+    if (type < 0) {
+        if (dynlock_lock_callback != NULL) {
+            struct CRYPTO_dynlock_value *pointer
+                = CRYPTO_get_dynlock_value(type);
+
+            OPENSSL_assert(pointer != NULL);
+
+            dynlock_lock_callback(mode, pointer, file, line);
+
+            CRYPTO_destroy_dynlockid(type);
+        }
+    } else if (locking_callback != NULL)
+        locking_callback(mode, type, file, line);
+}
+
+int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file,
+                    int line)
+{
+    int ret = 0;
+
+    if (add_lock_callback != NULL) {
+#ifdef LOCK_DEBUG
+        int before = *pointer;
+#endif
+
+        ret = add_lock_callback(pointer, amount, type, file, line);
+#ifdef LOCK_DEBUG
+        {
+            CRYPTO_THREADID id;
+            CRYPTO_THREADID_current(&id);
+            fprintf(stderr, "ladd:%08lx:%2d+%2d->%2d %-18s %s:%d\n",
+                    CRYPTO_THREADID_hash(&id), before, amount, ret,
+                    CRYPTO_get_lock_name(type), file, line);
+        }
+#endif
+    } else {
+        CRYPTO_lock(CRYPTO_LOCK | CRYPTO_WRITE, type, file, line);
+
+        ret = *pointer + amount;
+#ifdef LOCK_DEBUG
+        {
+            CRYPTO_THREADID id;
+            CRYPTO_THREADID_current(&id);
+            fprintf(stderr, "ladd:%08lx:%2d+%2d->%2d %-18s %s:%d\n",
+                    CRYPTO_THREADID_hash(&id),
+                    *pointer, amount, ret,
+                    CRYPTO_get_lock_name(type), file, line);
+        }
+#endif
+        *pointer = ret;
+        CRYPTO_lock(CRYPTO_UNLOCK | CRYPTO_WRITE, type, file, line);
+    }
+    return (ret);
+}
+
+const char *CRYPTO_get_lock_name(int type)
+{
+    if (type < 0)
+        return ("dynamic");
+    else if (type < CRYPTO_NUM_LOCKS)
+        return (lock_names[type]);
+    else if (type - CRYPTO_NUM_LOCKS > sk_OPENSSL_STRING_num(app_locks))
+        return ("ERROR");
+    else
+        return (sk_OPENSSL_STRING_value(app_locks, type - CRYPTO_NUM_LOCKS));
+}
+
 #if     defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
+        defined(__INTEL__) || \
         defined(__x86_64) || defined(__x86_64__) || \
         defined(_M_AMD64) || defined(_M_X64)
 
 extern unsigned int OPENSSL_ia32cap_P[4];
+unsigned long *OPENSSL_ia32cap_loc(void)
+{
+    if (sizeof(long) == 4)
+        /*
+         * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
+         * clear second element to maintain the illusion that vector
+         * is 32-bit.
+         */
+        OPENSSL_ia32cap_P[1] = 0;
+
+    OPENSSL_ia32cap_P[2] = 0;
+
+    return (unsigned long *)OPENSSL_ia32cap_P;
+}
 
 # if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
 #include <stdio.h>
 #  define OPENSSL_CPUID_SETUP
-typedef uint64_t IA32CAP;
+#  if defined(_WIN32)
+typedef unsigned __int64 IA32CAP;
+#  else
+typedef unsigned long long IA32CAP;
+#  endif
 void OPENSSL_cpuid_setup(void)
 {
     static int trigger = 0;
@@ -76,6 +727,12 @@ void OPENSSL_cpuid_setup(void)
 # else
 unsigned int OPENSSL_ia32cap_P[4];
 # endif
+
+#else
+unsigned long *OPENSSL_ia32cap_loc(void)
+{
+    return NULL;
+}
 #endif
 int OPENSSL_NONPIC_relocated = 0;
 #if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
@@ -84,6 +741,53 @@ void OPENSSL_cpuid_setup(void)
 }
 #endif
 
+#if (defined(_WIN32) || defined(__CYGWIN__)) && defined(_WINDLL)
+# ifdef __CYGWIN__
+/* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */
+#  include <windows.h>
+/*
+ * this has side-effect of _WIN32 getting defined, which otherwise is
+ * mutually exclusive with __CYGWIN__...
+ */
+# endif
+
+/*
+ * All we really need to do is remove the 'error' state when a thread
+ * detaches
+ */
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
+{
+    switch (fdwReason) {
+    case DLL_PROCESS_ATTACH:
+        OPENSSL_cpuid_setup();
+# if defined(_WIN32_WINNT)
+        {
+            IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *) hinstDLL;
+            IMAGE_NT_HEADERS *nt_headers;
+
+            if (dos_header->e_magic == IMAGE_DOS_SIGNATURE) {
+                nt_headers = (IMAGE_NT_HEADERS *) ((char *)dos_header
+                                                   + dos_header->e_lfanew);
+                if (nt_headers->Signature == IMAGE_NT_SIGNATURE &&
+                    hinstDLL !=
+                    (HINSTANCE) (nt_headers->OptionalHeader.ImageBase))
+                    OPENSSL_NONPIC_relocated = 1;
+            }
+        }
+# endif
+        break;
+    case DLL_THREAD_ATTACH:
+        break;
+    case DLL_THREAD_DETACH:
+        break;
+    case DLL_PROCESS_DETACH:
+        break;
+    }
+    return (TRUE);
+}
+#endif
+
 #if defined(_WIN32) && !defined(__CYGWIN__)
 # include <tchar.h>
 # include <signal.h>
@@ -106,15 +810,15 @@ int OPENSSL_isservice(void)
     WCHAR *name;
     static union {
         void *p;
-        FARPROC f;
+        int (*f) (void);
     } _OPENSSL_isservice = {
         NULL
     };
 
     if (_OPENSSL_isservice.p == NULL) {
-        HANDLE mod = GetModuleHandle(NULL);
-        if (mod != NULL)
-            _OPENSSL_isservice.f = GetProcAddress(mod, "_OPENSSL_isservice");
+        HANDLE h = GetModuleHandle(NULL);
+        if (h != NULL)
+            _OPENSSL_isservice.p = GetProcAddress(h, "_OPENSSL_isservice");
         if (_OPENSSL_isservice.p == NULL)
             _OPENSSL_isservice.p = (void *)-1;
     }
@@ -162,7 +866,7 @@ int OPENSSL_isservice(void)
 }
 # endif
 
-void OPENSSL_showfatal(const char *fmta, ...)
+void EFIAPI OPENSSL_showfatal(const char *fmta, ...)
 {
     va_list ap;
     TCHAR buf[256];
@@ -197,9 +901,12 @@ void OPENSSL_showfatal(const char *fmta, ...)
                 fmt = (const TCHAR *)L"no stack?";
                 break;
             }
+# ifndef OPENSSL_NO_MULTIBYTE
             if (!MultiByteToWideChar(CP_ACP, 0, fmta, len_0, fmtw, len_0))
+# endif
                 for (i = 0; i < len_0; i++)
                     fmtw[i] = (WCHAR)fmta[i];
+
             for (i = 0; i < len_0; i++) {
                 if (fmtw[i] == L'%')
                     do {
@@ -240,8 +947,8 @@ void OPENSSL_showfatal(const char *fmta, ...)
         } while (0);
 
     va_start(ap, fmta);
-    _vsntprintf(buf, OSSL_NELEM(buf) - 1, fmt, ap);
-    buf[OSSL_NELEM(buf) - 1] = _T('\0');
+    _vsntprintf(buf, sizeof(buf) / sizeof(TCHAR) - 1, fmt, ap);
+    buf[sizeof(buf) / sizeof(TCHAR) - 1] = _T('\0');
     va_end(ap);
 
 # if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
@@ -272,7 +979,7 @@ void OPENSSL_showfatal(const char *fmta, ...)
         MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR);
 }
 #else
-void OPENSSL_showfatal(const char *fmta, ...)
+void EFIAPI OPENSSL_showfatal(const char *fmta, ...)
 {
 #ifndef OPENSSL_NO_STDIO
     va_list ap;
@@ -289,10 +996,11 @@ int OPENSSL_isservice(void)
 }
 #endif
 
-void OPENSSL_die(const char *message, const char *file, int line)
+void OpenSSLDie(const char *file, int line, const char *assertion)
 {
-    OPENSSL_showfatal("%s:%d: OpenSSL internal error: %s\n",
-                      file, line, message);
+    OPENSSL_showfatal
+        ("%s(%d): OpenSSL internal error, assertion failed: %s\n", file, line,
+         assertion);
 #if !defined(_WIN32) || defined(__CYGWIN__)
     abort();
 #else
@@ -306,27 +1014,14 @@ void OPENSSL_die(const char *message, const char *file, int line)
 #endif
 }
 
-#if !defined(OPENSSL_CPUID_OBJ)
-/* volatile unsigned char* pointers are there because
- * 1. Accessing a variable declared volatile via a pointer
- *    that lacks a volatile qualifier causes undefined behavior.
- * 2. When the variable itself is not volatile the compiler is
- *    not required to keep all those reads and can convert
- *    this into canonical memcmp() which doesn't read the whole block.
- * Pointers to volatile resolve the first problem fully. The second
- * problem cannot be resolved in any Standard-compliant way but this
- * works the problem around. Compilers typically react to
- * pointers to volatile by preserving the reads and writes through them.
- * The latter is not required by the Standard if the memory pointed to
- * is not volatile.
- * Pointers themselves are volatile in the function signature to work
- * around a subtle bug in gcc 4.6+ which causes writes through
- * pointers to volatile to not be emitted in some rare,
- * never needed in real life, pieces of code.
- */
-int CRYPTO_memcmp(const volatile void * volatile in_a,
-                  const volatile void * volatile in_b,
-                  size_t len)
+#ifndef OPENSSL_NO_STDIO
+void *OPENSSL_stderr(void)
+{
+    return stderr;
+}
+#endif
+
+int CRYPTO_memcmp(const volatile void *in_a, const volatile void *in_b, size_t len)
 {
     size_t i;
     const volatile unsigned char *a = in_a;
@@ -338,4 +1033,3 @@ int CRYPTO_memcmp(const volatile void * volatile in_a,
 
     return x;
 }
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.h b/Cryptlib/OpenSSL/crypto/cryptlib.h
new file mode 100644
index 00000000..2bce19ff
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/cryptlib.h
@@ -0,0 +1,113 @@
+/* crypto/cryptlib.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_CRYPTLIB_H
+# define HEADER_CRYPTLIB_H
+
+# include <stdlib.h>
+# include <string.h>
+
+# include "e_os.h"
+
+# ifdef OPENSSL_USE_APPLINK
+#  define BIO_FLAGS_UPLINK 0x8000
+#  include "ms/uplink.h"
+# endif
+
+# include <openssl/crypto.h>
+# include <openssl/buffer.h>
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/opensslconf.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+# ifndef OPENSSL_SYS_VMS
+#  define X509_CERT_AREA          OPENSSLDIR
+#  define X509_CERT_DIR           OPENSSLDIR "/certs"
+#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
+#  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+# else
+#  define X509_CERT_AREA          "SSLROOT:[000000]"
+#  define X509_CERT_DIR           "SSLCERTS:"
+#  define X509_CERT_FILE          "SSLCERTS:cert.pem"
+#  define X509_PRIVATE_DIR        "SSLPRIVATE:"
+# endif
+
+# define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+# define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
+
+/* size of string representations */
+# define DECIMAL_SIZE(type)      ((sizeof(type)*8+2)/3+1)
+# define HEX_SIZE(type)          (sizeof(type)*2)
+
+void OPENSSL_cpuid_setup(void);
+extern unsigned int OPENSSL_ia32cap_P[];
+void EFIAPI OPENSSL_showfatal(const char *fmta, ...);
+#ifndef OPENSSL_NO_STDIO
+void *OPENSSL_stderr(void);
+#endif
+extern int OPENSSL_NONPIC_relocated;
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/cversion.c b/Cryptlib/OpenSSL/crypto/cversion.c
index 96d8a5b5..bfff6995 100644
--- a/Cryptlib/OpenSSL/crypto/cversion.c
+++ b/Cryptlib/OpenSSL/crypto/cversion.c
@@ -1,28 +1,72 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/cversion.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef NO_WINDOWS_BRAINDEATH
 # include "buildinf.h"
 #endif
 
-unsigned long OpenSSL_version_num(void)
-{
-    return OPENSSL_VERSION_NUMBER;
-}
-
-const char *OpenSSL_version(int t)
+const char *SSLeay_version(int t)
 {
-    if (t == OPENSSL_VERSION)
+    if (t == SSLEAY_VERSION)
         return OPENSSL_VERSION_TEXT;
-    if (t == OPENSSL_BUILT_ON) {
+    if (t == SSLEAY_BUILT_ON) {
 #ifdef DATE
 # ifdef OPENSSL_USE_BUILD_DATE
         return (DATE);
@@ -33,33 +77,31 @@ const char *OpenSSL_version(int t)
         return ("built on: date not available");
 #endif
     }
-    if (t == OPENSSL_CFLAGS) {
+    if (t == SSLEAY_CFLAGS) {
 #ifdef CFLAGS
         return (CFLAGS);
 #else
         return ("compiler: information not available");
 #endif
     }
-    if (t == OPENSSL_PLATFORM) {
+    if (t == SSLEAY_PLATFORM) {
 #ifdef PLATFORM
         return (PLATFORM);
 #else
         return ("platform: information not available");
 #endif
     }
-    if (t == OPENSSL_DIR) {
+    if (t == SSLEAY_DIR) {
 #ifdef OPENSSLDIR
         return "OPENSSLDIR: \"" OPENSSLDIR "\"";
 #else
         return "OPENSSLDIR: N/A";
 #endif
     }
-    if (t == OPENSSL_ENGINES_DIR) {
-#ifdef ENGINESDIR
-        return "ENGINESDIR: \"" ENGINESDIR "\"";
-#else
-        return "ENGINESDIR: N/A";
-#endif
-    }
     return ("not available");
 }
+
+unsigned long SSLeay(void)
+{
+    return (SSLEAY_VERSION_NUMBER);
+}
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_ameth.c b/Cryptlib/OpenSSL/crypto/dh/dh_ameth.c
index cd77867d..45582835 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_ameth.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_ameth.c
@@ -1,21 +1,73 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#include "dh_locl.h"
+#include <openssl/dh.h>
 #include <openssl/bn.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
-#include <openssl/cms.h>
+#include "asn1_locl.h"
+#ifndef OPENSSL_NO_CMS
+# include <openssl/cms.h>
+#endif
+
+extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
 
 /*
  * i2d/d2i like DH parameter functions which use the appropriate routine for
@@ -47,8 +99,8 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
     const unsigned char *p, *pm;
     int pklen, pmlen;
     int ptype;
-    const void *pval;
-    const ASN1_STRING *pstr;
+    void *pval;
+    ASN1_STRING *pstr;
     X509_ALGOR *palg;
     ASN1_INTEGER *public_key = NULL;
 
@@ -67,18 +119,18 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
     pm = pstr->data;
     pmlen = pstr->length;
 
-    if ((dh = d2i_dhp(pkey, &pm, pmlen)) == NULL) {
+    if (!(dh = d2i_dhp(pkey, &pm, pmlen))) {
         DHerr(DH_F_DH_PUB_DECODE, DH_R_DECODE_ERROR);
         goto err;
     }
 
-    if ((public_key = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL) {
+    if (!(public_key = d2i_ASN1_INTEGER(NULL, &p, pklen))) {
         DHerr(DH_F_DH_PUB_DECODE, DH_R_DECODE_ERROR);
         goto err;
     }
 
     /* We have parameters now set public key */
-    if ((dh->pub_key = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) {
+    if (!(dh->pub_key = ASN1_INTEGER_to_BN(public_key, NULL))) {
         DHerr(DH_F_DH_PUB_DECODE, DH_R_BN_DECODE_ERROR);
         goto err;
     }
@@ -88,8 +140,10 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
     return 1;
 
  err:
-    ASN1_INTEGER_free(public_key);
-    DH_free(dh);
+    if (public_key)
+        ASN1_INTEGER_free(public_key);
+    if (dh)
+        DH_free(dh);
     return 0;
 
 }
@@ -106,7 +160,7 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
     dh = pkey->pkey.dh;
 
     str = ASN1_STRING_new();
-    if (str == NULL) {
+    if (!str) {
         DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -135,26 +189,28 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
         return 1;
 
  err:
-    OPENSSL_free(penc);
-    ASN1_STRING_free(str);
+    if (penc)
+        OPENSSL_free(penc);
+    if (str)
+        ASN1_STRING_free(str);
 
     return 0;
 }
 
 /*
  * PKCS#8 DH is defined in PKCS#11 of all places. It is similar to DH in that
- * the AlgorithmIdentifier contains the parameters, the private key is
- * explicitly included and the pubkey must be recalculated.
+ * the AlgorithmIdentifier contains the paramaters, the private key is
+ * explcitly included and the pubkey must be recalculated.
  */
 
-static int dh_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
+static int dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 {
     const unsigned char *p, *pm;
     int pklen, pmlen;
     int ptype;
-    const void *pval;
-    const ASN1_STRING *pstr;
-    const X509_ALGOR *palg;
+    void *pval;
+    ASN1_STRING *pstr;
+    X509_ALGOR *palg;
     ASN1_INTEGER *privkey = NULL;
 
     DH *dh = NULL;
@@ -166,18 +222,17 @@ static int dh_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
 
     if (ptype != V_ASN1_SEQUENCE)
         goto decerr;
-    if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL)
+
+    if (!(privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)))
         goto decerr;
 
     pstr = pval;
     pm = pstr->data;
     pmlen = pstr->length;
-    if ((dh = d2i_dhp(pkey, &pm, pmlen)) == NULL)
+    if (!(dh = d2i_dhp(pkey, &pm, pmlen)))
         goto decerr;
-
     /* We have parameters now set private key */
-    if ((dh->priv_key = BN_secure_new()) == NULL
-        || !ASN1_INTEGER_to_BN(privkey, dh->priv_key)) {
+    if (!(dh->priv_key = ASN1_INTEGER_to_BN(privkey, NULL))) {
         DHerr(DH_F_DH_PRIV_DECODE, DH_R_BN_ERROR);
         goto dherr;
     }
@@ -208,7 +263,7 @@ static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 
     params = ASN1_STRING_new();
 
-    if (params == NULL) {
+    if (!params) {
         DHerr(DH_F_DH_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -240,18 +295,29 @@ static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
     return 1;
 
  err:
-    OPENSSL_free(dp);
-    ASN1_STRING_free(params);
-    ASN1_STRING_clear_free(prkey);
+    if (dp != NULL)
+        OPENSSL_free(dp);
+    if (params != NULL)
+        ASN1_STRING_free(params);
+    if (prkey != NULL)
+        ASN1_STRING_clear_free(prkey);
     return 0;
 }
 
+static void update_buflen(const BIGNUM *b, size_t *pbuflen)
+{
+    size_t i;
+    if (!b)
+        return;
+    if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
+        *pbuflen = i;
+}
+
 static int dh_param_decode(EVP_PKEY *pkey,
                            const unsigned char **pder, int derlen)
 {
     DH *dh;
-
-    if ((dh = d2i_dhp(pkey, pder, derlen)) == NULL) {
+    if (!(dh = d2i_dhp(pkey, pder, derlen))) {
         DHerr(DH_F_DH_PARAM_DECODE, ERR_R_DH_LIB);
         return 0;
     }
@@ -264,10 +330,15 @@ static int dh_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
     return i2d_dhp(pkey, pkey->pkey.dh, pder);
 }
 
-static int do_dh_print(BIO *bp, const DH *x, int indent, int ptype)
+static int do_dh_print(BIO *bp, const DH *x, int indent,
+                       ASN1_PCTX *ctx, int ptype)
 {
-    int reason = ERR_R_BUF_LIB;
+    unsigned char *m = NULL;
+    int reason = ERR_R_BUF_LIB, ret = 0;
+    size_t buf_len = 0;
+
     const char *ktype = NULL;
+
     BIGNUM *priv_key, *pub_key;
 
     if (ptype == 2)
@@ -280,12 +351,20 @@ static int do_dh_print(BIO *bp, const DH *x, int indent, int ptype)
     else
         pub_key = NULL;
 
-    if (x->p == NULL || (ptype == 2 && priv_key == NULL)
-            || (ptype > 0 && pub_key == NULL)) {
+    update_buflen(x->p, &buf_len);
+
+    if (buf_len == 0) {
         reason = ERR_R_PASSED_NULL_PARAMETER;
         goto err;
     }
 
+    update_buflen(x->g, &buf_len);
+    update_buflen(x->q, &buf_len);
+    update_buflen(x->j, &buf_len);
+    update_buflen(x->counter, &buf_len);
+    update_buflen(pub_key, &buf_len);
+    update_buflen(priv_key, &buf_len);
+
     if (ptype == 2)
         ktype = "DH Private-Key";
     else if (ptype == 1)
@@ -293,23 +372,29 @@ static int do_dh_print(BIO *bp, const DH *x, int indent, int ptype)
     else
         ktype = "DH Parameters";
 
+    m = OPENSSL_malloc(buf_len + 10);
+    if (m == NULL) {
+        reason = ERR_R_MALLOC_FAILURE;
+        goto err;
+    }
+
     BIO_indent(bp, indent, 128);
     if (BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p)) <= 0)
         goto err;
     indent += 4;
 
-    if (!ASN1_bn_print(bp, "private-key:", priv_key, NULL, indent))
+    if (!ASN1_bn_print(bp, "private-key:", priv_key, m, indent))
         goto err;
-    if (!ASN1_bn_print(bp, "public-key:", pub_key, NULL, indent))
+    if (!ASN1_bn_print(bp, "public-key:", pub_key, m, indent))
         goto err;
 
-    if (!ASN1_bn_print(bp, "prime:", x->p, NULL, indent))
+    if (!ASN1_bn_print(bp, "prime:", x->p, m, indent))
         goto err;
-    if (!ASN1_bn_print(bp, "generator:", x->g, NULL, indent))
+    if (!ASN1_bn_print(bp, "generator:", x->g, m, indent))
         goto err;
-    if (x->q && !ASN1_bn_print(bp, "subgroup order:", x->q, NULL, indent))
+    if (x->q && !ASN1_bn_print(bp, "subgroup order:", x->q, m, indent))
         goto err;
-    if (x->j && !ASN1_bn_print(bp, "subgroup factor:", x->j, NULL, indent))
+    if (x->j && !ASN1_bn_print(bp, "subgroup factor:", x->j, m, indent))
         goto err;
     if (x->seed) {
         int i;
@@ -328,7 +413,7 @@ static int do_dh_print(BIO *bp, const DH *x, int indent, int ptype)
         if (BIO_write(bp, "\n", 1) <= 0)
             return (0);
     }
-    if (x->counter && !ASN1_bn_print(bp, "counter:", x->counter, NULL, indent))
+    if (x->counter && !ASN1_bn_print(bp, "counter:", x->counter, m, indent))
         goto err;
     if (x->length != 0) {
         BIO_indent(bp, indent, 128);
@@ -337,11 +422,14 @@ static int do_dh_print(BIO *bp, const DH *x, int indent, int ptype)
             goto err;
     }
 
-    return 1;
-
+    ret = 1;
+    if (0) {
  err:
-    DHerr(DH_F_DO_DH_PRINT, reason);
-    return 0;
+        DHerr(DH_F_DO_DH_PRINT, reason);
+    }
+    if (m != NULL)
+        OPENSSL_free(m);
+    return (ret);
 }
 
 static int int_dh_size(const EVP_PKEY *pkey)
@@ -354,11 +442,6 @@ static int dh_bits(const EVP_PKEY *pkey)
     return BN_num_bits(pkey->pkey.dh->p);
 }
 
-static int dh_security_bits(const EVP_PKEY *pkey)
-{
-    return DH_security_bits(pkey->pkey.dh);
-}
-
 static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
 {
     if (BN_cmp(a->pkey.dh->p, b->pkey.dh->p) ||
@@ -380,7 +463,8 @@ static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src)
             return 0;
     } else
         a = NULL;
-    BN_free(*dst);
+    if (*dst)
+        BN_free(*dst);
     *dst = a;
     return 1;
 }
@@ -398,11 +482,13 @@ static int int_dh_param_copy(DH *to, const DH *from, int is_x942)
             return 0;
         if (!int_dh_bn_cpy(&to->j, from->j))
             return 0;
-        OPENSSL_free(to->seed);
-        to->seed = NULL;
-        to->seedlen = 0;
+        if (to->seed) {
+            OPENSSL_free(to->seed);
+            to->seed = NULL;
+            to->seedlen = 0;
+        }
         if (from->seed) {
-            to->seed = OPENSSL_memdup(from->seed, from->seedlen);
+            to->seed = BUF_memdup(from->seed, from->seedlen);
             if (!to->seed)
                 return 0;
             to->seedlen = from->seedlen;
@@ -416,7 +502,7 @@ DH *DHparams_dup(DH *dh)
 {
     DH *ret;
     ret = DH_new();
-    if (ret == NULL)
+    if (!ret)
         return NULL;
     if (!int_dh_param_copy(ret, dh, -1)) {
         DH_free(ret);
@@ -427,11 +513,6 @@ DH *DHparams_dup(DH *dh)
 
 static int dh_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
 {
-    if (to->pkey.dh == NULL) {
-        to->pkey.dh = DH_new();
-        if (to->pkey.dh == NULL)
-            return 0;
-    }
     return int_dh_param_copy(to->pkey.dh, from->pkey.dh,
                              from->ameth == &dhx_asn1_meth);
 }
@@ -456,24 +537,24 @@ static int dh_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
 static int dh_param_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                           ASN1_PCTX *ctx)
 {
-    return do_dh_print(bp, pkey->pkey.dh, indent, 0);
+    return do_dh_print(bp, pkey->pkey.dh, indent, ctx, 0);
 }
 
 static int dh_public_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                            ASN1_PCTX *ctx)
 {
-    return do_dh_print(bp, pkey->pkey.dh, indent, 1);
+    return do_dh_print(bp, pkey->pkey.dh, indent, ctx, 1);
 }
 
 static int dh_private_print(BIO *bp, const EVP_PKEY *pkey, int indent,
                             ASN1_PCTX *ctx)
 {
-    return do_dh_print(bp, pkey->pkey.dh, indent, 2);
+    return do_dh_print(bp, pkey->pkey.dh, indent, ctx, 2);
 }
 
 int DHparams_print(BIO *bp, const DH *x)
 {
-    return do_dh_print(bp, x, 4, 0);
+    return do_dh_print(bp, x, 4, NULL, 0);
 }
 
 #ifndef OPENSSL_NO_CMS
@@ -522,7 +603,6 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
 
     int_dh_size,
     dh_bits,
-    dh_security_bits,
 
     dh_param_decode,
     dh_param_encode,
@@ -555,7 +635,6 @@ const EVP_PKEY_ASN1_METHOD dhx_asn1_meth = {
 
     int_dh_size,
     dh_bits,
-    dh_security_bits,
 
     dh_param_decode,
     dh_param_encode,
@@ -574,9 +653,9 @@ const EVP_PKEY_ASN1_METHOD dhx_asn1_meth = {
 static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
                               X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
 {
-    const ASN1_OBJECT *aoid;
+    ASN1_OBJECT *aoid;
     int atype;
-    const void *aval;
+    void *aval;
     ASN1_INTEGER *public_key = NULL;
     int rv = 0;
     EVP_PKEY *pkpeer = NULL, *pk = NULL;
@@ -600,32 +679,35 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
     dhpeer = DHparams_dup(pk->pkey.dh);
     /* We have parameters now set public key */
     plen = ASN1_STRING_length(pubkey);
-    p = ASN1_STRING_get0_data(pubkey);
+    p = ASN1_STRING_data(pubkey);
     if (!p || !plen)
         goto err;
 
-    if ((public_key = d2i_ASN1_INTEGER(NULL, &p, plen)) == NULL) {
+    if (!(public_key = d2i_ASN1_INTEGER(NULL, &p, plen))) {
         DHerr(DH_F_DH_CMS_SET_PEERKEY, DH_R_DECODE_ERROR);
         goto err;
     }
 
     /* We have parameters now set public key */
-    if ((dhpeer->pub_key = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) {
+    if (!(dhpeer->pub_key = ASN1_INTEGER_to_BN(public_key, NULL))) {
         DHerr(DH_F_DH_CMS_SET_PEERKEY, DH_R_BN_DECODE_ERROR);
         goto err;
     }
 
     pkpeer = EVP_PKEY_new();
-    if (pkpeer == NULL)
+    if (!pkpeer)
         goto err;
     EVP_PKEY_assign(pkpeer, pk->ameth->pkey_id, dhpeer);
     dhpeer = NULL;
     if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
         rv = 1;
  err:
-    ASN1_INTEGER_free(public_key);
-    EVP_PKEY_free(pkpeer);
-    DH_free(dhpeer);
+    if (public_key)
+        ASN1_INTEGER_free(public_key);
+    if (pkpeer)
+        EVP_PKEY_free(pkpeer);
+    if (dhpeer)
+        DH_free(dhpeer);
     return rv;
 }
 
@@ -690,7 +772,7 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
 
     if (ukm) {
         dukmlen = ASN1_STRING_length(ukm);
-        dukm = OPENSSL_memdup(ASN1_STRING_get0_data(ukm), dukmlen);
+        dukm = BUF_memdup(ASN1_STRING_data(ukm), dukmlen);
         if (!dukm)
             goto err;
     }
@@ -701,8 +783,10 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
 
     rv = 1;
  err:
-    X509_ALGOR_free(kekalg);
-    OPENSSL_free(dukm);
+    if (kekalg)
+        X509_ALGOR_free(kekalg);
+    if (dukm)
+        OPENSSL_free(dukm);
     return rv;
 }
 
@@ -741,7 +825,7 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
     EVP_CIPHER_CTX *ctx;
     int keylen;
     X509_ALGOR *talg, *wrap_alg = NULL;
-    const ASN1_OBJECT *aoid;
+    ASN1_OBJECT *aoid;
     ASN1_BIT_STRING *pubkey;
     ASN1_STRING *wrap_str;
     ASN1_OCTET_STRING *ukm;
@@ -762,7 +846,8 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
     X509_ALGOR_get0(&aoid, NULL, NULL, talg);
     /* Is everything uninitialised? */
     if (aoid == OBJ_nid2obj(NID_undef)) {
-        ASN1_INTEGER *pubk = BN_to_ASN1_INTEGER(pkey->pkey.dh->pub_key, NULL);
+        ASN1_INTEGER *pubk;
+        pubk = BN_to_ASN1_INTEGER(pkey->pkey.dh->pub_key, NULL);
         if (!pubk)
             goto err;
         /* Set the key */
@@ -780,7 +865,7 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
                         V_ASN1_UNDEF, NULL);
     }
 
-    /* See if custom parameters set */
+    /* See if custom paraneters set */
     kdf_type = EVP_PKEY_CTX_get_dh_kdf_type(pctx);
     if (kdf_type <= 0)
         goto err;
@@ -816,11 +901,11 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
     /* Package wrap algorithm in an AlgorithmIdentifier */
 
     wrap_alg = X509_ALGOR_new();
-    if (wrap_alg == NULL)
+    if (!wrap_alg)
         goto err;
     wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
     wrap_alg->parameter = ASN1_TYPE_new();
-    if (wrap_alg->parameter == NULL)
+    if (!wrap_alg->parameter)
         goto err;
     if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
         goto err;
@@ -834,7 +919,7 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
 
     if (ukm) {
         dukmlen = ASN1_STRING_length(ukm);
-        dukm = OPENSSL_memdup(ASN1_STRING_get0_data(ukm), dukmlen);
+        dukm = BUF_memdup(ASN1_STRING_data(ukm), dukmlen);
         if (!dukm)
             goto err;
     }
@@ -852,7 +937,7 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
     if (!penc || !penclen)
         goto err;
     wrap_str = ASN1_STRING_new();
-    if (wrap_str == NULL)
+    if (!wrap_str)
         goto err;
     ASN1_STRING_set0(wrap_str, penc, penclen);
     penc = NULL;
@@ -862,8 +947,10 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
     rv = 1;
 
  err:
-    OPENSSL_free(penc);
-    X509_ALGOR_free(wrap_alg);
+    if (penc)
+        OPENSSL_free(penc);
+    if (wrap_alg)
+        X509_ALGOR_free(wrap_alg);
     return rv;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c b/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c
index 7c72fd64..f4702143 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_asn1.c
@@ -1,16 +1,66 @@
+/* dh_asn1.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
-#include "dh_locl.h"
+#include <openssl/dh.h>
 #include <openssl/objects.h>
 #include <openssl/asn1t.h>
 
@@ -20,7 +70,7 @@ static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 {
     if (operation == ASN1_OP_NEW_PRE) {
         *pval = (ASN1_VALUE *)DH_new();
-        if (*pval != NULL)
+        if (*pval)
             return 2;
         return 0;
     } else if (operation == ASN1_OP_FREE_PRE) {
@@ -60,7 +110,7 @@ typedef struct {
 ASN1_SEQUENCE(DHvparams) = {
         ASN1_SIMPLE(int_dhvparams, seed, ASN1_BIT_STRING),
         ASN1_SIMPLE(int_dhvparams, counter, BIGNUM)
-} static_ASN1_SEQUENCE_END_name(int_dhvparams, DHvparams)
+} ASN1_SEQUENCE_END_name(int_dhvparams, DHvparams)
 
 ASN1_SEQUENCE(DHxparams) = {
         ASN1_SIMPLE(int_dhx942_dh, p, BIGNUM),
@@ -68,7 +118,7 @@ ASN1_SEQUENCE(DHxparams) = {
         ASN1_SIMPLE(int_dhx942_dh, q, BIGNUM),
         ASN1_OPT(int_dhx942_dh, j, BIGNUM),
         ASN1_OPT(int_dhx942_dh, vparams, DHvparams),
-} static_ASN1_SEQUENCE_END_name(int_dhx942_dh, DHxparams)
+} ASN1_SEQUENCE_END_name(int_dhx942_dh, DHxparams)
 
 int_dhx942_dh *d2i_int_dhx(int_dhx942_dh **a,
                            const unsigned char **pp, long length);
@@ -76,23 +126,24 @@ int i2d_int_dhx(const int_dhx942_dh *a, unsigned char **pp);
 
 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(int_dhx942_dh, DHxparams, int_dhx)
 
-/* Application public function: read in X9.42 DH parameters into DH structure */
+/* Application leve function: read in X9.42 DH parameters into DH structure */
 
 DH *d2i_DHxparams(DH **a, const unsigned char **pp, long length)
 {
     int_dhx942_dh *dhx = NULL;
     DH *dh = NULL;
     dh = DH_new();
-    if (dh == NULL)
+    if (!dh)
         return NULL;
     dhx = d2i_int_dhx(NULL, pp, length);
-    if (dhx == NULL) {
+    if (!dhx) {
         DH_free(dh);
         return NULL;
     }
 
     if (a) {
-        DH_free(*a);
+        if (*a)
+            DH_free(*a);
         *a = dh;
     }
 
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_check.c b/Cryptlib/OpenSSL/crypto/dh/dh_check.c
index 3b0fa590..02770411 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_check.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_check.c
@@ -1,56 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/dh/dh_check.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
-#include "dh_locl.h"
-
-/*-
- * Check that p and g are suitable enough
- *
- * p is odd
- * 1 < g < p - 1
- */
-
-int DH_check_params(const DH *dh, int *ret)
-{
-    int ok = 0;
-    BIGNUM *tmp = NULL;
-    BN_CTX *ctx = NULL;
-
-    *ret = 0;
-    ctx = BN_CTX_new();
-    if (ctx == NULL)
-        goto err;
-    BN_CTX_start(ctx);
-    tmp = BN_CTX_get(ctx);
-    if (tmp == NULL)
-        goto err;
-
-    if (!BN_is_odd(dh->p))
-        *ret |= DH_CHECK_P_NOT_PRIME;
-    if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || BN_is_one(dh->g))
-        *ret |= DH_NOT_SUITABLE_GENERATOR;
-    if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1))
-        goto err;
-    if (BN_cmp(dh->g, tmp) >= 0)
-        *ret |= DH_NOT_SUITABLE_GENERATOR;
-
-    ok = 1;
- err:
-    if (ctx != NULL) {
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-    }
-    return (ok);
-}
+#include <openssl/dh.h>
 
 /*-
  * Check that p is a safe prime and
@@ -64,7 +73,7 @@ int DH_check_params(const DH *dh, int *ret)
 
 int DH_check(const DH *dh, int *ret)
 {
-    int ok = 0, r;
+    int ok = 0;
     BN_CTX *ctx = NULL;
     BN_ULONG l;
     BIGNUM *t1 = NULL, *t2 = NULL;
@@ -93,10 +102,7 @@ int DH_check(const DH *dh, int *ret)
             if (!BN_is_one(t1))
                 *ret |= DH_NOT_SUITABLE_GENERATOR;
         }
-        r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
-        if (r < 0)
-            goto err;
-        if (!r)
+        if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL))
             *ret |= DH_CHECK_Q_NOT_PRIME;
         /* Check p == 1 mod q  i.e. q divides p - 1 */
         if (!BN_div(t1, t2, dh->p, dh->q, ctx))
@@ -108,31 +114,29 @@ int DH_check(const DH *dh, int *ret)
 
     } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
         l = BN_mod_word(dh->p, 24);
-        if (l == (BN_ULONG)-1)
-            goto err;
         if (l != 11)
             *ret |= DH_NOT_SUITABLE_GENERATOR;
-    } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+    }
+#if 0
+    else if (BN_is_word(dh->g, DH_GENERATOR_3)) {
+        l = BN_mod_word(dh->p, 12);
+        if (l != 5)
+            *ret |= DH_NOT_SUITABLE_GENERATOR;
+    }
+#endif
+    else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
         l = BN_mod_word(dh->p, 10);
-        if (l == (BN_ULONG)-1)
-            goto err;
         if ((l != 3) && (l != 7))
             *ret |= DH_NOT_SUITABLE_GENERATOR;
     } else
         *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
 
-    r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
-    if (r < 0)
-        goto err;
-    if (!r)
+    if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL))
         *ret |= DH_CHECK_P_NOT_PRIME;
     else if (!dh->q) {
         if (!BN_rshift1(t1, dh->p))
             goto err;
-        r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
-        if (r < 0)
-            goto err;
-	if (!r)
+        if (!BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL))
             *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
     }
     ok = 1;
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_depr.c b/Cryptlib/OpenSSL/crypto/dh/dh_depr.c
index f8ed1b74..b6221199 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_depr.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_depr.c
@@ -1,45 +1,81 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/dh/dh_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /* This file contains deprecated functions as wrappers to the new ones */
 
-#include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
 
-# include <stdio.h>
-# include "internal/cryptlib.h"
-# include <openssl/bn.h>
-# include <openssl/dh.h>
+static void *dummy = &dummy;
 
+#ifndef OPENSSL_NO_DEPRECATED
 DH *DH_generate_parameters(int prime_len, int generator,
                            void (*callback) (int, int, void *), void *cb_arg)
 {
-    BN_GENCB *cb;
+    BN_GENCB cb;
     DH *ret = NULL;
 
     if ((ret = DH_new()) == NULL)
         return NULL;
-    cb = BN_GENCB_new();
-    if (cb == NULL) {
-        DH_free(ret);
-        return NULL;
-    }
 
-    BN_GENCB_set_old(cb, callback, cb_arg);
+    BN_GENCB_set_old(&cb, callback, cb_arg);
 
-    if (DH_generate_parameters_ex(ret, prime_len, generator, cb)) {
-        BN_GENCB_free(cb);
+    if (DH_generate_parameters_ex(ret, prime_len, generator, &cb))
         return ret;
-    }
-    BN_GENCB_free(cb);
     DH_free(ret);
     return NULL;
 }
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_err.c b/Cryptlib/OpenSSL/crypto/dh/dh_err.c
index 4e21f284..b890cca8 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_err.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/dh/dh_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2013 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,25 +70,26 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason)
 
 static ERR_STRING_DATA DH_str_functs[] = {
-    {ERR_FUNC(DH_F_COMPUTE_KEY), "compute_key"},
+    {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"},
     {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"},
-    {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"},
-    {ERR_FUNC(DH_F_DH_CMS_DECRYPT), "dh_cms_decrypt"},
-    {ERR_FUNC(DH_F_DH_CMS_SET_PEERKEY), "dh_cms_set_peerkey"},
-    {ERR_FUNC(DH_F_DH_CMS_SET_SHARED_INFO), "dh_cms_set_shared_info"},
-    {ERR_FUNC(DH_F_DH_METH_DUP), "DH_meth_dup"},
-    {ERR_FUNC(DH_F_DH_METH_NEW), "DH_meth_new"},
-    {ERR_FUNC(DH_F_DH_METH_SET1_NAME), "DH_meth_set1_name"},
+    {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"},
+    {ERR_FUNC(DH_F_DH_CMS_DECRYPT), "DH_CMS_DECRYPT"},
+    {ERR_FUNC(DH_F_DH_CMS_SET_PEERKEY), "DH_CMS_SET_PEERKEY"},
+    {ERR_FUNC(DH_F_DH_CMS_SET_SHARED_INFO), "DH_CMS_SET_SHARED_INFO"},
+    {ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
+    {ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"},
+    {ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS_EX), "DH_generate_parameters_ex"},
     {ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"},
-    {ERR_FUNC(DH_F_DH_PARAM_DECODE), "dh_param_decode"},
-    {ERR_FUNC(DH_F_DH_PRIV_DECODE), "dh_priv_decode"},
-    {ERR_FUNC(DH_F_DH_PRIV_ENCODE), "dh_priv_encode"},
-    {ERR_FUNC(DH_F_DH_PUB_DECODE), "dh_pub_decode"},
-    {ERR_FUNC(DH_F_DH_PUB_ENCODE), "dh_pub_encode"},
-    {ERR_FUNC(DH_F_DO_DH_PRINT), "do_dh_print"},
-    {ERR_FUNC(DH_F_GENERATE_KEY), "generate_key"},
-    {ERR_FUNC(DH_F_PKEY_DH_DERIVE), "pkey_dh_derive"},
-    {ERR_FUNC(DH_F_PKEY_DH_KEYGEN), "pkey_dh_keygen"},
+    {ERR_FUNC(DH_F_DH_PARAM_DECODE), "DH_PARAM_DECODE"},
+    {ERR_FUNC(DH_F_DH_PRIV_DECODE), "DH_PRIV_DECODE"},
+    {ERR_FUNC(DH_F_DH_PRIV_ENCODE), "DH_PRIV_ENCODE"},
+    {ERR_FUNC(DH_F_DH_PUB_DECODE), "DH_PUB_DECODE"},
+    {ERR_FUNC(DH_F_DH_PUB_ENCODE), "DH_PUB_ENCODE"},
+    {ERR_FUNC(DH_F_DO_DH_PRINT), "DO_DH_PRINT"},
+    {ERR_FUNC(DH_F_GENERATE_KEY), "GENERATE_KEY"},
+    {ERR_FUNC(DH_F_GENERATE_PARAMETERS), "GENERATE_PARAMETERS"},
+    {ERR_FUNC(DH_F_PKEY_DH_DERIVE), "PKEY_DH_DERIVE"},
+    {ERR_FUNC(DH_F_PKEY_DH_KEYGEN), "PKEY_DH_KEYGEN"},
     {0, NULL}
 };
 
@@ -49,7 +101,9 @@ static ERR_STRING_DATA DH_str_reasons[] = {
     {ERR_REASON(DH_R_INVALID_PUBKEY), "invalid public key"},
     {ERR_REASON(DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
     {ERR_REASON(DH_R_KEYS_NOT_SET), "keys not set"},
+    {ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
     {ERR_REASON(DH_R_MODULUS_TOO_LARGE), "modulus too large"},
+    {ERR_REASON(DH_R_NON_FIPS_METHOD), "non fips method"},
     {ERR_REASON(DH_R_NO_PARAMETERS_SET), "no parameters set"},
     {ERR_REASON(DH_R_NO_PRIVATE_VALUE), "no private value"},
     {ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"},
@@ -60,7 +114,7 @@ static ERR_STRING_DATA DH_str_reasons[] = {
 
 #endif
 
-int ERR_load_DH_strings(void)
+void ERR_load_DH_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -69,5 +123,4 @@ int ERR_load_DH_strings(void)
         ERR_load_strings(0, DH_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_gen.c b/Cryptlib/OpenSSL/crypto/dh/dh_gen.c
index 27ecb983..5bedb665 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_gen.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_gen.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/dh/dh_gen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /*
@@ -13,9 +62,13 @@
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
-#include "dh_locl.h"
+#include <openssl/dh.h>
+
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
 
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
                                 BN_GENCB *cb);
@@ -23,8 +76,19 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
 int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
                               BN_GENCB *cb)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
+        && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+        DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
+        return 0;
+    }
+#endif
     if (ret->meth->generate_params)
         return ret->meth->generate_params(ret, prime_len, generator, cb);
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        return FIPS_dh_generate_parameters_ex(ret, prime_len, generator, cb);
+#endif
     return dh_builtin_genparams(ret, prime_len, generator, cb);
 }
 
@@ -87,7 +151,17 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
         if (!BN_set_word(t2, 11))
             goto err;
         g = 2;
-    } else if (generator == DH_GENERATOR_5) {
+    }
+#if 0                           /* does not work for safe primes */
+    else if (generator == DH_GENERATOR_3) {
+        if (!BN_set_word(t1, 12))
+            goto err;
+        if (!BN_set_word(t2, 5))
+            goto err;
+        g = 3;
+    }
+#endif
+    else if (generator == DH_GENERATOR_5) {
         if (!BN_set_word(t1, 10))
             goto err;
         if (!BN_set_word(t2, 3))
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_kdf.c b/Cryptlib/OpenSSL/crypto/dh/dh_kdf.c
deleted file mode 100644
index 2782eeee..00000000
--- a/Cryptlib/OpenSSL/crypto/dh/dh_kdf.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <e_os.h>
-
-#ifndef OPENSSL_NO_CMS
-#include <string.h>
-#include <openssl/dh.h>
-#include <openssl/evp.h>
-#include <openssl/asn1.h>
-#include <openssl/cms.h>
-
-
-/* Key derivation from X9.42/RFC2631 */
-/* Uses CMS functions, hence the #ifdef wrapper. */
-
-#define DH_KDF_MAX      (1L << 30)
-
-/* Skip past an ASN1 structure: for OBJECT skip content octets too */
-
-static int skip_asn1(unsigned char **pp, long *plen, int exptag)
-{
-    const unsigned char *q = *pp;
-    int i, tag, xclass;
-    long tmplen;
-    i = ASN1_get_object(&q, &tmplen, &tag, &xclass, *plen);
-    if (i & 0x80)
-        return 0;
-    if (tag != exptag || xclass != V_ASN1_UNIVERSAL)
-        return 0;
-    if (tag == V_ASN1_OBJECT)
-        q += tmplen;
-    *plen -= q - *pp;
-    *pp = (unsigned char *)q;
-    return 1;
-}
-
-/*
- * Encode the DH shared info structure, return an offset to the counter value
- * so we can update the structure without reencoding it.
- */
-
-static int dh_sharedinfo_encode(unsigned char **pder, unsigned char **pctr,
-                                ASN1_OBJECT *key_oid, size_t outlen,
-                                const unsigned char *ukm, size_t ukmlen)
-{
-    unsigned char *p;
-    int derlen;
-    long tlen;
-    /* "magic" value to check offset is sane */
-    static unsigned char ctr[4] = { 0xF3, 0x17, 0x22, 0x53 };
-    X509_ALGOR atmp;
-    ASN1_OCTET_STRING ctr_oct, ukm_oct, *pukm_oct;
-    ASN1_TYPE ctr_atype;
-    if (ukmlen > DH_KDF_MAX || outlen > DH_KDF_MAX)
-        return 0;
-    ctr_oct.data = ctr;
-    ctr_oct.length = 4;
-    ctr_oct.flags = 0;
-    ctr_oct.type = V_ASN1_OCTET_STRING;
-    ctr_atype.type = V_ASN1_OCTET_STRING;
-    ctr_atype.value.octet_string = &ctr_oct;
-    atmp.algorithm = key_oid;
-    atmp.parameter = &ctr_atype;
-    if (ukm) {
-        ukm_oct.type = V_ASN1_OCTET_STRING;
-        ukm_oct.flags = 0;
-        ukm_oct.data = (unsigned char *)ukm;
-        ukm_oct.length = ukmlen;
-        pukm_oct = &ukm_oct;
-    } else
-        pukm_oct = NULL;
-    derlen = CMS_SharedInfo_encode(pder, &atmp, pukm_oct, outlen);
-    if (derlen <= 0)
-        return 0;
-    p = *pder;
-    tlen = derlen;
-    if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE))
-        return 0;
-    if (!skip_asn1(&p, &tlen, V_ASN1_SEQUENCE))
-        return 0;
-    if (!skip_asn1(&p, &tlen, V_ASN1_OBJECT))
-        return 0;
-    if (!skip_asn1(&p, &tlen, V_ASN1_OCTET_STRING))
-        return 0;
-    if (CRYPTO_memcmp(p, ctr, 4))
-        return 0;
-    *pctr = p;
-    return derlen;
-}
-
-int DH_KDF_X9_42(unsigned char *out, size_t outlen,
-                 const unsigned char *Z, size_t Zlen,
-                 ASN1_OBJECT *key_oid,
-                 const unsigned char *ukm, size_t ukmlen, const EVP_MD *md)
-{
-    EVP_MD_CTX *mctx = NULL;
-    int rv = 0;
-    unsigned int i;
-    size_t mdlen;
-    unsigned char *der = NULL, *ctr;
-    int derlen;
-    if (Zlen > DH_KDF_MAX)
-        return 0;
-    mctx = EVP_MD_CTX_new();
-    if (mctx == NULL)
-        return 0;
-    mdlen = EVP_MD_size(md);
-    derlen = dh_sharedinfo_encode(&der, &ctr, key_oid, outlen, ukm, ukmlen);
-    if (derlen == 0)
-        goto err;
-    for (i = 1;; i++) {
-        unsigned char mtmp[EVP_MAX_MD_SIZE];
-        if (!EVP_DigestInit_ex(mctx, md, NULL)
-            || !EVP_DigestUpdate(mctx, Z, Zlen))
-            goto err;
-        ctr[3] = i & 0xFF;
-        ctr[2] = (i >> 8) & 0xFF;
-        ctr[1] = (i >> 16) & 0xFF;
-        ctr[0] = (i >> 24) & 0xFF;
-        if (!EVP_DigestUpdate(mctx, der, derlen))
-            goto err;
-        if (outlen >= mdlen) {
-            if (!EVP_DigestFinal(mctx, out, NULL))
-                goto err;
-            outlen -= mdlen;
-            if (outlen == 0)
-                break;
-            out += mdlen;
-        } else {
-            if (!EVP_DigestFinal(mctx, mtmp, NULL))
-                goto err;
-            memcpy(out, mtmp, outlen);
-            OPENSSL_cleanse(mtmp, mdlen);
-            break;
-        }
-    }
-    rv = 1;
- err:
-    OPENSSL_free(der);
-    EVP_MD_CTX_free(mctx);
-    return rv;
-}
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_key.c b/Cryptlib/OpenSSL/crypto/dh/dh_key.c
index 204e5a7a..387558f1 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_key.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_key.c
@@ -1,16 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/dh/dh_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include "dh_locl.h"
-#include "internal/bn_int.h"
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rand.h>
+#include <openssl/dh.h>
 
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
@@ -22,11 +72,25 @@ static int dh_finish(DH *dh);
 
 int DH_generate_key(DH *dh)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+        DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
+        return 0;
+    }
+#endif
     return dh->meth->generate_key(dh);
 }
 
 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+        DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
+        return 0;
+    }
+#endif
     return dh->meth->compute_key(key, pub_key, dh);
 }
 
@@ -51,7 +115,7 @@ static DH_METHOD dh_ossl = {
     dh_bn_mod_exp,
     dh_init,
     dh_finish,
-    DH_FLAG_FIPS_METHOD,
+    0,
     NULL,
     NULL
 };
@@ -75,7 +139,7 @@ static int generate_key(DH *dh)
         goto err;
 
     if (dh->priv_key == NULL) {
-        priv_key = BN_secure_new();
+        priv_key = BN_new();
         if (priv_key == NULL)
             goto err;
         generate_new_key = 1;
@@ -91,7 +155,7 @@ static int generate_key(DH *dh)
 
     if (dh->flags & DH_FLAG_CACHE_MONT_P) {
         mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
-                                      dh->lock, dh->p, ctx);
+                                      CRYPTO_LOCK_DH, dh->p, ctx);
         if (!mont)
             goto err;
     }
@@ -106,24 +170,24 @@ static int generate_key(DH *dh)
         } else {
             /* secret exponent length */
             l = dh->length ? dh->length : BN_num_bits(dh->p) - 1;
-            if (!BN_rand(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+            if (!BN_rand(priv_key, l, 0, 0))
                 goto err;
         }
     }
 
     {
-        BIGNUM *prk = BN_new();
+        BIGNUM local_prk;
+        BIGNUM *prk;
 
-        if (prk == NULL)
-            goto err;
-        BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+        if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
+            BN_init(&local_prk);
+            prk = &local_prk;
+            BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+        } else
+            prk = priv_key;
 
-        if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
-            BN_free(prk);
+        if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont))
             goto err;
-        }
-        /* We MUST free prk before any further use of priv_key */
-        BN_free(prk);
     }
 
     dh->pub_key = pub_key;
@@ -133,9 +197,9 @@ static int generate_key(DH *dh)
     if (ok != 1)
         DHerr(DH_F_GENERATE_KEY, ERR_R_BN_LIB);
 
-    if (pub_key != dh->pub_key)
+    if ((pub_key != NULL) && (dh->pub_key == NULL))
         BN_free(pub_key);
-    if (priv_key != dh->priv_key)
+    if ((priv_key != NULL) && (dh->priv_key == NULL))
         BN_free(priv_key);
     BN_CTX_free(ctx);
     return (ok);
@@ -169,8 +233,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 
     if (dh->flags & DH_FLAG_CACHE_MONT_P) {
         mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
-                                      dh->lock, dh->p, ctx);
-        BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+                                      CRYPTO_LOCK_DH, dh->p, ctx);
+        if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
+            /* XXX */
+            BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+        }
         if (!mont)
             goto err;
     }
@@ -199,7 +266,15 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
                          const BIGNUM *a, const BIGNUM *p,
                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-    return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+    /*
+     * If a is only one word long and constant time is false, use the faster
+     * exponenentiation function.
+     */
+    if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
+        BN_ULONG A = a->d[0];
+        return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
+    } else
+        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
 
 static int dh_init(DH *dh)
@@ -210,6 +285,7 @@ static int dh_init(DH *dh)
 
 static int dh_finish(DH *dh)
 {
-    BN_MONT_CTX_free(dh->method_mont_p);
+    if (dh->method_mont_p)
+        BN_MONT_CTX_free(dh->method_mont_p);
     return (1);
 }
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_lib.c b/Cryptlib/OpenSSL/crypto/dh/dh_lib.c
index adf17715..bebc160e 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_lib.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_lib.c
@@ -1,17 +1,74 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/dh/dh_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
-#include "dh_locl.h"
-#include <openssl/engine.h>
+#include <openssl/dh.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
+const char DH_version[] = "Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
 static const DH_METHOD *default_DH_method = NULL;
 
@@ -22,8 +79,16 @@ void DH_set_default_method(const DH_METHOD *meth)
 
 const DH_METHOD *DH_get_default_method(void)
 {
-    if (!default_DH_method)
+    if (!default_DH_method) {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode())
+            return FIPS_dh_openssl();
+        else
+            return DH_OpenSSL();
+#else
         default_DH_method = DH_OpenSSL();
+#endif
+    }
     return default_DH_method;
 }
 
@@ -38,8 +103,10 @@ int DH_set_method(DH *dh, const DH_METHOD *meth)
     if (mtmp->finish)
         mtmp->finish(dh);
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(dh->engine);
-    dh->engine = NULL;
+    if (dh->engine) {
+        ENGINE_finish(dh->engine);
+        dh->engine = NULL;
+    }
 #endif
     dh->meth = meth;
     if (meth->init)
@@ -54,102 +121,132 @@ DH *DH_new(void)
 
 DH *DH_new_method(ENGINE *engine)
 {
-    DH *ret = OPENSSL_zalloc(sizeof(*ret));
+    DH *ret;
 
+    ret = (DH *)OPENSSL_malloc(sizeof(DH));
     if (ret == NULL) {
         DHerr(DH_F_DH_NEW_METHOD, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    ret->references = 1;
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        DHerr(DH_F_DH_NEW_METHOD, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(ret);
-        return NULL;
+        return (NULL);
     }
 
     ret->meth = DH_get_default_method();
 #ifndef OPENSSL_NO_ENGINE
-    ret->flags = ret->meth->flags;  /* early default init */
     if (engine) {
         if (!ENGINE_init(engine)) {
             DHerr(DH_F_DH_NEW_METHOD, ERR_R_ENGINE_LIB);
-            goto err;
+            OPENSSL_free(ret);
+            return NULL;
         }
         ret->engine = engine;
     } else
         ret->engine = ENGINE_get_default_DH();
     if (ret->engine) {
         ret->meth = ENGINE_get_DH(ret->engine);
-        if (ret->meth == NULL) {
+        if (!ret->meth) {
             DHerr(DH_F_DH_NEW_METHOD, ERR_R_ENGINE_LIB);
-            goto err;
+            ENGINE_finish(ret->engine);
+            OPENSSL_free(ret);
+            return NULL;
         }
     }
 #endif
 
-    ret->flags = ret->meth->flags;
-
-    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data))
-        goto err;
-
+    ret->pad = 0;
+    ret->version = 0;
+    ret->p = NULL;
+    ret->g = NULL;
+    ret->length = 0;
+    ret->pub_key = NULL;
+    ret->priv_key = NULL;
+    ret->q = NULL;
+    ret->j = NULL;
+    ret->seed = NULL;
+    ret->seedlen = 0;
+    ret->counter = NULL;
+    ret->method_mont_p = NULL;
+    ret->references = 1;
+    ret->flags = ret->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW;
+    CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
     if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
-        DHerr(DH_F_DH_NEW_METHOD, ERR_R_INIT_FAIL);
-err:
-        DH_free(ret);
+#ifndef OPENSSL_NO_ENGINE
+        if (ret->engine)
+            ENGINE_finish(ret->engine);
+#endif
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
+        OPENSSL_free(ret);
         ret = NULL;
     }
-
-    return ret;
+    return (ret);
 }
 
 void DH_free(DH *r)
 {
     int i;
-
     if (r == NULL)
         return;
-
-    CRYPTO_atomic_add(&r->references, -1, &i, r->lock);
-    REF_PRINT_COUNT("DH", r);
+    i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_DH);
+#ifdef REF_PRINT
+    REF_PRINT("DH", r);
+#endif
     if (i > 0)
         return;
-    REF_ASSERT_ISNT(i < 0);
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "DH_free, bad reference count\n");
+        abort();
+    }
+#endif
 
     if (r->meth->finish)
         r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(r->engine);
+    if (r->engine)
+        ENGINE_finish(r->engine);
 #endif
 
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data);
 
-    CRYPTO_THREAD_lock_free(r->lock);
-
-    BN_clear_free(r->p);
-    BN_clear_free(r->g);
-    BN_clear_free(r->q);
-    BN_clear_free(r->j);
-    OPENSSL_free(r->seed);
-    BN_clear_free(r->counter);
-    BN_clear_free(r->pub_key);
-    BN_clear_free(r->priv_key);
+    if (r->p != NULL)
+        BN_clear_free(r->p);
+    if (r->g != NULL)
+        BN_clear_free(r->g);
+    if (r->q != NULL)
+        BN_clear_free(r->q);
+    if (r->j != NULL)
+        BN_clear_free(r->j);
+    if (r->seed)
+        OPENSSL_free(r->seed);
+    if (r->counter != NULL)
+        BN_clear_free(r->counter);
+    if (r->pub_key != NULL)
+        BN_clear_free(r->pub_key);
+    if (r->priv_key != NULL)
+        BN_clear_free(r->priv_key);
     OPENSSL_free(r);
 }
 
 int DH_up_ref(DH *r)
 {
-    int i;
-
-    if (CRYPTO_atomic_add(&r->references, 1, &i, r->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("DH", r);
-    REF_ASSERT_ISNT(i < 2);
+    int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_DH);
+#ifdef REF_PRINT
+    REF_PRINT("DH", r);
+#endif
+#ifdef REF_CHECK
+    if (i < 2) {
+        fprintf(stderr, "DH_up, bad reference count\n");
+        abort();
+    }
+#endif
     return ((i > 1) ? 1 : 0);
 }
 
+int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+{
+    return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DH, argl, argp,
+                                   new_func, dup_func, free_func);
+}
+
 int DH_set_ex_data(DH *d, int idx, void *arg)
 {
     return (CRYPTO_set_ex_data(&d->ex_data, idx, arg));
@@ -160,125 +257,7 @@ void *DH_get_ex_data(DH *d, int idx)
     return (CRYPTO_get_ex_data(&d->ex_data, idx));
 }
 
-int DH_bits(const DH *dh)
-{
-    return BN_num_bits(dh->p);
-}
-
 int DH_size(const DH *dh)
 {
     return (BN_num_bytes(dh->p));
 }
-
-int DH_security_bits(const DH *dh)
-{
-    int N;
-    if (dh->q)
-        N = BN_num_bits(dh->q);
-    else if (dh->length)
-        N = dh->length;
-    else
-        N = -1;
-    return BN_security_bits(BN_num_bits(dh->p), N);
-}
-
-
-void DH_get0_pqg(const DH *dh,
-                 const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-{
-    if (p != NULL)
-        *p = dh->p;
-    if (q != NULL)
-        *q = dh->q;
-    if (g != NULL)
-        *g = dh->g;
-}
-
-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
-    /* If the fields p and g in d are NULL, the corresponding input
-     * parameters MUST be non-NULL.  q may remain NULL.
-     */
-    if ((dh->p == NULL && p == NULL)
-        || (dh->g == NULL && g == NULL))
-        return 0;
-
-    if (p != NULL) {
-        BN_free(dh->p);
-        dh->p = p;
-    }
-    if (q != NULL) {
-        BN_free(dh->q);
-        dh->q = q;
-    }
-    if (g != NULL) {
-        BN_free(dh->g);
-        dh->g = g;
-    }
-
-    if (q != NULL) {
-        dh->length = BN_num_bits(q);
-    }
-
-    return 1;
-}
-
-long DH_get_length(const DH *dh)
-{
-    return dh->length;
-}
-
-int DH_set_length(DH *dh, long length)
-{
-    dh->length = length;
-    return 1;
-}
-
-void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-{
-    if (pub_key != NULL)
-        *pub_key = dh->pub_key;
-    if (priv_key != NULL)
-        *priv_key = dh->priv_key;
-}
-
-int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-{
-    /* If the field pub_key in dh is NULL, the corresponding input
-     * parameters MUST be non-NULL.  The priv_key field may
-     * be left NULL.
-     */
-    if (dh->pub_key == NULL && pub_key == NULL)
-        return 0;
-
-    if (pub_key != NULL) {
-        BN_free(dh->pub_key);
-        dh->pub_key = pub_key;
-    }
-    if (priv_key != NULL) {
-        BN_free(dh->priv_key);
-        dh->priv_key = priv_key;
-    }
-
-    return 1;
-}
-
-void DH_clear_flags(DH *dh, int flags)
-{
-    dh->flags &= ~flags;
-}
-
-int DH_test_flags(const DH *dh, int flags)
-{
-    return dh->flags & flags;
-}
-
-void DH_set_flags(DH *dh, int flags)
-{
-    dh->flags |= flags;
-}
-
-ENGINE *DH_get0_engine(DH *dh)
-{
-    return dh->engine;
-}
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_locl.h b/Cryptlib/OpenSSL/crypto/dh/dh_locl.h
deleted file mode 100644
index 19301c31..00000000
--- a/Cryptlib/OpenSSL/crypto/dh/dh_locl.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/dh.h>
-
-struct dh_st {
-    /*
-     * This first argument is used to pick up errors when a DH is passed
-     * instead of a EVP_PKEY
-     */
-    int pad;
-    int version;
-    BIGNUM *p;
-    BIGNUM *g;
-    long length;                /* optional */
-    BIGNUM *pub_key;            /* g^x % p */
-    BIGNUM *priv_key;           /* x */
-    int flags;
-    BN_MONT_CTX *method_mont_p;
-    /* Place holders if we want to do X9.42 DH */
-    BIGNUM *q;
-    BIGNUM *j;
-    unsigned char *seed;
-    int seedlen;
-    BIGNUM *counter;
-    int references;
-    CRYPTO_EX_DATA ex_data;
-    const DH_METHOD *meth;
-    ENGINE *engine;
-    CRYPTO_RWLOCK *lock;
-};
-
-struct dh_method {
-    char *name;
-    /* Methods here */
-    int (*generate_key) (DH *dh);
-    int (*compute_key) (unsigned char *key, const BIGNUM *pub_key, DH *dh);
-
-    /* Can be null */
-    int (*bn_mod_exp) (const DH *dh, BIGNUM *r, const BIGNUM *a,
-                       const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
-                       BN_MONT_CTX *m_ctx);
-    int (*init) (DH *dh);
-    int (*finish) (DH *dh);
-    int flags;
-    char *app_data;
-    /* If this is non-NULL, it will be used to generate parameters */
-    int (*generate_params) (DH *dh, int prime_len, int generator,
-                            BN_GENCB *cb);
-};
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_meth.c b/Cryptlib/OpenSSL/crypto/dh/dh_meth.c
deleted file mode 100644
index ce6114c1..00000000
--- a/Cryptlib/OpenSSL/crypto/dh/dh_meth.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "dh_locl.h"
-#include <string.h>
-#include <openssl/err.h>
-
-DH_METHOD *DH_meth_new(const char *name, int flags)
-{
-    DH_METHOD *dhm = OPENSSL_zalloc(sizeof(*dhm));
-
-    if (dhm != NULL) {
-        dhm->flags = flags;
-
-        dhm->name = OPENSSL_strdup(name);
-        if (dhm->name != NULL)
-            return dhm;
-
-        OPENSSL_free(dhm);
-    }
-
-    DHerr(DH_F_DH_METH_NEW, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-void DH_meth_free(DH_METHOD *dhm)
-{
-    if (dhm != NULL) {
-        OPENSSL_free(dhm->name);
-        OPENSSL_free(dhm);
-    }
-}
-
-DH_METHOD *DH_meth_dup(const DH_METHOD *dhm)
-{
-    DH_METHOD *ret = OPENSSL_malloc(sizeof(*ret));
-
-    if (ret != NULL) {
-        memcpy(ret, dhm, sizeof(*dhm));
-
-        ret->name = OPENSSL_strdup(dhm->name);
-        if (ret->name != NULL)
-            return ret;
-
-        OPENSSL_free(ret);
-    }
-
-    DHerr(DH_F_DH_METH_DUP, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-const char *DH_meth_get0_name(const DH_METHOD *dhm)
-{
-    return dhm->name;
-}
-
-int DH_meth_set1_name(DH_METHOD *dhm, const char *name)
-{
-    char *tmpname = OPENSSL_strdup(name);
-
-    if (tmpname == NULL) {
-        DHerr(DH_F_DH_METH_SET1_NAME, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
-    OPENSSL_free(dhm->name);
-    dhm->name = tmpname;
-
-    return 1;
-}
-
-int DH_meth_get_flags(DH_METHOD *dhm)
-{
-    return dhm->flags;
-}
-
-int DH_meth_set_flags(DH_METHOD *dhm, int flags)
-{
-    dhm->flags = flags;
-    return 1;
-}
-
-void *DH_meth_get0_app_data(const DH_METHOD *dhm)
-{
-    return dhm->app_data;
-}
-
-int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data)
-{
-    dhm->app_data = app_data;
-    return 1;
-}
-
-int (*DH_meth_get_generate_key(const DH_METHOD *dhm)) (DH *)
-{
-    return dhm->generate_key;
-}
-
-int DH_meth_set_generate_key(DH_METHOD *dhm, int (*generate_key) (DH *))
-{
-    dhm->generate_key = generate_key;
-    return 1;
-}
-
-int (*DH_meth_get_compute_key(const DH_METHOD *dhm))
-        (unsigned char *key, const BIGNUM *pub_key, DH *dh)
-{
-    return dhm->compute_key;
-}
-
-int DH_meth_set_compute_key(DH_METHOD *dhm,
-        int (*compute_key) (unsigned char *key, const BIGNUM *pub_key, DH *dh))
-{
-    dhm->compute_key = compute_key;
-    return 1;
-}
-
-
-int (*DH_meth_get_bn_mod_exp(const DH_METHOD *dhm))
-    (const DH *, BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
-     BN_CTX *, BN_MONT_CTX *)
-{
-    return dhm->bn_mod_exp;
-}
-
-int DH_meth_set_bn_mod_exp(DH_METHOD *dhm,
-    int (*bn_mod_exp) (const DH *, BIGNUM *, const BIGNUM *, const BIGNUM *,
-                       const BIGNUM *, BN_CTX *, BN_MONT_CTX *))
-{
-    dhm->bn_mod_exp = bn_mod_exp;
-    return 1;
-}
-
-int (*DH_meth_get_init(const DH_METHOD *dhm))(DH *)
-{
-    return dhm->init;
-}
-
-int DH_meth_set_init(DH_METHOD *dhm, int (*init)(DH *))
-{
-    dhm->init = init;
-    return 1;
-}
-
-int (*DH_meth_get_finish(const DH_METHOD *dhm)) (DH *)
-{
-    return dhm->finish;
-}
-
-int DH_meth_set_finish(DH_METHOD *dhm, int (*finish) (DH *))
-{
-    dhm->finish = finish;
-    return 1;
-}
-
-int (*DH_meth_get_generate_params(const DH_METHOD *dhm))
-        (DH *, int, int, BN_GENCB *)
-{
-    return dhm->generate_params;
-}
-
-int DH_meth_set_generate_params(DH_METHOD *dhm,
-        int (*generate_params) (DH *, int, int, BN_GENCB *))
-{
-    dhm->generate_params = generate_params;
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c b/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c
index c3e03c7a..926be98e 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_pmeth.c
@@ -1,22 +1,73 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/evp.h>
-#include "dh_locl.h"
+#include <openssl/dh.h>
 #include <openssl/bn.h>
-#include <openssl/dsa.h>
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
 #include <openssl/objects.h>
-#include "internal/evp_int.h"
+#include "evp_locl.h"
 
 /* DH pkey context structure */
 
@@ -47,14 +98,22 @@ typedef struct {
 static int pkey_dh_init(EVP_PKEY_CTX *ctx)
 {
     DH_PKEY_CTX *dctx;
-
-    dctx = OPENSSL_zalloc(sizeof(*dctx));
-    if (dctx == NULL)
+    dctx = OPENSSL_malloc(sizeof(DH_PKEY_CTX));
+    if (!dctx)
         return 0;
     dctx->prime_len = 1024;
     dctx->subprime_len = -1;
     dctx->generator = 2;
+    dctx->use_dsa = 0;
+    dctx->md = NULL;
+    dctx->rfc5114_param = 0;
+
     dctx->kdf_type = EVP_PKEY_DH_KDF_NONE;
+    dctx->kdf_oid = NULL;
+    dctx->kdf_md = NULL;
+    dctx->kdf_ukm = NULL;
+    dctx->kdf_ukmlen = 0;
+    dctx->kdf_outlen = 0;
 
     ctx->data = dctx;
     ctx->keygen_info = dctx->gentmp;
@@ -63,17 +122,6 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx)
     return 1;
 }
 
-static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx)
-{
-    DH_PKEY_CTX *dctx = ctx->data;
-    if (dctx != NULL) {
-        OPENSSL_free(dctx->kdf_ukm);
-        ASN1_OBJECT_free(dctx->kdf_oid);
-        OPENSSL_free(dctx);
-    }
-}
-
-
 static int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 {
     DH_PKEY_CTX *dctx, *sctx;
@@ -90,19 +138,29 @@ static int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 
     dctx->kdf_type = sctx->kdf_type;
     dctx->kdf_oid = OBJ_dup(sctx->kdf_oid);
-    if (dctx->kdf_oid == NULL)
+    if (!dctx->kdf_oid)
         return 0;
     dctx->kdf_md = sctx->kdf_md;
-    if (sctx->kdf_ukm != NULL) {
-        dctx->kdf_ukm = OPENSSL_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
-        if (dctx->kdf_ukm == NULL)
-          return 0;
+    if (dctx->kdf_ukm) {
+        dctx->kdf_ukm = BUF_memdup(sctx->kdf_ukm, sctx->kdf_ukmlen);
         dctx->kdf_ukmlen = sctx->kdf_ukmlen;
     }
     dctx->kdf_outlen = sctx->kdf_outlen;
     return 1;
 }
 
+static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx)
+{
+    DH_PKEY_CTX *dctx = ctx->data;
+    if (dctx) {
+        if (dctx->kdf_ukm)
+            OPENSSL_free(dctx->kdf_ukm);
+        if (dctx->kdf_oid)
+            ASN1_OBJECT_free(dctx->kdf_oid);
+        OPENSSL_free(dctx);
+    }
+}
+
 static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 {
     DH_PKEY_CTX *dctx = ctx->data;
@@ -177,7 +235,8 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return 1;
 
     case EVP_PKEY_CTRL_DH_KDF_UKM:
-        OPENSSL_free(dctx->kdf_ukm);
+        if (dctx->kdf_ukm)
+            OPENSSL_free(dctx->kdf_ukm);
         dctx->kdf_ukm = p2;
         if (p2)
             dctx->kdf_ukmlen = p1;
@@ -190,7 +249,8 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return dctx->kdf_ukmlen;
 
     case EVP_PKEY_CTRL_DH_KDF_OID:
-        ASN1_OBJECT_free(dctx->kdf_oid);
+        if (dctx->kdf_oid)
+            ASN1_OBJECT_free(dctx->kdf_oid);
         dctx->kdf_oid = p2;
         return 1;
 
@@ -207,12 +267,12 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx,
                             const char *type, const char *value)
 {
-    if (strcmp(type, "dh_paramgen_prime_len") == 0) {
+    if (!strcmp(type, "dh_paramgen_prime_len")) {
         int len;
         len = atoi(value);
         return EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len);
     }
-    if (strcmp(type, "dh_rfc5114") == 0) {
+    if (!strcmp(type, "dh_rfc5114")) {
         DH_PKEY_CTX *dctx = ctx->data;
         int len;
         len = atoi(value);
@@ -221,17 +281,17 @@ static int pkey_dh_ctrl_str(EVP_PKEY_CTX *ctx,
         dctx->rfc5114_param = len;
         return 1;
     }
-    if (strcmp(type, "dh_paramgen_generator") == 0) {
+    if (!strcmp(type, "dh_paramgen_generator")) {
         int len;
         len = atoi(value);
         return EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, len);
     }
-    if (strcmp(type, "dh_paramgen_subprime_len") == 0) {
+    if (!strcmp(type, "dh_paramgen_subprime_len")) {
         int len;
         len = atoi(value);
         return EVP_PKEY_CTX_set_dh_paramgen_subprime_len(ctx, len);
     }
-    if (strcmp(type, "dh_paramgen_type") == 0) {
+    if (!strcmp(type, "dh_paramgen_type")) {
         int typ;
         typ = atoi(value);
         return EVP_PKEY_CTX_set_dh_paramgen_type(ctx, typ);
@@ -264,7 +324,7 @@ static DSA *dsa_dh_generate(DH_PKEY_CTX *dctx, BN_GENCB *pcb)
     if (dctx->use_dsa > 2)
         return NULL;
     ret = DSA_new();
-    if (ret == NULL)
+    if (!ret)
         return NULL;
     if (subprime_len == -1) {
         if (prime_len >= 2048)
@@ -297,7 +357,7 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 {
     DH *dh = NULL;
     DH_PKEY_CTX *dctx = ctx->data;
-    BN_GENCB *pcb;
+    BN_GENCB *pcb, cb;
     int ret;
     if (dctx->rfc5114_param) {
         switch (dctx->rfc5114_param) {
@@ -321,9 +381,7 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     }
 
     if (ctx->pkey_gencb) {
-        pcb = BN_GENCB_new();
-        if (pcb == NULL)
-            return 0;
+        pcb = &cb;
         evp_pkey_set_cb_translate(pcb, ctx);
     } else
         pcb = NULL;
@@ -331,8 +389,7 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     if (dctx->use_dsa) {
         DSA *dsa_dh;
         dsa_dh = dsa_dh_generate(dctx, pcb);
-        BN_GENCB_free(pcb);
-        if (dsa_dh == NULL)
+        if (!dsa_dh)
             return 0;
         dh = DSA_dup_DH(dsa_dh);
         DSA_free(dsa_dh);
@@ -343,13 +400,11 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     }
 #endif
     dh = DH_new();
-    if (dh == NULL) {
-        BN_GENCB_free(pcb);
+    if (!dh)
         return 0;
-    }
     ret = DH_generate_parameters_ex(dh,
                                     dctx->prime_len, dctx->generator, pcb);
-    BN_GENCB_free(pcb);
+
     if (ret)
         EVP_PKEY_assign_DH(pkey, dh);
     else
@@ -365,7 +420,7 @@ static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
         return 0;
     }
     dh = DH_new();
-    if (dh == NULL)
+    if (!dh)
         return 0;
     EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, dh);
     /* Note: if error return, pkey is freed by parent routine */
@@ -400,7 +455,6 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
     }
 #ifndef OPENSSL_NO_CMS
     else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
-
         unsigned char *Z = NULL;
         size_t Zlen = 0;
         if (!dctx->kdf_outlen || !dctx->kdf_oid)
@@ -414,7 +468,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
         ret = 0;
         Zlen = DH_size(dh);
         Z = OPENSSL_malloc(Zlen);
-        if (Z == NULL) {
+        if (!Z) {
             goto err;
         }
         if (DH_compute_key_padded(Z, dhpub, dh) <= 0)
@@ -425,7 +479,10 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
         *keylen = dctx->kdf_outlen;
         ret = 1;
  err:
-        OPENSSL_clear_free(Z, Zlen);
+        if (Z) {
+            OPENSSL_cleanse(Z, Zlen);
+            OPENSSL_free(Z);
+        }
         return ret;
     }
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_prn.c b/Cryptlib/OpenSSL/crypto/dh/dh_prn.c
index 283fb0f4..5d6c3a37 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_prn.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_prn.c
@@ -1,18 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/asn1/t_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/dh.h>
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int DHparams_print_fp(FILE *fp, const DH *x)
 {
     BIO *b;
diff --git a/Cryptlib/OpenSSL/crypto/dh/dh_rfc5114.c b/Cryptlib/OpenSSL/crypto/dh/dh_rfc5114.c
index c4a21959..e96e2aa3 100644
--- a/Cryptlib/OpenSSL/crypto/dh/dh_rfc5114.c
+++ b/Cryptlib/OpenSSL/crypto/dh/dh_rfc5114.c
@@ -1,40 +1,284 @@
 /*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2011.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include "dh_locl.h"
+#include "cryptlib.h"
+#include <openssl/dh.h>
 #include <openssl/bn.h>
-#include "internal/bn_dh.h"
+
+/* DH parameters from RFC5114 */
+
+#if BN_BITS2 == 64
+static const BN_ULONG dh1024_160_p[] = {
+    0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL,
+    0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL,
+    0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL,
+    0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL,
+    0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL,
+    0xB10B8F96A080E01DULL
+};
+
+static const BN_ULONG dh1024_160_g[] = {
+    0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL,
+    0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL,
+    0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL,
+    0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL,
+    0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL,
+    0xA4D1CBD5C3FD3412ULL
+};
+
+static const BN_ULONG dh1024_160_q[] = {
+    0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL
+};
+
+static const BN_ULONG dh2048_224_p[] = {
+    0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL,
+    0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL,
+    0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL,
+    0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL,
+    0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL,
+    0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL,
+    0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL,
+    0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL,
+    0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL,
+    0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL,
+    0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL
+};
+
+static const BN_ULONG dh2048_224_g[] = {
+    0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL,
+    0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL,
+    0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL,
+    0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL,
+    0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL,
+    0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL,
+    0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL,
+    0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL,
+    0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL,
+    0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL,
+    0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL
+};
+
+static const BN_ULONG dh2048_224_q[] = {
+    0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL,
+    0x00000000801C0D34ULL
+};
+
+static const BN_ULONG dh2048_256_p[] = {
+    0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL,
+    0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL,
+    0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL,
+    0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL,
+    0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL,
+    0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL,
+    0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL,
+    0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL,
+    0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL,
+    0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL,
+    0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL
+};
+
+static const BN_ULONG dh2048_256_g[] = {
+    0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL,
+    0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL,
+    0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL,
+    0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL,
+    0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL,
+    0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL,
+    0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL,
+    0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL,
+    0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL,
+    0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL,
+    0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL
+};
+
+static const BN_ULONG dh2048_256_q[] = {
+    0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL,
+    0x8CF83642A709A097ULL
+};
+
+#elif BN_BITS2 == 32
+
+static const BN_ULONG dh1024_160_p[] = {
+    0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF,
+    0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA,
+    0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C,
+    0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286,
+    0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E,
+    0xA080E01D, 0xB10B8F96
+};
+
+static const BN_ULONG dh1024_160_g[] = {
+    0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59,
+    0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08,
+    0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F,
+    0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E,
+    0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442,
+    0xC3FD3412, 0xA4D1CBD5
+};
+
+static const BN_ULONG dh1024_160_q[] = {
+    0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87
+};
+
+static const BN_ULONG dh2048_224_p[] = {
+    0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2,
+    0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E,
+    0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1,
+    0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A,
+    0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714,
+    0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0,
+    0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0,
+    0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152,
+    0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40,
+    0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5,
+    0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E
+};
+
+static const BN_ULONG dh2048_224_g[] = {
+    0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1,
+    0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE,
+    0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F,
+    0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137,
+    0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3,
+    0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2,
+    0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0,
+    0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001,
+    0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01,
+    0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B,
+    0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF
+};
+
+static const BN_ULONG dh2048_224_q[] = {
+    0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE,
+    0x801C0D34
+};
+
+static const BN_ULONG dh2048_256_p[] = {
+    0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227,
+    0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A,
+    0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79,
+    0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5,
+    0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267,
+    0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF,
+    0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF,
+    0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64,
+    0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45,
+    0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608,
+    0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D
+};
+
+static const BN_ULONG dh2048_256_g[] = {
+    0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148,
+    0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428,
+    0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15,
+    0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73,
+    0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1,
+    0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982,
+    0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5,
+    0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8,
+    0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A,
+    0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F,
+    0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B
+};
+
+static const BN_ULONG dh2048_256_q[] = {
+    0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976,
+    0xA709A097, 0x8CF83642
+};
+
+#else
+# error "unsupported BN_BITS2"
+#endif
+
+/* Macro to make a BIGNUM from static data */
+
+#define make_dh_bn(x) static const BIGNUM _bignum_##x = { (BN_ULONG *) x, \
+                        sizeof(x)/sizeof(BN_ULONG),\
+                        sizeof(x)/sizeof(BN_ULONG),\
+                        0, BN_FLG_STATIC_DATA }
 
 /*
  * Macro to make a DH structure from BIGNUM data. NB: although just copying
- * the BIGNUM static pointers would be more efficient, we can't do that
- * because they get wiped using BN_clear_free() when DH_free() is called.
+ * the BIGNUM static pointers would be more efficient we can't as they get
+ * wiped using BN_clear_free() when DH_free() is called.
  */
 
 #define make_dh(x) \
-DH *DH_get_##x(void) \
-{ \
-    DH *dh = DH_new(); \
-\
-    if (dh == NULL) \
-        return NULL; \
-    dh->p = BN_dup(&_bignum_dh##x##_p); \
-    dh->g = BN_dup(&_bignum_dh##x##_g); \
-    dh->q = BN_dup(&_bignum_dh##x##_q); \
-    if (dh->p == NULL || dh->q == NULL || dh->g == NULL) {\
-        DH_free(dh); \
-        return NULL; \
-    } \
-    return dh; \
-}
+DH * DH_get_##x(void) \
+        { \
+        DH *dh; \
+        make_dh_bn(dh##x##_p); \
+        make_dh_bn(dh##x##_q); \
+        make_dh_bn(dh##x##_g); \
+        dh = DH_new(); \
+        if (!dh) \
+                return NULL; \
+        dh->p = BN_dup(&_bignum_dh##x##_p); \
+        dh->g = BN_dup(&_bignum_dh##x##_g); \
+        dh->q = BN_dup(&_bignum_dh##x##_q); \
+        if (!dh->p || !dh->q || !dh->g) \
+                { \
+                DH_free(dh); \
+                return NULL; \
+                } \
+        return dh; \
+        }
 
 make_dh(1024_160)
 make_dh(2048_224)
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_beos.c b/Cryptlib/OpenSSL/crypto/dso/dso_beos.c
new file mode 100644
index 00000000..68ebcd8a
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_beos.c
@@ -0,0 +1,253 @@
+/* dso_beos.c */
+/*
+ * Written by Marcin Konicki (ahwayakchih@neoni.net) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+#if !defined(OPENSSL_SYS_BEOS)
+DSO_METHOD *DSO_METHOD_beos(void)
+{
+    return NULL;
+}
+#else
+
+# include <kernel/image.h>
+
+static int beos_load(DSO *dso);
+static int beos_unload(DSO *dso);
+static void *beos_bind_var(DSO *dso, const char *symname);
+static DSO_FUNC_TYPE beos_bind_func(DSO *dso, const char *symname);
+# if 0
+static int beos_unbind_var(DSO *dso, char *symname, void *symptr);
+static int beos_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+static int beos_init(DSO *dso);
+static int beos_finish(DSO *dso);
+static long beos_ctrl(DSO *dso, int cmd, long larg, void *parg);
+# endif
+static char *beos_name_converter(DSO *dso, const char *filename);
+
+static DSO_METHOD dso_meth_beos = {
+    "OpenSSL 'beos' shared library method",
+    beos_load,
+    beos_unload,
+    beos_bind_var,
+    beos_bind_func,
+/* For now, "unbind" doesn't exist */
+# if 0
+    NULL,                       /* unbind_var */
+    NULL,                       /* unbind_func */
+# endif
+    NULL,                       /* ctrl */
+    beos_name_converter,
+    NULL,                       /* init */
+    NULL                        /* finish */
+};
+
+DSO_METHOD *DSO_METHOD_beos(void)
+{
+    return (&dso_meth_beos);
+}
+
+/*
+ * For this DSO_METHOD, our meth_data STACK will contain; (i) a pointer to
+ * the handle (image_id) returned from load_add_on().
+ */
+
+static int beos_load(DSO *dso)
+{
+    image_id id;
+    /* See applicable comments from dso_dl.c */
+    char *filename = DSO_convert_filename(dso, NULL);
+
+    if (filename == NULL) {
+        DSOerr(DSO_F_BEOS_LOAD, DSO_R_NO_FILENAME);
+        goto err;
+    }
+    id = load_add_on(filename);
+    if (id < 1) {
+        DSOerr(DSO_F_BEOS_LOAD, DSO_R_LOAD_FAILED);
+        ERR_add_error_data(3, "filename(", filename, ")");
+        goto err;
+    }
+    if (!sk_push(dso->meth_data, (char *)id)) {
+        DSOerr(DSO_F_BEOS_LOAD, DSO_R_STACK_ERROR);
+        goto err;
+    }
+    /* Success */
+    dso->loaded_filename = filename;
+    return (1);
+ err:
+    /* Cleanup ! */
+    if (filename != NULL)
+        OPENSSL_free(filename);
+    if (id > 0)
+        unload_add_on(id);
+    return (0);
+}
+
+static int beos_unload(DSO *dso)
+{
+    image_id id;
+    if (dso == NULL) {
+        DSOerr(DSO_F_BEOS_UNLOAD, ERR_R_PASSED_NULL_PARAMETER);
+        return (0);
+    }
+    if (sk_num(dso->meth_data) < 1)
+        return (1);
+    id = (image_id) sk_pop(dso->meth_data);
+    if (id < 1) {
+        DSOerr(DSO_F_BEOS_UNLOAD, DSO_R_NULL_HANDLE);
+        return (0);
+    }
+    if (unload_add_on(id) != B_OK) {
+        DSOerr(DSO_F_BEOS_UNLOAD, DSO_R_UNLOAD_FAILED);
+        /*
+         * We should push the value back onto the stack in case of a retry.
+         */
+        sk_push(dso->meth_data, (char *)id);
+        return (0);
+    }
+    return (1);
+}
+
+static void *beos_bind_var(DSO *dso, const char *symname)
+{
+    image_id id;
+    void *sym;
+
+    if ((dso == NULL) || (symname == NULL)) {
+        DSOerr(DSO_F_BEOS_BIND_VAR, ERR_R_PASSED_NULL_PARAMETER);
+        return (NULL);
+    }
+    if (sk_num(dso->meth_data) < 1) {
+        DSOerr(DSO_F_BEOS_BIND_VAR, DSO_R_STACK_ERROR);
+        return (NULL);
+    }
+    id = (image_id) sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+    if (id < 1) {
+        DSOerr(DSO_F_BEOS_BIND_VAR, DSO_R_NULL_HANDLE);
+        return (NULL);
+    }
+    if (get_image_symbol(id, symname, B_SYMBOL_TYPE_DATA, &sym) != B_OK) {
+        DSOerr(DSO_F_BEOS_BIND_VAR, DSO_R_SYM_FAILURE);
+        ERR_add_error_data(3, "symname(", symname, ")");
+        return (NULL);
+    }
+    return (sym);
+}
+
+static DSO_FUNC_TYPE beos_bind_func(DSO *dso, const char *symname)
+{
+    image_id id;
+    void *sym;
+
+    if ((dso == NULL) || (symname == NULL)) {
+        DSOerr(DSO_F_BEOS_BIND_FUNC, ERR_R_PASSED_NULL_PARAMETER);
+        return (NULL);
+    }
+    if (sk_num(dso->meth_data) < 1) {
+        DSOerr(DSO_F_BEOS_BIND_FUNC, DSO_R_STACK_ERROR);
+        return (NULL);
+    }
+    id = (image_id) sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+    if (id < 1) {
+        DSOerr(DSO_F_BEOS_BIND_FUNC, DSO_R_NULL_HANDLE);
+        return (NULL);
+    }
+    if (get_image_symbol(id, symname, B_SYMBOL_TYPE_TEXT, &sym) != B_OK) {
+        DSOerr(DSO_F_BEOS_BIND_FUNC, DSO_R_SYM_FAILURE);
+        ERR_add_error_data(3, "symname(", symname, ")");
+        return (NULL);
+    }
+    return ((DSO_FUNC_TYPE)sym);
+}
+
+/* This one is the same as the one in dlfcn */
+static char *beos_name_converter(DSO *dso, const char *filename)
+{
+    char *translated;
+    int len, rsize, transform;
+
+    len = strlen(filename);
+    rsize = len + 1;
+    transform = (strstr(filename, "/") == NULL);
+    if (transform) {
+        /* We will convert this to "%s.so" or "lib%s.so" */
+        rsize += 3;             /* The length of ".so" */
+        if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
+            rsize += 3;         /* The length of "lib" */
+    }
+    translated = OPENSSL_malloc(rsize);
+    if (translated == NULL) {
+        DSOerr(DSO_F_BEOS_NAME_CONVERTER, DSO_R_NAME_TRANSLATION_FAILED);
+        return (NULL);
+    }
+    if (transform) {
+        if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
+            sprintf(translated, "lib%s.so", filename);
+        else
+            sprintf(translated, "%s.so", filename);
+    } else
+        sprintf(translated, "%s", filename);
+    return (translated);
+}
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_dl.c b/Cryptlib/OpenSSL/crypto/dso/dso_dl.c
index d80bf562..ceedf66e 100644
--- a/Cryptlib/OpenSSL/crypto/dso/dso_dl.c
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_dl.c
@@ -1,15 +1,72 @@
+/* dso_dl.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "dso_locl.h"
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
 
-#ifdef DSO_DL
+#ifndef DSO_DL
+DSO_METHOD *DSO_METHOD_dl(void)
+{
+    return NULL;
+}
+#else
 
 # include <dl.h>
 
@@ -18,7 +75,15 @@
 
 static int dl_load(DSO *dso);
 static int dl_unload(DSO *dso);
+static void *dl_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname);
+# if 0
+static int dl_unbind_var(DSO *dso, char *symname, void *symptr);
+static int dl_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+static int dl_init(DSO *dso);
+static int dl_finish(DSO *dso);
+static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg);
+# endif
 static char *dl_name_converter(DSO *dso, const char *filename);
 static char *dl_merger(DSO *dso, const char *filespec1,
                        const char *filespec2);
@@ -29,7 +94,13 @@ static DSO_METHOD dso_meth_dl = {
     "OpenSSL 'dl' shared library method",
     dl_load,
     dl_unload,
+    dl_bind_var,
     dl_bind_func,
+/* For now, "unbind" doesn't exist */
+# if 0
+    NULL,                       /* unbind_var */
+    NULL,                       /* unbind_func */
+# endif
     NULL,                       /* ctrl */
     dl_name_converter,
     dl_merger,
@@ -39,9 +110,9 @@ static DSO_METHOD dso_meth_dl = {
     dl_globallookup
 };
 
-DSO_METHOD *DSO_METHOD_openssl(void)
+DSO_METHOD *DSO_METHOD_dl(void)
 {
-    return &dso_meth_dl;
+    return (&dso_meth_dl);
 }
 
 /*
@@ -56,7 +127,7 @@ static int dl_load(DSO *dso)
     /*
      * We don't do any fancy retries or anything, just take the method's (or
      * DSO's if it has the callback set) best translation of the
-     * platform-independent filename and try once with that.
+     * platform-independant filename and try once with that.
      */
     char *filename = DSO_convert_filename(dso, NULL);
 
@@ -68,10 +139,8 @@ static int dl_load(DSO *dso)
                    (dso->flags & DSO_FLAG_NO_NAME_TRANSLATION ? 0 :
                     DYNAMIC_PATH), 0L);
     if (ptr == NULL) {
-        char errbuf[160];
         DSOerr(DSO_F_DL_LOAD, DSO_R_LOAD_FAILED);
-        if (openssl_strerror_r(errno, errbuf, sizeof(errbuf)))
-            ERR_add_error_data(4, "filename(", filename, "): ", errbuf);
+        ERR_add_error_data(4, "filename(", filename, "): ", strerror(errno));
         goto err;
     }
     if (!sk_push(dso->meth_data, (char *)ptr)) {
@@ -86,7 +155,8 @@ static int dl_load(DSO *dso)
     return (1);
  err:
     /* Cleanup! */
-    OPENSSL_free(filename);
+    if (filename != NULL)
+        OPENSSL_free(filename);
     if (ptr != NULL)
         shl_unload(ptr);
     return (0);
@@ -115,6 +185,32 @@ static int dl_unload(DSO *dso)
     return (1);
 }
 
+static void *dl_bind_var(DSO *dso, const char *symname)
+{
+    shl_t ptr;
+    void *sym;
+
+    if ((dso == NULL) || (symname == NULL)) {
+        DSOerr(DSO_F_DL_BIND_VAR, ERR_R_PASSED_NULL_PARAMETER);
+        return (NULL);
+    }
+    if (sk_num(dso->meth_data) < 1) {
+        DSOerr(DSO_F_DL_BIND_VAR, DSO_R_STACK_ERROR);
+        return (NULL);
+    }
+    ptr = (shl_t) sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
+    if (ptr == NULL) {
+        DSOerr(DSO_F_DL_BIND_VAR, DSO_R_NULL_HANDLE);
+        return (NULL);
+    }
+    if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) {
+        DSOerr(DSO_F_DL_BIND_VAR, DSO_R_SYM_FAILURE);
+        ERR_add_error_data(4, "symname(", symname, "): ", strerror(errno));
+        return (NULL);
+    }
+    return (sym);
+}
+
 static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname)
 {
     shl_t ptr;
@@ -134,10 +230,8 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname)
         return (NULL);
     }
     if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) {
-        char errbuf[160];
         DSOerr(DSO_F_DL_BIND_FUNC, DSO_R_SYM_FAILURE);
-        if (openssl_strerror_r(errno, errbuf, sizeof(errbuf)))
-            ERR_add_error_data(4, "symname(", symname, "): ", errbuf);
+        ERR_add_error_data(4, "symname(", symname, "): ", strerror(errno));
         return (NULL);
     }
     return ((DSO_FUNC_TYPE)sym);
@@ -156,21 +250,23 @@ static char *dl_merger(DSO *dso, const char *filespec1, const char *filespec2)
      * if the second file specification is missing.
      */
     if (!filespec2 || filespec1[0] == '/') {
-        merged = OPENSSL_strdup(filespec1);
-        if (merged == NULL) {
+        merged = OPENSSL_malloc(strlen(filespec1) + 1);
+        if (!merged) {
             DSOerr(DSO_F_DL_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
+        strcpy(merged, filespec1);
     }
     /*
      * If the first file specification is missing, the second one rules.
      */
     else if (!filespec1) {
-        merged = OPENSSL_strdup(filespec2);
-        if (merged == NULL) {
+        merged = OPENSSL_malloc(strlen(filespec2) + 1);
+        if (!merged) {
             DSOerr(DSO_F_DL_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
+        strcpy(merged, filespec2);
     } else
         /*
          * This part isn't as trivial as it looks.  It assumes that the
@@ -185,12 +281,12 @@ static char *dl_merger(DSO *dso, const char *filespec1, const char *filespec2)
         spec2len = (filespec2 ? strlen(filespec2) : 0);
         len = spec2len + (filespec1 ? strlen(filespec1) : 0);
 
-        if (spec2len && filespec2[spec2len - 1] == '/') {
+        if (filespec2 && filespec2[spec2len - 1] == '/') {
             spec2len--;
             len--;
         }
         merged = OPENSSL_malloc(len + 2);
-        if (merged == NULL) {
+        if (!merged) {
             DSOerr(DSO_F_DL_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
@@ -206,8 +302,13 @@ static char *dl_merger(DSO *dso, const char *filespec1, const char *filespec2)
  * unlikely that both the "dl" *and* "dlfcn" variants are being compiled at
  * the same time, there's no great duplicating the code. Figuring out an
  * elegant way to share one copy of the code would be more difficult and
- * would not leave the implementations independent.
+ * would not leave the implementations independant.
  */
+# if defined(__hpux)
+static const char extension[] = ".sl";
+# else
+static const char extension[] = ".so";
+# endif
 static char *dl_name_converter(DSO *dso, const char *filename)
 {
     char *translated;
@@ -218,7 +319,7 @@ static char *dl_name_converter(DSO *dso, const char *filename)
     transform = (strstr(filename, "/") == NULL);
     {
         /* We will convert this to "%s.s?" or "lib%s.s?" */
-        rsize += strlen(DSO_EXTENSION); /* The length of ".s?" */
+        rsize += strlen(extension); /* The length of ".s?" */
         if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
             rsize += 3;         /* The length of "lib" */
     }
@@ -229,9 +330,9 @@ static char *dl_name_converter(DSO *dso, const char *filename)
     }
     if (transform) {
         if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
-            sprintf(translated, "lib%s%s", filename, DSO_EXTENSION);
+            sprintf(translated, "lib%s%s", filename, extension);
         else
-            sprintf(translated, "%s%s", filename, DSO_EXTENSION);
+            sprintf(translated, "%s%s", filename, extension);
     } else
         sprintf(translated, "%s", filename);
     return (translated);
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c b/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c
index a4b0cdd9..78df723f 100644
--- a/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_dlfcn.c
@@ -1,10 +1,60 @@
+/* dso_dlfcn.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -16,9 +66,16 @@
 # define _GNU_SOURCE            /* make sure dladdr is declared */
 #endif
 
-#include "dso_locl.h"
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
 
-#ifdef DSO_DLFCN
+#ifndef DSO_DLFCN
+DSO_METHOD *DSO_METHOD_dlfcn(void)
+{
+    return NULL;
+}
+#else
 
 # ifdef HAVE_DLFCN_H
 #  ifdef __osf__
@@ -40,7 +97,14 @@
 
 static int dlfcn_load(DSO *dso);
 static int dlfcn_unload(DSO *dso);
+static void *dlfcn_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname);
+# if 0
+static int dlfcn_unbind(DSO *dso, char *symname, void *symptr);
+static int dlfcn_init(DSO *dso);
+static int dlfcn_finish(DSO *dso);
+static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg);
+# endif
 static char *dlfcn_name_converter(DSO *dso, const char *filename);
 static char *dlfcn_merger(DSO *dso, const char *filespec1,
                           const char *filespec2);
@@ -51,7 +115,13 @@ static DSO_METHOD dso_meth_dlfcn = {
     "OpenSSL 'dlfcn' shared library method",
     dlfcn_load,
     dlfcn_unload,
+    dlfcn_bind_var,
     dlfcn_bind_func,
+/* For now, "unbind" doesn't exist */
+# if 0
+    NULL,                       /* unbind_var */
+    NULL,                       /* unbind_func */
+# endif
     NULL,                       /* ctrl */
     dlfcn_name_converter,
     dlfcn_merger,
@@ -61,9 +131,9 @@ static DSO_METHOD dso_meth_dlfcn = {
     dlfcn_globallookup
 };
 
-DSO_METHOD *DSO_METHOD_openssl(void)
+DSO_METHOD *DSO_METHOD_dlfcn(void)
 {
-    return &dso_meth_dlfcn;
+    return (&dso_meth_dlfcn);
 }
 
 /*
@@ -85,7 +155,11 @@ DSO_METHOD *DSO_METHOD_openssl(void)
 #   endif
 #  endif
 # else
-#  define DLOPEN_FLAG RTLD_NOW  /* Hope this works everywhere else */
+#  ifdef OPENSSL_SYS_SUNOS
+#   define DLOPEN_FLAG 1
+#  else
+#   define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
+#  endif
 # endif
 
 /*
@@ -123,7 +197,8 @@ static int dlfcn_load(DSO *dso)
     return (1);
  err:
     /* Cleanup! */
-    OPENSSL_free(filename);
+    if (filename != NULL)
+        OPENSSL_free(filename);
     if (ptr != NULL)
         dlclose(ptr);
     return (0);
@@ -152,6 +227,32 @@ static int dlfcn_unload(DSO *dso)
     return (1);
 }
 
+static void *dlfcn_bind_var(DSO *dso, const char *symname)
+{
+    void *ptr, *sym;
+
+    if ((dso == NULL) || (symname == NULL)) {
+        DSOerr(DSO_F_DLFCN_BIND_VAR, ERR_R_PASSED_NULL_PARAMETER);
+        return (NULL);
+    }
+    if (sk_void_num(dso->meth_data) < 1) {
+        DSOerr(DSO_F_DLFCN_BIND_VAR, DSO_R_STACK_ERROR);
+        return (NULL);
+    }
+    ptr = sk_void_value(dso->meth_data, sk_void_num(dso->meth_data) - 1);
+    if (ptr == NULL) {
+        DSOerr(DSO_F_DLFCN_BIND_VAR, DSO_R_NULL_HANDLE);
+        return (NULL);
+    }
+    sym = dlsym(ptr, symname);
+    if (sym == NULL) {
+        DSOerr(DSO_F_DLFCN_BIND_VAR, DSO_R_SYM_FAILURE);
+        ERR_add_error_data(4, "symname(", symname, "): ", dlerror());
+        return (NULL);
+    }
+    return (sym);
+}
+
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
 {
     void *ptr;
@@ -196,21 +297,23 @@ static char *dlfcn_merger(DSO *dso, const char *filespec1,
      * if the second file specification is missing.
      */
     if (!filespec2 || (filespec1 != NULL && filespec1[0] == '/')) {
-        merged = OPENSSL_strdup(filespec1);
-        if (merged == NULL) {
+        merged = OPENSSL_malloc(strlen(filespec1) + 1);
+        if (!merged) {
             DSOerr(DSO_F_DLFCN_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
+        strcpy(merged, filespec1);
     }
     /*
      * If the first file specification is missing, the second one rules.
      */
     else if (!filespec1) {
-        merged = OPENSSL_strdup(filespec2);
-        if (merged == NULL) {
+        merged = OPENSSL_malloc(strlen(filespec2) + 1);
+        if (!merged) {
             DSOerr(DSO_F_DLFCN_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
+        strcpy(merged, filespec2);
     } else {
         /*
          * This part isn't as trivial as it looks.  It assumes that the
@@ -229,7 +332,7 @@ static char *dlfcn_merger(DSO *dso, const char *filespec1,
             len--;
         }
         merged = OPENSSL_malloc(len + 2);
-        if (merged == NULL) {
+        if (!merged) {
             DSOerr(DSO_F_DLFCN_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
@@ -240,6 +343,14 @@ static char *dlfcn_merger(DSO *dso, const char *filespec1,
     return (merged);
 }
 
+# ifdef OPENSSL_SYS_MACOSX
+#  define DSO_ext ".dylib"
+#  define DSO_extlen 6
+# else
+#  define DSO_ext ".so"
+#  define DSO_extlen 3
+# endif
+
 static char *dlfcn_name_converter(DSO *dso, const char *filename)
 {
     char *translated;
@@ -250,7 +361,7 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename)
     transform = (strstr(filename, "/") == NULL);
     if (transform) {
         /* We will convert this to "%s.so" or "lib%s.so" etc */
-        rsize += strlen(DSO_EXTENSION);    /* The length of ".so" */
+        rsize += DSO_extlen;    /* The length of ".so" */
         if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
             rsize += 3;         /* The length of "lib" */
     }
@@ -261,9 +372,9 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename)
     }
     if (transform) {
         if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
-            sprintf(translated, "lib%s" DSO_EXTENSION, filename);
+            sprintf(translated, "lib%s" DSO_ext, filename);
         else
-            sprintf(translated, "%s" DSO_EXTENSION, filename);
+            sprintf(translated, "%s" DSO_ext, filename);
     } else
         sprintf(translated, "%s", filename);
     return (translated);
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_err.c b/Cryptlib/OpenSSL/crypto/dso/dso_err.c
index 07588d5c..e143cc01 100644
--- a/Cryptlib/OpenSSL/crypto/dso/dso_err.c
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_err.c
@@ -1,16 +1,67 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/dso/dso_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
 #include <openssl/err.h>
-#include "internal/dso.h"
+#include <openssl/dso.h>
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
@@ -19,41 +70,55 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSO,0,reason)
 
 static ERR_STRING_DATA DSO_str_functs[] = {
-    {ERR_FUNC(DSO_F_DLFCN_BIND_FUNC), "dlfcn_bind_func"},
-    {ERR_FUNC(DSO_F_DLFCN_LOAD), "dlfcn_load"},
-    {ERR_FUNC(DSO_F_DLFCN_MERGER), "dlfcn_merger"},
-    {ERR_FUNC(DSO_F_DLFCN_NAME_CONVERTER), "dlfcn_name_converter"},
-    {ERR_FUNC(DSO_F_DLFCN_UNLOAD), "dlfcn_unload"},
-    {ERR_FUNC(DSO_F_DL_BIND_FUNC), "dl_bind_func"},
-    {ERR_FUNC(DSO_F_DL_LOAD), "dl_load"},
-    {ERR_FUNC(DSO_F_DL_MERGER), "dl_merger"},
-    {ERR_FUNC(DSO_F_DL_NAME_CONVERTER), "dl_name_converter"},
-    {ERR_FUNC(DSO_F_DL_UNLOAD), "dl_unload"},
+    {ERR_FUNC(DSO_F_BEOS_BIND_FUNC), "BEOS_BIND_FUNC"},
+    {ERR_FUNC(DSO_F_BEOS_BIND_VAR), "BEOS_BIND_VAR"},
+    {ERR_FUNC(DSO_F_BEOS_LOAD), "BEOS_LOAD"},
+    {ERR_FUNC(DSO_F_BEOS_NAME_CONVERTER), "BEOS_NAME_CONVERTER"},
+    {ERR_FUNC(DSO_F_BEOS_UNLOAD), "BEOS_UNLOAD"},
+    {ERR_FUNC(DSO_F_DLFCN_BIND_FUNC), "DLFCN_BIND_FUNC"},
+    {ERR_FUNC(DSO_F_DLFCN_BIND_VAR), "DLFCN_BIND_VAR"},
+    {ERR_FUNC(DSO_F_DLFCN_LOAD), "DLFCN_LOAD"},
+    {ERR_FUNC(DSO_F_DLFCN_MERGER), "DLFCN_MERGER"},
+    {ERR_FUNC(DSO_F_DLFCN_NAME_CONVERTER), "DLFCN_NAME_CONVERTER"},
+    {ERR_FUNC(DSO_F_DLFCN_UNLOAD), "DLFCN_UNLOAD"},
+    {ERR_FUNC(DSO_F_DL_BIND_FUNC), "DL_BIND_FUNC"},
+    {ERR_FUNC(DSO_F_DL_BIND_VAR), "DL_BIND_VAR"},
+    {ERR_FUNC(DSO_F_DL_LOAD), "DL_LOAD"},
+    {ERR_FUNC(DSO_F_DL_MERGER), "DL_MERGER"},
+    {ERR_FUNC(DSO_F_DL_NAME_CONVERTER), "DL_NAME_CONVERTER"},
+    {ERR_FUNC(DSO_F_DL_UNLOAD), "DL_UNLOAD"},
     {ERR_FUNC(DSO_F_DSO_BIND_FUNC), "DSO_bind_func"},
+    {ERR_FUNC(DSO_F_DSO_BIND_VAR), "DSO_bind_var"},
     {ERR_FUNC(DSO_F_DSO_CONVERT_FILENAME), "DSO_convert_filename"},
     {ERR_FUNC(DSO_F_DSO_CTRL), "DSO_ctrl"},
     {ERR_FUNC(DSO_F_DSO_FREE), "DSO_free"},
     {ERR_FUNC(DSO_F_DSO_GET_FILENAME), "DSO_get_filename"},
+    {ERR_FUNC(DSO_F_DSO_GET_LOADED_FILENAME), "DSO_get_loaded_filename"},
     {ERR_FUNC(DSO_F_DSO_GLOBAL_LOOKUP), "DSO_global_lookup"},
     {ERR_FUNC(DSO_F_DSO_LOAD), "DSO_load"},
     {ERR_FUNC(DSO_F_DSO_MERGE), "DSO_merge"},
     {ERR_FUNC(DSO_F_DSO_NEW_METHOD), "DSO_new_method"},
     {ERR_FUNC(DSO_F_DSO_PATHBYADDR), "DSO_pathbyaddr"},
     {ERR_FUNC(DSO_F_DSO_SET_FILENAME), "DSO_set_filename"},
+    {ERR_FUNC(DSO_F_DSO_SET_NAME_CONVERTER), "DSO_set_name_converter"},
     {ERR_FUNC(DSO_F_DSO_UP_REF), "DSO_up_ref"},
-    {ERR_FUNC(DSO_F_VMS_BIND_SYM), "vms_bind_sym"},
-    {ERR_FUNC(DSO_F_VMS_LOAD), "vms_load"},
-    {ERR_FUNC(DSO_F_VMS_MERGER), "vms_merger"},
-    {ERR_FUNC(DSO_F_VMS_UNLOAD), "vms_unload"},
-    {ERR_FUNC(DSO_F_WIN32_BIND_FUNC), "win32_bind_func"},
-    {ERR_FUNC(DSO_F_WIN32_GLOBALLOOKUP), "win32_globallookup"},
-    {ERR_FUNC(DSO_F_WIN32_JOINER), "win32_joiner"},
-    {ERR_FUNC(DSO_F_WIN32_LOAD), "win32_load"},
-    {ERR_FUNC(DSO_F_WIN32_MERGER), "win32_merger"},
-    {ERR_FUNC(DSO_F_WIN32_NAME_CONVERTER), "win32_name_converter"},
-    {ERR_FUNC(DSO_F_WIN32_PATHBYADDR), "win32_pathbyaddr"},
-    {ERR_FUNC(DSO_F_WIN32_SPLITTER), "win32_splitter"},
-    {ERR_FUNC(DSO_F_WIN32_UNLOAD), "win32_unload"},
+    {ERR_FUNC(DSO_F_GLOBAL_LOOKUP_FUNC), "GLOBAL_LOOKUP_FUNC"},
+    {ERR_FUNC(DSO_F_PATHBYADDR), "PATHBYADDR"},
+    {ERR_FUNC(DSO_F_VMS_BIND_SYM), "VMS_BIND_SYM"},
+    {ERR_FUNC(DSO_F_VMS_LOAD), "VMS_LOAD"},
+    {ERR_FUNC(DSO_F_VMS_MERGER), "VMS_MERGER"},
+    {ERR_FUNC(DSO_F_VMS_UNLOAD), "VMS_UNLOAD"},
+    {ERR_FUNC(DSO_F_WIN32_BIND_FUNC), "WIN32_BIND_FUNC"},
+    {ERR_FUNC(DSO_F_WIN32_BIND_VAR), "WIN32_BIND_VAR"},
+    {ERR_FUNC(DSO_F_WIN32_GLOBALLOOKUP), "WIN32_GLOBALLOOKUP"},
+    {ERR_FUNC(DSO_F_WIN32_GLOBALLOOKUP_FUNC), "WIN32_GLOBALLOOKUP_FUNC"},
+    {ERR_FUNC(DSO_F_WIN32_JOINER), "WIN32_JOINER"},
+    {ERR_FUNC(DSO_F_WIN32_LOAD), "WIN32_LOAD"},
+    {ERR_FUNC(DSO_F_WIN32_MERGER), "WIN32_MERGER"},
+    {ERR_FUNC(DSO_F_WIN32_NAME_CONVERTER), "WIN32_NAME_CONVERTER"},
+    {ERR_FUNC(DSO_F_WIN32_PATHBYADDR), "WIN32_PATHBYADDR"},
+    {ERR_FUNC(DSO_F_WIN32_SPLITTER), "WIN32_SPLITTER"},
+    {ERR_FUNC(DSO_F_WIN32_UNLOAD), "WIN32_UNLOAD"},
     {0, NULL}
 };
 
@@ -68,6 +133,7 @@ static ERR_STRING_DATA DSO_str_reasons[] = {
     {ERR_REASON(DSO_R_LOAD_FAILED), "could not load the shared library"},
     {ERR_REASON(DSO_R_NAME_TRANSLATION_FAILED), "name translation failed"},
     {ERR_REASON(DSO_R_NO_FILENAME), "no filename"},
+    {ERR_REASON(DSO_R_NO_FILE_SPECIFICATION), "no file specification"},
     {ERR_REASON(DSO_R_NULL_HANDLE), "a null shared library handle was used"},
     {ERR_REASON(DSO_R_SET_FILENAME_FAILED), "set filename failed"},
     {ERR_REASON(DSO_R_STACK_ERROR), "the meth_data stack is corrupt"},
@@ -80,7 +146,7 @@ static ERR_STRING_DATA DSO_str_reasons[] = {
 
 #endif
 
-int ERR_load_DSO_strings(void)
+void ERR_load_DSO_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -89,5 +155,4 @@ int ERR_load_DSO_strings(void)
         ERR_load_strings(0, DSO_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_lib.c b/Cryptlib/OpenSSL/crypto/dso/dso_lib.c
index f58237d6..2beb7c1b 100644
--- a/Cryptlib/OpenSSL/crypto/dso/dso_lib.c
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_lib.c
@@ -1,33 +1,114 @@
+/* dso_lib.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "dso_locl.h"
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
 
 static DSO_METHOD *default_DSO_meth = NULL;
 
-static DSO *DSO_new_method(DSO_METHOD *meth)
+DSO *DSO_new(void)
+{
+    return (DSO_new_method(NULL));
+}
+
+void DSO_set_default_method(DSO_METHOD *meth)
+{
+    default_DSO_meth = meth;
+}
+
+DSO_METHOD *DSO_get_default_method(void)
+{
+    return (default_DSO_meth);
+}
+
+DSO_METHOD *DSO_get_method(DSO *dso)
+{
+    return (dso->meth);
+}
+
+DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth)
+{
+    DSO_METHOD *mtmp;
+    mtmp = dso->meth;
+    dso->meth = meth;
+    return (mtmp);
+}
+
+DSO *DSO_new_method(DSO_METHOD *meth)
 {
     DSO *ret;
 
-    if (default_DSO_meth == NULL) {
+    if (default_DSO_meth == NULL)
         /*
          * We default to DSO_METH_openssl() which in turn defaults to
          * stealing the "best available" method. Will fallback to
          * DSO_METH_null() in the worst case.
          */
         default_DSO_meth = DSO_METHOD_openssl();
-    }
-    ret = OPENSSL_zalloc(sizeof(*ret));
+    ret = (DSO *)OPENSSL_malloc(sizeof(DSO));
     if (ret == NULL) {
         DSOerr(DSO_F_DSO_NEW_METHOD, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
+    memset(ret, 0, sizeof(DSO));
     ret->meth_data = sk_void_new_null();
     if (ret->meth_data == NULL) {
         /* sk_new doesn't generate any errors so we do */
@@ -35,62 +116,59 @@ static DSO *DSO_new_method(DSO_METHOD *meth)
         OPENSSL_free(ret);
         return (NULL);
     }
-    ret->meth = default_DSO_meth;
+    if (meth == NULL)
+        ret->meth = default_DSO_meth;
+    else
+        ret->meth = meth;
     ret->references = 1;
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        DSOerr(DSO_F_DSO_NEW_METHOD, ERR_R_MALLOC_FAILURE);
+    if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
         sk_void_free(ret->meth_data);
         OPENSSL_free(ret);
-        return NULL;
-    }
-
-    if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
-        DSO_free(ret);
         ret = NULL;
     }
-
-    return ret;
-}
-
-DSO *DSO_new(void)
-{
-    return DSO_new_method(NULL);
+    return (ret);
 }
 
 int DSO_free(DSO *dso)
 {
     int i;
 
-    if (dso == NULL)
-        return (1);
-
-    if (CRYPTO_atomic_add(&dso->references, -1, &i, dso->lock) <= 0)
-        return 0;
+    if (dso == NULL) {
+        DSOerr(DSO_F_DSO_FREE, ERR_R_PASSED_NULL_PARAMETER);
+        return (0);
+    }
 
-    REF_PRINT_COUNT("DSO", dso);
+    i = CRYPTO_add(&dso->references, -1, CRYPTO_LOCK_DSO);
+#ifdef REF_PRINT
+    REF_PRINT("DSO", dso);
+#endif
     if (i > 0)
-        return 1;
-    REF_ASSERT_ISNT(i < 0);
+        return (1);
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "DSO_free, bad reference count\n");
+        abort();
+    }
+#endif
 
-    if ((dso->flags & DSO_FLAG_NO_UNLOAD_ON_FREE) == 0) {
-        if ((dso->meth->dso_unload != NULL) && !dso->meth->dso_unload(dso)) {
-            DSOerr(DSO_F_DSO_FREE, DSO_R_UNLOAD_FAILED);
-            return 0;
-        }
+    if ((dso->meth->dso_unload != NULL) && !dso->meth->dso_unload(dso)) {
+        DSOerr(DSO_F_DSO_FREE, DSO_R_UNLOAD_FAILED);
+        return (0);
     }
 
     if ((dso->meth->finish != NULL) && !dso->meth->finish(dso)) {
         DSOerr(DSO_F_DSO_FREE, DSO_R_FINISH_FAILED);
-        return 0;
+        return (0);
     }
 
     sk_void_free(dso->meth_data);
-    OPENSSL_free(dso->filename);
-    OPENSSL_free(dso->loaded_filename);
-    CRYPTO_THREAD_lock_free(dso->lock);
+    if (dso->filename != NULL)
+        OPENSSL_free(dso->filename);
+    if (dso->loaded_filename != NULL)
+        OPENSSL_free(dso->loaded_filename);
+
     OPENSSL_free(dso);
-    return 1;
+    return (1);
 }
 
 int DSO_flags(DSO *dso)
@@ -100,19 +178,13 @@ int DSO_flags(DSO *dso)
 
 int DSO_up_ref(DSO *dso)
 {
-    int i;
-
     if (dso == NULL) {
         DSOerr(DSO_F_DSO_UP_REF, ERR_R_PASSED_NULL_PARAMETER);
-        return 0;
+        return (0);
     }
 
-    if (CRYPTO_atomic_add(&dso->references, 1, &i, dso->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("DSO", r);
-    REF_ASSERT_ISNT(i < 2);
-    return ((i > 1) ? 1 : 0);
+    CRYPTO_add(&dso->references, 1, CRYPTO_LOCK_DSO);
+    return (1);
 }
 
 DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags)
@@ -169,6 +241,26 @@ DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags)
     return (NULL);
 }
 
+void *DSO_bind_var(DSO *dso, const char *symname)
+{
+    void *ret = NULL;
+
+    if ((dso == NULL) || (symname == NULL)) {
+        DSOerr(DSO_F_DSO_BIND_VAR, ERR_R_PASSED_NULL_PARAMETER);
+        return (NULL);
+    }
+    if (dso->meth->dso_bind_var == NULL) {
+        DSOerr(DSO_F_DSO_BIND_VAR, DSO_R_UNSUPPORTED);
+        return (NULL);
+    }
+    if ((ret = dso->meth->dso_bind_var(dso, symname)) == NULL) {
+        DSOerr(DSO_F_DSO_BIND_VAR, DSO_R_SYM_FAILURE);
+        return (NULL);
+    }
+    /* Success */
+    return (ret);
+}
+
 DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname)
 {
     DSO_FUNC_TYPE ret = NULL;
@@ -227,6 +319,19 @@ long DSO_ctrl(DSO *dso, int cmd, long larg, void *parg)
     return (dso->meth->dso_ctrl(dso, cmd, larg, parg));
 }
 
+int DSO_set_name_converter(DSO *dso, DSO_NAME_CONVERTER_FUNC cb,
+                           DSO_NAME_CONVERTER_FUNC *oldcb)
+{
+    if (dso == NULL) {
+        DSOerr(DSO_F_DSO_SET_NAME_CONVERTER, ERR_R_PASSED_NULL_PARAMETER);
+        return (0);
+    }
+    if (oldcb)
+        *oldcb = dso->name_converter;
+    dso->name_converter = cb;
+    return (1);
+}
+
 const char *DSO_get_filename(DSO *dso)
 {
     if (dso == NULL) {
@@ -249,12 +354,14 @@ int DSO_set_filename(DSO *dso, const char *filename)
         return (0);
     }
     /* We'll duplicate filename */
-    copied = OPENSSL_strdup(filename);
+    copied = OPENSSL_malloc(strlen(filename) + 1);
     if (copied == NULL) {
         DSOerr(DSO_F_DSO_SET_FILENAME, ERR_R_MALLOC_FAILURE);
         return (0);
     }
-    OPENSSL_free(dso->filename);
+    BUF_strlcpy(copied, filename, strlen(filename) + 1);
+    if (dso->filename)
+        OPENSSL_free(dso->filename);
     dso->filename = copied;
     return (1);
 }
@@ -297,15 +404,25 @@ char *DSO_convert_filename(DSO *dso, const char *filename)
             result = dso->meth->dso_name_converter(dso, filename);
     }
     if (result == NULL) {
-        result = OPENSSL_strdup(filename);
+        result = OPENSSL_malloc(strlen(filename) + 1);
         if (result == NULL) {
             DSOerr(DSO_F_DSO_CONVERT_FILENAME, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
+        BUF_strlcpy(result, filename, strlen(filename) + 1);
     }
     return (result);
 }
 
+const char *DSO_get_loaded_filename(DSO *dso)
+{
+    if (dso == NULL) {
+        DSOerr(DSO_F_DSO_GET_LOADED_FILENAME, ERR_R_PASSED_NULL_PARAMETER);
+        return (NULL);
+    }
+    return (dso->loaded_filename);
+}
+
 int DSO_pathbyaddr(void *addr, char *path, int sz)
 {
     DSO_METHOD *meth = default_DSO_meth;
@@ -318,24 +435,6 @@ int DSO_pathbyaddr(void *addr, char *path, int sz)
     return (*meth->pathbyaddr) (addr, path, sz);
 }
 
-DSO *DSO_dsobyaddr(void *addr, int flags)
-{
-    DSO *ret = NULL;
-    char *filename = NULL;
-    int len = DSO_pathbyaddr(addr, NULL, 0);
-
-    if (len < 0)
-        return NULL;
-
-    filename = OPENSSL_malloc(len);
-    if (filename != NULL
-            && DSO_pathbyaddr(addr, filename, len) == len)
-        ret = DSO_load(NULL, filename, NULL, flags);
-
-    OPENSSL_free(filename);
-    return ret;
-}
-
 void *DSO_global_lookup(const char *name)
 {
     DSO_METHOD *meth = default_DSO_meth;
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_locl.h b/Cryptlib/OpenSSL/crypto/dso/dso_locl.h
deleted file mode 100644
index fbfad054..00000000
--- a/Cryptlib/OpenSSL/crypto/dso/dso_locl.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include "internal/dso.h"
-#include "internal/dso_conf.h"
-
-/**********************************************************************/
-/* The low-level handle type used to refer to a loaded shared library */
-
-struct dso_st {
-    DSO_METHOD *meth;
-    /*
-     * Standard dlopen uses a (void *). Win32 uses a HANDLE. VMS doesn't use
-     * anything but will need to cache the filename for use in the dso_bind
-     * handler. All in all, let each method control its own destiny.
-     * "Handles" and such go in a STACK.
-     */
-    STACK_OF(void) *meth_data;
-    int references;
-    int flags;
-    /*
-     * For use by applications etc ... use this for your bits'n'pieces, don't
-     * touch meth_data!
-     */
-    CRYPTO_EX_DATA ex_data;
-    /*
-     * If this callback function pointer is set to non-NULL, then it will be
-     * used in DSO_load() in place of meth->dso_name_converter. NB: This
-     * should normally set using DSO_set_name_converter().
-     */
-    DSO_NAME_CONVERTER_FUNC name_converter;
-    /*
-     * If this callback function pointer is set to non-NULL, then it will be
-     * used in DSO_load() in place of meth->dso_merger. NB: This should
-     * normally set using DSO_set_merger().
-     */
-    DSO_MERGER_FUNC merger;
-    /*
-     * This is populated with (a copy of) the platform-independent filename
-     * used for this DSO.
-     */
-    char *filename;
-    /*
-     * This is populated with (a copy of) the translated filename by which
-     * the DSO was actually loaded. It is NULL iff the DSO is not currently
-     * loaded. NB: This is here because the filename translation process may
-     * involve a callback being invoked more than once not only to convert to
-     * a platform-specific form, but also to try different filenames in the
-     * process of trying to perform a load. As such, this variable can be
-     * used to indicate (a) whether this DSO structure corresponds to a
-     * loaded library or not, and (b) the filename with which it was actually
-     * loaded.
-     */
-    char *loaded_filename;
-    CRYPTO_RWLOCK *lock;
-};
-
-struct dso_meth_st {
-    const char *name;
-    /*
-     * Loads a shared library, NB: new DSO_METHODs must ensure that a
-     * successful load populates the loaded_filename field, and likewise a
-     * successful unload OPENSSL_frees and NULLs it out.
-     */
-    int (*dso_load) (DSO *dso);
-    /* Unloads a shared library */
-    int (*dso_unload) (DSO *dso);
-    /*
-     * Binds a function - assumes a return type of DSO_FUNC_TYPE. This should
-     * be cast to the real function prototype by the caller. Platforms that
-     * don't have compatible representations for different prototypes (this
-     * is possible within ANSI C) are highly unlikely to have shared
-     * libraries at all, let alone a DSO_METHOD implemented for them.
-     */
-    DSO_FUNC_TYPE (*dso_bind_func) (DSO *dso, const char *symname);
-    /*
-     * The generic (yuck) "ctrl()" function. NB: Negative return values
-     * (rather than zero) indicate errors.
-     */
-    long (*dso_ctrl) (DSO *dso, int cmd, long larg, void *parg);
-    /*
-     * The default DSO_METHOD-specific function for converting filenames to a
-     * canonical native form.
-     */
-    DSO_NAME_CONVERTER_FUNC dso_name_converter;
-    /*
-     * The default DSO_METHOD-specific function for converting filenames to a
-     * canonical native form.
-     */
-    DSO_MERGER_FUNC dso_merger;
-    /* [De]Initialisation handlers. */
-    int (*init) (DSO *dso);
-    int (*finish) (DSO *dso);
-    /* Return pathname of the module containing location */
-    int (*pathbyaddr) (void *addr, char *path, int sz);
-    /* Perform global symbol lookup, i.e. among *all* modules */
-    void *(*globallookup) (const char *symname);
-};
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_null.c b/Cryptlib/OpenSSL/crypto/dso/dso_null.c
new file mode 100644
index 00000000..20122d1c
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_null.c
@@ -0,0 +1,92 @@
+/* dso_null.c */
+/*
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * This "NULL" method is provided as the fallback for systems that have no
+ * appropriate support for "shared-libraries".
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+
+static DSO_METHOD dso_meth_null = {
+    "NULL shared library method",
+    NULL,                       /* load */
+    NULL,                       /* unload */
+    NULL,                       /* bind_var */
+    NULL,                       /* bind_func */
+/* For now, "unbind" doesn't exist */
+#if 0
+    NULL,                       /* unbind_var */
+    NULL,                       /* unbind_func */
+#endif
+    NULL,                       /* ctrl */
+    NULL,                       /* dso_name_converter */
+    NULL,                       /* dso_merger */
+    NULL,                       /* init */
+    NULL,                       /* finish */
+    NULL,                       /* pathbyaddr */
+    NULL                        /* globallookup */
+};
+
+DSO_METHOD *DSO_METHOD_null(void)
+{
+    return (&dso_meth_null);
+}
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c b/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c
index 6626331e..087e989e 100644
--- a/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_openssl.c
@@ -1,22 +1,83 @@
+/* dso_openssl.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "dso_locl.h"
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
 
-#if !defined(DSO_VMS) && !defined(DSO_DLCFN) && !defined(DSO_DL) && !defined(DSO_WIN32) && !defined(DSO_DLFCN)
-
-static DSO_METHOD dso_meth_null = {
-    "NULL shared library method"
-};
+/* We just pinch the method from an appropriate "default" method. */
 
 DSO_METHOD *DSO_METHOD_openssl(void)
 {
-    return &dso_meth_null;
-}
+#ifdef DEF_DSO_METHOD
+    return (DEF_DSO_METHOD());
+#elif defined(DSO_DLFCN)
+    return (DSO_METHOD_dlfcn());
+#elif defined(DSO_DL)
+    return (DSO_METHOD_dl());
+#elif defined(DSO_WIN32)
+    return (DSO_METHOD_win32());
+#elif defined(DSO_VMS)
+    return (DSO_METHOD_vms());
+#elif defined(DSO_BEOS)
+    return (DSO_METHOD_beos());
+#else
+    return (DSO_METHOD_null());
 #endif
+}
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_vms.c b/Cryptlib/OpenSSL/crypto/dso/dso_vms.c
index b9a98ddd..1efd84b9 100644
--- a/Cryptlib/OpenSSL/crypto/dso/dso_vms.c
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_vms.c
@@ -1,25 +1,82 @@
+/* dso_vms.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "dso_locl.h"
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
 
-#ifdef OPENSSL_SYS_VMS
+#ifndef OPENSSL_SYS_VMS
+DSO_METHOD *DSO_METHOD_vms(void)
+{
+    return NULL;
+}
+#else
 
 # pragma message disable DOLLARID
-# include <errno.h>
 # include <rms.h>
 # include <lib$routines.h>
-# include <libfisdef.h>
 # include <stsdef.h>
 # include <descrip.h>
 # include <starlet.h>
-# include "../vms_rms.h"
+# include "vms_rms.h"
 
 /* Some compiler options may mask the declaration of "_malloc32". */
 # if __INITIAL_POINTER_SIZE && defined _ANSI_C_SOURCE
@@ -36,7 +93,15 @@ void *_malloc32(__size_t);
 
 static int vms_load(DSO *dso);
 static int vms_unload(DSO *dso);
+static void *vms_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname);
+# if 0
+static int vms_unbind_var(DSO *dso, char *symname, void *symptr);
+static int vms_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+static int vms_init(DSO *dso);
+static int vms_finish(DSO *dso);
+static long vms_ctrl(DSO *dso, int cmd, long larg, void *parg);
+# endif
 static char *vms_name_converter(DSO *dso, const char *filename);
 static char *vms_merger(DSO *dso, const char *filespec1,
                         const char *filespec2);
@@ -45,14 +110,18 @@ static DSO_METHOD dso_meth_vms = {
     "OpenSSL 'VMS' shared library method",
     vms_load,
     NULL,                       /* unload */
+    vms_bind_var,
     vms_bind_func,
+/* For now, "unbind" doesn't exist */
+# if 0
+    NULL,                       /* unbind_var */
+    NULL,                       /* unbind_func */
+# endif
     NULL,                       /* ctrl */
     vms_name_converter,
     vms_merger,
     NULL,                       /* init */
-    NULL,                       /* finish */
-    NULL,                       /* pathbyaddr */
-    NULL                        /* globallookup */
+    NULL                        /* finish */
 };
 
 /*
@@ -76,9 +145,9 @@ typedef struct dso_internal_st {
     char imagename[NAMX_MAXRSS + 1];
 } DSO_VMS_INTERNAL;
 
-DSO_METHOD *DSO_METHOD_openssl(void)
+DSO_METHOD *DSO_METHOD_vms(void)
 {
-    return &dso_meth_vms;
+    return (&dso_meth_vms);
 }
 
 static int vms_load(DSO *dso)
@@ -103,7 +172,7 @@ static int vms_load(DSO *dso)
 # endif                         /* __INITIAL_POINTER_SIZE == 64 */
 
     const char *sp1, *sp2;      /* Search result */
-    const char *ext = NULL;     /* possible extension to add */
+    const char *ext = NULL;	/* possible extension to add */
 
     if (filename == NULL) {
         DSOerr(DSO_F_VMS_LOAD, DSO_R_NO_FILENAME);
@@ -173,7 +242,7 @@ static int vms_load(DSO *dso)
         goto err;
     }
 
-    p = DSO_MALLOC(sizeof(*p));
+    p = DSO_MALLOC(sizeof(DSO_VMS_INTERNAL));
     if (p == NULL) {
         DSOerr(DSO_F_VMS_LOAD, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -210,8 +279,10 @@ static int vms_load(DSO *dso)
     return (1);
  err:
     /* Cleanup! */
-    OPENSSL_free(p);
-    OPENSSL_free(filename);
+    if (p != NULL)
+        OPENSSL_free(p);
+    if (filename != NULL)
+        OPENSSL_free(filename);
     return (0);
 }
 
@@ -267,10 +338,11 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym)
 {
     DSO_VMS_INTERNAL *ptr;
     int status;
-# ifdef LIB$M_FIS_MIXEDCASE
-    int flags = LIB$M_FIS_MIXEDCASE;
+# if 0
+    int flags = (1 << 4);       /* LIB$M_FIS_MIXEDCASE, but this symbol isn't
+                                 * defined in VMS older than 7.0 or so */
 # else
-    int flags = (1 << 4);
+    int flags = 0;
 # endif
     struct dsc$descriptor_s symname_dsc;
 
@@ -355,6 +427,13 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym)
     return;
 }
 
+static void *vms_bind_var(DSO *dso, const char *symname)
+{
+    void *sym = 0;
+    vms_bind_sym(dso, symname, &sym);
+    return sym;
+}
+
 static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname)
 {
     DSO_FUNC_TYPE sym = 0;
@@ -447,7 +526,7 @@ static char *vms_merger(DSO *dso, const char *filespec1,
     }
 
     merged = OPENSSL_malloc(nam.NAMX_ESL + 1);
-    if (merged == NULL)
+    if (!merged)
         goto malloc_err;
     strncpy(merged, nam.NAMX_ESA, nam.NAMX_ESL);
     merged[nam.NAMX_ESL] = '\0';
@@ -460,7 +539,7 @@ static char *vms_name_converter(DSO *dso, const char *filename)
 {
     int len = strlen(filename);
     char *not_translated = OPENSSL_malloc(len + 1);
-    if (not_translated != NULL)
+    if (not_translated)
         strcpy(not_translated, filename);
     return (not_translated);
 }
diff --git a/Cryptlib/OpenSSL/crypto/dso/dso_win32.c b/Cryptlib/OpenSSL/crypto/dso/dso_win32.c
index 4a4c34ab..706e754a 100644
--- a/Cryptlib/OpenSSL/crypto/dso/dso_win32.c
+++ b/Cryptlib/OpenSSL/crypto/dso/dso_win32.c
@@ -1,15 +1,73 @@
+/* dso_win32.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "dso_locl.h"
+#include <stdio.h>
+#include <string.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
 
-#if defined(DSO_WIN32)
+#if !defined(DSO_WIN32)
+DSO_METHOD *DSO_METHOD_win32(void)
+{
+    return NULL;
+}
+#else
 
 # ifdef _WIN32_WCE
 #  if _WIN32_WCE < 300
@@ -59,10 +117,19 @@ static HINSTANCE LoadLibraryA(LPCSTR lpLibFileName)
 
 static int win32_load(DSO *dso);
 static int win32_unload(DSO *dso);
+static void *win32_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE win32_bind_func(DSO *dso, const char *symname);
+# if 0
+static int win32_unbind_var(DSO *dso, char *symname, void *symptr);
+static int win32_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
+static int win32_init(DSO *dso);
+static int win32_finish(DSO *dso);
+static long win32_ctrl(DSO *dso, int cmd, long larg, void *parg);
+# endif
 static char *win32_name_converter(DSO *dso, const char *filename);
 static char *win32_merger(DSO *dso, const char *filespec1,
                           const char *filespec2);
+static int win32_pathbyaddr(void *addr, char *path, int sz);
 static void *win32_globallookup(const char *name);
 
 static const char *openssl_strnchr(const char *string, int c, size_t len);
@@ -71,19 +138,25 @@ static DSO_METHOD dso_meth_win32 = {
     "OpenSSL 'win32' shared library method",
     win32_load,
     win32_unload,
+    win32_bind_var,
     win32_bind_func,
+/* For now, "unbind" doesn't exist */
+# if 0
+    NULL,                       /* unbind_var */
+    NULL,                       /* unbind_func */
+# endif
     NULL,                       /* ctrl */
     win32_name_converter,
     win32_merger,
     NULL,                       /* init */
     NULL,                       /* finish */
-    NULL,                       /* pathbyaddr */
+    win32_pathbyaddr,
     win32_globallookup
 };
 
-DSO_METHOD *DSO_METHOD_openssl(void)
+DSO_METHOD *DSO_METHOD_win32(void)
 {
-    return &dso_meth_win32;
+    return (&dso_meth_win32);
 }
 
 /*
@@ -107,7 +180,7 @@ static int win32_load(DSO *dso)
         ERR_add_error_data(3, "filename(", filename, ")");
         goto err;
     }
-    p = OPENSSL_malloc(sizeof(*p));
+    p = (HINSTANCE *) OPENSSL_malloc(sizeof(HINSTANCE));
     if (p == NULL) {
         DSOerr(DSO_F_WIN32_LOAD, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -122,8 +195,10 @@ static int win32_load(DSO *dso)
     return (1);
  err:
     /* Cleanup ! */
-    OPENSSL_free(filename);
-    OPENSSL_free(p);
+    if (filename != NULL)
+        OPENSSL_free(filename);
+    if (p != NULL)
+        OPENSSL_free(p);
     if (h != NULL)
         FreeLibrary(h);
     return (0);
@@ -156,13 +231,41 @@ static int win32_unload(DSO *dso)
     return (1);
 }
 
+/*
+ * Using GetProcAddress for variables? TODO: Check this out in the Win32 API
+ * docs, there's probably a variant for variables.
+ */
+static void *win32_bind_var(DSO *dso, const char *symname)
+{
+    HINSTANCE *ptr;
+    void *sym;
+
+    if ((dso == NULL) || (symname == NULL)) {
+        DSOerr(DSO_F_WIN32_BIND_VAR, ERR_R_PASSED_NULL_PARAMETER);
+        return (NULL);
+    }
+    if (sk_void_num(dso->meth_data) < 1) {
+        DSOerr(DSO_F_WIN32_BIND_VAR, DSO_R_STACK_ERROR);
+        return (NULL);
+    }
+    ptr = sk_void_value(dso->meth_data, sk_void_num(dso->meth_data) - 1);
+    if (ptr == NULL) {
+        DSOerr(DSO_F_WIN32_BIND_VAR, DSO_R_NULL_HANDLE);
+        return (NULL);
+    }
+    sym = GetProcAddress(*ptr, symname);
+    if (sym == NULL) {
+        DSOerr(DSO_F_WIN32_BIND_VAR, DSO_R_SYM_FAILURE);
+        ERR_add_error_data(3, "symname(", symname, ")");
+        return (NULL);
+    }
+    return (sym);
+}
+
 static DSO_FUNC_TYPE win32_bind_func(DSO *dso, const char *symname)
 {
     HINSTANCE *ptr;
-    union {
-        void *p;
-        FARPROC f;
-    } sym;
+    void *sym;
 
     if ((dso == NULL) || (symname == NULL)) {
         DSOerr(DSO_F_WIN32_BIND_FUNC, ERR_R_PASSED_NULL_PARAMETER);
@@ -177,13 +280,13 @@ static DSO_FUNC_TYPE win32_bind_func(DSO *dso, const char *symname)
         DSOerr(DSO_F_WIN32_BIND_FUNC, DSO_R_NULL_HANDLE);
         return (NULL);
     }
-    sym.f = GetProcAddress(*ptr, symname);
-    if (sym.p == NULL) {
+    sym = GetProcAddress(*ptr, symname);
+    if (sym == NULL) {
         DSOerr(DSO_F_WIN32_BIND_FUNC, DSO_R_SYM_FAILURE);
         ERR_add_error_data(3, "symname(", symname, ")");
         return (NULL);
     }
-    return ((DSO_FUNC_TYPE)sym.f);
+    return ((DSO_FUNC_TYPE)sym);
 }
 
 struct file_st {
@@ -215,12 +318,13 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename,
         return (NULL);
     }
 
-    result = OPENSSL_zalloc(sizeof(*result));
+    result = OPENSSL_malloc(sizeof(struct file_st));
     if (result == NULL) {
         DSOerr(DSO_F_WIN32_SPLITTER, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
 
+    memset(result, 0, sizeof(struct file_st));
     position = IN_DEVICE;
 
     if ((filename[0] == '\\' && filename[1] == '\\')
@@ -338,7 +442,7 @@ static char *win32_joiner(DSO *dso, const struct file_st *file_split)
     }
 
     result = OPENSSL_malloc(len + 1);
-    if (result == NULL) {
+    if (!result) {
         DSOerr(DSO_F_WIN32_JOINER, ERR_R_MALLOC_FAILURE);
         return (NULL);
     }
@@ -372,6 +476,13 @@ static char *win32_joiner(DSO *dso, const struct file_st *file_split)
         offset++;
         start = end + 1;
     }
+# if 0                          /* Not needed, since the directory converter
+                                 * above already appeneded a backslash */
+    if (file_split->predir && (file_split->dir || file_split->file)) {
+        result[offset] = '\\';
+        offset++;
+    }
+# endif
     start = file_split->dir;
     while (file_split->dirlen > (start - file_split->dir)) {
         const char *end = openssl_strnchr(start, '/',
@@ -385,6 +496,13 @@ static char *win32_joiner(DSO *dso, const struct file_st *file_split)
         offset++;
         start = end + 1;
     }
+# if 0                          /* Not needed, since the directory converter
+                                 * above already appeneded a backslash */
+    if (file_split->dir && file_split->file) {
+        result[offset] = '\\';
+        offset++;
+    }
+# endif
     strncpy(&result[offset], file_split->file, file_split->filelen);
     offset += file_split->filelen;
     result[offset] = '\0';
@@ -404,14 +522,14 @@ static char *win32_merger(DSO *dso, const char *filespec1,
     }
     if (!filespec2) {
         merged = OPENSSL_malloc(strlen(filespec1) + 1);
-        if (merged == NULL) {
+        if (!merged) {
             DSOerr(DSO_F_WIN32_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
         strcpy(merged, filespec1);
     } else if (!filespec1) {
         merged = OPENSSL_malloc(strlen(filespec2) + 1);
-        if (merged == NULL) {
+        if (!merged) {
             DSOerr(DSO_F_WIN32_MERGER, ERR_R_MALLOC_FAILURE);
             return (NULL);
         }
@@ -507,6 +625,106 @@ typedef HANDLE(WINAPI *CREATETOOLHELP32SNAPSHOT) (DWORD, DWORD);
 typedef BOOL(WINAPI *CLOSETOOLHELP32SNAPSHOT) (HANDLE);
 typedef BOOL(WINAPI *MODULE32) (HANDLE, MODULEENTRY32 *);
 
+static int win32_pathbyaddr(void *addr, char *path, int sz)
+{
+    HMODULE dll;
+    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
+    MODULEENTRY32 me32;
+    CREATETOOLHELP32SNAPSHOT create_snap;
+    CLOSETOOLHELP32SNAPSHOT close_snap;
+    MODULE32 module_first, module_next;
+
+    if (addr == NULL) {
+        union {
+            int (*f) (void *, char *, int);
+            void *p;
+        } t = {
+            win32_pathbyaddr
+        };
+        addr = t.p;
+    }
+
+    dll = LoadLibrary(TEXT(DLLNAME));
+    if (dll == NULL) {
+        DSOerr(DSO_F_WIN32_PATHBYADDR, DSO_R_UNSUPPORTED);
+        return -1;
+    }
+
+    create_snap = (CREATETOOLHELP32SNAPSHOT)
+        GetProcAddress(dll, "CreateToolhelp32Snapshot");
+    if (create_snap == NULL) {
+        FreeLibrary(dll);
+        DSOerr(DSO_F_WIN32_PATHBYADDR, DSO_R_UNSUPPORTED);
+        return -1;
+    }
+    /* We take the rest for granted... */
+# ifdef _WIN32_WCE
+    close_snap = (CLOSETOOLHELP32SNAPSHOT)
+        GetProcAddress(dll, "CloseToolhelp32Snapshot");
+# else
+    close_snap = (CLOSETOOLHELP32SNAPSHOT) CloseHandle;
+# endif
+    module_first = (MODULE32) GetProcAddress(dll, "Module32First");
+    module_next = (MODULE32) GetProcAddress(dll, "Module32Next");
+
+    hModuleSnap = (*create_snap) (TH32CS_SNAPMODULE, 0);
+    if (hModuleSnap == INVALID_HANDLE_VALUE) {
+        FreeLibrary(dll);
+        DSOerr(DSO_F_WIN32_PATHBYADDR, DSO_R_UNSUPPORTED);
+        return -1;
+    }
+
+    me32.dwSize = sizeof(me32);
+
+    if (!(*module_first) (hModuleSnap, &me32)) {
+        (*close_snap) (hModuleSnap);
+        FreeLibrary(dll);
+        DSOerr(DSO_F_WIN32_PATHBYADDR, DSO_R_FAILURE);
+        return -1;
+    }
+
+    do {
+        if ((BYTE *) addr >= me32.modBaseAddr &&
+            (BYTE *) addr < me32.modBaseAddr + me32.modBaseSize) {
+            (*close_snap) (hModuleSnap);
+            FreeLibrary(dll);
+# ifdef _WIN32_WCE
+#  if _WIN32_WCE >= 101
+            return WideCharToMultiByte(CP_ACP, 0, me32.szExePath, -1,
+                                       path, sz, NULL, NULL);
+#  else
+            {
+                int i, len = (int)wcslen(me32.szExePath);
+                if (sz <= 0)
+                    return len + 1;
+                if (len >= sz)
+                    len = sz - 1;
+                for (i = 0; i < len; i++)
+                    path[i] = (char)me32.szExePath[i];
+                path[len++] = 0;
+                return len;
+            }
+#  endif
+# else
+            {
+                int len = (int)strlen(me32.szExePath);
+                if (sz <= 0)
+                    return len + 1;
+                if (len >= sz)
+                    len = sz - 1;
+                memcpy(path, me32.szExePath, len);
+                path[len++] = 0;
+                return len;
+            }
+# endif
+        }
+    } while ((*module_next) (hModuleSnap, &me32));
+
+    (*close_snap) (hModuleSnap);
+    FreeLibrary(dll);
+    return 0;
+}
+
 static void *win32_globallookup(const char *name)
 {
     HMODULE dll;
@@ -515,10 +733,7 @@ static void *win32_globallookup(const char *name)
     CREATETOOLHELP32SNAPSHOT create_snap;
     CLOSETOOLHELP32SNAPSHOT close_snap;
     MODULE32 module_first, module_next;
-    union {
-        void *p;
-        FARPROC f;
-    } ret = { NULL };
+    FARPROC ret = NULL;
 
     dll = LoadLibrary(TEXT(DLLNAME));
     if (dll == NULL) {
@@ -559,10 +774,10 @@ static void *win32_globallookup(const char *name)
     }
 
     do {
-        if ((ret.f = GetProcAddress(me32.hModule, name))) {
+        if ((ret = GetProcAddress(me32.hModule, name))) {
             (*close_snap) (hModuleSnap);
             FreeLibrary(dll);
-            return ret.p;
+            return ret;
         }
     } while ((*module_next) (hModuleSnap, &me32));
 
diff --git a/Cryptlib/OpenSSL/crypto/ebcdic.c b/Cryptlib/OpenSSL/crypto/ebcdic.c
index 68719538..fd6df92b 100644
--- a/Cryptlib/OpenSSL/crypto/ebcdic.c
+++ b/Cryptlib/OpenSSL/crypto/ebcdic.c
@@ -1,103 +1,21 @@
-/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
+/* crypto/ebcdic.c */
 
-# include <openssl/e_os2.h>
 #ifndef CHARSET_EBCDIC
-NON_EMPTY_TRANSLATION_UNIT
-#else
 
-# include <openssl/ebcdic.h>
+# include <openssl/e_os2.h>
+# if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX) || defined(__clang__)
+static void *dummy = &dummy;
+# endif
+
+#else                           /* CHARSET_EBCDIC */
 
+# include "ebcdic.h"
 /*-
  *      Initial Port for  Apache-1.3     by <Martin.Kraemer@Mch.SNI.De>
  *      Adapted for       OpenSSL-0.9.4  by <Martin.Kraemer@Mch.SNI.De>
  */
 
-# ifdef CHARSET_EBCDIC_TEST
-/*
- * Here we're looking to test the EBCDIC code on an ASCII system so we don't do
- * any translation in these tables at all.
- */
-
-/* The ebcdic-to-ascii table: */
-const unsigned char os_toascii[256] = {
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-    0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
-    0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
-    0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
-    0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-    0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-    0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-    0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-    0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-    0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-    0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-    0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-    0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-    0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-    0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-    0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-    0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
-};
-
-/* The ascii-to-ebcdic table: */
-const unsigned char os_toebcdic[256] = {
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-    0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
-    0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
-    0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
-    0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-    0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-    0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-    0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-    0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-    0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-    0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-    0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-    0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-    0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-    0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-    0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-    0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
-};
-
-# elif defined(_OSD_POSIX)
+# ifdef _OSD_POSIX
 /*
  * "BS2000 OSD" is a POSIX subsystem on a main frame. It is made by Siemens
  * AG, Germany, for their BS2000 mainframe machines. Within the POSIX
@@ -255,7 +173,7 @@ const unsigned char os_toebcdic[256] = {
  * systems. It is a modified version of the BS2000 table.
  *
  * Bijective EBCDIC (character set IBM-1047) to US-ASCII table: This table is
- * bijective - there are no ambiguous or duplicate characters.
+ * bijective - there are no ambigous or duplicate characters.
  */
 const unsigned char os_toascii[256] = {
     0x00, 0x01, 0x02, 0x03, 0x85, 0x09, 0x86, 0x7f, /* 00-0f: */
diff --git a/Cryptlib/OpenSSL/crypto/err/err.c b/Cryptlib/OpenSSL/crypto/err/err.c
index 44a293ad..e2251454 100644
--- a/Cryptlib/OpenSSL/crypto/err/err.c
+++ b/Cryptlib/OpenSSL/crypto/err/err.c
@@ -1,24 +1,126 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/err/err.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <stdarg.h>
 #include <string.h>
-#include <internal/cryptlib_int.h>
-#include <internal/err.h>
-#include <internal/err_int.h>
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
-#include <openssl/opensslconf.h>
-#include <internal/thread_once.h>
+#include <openssl/err.h>
+
+DECLARE_LHASH_OF(ERR_STRING_DATA);
+DECLARE_LHASH_OF(ERR_STATE);
 
 static void err_load_strings(int lib, ERR_STRING_DATA *str);
 
@@ -40,8 +142,6 @@ static ERR_STRING_DATA ERR_str_libraries[] = {
     {ERR_PACK(ERR_LIB_CONF, 0, 0), "configuration file routines"},
     {ERR_PACK(ERR_LIB_CRYPTO, 0, 0), "common libcrypto routines"},
     {ERR_PACK(ERR_LIB_EC, 0, 0), "elliptic curve routines"},
-    {ERR_PACK(ERR_LIB_ECDSA, 0, 0), "ECDSA routines"},
-    {ERR_PACK(ERR_LIB_ECDH, 0, 0), "ECDH routines"},
     {ERR_PACK(ERR_LIB_SSL, 0, 0), "SSL routines"},
     {ERR_PACK(ERR_LIB_BIO, 0, 0), "BIO routines"},
     {ERR_PACK(ERR_LIB_PKCS7, 0, 0), "PKCS7 routines"},
@@ -52,13 +152,9 @@ static ERR_STRING_DATA ERR_str_libraries[] = {
     {ERR_PACK(ERR_LIB_TS, 0, 0), "time stamp routines"},
     {ERR_PACK(ERR_LIB_ENGINE, 0, 0), "engine routines"},
     {ERR_PACK(ERR_LIB_OCSP, 0, 0), "OCSP routines"},
-    {ERR_PACK(ERR_LIB_UI, 0, 0), "UI routines"},
     {ERR_PACK(ERR_LIB_FIPS, 0, 0), "FIPS routines"},
     {ERR_PACK(ERR_LIB_CMS, 0, 0), "CMS routines"},
     {ERR_PACK(ERR_LIB_HMAC, 0, 0), "HMAC routines"},
-    {ERR_PACK(ERR_LIB_CT, 0, 0), "CT routines"},
-    {ERR_PACK(ERR_LIB_ASYNC, 0, 0), "ASYNC routines"},
-    {ERR_PACK(ERR_LIB_KDF, 0, 0), "KDF routines"},
     {0, NULL},
 };
 
@@ -76,12 +172,6 @@ static ERR_STRING_DATA ERR_str_functs[] = {
 # endif
     {ERR_PACK(0, SYS_F_OPENDIR, 0), "opendir"},
     {ERR_PACK(0, SYS_F_FREAD, 0), "fread"},
-    {ERR_PACK(0, SYS_F_GETADDRINFO, 0), "getaddrinfo"},
-    {ERR_PACK(0, SYS_F_GETNAMEINFO, 0), "getnameinfo"},
-    {ERR_PACK(0, SYS_F_SETSOCKOPT, 0), "setsockopt"},
-    {ERR_PACK(0, SYS_F_GETSOCKOPT, 0), "getsockopt"},
-    {ERR_PACK(0, SYS_F_GETSOCKNAME, 0), "getsockname"},
-    {ERR_PACK(0, SYS_F_GETHOSTBYNAME, 0), "gethostbyname"},
     {0, NULL},
 };
 
@@ -97,14 +187,25 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
     {ERR_R_DSA_LIB, "DSA lib"},
     {ERR_R_X509_LIB, "X509 lib"},
     {ERR_R_ASN1_LIB, "ASN1 lib"},
+    {ERR_R_CONF_LIB, "CONF lib"},
+    {ERR_R_CRYPTO_LIB, "CRYPTO lib"},
     {ERR_R_EC_LIB, "EC lib"},
+    {ERR_R_SSL_LIB, "SSL lib"},
     {ERR_R_BIO_LIB, "BIO lib"},
     {ERR_R_PKCS7_LIB, "PKCS7 lib"},
     {ERR_R_X509V3_LIB, "X509V3 lib"},
+    {ERR_R_PKCS12_LIB, "PKCS12 lib"},
+    {ERR_R_RAND_LIB, "RAND lib"},
+    {ERR_R_DSO_LIB, "DSO lib"},
     {ERR_R_ENGINE_LIB, "ENGINE lib"},
-    {ERR_R_ECDSA_LIB, "ECDSA lib"},
+    {ERR_R_OCSP_LIB, "OCSP lib"},
+    {ERR_R_TS_LIB, "TS lib"},
 
     {ERR_R_NESTED_ASN1_ERROR, "nested asn1 error"},
+    {ERR_R_BAD_ASN1_OBJECT_HEADER, "bad asn1 object header"},
+    {ERR_R_BAD_GET_ASN1_OBJECT_CALL, "bad get asn1 object call"},
+    {ERR_R_EXPECTING_AN_ASN1_SEQUENCE, "expecting an asn1 sequence"},
+    {ERR_R_ASN1_LENGTH_MISMATCH, "asn1 length mismatch"},
     {ERR_R_MISSING_ASN1_EOS, "missing asn1 eos"},
 
     {ERR_R_FATAL, "fatal"},
@@ -114,31 +215,125 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
     {ERR_R_PASSED_NULL_PARAMETER, "passed a null parameter"},
     {ERR_R_INTERNAL_ERROR, "internal error"},
     {ERR_R_DISABLED, "called a function that was disabled at compile-time"},
-    {ERR_R_INIT_FAIL, "init fail"},
 
     {0, NULL},
 };
 #endif
 
-static CRYPTO_ONCE err_init = CRYPTO_ONCE_STATIC_INIT;
-static CRYPTO_THREAD_LOCAL err_thread_local;
-
-static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
-static CRYPTO_RWLOCK *err_string_lock;
+/* Define the predeclared (but externally opaque) "ERR_FNS" type */
+struct st_ERR_FNS {
+    /* Works on the "error_hash" string table */
+    LHASH_OF(ERR_STRING_DATA) *(*cb_err_get) (int create);
+    void (*cb_err_del) (void);
+    ERR_STRING_DATA *(*cb_err_get_item) (const ERR_STRING_DATA *);
+    ERR_STRING_DATA *(*cb_err_set_item) (ERR_STRING_DATA *);
+    ERR_STRING_DATA *(*cb_err_del_item) (ERR_STRING_DATA *);
+    /* Works on the "thread_hash" error-state table */
+    LHASH_OF(ERR_STATE) *(*cb_thread_get) (int create);
+    void (*cb_thread_release) (LHASH_OF(ERR_STATE) **hash);
+    ERR_STATE *(*cb_thread_get_item) (const ERR_STATE *);
+    ERR_STATE *(*cb_thread_set_item) (ERR_STATE *);
+    void (*cb_thread_del_item) (const ERR_STATE *);
+    /* Returns the next available error "library" numbers */
+    int (*cb_get_next_lib) (void);
+};
 
+/* Predeclarations of the "err_defaults" functions */
+static LHASH_OF(ERR_STRING_DATA) *int_err_get(int create);
+static void int_err_del(void);
 static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
+static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
+static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
+static LHASH_OF(ERR_STATE) *int_thread_get(int create);
+static void int_thread_release(LHASH_OF(ERR_STATE) **hash);
+static ERR_STATE *int_thread_get_item(const ERR_STATE *);
+static ERR_STATE *int_thread_set_item(ERR_STATE *);
+static void int_thread_del_item(const ERR_STATE *);
+static int int_err_get_next_lib(void);
+/* The static ERR_FNS table using these defaults functions */
+static const ERR_FNS err_defaults = {
+    int_err_get,
+    int_err_del,
+    int_err_get_item,
+    int_err_set_item,
+    int_err_del_item,
+    int_thread_get,
+    int_thread_release,
+    int_thread_get_item,
+    int_thread_set_item,
+    int_thread_del_item,
+    int_err_get_next_lib
+};
+
+/* The replacable table of ERR_FNS functions we use at run-time */
+static const ERR_FNS *err_fns = NULL;
+
+/* Eg. rather than using "err_get()", use "ERRFN(err_get)()". */
+#define ERRFN(a) err_fns->cb_##a
 
 /*
- * The internal state
+ * The internal state used by "err_defaults" - as such, the setting, reading,
+ * creating, and deleting of this data should only be permitted via the
+ * "err_defaults" functions. This way, a linked module can completely defer
+ * all ERR state operation (together with requisite locking) to the
+ * implementations and state in the loading application.
  */
-
 static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL;
+static LHASH_OF(ERR_STATE) *int_thread_hash = NULL;
+static int int_thread_hash_references = 0;
 static int int_err_library_number = ERR_LIB_USER;
 
+/*
+ * Internal function that checks whether "err_fns" is set and if not, sets it
+ * to the defaults.
+ */
+static void err_fns_check(void)
+{
+    if (err_fns)
+        return;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    if (!err_fns)
+        err_fns = &err_defaults;
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+}
+
+/* API functions to get or set the underlying ERR functions. */
+
+const ERR_FNS *ERR_get_implementation(void)
+{
+    err_fns_check();
+    return err_fns;
+}
+
+int ERR_set_implementation(const ERR_FNS *fns)
+{
+    int ret = 0;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    /*
+     * It's too late if 'err_fns' is non-NULL. BTW: not much point setting an
+     * error is there?!
+     */
+    if (!err_fns) {
+        err_fns = fns;
+        ret = 1;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+    return ret;
+}
+
+/*
+ * These are the callbacks provided to "lh_new()" when creating the LHASH
+ * tables internal to the "err_defaults" implementation.
+ */
+
 static unsigned long get_error_values(int inc, int top, const char **file,
                                       int *line, const char **data,
                                       int *flags);
 
+/* The internal functions used in the "err_defaults" implementation */
+
 static unsigned long err_string_data_hash(const ERR_STRING_DATA *a)
 {
     unsigned long ret, l;
@@ -148,24 +343,221 @@ static unsigned long err_string_data_hash(const ERR_STRING_DATA *a)
     return (ret ^ ret % 19 * 13);
 }
 
+static IMPLEMENT_LHASH_HASH_FN(err_string_data, ERR_STRING_DATA)
+
 static int err_string_data_cmp(const ERR_STRING_DATA *a,
                                const ERR_STRING_DATA *b)
 {
     return (int)(a->error - b->error);
 }
 
+static IMPLEMENT_LHASH_COMP_FN(err_string_data, ERR_STRING_DATA)
+
+static LHASH_OF(ERR_STRING_DATA) *int_err_get(int create)
+{
+    LHASH_OF(ERR_STRING_DATA) *ret = NULL;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    if (!int_error_hash && create) {
+        CRYPTO_push_info("int_err_get (err.c)");
+        int_error_hash = lh_ERR_STRING_DATA_new();
+        CRYPTO_pop_info();
+    }
+    if (int_error_hash)
+        ret = int_error_hash;
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+    return ret;
+}
+
+static void int_err_del(void)
+{
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    if (int_error_hash) {
+        lh_ERR_STRING_DATA_free(int_error_hash);
+        int_error_hash = NULL;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+}
+
 static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
 {
-    ERR_STRING_DATA *p = NULL;
+    ERR_STRING_DATA *p;
+    LHASH_OF(ERR_STRING_DATA) *hash;
+
+    err_fns_check();
+    hash = ERRFN(err_get) (0);
+    if (!hash)
+        return NULL;
+
+    CRYPTO_r_lock(CRYPTO_LOCK_ERR);
+    p = lh_ERR_STRING_DATA_retrieve(hash, d);
+    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+
+    return p;
+}
+
+static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *d)
+{
+    ERR_STRING_DATA *p;
+    LHASH_OF(ERR_STRING_DATA) *hash;
+
+    err_fns_check();
+    hash = ERRFN(err_get) (1);
+    if (!hash)
+        return NULL;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    p = lh_ERR_STRING_DATA_insert(hash, d);
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+    return p;
+}
+
+static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *d)
+{
+    ERR_STRING_DATA *p;
+    LHASH_OF(ERR_STRING_DATA) *hash;
+
+    err_fns_check();
+    hash = ERRFN(err_get) (0);
+    if (!hash)
+        return NULL;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    p = lh_ERR_STRING_DATA_delete(hash, d);
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+    return p;
+}
+
+static unsigned long err_state_hash(const ERR_STATE *a)
+{
+    return CRYPTO_THREADID_hash(&a->tid) * 13;
+}
+
+static IMPLEMENT_LHASH_HASH_FN(err_state, ERR_STATE)
+
+static int err_state_cmp(const ERR_STATE *a, const ERR_STATE *b)
+{
+    return CRYPTO_THREADID_cmp(&a->tid, &b->tid);
+}
+
+static IMPLEMENT_LHASH_COMP_FN(err_state, ERR_STATE)
+
+static LHASH_OF(ERR_STATE) *int_thread_get(int create)
+{
+    LHASH_OF(ERR_STATE) *ret = NULL;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    if (!int_thread_hash && create) {
+        CRYPTO_push_info("int_thread_get (err.c)");
+        int_thread_hash = lh_ERR_STATE_new();
+        CRYPTO_pop_info();
+    }
+    if (int_thread_hash) {
+        int_thread_hash_references++;
+        ret = int_thread_hash;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+    return ret;
+}
+
+static void int_thread_release(LHASH_OF(ERR_STATE) **hash)
+{
+    int i;
+
+    if (hash == NULL || *hash == NULL)
+        return;
+
+    i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR);
+
+#ifdef REF_PRINT
+    fprintf(stderr, "%4d:%s\n", int_thread_hash_references, "ERR");
+#endif
+    if (i > 0)
+        return;
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "int_thread_release, bad reference count\n");
+        abort();                /* ok */
+    }
+#endif
+    *hash = NULL;
+}
+
+static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
+{
+    ERR_STATE *p;
+    LHASH_OF(ERR_STATE) *hash;
+
+    err_fns_check();
+    hash = ERRFN(thread_get) (0);
+    if (!hash)
+        return NULL;
 
-    CRYPTO_THREAD_read_lock(err_string_lock);
-    if (int_error_hash != NULL)
-        p = lh_ERR_STRING_DATA_retrieve(int_error_hash, d);
-    CRYPTO_THREAD_unlock(err_string_lock);
+    CRYPTO_r_lock(CRYPTO_LOCK_ERR);
+    p = lh_ERR_STATE_retrieve(hash, d);
+    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
 
+    ERRFN(thread_release) (&hash);
     return p;
 }
 
+static ERR_STATE *int_thread_set_item(ERR_STATE *d)
+{
+    ERR_STATE *p;
+    LHASH_OF(ERR_STATE) *hash;
+
+    err_fns_check();
+    hash = ERRFN(thread_get) (1);
+    if (!hash)
+        return NULL;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    p = lh_ERR_STATE_insert(hash, d);
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+    ERRFN(thread_release) (&hash);
+    return p;
+}
+
+static void int_thread_del_item(const ERR_STATE *d)
+{
+    ERR_STATE *p;
+    LHASH_OF(ERR_STATE) *hash;
+
+    err_fns_check();
+    hash = ERRFN(thread_get) (0);
+    if (!hash)
+        return;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    p = lh_ERR_STATE_delete(hash, d);
+    /* make sure we don't leak memory */
+    if (int_thread_hash_references == 1
+        && int_thread_hash && lh_ERR_STATE_num_items(int_thread_hash) == 0) {
+        lh_ERR_STATE_free(int_thread_hash);
+        int_thread_hash = NULL;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+    ERRFN(thread_release) (&hash);
+    if (p)
+        ERR_STATE_free(p);
+}
+
+static int int_err_get_next_lib(void)
+{
+    int ret;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    ret = int_err_library_number++;
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+    return ret;
+}
+
 #ifndef OPENSSL_NO_ERR
 # define NUM_SYS_STR_REASONS 127
 # define LEN_SYS_STR_REASON 32
@@ -185,12 +577,19 @@ static void build_SYS_str_reasons(void)
 {
     /* OPENSSL_malloc cannot be used here, use static storage instead */
     static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
-    static int init = 1;
     int i;
+    static int init = 1;
 
-    CRYPTO_THREAD_write_lock(err_string_lock);
+    CRYPTO_r_lock(CRYPTO_LOCK_ERR);
     if (!init) {
-        CRYPTO_THREAD_unlock(err_string_lock);
+        CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+        return;
+    }
+
+    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+    if (!init) {
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
         return;
     }
 
@@ -200,8 +599,12 @@ static void build_SYS_str_reasons(void)
         str->error = (unsigned long)i;
         if (str->string == NULL) {
             char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
-            if (openssl_strerror_r(i, *dest, sizeof(*dest)))
+            char *src = strerror(i);
+            if (src != NULL) {
+                strncpy(*dest, src, sizeof *dest);
+                (*dest)[sizeof *dest - 1] = '\0';
                 str->string = *dest;
+            }
         }
         if (str->string == NULL)
             str->string = "unknown";
@@ -214,13 +617,14 @@ static void build_SYS_str_reasons(void)
 
     init = 0;
 
-    CRYPTO_THREAD_unlock(err_string_lock);
+    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 }
 #endif
 
 #define err_clear_data(p,i) \
         do { \
-        if ((p)->err_data_flags[i] & ERR_TXT_MALLOCED) \
+        if (((p)->err_data[i] != NULL) && \
+                (p)->err_data_flags[i] & ERR_TXT_MALLOCED) \
                 {  \
                 OPENSSL_free((p)->err_data[i]); \
                 (p)->err_data[i]=NULL; \
@@ -250,85 +654,48 @@ static void ERR_STATE_free(ERR_STATE *s)
     OPENSSL_free(s);
 }
 
-DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
-{
-    OPENSSL_init_crypto(0, NULL);
-    err_string_lock = CRYPTO_THREAD_lock_new();
-    return err_string_lock != NULL;
-}
-
-void err_cleanup(void)
-{
-    CRYPTO_THREAD_lock_free(err_string_lock);
-    err_string_lock = NULL;
-}
-
-int ERR_load_ERR_strings(void)
+void ERR_load_ERR_strings(void)
 {
+    err_fns_check();
 #ifndef OPENSSL_NO_ERR
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init))
-        return 0;
-
     err_load_strings(0, ERR_str_libraries);
     err_load_strings(0, ERR_str_reasons);
     err_load_strings(ERR_LIB_SYS, ERR_str_functs);
     build_SYS_str_reasons();
     err_load_strings(ERR_LIB_SYS, SYS_str_reasons);
 #endif
-    return 1;
 }
 
 static void err_load_strings(int lib, ERR_STRING_DATA *str)
 {
-    CRYPTO_THREAD_write_lock(err_string_lock);
-    if (int_error_hash == NULL)
-        int_error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash,
-                                                err_string_data_cmp);
-    if (int_error_hash != NULL) {
-        for (; str->error; str++) {
-            if (lib)
-                str->error |= ERR_PACK(lib, 0, 0);
-            (void)lh_ERR_STRING_DATA_insert(int_error_hash, str);
-        }
+    while (str->error) {
+        if (lib)
+            str->error |= ERR_PACK(lib, 0, 0);
+        ERRFN(err_set_item) (str);
+        str++;
     }
-    CRYPTO_THREAD_unlock(err_string_lock);
 }
 
-int ERR_load_strings(int lib, ERR_STRING_DATA *str)
+void ERR_load_strings(int lib, ERR_STRING_DATA *str)
 {
-    if (ERR_load_ERR_strings() == 0)
-        return 0;
+    ERR_load_ERR_strings();
     err_load_strings(lib, str);
-    return 1;
 }
 
-int ERR_unload_strings(int lib, ERR_STRING_DATA *str)
+void ERR_unload_strings(int lib, ERR_STRING_DATA *str)
 {
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init))
-        return 0;
-
-    CRYPTO_THREAD_write_lock(err_string_lock);
-    if (int_error_hash != NULL) {
-        for (; str->error; str++) {
-            if (lib)
-                str->error |= ERR_PACK(lib, 0, 0);
-            (void)lh_ERR_STRING_DATA_delete(int_error_hash, str);
-        }
+    while (str->error) {
+        if (lib)
+            str->error |= ERR_PACK(lib, 0, 0);
+        ERRFN(err_del_item) (str);
+        str++;
     }
-    CRYPTO_THREAD_unlock(err_string_lock);
-
-    return 1;
 }
 
-void err_free_strings_int(void)
+void ERR_free_strings(void)
 {
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init))
-        return;
-
-    CRYPTO_THREAD_write_lock(err_string_lock);
-    lh_ERR_STRING_DATA_free(int_error_hash);
-    int_error_hash = NULL;
-    CRYPTO_THREAD_unlock(err_string_lock);
+    err_fns_check();
+    ERRFN(err_del) ();
 }
 
 /********************************************************/
@@ -547,6 +914,7 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t len)
     }
 }
 
+/* BAD for multi-threading: uses a local buffer if ret == NULL */
 /*
  * ERR_error_string_n should be used instead for ret != NULL as
  * ERR_error_string cannot know how large the buffer is
@@ -562,18 +930,33 @@ char *ERR_error_string(unsigned long e, char *ret)
     return ret;
 }
 
+LHASH_OF(ERR_STRING_DATA) *ERR_get_string_table(void)
+{
+    err_fns_check();
+    return ERRFN(err_get) (0);
+}
+
+LHASH_OF(ERR_STATE) *ERR_get_err_state_table(void)
+{
+    err_fns_check();
+    return ERRFN(thread_get) (0);
+}
+
+void ERR_release_err_state_table(LHASH_OF(ERR_STATE) **hash)
+{
+    err_fns_check();
+    ERRFN(thread_release) (hash);
+}
+
 const char *ERR_lib_error_string(unsigned long e)
 {
     ERR_STRING_DATA d, *p;
     unsigned long l;
 
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
-        return NULL;
-    }
-
+    err_fns_check();
     l = ERR_GET_LIB(e);
     d.error = ERR_PACK(l, 0, 0);
-    p = int_err_get_item(&d);
+    p = ERRFN(err_get_item) (&d);
     return ((p == NULL) ? NULL : p->string);
 }
 
@@ -582,14 +965,11 @@ const char *ERR_func_error_string(unsigned long e)
     ERR_STRING_DATA d, *p;
     unsigned long l, f;
 
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
-        return NULL;
-    }
-
+    err_fns_check();
     l = ERR_GET_LIB(e);
     f = ERR_GET_FUNC(e);
     d.error = ERR_PACK(l, f, 0);
-    p = int_err_get_item(&d);
+    p = ERRFN(err_get_item) (&d);
     return ((p == NULL) ? NULL : p->string);
 }
 
@@ -598,87 +978,85 @@ const char *ERR_reason_error_string(unsigned long e)
     ERR_STRING_DATA d, *p = NULL;
     unsigned long l, r;
 
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
-        return NULL;
-    }
-
+    err_fns_check();
     l = ERR_GET_LIB(e);
     r = ERR_GET_REASON(e);
     d.error = ERR_PACK(l, 0, r);
-    p = int_err_get_item(&d);
+    p = ERRFN(err_get_item) (&d);
     if (!p) {
         d.error = ERR_PACK(0, 0, r);
-        p = int_err_get_item(&d);
+        p = ERRFN(err_get_item) (&d);
     }
     return ((p == NULL) ? NULL : p->string);
 }
 
-void err_delete_thread_state(void)
+void ERR_remove_thread_state(const CRYPTO_THREADID *id)
 {
-    ERR_STATE *state = ERR_get_state();
-    if (state == NULL)
-        return;
-
-    CRYPTO_THREAD_set_local(&err_thread_local, NULL);
-    ERR_STATE_free(state);
-}
+    ERR_STATE tmp;
 
-#if OPENSSL_API_COMPAT < 0x10100000L
-void ERR_remove_thread_state(void *dummy)
-{
+    if (id)
+        CRYPTO_THREADID_cpy(&tmp.tid, id);
+    else
+        CRYPTO_THREADID_current(&tmp.tid);
+    err_fns_check();
+    /*
+     * thread_del_item automatically destroys the LHASH if the number of
+     * items reaches zero.
+     */
+    ERRFN(thread_del_item) (&tmp);
 }
-#endif
 
-#if OPENSSL_API_COMPAT < 0x10000000L
+#ifndef OPENSSL_NO_DEPRECATED
 void ERR_remove_state(unsigned long pid)
 {
+    ERR_remove_thread_state(NULL);
 }
 #endif
 
-DEFINE_RUN_ONCE_STATIC(err_do_init)
-{
-    return CRYPTO_THREAD_init_local(&err_thread_local, NULL);
-}
-
 ERR_STATE *ERR_get_state(void)
 {
-    ERR_STATE *state = NULL;
-
-    if (!RUN_ONCE(&err_init, err_do_init))
-        return NULL;
-
-    state = CRYPTO_THREAD_get_local(&err_thread_local);
-
-    if (state == NULL) {
-        state = OPENSSL_zalloc(sizeof(*state));
-        if (state == NULL)
-            return NULL;
-
-        if (!CRYPTO_THREAD_set_local(&err_thread_local, state)) {
-            ERR_STATE_free(state);
-            return NULL;
+    static ERR_STATE fallback;
+    ERR_STATE *ret, tmp, *tmpp = NULL;
+    int i;
+    CRYPTO_THREADID tid;
+
+    err_fns_check();
+    CRYPTO_THREADID_current(&tid);
+    CRYPTO_THREADID_cpy(&tmp.tid, &tid);
+    ret = ERRFN(thread_get_item) (&tmp);
+
+    /* ret == the error state, if NULL, make a new one */
+    if (ret == NULL) {
+        ret = (ERR_STATE *)OPENSSL_malloc(sizeof(ERR_STATE));
+        if (ret == NULL)
+            return (&fallback);
+        CRYPTO_THREADID_cpy(&ret->tid, &tid);
+        ret->top = 0;
+        ret->bottom = 0;
+        for (i = 0; i < ERR_NUM_ERRORS; i++) {
+            ret->err_data[i] = NULL;
+            ret->err_data_flags[i] = 0;
         }
-
-        /* Ignore failures from these */
-        OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-        ossl_init_thread_start(OPENSSL_INIT_THREAD_ERR_STATE);
+        tmpp = ERRFN(thread_set_item) (ret);
+        /* To check if insertion failed, do a get. */
+        if (ERRFN(thread_get_item) (ret) != ret) {
+            ERR_STATE_free(ret); /* could not insert it */
+            return (&fallback);
+        }
+        /*
+         * If a race occured in this function and we came second, tmpp is the
+         * first one that we just replaced.
+         */
+        if (tmpp)
+            ERR_STATE_free(tmpp);
     }
-
-    return state;
+    return ret;
 }
 
 int ERR_get_next_error_library(void)
 {
-    int ret;
-
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init)) {
-        return 0;
-    }
-
-    CRYPTO_THREAD_write_lock(err_string_lock);
-    ret = int_err_library_number++;
-    CRYPTO_THREAD_unlock(err_string_lock);
-    return ret;
+    err_fns_check();
+    return ERRFN(get_next_lib) ();
 }
 
 void ERR_set_error_data(char *data, int flags)
@@ -697,15 +1075,15 @@ void ERR_set_error_data(char *data, int flags)
     es->err_data_flags[i] = flags;
 }
 
-void ERR_add_error_data(int num, ...)
+void EFIAPI ERR_add_error_data(int num, ...)
 {
-    va_list args;
-    va_start(args, num);
+    ms_va_list args;
+    ms_va_start(args, num);
     ERR_add_error_vdata(num, args);
-    va_end(args);
+    ms_va_end(args);
 }
 
-void ERR_add_error_vdata(int num, va_list args)
+void EFIAPI ERR_add_error_vdata(int num, ms_va_list args)
 {
     int i, n, s;
     char *str, *p, *a;
@@ -718,7 +1096,7 @@ void ERR_add_error_vdata(int num, va_list args)
 
     n = 0;
     for (i = 0; i < num; i++) {
-        a = va_arg(args, char *);
+        a = ms_va_arg(args, char *);
         /* ignore NULLs, thanks to Bob Beck <beck@obtuse.com> */
         if (a != NULL) {
             n += strlen(a);
@@ -728,10 +1106,10 @@ void ERR_add_error_vdata(int num, va_list args)
                 if (p == NULL) {
                     OPENSSL_free(str);
                     return;
-                }
-                str = p;
+                } else
+                    str = p;
             }
-            OPENSSL_strlcat(str, a, (size_t)s + 1);
+            BUF_strlcat(str, a, (size_t)s + 1);
         }
     }
     ERR_set_error_data(str, ERR_TXT_MALLOCED | ERR_TXT_STRING);
diff --git a/Cryptlib/OpenSSL/crypto/err/err_all.c b/Cryptlib/OpenSSL/crypto/err/err_all.c
index 3b1304f8..d7575a7e 100644
--- a/Cryptlib/OpenSSL/crypto/err/err_all.c
+++ b/Cryptlib/OpenSSL/crypto/err/err_all.c
@@ -1,23 +1,87 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/err/err_all.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/err_int.h"
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/ec.h>
+#ifndef OPENSSL_NO_EC
+# include <openssl/ec.h>
+#endif
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
-#include <openssl/comp.h>
-#include <openssl/rsa.h>
-#include <openssl/dh.h>
-#include <openssl/dsa.h>
+#ifndef OPENSSL_NO_COMP
+# include <openssl/comp.h>
+#endif
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_ECDSA
+# include <openssl/ecdsa.h>
+#endif
+#ifndef OPENSSL_NO_ECDH
+# include <openssl/ecdh.h>
+#endif
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem2.h>
@@ -26,8 +90,10 @@
 #include <openssl/conf.h>
 #include <openssl/pkcs12.h>
 #include <openssl/rand.h>
-#include "internal/dso.h"
-#include <openssl/engine.h>
+#include <openssl/dso.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
 #include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
@@ -35,75 +101,68 @@
 # include <openssl/fips.h>
 #endif
 #include <openssl/ts.h>
-#include <openssl/cms.h>
-#include <openssl/ct.h>
-#include <openssl/async.h>
-#include <openssl/kdf.h>
+#ifndef OPENSSL_NO_CMS
+# include <openssl/cms.h>
+#endif
+#ifndef OPENSSL_NO_JPAKE
+# include <openssl/jpake.h>
+#endif
 
-int err_load_crypto_strings_int(void)
+void ERR_load_crypto_strings(void)
 {
-    if (
-#ifdef OPENSSL_FIPS
-        FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata) == 0 ||
-#endif
 #ifndef OPENSSL_NO_ERR
-        ERR_load_ERR_strings() == 0 ||    /* include error strings for SYSerr */
-        ERR_load_BN_strings() == 0 ||
+    ERR_load_ERR_strings();     /* include error strings for SYSerr */
+    ERR_load_BN_strings();
 # ifndef OPENSSL_NO_RSA
-        ERR_load_RSA_strings() == 0 ||
+    ERR_load_RSA_strings();
 # endif
 # ifndef OPENSSL_NO_DH
-        ERR_load_DH_strings() == 0 ||
+    ERR_load_DH_strings();
 # endif
-        ERR_load_EVP_strings() == 0 ||
-        ERR_load_BUF_strings() == 0 ||
-        ERR_load_OBJ_strings() == 0 ||
-        ERR_load_PEM_strings() == 0 ||
+    ERR_load_EVP_strings();
+    ERR_load_BUF_strings();
+    ERR_load_OBJ_strings();
+    ERR_load_PEM_strings();
 # ifndef OPENSSL_NO_DSA
-        ERR_load_DSA_strings() == 0 ||
+    ERR_load_DSA_strings();
 # endif
-        ERR_load_X509_strings() == 0 ||
-        ERR_load_ASN1_strings() == 0 ||
-        ERR_load_CONF_strings() == 0 ||
-        ERR_load_CRYPTO_strings() == 0 ||
+    ERR_load_X509_strings();
+    ERR_load_ASN1_strings();
+    ERR_load_CONF_strings();
+    ERR_load_CRYPTO_strings();
 # ifndef OPENSSL_NO_COMP
-        ERR_load_COMP_strings() == 0 ||
+    ERR_load_COMP_strings();
 # endif
 # ifndef OPENSSL_NO_EC
-        ERR_load_EC_strings() == 0 ||
+    ERR_load_EC_strings();
 # endif
-        /* skip ERR_load_SSL_strings() because it is not in this library */
-        ERR_load_BIO_strings() == 0 ||
-        ERR_load_PKCS7_strings() == 0 ||
-        ERR_load_X509V3_strings() == 0 ||
-        ERR_load_PKCS12_strings() == 0 ||
-        ERR_load_RAND_strings() == 0 ||
-        ERR_load_DSO_strings() == 0 ||
-# ifndef OPENSSL_NO_TS
-        ERR_load_TS_strings() == 0 ||
+# ifndef OPENSSL_NO_ECDSA
+    ERR_load_ECDSA_strings();
 # endif
-# ifndef OPENSSL_NO_ENGINE
-        ERR_load_ENGINE_strings() == 0 ||
+# ifndef OPENSSL_NO_ECDH
+    ERR_load_ECDH_strings();
 # endif
-# ifndef OPENSSL_NO_OCSP
-        ERR_load_OCSP_strings() == 0 ||
+    /* skip ERR_load_SSL_strings() because it is not in this library */
+    ERR_load_BIO_strings();
+    ERR_load_PKCS7_strings();
+    ERR_load_X509V3_strings();
+    ERR_load_PKCS12_strings();
+    ERR_load_RAND_strings();
+    ERR_load_DSO_strings();
+    ERR_load_TS_strings();
+# ifndef OPENSSL_NO_ENGINE
+    ERR_load_ENGINE_strings();
 # endif
-#ifndef OPENSSL_NO_UI
-        ERR_load_UI_strings() == 0 ||
-#endif
+    ERR_load_OCSP_strings();
+    ERR_load_UI_strings();
 # ifdef OPENSSL_FIPS
-        ERR_load_FIPS_strings() == 0 ||
+    ERR_load_FIPS_strings();
 # endif
 # ifndef OPENSSL_NO_CMS
-        ERR_load_CMS_strings() == 0 ||
+    ERR_load_CMS_strings();
 # endif
-# ifndef OPENSSL_NO_CT
-        ERR_load_CT_strings() == 0 ||
+# ifndef OPENSSL_NO_JPAKE
+    ERR_load_JPAKE_strings();
 # endif
-        ERR_load_ASYNC_strings() == 0 ||
 #endif
-        ERR_load_KDF_strings() == 0)
-        return 0;
-
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/err/err_prn.c b/Cryptlib/OpenSSL/crypto/err/err_prn.c
index c7dc1d15..6e352eff 100644
--- a/Cryptlib/OpenSSL/crypto/err/err_prn.c
+++ b/Cryptlib/OpenSSL/crypto/err/err_prn.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/err/err_prn.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
@@ -22,45 +71,43 @@ void ERR_print_errors_cb(int (*cb) (const char *str, size_t len, void *u),
     char buf2[4096];
     const char *file, *data;
     int line, flags;
-    /*
-     * We don't know what kind of thing CRYPTO_THREAD_ID is. Here is our best
-     * attempt to convert it into something we can print.
-     */
-    union {
-        CRYPTO_THREAD_ID tid;
-        unsigned long ltid;
-    } tid;
-
-    tid.ltid = 0;
-    tid.tid = CRYPTO_THREAD_get_current_id();
+    unsigned long es;
+    CRYPTO_THREADID cur;
 
+    CRYPTO_THREADID_current(&cur);
+    es = CRYPTO_THREADID_hash(&cur);
     while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
         ERR_error_string_n(l, buf, sizeof buf);
-        BIO_snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", tid.ltid, buf,
+        BIO_snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", es, buf,
                      file, line, (flags & ERR_TXT_STRING) ? data : "");
         if (cb(buf2, strlen(buf2), u) <= 0)
             break;              /* abort outputting the error report */
     }
 }
 
-static int print_bio(const char *str, size_t len, void *bp)
+#ifndef OPENSSL_NO_FP_API
+static int print_fp(const char *str, size_t len, void *fp)
 {
-    return BIO_write((BIO *)bp, str, len);
+    BIO bio;
+
+    BIO_set(&bio, BIO_s_file());
+    BIO_set_fp(&bio, fp, BIO_NOCLOSE);
+
+    return BIO_printf(&bio, "%s", str);
 }
 
-void ERR_print_errors(BIO *bp)
+void ERR_print_errors_fp(FILE *fp)
 {
-    ERR_print_errors_cb(print_bio, bp);
+    ERR_print_errors_cb(print_fp, fp);
 }
+#endif
 
-#ifndef OPENSSL_NO_STDIO
-void ERR_print_errors_fp(FILE *fp)
+static int print_bio(const char *str, size_t len, void *bp)
 {
-    BIO *bio = BIO_new_fp(fp, BIO_NOCLOSE);
-    if (bio == NULL)
-        return;
+    return BIO_write((BIO *)bp, str, len);
+}
 
-    ERR_print_errors_cb(print_bio, bio);
-    BIO_free(bio);
+void ERR_print_errors(BIO *bp)
+{
+    ERR_print_errors_cb(print_bio, bp);
 }
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_b64.c b/Cryptlib/OpenSSL/crypto/evp/bio_b64.c
index 32a884a7..538b5202 100644
--- a/Cryptlib/OpenSSL/crypto/evp/bio_b64.c
+++ b/Cryptlib/OpenSSL/crypto/evp/bio_b64.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/bio_b64.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
-#include "internal/bio.h"
 
 static int b64_write(BIO *h, const char *buf, int num);
 static int b64_read(BIO *h, char *buf, int size);
@@ -41,12 +89,12 @@ typedef struct b64_struct {
     int encode;
     int start;                  /* have we started decoding yet? */
     int cont;                   /* <= 0 when finished */
-    EVP_ENCODE_CTX *base64;
+    EVP_ENCODE_CTX base64;
     char buf[EVP_ENCODE_LENGTH(B64_BLOCK_SIZE) + 10];
     char tmp[B64_BLOCK_SIZE];
 } BIO_B64_CTX;
 
-static const BIO_METHOD methods_b64 = {
+static BIO_METHOD methods_b64 = {
     BIO_TYPE_BASE64, "base64 encoding",
     b64_write,
     b64_read,
@@ -58,50 +106,43 @@ static const BIO_METHOD methods_b64 = {
     b64_callback_ctrl,
 };
 
-
-const BIO_METHOD *BIO_f_base64(void)
+BIO_METHOD *BIO_f_base64(void)
 {
-    return &methods_b64;
+    return (&methods_b64);
 }
 
 static int b64_new(BIO *bi)
 {
     BIO_B64_CTX *ctx;
 
-    ctx = OPENSSL_zalloc(sizeof(*ctx));
+    ctx = (BIO_B64_CTX *)OPENSSL_malloc(sizeof(BIO_B64_CTX));
     if (ctx == NULL)
-        return 0;
+        return (0);
 
+    ctx->buf_len = 0;
+    ctx->tmp_len = 0;
+    ctx->tmp_nl = 0;
+    ctx->buf_off = 0;
     ctx->cont = 1;
     ctx->start = 1;
-    ctx->base64 = EVP_ENCODE_CTX_new();
-    if (ctx->base64 == NULL) {
-        OPENSSL_free(ctx);
-        return 0;
-    }
-
-    BIO_set_data(bi, ctx);
-    BIO_set_init(bi, 1);
+    ctx->encode = 0;
 
-    return 1;
+    bi->init = 1;
+    bi->ptr = (char *)ctx;
+    bi->flags = 0;
+    bi->num = 0;
+    return (1);
 }
 
 static int b64_free(BIO *a)
 {
-    BIO_B64_CTX *ctx;
     if (a == NULL)
-        return 0;
-
-    ctx = BIO_get_data(a);
-    if (ctx == NULL)
-        return 0;
-
-    EVP_ENCODE_CTX_free(ctx->base64);
-    OPENSSL_free(ctx);
-    BIO_set_data(a, NULL);
-    BIO_set_init(a, 0);
-
-    return 1;
+        return (0);
+    OPENSSL_free(a->ptr);
+    a->ptr = NULL;
+    a->init = 0;
+    a->flags = 0;
+    return (1);
 }
 
 static int b64_read(BIO *b, char *out, int outl)
@@ -109,15 +150,13 @@ static int b64_read(BIO *b, char *out, int outl)
     int ret = 0, i, ii, j, k, x, n, num, ret_code = 0;
     BIO_B64_CTX *ctx;
     unsigned char *p, *q;
-    BIO *next;
 
     if (out == NULL)
         return (0);
-    ctx = (BIO_B64_CTX *)BIO_get_data(b);
+    ctx = (BIO_B64_CTX *)b->ptr;
 
-    next = BIO_next(b);
-    if ((ctx == NULL) || (next == NULL))
-        return 0;
+    if ((ctx == NULL) || (b->next_bio == NULL))
+        return (0);
 
     BIO_clear_retry_flags(b);
 
@@ -126,7 +165,7 @@ static int b64_read(BIO *b, char *out, int outl)
         ctx->buf_len = 0;
         ctx->buf_off = 0;
         ctx->tmp_len = 0;
-        EVP_DecodeInit(ctx->base64);
+        EVP_DecodeInit(&(ctx->base64));
     }
 
     /* First check if there are bytes decoded/encoded */
@@ -157,14 +196,14 @@ static int b64_read(BIO *b, char *out, int outl)
         if (ctx->cont <= 0)
             break;
 
-        i = BIO_read(next, &(ctx->tmp[ctx->tmp_len]),
+        i = BIO_read(b->next_bio, &(ctx->tmp[ctx->tmp_len]),
                      B64_BLOCK_SIZE - ctx->tmp_len);
 
         if (i <= 0) {
             ret_code = i;
 
             /* Should we continue next time we are called? */
-            if (!BIO_should_retry(next)) {
+            if (!BIO_should_retry(b->next_bio)) {
                 ctx->cont = i;
                 /* If buffer empty break */
                 if (ctx->tmp_len == 0)
@@ -205,11 +244,11 @@ static int b64_read(BIO *b, char *out, int outl)
                     continue;
                 }
 
-                k = EVP_DecodeUpdate(ctx->base64,
+                k = EVP_DecodeUpdate(&(ctx->base64),
                                      (unsigned char *)ctx->buf,
                                      &num, p, q - p);
                 if ((k <= 0) && (num == 0) && (ctx->start))
-                    EVP_DecodeInit(ctx->base64);
+                    EVP_DecodeInit(&ctx->base64);
                 else {
                     if (p != (unsigned char *)
                         &(ctx->tmp[0])) {
@@ -218,7 +257,7 @@ static int b64_read(BIO *b, char *out, int outl)
                         for (x = 0; x < i; x++)
                             ctx->tmp[x] = p[x];
                     }
-                    EVP_DecodeInit(ctx->base64);
+                    EVP_DecodeInit(&ctx->base64);
                     ctx->start = 0;
                     break;
                 }
@@ -259,7 +298,11 @@ static int b64_read(BIO *b, char *out, int outl)
         if (BIO_get_flags(b) & BIO_FLAGS_BASE64_NO_NL) {
             int z, jj;
 
+#if 0
+            jj = (i >> 2) << 2;
+#else
             jj = i & ~3;        /* process per 4 */
+#endif
             z = EVP_DecodeBlock((unsigned char *)ctx->buf,
                                 (unsigned char *)ctx->tmp, jj);
             if (jj > 2) {
@@ -282,7 +325,7 @@ static int b64_read(BIO *b, char *out, int outl)
             }
             i = z;
         } else {
-            i = EVP_DecodeUpdate(ctx->base64,
+            i = EVP_DecodeUpdate(&(ctx->base64),
                                  (unsigned char *)ctx->buf, &ctx->buf_len,
                                  (unsigned char *)ctx->tmp, i);
             ctx->tmp_len = 0;
@@ -320,13 +363,8 @@ static int b64_write(BIO *b, const char *in, int inl)
     int n;
     int i;
     BIO_B64_CTX *ctx;
-    BIO *next;
-
-    ctx = (BIO_B64_CTX *)BIO_get_data(b);
-    next = BIO_next(b);
-    if ((ctx == NULL) || (next == NULL))
-        return 0;
 
+    ctx = (BIO_B64_CTX *)b->ptr;
     BIO_clear_retry_flags(b);
 
     if (ctx->encode != B64_ENCODE) {
@@ -334,7 +372,7 @@ static int b64_write(BIO *b, const char *in, int inl)
         ctx->buf_len = 0;
         ctx->buf_off = 0;
         ctx->tmp_len = 0;
-        EVP_EncodeInit(ctx->base64);
+        EVP_EncodeInit(&(ctx->base64));
     }
 
     OPENSSL_assert(ctx->buf_off < (int)sizeof(ctx->buf));
@@ -342,7 +380,7 @@ static int b64_write(BIO *b, const char *in, int inl)
     OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
     n = ctx->buf_len - ctx->buf_off;
     while (n > 0) {
-        i = BIO_write(next, &(ctx->buf[ctx->buf_off]), n);
+        i = BIO_write(b->next_bio, &(ctx->buf[ctx->buf_off]), n);
         if (i <= 0) {
             BIO_copy_next_retry(b);
             return (i);
@@ -403,10 +441,9 @@ static int b64_write(BIO *b, const char *in, int inl)
                 ret += n;
             }
         } else {
-            if (!EVP_EncodeUpdate(ctx->base64,
-                                 (unsigned char *)ctx->buf, &ctx->buf_len,
-                                 (unsigned char *)in, n))
-                return ((ret == 0) ? -1 : ret);
+            EVP_EncodeUpdate(&(ctx->base64),
+                             (unsigned char *)ctx->buf, &ctx->buf_len,
+                             (unsigned char *)in, n);
             OPENSSL_assert(ctx->buf_len <= (int)sizeof(ctx->buf));
             OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
             ret += n;
@@ -417,7 +454,7 @@ static int b64_write(BIO *b, const char *in, int inl)
         ctx->buf_off = 0;
         n = ctx->buf_len;
         while (n > 0) {
-            i = BIO_write(next, &(ctx->buf[ctx->buf_off]), n);
+            i = BIO_write(b->next_bio, &(ctx->buf[ctx->buf_off]), n);
             if (i <= 0) {
                 BIO_copy_next_retry(b);
                 return ((ret == 0) ? i : ret);
@@ -439,40 +476,36 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
     BIO_B64_CTX *ctx;
     long ret = 1;
     int i;
-    BIO *next;
 
-    ctx = (BIO_B64_CTX *)BIO_get_data(b);
-    next = BIO_next(b);
-    if ((ctx == NULL) || (next == NULL))
-        return 0;
+    ctx = (BIO_B64_CTX *)b->ptr;
 
     switch (cmd) {
     case BIO_CTRL_RESET:
         ctx->cont = 1;
         ctx->start = 1;
         ctx->encode = B64_NONE;
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_EOF:         /* More to read */
         if (ctx->cont <= 0)
             ret = 1;
         else
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_WPENDING:    /* More to write in buffer */
         OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
         ret = ctx->buf_len - ctx->buf_off;
         if ((ret == 0) && (ctx->encode != B64_NONE)
-            && (EVP_ENCODE_CTX_num(ctx->base64) != 0))
+            && (ctx->base64.num != 0))
             ret = 1;
         else if (ret <= 0)
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_PENDING:     /* More to read in buffer */
         OPENSSL_assert(ctx->buf_len >= ctx->buf_off);
         ret = ctx->buf_len - ctx->buf_off;
         if (ret <= 0)
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_FLUSH:
         /* do a final write */
@@ -491,21 +524,20 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
                 ctx->tmp_len = 0;
                 goto again;
             }
-        } else if (ctx->encode != B64_NONE
-                   && EVP_ENCODE_CTX_num(ctx->base64) != 0) {
+        } else if (ctx->encode != B64_NONE && ctx->base64.num != 0) {
             ctx->buf_off = 0;
-            EVP_EncodeFinal(ctx->base64,
+            EVP_EncodeFinal(&(ctx->base64),
                             (unsigned char *)ctx->buf, &(ctx->buf_len));
             /* push out the bytes */
             goto again;
         }
         /* Finally flush the underlying BIO */
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
 
     case BIO_C_DO_STATE_MACHINE:
         BIO_clear_retry_flags(b);
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         BIO_copy_next_retry(b);
         break;
 
@@ -515,22 +547,21 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_CTRL_GET:
     case BIO_CTRL_SET:
     default:
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     }
-    return ret;
+    return (ret);
 }
 
 static long b64_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 {
     long ret = 1;
-    BIO *next = BIO_next(b);
 
-    if (next == NULL)
-        return 0;
+    if (b->next_bio == NULL)
+        return (0);
     switch (cmd) {
     default:
-        ret = BIO_callback_ctrl(next, cmd, fp);
+        ret = BIO_callback_ctrl(b->next_bio, cmd, fp);
         break;
     }
     return (ret);
diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_enc.c b/Cryptlib/OpenSSL/crypto/evp/bio_enc.c
index 5a3beef9..0806f233 100644
--- a/Cryptlib/OpenSSL/crypto/evp/bio_enc.c
+++ b/Cryptlib/OpenSSL/crypto/evp/bio_enc.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/bio_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
-#include "internal/bio.h"
 
 static int enc_write(BIO *h, const char *buf, int num);
 static int enc_read(BIO *h, char *buf, int size);
@@ -27,8 +75,7 @@ static int enc_new(BIO *h);
 static int enc_free(BIO *data);
 static long enc_callback_ctrl(BIO *h, int cmd, bio_info_cb *fps);
 #define ENC_BLOCK_SIZE  (1024*4)
-#define ENC_MIN_CHUNK   (256)
-#define BUF_OFFSET      (ENC_MIN_CHUNK + EVP_MAX_BLOCK_LENGTH)
+#define BUF_OFFSET      (EVP_MAX_BLOCK_LENGTH*2)
 
 typedef struct enc_struct {
     int buf_len;
@@ -36,16 +83,15 @@ typedef struct enc_struct {
     int cont;                   /* <= 0 when finished */
     int finished;
     int ok;                     /* bad decrypt */
-    EVP_CIPHER_CTX *cipher;
-    unsigned char *read_start, *read_end;
+    EVP_CIPHER_CTX cipher;
     /*
      * buf is larger than ENC_BLOCK_SIZE because EVP_DecryptUpdate can return
      * up to a block more data than is presented to it
      */
-    unsigned char buf[BUF_OFFSET + ENC_BLOCK_SIZE];
+    char buf[ENC_BLOCK_SIZE + BUF_OFFSET + 2];
 } BIO_ENC_CTX;
 
-static const BIO_METHOD methods_enc = {
+static BIO_METHOD methods_enc = {
     BIO_TYPE_CIPHER, "cipher",
     enc_write,
     enc_read,
@@ -57,7 +103,7 @@ static const BIO_METHOD methods_enc = {
     enc_callback_ctrl,
 };
 
-const BIO_METHOD *BIO_f_cipher(void)
+BIO_METHOD *BIO_f_cipher(void)
 {
     return (&methods_enc);
 }
@@ -66,22 +112,21 @@ static int enc_new(BIO *bi)
 {
     BIO_ENC_CTX *ctx;
 
-    ctx = OPENSSL_zalloc(sizeof(*ctx));
+    ctx = (BIO_ENC_CTX *)OPENSSL_malloc(sizeof(BIO_ENC_CTX));
     if (ctx == NULL)
-        return 0;
+        return (0);
+    EVP_CIPHER_CTX_init(&ctx->cipher);
 
-    ctx->cipher = EVP_CIPHER_CTX_new();
-    if (ctx->cipher == NULL) {
-        OPENSSL_free(ctx);
-        return 0;
-    }
+    ctx->buf_len = 0;
+    ctx->buf_off = 0;
     ctx->cont = 1;
+    ctx->finished = 0;
     ctx->ok = 1;
-    ctx->read_end = ctx->read_start = &(ctx->buf[BUF_OFFSET]);
-    BIO_set_data(bi, ctx);
-    BIO_set_init(bi, 1);
 
-    return 1;
+    bi->init = 0;
+    bi->ptr = (char *)ctx;
+    bi->flags = 0;
+    return (1);
 }
 
 static int enc_free(BIO *a)
@@ -89,33 +134,28 @@ static int enc_free(BIO *a)
     BIO_ENC_CTX *b;
 
     if (a == NULL)
-        return 0;
-
-    b = BIO_get_data(a);
-    if (b == NULL)
-        return 0;
-
-    EVP_CIPHER_CTX_free(b->cipher);
-    OPENSSL_clear_free(b, sizeof(BIO_ENC_CTX));
-    BIO_set_data(a, NULL);
-    BIO_set_init(a, 0);
-
-    return 1;
+        return (0);
+    b = (BIO_ENC_CTX *)a->ptr;
+    EVP_CIPHER_CTX_cleanup(&(b->cipher));
+    OPENSSL_cleanse(a->ptr, sizeof(BIO_ENC_CTX));
+    OPENSSL_free(a->ptr);
+    a->ptr = NULL;
+    a->init = 0;
+    a->flags = 0;
+    return (1);
 }
 
 static int enc_read(BIO *b, char *out, int outl)
 {
-    int ret = 0, i, blocksize;
+    int ret = 0, i;
     BIO_ENC_CTX *ctx;
-    BIO *next;
 
     if (out == NULL)
         return (0);
-    ctx = BIO_get_data(b);
+    ctx = (BIO_ENC_CTX *)b->ptr;
 
-    next = BIO_next(b);
-    if ((ctx == NULL) || (next == NULL))
-        return 0;
+    if ((ctx == NULL) || (b->next_bio == NULL))
+        return (0);
 
     /* First check if there are bytes decoded/encoded */
     if (ctx->buf_len > 0) {
@@ -133,10 +173,6 @@ static int enc_read(BIO *b, char *out, int outl)
         }
     }
 
-    blocksize = EVP_CIPHER_CTX_block_size(ctx->cipher);
-    if (blocksize == 1)
-        blocksize = 0;
-
     /*
      * At this point, we have room of outl bytes and an empty buffer, so we
      * should read in some more.
@@ -146,21 +182,18 @@ static int enc_read(BIO *b, char *out, int outl)
         if (ctx->cont <= 0)
             break;
 
-        if (ctx->read_start == ctx->read_end) { /* time to read more data */
-            ctx->read_end = ctx->read_start = &(ctx->buf[BUF_OFFSET]);
-            i = BIO_read(next, ctx->read_start, ENC_BLOCK_SIZE);
-            if (i > 0)
-                ctx->read_end += i;
-        } else {
-            i = ctx->read_end - ctx->read_start;
-        }
+        /*
+         * read in at IV offset, read the EVP_Cipher documentation about why
+         */
+        i = BIO_read(b->next_bio, &(ctx->buf[BUF_OFFSET]), ENC_BLOCK_SIZE);
 
         if (i <= 0) {
             /* Should be continue next time we are called? */
-            if (!BIO_should_retry(next)) {
+            if (!BIO_should_retry(b->next_bio)) {
                 ctx->cont = i;
-                i = EVP_CipherFinal_ex(ctx->cipher,
-                                       ctx->buf, &(ctx->buf_len));
+                i = EVP_CipherFinal_ex(&(ctx->cipher),
+                                       (unsigned char *)ctx->buf,
+                                       &(ctx->buf_len));
                 ctx->ok = i;
                 ctx->buf_off = 0;
             } else {
@@ -168,40 +201,14 @@ static int enc_read(BIO *b, char *out, int outl)
                 break;
             }
         } else {
-            if (outl > ENC_MIN_CHUNK) {
-                /*
-                 * Depending on flags block cipher decrypt can write
-                 * one extra block and then back off, i.e. output buffer
-                 * has to accommodate extra block...
-                 */
-                int j = outl - blocksize, buf_len;
-
-                if (!EVP_CipherUpdate(ctx->cipher,
-                                      (unsigned char *)out, &buf_len,
-                                      ctx->read_start, i > j ? j : i)) {
-                    BIO_clear_retry_flags(b);
-                    return 0;
-                }
-                ret += buf_len;
-                out += buf_len;
-                outl -= buf_len;
-
-                if ((i -= j) <= 0) {
-                    ctx->read_start = ctx->read_end;
-                    continue;
-                }
-                ctx->read_start += j;
-            }
-            if (i > ENC_MIN_CHUNK)
-                i = ENC_MIN_CHUNK;
-            if (!EVP_CipherUpdate(ctx->cipher,
-                                  ctx->buf, &ctx->buf_len,
-                                  ctx->read_start, i)) {
+            if (!EVP_CipherUpdate(&ctx->cipher,
+                                  (unsigned char *)ctx->buf, &ctx->buf_len,
+                                  (unsigned char *)&(ctx->buf[BUF_OFFSET]),
+                                  i)) {
                 BIO_clear_retry_flags(b);
                 ctx->ok = 0;
                 return 0;
             }
-            ctx->read_start += i;
             ctx->cont = 1;
             /*
              * Note: it is possible for EVP_CipherUpdate to decrypt zero
@@ -235,19 +242,14 @@ static int enc_write(BIO *b, const char *in, int inl)
 {
     int ret = 0, n, i;
     BIO_ENC_CTX *ctx;
-    BIO *next;
-
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
-    if ((ctx == NULL) || (next == NULL))
-        return 0;
 
+    ctx = (BIO_ENC_CTX *)b->ptr;
     ret = inl;
 
     BIO_clear_retry_flags(b);
     n = ctx->buf_len - ctx->buf_off;
     while (n > 0) {
-        i = BIO_write(next, &(ctx->buf[ctx->buf_off]), n);
+        i = BIO_write(b->next_bio, &(ctx->buf[ctx->buf_off]), n);
         if (i <= 0) {
             BIO_copy_next_retry(b);
             return (i);
@@ -263,9 +265,9 @@ static int enc_write(BIO *b, const char *in, int inl)
     ctx->buf_off = 0;
     while (inl > 0) {
         n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
-        if (!EVP_CipherUpdate(ctx->cipher,
-                              ctx->buf, &ctx->buf_len,
-                              (const unsigned char *)in, n)) {
+        if (!EVP_CipherUpdate(&ctx->cipher,
+                              (unsigned char *)ctx->buf, &ctx->buf_len,
+                              (unsigned char *)in, n)) {
             BIO_clear_retry_flags(b);
             ctx->ok = 0;
             return 0;
@@ -276,7 +278,7 @@ static int enc_write(BIO *b, const char *in, int inl)
         ctx->buf_off = 0;
         n = ctx->buf_len;
         while (n > 0) {
-            i = BIO_write(next, &(ctx->buf[ctx->buf_off]), n);
+            i = BIO_write(b->next_bio, &(ctx->buf[ctx->buf_off]), n);
             if (i <= 0) {
                 BIO_copy_next_retry(b);
                 return (ret == inl) ? i : ret - inl;
@@ -298,37 +300,32 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr)
     long ret = 1;
     int i;
     EVP_CIPHER_CTX **c_ctx;
-    BIO *next;
 
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
-    if (ctx == NULL)
-        return 0;
+    ctx = (BIO_ENC_CTX *)b->ptr;
 
     switch (cmd) {
     case BIO_CTRL_RESET:
         ctx->ok = 1;
         ctx->finished = 0;
-        if (!EVP_CipherInit_ex(ctx->cipher, NULL, NULL, NULL, NULL,
-                               EVP_CIPHER_CTX_encrypting(ctx->cipher)))
-            return 0;
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+                          ctx->cipher.encrypt);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_EOF:         /* More to read */
         if (ctx->cont <= 0)
             ret = 1;
         else
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_WPENDING:
         ret = ctx->buf_len - ctx->buf_off;
         if (ret <= 0)
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_PENDING:     /* More to read in buffer */
         ret = ctx->buf_len - ctx->buf_off;
         if (ret <= 0)
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_FLUSH:
         /* do a final write */
@@ -342,7 +339,7 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr)
         if (!ctx->finished) {
             ctx->finished = 1;
             ctx->buf_off = 0;
-            ret = EVP_CipherFinal_ex(ctx->cipher,
+            ret = EVP_CipherFinal_ex(&(ctx->cipher),
                                      (unsigned char *)ctx->buf,
                                      &(ctx->buf_len));
             ctx->ok = (int)ret;
@@ -354,33 +351,31 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr)
         }
 
         /* Finally flush the underlying BIO */
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_C_GET_CIPHER_STATUS:
         ret = (long)ctx->ok;
         break;
     case BIO_C_DO_STATE_MACHINE:
         BIO_clear_retry_flags(b);
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         BIO_copy_next_retry(b);
         break;
     case BIO_C_GET_CIPHER_CTX:
         c_ctx = (EVP_CIPHER_CTX **)ptr;
-        *c_ctx = ctx->cipher;
-        BIO_set_init(b, 1);
+        (*c_ctx) = &(ctx->cipher);
+        b->init = 1;
         break;
     case BIO_CTRL_DUP:
         dbio = (BIO *)ptr;
-        dctx = BIO_get_data(dbio);
-        dctx->cipher = EVP_CIPHER_CTX_new();
-        if (dctx->cipher == NULL)
-            return 0;
-        ret = EVP_CIPHER_CTX_copy(dctx->cipher, ctx->cipher);
+        dctx = (BIO_ENC_CTX *)dbio->ptr;
+        EVP_CIPHER_CTX_init(&dctx->cipher);
+        ret = EVP_CIPHER_CTX_copy(&dctx->cipher, &ctx->cipher);
         if (ret)
-            BIO_set_init(dbio, 1);
+            dbio->init = 1;
         break;
     default:
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     }
     return (ret);
@@ -389,13 +384,12 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr)
 static long enc_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 {
     long ret = 1;
-    BIO *next = BIO_next(b);
 
-    if (next == NULL)
+    if (b->next_bio == NULL)
         return (0);
     switch (cmd) {
     default:
-        ret = BIO_callback_ctrl(next, cmd, fp);
+        ret = BIO_callback_ctrl(b->next_bio, cmd, fp);
         break;
     }
     return (ret);
@@ -421,29 +415,23 @@ EVP_CIPHER_ctx *c;
         }
 */
 
-int BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k,
-                   const unsigned char *i, int e)
+void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k,
+                    const unsigned char *i, int e)
 {
     BIO_ENC_CTX *ctx;
-    long (*callback) (struct bio_st *, int, const char *, int, long, long);
-
-    ctx = BIO_get_data(b);
-    if (ctx == NULL)
-        return 0;
-
-    callback = BIO_get_callback(b);
 
-    if ((callback != NULL) &&
-            (callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e,
-                      0L) <= 0))
-        return 0;
+    if (b == NULL)
+        return;
 
-    BIO_set_init(b, 1);
+    if ((b->callback != NULL) &&
+        (b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 0L) <=
+         0))
+        return;
 
-    if (!EVP_CipherInit_ex(ctx->cipher, c, NULL, k, i, e))
-        return 0;
+    b->init = 1;
+    ctx = (BIO_ENC_CTX *)b->ptr;
+    EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
 
-    if (callback != NULL)
-        return callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
-    return 1;
+    if (b->callback != NULL)
+        b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_md.c b/Cryptlib/OpenSSL/crypto/evp/bio_md.c
index cd968ec2..f0b0c0c0 100644
--- a/Cryptlib/OpenSSL/crypto/evp/bio_md.c
+++ b/Cryptlib/OpenSSL/crypto/evp/bio_md.c
@@ -1,20 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/bio_md.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <errno.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
-#include "internal/evp_int.h"
-#include "evp_locl.h"
-#include "internal/bio.h"
 
 /*
  * BIO_put and BIO_get both add to the digest, BIO_gets returns the digest
@@ -31,7 +77,7 @@ static int md_new(BIO *h);
 static int md_free(BIO *data);
 static long md_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
 
-static const BIO_METHOD methods_md = {
+static BIO_METHOD methods_md = {
     BIO_TYPE_MD, "message digest",
     md_write,
     md_read,
@@ -43,7 +89,7 @@ static const BIO_METHOD methods_md = {
     md_callback_ctrl,
 };
 
-const BIO_METHOD *BIO_f_md(void)
+BIO_METHOD *BIO_f_md(void)
 {
     return (&methods_md);
 }
@@ -52,44 +98,41 @@ static int md_new(BIO *bi)
 {
     EVP_MD_CTX *ctx;
 
-    ctx = EVP_MD_CTX_new();
+    ctx = EVP_MD_CTX_create();
     if (ctx == NULL)
         return (0);
 
-    BIO_set_init(bi, 1);
-    BIO_set_data(bi, ctx);
-
-    return 1;
+    bi->init = 0;
+    bi->ptr = (char *)ctx;
+    bi->flags = 0;
+    return (1);
 }
 
 static int md_free(BIO *a)
 {
     if (a == NULL)
         return (0);
-    EVP_MD_CTX_free(BIO_get_data(a));
-    BIO_set_data(a, NULL);
-    BIO_set_init(a, 0);
-
-    return 1;
+    EVP_MD_CTX_destroy(a->ptr);
+    a->ptr = NULL;
+    a->init = 0;
+    a->flags = 0;
+    return (1);
 }
 
 static int md_read(BIO *b, char *out, int outl)
 {
     int ret = 0;
     EVP_MD_CTX *ctx;
-    BIO *next;
 
     if (out == NULL)
         return (0);
+    ctx = b->ptr;
 
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
-
-    if ((ctx == NULL) || (next == NULL))
+    if ((ctx == NULL) || (b->next_bio == NULL))
         return (0);
 
-    ret = BIO_read(next, out, outl);
-    if (BIO_get_init(b)) {
+    ret = BIO_read(b->next_bio, out, outl);
+    if (b->init) {
         if (ret > 0) {
             if (EVP_DigestUpdate(ctx, (unsigned char *)out,
                                  (unsigned int)ret) <= 0)
@@ -105,17 +148,14 @@ static int md_write(BIO *b, const char *in, int inl)
 {
     int ret = 0;
     EVP_MD_CTX *ctx;
-    BIO *next;
 
     if ((in == NULL) || (inl <= 0))
-        return 0;
-
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
-    if ((ctx != NULL) && (next != NULL))
-        ret = BIO_write(next, in, inl);
+        return (0);
+    ctx = b->ptr;
 
-    if (BIO_get_init(b)) {
+    if ((ctx != NULL) && (b->next_bio != NULL))
+        ret = BIO_write(b->next_bio, in, inl);
+    if (b->init) {
         if (ret > 0) {
             if (!EVP_DigestUpdate(ctx, (const unsigned char *)in,
                                   (unsigned int)ret)) {
@@ -124,11 +164,11 @@ static int md_write(BIO *b, const char *in, int inl)
             }
         }
     }
-    if (next != NULL) {
+    if (b->next_bio != NULL) {
         BIO_clear_retry_flags(b);
         BIO_copy_next_retry(b);
     }
-    return ret;
+    return (ret);
 }
 
 static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
@@ -137,23 +177,21 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
     const EVP_MD **ppmd;
     EVP_MD *md;
     long ret = 1;
-    BIO *dbio, *next;
-
+    BIO *dbio;
 
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
+    ctx = b->ptr;
 
     switch (cmd) {
     case BIO_CTRL_RESET:
-        if (BIO_get_init(b))
+        if (b->init)
             ret = EVP_DigestInit_ex(ctx, ctx->digest, NULL);
         else
             ret = 0;
         if (ret > 0)
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_C_GET_MD:
-        if (BIO_get_init(b)) {
+        if (b->init) {
             ppmd = ptr;
             *ppmd = ctx->digest;
         } else
@@ -162,17 +200,17 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
     case BIO_C_GET_MD_CTX:
         pctx = ptr;
         *pctx = ctx;
-        BIO_set_init(b, 1);
+        b->init = 1;
         break;
     case BIO_C_SET_MD_CTX:
-        if (BIO_get_init(b))
-            BIO_set_data(b, ptr);
+        if (b->init)
+            b->ptr = ptr;
         else
             ret = 0;
         break;
     case BIO_C_DO_STATE_MACHINE:
         BIO_clear_retry_flags(b);
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         BIO_copy_next_retry(b);
         break;
 
@@ -180,17 +218,17 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
         md = ptr;
         ret = EVP_DigestInit_ex(ctx, md, NULL);
         if (ret > 0)
-            BIO_set_init(b, 1);
+            b->init = 1;
         break;
     case BIO_CTRL_DUP:
         dbio = ptr;
-        dctx = BIO_get_data(dbio);
+        dctx = dbio->ptr;
         if (!EVP_MD_CTX_copy_ex(dctx, ctx))
             return 0;
-        BIO_set_init(b, 1);
+        b->init = 1;
         break;
     default:
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     }
     return (ret);
@@ -199,16 +237,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
 static long md_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 {
     long ret = 1;
-    BIO *next;
-
-    next = BIO_next(b);
-
-    if (next == NULL)
-        return 0;
 
+    if (b->next_bio == NULL)
+        return (0);
     switch (cmd) {
     default:
-        ret = BIO_callback_ctrl(next, cmd, fp);
+        ret = BIO_callback_ctrl(b->next_bio, cmd, fp);
         break;
     }
     return (ret);
@@ -219,13 +253,20 @@ static int md_gets(BIO *bp, char *buf, int size)
     EVP_MD_CTX *ctx;
     unsigned int ret;
 
-    ctx = BIO_get_data(bp);
-
+    ctx = bp->ptr;
     if (size < ctx->digest->md_size)
-        return 0;
-
+        return (0);
     if (EVP_DigestFinal_ex(ctx, (unsigned char *)buf, &ret) <= 0)
         return -1;
 
     return ((int)ret);
 }
+
+/*-
+static int md_puts(bp,str)
+BIO *bp;
+char *str;
+        {
+        return(-1);
+        }
+*/
diff --git a/Cryptlib/OpenSSL/crypto/evp/bio_ok.c b/Cryptlib/OpenSSL/crypto/evp/bio_ok.c
index 7974b963..16e151f1 100644
--- a/Cryptlib/OpenSSL/crypto/evp/bio_ok.c
+++ b/Cryptlib/OpenSSL/crypto/evp/bio_ok.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/bio_ok.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /*-
@@ -71,12 +120,11 @@
 #include <stdio.h>
 #include <errno.h>
 #include <assert.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
-#include "internal/bio.h"
+#include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
-#include "internal/evp_int.h"
 
 static int ok_write(BIO *h, const char *buf, int num);
 static int ok_read(BIO *h, char *buf, int size);
@@ -85,10 +133,10 @@ static int ok_new(BIO *h);
 static int ok_free(BIO *data);
 static long ok_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
 
-static __owur int sig_out(BIO *b);
-static __owur int sig_in(BIO *b);
-static __owur int block_out(BIO *b);
-static __owur int block_in(BIO *b);
+static int sig_out(BIO *b);
+static int sig_in(BIO *b);
+static int block_out(BIO *b);
+static int block_in(BIO *b);
 #define OK_BLOCK_SIZE   (1024*4)
 #define OK_BLOCK_BLOCK  4
 #define IOBS            (OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE)
@@ -101,13 +149,13 @@ typedef struct ok_struct {
     size_t buf_off_save;
     int cont;                   /* <= 0 when finished */
     int finished;
-    EVP_MD_CTX *md;
+    EVP_MD_CTX md;
     int blockout;               /* output block is ready */
     int sigio;                  /* must process signature */
     unsigned char buf[IOBS];
 } BIO_OK_CTX;
 
-static const BIO_METHOD methods_ok = {
+static BIO_METHOD methods_ok = {
     BIO_TYPE_CIPHER, "reliable",
     ok_write,
     ok_read,
@@ -119,7 +167,7 @@ static const BIO_METHOD methods_ok = {
     ok_callback_ctrl,
 };
 
-const BIO_METHOD *BIO_f_reliable(void)
+BIO_METHOD *BIO_f_reliable(void)
 {
     return (&methods_ok);
 }
@@ -128,54 +176,51 @@ static int ok_new(BIO *bi)
 {
     BIO_OK_CTX *ctx;
 
-    ctx = OPENSSL_zalloc(sizeof(*ctx));
+    ctx = (BIO_OK_CTX *)OPENSSL_malloc(sizeof(BIO_OK_CTX));
     if (ctx == NULL)
-        return 0;
+        return (0);
 
+    ctx->buf_len = 0;
+    ctx->buf_off = 0;
+    ctx->buf_len_save = 0;
+    ctx->buf_off_save = 0;
     ctx->cont = 1;
+    ctx->finished = 0;
+    ctx->blockout = 0;
     ctx->sigio = 1;
-    ctx->md = EVP_MD_CTX_new();
-    if (ctx->md == NULL) {
-        OPENSSL_free(ctx);
-        return 0;
-    }
-    BIO_set_init(bi, 0);
-    BIO_set_data(bi, ctx);
 
-    return 1;
+    EVP_MD_CTX_init(&ctx->md);
+
+    bi->init = 0;
+    bi->ptr = (char *)ctx;
+    bi->flags = 0;
+    return (1);
 }
 
 static int ok_free(BIO *a)
 {
-    BIO_OK_CTX *ctx;
-
     if (a == NULL)
-        return 0;
-
-    ctx = BIO_get_data(a);
-
-    EVP_MD_CTX_free(ctx->md);
-    OPENSSL_clear_free(ctx, sizeof(BIO_OK_CTX));
-    BIO_set_data(a, NULL);
-    BIO_set_init(a, 0);
-
-    return 1;
+        return (0);
+    EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md);
+    OPENSSL_cleanse(a->ptr, sizeof(BIO_OK_CTX));
+    OPENSSL_free(a->ptr);
+    a->ptr = NULL;
+    a->init = 0;
+    a->flags = 0;
+    return (1);
 }
 
 static int ok_read(BIO *b, char *out, int outl)
 {
     int ret = 0, i, n;
     BIO_OK_CTX *ctx;
-    BIO *next;
 
     if (out == NULL)
-        return 0;
-
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
+        return (0);
+    ctx = (BIO_OK_CTX *)b->ptr;
 
-    if ((ctx == NULL) || (next == NULL) || (BIO_get_init(b) == 0))
-        return 0;
+    if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0))
+        return (0);
 
     while (outl > 0) {
 
@@ -214,7 +259,7 @@ static int ok_read(BIO *b, char *out, int outl)
 
         /* no clean bytes in buffer -- fill it */
         n = IOBS - ctx->buf_len;
-        i = BIO_read(next, &(ctx->buf[ctx->buf_len]), n);
+        i = BIO_read(b->next_bio, &(ctx->buf[ctx->buf_len]), n);
 
         if (i <= 0)
             break;              /* nothing new */
@@ -245,23 +290,21 @@ static int ok_read(BIO *b, char *out, int outl)
 
     BIO_clear_retry_flags(b);
     BIO_copy_next_retry(b);
-    return ret;
+    return (ret);
 }
 
 static int ok_write(BIO *b, const char *in, int inl)
 {
     int ret = 0, n, i;
     BIO_OK_CTX *ctx;
-    BIO *next;
 
     if (inl <= 0)
         return inl;
 
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
+    ctx = (BIO_OK_CTX *)b->ptr;
     ret = inl;
 
-    if ((ctx == NULL) || (next == NULL) || (BIO_get_init(b) == 0))
+    if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0))
         return (0);
 
     if (ctx->sigio && !sig_out(b))
@@ -271,7 +314,7 @@ static int ok_write(BIO *b, const char *in, int inl)
         BIO_clear_retry_flags(b);
         n = ctx->buf_len - ctx->buf_off;
         while (ctx->blockout && n > 0) {
-            i = BIO_write(next, &(ctx->buf[ctx->buf_off]), n);
+            i = BIO_write(b->next_bio, &(ctx->buf[ctx->buf_off]), n);
             if (i <= 0) {
                 BIO_copy_next_retry(b);
                 if (!BIO_should_retry(b))
@@ -295,7 +338,8 @@ static int ok_write(BIO *b, const char *in, int inl)
         n = (inl + ctx->buf_len > OK_BLOCK_SIZE + OK_BLOCK_BLOCK) ?
             (int)(OK_BLOCK_SIZE + OK_BLOCK_BLOCK - ctx->buf_len) : inl;
 
-        memcpy(&ctx->buf[ctx->buf_len], in, n);
+        memcpy((unsigned char *)(&(ctx->buf[ctx->buf_len])),
+               (unsigned char *)in, n);
         ctx->buf_len += n;
         inl -= n;
         in += n;
@@ -320,10 +364,8 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
     const EVP_MD **ppmd;
     long ret = 1;
     int i;
-    BIO *next;
 
-    ctx = BIO_get_data(b);
-    next = BIO_next(b);
+    ctx = b->ptr;
 
     switch (cmd) {
     case BIO_CTRL_RESET:
@@ -335,19 +377,19 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
         ctx->finished = 0;
         ctx->blockout = 0;
         ctx->sigio = 1;
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_EOF:         /* More to read */
         if (ctx->cont <= 0)
             ret = 1;
         else
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_PENDING:     /* More to read in buffer */
     case BIO_CTRL_WPENDING:    /* More to read in buffer */
         ret = ctx->blockout ? ctx->buf_len - ctx->buf_off : 0;
         if (ret <= 0)
-            ret = BIO_ctrl(next, cmd, num, ptr);
+            ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_CTRL_FLUSH:
         /* do a final write */
@@ -368,11 +410,11 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
         ctx->cont = (int)ret;
 
         /* Finally flush the underlying BIO */
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     case BIO_C_DO_STATE_MACHINE:
         BIO_clear_retry_flags(b);
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         BIO_copy_next_retry(b);
         break;
     case BIO_CTRL_INFO:
@@ -380,41 +422,36 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
         break;
     case BIO_C_SET_MD:
         md = ptr;
-        if (!EVP_DigestInit_ex(ctx->md, md, NULL))
+        if (!EVP_DigestInit_ex(&ctx->md, md, NULL))
             return 0;
-        BIO_set_init(b, 1);
+        b->init = 1;
         break;
     case BIO_C_GET_MD:
-        if (BIO_get_init(b)) {
+        if (b->init) {
             ppmd = ptr;
-            *ppmd = EVP_MD_CTX_md(ctx->md);
+            *ppmd = ctx->md.digest;
         } else
             ret = 0;
         break;
     default:
-        ret = BIO_ctrl(next, cmd, num, ptr);
+        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
         break;
     }
-    return ret;
+    return (ret);
 }
 
 static long ok_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 {
     long ret = 1;
-    BIO *next;
-
-    next = BIO_next(b);
-
-    if (next == NULL)
-        return 0;
 
+    if (b->next_bio == NULL)
+        return (0);
     switch (cmd) {
     default:
-        ret = BIO_callback_ctrl(next, cmd, fp);
+        ret = BIO_callback_ctrl(b->next_bio, cmd, fp);
         break;
     }
-
-    return ret;
+    return (ret);
 }
 
 static void longswap(void *_ptr, size_t len)
@@ -441,36 +478,30 @@ static int sig_out(BIO *b)
 {
     BIO_OK_CTX *ctx;
     EVP_MD_CTX *md;
-    const EVP_MD *digest;
-    int md_size;
-    void *md_data;
 
-    ctx = BIO_get_data(b);
-    md = ctx->md;
-    digest = EVP_MD_CTX_md(md);
-    md_size = EVP_MD_size(digest);
-    md_data = EVP_MD_CTX_md_data(md);
+    ctx = b->ptr;
+    md = &ctx->md;
 
-    if (ctx->buf_len + 2 * md_size > OK_BLOCK_SIZE)
+    if (ctx->buf_len + 2 * md->digest->md_size > OK_BLOCK_SIZE)
         return 1;
 
-    if (!EVP_DigestInit_ex(md, digest, NULL))
+    if (!EVP_DigestInit_ex(md, md->digest, NULL))
         goto berr;
     /*
      * FIXME: there's absolutely no guarantee this makes any sense at all,
      * particularly now EVP_MD_CTX has been restructured.
      */
-    if (RAND_bytes(md_data, md_size) <= 0)
+    if (RAND_bytes(md->md_data, md->digest->md_size) <= 0)
         goto berr;
-    memcpy(&(ctx->buf[ctx->buf_len]), md_data, md_size);
-    longswap(&(ctx->buf[ctx->buf_len]), md_size);
-    ctx->buf_len += md_size;
+    memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size);
+    longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
+    ctx->buf_len += md->digest->md_size;
 
     if (!EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)))
         goto berr;
     if (!EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL))
         goto berr;
-    ctx->buf_len += md_size;
+    ctx->buf_len += md->digest->md_size;
     ctx->blockout = 1;
     ctx->sigio = 0;
     return 1;
@@ -485,31 +516,25 @@ static int sig_in(BIO *b)
     EVP_MD_CTX *md;
     unsigned char tmp[EVP_MAX_MD_SIZE];
     int ret = 0;
-    const EVP_MD *digest;
-    int md_size;
-    void *md_data;
 
-    ctx = BIO_get_data(b);
-    md = ctx->md;
-    digest = EVP_MD_CTX_md(md);
-    md_size = EVP_MD_size(digest);
-    md_data = EVP_MD_CTX_md_data(md);
+    ctx = b->ptr;
+    md = &ctx->md;
 
-    if ((int)(ctx->buf_len - ctx->buf_off) < 2 * md_size)
+    if ((int)(ctx->buf_len - ctx->buf_off) < 2 * md->digest->md_size)
         return 1;
 
-    if (!EVP_DigestInit_ex(md, digest, NULL))
+    if (!EVP_DigestInit_ex(md, md->digest, NULL))
         goto berr;
-    memcpy(md_data, &(ctx->buf[ctx->buf_off]), md_size);
-    longswap(md_data, md_size);
-    ctx->buf_off += md_size;
+    memcpy(md->md_data, &(ctx->buf[ctx->buf_off]), md->digest->md_size);
+    longswap(md->md_data, md->digest->md_size);
+    ctx->buf_off += md->digest->md_size;
 
     if (!EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)))
         goto berr;
     if (!EVP_DigestFinal_ex(md, tmp, NULL))
         goto berr;
-    ret = memcmp(&(ctx->buf[ctx->buf_off]), tmp, md_size) == 0;
-    ctx->buf_off += md_size;
+    ret = memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0;
+    ctx->buf_off += md->digest->md_size;
     if (ret == 1) {
         ctx->sigio = 0;
         if (ctx->buf_len != ctx->buf_off) {
@@ -532,13 +557,9 @@ static int block_out(BIO *b)
     BIO_OK_CTX *ctx;
     EVP_MD_CTX *md;
     unsigned long tl;
-    const EVP_MD *digest;
-    int md_size;
 
-    ctx = BIO_get_data(b);
-    md = ctx->md;
-    digest = EVP_MD_CTX_md(md);
-    md_size = EVP_MD_size(digest);
+    ctx = b->ptr;
+    md = &ctx->md;
 
     tl = ctx->buf_len - OK_BLOCK_BLOCK;
     ctx->buf[0] = (unsigned char)(tl >> 24);
@@ -550,7 +571,7 @@ static int block_out(BIO *b)
         goto berr;
     if (!EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL))
         goto berr;
-    ctx->buf_len += md_size;
+    ctx->buf_len += md->digest->md_size;
     ctx->blockout = 1;
     return 1;
  berr:
@@ -564,11 +585,9 @@ static int block_in(BIO *b)
     EVP_MD_CTX *md;
     unsigned long tl = 0;
     unsigned char tmp[EVP_MAX_MD_SIZE];
-    int md_size;
 
-    ctx = BIO_get_data(b);
-    md = ctx->md;
-    md_size = EVP_MD_size(EVP_MD_CTX_md(md));
+    ctx = b->ptr;
+    md = &ctx->md;
 
     assert(sizeof(tl) >= OK_BLOCK_BLOCK); /* always true */
     tl = ctx->buf[0];
@@ -579,7 +598,7 @@ static int block_in(BIO *b)
     tl <<= 8;
     tl |= ctx->buf[3];
 
-    if (ctx->buf_len < tl + OK_BLOCK_BLOCK + md_size)
+    if (ctx->buf_len < tl + OK_BLOCK_BLOCK + md->digest->md_size)
         return 1;
 
     if (!EVP_DigestUpdate(md,
@@ -587,9 +606,10 @@ static int block_in(BIO *b)
         goto berr;
     if (!EVP_DigestFinal_ex(md, tmp, NULL))
         goto berr;
-    if (memcmp(&(ctx->buf[tl + OK_BLOCK_BLOCK]), tmp, md_size) == 0) {
+    if (memcmp(&(ctx->buf[tl + OK_BLOCK_BLOCK]), tmp, md->digest->md_size) ==
+        0) {
         /* there might be parts from next block lurking around ! */
-        ctx->buf_off_save = tl + OK_BLOCK_BLOCK + md_size;
+        ctx->buf_off_save = tl + OK_BLOCK_BLOCK + md->digest->md_size;
         ctx->buf_len_save = ctx->buf_len;
         ctx->buf_off = OK_BLOCK_BLOCK;
         ctx->buf_len = tl + OK_BLOCK_BLOCK;
diff --git a/Cryptlib/OpenSSL/crypto/evp/c_all.c b/Cryptlib/OpenSSL/crypto/evp/c_all.c
new file mode 100644
index 00000000..719e34d2
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/evp/c_all.c
@@ -0,0 +1,85 @@
+/* crypto/evp/c_all.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#if 0
+# undef OpenSSL_add_all_algorithms
+
+void OpenSSL_add_all_algorithms(void)
+{
+    OPENSSL_add_all_algorithms_noconf();
+}
+#endif
+
+void OPENSSL_add_all_algorithms_noconf(void)
+{
+    /*
+     * For the moment OPENSSL_cpuid_setup does something
+     * only on IA-32, but we reserve the option for all
+     * platforms...
+     */
+    OPENSSL_cpuid_setup();
+    OpenSSL_add_all_ciphers();
+    OpenSSL_add_all_digests();
+}
diff --git a/Cryptlib/OpenSSL/crypto/evp/c_allc.c b/Cryptlib/OpenSSL/crypto/evp/c_allc.c
index 6ed31edb..280e5840 100644
--- a/Cryptlib/OpenSSL/crypto/evp/c_allc.c
+++ b/Cryptlib/OpenSSL/crypto/evp/c_allc.c
@@ -1,20 +1,68 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/c_allc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
-#include <internal/evp_int.h>
 #include <openssl/pkcs12.h>
 #include <openssl/objects.h>
 
-void openssl_add_all_ciphers_int(void)
+void OpenSSL_add_all_ciphers(void)
 {
 
 #ifndef OPENSSL_NO_DES
@@ -44,13 +92,8 @@ void openssl_add_all_ciphers_int(void)
 
     EVP_add_cipher(EVP_des_ecb());
     EVP_add_cipher(EVP_des_ede());
-    EVP_add_cipher_alias(SN_des_ede_ecb, "DES-EDE-ECB");
-    EVP_add_cipher_alias(SN_des_ede_ecb, "des-ede-ecb");
     EVP_add_cipher(EVP_des_ede3());
-    EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
-    EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
     EVP_add_cipher(EVP_des_ede3_wrap());
-    EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
 #endif
 
 #ifndef OPENSSL_NO_RC4
@@ -88,9 +131,6 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_rc2_64_cbc());
     EVP_add_cipher_alias(SN_rc2_cbc, "RC2");
     EVP_add_cipher_alias(SN_rc2_cbc, "rc2");
-    EVP_add_cipher_alias(SN_rc2_cbc, "rc2-128");
-    EVP_add_cipher_alias(SN_rc2_64_cbc, "rc2-64");
-    EVP_add_cipher_alias(SN_rc2_40_cbc, "rc2-40");
 #endif
 
 #ifndef OPENSSL_NO_BF
@@ -123,6 +163,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher_alias(SN_rc5_cbc, "RC5");
 #endif
 
+#ifndef OPENSSL_NO_AES
     EVP_add_cipher(EVP_aes_128_ecb());
     EVP_add_cipher(EVP_aes_128_cbc());
     EVP_add_cipher(EVP_aes_128_cfb());
@@ -131,14 +172,9 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_128_ofb());
     EVP_add_cipher(EVP_aes_128_ctr());
     EVP_add_cipher(EVP_aes_128_gcm());
-#ifndef OPENSSL_NO_OCB
-    EVP_add_cipher(EVP_aes_128_ocb());
-#endif
     EVP_add_cipher(EVP_aes_128_xts());
     EVP_add_cipher(EVP_aes_128_ccm());
     EVP_add_cipher(EVP_aes_128_wrap());
-    EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
-    EVP_add_cipher(EVP_aes_128_wrap_pad());
     EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
     EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
     EVP_add_cipher(EVP_aes_192_ecb());
@@ -149,13 +185,8 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_192_ofb());
     EVP_add_cipher(EVP_aes_192_ctr());
     EVP_add_cipher(EVP_aes_192_gcm());
-#ifndef OPENSSL_NO_OCB
-    EVP_add_cipher(EVP_aes_192_ocb());
-#endif
     EVP_add_cipher(EVP_aes_192_ccm());
     EVP_add_cipher(EVP_aes_192_wrap());
-    EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
-    EVP_add_cipher(EVP_aes_192_wrap_pad());
     EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
     EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
     EVP_add_cipher(EVP_aes_256_ecb());
@@ -166,20 +197,20 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_aes_256_ofb());
     EVP_add_cipher(EVP_aes_256_ctr());
     EVP_add_cipher(EVP_aes_256_gcm());
-#ifndef OPENSSL_NO_OCB
-    EVP_add_cipher(EVP_aes_256_ocb());
-#endif
     EVP_add_cipher(EVP_aes_256_xts());
     EVP_add_cipher(EVP_aes_256_ccm());
     EVP_add_cipher(EVP_aes_256_wrap());
-    EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
-    EVP_add_cipher(EVP_aes_256_wrap_pad());
     EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
     EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
     EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
+# endif
+# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
     EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256());
+# endif
+#endif
 
 #ifndef OPENSSL_NO_CAMELLIA
     EVP_add_cipher(EVP_camellia_128_ecb());
@@ -206,15 +237,5 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_camellia_256_ofb());
     EVP_add_cipher_alias(SN_camellia_256_cbc, "CAMELLIA256");
     EVP_add_cipher_alias(SN_camellia_256_cbc, "camellia256");
-    EVP_add_cipher(EVP_camellia_128_ctr());
-    EVP_add_cipher(EVP_camellia_192_ctr());
-    EVP_add_cipher(EVP_camellia_256_ctr());
-#endif
-
-#ifndef OPENSSL_NO_CHACHA
-    EVP_add_cipher(EVP_chacha20());
-# ifndef OPENSSL_NO_POLY1305
-    EVP_add_cipher(EVP_chacha20_poly1305());
-# endif
 #endif
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/c_alld.c b/Cryptlib/OpenSSL/crypto/evp/c_alld.c
index ec79734e..fdbe3ee0 100644
--- a/Cryptlib/OpenSSL/crypto/evp/c_alld.c
+++ b/Cryptlib/OpenSSL/crypto/evp/c_alld.c
@@ -1,49 +1,114 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/c_alld.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
-#include <internal/evp_int.h>
 #include <openssl/pkcs12.h>
 #include <openssl/objects.h>
 
-void openssl_add_all_digests_int(void)
+void OpenSSL_add_all_digests(void)
 {
 #ifndef OPENSSL_NO_MD4
     EVP_add_digest(EVP_md4());
 #endif
 #ifndef OPENSSL_NO_MD5
     EVP_add_digest(EVP_md5());
+    EVP_add_digest_alias(SN_md5, "ssl2-md5");
     EVP_add_digest_alias(SN_md5, "ssl3-md5");
-    EVP_add_digest(EVP_md5_sha1());
 #endif
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
+    EVP_add_digest(EVP_sha());
+# ifndef OPENSSL_NO_DSA
+    EVP_add_digest(EVP_dss());
+# endif
+#endif
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
     EVP_add_digest(EVP_sha1());
     EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
     EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+# ifndef OPENSSL_NO_DSA
+    EVP_add_digest(EVP_dss1());
+    EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
+    EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
+    EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
+# endif
+# ifndef OPENSSL_NO_ECDSA
+    EVP_add_digest(EVP_ecdsa());
+# endif
+#endif
 #if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
     EVP_add_digest(EVP_mdc2());
 #endif
-#ifndef OPENSSL_NO_RMD160
+#ifndef OPENSSL_NO_RIPEMD
     EVP_add_digest(EVP_ripemd160());
     EVP_add_digest_alias(SN_ripemd160, "ripemd");
     EVP_add_digest_alias(SN_ripemd160, "rmd160");
 #endif
+#ifndef OPENSSL_NO_SHA256
     EVP_add_digest(EVP_sha224());
     EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
     EVP_add_digest(EVP_sha384());
     EVP_add_digest(EVP_sha512());
+#endif
 #ifndef OPENSSL_NO_WHIRLPOOL
     EVP_add_digest(EVP_whirlpool());
 #endif
-#ifndef OPENSSL_NO_BLAKE2
-    EVP_add_digest(EVP_blake2b512());
-    EVP_add_digest(EVP_blake2s256());
-#endif
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/cmeth_lib.c b/Cryptlib/OpenSSL/crypto/evp/cmeth_lib.c
deleted file mode 100644
index e2295c4d..00000000
--- a/Cryptlib/OpenSSL/crypto/evp/cmeth_lib.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-
-#include <openssl/evp.h>
-#include "internal/evp_int.h"
-#include "evp_locl.h"
-
-EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len)
-{
-    EVP_CIPHER *cipher = OPENSSL_zalloc(sizeof(EVP_CIPHER));
-
-    if (cipher != NULL) {
-        cipher->nid = cipher_type;
-        cipher->block_size = block_size;
-        cipher->key_len = key_len;
-    }
-    return cipher;
-}
-
-EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher)
-{
-    EVP_CIPHER *to = EVP_CIPHER_meth_new(cipher->nid, cipher->block_size,
-                                         cipher->key_len);
-
-    if (to != NULL)
-        memcpy(to, cipher, sizeof(*to));
-    return to;
-}
-
-void EVP_CIPHER_meth_free(EVP_CIPHER *cipher)
-{
-    OPENSSL_free(cipher);
-}
-
-int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len)
-{
-    cipher->iv_len = iv_len;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags)
-{
-    cipher->flags = flags;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_impl_ctx_size(EVP_CIPHER *cipher, int ctx_size)
-{
-    cipher->ctx_size = ctx_size;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher,
-                             int (*init) (EVP_CIPHER_CTX *ctx,
-                                          const unsigned char *key,
-                                          const unsigned char *iv,
-                                          int enc))
-{
-    cipher->init = init;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher,
-                                  int (*do_cipher) (EVP_CIPHER_CTX *ctx,
-                                                    unsigned char *out,
-                                                    const unsigned char *in,
-                                                    size_t inl))
-{
-    cipher->do_cipher = do_cipher;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher,
-                                int (*cleanup) (EVP_CIPHER_CTX *))
-{
-    cipher->cleanup = cleanup;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_set_asn1_params(EVP_CIPHER *cipher,
-                                        int (*set_asn1_parameters) (EVP_CIPHER_CTX *,
-                                                                    ASN1_TYPE *))
-{
-    cipher->set_asn1_parameters = set_asn1_parameters;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_get_asn1_params(EVP_CIPHER *cipher,
-                                        int (*get_asn1_parameters) (EVP_CIPHER_CTX *,
-                                                                    ASN1_TYPE *))
-{
-    cipher->get_asn1_parameters = get_asn1_parameters;
-    return 1;
-}
-
-int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher,
-                             int (*ctrl) (EVP_CIPHER_CTX *, int type,
-                                          int arg, void *ptr))
-{
-    cipher->ctrl = ctrl;
-    return 1;
-}
-
-
-int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
-                                                          const unsigned char *key,
-                                                          const unsigned char *iv,
-                                                          int enc)
-{
-    return cipher->init;
-}
-int (*EVP_CIPHER_meth_get_do_cipher(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
-                                                               unsigned char *out,
-                                                               const unsigned char *in,
-                                                               size_t inl)
-{
-    return cipher->do_cipher;
-}
-
-int (*EVP_CIPHER_meth_get_cleanup(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *)
-{
-    return cipher->cleanup;
-}
-
-int (*EVP_CIPHER_meth_get_set_asn1_params(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
-                                                                     ASN1_TYPE *)
-{
-    return cipher->set_asn1_parameters;
-}
-
-int (*EVP_CIPHER_meth_get_get_asn1_params(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
-                                                               ASN1_TYPE *)
-{
-    return cipher->get_asn1_parameters;
-}
-
-int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
-                                                          int type, int arg,
-                                                          void *ptr)
-{
-    return cipher->ctrl;
-}
-
diff --git a/Cryptlib/OpenSSL/crypto/evp/digest.c b/Cryptlib/OpenSSL/crypto/evp/digest.c
index 65eff7c8..4db17962 100644
--- a/Cryptlib/OpenSSL/crypto/evp/digest.c
+++ b/Cryptlib/OpenSSL/crypto/evp/digest.c
@@ -1,75 +1,173 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/digest.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include <openssl/engine.h>
-#include "internal/evp_int.h"
-#include "evp_locl.h"
-
-/* This call frees resources associated with the context */
-int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
-{
-    if (ctx == NULL)
-        return 1;
-
-    /*
-     * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
-     * sometimes only copies of the context are ever finalised.
-     */
-    if (ctx->digest && ctx->digest->cleanup
-        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
-        ctx->digest->cleanup(ctx);
-    if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
-        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
-        OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-    }
-    EVP_PKEY_CTX_free(ctx->pctx);
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(ctx->engine);
+# include <openssl/engine.h>
 #endif
-    OPENSSL_cleanse(ctx, sizeof(*ctx));
 
-    return 1;
-}
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+# include "evp_locl.h"
+#endif
 
-EVP_MD_CTX *EVP_MD_CTX_new(void)
+void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
 {
-    return OPENSSL_zalloc(sizeof(EVP_MD_CTX));
+    memset(ctx, '\0', sizeof *ctx);
 }
 
-void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+EVP_MD_CTX *EVP_MD_CTX_create(void)
 {
-    EVP_MD_CTX_reset(ctx);
-    OPENSSL_free(ctx);
+    EVP_MD_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
+
+    if (ctx)
+        EVP_MD_CTX_init(ctx);
+
+    return ctx;
 }
 
 int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
 {
-    EVP_MD_CTX_reset(ctx);
+    EVP_MD_CTX_init(ctx);
     return EVP_DigestInit_ex(ctx, type, NULL);
 }
 
 int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 {
     EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+#ifdef OPENSSL_FIPS
+    /* If FIPS mode switch to approved implementation if possible */
+    if (FIPS_mode()) {
+        const EVP_MD *fipsmd;
+        if (type) {
+            fipsmd = evp_get_fips_md(type);
+            if (fipsmd)
+                type = fipsmd;
+        }
+    }
+#endif
 #ifndef OPENSSL_NO_ENGINE
     /*
      * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
      * this context may already have an ENGINE! Try to avoid releasing the
      * previous handle, re-querying for an ENGINE, and having a
-     * reinitialisation, when it may all be unnecessary.
+     * reinitialisation, when it may all be unecessary.
      */
-    if (ctx->engine && ctx->digest &&
-        (type == NULL || (type->type == ctx->digest->type)))
+    if (ctx->engine && ctx->digest && (!type ||
+                                       (type
+                                        && (type->type ==
+                                            ctx->digest->type))))
         goto skip_to_init;
     if (type) {
         /*
@@ -77,21 +175,21 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
          * previous check attempted to avoid this if the same ENGINE and
          * EVP_MD could be used).
          */
-        ENGINE_finish(ctx->engine);
-        if (impl != NULL) {
+        if (ctx->engine)
+            ENGINE_finish(ctx->engine);
+        if (impl) {
             if (!ENGINE_init(impl)) {
                 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
                 return 0;
             }
-        } else {
+        } else
             /* Ask if an ENGINE is reserved for this job */
             impl = ENGINE_get_digest_engine(type->type);
-        }
-        if (impl != NULL) {
+        if (impl) {
             /* There's an ENGINE for this job ... (apparently) */
             const EVP_MD *d = ENGINE_get_digest(impl, type->type);
-
-            if (d == NULL) {
+            if (!d) {
+                /* Same comment from evp_enc.c */
                 EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
                 ENGINE_finish(impl);
                 return 0;
@@ -115,13 +213,13 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 #endif
     if (ctx->digest != type) {
         if (ctx->digest && ctx->digest->ctx_size) {
-            OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
+            OPENSSL_free(ctx->md_data);
             ctx->md_data = NULL;
         }
         ctx->digest = type;
         if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
             ctx->update = type->update;
-            ctx->md_data = OPENSSL_zalloc(type->ctx_size);
+            ctx->md_data = OPENSSL_malloc(type->ctx_size);
             if (ctx->md_data == NULL) {
                 EVPerr(EVP_F_EVP_DIGESTINIT_EX, ERR_R_MALLOC_FAILURE);
                 return 0;
@@ -140,11 +238,24 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
     }
     if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
         return 1;
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode()) {
+        if (FIPS_digestinit(ctx, type))
+            return 1;
+        OPENSSL_free(ctx->md_data);
+        ctx->md_data = NULL;
+        return 0;
+    }
+#endif
     return ctx->digest->init(ctx);
 }
 
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        return FIPS_digestupdate(ctx, data, count);
+#endif
     return ctx->update(ctx, data, count);
 }
 
@@ -153,7 +264,7 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 {
     int ret;
     ret = EVP_DigestFinal_ex(ctx, md, size);
-    EVP_MD_CTX_reset(ctx);
+    EVP_MD_CTX_cleanup(ctx);
     return ret;
 }
 
@@ -161,6 +272,10 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 {
     int ret;
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        return FIPS_digestfinal(ctx, md, size);
+#endif
 
     OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
     ret = ctx->digest->final(ctx, md);
@@ -176,7 +291,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 
 int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
 {
-    EVP_MD_CTX_reset(out);
+    EVP_MD_CTX_init(out);
     return EVP_MD_CTX_copy_ex(out, in);
 }
 
@@ -200,22 +315,15 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
         EVP_MD_CTX_set_flags(out, EVP_MD_CTX_FLAG_REUSE);
     } else
         tmp_buf = NULL;
-    EVP_MD_CTX_reset(out);
-    memcpy(out, in, sizeof(*out));
-
-    /* Null these variables, since they are getting fixed up
-     * properly below.  Anything else may cause a memleak and/or
-     * double free if any of the memory allocations below fail
-     */
-    out->md_data = NULL;
-    out->pctx = NULL;
+    EVP_MD_CTX_cleanup(out);
+    memcpy(out, in, sizeof *out);
 
     if (in->md_data && out->digest->ctx_size) {
         if (tmp_buf)
             out->md_data = tmp_buf;
         else {
             out->md_data = OPENSSL_malloc(out->digest->ctx_size);
-            if (out->md_data == NULL) {
+            if (!out->md_data) {
                 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_MALLOC_FAILURE);
                 return 0;
             }
@@ -228,7 +336,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
     if (in->pctx) {
         out->pctx = EVP_PKEY_CTX_dup(in->pctx);
         if (!out->pctx) {
-            EVP_MD_CTX_reset(out);
+            EVP_MD_CTX_cleanup(out);
             return 0;
         }
     }
@@ -243,27 +351,58 @@ int EVP_Digest(const void *data, size_t count,
                unsigned char *md, unsigned int *size, const EVP_MD *type,
                ENGINE *impl)
 {
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX ctx;
     int ret;
 
-    if (ctx == NULL)
-        return 0;
-    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT);
-    ret = EVP_DigestInit_ex(ctx, type, impl)
-        && EVP_DigestUpdate(ctx, data, count)
-        && EVP_DigestFinal_ex(ctx, md, size);
-    EVP_MD_CTX_free(ctx);
+    EVP_MD_CTX_init(&ctx);
+    EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_ONESHOT);
+    ret = EVP_DigestInit_ex(&ctx, type, impl)
+        && EVP_DigestUpdate(&ctx, data, count)
+        && EVP_DigestFinal_ex(&ctx, md, size);
+    EVP_MD_CTX_cleanup(&ctx);
 
     return ret;
 }
 
-int EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void *p2)
+void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
 {
-    if (ctx->digest && ctx->digest->md_ctrl) {
-        int ret = ctx->digest->md_ctrl(ctx, cmd, p1, p2);
-        if (ret <= 0)
-            return 0;
-        return 1;
+    if (ctx) {
+        EVP_MD_CTX_cleanup(ctx);
+        OPENSSL_free(ctx);
+    }
+}
+
+/* This call frees resources associated with the context */
+int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+{
+#ifndef OPENSSL_FIPS
+    /*
+     * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
+     * sometimes only copies of the context are ever finalised.
+     */
+    if (ctx->digest && ctx->digest->cleanup
+        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
+        ctx->digest->cleanup(ctx);
+    if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
+        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
+        OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
+        OPENSSL_free(ctx->md_data);
     }
-    return 0;
+#endif
+    if (ctx->pctx)
+        EVP_PKEY_CTX_free(ctx->pctx);
+#ifndef OPENSSL_NO_ENGINE
+    if (ctx->engine)
+        /*
+         * The EVP_MD we used belongs to an ENGINE, release the functional
+         * reference we held for this reason.
+         */
+        ENGINE_finish(ctx->engine);
+#endif
+#ifdef OPENSSL_FIPS
+    FIPS_md_ctx_cleanup(ctx);
+#endif
+    memset(ctx, '\0', sizeof *ctx);
+
+    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes.c b/Cryptlib/OpenSSL/crypto/evp/e_aes.c
index 17822f20..7c62d327 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_aes.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_aes.c
@@ -1,23 +1,67 @@
-/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_AES
 #include <openssl/crypto.h>
-#include <openssl/evp.h>
-#include <openssl/err.h>
-#include <string.h>
-#include <assert.h>
-#include <openssl/aes.h>
-#include "internal/evp_int.h"
-#include "modes_lcl.h"
-#include <openssl/rand.h>
-#include "evp_locl.h"
+# include <openssl/evp.h>
+# include <openssl/err.h>
+# include <string.h>
+# include <assert.h>
+# include <openssl/aes.h>
+# include "evp_locl.h"
+# include "modes_lcl.h"
+# include <openssl/rand.h>
+
+# undef EVP_CIPH_FLAG_FIPS
+# define EVP_CIPH_FLAG_FIPS 0
 
 typedef struct {
     union {
@@ -69,38 +113,13 @@ typedef struct {
     int tag_set;                /* Set if tag is valid */
     int len_set;                /* Set if message length set */
     int L, M;                   /* L and M parameters from RFC3610 */
-    int tls_aad_len;            /* TLS AAD length */
     CCM128_CONTEXT ccm;
     ccm128_f str;
 } EVP_AES_CCM_CTX;
 
-#ifndef OPENSSL_NO_OCB
-typedef struct {
-    union {
-        double align;
-        AES_KEY ks;
-    } ksenc;                    /* AES key schedule to use for encryption */
-    union {
-        double align;
-        AES_KEY ks;
-    } ksdec;                    /* AES key schedule to use for decryption */
-    int key_set;                /* Set if key initialised */
-    int iv_set;                 /* Set if an iv is set */
-    OCB128_CONTEXT ocb;
-    unsigned char *iv;          /* Temporary IV store */
-    unsigned char tag[16];
-    unsigned char data_buf[16]; /* Store partial data blocks */
-    unsigned char aad_buf[16];  /* Store partial AAD blocks */
-    int data_buf_len;
-    int aad_buf_len;
-    int ivlen;                  /* IV length */
-    int taglen;
-} EVP_AES_OCB_CTX;
-#endif
-
-#define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
+# define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
 
-#ifdef VPAES_ASM
+# ifdef VPAES_ASM
 int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
                           AES_KEY *key);
 int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
@@ -115,8 +134,8 @@ void vpaes_cbc_encrypt(const unsigned char *in,
                        unsigned char *out,
                        size_t length,
                        const AES_KEY *key, unsigned char *ivec, int enc);
-#endif
-#ifdef BSAES_ASM
+# endif
+# ifdef BSAES_ASM
 void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
                        size_t length, const AES_KEY *key,
                        unsigned char ivec[16], int enc);
@@ -129,55 +148,54 @@ void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
 void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
                        size_t len, const AES_KEY *key1,
                        const AES_KEY *key2, const unsigned char iv[16]);
-#endif
-#ifdef AES_CTR_ASM
+# endif
+# ifdef AES_CTR_ASM
 void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
                        size_t blocks, const AES_KEY *key,
                        const unsigned char ivec[AES_BLOCK_SIZE]);
-#endif
-#ifdef AES_XTS_ASM
-void AES_xts_encrypt(const char *inp, char *out, size_t len,
+# endif
+# ifdef AES_XTS_ASM
+void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
                      const AES_KEY *key1, const AES_KEY *key2,
                      const unsigned char iv[16]);
-void AES_xts_decrypt(const char *inp, char *out, size_t len,
+void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
                      const AES_KEY *key1, const AES_KEY *key2,
                      const unsigned char iv[16]);
-#endif
+# endif
 
-#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
-# include "ppc_arch.h"
-# ifdef VPAES_ASM
-#  define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
+# if     defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
+#  include "ppc_arch.h"
+#  ifdef VPAES_ASM
+#   define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
+#  endif
+#  define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
+#  define HWAES_set_encrypt_key aes_p8_set_encrypt_key
+#  define HWAES_set_decrypt_key aes_p8_set_decrypt_key
+#  define HWAES_encrypt aes_p8_encrypt
+#  define HWAES_decrypt aes_p8_decrypt
+#  define HWAES_cbc_encrypt aes_p8_cbc_encrypt
+#  define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
 # endif
-# define HWAES_CAPABLE  (OPENSSL_ppccap_P & PPC_CRYPTO207)
-# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
-# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
-# define HWAES_encrypt aes_p8_encrypt
-# define HWAES_decrypt aes_p8_decrypt
-# define HWAES_cbc_encrypt aes_p8_cbc_encrypt
-# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
-# define HWAES_xts_encrypt aes_p8_xts_encrypt
-# define HWAES_xts_decrypt aes_p8_xts_decrypt
-#endif
 
-#if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
+# if     defined(AES_ASM) && !defined(I386_ONLY) &&      (  \
         ((defined(__i386)       || defined(__i386__)    || \
           defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
         defined(__x86_64)       || defined(__x86_64__)  || \
-        defined(_M_AMD64)       || defined(_M_X64)      )
+        defined(_M_AMD64)       || defined(_M_X64)      || \
+        defined(__INTEL__)                              )
 
 extern unsigned int OPENSSL_ia32cap_P[];
 
-# ifdef VPAES_ASM
-#  define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
-# endif
-# ifdef BSAES_ASM
-#  define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
-# endif
+#  ifdef VPAES_ASM
+#   define VPAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+#  endif
+#  ifdef BSAES_ASM
+#   define BSAES_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
+#  endif
 /*
  * AES-NI section
  */
-# define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
+#  define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
 
 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
                           AES_KEY *key);
@@ -228,43 +246,41 @@ void aesni_ccm64_decrypt_blocks(const unsigned char *in,
                                 const unsigned char ivec[16],
                                 unsigned char cmac[16]);
 
-# if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
+#  if defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
 size_t aesni_gcm_encrypt(const unsigned char *in,
                          unsigned char *out,
                          size_t len,
                          const void *key, unsigned char ivec[16], u64 *Xi);
-#  define AES_gcm_encrypt aesni_gcm_encrypt
+#   define AES_gcm_encrypt aesni_gcm_encrypt
 size_t aesni_gcm_decrypt(const unsigned char *in,
                          unsigned char *out,
                          size_t len,
                          const void *key, unsigned char ivec[16], u64 *Xi);
-#  define AES_gcm_decrypt aesni_gcm_decrypt
+#   define AES_gcm_decrypt aesni_gcm_decrypt
 void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in,
                    size_t len);
-#  define AES_GCM_ASM(gctx)       (gctx->ctr==aesni_ctr32_encrypt_blocks && \
+#   define AES_GCM_ASM(gctx)       (gctx->ctr==aesni_ctr32_encrypt_blocks && \
                                  gctx->gcm.ghash==gcm_ghash_avx)
-#  define AES_GCM_ASM2(gctx)      (gctx->gcm.block==(block128_f)aesni_encrypt && \
+#   define AES_GCM_ASM2(gctx)      (gctx->gcm.block==(block128_f)aesni_encrypt && \
                                  gctx->gcm.ghash==gcm_ghash_avx)
-#  undef AES_GCM_ASM2          /* minor size optimization */
-# endif
+#   undef AES_GCM_ASM2          /* minor size optimization */
+#  endif
 
 static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                           const unsigned char *iv, int enc)
 {
     int ret, mode;
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
-    mode = EVP_CIPHER_CTX_mode(ctx);
+    mode = ctx->cipher->flags & EVP_CIPH_MODE;
     if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
         && !enc) {
-        ret = aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &dat->ks.ks);
+        ret = aesni_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
         dat->block = (block128_f) aesni_decrypt;
         dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
             (cbc128_f) aesni_cbc_encrypt : NULL;
     } else {
-        ret = aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &dat->ks.ks);
+        ret = aesni_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
         dat->block = (block128_f) aesni_encrypt;
         if (mode == EVP_CIPH_CBC_MODE)
             dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
@@ -285,9 +301,7 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len)
 {
-    aesni_cbc_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
-                      EVP_CIPHER_CTX_iv_noconst(ctx),
-                      EVP_CIPHER_CTX_encrypting(ctx));
+    aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv, ctx->encrypt);
 
     return 1;
 }
@@ -295,46 +309,44 @@ static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len)
 {
-    size_t bl = EVP_CIPHER_CTX_block_size(ctx);
+    size_t bl = ctx->cipher->block_size;
 
     if (len < bl)
         return 1;
 
-    aesni_ecb_encrypt(in, out, len, &EVP_C_DATA(EVP_AES_KEY,ctx)->ks.ks,
-                      EVP_CIPHER_CTX_encrypting(ctx));
+    aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
 
     return 1;
 }
 
-# define aesni_ofb_cipher aes_ofb_cipher
+#  define aesni_ofb_cipher aes_ofb_cipher
 static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len);
 
-# define aesni_cfb_cipher aes_cfb_cipher
+#  define aesni_cfb_cipher aes_cfb_cipher
 static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len);
 
-# define aesni_cfb8_cipher aes_cfb8_cipher
+#  define aesni_cfb8_cipher aes_cfb8_cipher
 static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
-# define aesni_cfb1_cipher aes_cfb1_cipher
+#  define aesni_cfb1_cipher aes_cfb1_cipher
 static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
-# define aesni_ctr_cipher aes_ctr_cipher
+#  define aesni_ctr_cipher aes_ctr_cipher
 static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len);
 
 static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                               const unsigned char *iv, int enc)
 {
-    EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
+    EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
     if (key) {
-        aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                              &gctx->ks.ks);
+        aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
         CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
         gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
         /*
@@ -359,34 +371,31 @@ static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     return 1;
 }
 
-# define aesni_gcm_cipher aes_gcm_cipher
+#  define aesni_gcm_cipher aes_gcm_cipher
 static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len);
 
 static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                               const unsigned char *iv, int enc)
 {
-    EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
+    EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
 
     if (key) {
         /* key_len is two AES keys */
         if (enc) {
-            aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                  &xctx->ks1.ks);
+            aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
             xctx->xts.block1 = (block128_f) aesni_encrypt;
             xctx->stream = aesni_xts_encrypt;
         } else {
-            aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                  &xctx->ks1.ks);
+            aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
             xctx->xts.block1 = (block128_f) aesni_decrypt;
             xctx->stream = aesni_xts_decrypt;
         }
 
-        aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-                              EVP_CIPHER_CTX_key_length(ctx) * 4,
-                              &xctx->ks2.ks);
+        aesni_set_encrypt_key(key + ctx->key_len / 2,
+                              ctx->key_len * 4, &xctx->ks2.ks);
         xctx->xts.block2 = (block128_f) aesni_encrypt;
 
         xctx->xts.key1 = &xctx->ks1;
@@ -394,25 +403,24 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
     if (iv) {
         xctx->xts.key2 = &xctx->ks2;
-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
+        memcpy(ctx->iv, iv, 16);
     }
 
     return 1;
 }
 
-# define aesni_xts_cipher aes_xts_cipher
+#  define aesni_xts_cipher aes_xts_cipher
 static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len);
 
 static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                               const unsigned char *iv, int enc)
 {
-    EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
+    EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
     if (key) {
-        aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                              &cctx->ks.ks);
+        aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
                            &cctx->ks, (block128_f) aesni_encrypt);
         cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
@@ -420,86 +428,17 @@ static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         cctx->key_set = 1;
     }
     if (iv) {
-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
+        memcpy(ctx->iv, iv, 15 - cctx->L);
         cctx->iv_set = 1;
     }
     return 1;
 }
 
-# define aesni_ccm_cipher aes_ccm_cipher
+#  define aesni_ccm_cipher aes_ccm_cipher
 static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t len);
 
-# ifndef OPENSSL_NO_OCB
-void aesni_ocb_encrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-void aesni_ocb_decrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-
-static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                              const unsigned char *iv, int enc)
-{
-    EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
-    if (!iv && !key)
-        return 1;
-    if (key) {
-        do {
-            /*
-             * We set both the encrypt and decrypt key here because decrypt
-             * needs both. We could possibly optimise to remove setting the
-             * decrypt for an encryption operation.
-             */
-            aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                  &octx->ksenc.ks);
-            aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                  &octx->ksdec.ks);
-            if (!CRYPTO_ocb128_init(&octx->ocb,
-                                    &octx->ksenc.ks, &octx->ksdec.ks,
-                                    (block128_f) aesni_encrypt,
-                                    (block128_f) aesni_decrypt,
-                                    enc ? aesni_ocb_encrypt
-                                        : aesni_ocb_decrypt))
-                return 0;
-        }
-        while (0);
-
-        /*
-         * If we have an iv we can set it directly, otherwise use saved IV.
-         */
-        if (iv == NULL && octx->iv_set)
-            iv = octx->iv;
-        if (iv) {
-            if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
-                != 1)
-                return 0;
-            octx->iv_set = 1;
-        }
-        octx->key_set = 1;
-    } else {
-        /* If key set use IV, otherwise copy */
-        if (octx->key_set)
-            CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
-        else
-            memcpy(octx->iv, iv, octx->ivlen);
-        octx->iv_set = 1;
-    }
-    return 1;
-}
-
-#  define aesni_ocb_cipher aes_ocb_cipher
-static int aesni_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                            const unsigned char *in, size_t len);
-# endif                        /* OPENSSL_NO_OCB */
-
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+#  define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
 static const EVP_CIPHER aesni_##keylen##_##mode = { \
         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
         flags|EVP_CIPH_##MODE##_MODE,   \
@@ -520,7 +459,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
 
-# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
+#  define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
 static const EVP_CIPHER aesni_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
@@ -542,24 +481,13 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
 
-#elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
+# elif   defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
 
-# include "sparc_arch.h"
+#  include "sparc_arch.h"
 
 extern unsigned int OPENSSL_sparcv9cap_P[];
 
-/*
- * Initial Fujitsu SPARC64 X support
- */
-# define HWAES_CAPABLE           (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX)
-# define HWAES_set_encrypt_key aes_fx_set_encrypt_key
-# define HWAES_set_decrypt_key aes_fx_set_decrypt_key
-# define HWAES_encrypt aes_fx_encrypt
-# define HWAES_decrypt aes_fx_decrypt
-# define HWAES_cbc_encrypt aes_fx_cbc_encrypt
-# define HWAES_ctr32_encrypt_blocks aes_fx_ctr32_encrypt_blocks
-
-# define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
+#  define SPARC_AES_CAPABLE       (OPENSSL_sparcv9cap_P[1] & CFR_AES)
 
 void aes_t4_set_encrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
 void aes_t4_set_decrypt_key(const unsigned char *key, int bits, AES_KEY *ks);
@@ -576,7 +504,7 @@ void aes_t4_decrypt(const unsigned char *in, unsigned char *out,
  * non-key-length specific routines would require conditional branches
  * either in inner loops or on subroutines' entries. Former is hardly
  * acceptable, while latter means code size increase to size occupied
- * by multiple key-length specific subroutines, so why fight?
+ * by multiple key-length specfic subroutines, so why fight?
  */
 void aes128_t4_cbc_encrypt(const unsigned char *in, unsigned char *out,
                            size_t len, const AES_KEY *key,
@@ -622,14 +550,14 @@ static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                            const unsigned char *iv, int enc)
 {
     int ret, mode, bits;
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
-    mode = EVP_CIPHER_CTX_mode(ctx);
-    bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
+    mode = ctx->cipher->flags & EVP_CIPH_MODE;
+    bits = ctx->key_len * 8;
     if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
         && !enc) {
         ret = 0;
-        aes_t4_set_decrypt_key(key, bits, &dat->ks.ks);
+        aes_t4_set_decrypt_key(key, bits, ctx->cipher_data);
         dat->block = (block128_f) aes_t4_decrypt;
         switch (bits) {
         case 128:
@@ -649,7 +577,7 @@ static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         }
     } else {
         ret = 0;
-        aes_t4_set_encrypt_key(key, bits, &dat->ks.ks);
+        aes_t4_set_encrypt_key(key, bits, ctx->cipher_data);
         dat->block = (block128_f) aes_t4_encrypt;
         switch (bits) {
         case 128:
@@ -689,42 +617,42 @@ static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     return 1;
 }
 
-# define aes_t4_cbc_cipher aes_cbc_cipher
+#  define aes_t4_cbc_cipher aes_cbc_cipher
 static int aes_t4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
-# define aes_t4_ecb_cipher aes_ecb_cipher
+#  define aes_t4_ecb_cipher aes_ecb_cipher
 static int aes_t4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
-# define aes_t4_ofb_cipher aes_ofb_cipher
+#  define aes_t4_ofb_cipher aes_ofb_cipher
 static int aes_t4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
-# define aes_t4_cfb_cipher aes_cfb_cipher
+#  define aes_t4_cfb_cipher aes_cfb_cipher
 static int aes_t4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
-# define aes_t4_cfb8_cipher aes_cfb8_cipher
+#  define aes_t4_cfb8_cipher aes_cfb8_cipher
 static int aes_t4_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, size_t len);
 
-# define aes_t4_cfb1_cipher aes_cfb1_cipher
+#  define aes_t4_cfb1_cipher aes_cfb1_cipher
 static int aes_t4_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, size_t len);
 
-# define aes_t4_ctr_cipher aes_ctr_cipher
+#  define aes_t4_ctr_cipher aes_ctr_cipher
 static int aes_t4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
 static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                                const unsigned char *iv, int enc)
 {
-    EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
+    EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
     if (key) {
-        int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
+        int bits = ctx->key_len * 8;
         aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
         CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
                            (block128_f) aes_t4_encrypt);
@@ -763,19 +691,19 @@ static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     return 1;
 }
 
-# define aes_t4_gcm_cipher aes_gcm_cipher
+#  define aes_t4_gcm_cipher aes_gcm_cipher
 static int aes_t4_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
 static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                                const unsigned char *iv, int enc)
 {
-    EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
+    EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
 
     if (key) {
-        int bits = EVP_CIPHER_CTX_key_length(ctx) * 4;
+        int bits = ctx->key_len * 4;
         xctx->stream = NULL;
         /* key_len is two AES keys */
         if (enc) {
@@ -785,6 +713,11 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
             case 128:
                 xctx->stream = aes128_t4_xts_encrypt;
                 break;
+#  if 0                         /* not yet */
+            case 192:
+                xctx->stream = aes192_t4_xts_encrypt;
+                break;
+#  endif
             case 256:
                 xctx->stream = aes256_t4_xts_encrypt;
                 break;
@@ -792,13 +725,17 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                 return 0;
             }
         } else {
-            aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                   &xctx->ks1.ks);
+            aes_t4_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
             xctx->xts.block1 = (block128_f) aes_t4_decrypt;
             switch (bits) {
             case 128:
                 xctx->stream = aes128_t4_xts_decrypt;
                 break;
+#  if 0                         /* not yet */
+            case 192:
+                xctx->stream = aes192_t4_xts_decrypt;
+                break;
+#  endif
             case 256:
                 xctx->stream = aes256_t4_xts_decrypt;
                 break;
@@ -807,9 +744,8 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
             }
         }
 
-        aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-                               EVP_CIPHER_CTX_key_length(ctx) * 4,
-                               &xctx->ks2.ks);
+        aes_t4_set_encrypt_key(key + ctx->key_len / 2,
+                               ctx->key_len * 4, &xctx->ks2.ks);
         xctx->xts.block2 = (block128_f) aes_t4_encrypt;
 
         xctx->xts.key1 = &xctx->ks1;
@@ -817,97 +753,61 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
     if (iv) {
         xctx->xts.key2 = &xctx->ks2;
-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
+        memcpy(ctx->iv, iv, 16);
     }
 
     return 1;
 }
 
-# define aes_t4_xts_cipher aes_xts_cipher
+#  define aes_t4_xts_cipher aes_xts_cipher
 static int aes_t4_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
 static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                                const unsigned char *iv, int enc)
 {
-    EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
+    EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
     if (key) {
-        int bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
+        int bits = ctx->key_len * 8;
         aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
         CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
                            &cctx->ks, (block128_f) aes_t4_encrypt);
+#  if 0                         /* not yet */
+        switch (bits) {
+        case 128:
+            cctx->str = enc ? (ccm128_f) aes128_t4_ccm64_encrypt :
+                (ccm128_f) ae128_t4_ccm64_decrypt;
+            break;
+        case 192:
+            cctx->str = enc ? (ccm128_f) aes192_t4_ccm64_encrypt :
+                (ccm128_f) ae192_t4_ccm64_decrypt;
+            break;
+        case 256:
+            cctx->str = enc ? (ccm128_f) aes256_t4_ccm64_encrypt :
+                (ccm128_f) ae256_t4_ccm64_decrypt;
+            break;
+        default:
+            return 0;
+        }
+#  else
         cctx->str = NULL;
+#  endif
         cctx->key_set = 1;
     }
     if (iv) {
-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
+        memcpy(ctx->iv, iv, 15 - cctx->L);
         cctx->iv_set = 1;
     }
     return 1;
 }
 
-# define aes_t4_ccm_cipher aes_ccm_cipher
+#  define aes_t4_ccm_cipher aes_ccm_cipher
 static int aes_t4_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t len);
 
-# ifndef OPENSSL_NO_OCB
-static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                               const unsigned char *iv, int enc)
-{
-    EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
-    if (!iv && !key)
-        return 1;
-    if (key) {
-        do {
-            /*
-             * We set both the encrypt and decrypt key here because decrypt
-             * needs both. We could possibly optimise to remove setting the
-             * decrypt for an encryption operation.
-             */
-            aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                   &octx->ksenc.ks);
-            aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                   &octx->ksdec.ks);
-            if (!CRYPTO_ocb128_init(&octx->ocb,
-                                    &octx->ksenc.ks, &octx->ksdec.ks,
-                                    (block128_f) aes_t4_encrypt,
-                                    (block128_f) aes_t4_decrypt,
-                                    NULL))
-                return 0;
-        }
-        while (0);
-
-        /*
-         * If we have an iv we can set it directly, otherwise use saved IV.
-         */
-        if (iv == NULL && octx->iv_set)
-            iv = octx->iv;
-        if (iv) {
-            if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
-                != 1)
-                return 0;
-            octx->iv_set = 1;
-        }
-        octx->key_set = 1;
-    } else {
-        /* If key set use IV, otherwise copy */
-        if (octx->key_set)
-            CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
-        else
-            memcpy(octx->iv, iv, octx->ivlen);
-        octx->iv_set = 1;
-    }
-    return 1;
-}
-
-#  define aes_t4_ocb_cipher aes_ocb_cipher
-static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                             const unsigned char *in, size_t len);
-# endif                        /* OPENSSL_NO_OCB */
-
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+#  define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
         flags|EVP_CIPH_##MODE##_MODE,   \
@@ -928,7 +828,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
 
-# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
+#  define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
 static const EVP_CIPHER aes_t4_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
@@ -950,9 +850,9 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return SPARC_AES_CAPABLE?&aes_t4_##keylen##_##mode:&aes_##keylen##_##mode; }
 
-#else
+# else
 
-# define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
+#  define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
         nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
         flags|EVP_CIPH_##MODE##_MODE,   \
@@ -964,7 +864,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return &aes_##keylen##_##mode; }
 
-# define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
+#  define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
 static const EVP_CIPHER aes_##keylen##_##mode = { \
         nid##_##keylen##_##mode,blocksize, \
         (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
@@ -976,29 +876,25 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \
         NULL,NULL,aes_##mode##_ctrl,NULL }; \
 const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
 { return &aes_##keylen##_##mode; }
+# endif
 
-#endif
-
-#if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
-# include "arm_arch.h"
-# if __ARM_MAX_ARCH__>=7
-#  if defined(BSAES_ASM)
-#   define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+# if defined(OPENSSL_CPUID_OBJ) && (defined(__arm__) || defined(__arm) || defined(__aarch64__))
+#  include "arm_arch.h"
+#  if __ARM_MAX_ARCH__>=7
+#   if defined(BSAES_ASM)
+#    define BSAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
+#   endif
+#   define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
+#   define HWAES_set_encrypt_key aes_v8_set_encrypt_key
+#   define HWAES_set_decrypt_key aes_v8_set_decrypt_key
+#   define HWAES_encrypt aes_v8_encrypt
+#   define HWAES_decrypt aes_v8_decrypt
+#   define HWAES_cbc_encrypt aes_v8_cbc_encrypt
+#   define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
 #  endif
-#  if defined(VPAES_ASM)
-#   define VPAES_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON)
-#  endif
-#  define HWAES_CAPABLE (OPENSSL_armcap_P & ARMV8_AES)
-#  define HWAES_set_encrypt_key aes_v8_set_encrypt_key
-#  define HWAES_set_decrypt_key aes_v8_set_decrypt_key
-#  define HWAES_encrypt aes_v8_encrypt
-#  define HWAES_decrypt aes_v8_decrypt
-#  define HWAES_cbc_encrypt aes_v8_cbc_encrypt
-#  define HWAES_ctr32_encrypt_blocks aes_v8_ctr32_encrypt_blocks
 # endif
-#endif
 
-#if defined(HWAES_CAPABLE)
+# if defined(HWAES_CAPABLE)
 int HWAES_set_encrypt_key(const unsigned char *userKey, const int bits,
                           AES_KEY *key);
 int HWAES_set_decrypt_key(const unsigned char *userKey, const int bits,
@@ -1013,15 +909,9 @@ void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
                                 size_t len, const AES_KEY *key,
                                 const unsigned char ivec[16]);
-void HWAES_xts_encrypt(const unsigned char *inp, unsigned char *out,
-                       size_t len, const AES_KEY *key1,
-                       const AES_KEY *key2, const unsigned char iv[16]);
-void HWAES_xts_decrypt(const unsigned char *inp, unsigned char *out,
-                       size_t len, const AES_KEY *key1,
-                       const AES_KEY *key2, const unsigned char iv[16]);
-#endif
+# endif
 
-#define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
+# define BLOCK_CIPHER_generic_pack(nid,keylen,flags)             \
         BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)     \
         BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)      \
         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
@@ -1034,97 +924,85 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
 {
     int ret, mode;
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
-    mode = EVP_CIPHER_CTX_mode(ctx);
+    mode = ctx->cipher->flags & EVP_CIPH_MODE;
     if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
-        && !enc) {
-#ifdef HWAES_CAPABLE
+        && !enc)
+# ifdef HWAES_CAPABLE
         if (HWAES_CAPABLE) {
-            ret = HWAES_set_decrypt_key(key,
-                                        EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                        &dat->ks.ks);
+            ret = HWAES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
             dat->block = (block128_f) HWAES_decrypt;
             dat->stream.cbc = NULL;
-# ifdef HWAES_cbc_encrypt
+#  ifdef HWAES_cbc_encrypt
             if (mode == EVP_CIPH_CBC_MODE)
                 dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
-# endif
+#  endif
         } else
-#endif
-#ifdef BSAES_CAPABLE
+# endif
+# ifdef BSAES_CAPABLE
         if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
-            ret = AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &dat->ks.ks);
+            ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
             dat->block = (block128_f) AES_decrypt;
             dat->stream.cbc = (cbc128_f) bsaes_cbc_encrypt;
         } else
-#endif
-#ifdef VPAES_CAPABLE
+# endif
+# ifdef VPAES_CAPABLE
         if (VPAES_CAPABLE) {
-            ret = vpaes_set_decrypt_key(key,
-                                        EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                        &dat->ks.ks);
+            ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
             dat->block = (block128_f) vpaes_decrypt;
             dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
                 (cbc128_f) vpaes_cbc_encrypt : NULL;
         } else
-#endif
+# endif
         {
-            ret = AES_set_decrypt_key(key,
-                                      EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &dat->ks.ks);
+            ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
             dat->block = (block128_f) AES_decrypt;
             dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
                 (cbc128_f) AES_cbc_encrypt : NULL;
-        }
     } else
-#ifdef HWAES_CAPABLE
+# ifdef HWAES_CAPABLE
     if (HWAES_CAPABLE) {
-        ret = HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &dat->ks.ks);
+        ret = HWAES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
         dat->block = (block128_f) HWAES_encrypt;
         dat->stream.cbc = NULL;
-# ifdef HWAES_cbc_encrypt
+#  ifdef HWAES_cbc_encrypt
         if (mode == EVP_CIPH_CBC_MODE)
             dat->stream.cbc = (cbc128_f) HWAES_cbc_encrypt;
         else
-# endif
-# ifdef HWAES_ctr32_encrypt_blocks
+#  endif
+#  ifdef HWAES_ctr32_encrypt_blocks
         if (mode == EVP_CIPH_CTR_MODE)
             dat->stream.ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
         else
-# endif
+#  endif
             (void)0;            /* terminate potentially open 'else' */
     } else
-#endif
-#ifdef BSAES_CAPABLE
+# endif
+# ifdef BSAES_CAPABLE
     if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
-        ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                  &dat->ks.ks);
+        ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
         dat->block = (block128_f) AES_encrypt;
         dat->stream.ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
     } else
-#endif
-#ifdef VPAES_CAPABLE
+# endif
+# ifdef VPAES_CAPABLE
     if (VPAES_CAPABLE) {
-        ret = vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &dat->ks.ks);
+        ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
         dat->block = (block128_f) vpaes_encrypt;
         dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
             (cbc128_f) vpaes_cbc_encrypt : NULL;
     } else
-#endif
+# endif
     {
-        ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                  &dat->ks.ks);
+        ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);
         dat->block = (block128_f) AES_encrypt;
         dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
             (cbc128_f) AES_cbc_encrypt : NULL;
-#ifdef AES_CTR_ASM
+# ifdef AES_CTR_ASM
         if (mode == EVP_CIPH_CTR_MODE)
             dat->stream.ctr = (ctr128_f) AES_ctr32_encrypt;
-#endif
+# endif
     }
 
     if (ret < 0) {
@@ -1138,18 +1016,14 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
     if (dat->stream.cbc)
-        (*dat->stream.cbc) (in, out, len, &dat->ks,
-                            EVP_CIPHER_CTX_iv_noconst(ctx),
-                            EVP_CIPHER_CTX_encrypting(ctx));
-    else if (EVP_CIPHER_CTX_encrypting(ctx))
-        CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
-                              EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
+        (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv, ctx->encrypt);
+    else if (ctx->encrypt)
+        CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
     else
-        CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
-                              EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
+        CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
 
     return 1;
 }
@@ -1157,9 +1031,9 @@ static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    size_t bl = EVP_CIPHER_CTX_block_size(ctx);
+    size_t bl = ctx->cipher->block_size;
     size_t i;
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
     if (len < bl)
         return 1;
@@ -1173,70 +1047,52 @@ static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
-    int num = EVP_CIPHER_CTX_num(ctx);
     CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
-                          EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                          ctx->iv, &ctx->num, dat->block);
     return 1;
 }
 
 static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
-    int num = EVP_CIPHER_CTX_num(ctx);
     CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
-                          EVP_CIPHER_CTX_iv_noconst(ctx), &num,
-                          EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                          ctx->iv, &ctx->num, ctx->encrypt, dat->block);
     return 1;
 }
 
 static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, size_t len)
 {
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
-    int num = EVP_CIPHER_CTX_num(ctx);
     CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
-                            EVP_CIPHER_CTX_iv_noconst(ctx), &num,
-                            EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                            ctx->iv, &ctx->num, ctx->encrypt, dat->block);
     return 1;
 }
 
 static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, size_t len)
 {
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
-    if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
-        int num = EVP_CIPHER_CTX_num(ctx);
+    if (ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) {
         CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
-                                EVP_CIPHER_CTX_iv_noconst(ctx), &num,
-                                EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-        EVP_CIPHER_CTX_set_num(ctx, num);
+                                ctx->iv, &ctx->num, ctx->encrypt, dat->block);
         return 1;
     }
 
     while (len >= MAXBITCHUNK) {
-        int num = EVP_CIPHER_CTX_num(ctx);
         CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
-                                EVP_CIPHER_CTX_iv_noconst(ctx), &num,
-                                EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-        EVP_CIPHER_CTX_set_num(ctx, num);
+                                ctx->iv, &ctx->num, ctx->encrypt, dat->block);
         len -= MAXBITCHUNK;
     }
-    if (len) {
-        int num = EVP_CIPHER_CTX_num(ctx);
+    if (len)
         CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
-                                EVP_CIPHER_CTX_iv_noconst(ctx), &num,
-                                EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-        EVP_CIPHER_CTX_set_num(ctx, num);
-    }
+                                ctx->iv, &ctx->num, ctx->encrypt, dat->block);
 
     return 1;
 }
@@ -1244,34 +1100,28 @@ static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    unsigned int num = EVP_CIPHER_CTX_num(ctx);
-    EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+    unsigned int num = ctx->num;
+    EVP_AES_KEY *dat = (EVP_AES_KEY *) ctx->cipher_data;
 
     if (dat->stream.ctr)
         CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
-                                    EVP_CIPHER_CTX_iv_noconst(ctx),
-                                    EVP_CIPHER_CTX_buf_noconst(ctx),
-                                    &num, dat->stream.ctr);
+                                    ctx->iv, ctx->buf, &num, dat->stream.ctr);
     else
         CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
-                              EVP_CIPHER_CTX_iv_noconst(ctx),
-                              EVP_CIPHER_CTX_buf_noconst(ctx), &num,
-                              dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                              ctx->iv, ctx->buf, &num, dat->block);
+    ctx->num = (size_t)num;
     return 1;
 }
 
-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
-    BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
-    BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
+    BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
+    BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
 
 static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
 {
-    EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
-    if (gctx == NULL)
-        return 0;
+    EVP_AES_GCM_CTX *gctx = c->cipher_data;
     OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
-    if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
+    if (gctx->iv != c->iv)
         OPENSSL_free(gctx->iv);
     return 1;
 }
@@ -1294,44 +1144,43 @@ static void ctr64_inc(unsigned char *counter)
 
 static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 {
-    EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,c);
+    EVP_AES_GCM_CTX *gctx = c->cipher_data;
     switch (type) {
     case EVP_CTRL_INIT:
         gctx->key_set = 0;
         gctx->iv_set = 0;
-        gctx->ivlen = EVP_CIPHER_CTX_iv_length(c);
-        gctx->iv = EVP_CIPHER_CTX_iv_noconst(c);
+        gctx->ivlen = c->cipher->iv_len;
+        gctx->iv = c->iv;
         gctx->taglen = -1;
         gctx->iv_gen = 0;
         gctx->tls_aad_len = -1;
         return 1;
 
-    case EVP_CTRL_AEAD_SET_IVLEN:
+    case EVP_CTRL_GCM_SET_IVLEN:
         if (arg <= 0)
             return 0;
         /* Allocate memory for IV if needed */
         if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
-            if (gctx->iv != EVP_CIPHER_CTX_iv_noconst(c))
+            if (gctx->iv != c->iv)
                 OPENSSL_free(gctx->iv);
             gctx->iv = OPENSSL_malloc(arg);
-            if (gctx->iv == NULL)
+            if (!gctx->iv)
                 return 0;
         }
         gctx->ivlen = arg;
         return 1;
 
-    case EVP_CTRL_AEAD_SET_TAG:
-        if (arg <= 0 || arg > 16 || EVP_CIPHER_CTX_encrypting(c))
+    case EVP_CTRL_GCM_SET_TAG:
+        if (arg <= 0 || arg > 16 || c->encrypt)
             return 0;
-        memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
+        memcpy(c->buf, ptr, arg);
         gctx->taglen = arg;
         return 1;
 
-    case EVP_CTRL_AEAD_GET_TAG:
-        if (arg <= 0 || arg > 16 || !EVP_CIPHER_CTX_encrypting(c)
-            || gctx->taglen < 0)
+    case EVP_CTRL_GCM_GET_TAG:
+        if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
             return 0;
-        memcpy(ptr, EVP_CIPHER_CTX_buf_noconst(c), arg);
+        memcpy(ptr, c->buf, arg);
         return 1;
 
     case EVP_CTRL_GCM_SET_IV_FIXED:
@@ -1349,8 +1198,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
             return 0;
         if (arg)
             memcpy(gctx->iv, ptr, arg);
-        if (EVP_CIPHER_CTX_encrypting(c)
-            && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
+        if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
             return 0;
         gctx->iv_gen = 1;
         return 1;
@@ -1371,8 +1219,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         return 1;
 
     case EVP_CTRL_GCM_SET_IV_INV:
-        if (gctx->iv_gen == 0 || gctx->key_set == 0
-            || EVP_CIPHER_CTX_encrypting(c))
+        if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
             return 0;
         memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
         CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
@@ -1383,24 +1230,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         /* Save the AAD for later use */
         if (arg != EVP_AEAD_TLS1_AAD_LEN)
             return 0;
-        memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
+        memcpy(c->buf, ptr, arg);
         gctx->tls_aad_len = arg;
         {
-            unsigned int len =
-                EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
-                | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
+            unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
             /* Correct length for explicit IV */
-            if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
-                return 0;
             len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
             /* If decrypting correct for tag too */
-            if (!EVP_CIPHER_CTX_encrypting(c)) {
-                if (len < EVP_GCM_TLS_TAG_LEN)
-                    return 0;
+            if (!c->encrypt)
                 len -= EVP_GCM_TLS_TAG_LEN;
-            }
-            EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
-            EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
+            c->buf[arg - 2] = len >> 8;
+            c->buf[arg - 1] = len & 0xff;
         }
         /* Extra padding: tag appended to record */
         return EVP_GCM_TLS_TAG_LEN;
@@ -1408,17 +1248,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
     case EVP_CTRL_COPY:
         {
             EVP_CIPHER_CTX *out = ptr;
-            EVP_AES_GCM_CTX *gctx_out = EVP_C_DATA(EVP_AES_GCM_CTX,out);
+            EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
             if (gctx->gcm.key) {
                 if (gctx->gcm.key != &gctx->ks)
                     return 0;
                 gctx_out->gcm.key = &gctx_out->ks;
             }
-            if (gctx->iv == EVP_CIPHER_CTX_iv_noconst(c))
-                gctx_out->iv = EVP_CIPHER_CTX_iv_noconst(out);
+            if (gctx->iv == c->iv)
+                gctx_out->iv = out->iv;
             else {
                 gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
-                if (gctx_out->iv == NULL)
+                if (!gctx_out->iv)
                     return 0;
                 memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
             }
@@ -1434,56 +1274,52 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
 {
-    EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
+    EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
     if (key) {
         do {
-#ifdef HWAES_CAPABLE
+# ifdef HWAES_CAPABLE
             if (HWAES_CAPABLE) {
-                HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &gctx->ks.ks);
+                HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
                                    (block128_f) HWAES_encrypt);
-# ifdef HWAES_ctr32_encrypt_blocks
+#  ifdef HWAES_ctr32_encrypt_blocks
                 gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks;
-# else
+#  else
                 gctx->ctr = NULL;
-# endif
+#  endif
                 break;
             } else
-#endif
-#ifdef BSAES_CAPABLE
+# endif
+# ifdef BSAES_CAPABLE
             if (BSAES_CAPABLE) {
-                AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &gctx->ks.ks);
+                AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
                                    (block128_f) AES_encrypt);
                 gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks;
                 break;
             } else
-#endif
-#ifdef VPAES_CAPABLE
+# endif
+# ifdef VPAES_CAPABLE
             if (VPAES_CAPABLE) {
-                vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &gctx->ks.ks);
+                vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
                 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
                                    (block128_f) vpaes_encrypt);
                 gctx->ctr = NULL;
                 break;
             } else
-#endif
+# endif
                 (void)0;        /* terminate potentially open 'else' */
 
-            AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                &gctx->ks.ks);
+            AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
             CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
                                (block128_f) AES_encrypt);
-#ifdef AES_CTR_ASM
+# ifdef AES_CTR_ASM
             gctx->ctr = (ctr128_f) AES_ctr32_encrypt;
-#else
+# else
             gctx->ctr = NULL;
-#endif
+# endif
         } while (0);
 
         /*
@@ -1518,7 +1354,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, size_t len)
 {
-    EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
+    EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
     int rv = -1;
     /* Encrypt/decrypt must be performed in place */
     if (out != in
@@ -1528,23 +1364,22 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
      * Set IV from start of buffer or generate IV and write to start of
      * buffer.
      */
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CIPHER_CTX_encrypting(ctx) ?
+    if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
                             EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
                             EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
         goto err;
     /* Use saved AAD */
-    if (CRYPTO_gcm128_aad(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
-                          gctx->tls_aad_len))
+    if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
         goto err;
     /* Fix buffer and length to point to payload */
     in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
     out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
     len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
-    if (EVP_CIPHER_CTX_encrypting(ctx)) {
+    if (ctx->encrypt) {
         /* Encrypt payload */
         if (gctx->ctr) {
             size_t bulk = 0;
-#if defined(AES_GCM_ASM)
+# if defined(AES_GCM_ASM)
             if (len >= 32 && AES_GCM_ASM(gctx)) {
                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
                     return -1;
@@ -1554,7 +1389,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
                 gctx->gcm.len.u[1] += bulk;
             }
-#endif
+# endif
             if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
                                             in + bulk,
                                             out + bulk,
@@ -1562,7 +1397,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 goto err;
         } else {
             size_t bulk = 0;
-#if defined(AES_GCM_ASM2)
+# if defined(AES_GCM_ASM2)
             if (len >= 32 && AES_GCM_ASM2(gctx)) {
                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
                     return -1;
@@ -1572,7 +1407,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
                 gctx->gcm.len.u[1] += bulk;
             }
-#endif
+# endif
             if (CRYPTO_gcm128_encrypt(&gctx->gcm,
                                       in + bulk, out + bulk, len - bulk))
                 goto err;
@@ -1585,7 +1420,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         /* Decrypt */
         if (gctx->ctr) {
             size_t bulk = 0;
-#if defined(AES_GCM_ASM)
+# if defined(AES_GCM_ASM)
             if (len >= 16 && AES_GCM_ASM(gctx)) {
                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
                     return -1;
@@ -1595,7 +1430,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
                 gctx->gcm.len.u[1] += bulk;
             }
-#endif
+# endif
             if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
                                             in + bulk,
                                             out + bulk,
@@ -1603,7 +1438,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 goto err;
         } else {
             size_t bulk = 0;
-#if defined(AES_GCM_ASM2)
+# if defined(AES_GCM_ASM2)
             if (len >= 16 && AES_GCM_ASM2(gctx)) {
                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
                     return -1;
@@ -1613,17 +1448,15 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                        gctx->gcm.Yi.c, gctx->gcm.Xi.u);
                 gctx->gcm.len.u[1] += bulk;
             }
-#endif
+# endif
             if (CRYPTO_gcm128_decrypt(&gctx->gcm,
                                       in + bulk, out + bulk, len - bulk))
                 goto err;
         }
         /* Retrieve tag */
-        CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx),
-                          EVP_GCM_TLS_TAG_LEN);
+        CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
         /* If tag mismatch wipe buffer */
-        if (CRYPTO_memcmp(EVP_CIPHER_CTX_buf_noconst(ctx), in + len,
-                          EVP_GCM_TLS_TAG_LEN)) {
+        if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
             OPENSSL_cleanse(out, len);
             goto err;
         }
@@ -1639,7 +1472,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
+    EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
     /* If not set up, return error */
     if (!gctx->key_set)
         return -1;
@@ -1653,10 +1486,10 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         if (out == NULL) {
             if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
                 return -1;
-        } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
+        } else if (ctx->encrypt) {
             if (gctx->ctr) {
                 size_t bulk = 0;
-#if defined(AES_GCM_ASM)
+# if defined(AES_GCM_ASM)
                 if (len >= 32 && AES_GCM_ASM(gctx)) {
                     size_t res = (16 - gctx->gcm.mres) % 16;
 
@@ -1670,7 +1503,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                     gctx->gcm.len.u[1] += bulk;
                     bulk += res;
                 }
-#endif
+# endif
                 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
                                                 in + bulk,
                                                 out + bulk,
@@ -1678,7 +1511,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                     return -1;
             } else {
                 size_t bulk = 0;
-#if defined(AES_GCM_ASM2)
+# if defined(AES_GCM_ASM2)
                 if (len >= 32 && AES_GCM_ASM2(gctx)) {
                     size_t res = (16 - gctx->gcm.mres) % 16;
 
@@ -1692,7 +1525,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                     gctx->gcm.len.u[1] += bulk;
                     bulk += res;
                 }
-#endif
+# endif
                 if (CRYPTO_gcm128_encrypt(&gctx->gcm,
                                           in + bulk, out + bulk, len - bulk))
                     return -1;
@@ -1700,7 +1533,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         } else {
             if (gctx->ctr) {
                 size_t bulk = 0;
-#if defined(AES_GCM_ASM)
+# if defined(AES_GCM_ASM)
                 if (len >= 16 && AES_GCM_ASM(gctx)) {
                     size_t res = (16 - gctx->gcm.mres) % 16;
 
@@ -1714,7 +1547,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                     gctx->gcm.len.u[1] += bulk;
                     bulk += res;
                 }
-#endif
+# endif
                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
                                                 in + bulk,
                                                 out + bulk,
@@ -1722,7 +1555,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                     return -1;
             } else {
                 size_t bulk = 0;
-#if defined(AES_GCM_ASM2)
+# if defined(AES_GCM_ASM2)
                 if (len >= 16 && AES_GCM_ASM2(gctx)) {
                     size_t res = (16 - gctx->gcm.mres) % 16;
 
@@ -1736,7 +1569,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                     gctx->gcm.len.u[1] += bulk;
                     bulk += res;
                 }
-#endif
+# endif
                 if (CRYPTO_gcm128_decrypt(&gctx->gcm,
                                           in + bulk, out + bulk, len - bulk))
                     return -1;
@@ -1744,17 +1577,15 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         }
         return len;
     } else {
-        if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+        if (!ctx->encrypt) {
             if (gctx->taglen < 0)
                 return -1;
-            if (CRYPTO_gcm128_finish(&gctx->gcm,
-                                     EVP_CIPHER_CTX_buf_noconst(ctx),
-                                     gctx->taglen) != 0)
+            if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0)
                 return -1;
             gctx->iv_set = 0;
             return 0;
         }
-        CRYPTO_gcm128_tag(&gctx->gcm, EVP_CIPHER_CTX_buf_noconst(ctx), 16);
+        CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
         gctx->taglen = 16;
         /* Don't reuse the IV */
         gctx->iv_set = 0;
@@ -1763,24 +1594,27 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 }
 
-#define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
+# define CUSTOM_FLAGS    (EVP_CIPH_FLAG_DEFAULT_ASN1 \
                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
                 | EVP_CIPH_CUSTOM_COPY)
 
 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+                    CUSTOM_FLAGS)
     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+                    CUSTOM_FLAGS)
     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+                    CUSTOM_FLAGS)
 
 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 {
-    EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,c);
+    EVP_AES_XTS_CTX *xctx = c->cipher_data;
     if (type == EVP_CTRL_COPY) {
         EVP_CIPHER_CTX *out = ptr;
-        EVP_AES_XTS_CTX *xctx_out = EVP_C_DATA(EVP_AES_XTS_CTX,out);
+        EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
         if (xctx->xts.key1) {
             if (xctx->xts.key1 != &xctx->ks1)
                 return 0;
@@ -1803,90 +1637,75 @@ static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
 {
-    EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
+    EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
 
     if (key)
         do {
-#ifdef AES_XTS_ASM
+# ifdef AES_XTS_ASM
             xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
-#else
+# else
             xctx->stream = NULL;
-#endif
+# endif
             /* key_len is two AES keys */
-#ifdef HWAES_CAPABLE
+# ifdef HWAES_CAPABLE
             if (HWAES_CAPABLE) {
                 if (enc) {
-                    HWAES_set_encrypt_key(key,
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
+                    HWAES_set_encrypt_key(key, ctx->key_len * 4,
                                           &xctx->ks1.ks);
                     xctx->xts.block1 = (block128_f) HWAES_encrypt;
-# ifdef HWAES_xts_encrypt
-                    xctx->stream = HWAES_xts_encrypt;
-# endif
                 } else {
-                    HWAES_set_decrypt_key(key,
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
+                    HWAES_set_decrypt_key(key, ctx->key_len * 4,
                                           &xctx->ks1.ks);
                     xctx->xts.block1 = (block128_f) HWAES_decrypt;
-# ifdef HWAES_xts_decrypt
-                    xctx->stream = HWAES_xts_decrypt;
-#endif
                 }
 
-                HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-                                      EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                      &xctx->ks2.ks);
+                HWAES_set_encrypt_key(key + ctx->key_len / 2,
+                                      ctx->key_len * 4, &xctx->ks2.ks);
                 xctx->xts.block2 = (block128_f) HWAES_encrypt;
 
                 xctx->xts.key1 = &xctx->ks1;
                 break;
             } else
-#endif
-#ifdef BSAES_CAPABLE
+# endif
+# ifdef BSAES_CAPABLE
             if (BSAES_CAPABLE)
                 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
             else
-#endif
-#ifdef VPAES_CAPABLE
+# endif
+# ifdef VPAES_CAPABLE
             if (VPAES_CAPABLE) {
                 if (enc) {
-                    vpaes_set_encrypt_key(key,
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
+                    vpaes_set_encrypt_key(key, ctx->key_len * 4,
                                           &xctx->ks1.ks);
                     xctx->xts.block1 = (block128_f) vpaes_encrypt;
                 } else {
-                    vpaes_set_decrypt_key(key,
-                                          EVP_CIPHER_CTX_key_length(ctx) * 4,
+                    vpaes_set_decrypt_key(key, ctx->key_len * 4,
                                           &xctx->ks1.ks);
                     xctx->xts.block1 = (block128_f) vpaes_decrypt;
                 }
 
-                vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-                                      EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                      &xctx->ks2.ks);
+                vpaes_set_encrypt_key(key + ctx->key_len / 2,
+                                      ctx->key_len * 4, &xctx->ks2.ks);
                 xctx->xts.block2 = (block128_f) vpaes_encrypt;
 
                 xctx->xts.key1 = &xctx->ks1;
                 break;
             } else
-#endif
+# endif
                 (void)0;        /* terminate potentially open 'else' */
 
             if (enc) {
-                AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                    &xctx->ks1.ks);
+                AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
                 xctx->xts.block1 = (block128_f) AES_encrypt;
             } else {
-                AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                    &xctx->ks1.ks);
+                AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
                 xctx->xts.block1 = (block128_f) AES_decrypt;
             }
 
-            AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2,
-                                EVP_CIPHER_CTX_key_length(ctx) * 4,
-                                &xctx->ks2.ks);
+            AES_set_encrypt_key(key + ctx->key_len / 2,
+                                ctx->key_len * 4, &xctx->ks2.ks);
             xctx->xts.block2 = (block128_f) AES_encrypt;
 
             xctx->xts.key1 = &xctx->ks1;
@@ -1894,7 +1713,7 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
     if (iv) {
         xctx->xts.key2 = &xctx->ks2;
-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 16);
+        memcpy(ctx->iv, iv, 16);
     }
 
     return 1;
@@ -1903,34 +1722,34 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
+    EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
     if (!xctx->xts.key1 || !xctx->xts.key2)
         return 0;
     if (!out || !in || len < AES_BLOCK_SIZE)
         return 0;
     if (xctx->stream)
         (*xctx->stream) (in, out, len,
-                         xctx->xts.key1, xctx->xts.key2,
-                         EVP_CIPHER_CTX_iv_noconst(ctx));
-    else if (CRYPTO_xts128_encrypt(&xctx->xts, EVP_CIPHER_CTX_iv_noconst(ctx),
-                                   in, out, len,
-                                   EVP_CIPHER_CTX_encrypting(ctx)))
+                         xctx->xts.key1, xctx->xts.key2, ctx->iv);
+    else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
+                                   ctx->encrypt))
         return 0;
     return 1;
 }
 
-#define aes_xts_cleanup NULL
+# define aes_xts_cleanup NULL
 
-#define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
+# define XTS_FLAGS       (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
                          | EVP_CIPH_CUSTOM_COPY)
 
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
-    BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
+                    EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
+    BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
+                    EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
 
 static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 {
-    EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,c);
+    EVP_AES_CCM_CTX *cctx = c->cipher_data;
     switch (type) {
     case EVP_CTRL_INIT:
         cctx->key_set = 0;
@@ -1939,44 +1758,9 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         cctx->M = 12;
         cctx->tag_set = 0;
         cctx->len_set = 0;
-        cctx->tls_aad_len = -1;
         return 1;
 
-    case EVP_CTRL_AEAD_TLS1_AAD:
-        /* Save the AAD for later use */
-        if (arg != EVP_AEAD_TLS1_AAD_LEN)
-            return 0;
-        memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
-        cctx->tls_aad_len = arg;
-        {
-            uint16_t len =
-                EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
-                | EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
-            /* Correct length for explicit IV */
-            if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
-                return 0;
-            len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
-            /* If decrypting correct for tag too */
-            if (!EVP_CIPHER_CTX_encrypting(c)) {
-                if (len < cctx->M)
-                    return 0;
-                len -= cctx->M;
-            }
-            EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
-            EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
-        }
-        /* Extra padding: tag appended to record */
-        return cctx->M;
-
-    case EVP_CTRL_CCM_SET_IV_FIXED:
-        /* Sanity check length */
-        if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
-            return 0;
-        /* Just copy to first part of IV */
-        memcpy(EVP_CIPHER_CTX_iv_noconst(c), ptr, arg);
-        return 1;
-
-    case EVP_CTRL_AEAD_SET_IVLEN:
+    case EVP_CTRL_CCM_SET_IVLEN:
         arg = 15 - arg;
     case EVP_CTRL_CCM_SET_L:
         if (arg < 2 || arg > 8)
@@ -1984,20 +1768,20 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         cctx->L = arg;
         return 1;
 
-    case EVP_CTRL_AEAD_SET_TAG:
+    case EVP_CTRL_CCM_SET_TAG:
         if ((arg & 1) || arg < 4 || arg > 16)
             return 0;
-        if (EVP_CIPHER_CTX_encrypting(c) && ptr)
+        if (c->encrypt && ptr)
             return 0;
         if (ptr) {
             cctx->tag_set = 1;
-            memcpy(EVP_CIPHER_CTX_buf_noconst(c), ptr, arg);
+            memcpy(c->buf, ptr, arg);
         }
         cctx->M = arg;
         return 1;
 
-    case EVP_CTRL_AEAD_GET_TAG:
-        if (!EVP_CIPHER_CTX_encrypting(c) || !cctx->tag_set)
+    case EVP_CTRL_CCM_GET_TAG:
+        if (!c->encrypt || !cctx->tag_set)
             return 0;
         if (!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
             return 0;
@@ -2009,7 +1793,7 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
     case EVP_CTRL_COPY:
         {
             EVP_CIPHER_CTX *out = ptr;
-            EVP_AES_CCM_CTX *cctx_out = EVP_C_DATA(EVP_AES_CCM_CTX,out);
+            EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
             if (cctx->ccm.key) {
                 if (cctx->ccm.key != &cctx->ks)
                     return 0;
@@ -2027,15 +1811,14 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
 {
-    EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
+    EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
     if (key)
         do {
-#ifdef HWAES_CAPABLE
+# ifdef HWAES_CAPABLE
             if (HWAES_CAPABLE) {
-                HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &cctx->ks.ks);
+                HWAES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
 
                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
                                    &cctx->ks, (block128_f) HWAES_encrypt);
@@ -2043,101 +1826,43 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                 cctx->key_set = 1;
                 break;
             } else
-#endif
-#ifdef VPAES_CAPABLE
+# endif
+# ifdef VPAES_CAPABLE
             if (VPAES_CAPABLE) {
-                vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &cctx->ks.ks);
+                vpaes_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
                                    &cctx->ks, (block128_f) vpaes_encrypt);
                 cctx->str = NULL;
                 cctx->key_set = 1;
                 break;
             }
-#endif
-            AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                &cctx->ks.ks);
+# endif
+            AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks.ks);
             CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
                                &cctx->ks, (block128_f) AES_encrypt);
             cctx->str = NULL;
             cctx->key_set = 1;
         } while (0);
     if (iv) {
-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 15 - cctx->L);
+        memcpy(ctx->iv, iv, 15 - cctx->L);
         cctx->iv_set = 1;
     }
     return 1;
 }
 
-static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                              const unsigned char *in, size_t len)
-{
-    EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
-    CCM128_CONTEXT *ccm = &cctx->ccm;
-    /* Encrypt/decrypt must be performed in place */
-    if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
-        return -1;
-    /* If encrypting set explicit IV from sequence number (start of AAD) */
-    if (EVP_CIPHER_CTX_encrypting(ctx))
-        memcpy(out, EVP_CIPHER_CTX_buf_noconst(ctx),
-               EVP_CCM_TLS_EXPLICIT_IV_LEN);
-    /* Get rest of IV from explicit IV */
-    memcpy(EVP_CIPHER_CTX_iv_noconst(ctx) + EVP_CCM_TLS_FIXED_IV_LEN, in,
-           EVP_CCM_TLS_EXPLICIT_IV_LEN);
-    /* Correct length value */
-    len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
-    if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx), 15 - cctx->L,
-                            len))
-            return -1;
-    /* Use saved AAD */
-    CRYPTO_ccm128_aad(ccm, EVP_CIPHER_CTX_buf_noconst(ctx), cctx->tls_aad_len);
-    /* Fix buffer to point to payload */
-    in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
-    out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
-    if (EVP_CIPHER_CTX_encrypting(ctx)) {
-        if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
-                                                    cctx->str) :
-            CRYPTO_ccm128_encrypt(ccm, in, out, len))
-            return -1;
-        if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
-            return -1;
-        return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
-    } else {
-        if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
-                                                     cctx->str) :
-            !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
-            unsigned char tag[16];
-            if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
-                if (!CRYPTO_memcmp(tag, in + len, cctx->M))
-                    return len;
-            }
-        }
-        OPENSSL_cleanse(out, len);
-        return -1;
-    }
-}
-
 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
-    EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
+    EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
     CCM128_CONTEXT *ccm = &cctx->ccm;
     /* If not set up, return error */
-    if (!cctx->key_set)
+    if (!cctx->iv_set && !cctx->key_set)
         return -1;
-
-    if (cctx->tls_aad_len >= 0)
-        return aes_ccm_tls_cipher(ctx, out, in, len);
-
-    if (!cctx->iv_set)
-        return -1;
-
-    if (!EVP_CIPHER_CTX_encrypting(ctx) && !cctx->tag_set)
+    if (!ctx->encrypt && !cctx->tag_set)
         return -1;
     if (!out) {
         if (!in) {
-            if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
-                                    15 - cctx->L, len))
+            if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
                 return -1;
             cctx->len_set = 1;
             return len;
@@ -2153,12 +1878,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         return 0;
     /* If not set length yet do it */
     if (!cctx->len_set) {
-        if (CRYPTO_ccm128_setiv(ccm, EVP_CIPHER_CTX_iv_noconst(ctx),
-                                15 - cctx->L, len))
+        if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
             return -1;
         cctx->len_set = 1;
     }
-    if (EVP_CIPHER_CTX_encrypting(ctx)) {
+    if (ctx->encrypt) {
         if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
                                                     cctx->str) :
             CRYPTO_ccm128_encrypt(ccm, in, out, len))
@@ -2172,8 +1896,7 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
             unsigned char tag[16];
             if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
-                if (!CRYPTO_memcmp(tag, EVP_CIPHER_CTX_buf_noconst(ctx),
-                                   cctx->M))
+                if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M))
                     rv = len;
             }
         }
@@ -2184,17 +1907,18 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         cctx->len_set = 0;
         return rv;
     }
+
 }
 
-#define aes_ccm_cleanup NULL
+# define aes_ccm_cleanup NULL
 
 BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+                    EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
-                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+                    EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
-                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-
+                    EVP_CIPH_FLAG_FIPS | CUSTOM_FLAGS)
+#endif
 typedef struct {
     union {
         double align;
@@ -2207,22 +1931,20 @@ typedef struct {
 static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                              const unsigned char *iv, int enc)
 {
-    EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
+    EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
     if (!iv && !key)
         return 1;
     if (key) {
-        if (EVP_CIPHER_CTX_encrypting(ctx))
-            AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                &wctx->ks.ks);
+        if (ctx->encrypt)
+            AES_set_encrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
         else
-            AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                &wctx->ks.ks);
+            AES_set_decrypt_key(key, ctx->key_len * 8, &wctx->ks.ks);
         if (!iv)
             wctx->iv = NULL;
     }
     if (iv) {
-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, EVP_CIPHER_CTX_iv_length(ctx));
-        wctx->iv = EVP_CIPHER_CTX_iv_noconst(ctx);
+        memcpy(ctx->iv, iv, 8);
+        wctx->iv = ctx->iv;
     }
     return 1;
 }
@@ -2230,59 +1952,28 @@ static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, size_t inlen)
 {
-    EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
+    EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
     size_t rv;
-    /* AES wrap with padding has IV length of 4, without padding 8 */
-    int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
-    /* No final operation so always return zero length */
     if (!in)
         return 0;
-    /* Input length must always be non-zero */
-    if (!inlen)
+    if (inlen % 8)
         return -1;
-    /* If decrypting need at least 16 bytes and multiple of 8 */
-    if (!EVP_CIPHER_CTX_encrypting(ctx) && (inlen < 16 || inlen & 0x7))
+    if (ctx->encrypt && inlen < 8)
         return -1;
-    /* If not padding input must be multiple of 8 */
-    if (!pad && inlen & 0x7)
+    if (!ctx->encrypt && inlen < 16)
         return -1;
-    if (is_partially_overlapping(out, in, inlen)) {
-        EVPerr(EVP_F_AES_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
-        return 0;
-    }
     if (!out) {
-        if (EVP_CIPHER_CTX_encrypting(ctx)) {
-            /* If padding round up to multiple of 8 */
-            if (pad)
-                inlen = (inlen + 7) / 8 * 8;
-            /* 8 byte prefix */
+        if (ctx->encrypt)
             return inlen + 8;
-        } else {
-            /*
-             * If not padding output will be exactly 8 bytes smaller than
-             * input. If padding it will be at least 8 bytes smaller but we
-             * don't know how much.
-             */
-            return inlen - 8;
-        }
-    }
-    if (pad) {
-        if (EVP_CIPHER_CTX_encrypting(ctx))
-            rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
-                                     out, in, inlen,
-                                     (block128_f) AES_encrypt);
         else
-            rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
-                                       out, in, inlen,
-                                       (block128_f) AES_decrypt);
-    } else {
-        if (EVP_CIPHER_CTX_encrypting(ctx))
-            rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
-                                 out, in, inlen, (block128_f) AES_encrypt);
-        else
-            rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
-                                   out, in, inlen, (block128_f) AES_decrypt);
+            return inlen - 8;
     }
+    if (ctx->encrypt)
+        rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
+                             (block128_f) AES_encrypt);
+    else
+        rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
+                               (block128_f) AES_decrypt);
     return rv ? (int)rv : -1;
 }
 
@@ -2331,372 +2022,3 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
 {
     return &aes_256_wrap;
 }
-
-static const EVP_CIPHER aes_128_wrap_pad = {
-    NID_id_aes128_wrap_pad,
-    8, 16, 4, WRAP_FLAGS,
-    aes_wrap_init_key, aes_wrap_cipher,
-    NULL,
-    sizeof(EVP_AES_WRAP_CTX),
-    NULL, NULL, NULL, NULL
-};
-
-const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
-{
-    return &aes_128_wrap_pad;
-}
-
-static const EVP_CIPHER aes_192_wrap_pad = {
-    NID_id_aes192_wrap_pad,
-    8, 24, 4, WRAP_FLAGS,
-    aes_wrap_init_key, aes_wrap_cipher,
-    NULL,
-    sizeof(EVP_AES_WRAP_CTX),
-    NULL, NULL, NULL, NULL
-};
-
-const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
-{
-    return &aes_192_wrap_pad;
-}
-
-static const EVP_CIPHER aes_256_wrap_pad = {
-    NID_id_aes256_wrap_pad,
-    8, 32, 4, WRAP_FLAGS,
-    aes_wrap_init_key, aes_wrap_cipher,
-    NULL,
-    sizeof(EVP_AES_WRAP_CTX),
-    NULL, NULL, NULL, NULL
-};
-
-const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
-{
-    return &aes_256_wrap_pad;
-}
-
-#ifndef OPENSSL_NO_OCB
-static int aes_ocb_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
-{
-    EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
-    EVP_CIPHER_CTX *newc;
-    EVP_AES_OCB_CTX *new_octx;
-
-    switch (type) {
-    case EVP_CTRL_INIT:
-        octx->key_set = 0;
-        octx->iv_set = 0;
-        octx->ivlen = EVP_CIPHER_CTX_iv_length(c);
-        octx->iv = EVP_CIPHER_CTX_iv_noconst(c);
-        octx->taglen = 16;
-        octx->data_buf_len = 0;
-        octx->aad_buf_len = 0;
-        return 1;
-
-    case EVP_CTRL_AEAD_SET_IVLEN:
-        /* IV len must be 1 to 15 */
-        if (arg <= 0 || arg > 15)
-            return 0;
-
-        octx->ivlen = arg;
-        return 1;
-
-    case EVP_CTRL_AEAD_SET_TAG:
-        if (!ptr) {
-            /* Tag len must be 0 to 16 */
-            if (arg < 0 || arg > 16)
-                return 0;
-
-            octx->taglen = arg;
-            return 1;
-        }
-        if (arg != octx->taglen || EVP_CIPHER_CTX_encrypting(c))
-            return 0;
-        memcpy(octx->tag, ptr, arg);
-        return 1;
-
-    case EVP_CTRL_AEAD_GET_TAG:
-        if (arg != octx->taglen || !EVP_CIPHER_CTX_encrypting(c))
-            return 0;
-
-        memcpy(ptr, octx->tag, arg);
-        return 1;
-
-    case EVP_CTRL_COPY:
-        newc = (EVP_CIPHER_CTX *)ptr;
-        new_octx = EVP_C_DATA(EVP_AES_OCB_CTX,newc);
-        return CRYPTO_ocb128_copy_ctx(&new_octx->ocb, &octx->ocb,
-                                      &new_octx->ksenc.ks,
-                                      &new_octx->ksdec.ks);
-
-    default:
-        return -1;
-
-    }
-}
-
-# ifdef HWAES_CAPABLE
-#  ifdef HWAES_ocb_encrypt
-void HWAES_ocb_encrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-#  else
-#    define HWAES_ocb_encrypt ((ocb128_f)NULL)
-#  endif
-#  ifdef HWAES_ocb_decrypt
-void HWAES_ocb_decrypt(const unsigned char *in, unsigned char *out,
-                       size_t blocks, const void *key,
-                       size_t start_block_num,
-                       unsigned char offset_i[16],
-                       const unsigned char L_[][16],
-                       unsigned char checksum[16]);
-#  else
-#    define HWAES_ocb_decrypt ((ocb128_f)NULL)
-#  endif
-# endif
-
-static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                            const unsigned char *iv, int enc)
-{
-    EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
-    if (!iv && !key)
-        return 1;
-    if (key) {
-        do {
-            /*
-             * We set both the encrypt and decrypt key here because decrypt
-             * needs both. We could possibly optimise to remove setting the
-             * decrypt for an encryption operation.
-             */
-# ifdef HWAES_CAPABLE
-            if (HWAES_CAPABLE) {
-                HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &octx->ksenc.ks);
-                HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &octx->ksdec.ks);
-                if (!CRYPTO_ocb128_init(&octx->ocb,
-                                        &octx->ksenc.ks, &octx->ksdec.ks,
-                                        (block128_f) HWAES_encrypt,
-                                        (block128_f) HWAES_decrypt,
-                                        enc ? HWAES_ocb_encrypt
-                                            : HWAES_ocb_decrypt))
-                    return 0;
-                break;
-            }
-# endif
-# ifdef VPAES_CAPABLE
-            if (VPAES_CAPABLE) {
-                vpaes_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &octx->ksenc.ks);
-                vpaes_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                      &octx->ksdec.ks);
-                if (!CRYPTO_ocb128_init(&octx->ocb,
-                                        &octx->ksenc.ks, &octx->ksdec.ks,
-                                        (block128_f) vpaes_encrypt,
-                                        (block128_f) vpaes_decrypt,
-                                        NULL))
-                    return 0;
-                break;
-            }
-# endif
-            AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                &octx->ksenc.ks);
-            AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                &octx->ksdec.ks);
-            if (!CRYPTO_ocb128_init(&octx->ocb,
-                                    &octx->ksenc.ks, &octx->ksdec.ks,
-                                    (block128_f) AES_encrypt,
-                                    (block128_f) AES_decrypt,
-                                    NULL))
-                return 0;
-        }
-        while (0);
-
-        /*
-         * If we have an iv we can set it directly, otherwise use saved IV.
-         */
-        if (iv == NULL && octx->iv_set)
-            iv = octx->iv;
-        if (iv) {
-            if (CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen)
-                != 1)
-                return 0;
-            octx->iv_set = 1;
-        }
-        octx->key_set = 1;
-    } else {
-        /* If key set use IV, otherwise copy */
-        if (octx->key_set)
-            CRYPTO_ocb128_setiv(&octx->ocb, iv, octx->ivlen, octx->taglen);
-        else
-            memcpy(octx->iv, iv, octx->ivlen);
-        octx->iv_set = 1;
-    }
-    return 1;
-}
-
-static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, size_t len)
-{
-    unsigned char *buf;
-    int *buf_len;
-    int written_len = 0;
-    size_t trailing_len;
-    EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
-
-    /* If IV or Key not set then return error */
-    if (!octx->iv_set)
-        return -1;
-
-    if (!octx->key_set)
-        return -1;
-
-    if (in != NULL) {
-        /*
-         * Need to ensure we are only passing full blocks to low level OCB
-         * routines. We do it here rather than in EVP_EncryptUpdate/
-         * EVP_DecryptUpdate because we need to pass full blocks of AAD too
-         * and those routines don't support that
-         */
-
-        /* Are we dealing with AAD or normal data here? */
-        if (out == NULL) {
-            buf = octx->aad_buf;
-            buf_len = &(octx->aad_buf_len);
-        } else {
-            buf = octx->data_buf;
-            buf_len = &(octx->data_buf_len);
-
-            if (is_partially_overlapping(out + *buf_len, in, len)) {
-                EVPerr(EVP_F_AES_OCB_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
-                return 0;
-            }
-        }
-
-        /*
-         * If we've got a partially filled buffer from a previous call then
-         * use that data first
-         */
-        if (*buf_len > 0) {
-            unsigned int remaining;
-
-            remaining = AES_BLOCK_SIZE - (*buf_len);
-            if (remaining > len) {
-                memcpy(buf + (*buf_len), in, len);
-                *(buf_len) += len;
-                return 0;
-            }
-            memcpy(buf + (*buf_len), in, remaining);
-
-            /*
-             * If we get here we've filled the buffer, so process it
-             */
-            len -= remaining;
-            in += remaining;
-            if (out == NULL) {
-                if (!CRYPTO_ocb128_aad(&octx->ocb, buf, AES_BLOCK_SIZE))
-                    return -1;
-            } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
-                if (!CRYPTO_ocb128_encrypt(&octx->ocb, buf, out,
-                                           AES_BLOCK_SIZE))
-                    return -1;
-            } else {
-                if (!CRYPTO_ocb128_decrypt(&octx->ocb, buf, out,
-                                           AES_BLOCK_SIZE))
-                    return -1;
-            }
-            written_len = AES_BLOCK_SIZE;
-            *buf_len = 0;
-            if (out != NULL)
-                out += AES_BLOCK_SIZE;
-        }
-
-        /* Do we have a partial block to handle at the end? */
-        trailing_len = len % AES_BLOCK_SIZE;
-
-        /*
-         * If we've got some full blocks to handle, then process these first
-         */
-        if (len != trailing_len) {
-            if (out == NULL) {
-                if (!CRYPTO_ocb128_aad(&octx->ocb, in, len - trailing_len))
-                    return -1;
-            } else if (EVP_CIPHER_CTX_encrypting(ctx)) {
-                if (!CRYPTO_ocb128_encrypt
-                    (&octx->ocb, in, out, len - trailing_len))
-                    return -1;
-            } else {
-                if (!CRYPTO_ocb128_decrypt
-                    (&octx->ocb, in, out, len - trailing_len))
-                    return -1;
-            }
-            written_len += len - trailing_len;
-            in += len - trailing_len;
-        }
-
-        /* Handle any trailing partial block */
-        if (trailing_len > 0) {
-            memcpy(buf, in, trailing_len);
-            *buf_len = trailing_len;
-        }
-
-        return written_len;
-    } else {
-        /*
-         * First of all empty the buffer of any partial block that we might
-         * have been provided - both for data and AAD
-         */
-        if (octx->data_buf_len > 0) {
-            if (EVP_CIPHER_CTX_encrypting(ctx)) {
-                if (!CRYPTO_ocb128_encrypt(&octx->ocb, octx->data_buf, out,
-                                           octx->data_buf_len))
-                    return -1;
-            } else {
-                if (!CRYPTO_ocb128_decrypt(&octx->ocb, octx->data_buf, out,
-                                           octx->data_buf_len))
-                    return -1;
-            }
-            written_len = octx->data_buf_len;
-            octx->data_buf_len = 0;
-        }
-        if (octx->aad_buf_len > 0) {
-            if (!CRYPTO_ocb128_aad
-                (&octx->ocb, octx->aad_buf, octx->aad_buf_len))
-                return -1;
-            octx->aad_buf_len = 0;
-        }
-        /* If decrypting then verify */
-        if (!EVP_CIPHER_CTX_encrypting(ctx)) {
-            if (octx->taglen < 0)
-                return -1;
-            if (CRYPTO_ocb128_finish(&octx->ocb,
-                                     octx->tag, octx->taglen) != 0)
-                return -1;
-            octx->iv_set = 0;
-            return written_len;
-        }
-        /* If encrypting then just get the tag */
-        if (CRYPTO_ocb128_tag(&octx->ocb, octx->tag, 16) != 1)
-            return -1;
-        /* Don't reuse the IV */
-        octx->iv_set = 0;
-        return written_len;
-    }
-}
-
-static int aes_ocb_cleanup(EVP_CIPHER_CTX *c)
-{
-    EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,c);
-    CRYPTO_ocb128_cleanup(&octx->ocb);
-    return 1;
-}
-
-BLOCK_CIPHER_custom(NID_aes, 128, 16, 12, ocb, OCB,
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
-#endif                         /* OPENSSL_NO_OCB */
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c
index 52c7c744..6dfd590a 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,10 +1,50 @@
-/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <openssl/opensslconf.h>
@@ -12,14 +52,31 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/aes.h>
-#include <openssl/sha.h>
-#include <openssl/rand.h>
-#include "modes_lcl.h"
-#include "internal/evp_int.h"
-#include "internal/constant_time_locl.h"
+#if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA1)
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include <openssl/aes.h>
+# include <openssl/sha.h>
+# include <openssl/rand.h>
+# include "modes_lcl.h"
+# include "constant_time_locl.h"
+
+# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
+#  define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
+#  define EVP_CTRL_AEAD_TLS1_AAD          0x16
+#  define EVP_CTRL_AEAD_SET_MAC_KEY       0x17
+# endif
+
+# if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
+#  define EVP_CIPH_FLAG_DEFAULT_ASN1 0
+# endif
+
+# if !defined(EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
+#  define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
+# endif
+
+# define TLS1_1_VERSION 0x0302
 
 typedef struct {
     AES_KEY ks;
@@ -31,14 +88,15 @@ typedef struct {
     } aux;
 } EVP_AES_HMAC_SHA1;
 
-#define NO_PAYLOAD_LENGTH       ((size_t)-1)
+# define NO_PAYLOAD_LENGTH       ((size_t)-1)
 
-#if     defined(AES_ASM) &&     ( \
+# if     defined(AES_ASM) &&     ( \
         defined(__x86_64)       || defined(__x86_64__)  || \
-        defined(_M_AMD64)       || defined(_M_X64)      )
+        defined(_M_AMD64)       || defined(_M_X64)      || \
+        defined(__INTEL__)      )
 
 extern unsigned int OPENSSL_ia32cap_P[];
-# define AESNI_CAPABLE   (1<<(57-32))
+#  define AESNI_CAPABLE   (1<<(57-32))
 
 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
                           AES_KEY *key);
@@ -58,7 +116,7 @@ void aesni256_cbc_sha1_dec(const void *inp, void *out, size_t blocks,
                            const AES_KEY *key, unsigned char iv[16],
                            SHA_CTX *ctx, const void *in0);
 
-# define data(ctx) ((EVP_AES_HMAC_SHA1 *)EVP_CIPHER_CTX_get_cipher_data(ctx))
+#  define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
 
 static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
                                         const unsigned char *inkey,
@@ -68,13 +126,9 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
     int ret;
 
     if (enc)
-        ret = aesni_set_encrypt_key(inkey,
-                                    EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &key->ks);
+        ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks);
     else
-        ret = aesni_set_decrypt_key(inkey,
-                                    EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &key->ks);
+        ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks);
 
     SHA1_Init(&key->head);      /* handy when benchmarking */
     key->tail = key->head;
@@ -85,12 +139,12 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
     return ret < 0 ? 0 : 1;
 }
 
-# define STITCHED_CALL
-# undef  STITCHED_DECRYPT_CALL
+#  define STITCHED_CALL
+#  undef  STITCHED_DECRYPT_CALL
 
-# if !defined(STITCHED_CALL)
-#  define aes_off 0
-# endif
+#  if !defined(STITCHED_CALL)
+#   define aes_off 0
+#  endif
 
 void sha1_block_data_order(void *c, const void *p, size_t len);
 
@@ -125,12 +179,12 @@ static void sha1_update(SHA_CTX *c, const void *data, size_t len)
         SHA1_Update(c, ptr, res);
 }
 
-# ifdef SHA1_Update
-#  undef SHA1_Update
-# endif
-# define SHA1_Update sha1_update
+#  ifdef SHA1_Update
+#   undef SHA1_Update
+#  endif
+#  define SHA1_Update sha1_update
 
-# if !defined(OPENSSL_NO_MULTIBLOCK)
+#  if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
 
 typedef struct {
     unsigned int A[8], B[8], C[8], D[8], E[8];
@@ -169,9 +223,9 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
         0;
     size_t ret = 0;
     u8 *IVs;
-#  if defined(BSWAP8)
+#   if defined(BSWAP8)
     u64 seqnum;
-#  endif
+#   endif
 
     /* ask for IVs in bulk */
     if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
@@ -205,15 +259,15 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
         IVs += 16;
     }
 
-#  if defined(BSWAP8)
+#   if defined(BSWAP8)
     memcpy(blocks[0].c, key->md.data, 8);
     seqnum = BSWAP8(blocks[0].q[0]);
-#  endif
+#   endif
     for (i = 0; i < x4; i++) {
         unsigned int len = (i == (x4 - 1) ? last : frag);
-#  if !defined(BSWAP8)
+#   if !defined(BSWAP8)
         unsigned int carry, j;
-#  endif
+#   endif
 
         ctx->A[i] = key->md.h0;
         ctx->B[i] = key->md.h1;
@@ -222,14 +276,14 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
         ctx->E[i] = key->md.h4;
 
         /* fix seqnum */
-#  if defined(BSWAP8)
+#   if defined(BSWAP8)
         blocks[i].q[0] = BSWAP8(seqnum + i);
-#  else
+#   else
         for (carry = i, j = 8; j--;) {
             blocks[i].c[j] = ((u8 *)key->md.data)[j] + carry;
             carry = (blocks[i].c[j] - carry) >> (sizeof(carry) * 8 - 1);
         }
-#  endif
+#   endif
         blocks[i].c[8] = ((u8 *)key->md.data)[8];
         blocks[i].c[9] = ((u8 *)key->md.data)[9];
         blocks[i].c[10] = ((u8 *)key->md.data)[10];
@@ -248,10 +302,10 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
     /* hash 13-byte headers and first 64-13 bytes of inputs */
     sha1_multi_block(ctx, edges, n4x);
     /* hash bulk inputs */
-#  define MAXCHUNKSIZE    2048
-#  if     MAXCHUNKSIZE%64
-#   error  "MAXCHUNKSIZE is not divisible by 64"
-#  elif   MAXCHUNKSIZE
+#   define MAXCHUNKSIZE    2048
+#   if     MAXCHUNKSIZE%64
+#    error  "MAXCHUNKSIZE is not divisible by 64"
+#   elif   MAXCHUNKSIZE
     /*
      * goal is to minimize pressure on L1 cache by moving in shorter steps,
      * so that hashed data is still in the cache by the time we encrypt it
@@ -280,8 +334,8 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
             minblocks -= MAXCHUNKSIZE / 64;
         } while (minblocks > MAXCHUNKSIZE / 64);
     }
-#  endif
-#  undef  MAXCHUNKSIZE
+#   endif
+#   undef  MAXCHUNKSIZE
     sha1_multi_block(ctx, hash_d, n4x);
 
     memset(blocks, 0, sizeof(blocks));
@@ -296,18 +350,18 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
         len += 64 + 13;         /* 64 is HMAC header */
         len *= 8;               /* convert to bits */
         if (off < (64 - 8)) {
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             blocks[i].d[15] = BSWAP4(len);
-#  else
+#   else
             PUTU32(blocks[i].c + 60, len);
-#  endif
+#   endif
             edges[i].blocks = 1;
         } else {
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             blocks[i].d[31] = BSWAP4(len);
-#  else
+#   else
             PUTU32(blocks[i].c + 124, len);
-#  endif
+#   endif
             edges[i].blocks = 2;
         }
         edges[i].ptr = blocks[i].c;
@@ -318,7 +372,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
 
     memset(blocks, 0, sizeof(blocks));
     for (i = 0; i < x4; i++) {
-#  ifdef BSWAP4
+#   ifdef BSWAP4
         blocks[i].d[0] = BSWAP4(ctx->A[i]);
         ctx->A[i] = key->tail.h0;
         blocks[i].d[1] = BSWAP4(ctx->B[i]);
@@ -331,7 +385,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
         ctx->E[i] = key->tail.h4;
         blocks[i].c[20] = 0x80;
         blocks[i].d[15] = BSWAP4((64 + 20) * 8);
-#  else
+#   else
         PUTU32(blocks[i].c + 0, ctx->A[i]);
         ctx->A[i] = key->tail.h0;
         PUTU32(blocks[i].c + 4, ctx->B[i]);
@@ -344,7 +398,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
         ctx->E[i] = key->tail.h4;
         blocks[i].c[20] = 0x80;
         PUTU32(blocks[i].c + 60, (64 + 20) * 8);
-#  endif
+#   endif
         edges[i].ptr = blocks[i].c;
         edges[i].blocks = 1;
     }
@@ -397,7 +451,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key,
 
     return ret;
 }
-# endif
+#  endif
 
 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                       const unsigned char *in, size_t len)
@@ -407,18 +461,18 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     size_t plen = key->payload_length, iv = 0, /* explicit IV in TLS 1.1 and
                                                 * later */
         sha_off = 0;
-# if defined(STITCHED_CALL)
+#  if defined(STITCHED_CALL)
     size_t aes_off = 0, blocks;
 
     sha_off = SHA_CBLOCK - key->md.num;
-# endif
+#  endif
 
     key->payload_length = NO_PAYLOAD_LENGTH;
 
     if (len % AES_BLOCK_SIZE)
         return 0;
 
-    if (EVP_CIPHER_CTX_encrypting(ctx)) {
+    if (ctx->encrypt) {
         if (plen == NO_PAYLOAD_LENGTH)
             plen = len;
         else if (len !=
@@ -428,14 +482,13 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         else if (key->aux.tls_ver >= TLS1_1_VERSION)
             iv = AES_BLOCK_SIZE;
 
-# if defined(STITCHED_CALL)
+#  if defined(STITCHED_CALL)
         if (plen > (sha_off + iv)
             && (blocks = (plen - (sha_off + iv)) / SHA_CBLOCK)) {
             SHA1_Update(&key->md, in + iv, sha_off);
 
             aesni_cbc_sha1_enc(in, out, blocks, &key->ks,
-                               EVP_CIPHER_CTX_iv_noconst(ctx),
-                               &key->md, in + iv + sha_off);
+                               ctx->iv, &key->md, in + iv + sha_off);
             blocks *= SHA_CBLOCK;
             aes_off += blocks;
             sha_off += blocks;
@@ -446,7 +499,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         } else {
             sha_off = 0;
         }
-# endif
+#  endif
         sha_off += iv;
         SHA1_Update(&key->md, in + sha_off, plen - sha_off);
 
@@ -466,10 +519,10 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 out[plen] = l;
             /* encrypt HMAC|padding at once */
             aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off,
-                              &key->ks, EVP_CIPHER_CTX_iv_noconst(ctx), 1);
+                              &key->ks, ctx->iv, 1);
         } else {
             aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off,
-                              &key->ks, EVP_CIPHER_CTX_iv_noconst(ctx), 1);
+                              &key->ks, ctx->iv, 1);
         }
     } else {
         union {
@@ -488,10 +541,10 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 unsigned int u[SHA_LBLOCK];
                 unsigned char c[SHA_CBLOCK];
             } *data = (void *)key->md.data;
-# if defined(STITCHED_DECRYPT_CALL)
+#  if defined(STITCHED_DECRYPT_CALL)
             unsigned char tail_iv[AES_BLOCK_SIZE];
             int stitch = 0;
-# endif
+#  endif
 
             if ((key->aux.tls_aad[plen - 4] << 8 | key->aux.tls_aad[plen - 3])
                 >= TLS1_1_VERSION) {
@@ -499,15 +552,14 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                     return 0;
 
                 /* omit explicit iv */
-                memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), in, AES_BLOCK_SIZE);
-
+                memcpy(ctx->iv, in, AES_BLOCK_SIZE);
                 in += AES_BLOCK_SIZE;
                 out += AES_BLOCK_SIZE;
                 len -= AES_BLOCK_SIZE;
             } else if (len < (SHA_DIGEST_LENGTH + 1))
                 return 0;
 
-# if defined(STITCHED_DECRYPT_CALL)
+#  if defined(STITCHED_DECRYPT_CALL)
             if (len >= 1024 && ctx->key_len == 32) {
                 /* decrypt last block */
                 memcpy(tail_iv, in + len - 2 * AES_BLOCK_SIZE,
@@ -517,10 +569,9 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                   &key->ks, tail_iv, 0);
                 stitch = 1;
             } else
-# endif
+#  endif
                 /* decrypt HMAC|padding at once */
-                aesni_cbc_encrypt(in, out, len, &key->ks,
-                                  EVP_CIPHER_CTX_iv_noconst(ctx), 0);
+                aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0);
 
             /* figure out payload length */
             pad = out[len - 1];
@@ -542,7 +593,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             key->md = key->head;
             SHA1_Update(&key->md, key->aux.tls_aad, plen);
 
-# if defined(STITCHED_DECRYPT_CALL)
+#  if defined(STITCHED_DECRYPT_CALL)
             if (stitch) {
                 blocks = (len - (256 + 32 + SHA_CBLOCK)) / SHA_CBLOCK;
                 aes_off = len - AES_BLOCK_SIZE - blocks * SHA_CBLOCK;
@@ -563,9 +614,9 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 key->md.Nl += (blocks << 3); /* at most 18 bits */
                 memcpy(ctx->iv, tail_iv, AES_BLOCK_SIZE);
             }
-# endif
+#  endif
 
-# if 1
+#  if 1
             len -= SHA_DIGEST_LENGTH; /* amend mac */
             if (len >= (256 + SHA_CBLOCK)) {
                 j = (len - (256 + SHA_CBLOCK)) & (0 - SHA_CBLOCK);
@@ -578,15 +629,15 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
             /* but pretend as if we hashed padded payload */
             bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             bitlen = BSWAP4(bitlen);
-#  else
+#   else
             mac.c[0] = 0;
             mac.c[1] = (unsigned char)(bitlen >> 16);
             mac.c[2] = (unsigned char)(bitlen >> 8);
             mac.c[3] = (unsigned char)bitlen;
             bitlen = mac.u[0];
-#  endif
+#   endif
 
             pmac->u[0] = 0;
             pmac->u[1] = 0;
@@ -643,13 +694,13 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             pmac->u[3] |= key->md.h3 & mask;
             pmac->u[4] |= key->md.h4 & mask;
 
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             pmac->u[0] = BSWAP4(pmac->u[0]);
             pmac->u[1] = BSWAP4(pmac->u[1]);
             pmac->u[2] = BSWAP4(pmac->u[2]);
             pmac->u[3] = BSWAP4(pmac->u[3]);
             pmac->u[4] = BSWAP4(pmac->u[4]);
-#  else
+#   else
             for (i = 0; i < 5; i++) {
                 res = pmac->u[i];
                 pmac->c[4 * i + 0] = (unsigned char)(res >> 24);
@@ -657,9 +708,9 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 pmac->c[4 * i + 2] = (unsigned char)(res >> 8);
                 pmac->c[4 * i + 3] = (unsigned char)res;
             }
-#  endif
+#   endif
             len += SHA_DIGEST_LENGTH;
-# else
+#  else
             SHA1_Update(&key->md, out, inp_len);
             res = key->md.num;
             SHA1_Final(pmac->c, &key->md);
@@ -678,7 +729,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 for (; inp_blocks < pad_blocks; inp_blocks++)
                     sha1_block_data_order(&key->md, data, 1);
             }
-# endif
+#  endif
             key->md = key->tail;
             SHA1_Update(&key->md, pmac->c, SHA_DIGEST_LENGTH);
             SHA1_Final(pmac->c, &key->md);
@@ -686,7 +737,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             /* verify HMAC */
             out += inp_len;
             len -= inp_len;
-# if 1
+#  if 1
             {
                 unsigned char *p = out + len - 1 - maxpad - SHA_DIGEST_LENGTH;
                 size_t off = out - p;
@@ -708,7 +759,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
                 ret &= (int)~res;
             }
-# else
+#  else
             for (res = 0, i = 0; i < SHA_DIGEST_LENGTH; i++)
                 res |= out[i] ^ pmac->c[i];
             res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
@@ -722,10 +773,10 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
             res = (0 - res) >> (sizeof(res) * 8 - 1);
             ret &= (int)~res;
-# endif
+#  endif
             return ret;
         } else {
-# if defined(STITCHED_DECRYPT_CALL)
+#  if defined(STITCHED_DECRYPT_CALL)
             if (len >= 1024 && ctx->key_len == 32) {
                 if (sha_off %= SHA_CBLOCK)
                     blocks = (len - 3 * SHA_CBLOCK) / SHA_CBLOCK;
@@ -748,10 +799,9 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 if (key->md.Nl < (unsigned int)blocks)
                     key->md.Nh++;
             } else
-# endif
+#  endif
                 /* decrypt HMAC|padding at once */
-                aesni_cbc_encrypt(in, out, len, &key->ks,
-                                  EVP_CIPHER_CTX_iv_noconst(ctx), 0);
+                aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0);
 
             SHA1_Update(&key->md, out, len);
         }
@@ -802,10 +852,10 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 
             if (arg != EVP_AEAD_TLS1_AAD_LEN)
                 return -1;
-
+ 
             len = p[arg - 2] << 8 | p[arg - 1];
 
-            if (EVP_CIPHER_CTX_encrypting(ctx)) {
+            if (ctx->encrypt) {
                 key->payload_length = len;
                 if ((key->aux.tls_ver =
                      p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) {
@@ -826,7 +876,7 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                 return SHA_DIGEST_LENGTH;
             }
         }
-# if !defined(OPENSSL_NO_MULTIBLOCK)
+#  if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
     case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE:
         return (int)(5 + 16 + ((arg + 20 + 16) & -16));
     case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD:
@@ -841,7 +891,7 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 
             inp_len = param->inp[11] << 8 | param->inp[12];
 
-            if (EVP_CIPHER_CTX_encrypting(ctx)) {
+            if (ctx->encrypt) {
                 if ((param->inp[9] << 8 | param->inp[10]) < TLS1_1_VERSION)
                     return -1;
 
@@ -889,19 +939,19 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                                                    param->interleave / 4);
         }
     case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT:
-# endif
+#  endif
     default:
         return -1;
     }
 }
 
 static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
-# ifdef NID_aes_128_cbc_hmac_sha1
+#  ifdef NID_aes_128_cbc_hmac_sha1
     NID_aes_128_cbc_hmac_sha1,
-# else
+#  else
     NID_undef,
-# endif
-    AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE,
+#  endif
+    16, 16, 16,
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     aesni_cbc_hmac_sha1_init_key,
@@ -915,12 +965,12 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
 };
 
 static EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = {
-# ifdef NID_aes_256_cbc_hmac_sha1
+#  ifdef NID_aes_256_cbc_hmac_sha1
     NID_aes_256_cbc_hmac_sha1,
-# else
+#  else
     NID_undef,
-# endif
-    AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE,
+#  endif
+    16, 32, 16,
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     aesni_cbc_hmac_sha1_init_key,
@@ -944,7 +994,7 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
     return (OPENSSL_ia32cap_P[1] & AESNI_CAPABLE ?
             &aesni_256_cbc_hmac_sha1_cipher : NULL);
 }
-#else
+# else
 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void)
 {
     return NULL;
@@ -954,4 +1004,5 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void)
 {
     return NULL;
 }
+# endif
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
index 5a92e0b8..46c9d033 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_aes_cbc_hmac_sha256.c
@@ -1,10 +1,50 @@
-/*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <openssl/opensslconf.h>
@@ -12,15 +52,31 @@
 #include <stdio.h>
 #include <string.h>
 
+#if !defined(OPENSSL_NO_AES) && !defined(OPENSSL_NO_SHA256)
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include <openssl/aes.h>
+# include <openssl/sha.h>
+# include <openssl/rand.h>
+# include "modes_lcl.h"
+# include "constant_time_locl.h"
 
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/aes.h>
-#include <openssl/sha.h>
-#include <openssl/rand.h>
-#include "modes_lcl.h"
-#include "internal/constant_time_locl.h"
-#include "internal/evp_int.h"
+# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
+#  define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
+#  define EVP_CTRL_AEAD_TLS1_AAD          0x16
+#  define EVP_CTRL_AEAD_SET_MAC_KEY       0x17
+# endif
+
+# if !defined(EVP_CIPH_FLAG_DEFAULT_ASN1)
+#  define EVP_CIPH_FLAG_DEFAULT_ASN1 0
+# endif
+
+# if !defined(EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
+#  define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0
+# endif
+
+# define TLS1_1_VERSION 0x0302
 
 typedef struct {
     AES_KEY ks;
@@ -34,12 +90,13 @@ typedef struct {
 
 # define NO_PAYLOAD_LENGTH       ((size_t)-1)
 
-#if     defined(AES_ASM) &&     ( \
+# if     defined(AES_ASM) &&     ( \
         defined(__x86_64)       || defined(__x86_64__)  || \
-        defined(_M_AMD64)       || defined(_M_X64)      )
+        defined(_M_AMD64)       || defined(_M_X64)      || \
+        defined(__INTEL__)      )
 
 extern unsigned int OPENSSL_ia32cap_P[];
-# define AESNI_CAPABLE   (1<<(57-32))
+#  define AESNI_CAPABLE   (1<<(57-32))
 
 int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
                           AES_KEY *key);
@@ -55,7 +112,7 @@ int aesni_cbc_sha256_enc(const void *inp, void *out, size_t blocks,
                          const AES_KEY *key, unsigned char iv[16],
                          SHA256_CTX *ctx, const void *in0);
 
-# define data(ctx) ((EVP_AES_HMAC_SHA256 *)EVP_CIPHER_CTX_get_cipher_data(ctx))
+#  define data(ctx) ((EVP_AES_HMAC_SHA256 *)(ctx)->cipher_data)
 
 static int aesni_cbc_hmac_sha256_init_key(EVP_CIPHER_CTX *ctx,
                                           const unsigned char *inkey,
@@ -65,13 +122,10 @@ static int aesni_cbc_hmac_sha256_init_key(EVP_CIPHER_CTX *ctx,
     int ret;
 
     if (enc)
-        ret = aesni_set_encrypt_key(inkey,
-                                    EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &key->ks);
+        memset(&key->ks, 0, sizeof(key->ks.rd_key)),
+            ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks);
     else
-        ret = aesni_set_decrypt_key(inkey,
-                                    EVP_CIPHER_CTX_key_length(ctx) * 8,
-                                    &key->ks);
+        ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks);
 
     SHA256_Init(&key->head);    /* handy when benchmarking */
     key->tail = key->head;
@@ -82,11 +136,11 @@ static int aesni_cbc_hmac_sha256_init_key(EVP_CIPHER_CTX *ctx,
     return ret < 0 ? 0 : 1;
 }
 
-# define STITCHED_CALL
+#  define STITCHED_CALL
 
-# if !defined(STITCHED_CALL)
-#  define aes_off 0
-# endif
+#  if !defined(STITCHED_CALL)
+#   define aes_off 0
+#  endif
 
 void sha256_block_data_order(void *c, const void *p, size_t len);
 
@@ -121,12 +175,12 @@ static void sha256_update(SHA256_CTX *c, const void *data, size_t len)
         SHA256_Update(c, ptr, res);
 }
 
-# ifdef SHA256_Update
-#  undef SHA256_Update
-# endif
-# define SHA256_Update sha256_update
+#  ifdef SHA256_Update
+#   undef SHA256_Update
+#  endif
+#  define SHA256_Update sha256_update
 
-# if !defined(OPENSSL_NO_MULTIBLOCK)
+#  if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
 
 typedef struct {
     unsigned int A[8], B[8], C[8], D[8], E[8], F[8], G[8], H[8];
@@ -165,9 +219,9 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
         0;
     size_t ret = 0;
     u8 *IVs;
-#  if defined(BSWAP8)
+#   if defined(BSWAP8)
     u64 seqnum;
-#  endif
+#   endif
 
     /* ask for IVs in bulk */
     if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
@@ -202,15 +256,15 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
         IVs += 16;
     }
 
-#  if defined(BSWAP8)
+#   if defined(BSWAP8)
     memcpy(blocks[0].c, key->md.data, 8);
     seqnum = BSWAP8(blocks[0].q[0]);
-#  endif
+#   endif
     for (i = 0; i < x4; i++) {
         unsigned int len = (i == (x4 - 1) ? last : frag);
-#  if !defined(BSWAP8)
+#   if !defined(BSWAP8)
         unsigned int carry, j;
-#  endif
+#   endif
 
         ctx->A[i] = key->md.h[0];
         ctx->B[i] = key->md.h[1];
@@ -222,14 +276,14 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
         ctx->H[i] = key->md.h[7];
 
         /* fix seqnum */
-#  if defined(BSWAP8)
+#   if defined(BSWAP8)
         blocks[i].q[0] = BSWAP8(seqnum + i);
-#  else
+#   else
         for (carry = i, j = 8; j--;) {
             blocks[i].c[j] = ((u8 *)key->md.data)[j] + carry;
             carry = (blocks[i].c[j] - carry) >> (sizeof(carry) * 8 - 1);
         }
-#  endif
+#   endif
         blocks[i].c[8] = ((u8 *)key->md.data)[8];
         blocks[i].c[9] = ((u8 *)key->md.data)[9];
         blocks[i].c[10] = ((u8 *)key->md.data)[10];
@@ -248,10 +302,10 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
     /* hash 13-byte headers and first 64-13 bytes of inputs */
     sha256_multi_block(ctx, edges, n4x);
     /* hash bulk inputs */
-#  define MAXCHUNKSIZE    2048
-#  if     MAXCHUNKSIZE%64
-#   error  "MAXCHUNKSIZE is not divisible by 64"
-#  elif   MAXCHUNKSIZE
+#   define MAXCHUNKSIZE    2048
+#   if     MAXCHUNKSIZE%64
+#    error  "MAXCHUNKSIZE is not divisible by 64"
+#   elif   MAXCHUNKSIZE
     /*
      * goal is to minimize pressure on L1 cache by moving in shorter steps,
      * so that hashed data is still in the cache by the time we encrypt it
@@ -280,8 +334,8 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
             minblocks -= MAXCHUNKSIZE / 64;
         } while (minblocks > MAXCHUNKSIZE / 64);
     }
-#  endif
-#  undef  MAXCHUNKSIZE
+#   endif
+#   undef  MAXCHUNKSIZE
     sha256_multi_block(ctx, hash_d, n4x);
 
     memset(blocks, 0, sizeof(blocks));
@@ -296,18 +350,18 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
         len += 64 + 13;         /* 64 is HMAC header */
         len *= 8;               /* convert to bits */
         if (off < (64 - 8)) {
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             blocks[i].d[15] = BSWAP4(len);
-#  else
+#   else
             PUTU32(blocks[i].c + 60, len);
-#  endif
+#   endif
             edges[i].blocks = 1;
         } else {
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             blocks[i].d[31] = BSWAP4(len);
-#  else
+#   else
             PUTU32(blocks[i].c + 124, len);
-#  endif
+#   endif
             edges[i].blocks = 2;
         }
         edges[i].ptr = blocks[i].c;
@@ -318,7 +372,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
 
     memset(blocks, 0, sizeof(blocks));
     for (i = 0; i < x4; i++) {
-#  ifdef BSWAP4
+#   ifdef BSWAP4
         blocks[i].d[0] = BSWAP4(ctx->A[i]);
         ctx->A[i] = key->tail.h[0];
         blocks[i].d[1] = BSWAP4(ctx->B[i]);
@@ -337,7 +391,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
         ctx->H[i] = key->tail.h[7];
         blocks[i].c[32] = 0x80;
         blocks[i].d[15] = BSWAP4((64 + 32) * 8);
-#  else
+#   else
         PUTU32(blocks[i].c + 0, ctx->A[i]);
         ctx->A[i] = key->tail.h[0];
         PUTU32(blocks[i].c + 4, ctx->B[i]);
@@ -356,7 +410,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
         ctx->H[i] = key->tail.h[7];
         blocks[i].c[32] = 0x80;
         PUTU32(blocks[i].c + 60, (64 + 32) * 8);
-#  endif
+#   endif
         edges[i].ptr = blocks[i].c;
         edges[i].blocks = 1;
     }
@@ -412,7 +466,7 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
 
     return ret;
 }
-# endif
+#  endif
 
 static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
                                         unsigned char *out,
@@ -423,18 +477,18 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
     size_t plen = key->payload_length, iv = 0, /* explicit IV in TLS 1.1 and
                                                 * later */
         sha_off = 0;
-# if defined(STITCHED_CALL)
+#  if defined(STITCHED_CALL)
     size_t aes_off = 0, blocks;
 
     sha_off = SHA256_CBLOCK - key->md.num;
-# endif
+#  endif
 
     key->payload_length = NO_PAYLOAD_LENGTH;
 
     if (len % AES_BLOCK_SIZE)
         return 0;
 
-    if (EVP_CIPHER_CTX_encrypting(ctx)) {
+    if (ctx->encrypt) {
         if (plen == NO_PAYLOAD_LENGTH)
             plen = len;
         else if (len !=
@@ -444,7 +498,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
         else if (key->aux.tls_ver >= TLS1_1_VERSION)
             iv = AES_BLOCK_SIZE;
 
-# if defined(STITCHED_CALL)
+#  if defined(STITCHED_CALL)
         /*
          * Assembly stitch handles AVX-capable processors, but its
          * performance is not optimal on AMD Jaguar, ~40% worse, for
@@ -462,8 +516,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
             SHA256_Update(&key->md, in + iv, sha_off);
 
             (void)aesni_cbc_sha256_enc(in, out, blocks, &key->ks,
-                                       EVP_CIPHER_CTX_iv_noconst(ctx),
-                                       &key->md, in + iv + sha_off);
+                                       ctx->iv, &key->md, in + iv + sha_off);
             blocks *= SHA256_CBLOCK;
             aes_off += blocks;
             sha_off += blocks;
@@ -474,7 +527,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
         } else {
             sha_off = 0;
         }
-# endif
+#  endif
         sha_off += iv;
         SHA256_Update(&key->md, in + sha_off, plen - sha_off);
 
@@ -494,10 +547,10 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
                 out[plen] = l;
             /* encrypt HMAC|padding at once */
             aesni_cbc_encrypt(out + aes_off, out + aes_off, len - aes_off,
-                              &key->ks, EVP_CIPHER_CTX_iv_noconst(ctx), 1);
+                              &key->ks, ctx->iv, 1);
         } else {
             aesni_cbc_encrypt(in + aes_off, out + aes_off, len - aes_off,
-                              &key->ks, EVP_CIPHER_CTX_iv_noconst(ctx), 1);
+                              &key->ks, ctx->iv, 1);
         }
     } else {
         union {
@@ -509,8 +562,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
         pmac = (void *)(((size_t)mac.c + 63) & ((size_t)0 - 64));
 
         /* decrypt HMAC|padding at once */
-        aesni_cbc_encrypt(in, out, len, &key->ks,
-                          EVP_CIPHER_CTX_iv_noconst(ctx), 0);
+        aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0);
 
         if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */
             size_t inp_len, mask, j, i;
@@ -552,7 +604,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
             key->md = key->head;
             SHA256_Update(&key->md, key->aux.tls_aad, plen);
 
-# if 1
+#  if 1
             len -= SHA256_DIGEST_LENGTH; /* amend mac */
             if (len >= (256 + SHA256_CBLOCK)) {
                 j = (len - (256 + SHA256_CBLOCK)) & (0 - SHA256_CBLOCK);
@@ -565,15 +617,15 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
 
             /* but pretend as if we hashed padded payload */
             bitlen = key->md.Nl + (inp_len << 3); /* at most 18 bits */
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             bitlen = BSWAP4(bitlen);
-#  else
+#   else
             mac.c[0] = 0;
             mac.c[1] = (unsigned char)(bitlen >> 16);
             mac.c[2] = (unsigned char)(bitlen >> 8);
             mac.c[3] = (unsigned char)bitlen;
             bitlen = mac.u[0];
-#  endif
+#   endif
 
             pmac->u[0] = 0;
             pmac->u[1] = 0;
@@ -642,7 +694,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
             pmac->u[6] |= key->md.h[6] & mask;
             pmac->u[7] |= key->md.h[7] & mask;
 
-#  ifdef BSWAP4
+#   ifdef BSWAP4
             pmac->u[0] = BSWAP4(pmac->u[0]);
             pmac->u[1] = BSWAP4(pmac->u[1]);
             pmac->u[2] = BSWAP4(pmac->u[2]);
@@ -651,7 +703,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
             pmac->u[5] = BSWAP4(pmac->u[5]);
             pmac->u[6] = BSWAP4(pmac->u[6]);
             pmac->u[7] = BSWAP4(pmac->u[7]);
-#  else
+#   else
             for (i = 0; i < 8; i++) {
                 res = pmac->u[i];
                 pmac->c[4 * i + 0] = (unsigned char)(res >> 24);
@@ -659,9 +711,9 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
                 pmac->c[4 * i + 2] = (unsigned char)(res >> 8);
                 pmac->c[4 * i + 3] = (unsigned char)res;
             }
-#  endif
+#   endif
             len += SHA256_DIGEST_LENGTH;
-# else
+#  else
             SHA256_Update(&key->md, out, inp_len);
             res = key->md.num;
             SHA256_Final(pmac->c, &key->md);
@@ -680,7 +732,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
                 for (; inp_blocks < pad_blocks; inp_blocks++)
                     sha1_block_data_order(&key->md, data, 1);
             }
-# endif
+#  endif
             key->md = key->tail;
             SHA256_Update(&key->md, pmac->c, SHA256_DIGEST_LENGTH);
             SHA256_Final(pmac->c, &key->md);
@@ -688,7 +740,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
             /* verify HMAC */
             out += inp_len;
             len -= inp_len;
-# if 1
+#  if 1
             {
                 unsigned char *p =
                     out + len - 1 - maxpad - SHA256_DIGEST_LENGTH;
@@ -711,7 +763,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
                 res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
                 ret &= (int)~res;
             }
-# else
+#  else
             for (res = 0, i = 0; i < SHA256_DIGEST_LENGTH; i++)
                 res |= out[i] ^ pmac->c[i];
             res = 0 - ((0 - res) >> (sizeof(res) * 8 - 1));
@@ -725,7 +777,7 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
 
             res = (0 - res) >> (sizeof(res) * 8 - 1);
             ret &= (int)~res;
-# endif
+#  endif
             return ret;
         } else {
             SHA256_Update(&key->md, out, len);
@@ -739,7 +791,6 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                                       void *ptr)
 {
     EVP_AES_HMAC_SHA256 *key = data(ctx);
-    unsigned int u_arg = (unsigned int)arg;
 
     switch (type) {
     case EVP_CTRL_AEAD_SET_MAC_KEY:
@@ -749,10 +800,7 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 
             memset(hmac_key, 0, sizeof(hmac_key));
 
-            if (arg < 0)
-                return -1;
-
-            if (u_arg > sizeof(hmac_key)) {
+            if (arg > (int)sizeof(hmac_key)) {
                 SHA256_Init(&key->head);
                 SHA256_Update(&key->head, ptr, arg);
                 SHA256_Final(hmac_key, &key->head);
@@ -782,7 +830,7 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
             if (arg != EVP_AEAD_TLS1_AAD_LEN)
                 return -1;
 
-            if (EVP_CIPHER_CTX_encrypting(ctx)) {
+            if (ctx->encrypt) {
                 key->payload_length = len;
                 if ((key->aux.tls_ver =
                      p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) {
@@ -803,7 +851,7 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                 return SHA256_DIGEST_LENGTH;
             }
         }
-# if !defined(OPENSSL_NO_MULTIBLOCK)
+#  if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
     case EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE:
         return (int)(5 + 16 + ((arg + 32 + 16) & -16));
     case EVP_CTRL_TLS1_1_MULTIBLOCK_AAD:
@@ -813,15 +861,12 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
             unsigned int n4x = 1, x4;
             unsigned int frag, last, packlen, inp_len;
 
-            if (arg < 0)
-                return -1;
-
-            if (u_arg < sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM))
+            if (arg < (int)sizeof(EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM))
                 return -1;
 
             inp_len = param->inp[11] << 8 | param->inp[12];
 
-            if (EVP_CIPHER_CTX_encrypting(ctx)) {
+            if (ctx->encrypt) {
                 if ((param->inp[9] << 8 | param->inp[10]) < TLS1_1_VERSION)
                     return -1;
 
@@ -869,19 +914,19 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                                                    param->interleave / 4);
         }
     case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT:
-# endif
+#  endif
     default:
         return -1;
     }
 }
 
 static EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = {
-# ifdef NID_aes_128_cbc_hmac_sha256
+#  ifdef NID_aes_128_cbc_hmac_sha256
     NID_aes_128_cbc_hmac_sha256,
-# else
+#  else
     NID_undef,
-# endif
-    AES_BLOCK_SIZE, 16, AES_BLOCK_SIZE,
+#  endif
+    16, 16, 16,
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     aesni_cbc_hmac_sha256_init_key,
@@ -895,12 +940,12 @@ static EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = {
 };
 
 static EVP_CIPHER aesni_256_cbc_hmac_sha256_cipher = {
-# ifdef NID_aes_256_cbc_hmac_sha256
+#  ifdef NID_aes_256_cbc_hmac_sha256
     NID_aes_256_cbc_hmac_sha256,
-# else
+#  else
     NID_undef,
-# endif
-    AES_BLOCK_SIZE, 32, AES_BLOCK_SIZE,
+#  endif
+    16, 32, 16,
     EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
         EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK,
     aesni_cbc_hmac_sha256_init_key,
@@ -926,7 +971,7 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha256(void)
             aesni_cbc_sha256_enc(NULL, NULL, 0, NULL, NULL, NULL, NULL) ?
             &aesni_256_cbc_hmac_sha256_cipher : NULL);
 }
-#else
+# else
 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha256(void)
 {
     return NULL;
@@ -936,4 +981,5 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha256(void)
 {
     return NULL;
 }
+# endif
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_bf.c b/Cryptlib/OpenSSL/crypto/evp/e_bf.c
index dc386905..d6a01782 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_bf.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_bf.c
@@ -1,17 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_bf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #ifndef OPENSSL_NO_BF
 # include <openssl/evp.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include <openssl/objects.h>
 # include <openssl/blowfish.h>
 
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_camellia.c b/Cryptlib/OpenSSL/crypto/evp/e_camellia.c
index b50fa0b9..f273f9c9 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_camellia.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_camellia.c
@@ -1,23 +1,66 @@
-/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_camellia.c */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_CAMELLIA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
+#ifndef OPENSSL_NO_CAMELLIA
 # include <openssl/evp.h>
 # include <openssl/err.h>
 # include <string.h>
 # include <assert.h>
 # include <openssl/camellia.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include "modes_lcl.h"
 
 static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
@@ -76,11 +119,10 @@ static int cmll_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
 {
     int ret, mode, bits;
-    EVP_CAMELLIA_KEY *dat =
-        (EVP_CAMELLIA_KEY *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
-    mode = EVP_CIPHER_CTX_mode(ctx);
-    bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
+    mode = ctx->cipher->flags & EVP_CIPH_MODE;
+    bits = ctx->key_len * 8;
 
     cmll_t4_set_key(key, bits, &dat->ks);
 
@@ -206,23 +248,24 @@ const EVP_CIPHER *EVP_camellia_##keylen##_##mode(void) \
         BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1)   \
         BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags)       \
-        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)       \
-        BLOCK_CIPHER_generic(nid, keylen, 1, 16, ctr, ctr, CTR, flags)
-
+        BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags)
+# if 0                          /* not yet, missing NID */
+BLOCK_CIPHER_generic(nid, keylen, 1, 16, ctr, ctr, CTR, flags)
+# endif
 /* The subkey for Camellia is generated. */
 static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                              const unsigned char *iv, int enc)
 {
     int ret, mode;
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
-    ret = Camellia_set_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, &dat->ks);
+    ret = Camellia_set_key(key, ctx->key_len * 8, &dat->ks);
     if (ret < 0) {
         EVPerr(EVP_F_CAMELLIA_INIT_KEY, EVP_R_CAMELLIA_KEY_SETUP_FAILED);
         return 0;
     }
 
-    mode = EVP_CIPHER_CTX_mode(ctx);
+    mode = ctx->cipher->flags & EVP_CIPH_MODE;
     if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
         && !enc) {
         dat->block = (block128_f) Camellia_decrypt;
@@ -240,18 +283,14 @@ static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int camellia_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t len)
 {
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
     if (dat->stream.cbc)
-        (*dat->stream.cbc) (in, out, len, &dat->ks,
-                            EVP_CIPHER_CTX_iv_noconst(ctx),
-                            EVP_CIPHER_CTX_encrypting(ctx));
-    else if (EVP_CIPHER_CTX_encrypting(ctx))
-        CRYPTO_cbc128_encrypt(in, out, len, &dat->ks,
-                              EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
+        (*dat->stream.cbc) (in, out, len, &dat->ks, ctx->iv, ctx->encrypt);
+    else if (ctx->encrypt)
+        CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
     else
-        CRYPTO_cbc128_decrypt(in, out, len, &dat->ks,
-                              EVP_CIPHER_CTX_iv_noconst(ctx), dat->block);
+        CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv, dat->block);
 
     return 1;
 }
@@ -259,9 +298,9 @@ static int camellia_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int camellia_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t len)
 {
-    size_t bl = EVP_CIPHER_CTX_block_size(ctx);
+    size_t bl = ctx->cipher->block_size;
     size_t i;
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
     if (len < bl)
         return 1;
@@ -275,90 +314,81 @@ static int camellia_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int camellia_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t len)
 {
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
-    int num = EVP_CIPHER_CTX_num(ctx);
     CRYPTO_ofb128_encrypt(in, out, len, &dat->ks,
-                          EVP_CIPHER_CTX_iv_noconst(ctx), &num, dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                          ctx->iv, &ctx->num, dat->block);
     return 1;
 }
 
 static int camellia_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t len)
 {
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
-    int num = EVP_CIPHER_CTX_num(ctx);
     CRYPTO_cfb128_encrypt(in, out, len, &dat->ks,
-                          EVP_CIPHER_CTX_iv_noconst(ctx), &num, EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                          ctx->iv, &ctx->num, ctx->encrypt, dat->block);
     return 1;
 }
 
 static int camellia_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                 const unsigned char *in, size_t len)
 {
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
-    int num = EVP_CIPHER_CTX_num(ctx);
     CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks,
-                            EVP_CIPHER_CTX_iv_noconst(ctx), &num, EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                            ctx->iv, &ctx->num, ctx->encrypt, dat->block);
     return 1;
 }
 
 static int camellia_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                 const unsigned char *in, size_t len)
 {
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
-    if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) {
-        int num = EVP_CIPHER_CTX_num(ctx);
+    if (ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) {
         CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks,
-                                EVP_CIPHER_CTX_iv_noconst(ctx), &num, EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-        EVP_CIPHER_CTX_set_num(ctx, num);
+                                ctx->iv, &ctx->num, ctx->encrypt, dat->block);
         return 1;
     }
 
     while (len >= MAXBITCHUNK) {
-        int num = EVP_CIPHER_CTX_num(ctx);
         CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks,
-                                EVP_CIPHER_CTX_iv_noconst(ctx), &num, EVP_CIPHER_CTX_encrypting(ctx), dat->block);
+                                ctx->iv, &ctx->num, ctx->encrypt, dat->block);
         len -= MAXBITCHUNK;
-        EVP_CIPHER_CTX_set_num(ctx, num);
     }
-    if (len) {
-        int num = EVP_CIPHER_CTX_num(ctx);
+    if (len)
         CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks,
-                                EVP_CIPHER_CTX_iv_noconst(ctx), &num, EVP_CIPHER_CTX_encrypting(ctx), dat->block);
-        EVP_CIPHER_CTX_set_num(ctx, num);
-    }
+                                ctx->iv, &ctx->num, ctx->encrypt, dat->block);
 
     return 1;
 }
 
+# if 0                          /* not yet, missing NID */
 static int camellia_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t len)
 {
-    unsigned int num = EVP_CIPHER_CTX_num(ctx);
-    EVP_CAMELLIA_KEY *dat = EVP_C_DATA(EVP_CAMELLIA_KEY,ctx);
+    unsigned int num = ctx->num;
+    EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data;
 
     if (dat->stream.ctr)
         CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
-                                    EVP_CIPHER_CTX_iv_noconst(ctx),
-                                    EVP_CIPHER_CTX_buf_noconst(ctx), &num,
-                                    dat->stream.ctr);
+                                    ctx->iv, ctx->buf, &num, dat->stream.ctr);
     else
         CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
-                              EVP_CIPHER_CTX_iv_noconst(ctx),
-                              EVP_CIPHER_CTX_buf_noconst(ctx), &num,
-                              dat->block);
-    EVP_CIPHER_CTX_set_num(ctx, num);
+                              ctx->iv, ctx->buf, &num, dat->block);
+    ctx->num = (size_t)num;
     return 1;
 }
+# endif
 
 BLOCK_CIPHER_generic_pack(NID_camellia, 128, 0)
     BLOCK_CIPHER_generic_pack(NID_camellia, 192, 0)
     BLOCK_CIPHER_generic_pack(NID_camellia, 256, 0)
+#else
+
+# ifdef PEDANTIC
+static void *dummy = &dummy;
+# endif
+
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_cast.c b/Cryptlib/OpenSSL/crypto/evp/e_cast.c
index 259d4405..3f745485 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_cast.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_cast.c
@@ -1,19 +1,68 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_cast.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_CAST
 # include <openssl/evp.h>
 # include <openssl/objects.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include <openssl/cast.h>
 
 static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_chacha20_poly1305.c b/Cryptlib/OpenSSL/crypto/evp/e_chacha20_poly1305.c
deleted file mode 100644
index 7fd4f8df..00000000
--- a/Cryptlib/OpenSSL/crypto/evp/e_chacha20_poly1305.c
+++ /dev/null
@@ -1,454 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-
-#ifndef OPENSSL_NO_CHACHA
-
-# include <openssl/evp.h>
-# include <openssl/objects.h>
-# include "evp_locl.h"
-# include "internal/evp_int.h"
-# include "internal/chacha.h"
-
-typedef struct {
-    union {
-        double align;   /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */
-        unsigned int d[CHACHA_KEY_SIZE / 4];
-    } key;
-    unsigned int  counter[CHACHA_CTR_SIZE / 4];
-    unsigned char buf[CHACHA_BLK_SIZE];
-    unsigned int  partial_len;
-} EVP_CHACHA_KEY;
-
-#define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
-
-static int chacha_init_key(EVP_CIPHER_CTX *ctx,
-                           const unsigned char user_key[CHACHA_KEY_SIZE],
-                           const unsigned char iv[CHACHA_CTR_SIZE], int enc)
-{
-    EVP_CHACHA_KEY *key = data(ctx);
-    unsigned int i;
-
-    if (user_key)
-        for (i = 0; i < CHACHA_KEY_SIZE; i+=4) {
-            key->key.d[i/4] = CHACHA_U8TOU32(user_key+i);
-        }
-
-    if (iv)
-        for (i = 0; i < CHACHA_CTR_SIZE; i+=4) {
-            key->counter[i/4] = CHACHA_U8TOU32(iv+i);
-        }
-
-    key->partial_len = 0;
-
-    return 1;
-}
-
-static int chacha_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
-                         const unsigned char *inp, size_t len)
-{
-    EVP_CHACHA_KEY *key = data(ctx);
-    unsigned int n, rem, ctr32;
-
-    if ((n = key->partial_len)) {
-        while (len && n < CHACHA_BLK_SIZE) {
-            *out++ = *inp++ ^ key->buf[n++];
-            len--;
-        }
-        key->partial_len = n;
-
-        if (len == 0)
-            return 1;
-
-        if (n == CHACHA_BLK_SIZE) {
-            key->partial_len = 0;
-            key->counter[0]++;
-            if (key->counter[0] == 0)
-                key->counter[1]++;
-        }
-    }
-
-    rem = (unsigned int)(len % CHACHA_BLK_SIZE);
-    len -= rem;
-    ctr32 = key->counter[0];
-    while (len >= CHACHA_BLK_SIZE) {
-        size_t blocks = len / CHACHA_BLK_SIZE;
-        /*
-         * 1<<28 is just a not-so-small yet not-so-large number...
-         * Below condition is practically never met, but it has to
-         * be checked for code correctness.
-         */
-        if (sizeof(size_t)>sizeof(unsigned int) && blocks>(1U<<28))
-            blocks = (1U<<28);
-
-        /*
-         * As ChaCha20_ctr32 operates on 32-bit counter, caller
-         * has to handle overflow. 'if' below detects the
-         * overflow, which is then handled by limiting the
-         * amount of blocks to the exact overflow point...
-         */
-        ctr32 += (unsigned int)blocks;
-        if (ctr32 < blocks) {
-            blocks -= ctr32;
-            ctr32 = 0;
-        }
-        blocks *= CHACHA_BLK_SIZE;
-        ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);
-        len -= blocks;
-        inp += blocks;
-        out += blocks;
-
-        key->counter[0] = ctr32;
-        if (ctr32 == 0) key->counter[1]++;
-    }
-
-    if (rem) {
-        memset(key->buf, 0, sizeof(key->buf));
-        ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,
-                       key->key.d, key->counter);
-        for (n = 0; n < rem; n++)
-            out[n] = inp[n] ^ key->buf[n];
-        key->partial_len = rem;
-    }
-
-    return 1;
-}
-
-static const EVP_CIPHER chacha20 = {
-    NID_chacha20,
-    1,                      /* block_size */
-    CHACHA_KEY_SIZE,        /* key_len */
-    CHACHA_CTR_SIZE,        /* iv_len, 128-bit counter in the context */
-    EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT,
-    chacha_init_key,
-    chacha_cipher,
-    NULL,
-    sizeof(EVP_CHACHA_KEY),
-    NULL,
-    NULL,
-    NULL,
-    NULL
-};
-
-const EVP_CIPHER *EVP_chacha20(void)
-{
-    return (&chacha20);
-}
-
-# ifndef OPENSSL_NO_POLY1305
-#  include "internal/poly1305.h"
-
-typedef struct {
-    EVP_CHACHA_KEY key;
-    unsigned int nonce[12/4];
-    unsigned char tag[POLY1305_BLOCK_SIZE];
-    struct { uint64_t aad, text; } len;
-    int aad, mac_inited, tag_len, nonce_len;
-    size_t tls_payload_length;
-} EVP_CHACHA_AEAD_CTX;
-
-#  define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
-#  define aead_data(ctx)        ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)
-#  define POLY1305_ctx(actx)    ((POLY1305 *)(actx + 1))
-
-static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
-                                      const unsigned char *inkey,
-                                      const unsigned char *iv, int enc)
-{
-    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
-
-    if (!inkey && !iv)
-        return 1;
-
-    actx->len.aad = 0;
-    actx->len.text = 0;
-    actx->aad = 0;
-    actx->mac_inited = 0;
-    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
-
-    if (iv != NULL) {
-        unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
-
-        /* pad on the left */
-        if (actx->nonce_len <= CHACHA_CTR_SIZE)
-            memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv, actx->nonce_len);
-
-        chacha_init_key(ctx, inkey, temp, enc);
-
-        actx->nonce[0] = actx->key.counter[1];
-        actx->nonce[1] = actx->key.counter[2];
-        actx->nonce[2] = actx->key.counter[3];
-    } else {
-        chacha_init_key(ctx, inkey, NULL, enc);
-    }
-
-    return 1;
-}
-
-static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                                    const unsigned char *in, size_t len)
-{
-    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
-    size_t rem, plen = actx->tls_payload_length;
-    static const unsigned char zero[POLY1305_BLOCK_SIZE] = { 0 };
-
-    if (!actx->mac_inited) {
-        actx->key.counter[0] = 0;
-        memset(actx->key.buf, 0, sizeof(actx->key.buf));
-        ChaCha20_ctr32(actx->key.buf, actx->key.buf, CHACHA_BLK_SIZE,
-                       actx->key.key.d, actx->key.counter);
-        Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
-        actx->key.counter[0] = 1;
-        actx->key.partial_len = 0;
-        actx->len.aad = actx->len.text = 0;
-        actx->mac_inited = 1;
-    }
-
-    if (in) {                                   /* aad or text */
-        if (out == NULL) {                      /* aad */
-            Poly1305_Update(POLY1305_ctx(actx), in, len);
-            actx->len.aad += len;
-            actx->aad = 1;
-            return len;
-        } else {                                /* plain- or ciphertext */
-            if (actx->aad) {                    /* wrap up aad */
-                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
-                    Poly1305_Update(POLY1305_ctx(actx), zero,
-                                    POLY1305_BLOCK_SIZE - rem);
-                actx->aad = 0;
-            }
-
-            actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
-            if (plen == NO_TLS_PAYLOAD_LENGTH)
-                plen = len;
-            else if (len != plen + POLY1305_BLOCK_SIZE)
-                return -1;
-
-            if (ctx->encrypt) {                 /* plaintext */
-                chacha_cipher(ctx, out, in, plen);
-                Poly1305_Update(POLY1305_ctx(actx), out, plen);
-                in += plen;
-                out += plen;
-                actx->len.text += plen;
-            } else {                            /* ciphertext */
-                Poly1305_Update(POLY1305_ctx(actx), in, plen);
-                chacha_cipher(ctx, out, in, plen);
-                in += plen;
-                out += plen;
-                actx->len.text += plen;
-            }
-        }
-    }
-    if (in == NULL                              /* explicit final */
-        || plen != len) {                       /* or tls mode */
-        const union {
-            long one;
-            char little;
-        } is_endian = { 1 };
-        unsigned char temp[POLY1305_BLOCK_SIZE];
-
-        if (actx->aad) {                        /* wrap up aad */
-            if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
-                Poly1305_Update(POLY1305_ctx(actx), zero,
-                                POLY1305_BLOCK_SIZE - rem);
-            actx->aad = 0;
-        }
-
-        if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
-            Poly1305_Update(POLY1305_ctx(actx), zero,
-                            POLY1305_BLOCK_SIZE - rem);
-
-        if (is_endian.little) {
-            Poly1305_Update(POLY1305_ctx(actx),
-                            (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
-        } else {
-            temp[0]  = (unsigned char)(actx->len.aad);
-            temp[1]  = (unsigned char)(actx->len.aad>>8);
-            temp[2]  = (unsigned char)(actx->len.aad>>16);
-            temp[3]  = (unsigned char)(actx->len.aad>>24);
-            temp[4]  = (unsigned char)(actx->len.aad>>32);
-            temp[5]  = (unsigned char)(actx->len.aad>>40);
-            temp[6]  = (unsigned char)(actx->len.aad>>48);
-            temp[7]  = (unsigned char)(actx->len.aad>>56);
-
-            temp[8]  = (unsigned char)(actx->len.text);
-            temp[9]  = (unsigned char)(actx->len.text>>8);
-            temp[10] = (unsigned char)(actx->len.text>>16);
-            temp[11] = (unsigned char)(actx->len.text>>24);
-            temp[12] = (unsigned char)(actx->len.text>>32);
-            temp[13] = (unsigned char)(actx->len.text>>40);
-            temp[14] = (unsigned char)(actx->len.text>>48);
-            temp[15] = (unsigned char)(actx->len.text>>56);
-
-            Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
-        }
-        Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
-                                                        : temp);
-        actx->mac_inited = 0;
-
-        if (in != NULL && len != plen) {        /* tls mode */
-            if (ctx->encrypt) {
-                memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
-            } else {
-                if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
-                    memset(out - plen, 0, plen);
-                    return -1;
-                }
-            }
-        }
-        else if (!ctx->encrypt) {
-            if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
-                return -1;
-        }
-    }
-    return len;
-}
-
-static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
-{
-    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
-    if (actx)
-        OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
-    return 1;
-}
-
-static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
-                                  void *ptr)
-{
-    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
-
-    switch(type) {
-    case EVP_CTRL_INIT:
-        if (actx == NULL)
-            actx = ctx->cipher_data
-                 = OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
-        if (actx == NULL) {
-            EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_INITIALIZATION_ERROR);
-            return 0;
-        }
-        actx->len.aad = 0;
-        actx->len.text = 0;
-        actx->aad = 0;
-        actx->mac_inited = 0;
-        actx->tag_len = 0;
-        actx->nonce_len = 12;
-        actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
-        return 1;
-
-    case EVP_CTRL_COPY:
-        if (actx) {
-            EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr;
-
-            dst->cipher_data =
-                   OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
-            if (dst->cipher_data == NULL) {
-                EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR);
-                return 0;
-            }
-        }
-        return 1;
-
-    case EVP_CTRL_AEAD_SET_IVLEN:
-        if (arg <= 0 || arg > CHACHA_CTR_SIZE)
-            return 0;
-        actx->nonce_len = arg;
-        return 1;
-
-    case EVP_CTRL_AEAD_SET_IV_FIXED:
-        if (arg != 12)
-            return 0;
-        actx->nonce[0] = actx->key.counter[1]
-                       = CHACHA_U8TOU32((unsigned char *)ptr);
-        actx->nonce[1] = actx->key.counter[2]
-                       = CHACHA_U8TOU32((unsigned char *)ptr+4);
-        actx->nonce[2] = actx->key.counter[3]
-                       = CHACHA_U8TOU32((unsigned char *)ptr+8);
-        return 1;
-
-    case EVP_CTRL_AEAD_SET_TAG:
-        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE)
-            return 0;
-        if (ptr != NULL) {
-            memcpy(actx->tag, ptr, arg);
-            actx->tag_len = arg;
-        }
-        return 1;
-
-    case EVP_CTRL_AEAD_GET_TAG:
-        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE || !ctx->encrypt)
-            return 0;
-        memcpy(ptr, actx->tag, arg);
-        return 1;
-
-    case EVP_CTRL_AEAD_TLS1_AAD:
-        if (arg != EVP_AEAD_TLS1_AAD_LEN)
-            return 0;
-        {
-            unsigned int len;
-            unsigned char *aad = ptr, temp[POLY1305_BLOCK_SIZE];
-
-            len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
-                  aad[EVP_AEAD_TLS1_AAD_LEN - 1];
-            if (!ctx->encrypt) {
-                if (len < POLY1305_BLOCK_SIZE)
-                    return 0;
-                len -= POLY1305_BLOCK_SIZE;     /* discount attached tag */
-                memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2);
-                aad = temp;
-                temp[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
-                temp[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
-            }
-            actx->tls_payload_length = len;
-
-            /*
-             * merge record sequence number as per RFC7905
-             */
-            actx->key.counter[1] = actx->nonce[0];
-            actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
-            actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4);
-            actx->mac_inited = 0;
-            chacha20_poly1305_cipher(ctx, NULL, aad, EVP_AEAD_TLS1_AAD_LEN);
-            return POLY1305_BLOCK_SIZE;         /* tag length */
-        }
-
-    case EVP_CTRL_AEAD_SET_MAC_KEY:
-        /* no-op */
-        return 1;
-
-    default:
-        return -1;
-    }
-}
-
-static EVP_CIPHER chacha20_poly1305 = {
-    NID_chacha20_poly1305,
-    1,                  /* block_size */
-    CHACHA_KEY_SIZE,    /* key_len */
-    12,                 /* iv_len, 96-bit nonce in the context */
-    EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
-    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
-    EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
-    chacha20_poly1305_init_key,
-    chacha20_poly1305_cipher,
-    chacha20_poly1305_cleanup,
-    0,          /* 0 moves context-specific structure allocation to ctrl */
-    NULL,       /* set_asn1_parameters */
-    NULL,       /* get_asn1_parameters */
-    chacha20_poly1305_ctrl,
-    NULL        /* app_data */
-};
-
-const EVP_CIPHER *EVP_chacha20_poly1305(void)
-{
-    return(&chacha20_poly1305);
-}
-# endif
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_des.c b/Cryptlib/OpenSSL/crypto/evp/e_des.c
index 9b2facfe..8ca65cd0 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_des.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_des.c
@@ -1,18 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_des.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #ifndef OPENSSL_NO_DES
 # include <openssl/evp.h>
 # include <openssl/objects.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include <openssl/des.h>
 # include <openssl/rand.h>
 
@@ -57,8 +106,7 @@ static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 {
     BLOCK_CIPHER_ecb_loop()
         DES_ecb_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i),
-                        EVP_CIPHER_CTX_get_cipher_data(ctx),
-                        EVP_CIPHER_CTX_encrypting(ctx));
+                        ctx->cipher_data, ctx->encrypt);
     return 1;
 }
 
@@ -66,49 +114,37 @@ static int des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t inl)
 {
     while (inl >= EVP_MAXCHUNK) {
-        int num = EVP_CIPHER_CTX_num(ctx);
-        DES_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK,
-                          EVP_CIPHER_CTX_get_cipher_data(ctx),
-                          (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), &num);
-        EVP_CIPHER_CTX_set_num(ctx, num);
+        DES_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK, ctx->cipher_data,
+                          (DES_cblock *)ctx->iv, &ctx->num);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
     }
-    if (inl) {
-        int num = EVP_CIPHER_CTX_num(ctx);
-        DES_ofb64_encrypt(in, out, (long)inl,
-                          EVP_CIPHER_CTX_get_cipher_data(ctx),
-                          (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), &num);
-        EVP_CIPHER_CTX_set_num(ctx, num);
-    }
+    if (inl)
+        DES_ofb64_encrypt(in, out, (long)inl, ctx->cipher_data,
+                          (DES_cblock *)ctx->iv, &ctx->num);
     return 1;
 }
 
 static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t inl)
 {
-    EVP_DES_KEY *dat = (EVP_DES_KEY *) EVP_CIPHER_CTX_get_cipher_data(ctx);
+    EVP_DES_KEY *dat = (EVP_DES_KEY *) ctx->cipher_data;
 
     if (dat->stream.cbc != NULL) {
-        (*dat->stream.cbc) (in, out, inl, &dat->ks.ks,
-                            EVP_CIPHER_CTX_iv_noconst(ctx));
+        (*dat->stream.cbc) (in, out, inl, &dat->ks.ks, ctx->iv);
         return 1;
     }
     while (inl >= EVP_MAXCHUNK) {
-        DES_ncbc_encrypt(in, out, (long)EVP_MAXCHUNK,
-                         EVP_CIPHER_CTX_get_cipher_data(ctx),
-                         (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                         EVP_CIPHER_CTX_encrypting(ctx));
+        DES_ncbc_encrypt(in, out, (long)EVP_MAXCHUNK, ctx->cipher_data,
+                         (DES_cblock *)ctx->iv, ctx->encrypt);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
     }
     if (inl)
-        DES_ncbc_encrypt(in, out, (long)inl,
-                         EVP_CIPHER_CTX_get_cipher_data(ctx),
-                         (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                         EVP_CIPHER_CTX_encrypting(ctx));
+        DES_ncbc_encrypt(in, out, (long)inl, ctx->cipher_data,
+                         (DES_cblock *)ctx->iv, ctx->encrypt);
     return 1;
 }
 
@@ -116,24 +152,15 @@ static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             const unsigned char *in, size_t inl)
 {
     while (inl >= EVP_MAXCHUNK) {
-        int num = EVP_CIPHER_CTX_num(ctx);
-        DES_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK,
-                          EVP_CIPHER_CTX_get_cipher_data(ctx),
-                          (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), &num,
-                          EVP_CIPHER_CTX_encrypting(ctx));
-        EVP_CIPHER_CTX_set_num(ctx, num);
+        DES_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, ctx->cipher_data,
+                          (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
     }
-    if (inl) {
-        int num = EVP_CIPHER_CTX_num(ctx);
-        DES_cfb64_encrypt(in, out, (long)inl,
-                          EVP_CIPHER_CTX_get_cipher_data(ctx),
-                          (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), &num,
-                          EVP_CIPHER_CTX_encrypting(ctx));
-        EVP_CIPHER_CTX_set_num(ctx, num);
-    }
+    if (inl)
+        DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data,
+                          (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
     return 1;
 }
 
@@ -153,9 +180,8 @@ static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     while (inl && inl >= chunk) {
         for (n = 0; n < chunk * 8; ++n) {
             c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0;
-            DES_cfb_encrypt(c, d, 1, 1, EVP_CIPHER_CTX_get_cipher_data(ctx),
-                            (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                            EVP_CIPHER_CTX_encrypting(ctx));
+            DES_cfb_encrypt(c, d, 1, 1, ctx->cipher_data,
+                            (DES_cblock *)ctx->iv, ctx->encrypt);
             out[n / 8] =
                 (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8))) |
                 ((d[0] & 0x80) >> (unsigned int)(n % 8));
@@ -174,19 +200,15 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, size_t inl)
 {
     while (inl >= EVP_MAXCHUNK) {
-        DES_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK,
-                        EVP_CIPHER_CTX_get_cipher_data(ctx),
-                        (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                        EVP_CIPHER_CTX_encrypting(ctx));
+        DES_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK, ctx->cipher_data,
+                        (DES_cblock *)ctx->iv, ctx->encrypt);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
     }
     if (inl)
-        DES_cfb_encrypt(in, out, 8, (long)inl,
-                        EVP_CIPHER_CTX_get_cipher_data(ctx),
-                        (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                        EVP_CIPHER_CTX_encrypting(ctx));
+        DES_cfb_encrypt(in, out, 8, (long)inl, ctx->cipher_data,
+                        (DES_cblock *)ctx->iv, ctx->encrypt);
     return 1;
 }
 
@@ -206,12 +228,12 @@ static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
 {
     DES_cblock *deskey = (DES_cblock *)key;
-    EVP_DES_KEY *dat = (EVP_DES_KEY *) EVP_CIPHER_CTX_get_cipher_data(ctx);
+    EVP_DES_KEY *dat = (EVP_DES_KEY *) ctx->cipher_data;
 
     dat->stream.cbc = NULL;
 # if defined(SPARC_DES_CAPABLE)
     if (SPARC_DES_CAPABLE) {
-        int mode = EVP_CIPHER_CTX_mode(ctx);
+        int mode = ctx->cipher->flags & EVP_CIPH_MODE;
 
         if (mode == EVP_CIPH_CBC_MODE) {
             des_t4_key_expand(key, &dat->ks.ks);
@@ -220,7 +242,12 @@ static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         }
     }
 # endif
-    DES_set_key_unchecked(deskey, EVP_CIPHER_CTX_get_cipher_data(ctx));
+# ifdef EVP_CHECK_DES_KEY
+    if (DES_set_key_checked(deskey, dat->ks.ks) != 0)
+        return 0;
+# else
+    DES_set_key_unchecked(deskey, ctx->cipher_data);
+# endif
     return 1;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_des3.c b/Cryptlib/OpenSSL/crypto/evp/e_des3.c
index da77936c..0e910d6d 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_des3.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_des3.c
@@ -1,21 +1,73 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_des3.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #ifndef OPENSSL_NO_DES
 # include <openssl/evp.h>
 # include <openssl/objects.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include <openssl/des.h>
 # include <openssl/rand.h>
-# include "evp_locl.h"
+
+/* Block use of implementations in FIPS mode */
+# undef EVP_CIPH_FLAG_FIPS
+# define EVP_CIPH_FLAG_FIPS      0
 
 typedef struct {
     union {
@@ -55,7 +107,7 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 
 static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
 
-# define data(ctx) EVP_C_DATA(DES_EDE_KEY,ctx)
+# define data(ctx) ((DES_EDE_KEY *)(ctx)->cipher_data)
 
 /*
  * Because of various casts and different args can't use
@@ -69,7 +121,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         DES_ecb3_encrypt((const_DES_cblock *)(in + i),
                          (DES_cblock *)(out + i),
                          &data(ctx)->ks1, &data(ctx)->ks2,
-                         &data(ctx)->ks3, EVP_CIPHER_CTX_encrypting(ctx));
+                         &data(ctx)->ks3, ctx->encrypt);
     return 1;
 }
 
@@ -77,26 +129,20 @@ static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, size_t inl)
 {
     while (inl >= EVP_MAXCHUNK) {
-        int num = EVP_CIPHER_CTX_num(ctx);
         DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK,
                                &data(ctx)->ks1, &data(ctx)->ks2,
-                               &data(ctx)->ks3,
-                               (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                               &num);
-        EVP_CIPHER_CTX_set_num(ctx, num);
+                               &data(ctx)->ks3, (DES_cblock *)ctx->iv,
+                               &ctx->num);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
     }
-    if (inl) {
-        int num = EVP_CIPHER_CTX_num(ctx);
+    if (inl)
         DES_ede3_ofb64_encrypt(in, out, (long)inl,
                                &data(ctx)->ks1, &data(ctx)->ks2,
-                               &data(ctx)->ks3,
-                               (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                               &num);
-        EVP_CIPHER_CTX_set_num(ctx, num);
-    }
+                               &data(ctx)->ks3, (DES_cblock *)ctx->iv,
+                               &ctx->num);
+
     return 1;
 }
 
@@ -105,17 +151,26 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 {
     DES_EDE_KEY *dat = data(ctx);
 
-    if (dat->stream.cbc != NULL) {
-        (*dat->stream.cbc) (in, out, inl, dat->ks.ks,
-                            EVP_CIPHER_CTX_iv_noconst(ctx));
+# ifdef KSSL_DEBUG
+    {
+        int i;
+        fprintf(stderr, "des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx,
+                ctx->buf_len);
+        fprintf(stderr, "\t iv= ");
+        for (i = 0; i < 8; i++)
+            fprintf(stderr, "%02X", ctx->iv[i]);
+        fprintf(stderr, "\n");
+    }
+# endif                         /* KSSL_DEBUG */
+    if (dat->stream.cbc) {
+        (*dat->stream.cbc) (in, out, inl, dat->ks.ks, ctx->iv);
         return 1;
     }
 
     while (inl >= EVP_MAXCHUNK) {
         DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
                              &dat->ks1, &dat->ks2, &dat->ks3,
-                             (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                             EVP_CIPHER_CTX_encrypting(ctx));
+                             (DES_cblock *)ctx->iv, ctx->encrypt);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
@@ -123,8 +178,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     if (inl)
         DES_ede3_cbc_encrypt(in, out, (long)inl,
                              &dat->ks1, &dat->ks2, &dat->ks3,
-                             (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                             EVP_CIPHER_CTX_encrypting(ctx));
+                             (DES_cblock *)ctx->iv, ctx->encrypt);
     return 1;
 }
 
@@ -132,26 +186,19 @@ static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                 const unsigned char *in, size_t inl)
 {
     while (inl >= EVP_MAXCHUNK) {
-        int num = EVP_CIPHER_CTX_num(ctx);
         DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK,
                                &data(ctx)->ks1, &data(ctx)->ks2,
-                               &data(ctx)->ks3,
-                               (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                               &num, EVP_CIPHER_CTX_encrypting(ctx));
-        EVP_CIPHER_CTX_set_num(ctx, num);
+                               &data(ctx)->ks3, (DES_cblock *)ctx->iv,
+                               &ctx->num, ctx->encrypt);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
     }
-    if (inl) {
-        int num = EVP_CIPHER_CTX_num(ctx);
+    if (inl)
         DES_ede3_cfb64_encrypt(in, out, (long)inl,
                                &data(ctx)->ks1, &data(ctx)->ks2,
-                               &data(ctx)->ks3,
-                               (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                               &num, EVP_CIPHER_CTX_encrypting(ctx));
-        EVP_CIPHER_CTX_set_num(ctx, num);
-    }
+                               &data(ctx)->ks3, (DES_cblock *)ctx->iv,
+                               &ctx->num, ctx->encrypt);
     return 1;
 }
 
@@ -165,15 +212,12 @@ static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     size_t n;
     unsigned char c[1], d[1];
 
-    if (!EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
-            inl *= 8;
     for (n = 0; n < inl; ++n) {
         c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0;
         DES_ede3_cfb_encrypt(c, d, 1, 1,
                              &data(ctx)->ks1, &data(ctx)->ks2,
-                             &data(ctx)->ks3,
-                             (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                             EVP_CIPHER_CTX_encrypting(ctx));
+                             &data(ctx)->ks3, (DES_cblock *)ctx->iv,
+                             ctx->encrypt);
         out[n / 8] = (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8)))
             | ((d[0] & 0x80) >> (unsigned int)(n % 8));
     }
@@ -187,9 +231,8 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     while (inl >= EVP_MAXCHUNK) {
         DES_ede3_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK,
                              &data(ctx)->ks1, &data(ctx)->ks2,
-                             &data(ctx)->ks3,
-                             (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                             EVP_CIPHER_CTX_encrypting(ctx));
+                             &data(ctx)->ks3, (DES_cblock *)ctx->iv,
+                             ctx->encrypt);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
@@ -197,9 +240,8 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     if (inl)
         DES_ede3_cfb_encrypt(in, out, 8, (long)inl,
                              &data(ctx)->ks1, &data(ctx)->ks2,
-                             &data(ctx)->ks3,
-                             (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                             EVP_CIPHER_CTX_encrypting(ctx));
+                             &data(ctx)->ks3, (DES_cblock *)ctx->iv,
+                             ctx->encrypt);
     return 1;
 }
 
@@ -211,16 +253,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
 # define des_ede3_cbc_cipher des_ede_cbc_cipher
 # define des_ede3_ecb_cipher des_ede_ecb_cipher
     BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
-                  des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+                  EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
+                  des3_ctrl)
 
     BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
-                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
-                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+                     EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
+                     NULL, des3_ctrl)
 
     BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
-                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
-                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+                     EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
+                     NULL, des3_ctrl)
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
@@ -231,7 +276,7 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     dat->stream.cbc = NULL;
 # if defined(SPARC_DES_CAPABLE)
     if (SPARC_DES_CAPABLE) {
-        int mode = EVP_CIPHER_CTX_mode(ctx);
+        int mode = ctx->cipher->flags & EVP_CIPH_MODE;
 
         if (mode == EVP_CIPH_CBC_MODE) {
             des_t4_key_expand(&deskey[0], &dat->ks1);
@@ -243,8 +288,14 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         }
     }
 # endif
+# ifdef EVP_CHECK_DES_KEY
+    if (DES_set_key_checked(&deskey[0], &dat->ks1)
+        || DES_set_key_checked(&deskey[1], &dat->ks2))
+        return 0;
+# else
     DES_set_key_unchecked(&deskey[0], &dat->ks1);
     DES_set_key_unchecked(&deskey[1], &dat->ks2);
+# endif
     memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1));
     return 1;
 }
@@ -255,10 +306,27 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     DES_cblock *deskey = (DES_cblock *)key;
     DES_EDE_KEY *dat = data(ctx);
 
+# ifdef KSSL_DEBUG
+    {
+        int i;
+        fprintf(stderr, "des_ede3_init_key(ctx=%p)\n", ctx);
+        fprintf(stderr, "\tKEY= ");
+        for (i = 0; i < 24; i++)
+            fprintf(stderr, "%02X", key[i]);
+        fprintf(stderr, "\n");
+        if (iv) {
+            fprintf(stderr, "\t IV= ");
+            for (i = 0; i < 8; i++)
+                fprintf(stderr, "%02X", iv[i]);
+            fprintf(stderr, "\n");
+        }
+    }
+# endif                         /* KSSL_DEBUG */
+
     dat->stream.cbc = NULL;
 # if defined(SPARC_DES_CAPABLE)
     if (SPARC_DES_CAPABLE) {
-        int mode = EVP_CIPHER_CTX_mode(ctx);
+        int mode = ctx->cipher->flags & EVP_CIPH_MODE;
 
         if (mode == EVP_CIPH_CBC_MODE) {
             des_t4_key_expand(&deskey[0], &dat->ks1);
@@ -270,25 +338,32 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         }
     }
 # endif
+# ifdef EVP_CHECK_DES_KEY
+    if (DES_set_key_checked(&deskey[0], &dat->ks1)
+        || DES_set_key_checked(&deskey[1], &dat->ks2)
+        || DES_set_key_checked(&deskey[2], &dat->ks3))
+        return 0;
+# else
     DES_set_key_unchecked(&deskey[0], &dat->ks1);
     DES_set_key_unchecked(&deskey[1], &dat->ks2);
     DES_set_key_unchecked(&deskey[2], &dat->ks3);
+# endif
     return 1;
 }
 
-static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
+static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 {
 
     DES_cblock *deskey = ptr;
 
     switch (type) {
     case EVP_CTRL_RAND_KEY:
-        if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0)
+        if (RAND_bytes(ptr, c->key_len) <= 0)
             return 0;
         DES_set_odd_parity(deskey);
-        if (EVP_CIPHER_CTX_key_length(ctx) >= 16)
+        if (c->key_len >= 16)
             DES_set_odd_parity(deskey + 1);
-        if (EVP_CIPHER_CTX_key_length(ctx) >= 24)
+        if (c->key_len >= 24)
             DES_set_odd_parity(deskey + 2);
         return 1;
 
@@ -307,8 +382,9 @@ const EVP_CIPHER *EVP_des_ede3(void)
     return &des_ede3_ecb;
 }
 
+# ifndef OPENSSL_NO_SHA
 
-# include <openssl/sha.h>
+#  include <openssl/sha.h>
 
 static const unsigned char wrap_iv[8] =
     { 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 };
@@ -322,7 +398,7 @@ static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
         return -1;
     if (out == NULL)
         return inl - 16;
-    memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), wrap_iv, 8);
+    memcpy(ctx->iv, wrap_iv, 8);
     /* Decrypt first block which will end up as icv */
     des_ede_cbc_cipher(ctx, icv, in, 8);
     /* Decrypt central blocks */
@@ -340,7 +416,7 @@ static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
     /* Reverse order of everything */
     BUF_reverse(icv, NULL, 8);
     BUF_reverse(out, NULL, inl - 16);
-    BUF_reverse(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 8);
+    BUF_reverse(ctx->iv, iv, 8);
     /* Decrypt again using new IV */
     des_ede_cbc_cipher(ctx, out, out, inl - 16);
     des_ede_cbc_cipher(ctx, icv, icv, 8);
@@ -352,7 +428,7 @@ static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
     OPENSSL_cleanse(icv, 8);
     OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
     OPENSSL_cleanse(iv, 8);
-    OPENSSL_cleanse(EVP_CIPHER_CTX_iv_noconst(ctx), 8);
+    OPENSSL_cleanse(ctx->iv, 8);
     if (rv == -1)
         OPENSSL_cleanse(out, inl - 16);
 
@@ -372,13 +448,13 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
     memcpy(out + inl + 8, sha1tmp, 8);
     OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
     /* Generate random IV */
-    if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0)
+    if (RAND_bytes(ctx->iv, 8) <= 0)
         return -1;
-    memcpy(out, EVP_CIPHER_CTX_iv_noconst(ctx), 8);
+    memcpy(out, ctx->iv, 8);
     /* Encrypt everything after IV in place */
     des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);
     BUF_reverse(out, NULL, inl + 16);
-    memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), wrap_iv, 8);
+    memcpy(ctx->iv, wrap_iv, 8);
     des_ede_cbc_cipher(ctx, out, out, inl + 16);
     return inl + 16;
 }
@@ -393,13 +469,7 @@ static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
      */
     if (inl >= EVP_MAXCHUNK || inl % 8)
         return -1;
-
-    if (is_partially_overlapping(out, in, inl)) {
-        EVPerr(EVP_F_DES_EDE3_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
-        return 0;
-    }
-
-    if (EVP_CIPHER_CTX_encrypting(ctx))
+    if (ctx->encrypt)
         return des_ede3_wrap(ctx, out, in, inl);
     else
         return des_ede3_unwrap(ctx, out, in, inl);
@@ -421,4 +491,5 @@ const EVP_CIPHER *EVP_des_ede3_wrap(void)
     return &des3_wrap;
 }
 
+# endif
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_idea.c b/Cryptlib/OpenSSL/crypto/evp/e_idea.c
index 93f6a413..cac72b33 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_idea.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_idea.c
@@ -1,32 +1,75 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_idea.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_IDEA
 # include <openssl/evp.h>
 # include <openssl/objects.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include <openssl/idea.h>
 
-/* Can't use IMPLEMENT_BLOCK_CIPHER because IDEA_ecb_encrypt is different */
-
-typedef struct {
-    IDEA_KEY_SCHEDULE ks;
-} EVP_IDEA_KEY;
-
 static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv, int enc);
 
 /*
- * NB IDEA_ecb_encrypt doesn't take an 'encrypt' argument so we treat it as a
+ * NB idea_ecb_encrypt doesn't take an 'encrypt' argument so we treat it as a
  * special case
  */
 
@@ -34,15 +77,21 @@ static int idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, size_t inl)
 {
     BLOCK_CIPHER_ecb_loop()
-        IDEA_ecb_encrypt(in + i, out + i, &EVP_C_DATA(EVP_IDEA_KEY,ctx)->ks);
+        idea_ecb_encrypt(in + i, out + i, ctx->cipher_data);
     return 1;
 }
 
-BLOCK_CIPHER_func_cbc(idea, IDEA, EVP_IDEA_KEY, ks)
-BLOCK_CIPHER_func_ofb(idea, IDEA, 64, EVP_IDEA_KEY, ks)
-BLOCK_CIPHER_func_cfb(idea, IDEA, 64, EVP_IDEA_KEY, ks)
+/* Can't use IMPLEMENT_BLOCK_CIPHER because idea_ecb_encrypt is different */
+
+typedef struct {
+    IDEA_KEY_SCHEDULE ks;
+} EVP_IDEA_KEY;
+
+BLOCK_CIPHER_func_cbc(idea, idea, EVP_IDEA_KEY, ks)
+    BLOCK_CIPHER_func_ofb(idea, idea, 64, EVP_IDEA_KEY, ks)
+    BLOCK_CIPHER_func_cfb(idea, idea, 64, EVP_IDEA_KEY, ks)
 
-BLOCK_CIPHER_defs(idea, IDEA_KEY_SCHEDULE, NID_idea, 8, 16, 8, 64,
+    BLOCK_CIPHER_defs(idea, IDEA_KEY_SCHEDULE, NID_idea, 8, 16, 8, 64,
                   0, idea_init_key, NULL,
                   EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
 
@@ -56,12 +105,12 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
             enc = 1;
     }
     if (enc)
-        IDEA_set_encrypt_key(key, &EVP_C_DATA(EVP_IDEA_KEY,ctx)->ks);
+        idea_set_encrypt_key(key, ctx->cipher_data);
     else {
         IDEA_KEY_SCHEDULE tmp;
 
-        IDEA_set_encrypt_key(key, &tmp);
-        IDEA_set_decrypt_key(&tmp, &EVP_C_DATA(EVP_IDEA_KEY,ctx)->ks);
+        idea_set_encrypt_key(key, &tmp);
+        idea_set_decrypt_key(&tmp, ctx->cipher_data);
         OPENSSL_cleanse((unsigned char *)&tmp, sizeof(IDEA_KEY_SCHEDULE));
     }
     return 1;
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_null.c b/Cryptlib/OpenSSL/crypto/evp/e_null.c
index 0dfc48ab..599fcb80 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_null.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_null.c
@@ -1,17 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include "internal/evp_int.h"
 
 static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv, int enc);
@@ -19,7 +67,8 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        const unsigned char *in, size_t inl);
 static const EVP_CIPHER n_cipher = {
     NID_undef,
-    1, 0, 0, 0,
+    1, 0, 0,
+    0,
     null_init_key,
     null_cipher,
     NULL,
@@ -38,6 +87,7 @@ const EVP_CIPHER *EVP_enc_null(void)
 static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv, int enc)
 {
+    /*      memset(&(ctx->c),0,sizeof(ctx->c)); */
     return 1;
 }
 
@@ -45,6 +95,6 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        const unsigned char *in, size_t inl)
 {
     if (in != out)
-        memcpy(out, in, inl);
+        memcpy((char *)out, (const char *)in, inl);
     return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_old.c b/Cryptlib/OpenSSL/crypto/evp/e_old.c
index 927908f8..a23d143b 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_old.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_old.c
@@ -1,15 +1,64 @@
+/* crypto/evp/e_old.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
-NON_EMPTY_TRANSLATION_UNIT
+#ifdef OPENSSL_NO_DEPRECATED
+static void *dummy = &dummy;
 #else
 
 # include <openssl/evp.h>
@@ -89,25 +138,27 @@ const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void)
 }
 # endif
 
-# undef EVP_aes_128_cfb
+# ifndef OPENSSL_NO_AES
+#  undef EVP_aes_128_cfb
 const EVP_CIPHER *EVP_aes_128_cfb(void);
 const EVP_CIPHER *EVP_aes_128_cfb(void)
 {
     return EVP_aes_128_cfb128();
 }
 
-# undef EVP_aes_192_cfb
+#  undef EVP_aes_192_cfb
 const EVP_CIPHER *EVP_aes_192_cfb(void);
 const EVP_CIPHER *EVP_aes_192_cfb(void)
 {
     return EVP_aes_192_cfb128();
 }
 
-# undef EVP_aes_256_cfb
+#  undef EVP_aes_256_cfb
 const EVP_CIPHER *EVP_aes_256_cfb(void);
 const EVP_CIPHER *EVP_aes_256_cfb(void)
 {
     return EVP_aes_256_cfb128();
 }
+# endif
 
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_rc2.c b/Cryptlib/OpenSSL/crypto/evp/e_rc2.c
index ed10bb33..718cc869 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_rc2.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_rc2.c
@@ -1,20 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_rc2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_RC2
 
 # include <openssl/evp.h>
 # include <openssl/objects.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include <openssl/rc2.h>
 
 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
@@ -30,7 +79,7 @@ typedef struct {
     RC2_KEY ks;                 /* key schedule */
 } EVP_RC2_KEY;
 
-# define data(ctx)       EVP_C_DATA(EVP_RC2_KEY,ctx)
+# define data(ctx)       ((EVP_RC2_KEY *)(ctx)->cipher_data)
 
 IMPLEMENT_BLOCK_CIPHER(rc2, ks, RC2, EVP_RC2_KEY, NID_rc2,
                        8,
@@ -130,17 +179,16 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         OPENSSL_assert(l <= sizeof(iv));
         i = ASN1_TYPE_get_int_octetstring(type, &num, iv, l);
         if (i != (int)l)
-            return -1;
+            return (-1);
         key_bits = rc2_magic_to_meth((int)num);
         if (!key_bits)
-            return -1;
+            return (-1);
         if (i > 0 && !EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1))
             return -1;
         EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
-        if (EVP_CIPHER_CTX_set_key_length(c, key_bits / 8) <= 0)
-            return -1;
+        EVP_CIPHER_CTX_set_key_length(c, key_bits / 8);
     }
-    return i;
+    return (i);
 }
 
 static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
@@ -151,9 +199,7 @@ static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
     if (type != NULL) {
         num = rc2_meth_to_magic(c);
         j = EVP_CIPHER_CTX_iv_length(c);
-        i = ASN1_TYPE_set_int_octetstring(type, num,
-                                          (unsigned char *)EVP_CIPHER_CTX_original_iv(c),
-                                          j);
+        i = ASN1_TYPE_set_int_octetstring(type, num, c->oiv, j);
     }
     return (i);
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_rc4.c b/Cryptlib/OpenSSL/crypto/evp/e_rc4.c
index ea95deab..08e48f39 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_rc4.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_rc4.c
@@ -1,28 +1,79 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_rc4.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_RC4
 
 # include <openssl/evp.h>
+# include "evp_locl.h"
 # include <openssl/objects.h>
 # include <openssl/rc4.h>
 
-# include "internal/evp_int.h"
+/* FIXME: surely this is available elsewhere? */
+# define EVP_RC4_KEY_SIZE                16
 
 typedef struct {
     RC4_KEY ks;                 /* working key */
 } EVP_RC4_KEY;
 
-# define data(ctx) ((EVP_RC4_KEY *)EVP_CIPHER_CTX_get_cipher_data(ctx))
+# define data(ctx) ((EVP_RC4_KEY *)(ctx)->cipher_data)
 
 static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc);
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_rc4_hmac_md5.c b/Cryptlib/OpenSSL/crypto/evp/e_rc4_hmac_md5.c
index 8ab18c14..93cfe3f1 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_rc4_hmac_md5.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_rc4_hmac_md5.c
@@ -1,10 +1,50 @@
-/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <openssl/opensslconf.h>
@@ -19,7 +59,15 @@
 # include <openssl/objects.h>
 # include <openssl/rc4.h>
 # include <openssl/md5.h>
-# include "internal/evp_int.h"
+
+# ifndef EVP_CIPH_FLAG_AEAD_CIPHER
+#  define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
+#  define EVP_CTRL_AEAD_TLS1_AAD          0x16
+#  define EVP_CTRL_AEAD_SET_MAC_KEY       0x17
+# endif
+
+/* FIXME: surely this is available elsewhere? */
+# define EVP_RC4_KEY_SIZE                16
 
 typedef struct {
     RC4_KEY ks;
@@ -32,7 +80,7 @@ typedef struct {
 void rc4_md5_enc(RC4_KEY *key, const void *in0, void *out,
                  MD5_CTX *ctx, const void *inp, size_t blocks);
 
-# define data(ctx) ((EVP_RC4_HMAC_MD5 *)EVP_CIPHER_CTX_get_cipher_data(ctx))
+# define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data)
 
 static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx,
                                  const unsigned char *inkey,
@@ -53,7 +101,9 @@ static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx,
 
 # if     defined(RC4_ASM) && defined(MD5_ASM) &&     (	   \
         defined(__x86_64)       || defined(__x86_64__)  || \
-        defined(_M_AMD64)       || defined(_M_X64)      )
+        defined(_M_AMD64)       || defined(_M_X64)      || \
+        defined(__INTEL__)              ) && \
+        !(defined(__APPLE__) && defined(__MACH__))
 #  define STITCHED_CALL
 # endif
 
@@ -78,7 +128,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     if (plen != NO_PAYLOAD_LENGTH && len != (plen + MD5_DIGEST_LENGTH))
         return 0;
 
-    if (EVP_CIPHER_CTX_encrypting(ctx)) {
+    if (ctx->encrypt) {
         if (plen == NO_PAYLOAD_LENGTH)
             plen = len;
 # if defined(STITCHED_CALL)
@@ -218,7 +268,7 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
 
             len = p[arg - 2] << 8 | p[arg - 1];
 
-            if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+            if (!ctx->encrypt) {
                 if (len < MD5_DIGEST_LENGTH)
                     return -1;
                 len -= MD5_DIGEST_LENGTH;
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_rc5.c b/Cryptlib/OpenSSL/crypto/evp/e_rc5.c
index f69ba5b2..f17e99d0 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_rc5.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_rc5.c
@@ -1,19 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_rc5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_RC5
 
 # include <openssl/evp.h>
-# include <internal/evp_int.h>
 # include <openssl/objects.h>
 # include "evp_locl.h"
 # include <openssl/rc5.h>
@@ -54,7 +102,7 @@ static int rc5_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
             return 1;
 
         default:
-            EVPerr(EVP_F_RC5_CTRL, EVP_R_UNSUPPORTED_NUMBER_OF_ROUNDS);
+            EVPerr(EVP_F_RC5_CTRL, EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
             return 0;
         }
 
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_seed.c b/Cryptlib/OpenSSL/crypto/evp/e_seed.c
index 40aec5fc..3d01eaca 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_seed.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_seed.c
@@ -1,22 +1,66 @@
-/*
- * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_seed.c */
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_SEED
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#ifndef OPENSSL_NO_SEED
 # include <openssl/evp.h>
 # include <openssl/err.h>
 # include <string.h>
 # include <assert.h>
 # include <openssl/seed.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 
 static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv, int enc);
@@ -32,7 +76,7 @@ IMPLEMENT_BLOCK_CIPHER(seed, ks, SEED, EVP_SEED_KEY, NID_seed,
 static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv, int enc)
 {
-    SEED_set_key(key, &EVP_C_DATA(EVP_SEED_KEY,ctx)->ks);
+    SEED_set_key(key, ctx->cipher_data);
     return 1;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c b/Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c
index effaf5cc..3430df9e 100644
--- a/Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c
+++ b/Cryptlib/OpenSSL/crypto/evp/e_xcbc_d.c
@@ -1,20 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/e_xcbc_d.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_DES
 
 # include <openssl/evp.h>
 # include <openssl/objects.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 # include <openssl/des.h>
 
 static int desx_cbc_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
@@ -28,7 +77,7 @@ typedef struct {
     DES_cblock outw;
 } DESX_CBC_KEY;
 
-# define data(ctx) EVP_C_DATA(DESX_CBC_KEY,ctx)
+# define data(ctx) ((DESX_CBC_KEY *)(ctx)->cipher_data)
 
 static const EVP_CIPHER d_xcbc_cipher = {
     NID_desx_cbc,
@@ -66,18 +115,16 @@ static int desx_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 {
     while (inl >= EVP_MAXCHUNK) {
         DES_xcbc_encrypt(in, out, (long)EVP_MAXCHUNK, &data(ctx)->ks,
-                         (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                         &data(ctx)->inw, &data(ctx)->outw,
-                         EVP_CIPHER_CTX_encrypting(ctx));
+                         (DES_cblock *)&(ctx->iv[0]),
+                         &data(ctx)->inw, &data(ctx)->outw, ctx->encrypt);
         inl -= EVP_MAXCHUNK;
         in += EVP_MAXCHUNK;
         out += EVP_MAXCHUNK;
     }
     if (inl)
         DES_xcbc_encrypt(in, out, (long)inl, &data(ctx)->ks,
-                         (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
-                         &data(ctx)->inw, &data(ctx)->outw,
-                         EVP_CIPHER_CTX_encrypting(ctx));
+                         (DES_cblock *)&(ctx->iv[0]),
+                         &data(ctx)->inw, &data(ctx)->outw, ctx->encrypt);
     return 1;
 }
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/encode.c b/Cryptlib/OpenSSL/crypto/evp/encode.c
index abb10443..c6c775e0 100644
--- a/Cryptlib/OpenSSL/crypto/evp/encode.c
+++ b/Cryptlib/OpenSSL/crypto/evp/encode.c
@@ -1,17 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/encode.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <limits.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
-#include "evp_locl.h"
 
 static unsigned char conv_ascii2bin(unsigned char a);
 #ifndef CHARSET_EBCDIC
@@ -55,7 +103,7 @@ abcdefghijklmnopqrstuvwxyz0123456789+/";
 #define B64_WS                  0xE0
 #define B64_ERROR               0xFF
 #define B64_NOT_BASE64(a)       (((a)|0x13) == 0xF3)
-#define B64_BASE64(a)           (!B64_NOT_BASE64(a))
+#define B64_BASE64(a)           !B64_NOT_BASE64(a)
 
 static const unsigned char data_ascii2bin[128] = {
     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -93,28 +141,6 @@ static unsigned char conv_ascii2bin(unsigned char a)
 }
 #endif
 
-EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void)
-{
-    return OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX));
-}
-
-void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx)
-{
-    OPENSSL_free(ctx);
-}
-
-int EVP_ENCODE_CTX_copy(EVP_ENCODE_CTX *dctx, EVP_ENCODE_CTX *sctx)
-{
-    memcpy(dctx, sctx, sizeof(EVP_ENCODE_CTX));
-
-    return 1;
-}
-
-int EVP_ENCODE_CTX_num(EVP_ENCODE_CTX *ctx)
-{
-    return ctx->num;
-}
-
 void EVP_EncodeInit(EVP_ENCODE_CTX *ctx)
 {
     ctx->length = 48;
@@ -122,7 +148,7 @@ void EVP_EncodeInit(EVP_ENCODE_CTX *ctx)
     ctx->line_num = 0;
 }
 
-int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
+void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                       const unsigned char *in, int inl)
 {
     int i, j;
@@ -130,12 +156,12 @@ int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 
     *outl = 0;
     if (inl <= 0)
-        return 0;
+        return;
     OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
     if (ctx->length - ctx->num > inl) {
         memcpy(&(ctx->enc_data[ctx->num]), in, inl);
         ctx->num += inl;
-        return 1;
+        return;
     }
     if (ctx->num != 0) {
         i = ctx->length - ctx->num;
@@ -161,14 +187,12 @@ int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
     if (total > INT_MAX) {
         /* Too much output data! */
         *outl = 0;
-        return 0;
+        return;
     }
     if (inl != 0)
         memcpy(&(ctx->enc_data[0]), in, inl);
     ctx->num = inl;
     *outl = total;
-
-    return 1;
 }
 
 void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl)
@@ -402,3 +426,35 @@ int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl)
     } else
         return (1);
 }
+
+#ifdef undef
+int EVP_DecodeValid(unsigned char *buf, int len)
+{
+    int i, num = 0, bad = 0;
+
+    if (len == 0)
+        return (-1);
+    while (conv_ascii2bin(*buf) == B64_WS) {
+        buf++;
+        len--;
+        if (len == 0)
+            return (-1);
+    }
+
+    for (i = len; i >= 4; i -= 4) {
+        if ((conv_ascii2bin(buf[0]) >= 0x40) ||
+            (conv_ascii2bin(buf[1]) >= 0x40) ||
+            (conv_ascii2bin(buf[2]) >= 0x40) ||
+            (conv_ascii2bin(buf[3]) >= 0x40))
+            return (-1);
+        buf += 4;
+        num += 1 + (buf[2] != '=') + (buf[3] != '=');
+    }
+    if ((i == 1) && (conv_ascii2bin(buf[0]) == B64_EOLN))
+        return (num);
+    if ((i == 2) && (conv_ascii2bin(buf[0]) == B64_EOLN) &&
+        (conv_ascii2bin(buf[0]) == B64_EOLN))
+        return (num);
+    return (1);
+}
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_acnf.c b/Cryptlib/OpenSSL/crypto/evp/evp_acnf.c
new file mode 100644
index 00000000..9703116e
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_acnf.c
@@ -0,0 +1,73 @@
+/* evp_acnf.c */
+/*
+ * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/conf.h>
+
+/*
+ * Load all algorithms and configure OpenSSL. This function is called
+ * automatically when OPENSSL_LOAD_CONF is set.
+ */
+
+void OPENSSL_add_all_algorithms_conf(void)
+{
+    OPENSSL_add_all_algorithms_noconf();
+    OPENSSL_config(NULL);
+}
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c b/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c
index 71d13b8d..6fd3a6da 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_cnf.c
@@ -1,19 +1,73 @@
+/* evp_cnf.c */
 /*
- * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Stephen Henson (steve@openssl.org) for the OpenSSL project
+ * 2007.
+ */
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
+#include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
 
 /* Algorithm configuration module. */
 
@@ -23,15 +77,14 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
     const char *oid_section;
     STACK_OF(CONF_VALUE) *sktmp;
     CONF_VALUE *oval;
-
     oid_section = CONF_imodule_get_value(md);
-    if ((sktmp = NCONF_get_section(cnf, oid_section)) == NULL) {
+    if (!(sktmp = NCONF_get_section(cnf, oid_section))) {
         EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_LOADING_SECTION);
         return 0;
     }
     for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
         oval = sk_CONF_VALUE_value(sktmp, i);
-        if (strcmp(oval->name, "fips_mode") == 0) {
+        if (!strcmp(oval->name, "fips_mode")) {
             int m;
             if (!X509V3_get_value_bool(oval, &m)) {
                 EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE);
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
index f829e8dc..0e40f09f 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_enc.c
@@ -1,56 +1,101 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/evp_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include <assert.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
-#include <openssl/engine.h>
-#include "internal/evp_int.h"
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
 #include "evp_locl.h"
 
-int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
-{
-    if (c == NULL)
-        return 1;
-    if (c->cipher != NULL) {
-        if (c->cipher->cleanup && !c->cipher->cleanup(c))
-            return 0;
-        /* Cleanse cipher context data */
-        if (c->cipher_data && c->cipher->ctx_size)
-            OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
-    }
-    OPENSSL_free(c->cipher_data);
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(c->engine);
+#ifdef OPENSSL_FIPS
+# define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
+#else
+# define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
 #endif
-    memset(c, 0, sizeof(*c));
-    return 1;
-}
 
-EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
+const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT;
+
+void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
 {
-    return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
+    memset(ctx, 0, sizeof(EVP_CIPHER_CTX));
+    /* ctx->cipher=NULL; */
 }
 
-void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
+EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
 {
-    EVP_CIPHER_CTX_reset(ctx);
-    OPENSSL_free(ctx);
+    EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
+    if (ctx)
+        EVP_CIPHER_CTX_init(ctx);
+    return ctx;
 }
 
 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                    const unsigned char *key, const unsigned char *iv, int enc)
 {
-    EVP_CIPHER_CTX_reset(ctx);
+    if (cipher)
+        EVP_CIPHER_CTX_init(ctx);
     return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);
 }
 
@@ -70,10 +115,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
      * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
      * this context may already have an ENGINE! Try to avoid releasing the
      * previous handle, re-querying for an ENGINE, and having a
-     * reinitialisation, when it may all be unnecessary.
+     * reinitialisation, when it may all be unecessary.
      */
-    if (ctx->engine && ctx->cipher
-        && (cipher == NULL || cipher->nid == ctx->cipher->nid))
+    if (ctx->engine && ctx->cipher && (!cipher ||
+                                       (cipher
+                                        && (cipher->nid ==
+                                            ctx->cipher->nid))))
         goto skip_to_init;
 #endif
     if (cipher) {
@@ -84,7 +131,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
          */
         if (ctx->cipher) {
             unsigned long flags = ctx->flags;
-            EVP_CIPHER_CTX_reset(ctx);
+            EVP_CIPHER_CTX_cleanup(ctx);
             /* Restore encrypt and flags */
             ctx->encrypt = enc;
             ctx->flags = flags;
@@ -105,7 +152,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                 /*
                  * One positive side-effect of US's export control history,
                  * is that we should at least be able to avoid using US
-                 * misspellings of "initialisation"?
+                 * mispellings of "initialisation"?
                  */
                 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
                 return 0;
@@ -121,11 +168,20 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
             ctx->engine = NULL;
 #endif
 
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode()) {
+            const EVP_CIPHER *fcipher = NULL;
+            if (cipher)
+                fcipher = evp_get_fips_cipher(cipher);
+            if (fcipher)
+                cipher = fcipher;
+            return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+        }
+#endif
         ctx->cipher = cipher;
         if (ctx->cipher->ctx_size) {
-            ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size);
-            if (ctx->cipher_data == NULL) {
-                ctx->cipher = NULL;
+            ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);
+            if (!ctx->cipher_data) {
                 EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
                 return 0;
             }
@@ -137,7 +193,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
         if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
             if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
-                ctx->cipher = NULL;
                 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
                 return 0;
             }
@@ -149,6 +204,10 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 #ifndef OPENSSL_NO_ENGINE
  skip_to_init:
 #endif
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+#endif
     /* we assume block size is a power of 2 in *cryptUpdate */
     OPENSSL_assert(ctx->cipher->block_size == 1
                    || ctx->cipher->block_size == 8
@@ -160,7 +219,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         return 0;
     }
 
-    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_CUSTOM_IV)) {
+    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
         switch (EVP_CIPHER_CTX_mode(ctx)) {
 
         case EVP_CIPH_STREAM_CIPHER:
@@ -191,6 +250,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 
         default:
             return 0;
+            break;
         }
     }
 
@@ -255,61 +315,13 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
     return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
 }
 
-/*
- * According to the letter of standard difference between pointers
- * is specified to be valid only within same object. This makes
- * it formally challenging to determine if input and output buffers
- * are not partially overlapping with standard pointer arithmetic.
- */
-#ifdef PTRDIFF_T
-# undef PTRDIFF_T
-#endif
-#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64
-/*
- * Then we have VMS that distinguishes itself by adhering to
- * sizeof(size_t)==4 even in 64-bit builds, which means that
- * difference between two pointers might be truncated to 32 bits.
- * In the context one can even wonder how comparison for
- * equality is implemented. To be on the safe side we adhere to
- * PTRDIFF_T even for comparison for equality.
- */
-# define PTRDIFF_T uint64_t
-#else
-# define PTRDIFF_T size_t
-#endif
-
-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
-{
-    PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
-    /*
-     * Check for partially overlapping buffers. [Binary logical
-     * operations are used instead of boolean to minimize number
-     * of conditional branches.]
-     */
-    int overlapped = (len > 0) & (diff != 0) & ((diff < (PTRDIFF_T)len) |
-                                                (diff > (0 - (PTRDIFF_T)len)));
-
-    return overlapped;
-}
-
 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                       const unsigned char *in, int inl)
 {
-    int i, j, bl, cmpl = inl;
-
-    if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
-        cmpl = (cmpl + 7) / 8;
-
-    bl = ctx->cipher->block_size;
+    int i, j, bl;
 
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
-        /* If block size > 1 then the cipher will have to do this check */
-        if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
-            EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
-            return 0;
-        }
-
-        i = ctx->cipher->do_cipher(ctx, out, in, inl);
+        i = M_do_cipher(ctx, out, in, inl);
         if (i < 0)
             return 0;
         else
@@ -321,13 +333,9 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         *outl = 0;
         return inl == 0;
     }
-    if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
-        EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
-        return 0;
-    }
 
     if (ctx->buf_len == 0 && (inl & (ctx->block_mask)) == 0) {
-        if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
+        if (M_do_cipher(ctx, out, in, inl)) {
             *outl = inl;
             return 1;
         } else {
@@ -336,6 +344,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         }
     }
     i = ctx->buf_len;
+    bl = ctx->cipher->block_size;
     OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
     if (i != 0) {
         if (bl - i > inl) {
@@ -346,10 +355,10 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         } else {
             j = bl - i;
             memcpy(&(ctx->buf[i]), in, j);
+            if (!M_do_cipher(ctx, out, ctx->buf, bl))
+                return 0;
             inl -= j;
             in += j;
-            if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
-                return 0;
             out += bl;
             *outl = bl;
         }
@@ -358,7 +367,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
     i = inl & (bl - 1);
     inl -= i;
     if (inl > 0) {
-        if (!ctx->cipher->do_cipher(ctx, out, in, inl))
+        if (!M_do_cipher(ctx, out, in, inl))
             return 0;
         *outl += inl;
     }
@@ -382,7 +391,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
     unsigned int i, b, bl;
 
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
-        ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
+        ret = M_do_cipher(ctx, out, NULL, 0);
         if (ret < 0)
             return 0;
         else
@@ -410,7 +419,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
     n = b - bl;
     for (i = bl; i < b; i++)
         ctx->buf[i] = n;
-    ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
+    ret = M_do_cipher(ctx, out, ctx->buf, b);
 
     if (ret)
         *outl = b;
@@ -421,21 +430,11 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                       const unsigned char *in, int inl)
 {
-    int fix_len, cmpl = inl;
+    int fix_len;
     unsigned int b;
 
-    b = ctx->cipher->block_size;
-
-    if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
-        cmpl = (cmpl + 7) / 8;
-
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
-        if (b == 1 && is_partially_overlapping(out, in, cmpl)) {
-            EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
-            return 0;
-        }
-
-        fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
+        fix_len = M_do_cipher(ctx, out, in, inl);
         if (fix_len < 0) {
             *outl = 0;
             return 0;
@@ -452,15 +451,10 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
     if (ctx->flags & EVP_CIPH_NO_PADDING)
         return EVP_EncryptUpdate(ctx, out, outl, in, inl);
 
+    b = ctx->cipher->block_size;
     OPENSSL_assert(b <= sizeof ctx->final);
 
     if (ctx->final_used) {
-        /* see comment about PTRDIFF_T comparison above */
-        if (((PTRDIFF_T)out == (PTRDIFF_T)in)
-            || is_partially_overlapping(out, in, b)) {
-            EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
-            return 0;
-        }
         memcpy(out, ctx->final, b);
         out += b;
         fix_len = 1;
@@ -501,7 +495,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
     *outl = 0;
 
     if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
-        i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
+        i = M_do_cipher(ctx, out, NULL, 0);
         if (i < 0)
             return 0;
         else
@@ -550,6 +544,42 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
     return (1);
 }
 
+void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
+{
+    if (ctx) {
+        EVP_CIPHER_CTX_cleanup(ctx);
+        OPENSSL_free(ctx);
+    }
+}
+
+int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
+{
+#ifndef OPENSSL_FIPS
+    if (c->cipher != NULL) {
+        if (c->cipher->cleanup && !c->cipher->cleanup(c))
+            return 0;
+        /* Cleanse cipher context data */
+        if (c->cipher_data)
+            OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
+    }
+    if (c->cipher_data)
+        OPENSSL_free(c->cipher_data);
+#endif
+#ifndef OPENSSL_NO_ENGINE
+    if (c->engine)
+        /*
+         * The EVP_CIPHER we used belongs to an ENGINE, release the
+         * functional reference we held for this reason.
+         */
+        ENGINE_finish(c->engine);
+#endif
+#ifdef OPENSSL_FIPS
+    FIPS_cipher_ctx_cleanup(c);
+#endif
+    memset(c, 0, sizeof(EVP_CIPHER_CTX));
+    return 1;
+}
+
 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
 {
     if (c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH)
@@ -618,13 +648,12 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
     }
 #endif
 
-    EVP_CIPHER_CTX_reset(out);
-    memcpy(out, in, sizeof(*out));
+    EVP_CIPHER_CTX_cleanup(out);
+    memcpy(out, in, sizeof *out);
 
     if (in->cipher_data && in->cipher->ctx_size) {
         out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
-        if (out->cipher_data == NULL) {
-            out->cipher = NULL;
+        if (!out->cipher_data) {
             EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_MALLOC_FAILURE);
             return 0;
         }
@@ -632,10 +661,6 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
     }
 
     if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
-        if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {
-            out->cipher = NULL;
-            EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, EVP_R_INITIALIZATION_ERROR);
-            return 0;
-        }
+        return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
     return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_err.c b/Cryptlib/OpenSSL/crypto/evp/evp_err.c
index e32a1c01..bcd841eb 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_err.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/evp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,36 +70,39 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_EVP,0,reason)
 
 static ERR_STRING_DATA EVP_str_functs[] = {
-    {ERR_FUNC(EVP_F_AESNI_INIT_KEY), "aesni_init_key"},
-    {ERR_FUNC(EVP_F_AES_INIT_KEY), "aes_init_key"},
-    {ERR_FUNC(EVP_F_AES_OCB_CIPHER), "aes_ocb_cipher"},
-    {ERR_FUNC(EVP_F_AES_T4_INIT_KEY), "aes_t4_init_key"},
-    {ERR_FUNC(EVP_F_AES_WRAP_CIPHER), "aes_wrap_cipher"},
-    {ERR_FUNC(EVP_F_ALG_MODULE_INIT), "alg_module_init"},
-    {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "camellia_init_key"},
-    {ERR_FUNC(EVP_F_CHACHA20_POLY1305_CTRL), "chacha20_poly1305_ctrl"},
-    {ERR_FUNC(EVP_F_CMLL_T4_INIT_KEY), "cmll_t4_init_key"},
-    {ERR_FUNC(EVP_F_DES_EDE3_WRAP_CIPHER), "des_ede3_wrap_cipher"},
-    {ERR_FUNC(EVP_F_DO_SIGVER_INIT), "do_sigver_init"},
+    {ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
+    {ERR_FUNC(EVP_F_AESNI_XTS_CIPHER), "AESNI_XTS_CIPHER"},
+    {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
+    {ERR_FUNC(EVP_F_AES_T4_INIT_KEY), "AES_T4_INIT_KEY"},
+    {ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"},
+    {ERR_FUNC(EVP_F_AES_XTS_CIPHER), "AES_XTS_CIPHER"},
+    {ERR_FUNC(EVP_F_ALG_MODULE_INIT), "ALG_MODULE_INIT"},
+    {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
+    {ERR_FUNC(EVP_F_CMAC_INIT), "CMAC_INIT"},
+    {ERR_FUNC(EVP_F_CMLL_T4_INIT_KEY), "CMLL_T4_INIT_KEY"},
+    {ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
+    {ERR_FUNC(EVP_F_DO_SIGVER_INIT), "DO_SIGVER_INIT"},
+    {ERR_FUNC(EVP_F_DSAPKEY2PKCS8), "DSAPKEY2PKCS8"},
+    {ERR_FUNC(EVP_F_DSA_PKEY2PKCS8), "DSA_PKEY2PKCS8"},
+    {ERR_FUNC(EVP_F_ECDSA_PKEY2PKCS8), "ECDSA_PKEY2PKCS8"},
+    {ERR_FUNC(EVP_F_ECKEY_PKEY2PKCS8), "ECKEY_PKEY2PKCS8"},
     {ERR_FUNC(EVP_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"},
     {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_COPY), "EVP_CIPHER_CTX_copy"},
     {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL), "EVP_CIPHER_CTX_ctrl"},
     {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH),
      "EVP_CIPHER_CTX_set_key_length"},
     {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
-    {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
     {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
     {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
-    {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
     {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
     {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
     {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
     {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
     {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
     {ERR_FUNC(EVP_F_EVP_PBE_CIPHERINIT), "EVP_PBE_CipherInit"},
-    {ERR_FUNC(EVP_F_EVP_PBE_SCRYPT), "EVP_PBE_scrypt"},
     {ERR_FUNC(EVP_F_EVP_PKCS82PKEY), "EVP_PKCS82PKEY"},
-    {ERR_FUNC(EVP_F_EVP_PKEY2PKCS8), "EVP_PKEY2PKCS8"},
+    {ERR_FUNC(EVP_F_EVP_PKCS82PKEY_BROKEN), "EVP_PKCS82PKEY_BROKEN"},
+    {ERR_FUNC(EVP_F_EVP_PKEY2PKCS8_BROKEN), "EVP_PKEY2PKCS8_broken"},
     {ERR_FUNC(EVP_F_EVP_PKEY_COPY_PARAMETERS), "EVP_PKEY_copy_parameters"},
     {ERR_FUNC(EVP_F_EVP_PKEY_CTX_CTRL), "EVP_PKEY_CTX_ctrl"},
     {ERR_FUNC(EVP_F_EVP_PKEY_CTX_CTRL_STR), "EVP_PKEY_CTX_ctrl_str"},
@@ -62,11 +116,11 @@ static ERR_STRING_DATA EVP_str_functs[] = {
     {ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT), "EVP_PKEY_encrypt"},
     {ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT_INIT), "EVP_PKEY_encrypt_init"},
     {ERR_FUNC(EVP_F_EVP_PKEY_ENCRYPT_OLD), "EVP_PKEY_encrypt_old"},
-    {ERR_FUNC(EVP_F_EVP_PKEY_GET0_DH), "EVP_PKEY_get0_DH"},
-    {ERR_FUNC(EVP_F_EVP_PKEY_GET0_DSA), "EVP_PKEY_get0_DSA"},
-    {ERR_FUNC(EVP_F_EVP_PKEY_GET0_EC_KEY), "EVP_PKEY_get0_EC_KEY"},
-    {ERR_FUNC(EVP_F_EVP_PKEY_GET0_HMAC), "EVP_PKEY_get0_hmac"},
-    {ERR_FUNC(EVP_F_EVP_PKEY_GET0_RSA), "EVP_PKEY_get0_RSA"},
+    {ERR_FUNC(EVP_F_EVP_PKEY_GET1_DH), "EVP_PKEY_get1_DH"},
+    {ERR_FUNC(EVP_F_EVP_PKEY_GET1_DSA), "EVP_PKEY_get1_DSA"},
+    {ERR_FUNC(EVP_F_EVP_PKEY_GET1_ECDSA), "EVP_PKEY_GET1_ECDSA"},
+    {ERR_FUNC(EVP_F_EVP_PKEY_GET1_EC_KEY), "EVP_PKEY_get1_EC_KEY"},
+    {ERR_FUNC(EVP_F_EVP_PKEY_GET1_RSA), "EVP_PKEY_get1_RSA"},
     {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN), "EVP_PKEY_keygen"},
     {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN_INIT), "EVP_PKEY_keygen_init"},
     {ERR_FUNC(EVP_F_EVP_PKEY_NEW), "EVP_PKEY_new"},
@@ -79,28 +133,42 @@ static ERR_STRING_DATA EVP_str_functs[] = {
     {ERR_FUNC(EVP_F_EVP_PKEY_VERIFY_RECOVER), "EVP_PKEY_verify_recover"},
     {ERR_FUNC(EVP_F_EVP_PKEY_VERIFY_RECOVER_INIT),
      "EVP_PKEY_verify_recover_init"},
+    {ERR_FUNC(EVP_F_EVP_RIJNDAEL), "EVP_RIJNDAEL"},
     {ERR_FUNC(EVP_F_EVP_SIGNFINAL), "EVP_SignFinal"},
     {ERR_FUNC(EVP_F_EVP_VERIFYFINAL), "EVP_VerifyFinal"},
-    {ERR_FUNC(EVP_F_INT_CTX_NEW), "int_ctx_new"},
+    {ERR_FUNC(EVP_F_FIPS_CIPHERINIT), "FIPS_CIPHERINIT"},
+    {ERR_FUNC(EVP_F_FIPS_CIPHER_CTX_COPY), "FIPS_CIPHER_CTX_COPY"},
+    {ERR_FUNC(EVP_F_FIPS_CIPHER_CTX_CTRL), "FIPS_CIPHER_CTX_CTRL"},
+    {ERR_FUNC(EVP_F_FIPS_CIPHER_CTX_SET_KEY_LENGTH),
+     "FIPS_CIPHER_CTX_SET_KEY_LENGTH"},
+    {ERR_FUNC(EVP_F_FIPS_DIGESTINIT), "FIPS_DIGESTINIT"},
+    {ERR_FUNC(EVP_F_FIPS_MD_CTX_COPY), "FIPS_MD_CTX_COPY"},
+    {ERR_FUNC(EVP_F_HMAC_INIT_EX), "HMAC_Init_ex"},
+    {ERR_FUNC(EVP_F_INT_CTX_NEW), "INT_CTX_NEW"},
     {ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN), "PKCS5_PBE_keyivgen"},
     {ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN), "PKCS5_v2_PBE_keyivgen"},
-    {ERR_FUNC(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN), "PKCS5_v2_PBKDF2_keyivgen"},
-    {ERR_FUNC(EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN), "PKCS5_v2_scrypt_keyivgen"},
-    {ERR_FUNC(EVP_F_PKEY_SET_TYPE), "pkey_set_type"},
-    {ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH), "rc2_magic_to_meth"},
-    {ERR_FUNC(EVP_F_RC5_CTRL), "rc5_ctrl"},
+    {ERR_FUNC(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN), "PKCS5_V2_PBKDF2_KEYIVGEN"},
+    {ERR_FUNC(EVP_F_PKCS8_SET_BROKEN), "PKCS8_set_broken"},
+    {ERR_FUNC(EVP_F_PKEY_SET_TYPE), "PKEY_SET_TYPE"},
+    {ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH), "RC2_MAGIC_TO_METH"},
+    {ERR_FUNC(EVP_F_RC5_CTRL), "RC5_CTRL"},
     {0, NULL}
 };
 
 static ERR_STRING_DATA EVP_str_reasons[] = {
+    {ERR_REASON(EVP_R_AES_IV_SETUP_FAILED), "aes iv setup failed"},
     {ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED), "aes key setup failed"},
+    {ERR_REASON(EVP_R_ASN1_LIB), "asn1 lib"},
+    {ERR_REASON(EVP_R_BAD_BLOCK_LENGTH), "bad block length"},
     {ERR_REASON(EVP_R_BAD_DECRYPT), "bad decrypt"},
+    {ERR_REASON(EVP_R_BAD_KEY_LENGTH), "bad key length"},
+    {ERR_REASON(EVP_R_BN_DECODE_ERROR), "bn decode error"},
+    {ERR_REASON(EVP_R_BN_PUBKEY_ERROR), "bn pubkey error"},
     {ERR_REASON(EVP_R_BUFFER_TOO_SMALL), "buffer too small"},
     {ERR_REASON(EVP_R_CAMELLIA_KEY_SETUP_FAILED),
      "camellia key setup failed"},
     {ERR_REASON(EVP_R_CIPHER_PARAMETER_ERROR), "cipher parameter error"},
     {ERR_REASON(EVP_R_COMMAND_NOT_SUPPORTED), "command not supported"},
-    {ERR_REASON(EVP_R_COPY_ERROR), "copy error"},
     {ERR_REASON(EVP_R_CTRL_NOT_IMPLEMENTED), "ctrl not implemented"},
     {ERR_REASON(EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED),
      "ctrl operation not implemented"},
@@ -109,16 +177,17 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
     {ERR_REASON(EVP_R_DECODE_ERROR), "decode error"},
     {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES), "different key types"},
     {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS), "different parameters"},
+    {ERR_REASON(EVP_R_DISABLED_FOR_FIPS), "disabled for fips"},
+    {ERR_REASON(EVP_R_ENCODE_ERROR), "encode error"},
     {ERR_REASON(EVP_R_ERROR_LOADING_SECTION), "error loading section"},
     {ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE), "error setting fips mode"},
-    {ERR_REASON(EVP_R_EXPECTING_AN_HMAC_KEY), "expecting an hmac key"},
+    {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR), "evp pbe cipherinit error"},
     {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY), "expecting an rsa key"},
     {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY), "expecting a dh key"},
     {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY), "expecting a dsa key"},
+    {ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY), "expecting a ecdsa key"},
     {ERR_REASON(EVP_R_EXPECTING_A_EC_KEY), "expecting a ec key"},
     {ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED), "fips mode not supported"},
-    {ERR_REASON(EVP_R_ILLEGAL_SCRYPT_PARAMETERS),
-     "illegal scrypt parameters"},
     {ERR_REASON(EVP_R_INITIALIZATION_ERROR), "initialization error"},
     {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED), "input not initialized"},
     {ERR_REASON(EVP_R_INVALID_DIGEST), "invalid digest"},
@@ -126,48 +195,55 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
     {ERR_REASON(EVP_R_INVALID_KEY), "invalid key"},
     {ERR_REASON(EVP_R_INVALID_KEY_LENGTH), "invalid key length"},
     {ERR_REASON(EVP_R_INVALID_OPERATION), "invalid operation"},
+    {ERR_REASON(EVP_R_IV_TOO_LARGE), "iv too large"},
     {ERR_REASON(EVP_R_KEYGEN_FAILURE), "keygen failure"},
-    {ERR_REASON(EVP_R_MEMORY_LIMIT_EXCEEDED), "memory limit exceeded"},
     {ERR_REASON(EVP_R_MESSAGE_DIGEST_IS_NULL), "message digest is null"},
     {ERR_REASON(EVP_R_METHOD_NOT_SUPPORTED), "method not supported"},
     {ERR_REASON(EVP_R_MISSING_PARAMETERS), "missing parameters"},
     {ERR_REASON(EVP_R_NO_CIPHER_SET), "no cipher set"},
     {ERR_REASON(EVP_R_NO_DEFAULT_DIGEST), "no default digest"},
     {ERR_REASON(EVP_R_NO_DIGEST_SET), "no digest set"},
+    {ERR_REASON(EVP_R_NO_DSA_PARAMETERS), "no dsa parameters"},
     {ERR_REASON(EVP_R_NO_KEY_SET), "no key set"},
     {ERR_REASON(EVP_R_NO_OPERATION_SET), "no operation set"},
+    {ERR_REASON(EVP_R_NO_SIGN_FUNCTION_CONFIGURED),
+     "no sign function configured"},
+    {ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),
+     "no verify function configured"},
     {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
      "operation not supported for this keytype"},
     {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"},
-    {ERR_REASON(EVP_R_PARTIALLY_OVERLAPPING),
-     "partially overlapping buffers"},
+    {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),
+     "pkcs8 unknown broken type"},
     {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
     {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"},
     {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
+    {ERR_REASON(EVP_R_TOO_LARGE), "too large"},
     {ERR_REASON(EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
     {ERR_REASON(EVP_R_UNKNOWN_DIGEST), "unknown digest"},
     {ERR_REASON(EVP_R_UNKNOWN_OPTION), "unknown option"},
     {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM), "unknown pbe algorithm"},
+    {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),
+     "unsuported number of rounds"},
     {ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM), "unsupported algorithm"},
     {ERR_REASON(EVP_R_UNSUPPORTED_CIPHER), "unsupported cipher"},
     {ERR_REASON(EVP_R_UNSUPPORTED_KEYLENGTH), "unsupported keylength"},
     {ERR_REASON(EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION),
      "unsupported key derivation function"},
     {ERR_REASON(EVP_R_UNSUPPORTED_KEY_SIZE), "unsupported key size"},
-    {ERR_REASON(EVP_R_UNSUPPORTED_NUMBER_OF_ROUNDS),
-     "unsupported number of rounds"},
     {ERR_REASON(EVP_R_UNSUPPORTED_PRF), "unsupported prf"},
     {ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM),
      "unsupported private key algorithm"},
     {ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE), "unsupported salt type"},
     {ERR_REASON(EVP_R_WRAP_MODE_NOT_ALLOWED), "wrap mode not allowed"},
     {ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"},
+    {ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE), "wrong public key type"},
     {0, NULL}
 };
 
 #endif
 
-int ERR_load_EVP_strings(void)
+void ERR_load_EVP_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -176,5 +252,4 @@ int ERR_load_EVP_strings(void)
         ERR_load_strings(0, EVP_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_key.c b/Cryptlib/OpenSSL/crypto/evp/evp_key.c
index 8a4297cf..63c8866e 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_key.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_key.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/evp_key.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
@@ -76,42 +125,40 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
                    int datal, int count, unsigned char *key,
                    unsigned char *iv)
 {
-    EVP_MD_CTX *c;
+    EVP_MD_CTX c;
     unsigned char md_buf[EVP_MAX_MD_SIZE];
     int niv, nkey, addmd = 0;
     unsigned int mds = 0, i;
     int rv = 0;
-    nkey = EVP_CIPHER_key_length(type);
-    niv = EVP_CIPHER_iv_length(type);
+    nkey = type->key_len;
+    niv = type->iv_len;
     OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH);
     OPENSSL_assert(niv <= EVP_MAX_IV_LENGTH);
 
     if (data == NULL)
         return (nkey);
 
-    c = EVP_MD_CTX_new();
-    if (c == NULL)
-        goto err;
+    EVP_MD_CTX_init(&c);
     for (;;) {
-        if (!EVP_DigestInit_ex(c, md, NULL))
+        if (!EVP_DigestInit_ex(&c, md, NULL))
             goto err;
         if (addmd++)
-            if (!EVP_DigestUpdate(c, &(md_buf[0]), mds))
+            if (!EVP_DigestUpdate(&c, &(md_buf[0]), mds))
                 goto err;
-        if (!EVP_DigestUpdate(c, data, datal))
+        if (!EVP_DigestUpdate(&c, data, datal))
             goto err;
         if (salt != NULL)
-            if (!EVP_DigestUpdate(c, salt, PKCS5_SALT_LEN))
+            if (!EVP_DigestUpdate(&c, salt, PKCS5_SALT_LEN))
                 goto err;
-        if (!EVP_DigestFinal_ex(c, &(md_buf[0]), &mds))
+        if (!EVP_DigestFinal_ex(&c, &(md_buf[0]), &mds))
             goto err;
 
         for (i = 1; i < (unsigned int)count; i++) {
-            if (!EVP_DigestInit_ex(c, md, NULL))
+            if (!EVP_DigestInit_ex(&c, md, NULL))
                 goto err;
-            if (!EVP_DigestUpdate(c, &(md_buf[0]), mds))
+            if (!EVP_DigestUpdate(&c, &(md_buf[0]), mds))
                 goto err;
-            if (!EVP_DigestFinal_ex(c, &(md_buf[0]), &mds))
+            if (!EVP_DigestFinal_ex(&c, &(md_buf[0]), &mds))
                 goto err;
         }
         i = 0;
@@ -142,9 +189,9 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
         if ((nkey == 0) && (niv == 0))
             break;
     }
-    rv = EVP_CIPHER_key_length(type);
+    rv = type->key_len;
  err:
-    EVP_MD_CTX_free(c);
+    EVP_MD_CTX_cleanup(&c);
     OPENSSL_cleanse(md_buf, sizeof(md_buf));
     return rv;
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
index 0c76db5a..7e0bab90 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
@@ -1,18 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/evp_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include "internal/evp_int.h"
-#include "evp_locl.h"
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+# include "evp_locl.h"
+#endif
 
 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 {
@@ -31,7 +82,6 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         case EVP_CIPH_GCM_MODE:
         case EVP_CIPH_CCM_MODE:
         case EVP_CIPH_XTS_MODE:
-        case EVP_CIPH_OCB_MODE:
             ret = -1;
             break;
 
@@ -59,7 +109,6 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         case EVP_CIPH_GCM_MODE:
         case EVP_CIPH_CCM_MODE:
         case EVP_CIPH_XTS_MODE:
-        case EVP_CIPH_OCB_MODE:
             ret = -1;
             break;
 
@@ -155,7 +204,7 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
     default:
         /* Check it has an OID and it is valid */
         otmp = OBJ_nid2obj(nid);
-        if (OBJ_get0_data(otmp) == NULL)
+        if (!otmp || !otmp->data)
             nid = NID_undef;
         ASN1_OBJECT_free(otmp);
         return nid;
@@ -172,11 +221,6 @@ int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx)
     return ctx->cipher->block_size;
 }
 
-int EVP_CIPHER_impl_ctx_size(const EVP_CIPHER *e)
-{
-    return e->ctx_size;
-}
-
 int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                const unsigned char *in, unsigned int inl)
 {
@@ -188,14 +232,24 @@ const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx)
     return ctx->cipher;
 }
 
-int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx)
+unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
 {
-    return ctx->encrypt;
+#ifdef OPENSSL_FIPS
+    const EVP_CIPHER *fcipher;
+    fcipher = evp_get_fips_cipher(cipher);
+    if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
+        return cipher->flags | EVP_CIPH_FLAG_FIPS;
+#endif
+    return cipher->flags;
 }
 
-unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
+unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
 {
-    return cipher->flags;
+#ifdef OPENSSL_FIPS
+    return EVP_CIPHER_flags(ctx->cipher);
+#else
+    return ctx->cipher->flags;
+#endif
 }
 
 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
@@ -208,21 +262,6 @@ void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data)
     ctx->app_data = data;
 }
 
-void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx)
-{
-    return ctx->cipher_data;
-}
-
-void *EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data)
-{
-    void *old_cipher_data;
-
-    old_cipher_data = ctx->cipher_data;
-    ctx->cipher_data = cipher_data;
-
-    return old_cipher_data;
-}
-
 int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher)
 {
     return cipher->iv_len;
@@ -233,36 +272,6 @@ int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx)
     return ctx->cipher->iv_len;
 }
 
-const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx)
-{
-    return ctx->oiv;
-}
-
-const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx)
-{
-    return ctx->iv;
-}
-
-unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx)
-{
-    return ctx->iv;
-}
-
-unsigned char *EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx)
-{
-    return ctx->buf;
-}
-
-int EVP_CIPHER_CTX_num(const EVP_CIPHER_CTX *ctx)
-{
-    return ctx->num;
-}
-
-void EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num)
-{
-    ctx->num = num;
-}
-
 int EVP_CIPHER_key_length(const EVP_CIPHER *cipher)
 {
     return cipher->key_len;
@@ -307,134 +316,42 @@ int EVP_MD_size(const EVP_MD *md)
     return md->md_size;
 }
 
-unsigned long EVP_MD_flags(const EVP_MD *md)
-{
-    return md->flags;
-}
+#ifdef OPENSSL_FIPS
 
-EVP_MD *EVP_MD_meth_new(int md_type, int pkey_type)
+const EVP_MD *evp_get_fips_md(const EVP_MD *md)
 {
-    EVP_MD *md = OPENSSL_zalloc(sizeof(*md));
-
-    if (md != NULL) {
-        md->type = md_type;
-        md->pkey_type = pkey_type;
-    }
-    return md;
+    int nid = EVP_MD_type(md);
+    if (nid == NID_dsa)
+        return FIPS_evp_dss1();
+    else if (nid == NID_dsaWithSHA)
+        return FIPS_evp_dss();
+    else if (nid == NID_ecdsa_with_SHA1)
+        return FIPS_evp_ecdsa();
+    else
+        return FIPS_get_digestbynid(nid);
 }
-EVP_MD *EVP_MD_meth_dup(const EVP_MD *md)
-{
-    EVP_MD *to = EVP_MD_meth_new(md->type, md->pkey_type);
 
-    if (to != NULL)
-        memcpy(to, md, sizeof(*to));
-    return to;
-}
-void EVP_MD_meth_free(EVP_MD *md)
-{
-    OPENSSL_free(md);
-}
-int EVP_MD_meth_set_input_blocksize(EVP_MD *md, int blocksize)
-{
-    md->block_size = blocksize;
-    return 1;
-}
-int EVP_MD_meth_set_result_size(EVP_MD *md, int resultsize)
+const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher)
 {
-    md->md_size = resultsize;
-    return 1;
-}
-int EVP_MD_meth_set_app_datasize(EVP_MD *md, int datasize)
-{
-    md->ctx_size = datasize;
-    return 1;
-}
-int EVP_MD_meth_set_flags(EVP_MD *md, unsigned long flags)
-{
-    md->flags = flags;
-    return 1;
-}
-int EVP_MD_meth_set_init(EVP_MD *md, int (*init)(EVP_MD_CTX *ctx))
-{
-    md->init = init;
-    return 1;
-}
-int EVP_MD_meth_set_update(EVP_MD *md, int (*update)(EVP_MD_CTX *ctx,
-                                                     const void *data,
-                                                     size_t count))
-{
-    md->update = update;
-    return 1;
-}
-int EVP_MD_meth_set_final(EVP_MD *md, int (*final)(EVP_MD_CTX *ctx,
-                                                   unsigned char *md))
-{
-    md->final = final;
-    return 1;
-}
-int EVP_MD_meth_set_copy(EVP_MD *md, int (*copy)(EVP_MD_CTX *to,
-                                                 const EVP_MD_CTX *from))
-{
-    md->copy = copy;
-    return 1;
-}
-int EVP_MD_meth_set_cleanup(EVP_MD *md, int (*cleanup)(EVP_MD_CTX *ctx))
-{
-    md->cleanup = cleanup;
-    return 1;
-}
-int EVP_MD_meth_set_ctrl(EVP_MD *md, int (*ctrl)(EVP_MD_CTX *ctx, int cmd,
-                                                 int p1, void *p2))
-{
-    md->md_ctrl = ctrl;
-    return 1;
+    int nid = cipher->nid;
+    if (nid == NID_undef)
+        return FIPS_evp_enc_null();
+    else
+        return FIPS_get_cipherbynid(nid);
 }
 
-int EVP_MD_meth_get_input_blocksize(const EVP_MD *md)
-{
-    return md->block_size;
-}
-int EVP_MD_meth_get_result_size(const EVP_MD *md)
-{
-    return md->md_size;
-}
-int EVP_MD_meth_get_app_datasize(const EVP_MD *md)
-{
-    return md->ctx_size;
-}
-unsigned long EVP_MD_meth_get_flags(const EVP_MD *md)
+#endif
+
+unsigned long EVP_MD_flags(const EVP_MD *md)
 {
+#ifdef OPENSSL_FIPS
+    const EVP_MD *fmd;
+    fmd = evp_get_fips_md(md);
+    if (fmd && fmd->flags & EVP_MD_FLAG_FIPS)
+        return md->flags | EVP_MD_FLAG_FIPS;
+#endif
     return md->flags;
 }
-int (*EVP_MD_meth_get_init(const EVP_MD *md))(EVP_MD_CTX *ctx)
-{
-    return md->init;
-}
-int (*EVP_MD_meth_get_update(const EVP_MD *md))(EVP_MD_CTX *ctx,
-                                                const void *data,
-                                                size_t count)
-{
-    return md->update;
-}
-int (*EVP_MD_meth_get_final(const EVP_MD *md))(EVP_MD_CTX *ctx,
-                                               unsigned char *md)
-{
-    return md->final;
-}
-int (*EVP_MD_meth_get_copy(const EVP_MD *md))(EVP_MD_CTX *to,
-                                              const EVP_MD_CTX *from)
-{
-    return md->copy;
-}
-int (*EVP_MD_meth_get_cleanup(const EVP_MD *md))(EVP_MD_CTX *ctx)
-{
-    return md->cleanup;
-}
-int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd,
-                                              int p1, void *p2)
-{
-    return md->md_ctrl;
-}
 
 const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx)
 {
@@ -443,29 +360,6 @@ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx)
     return ctx->digest;
 }
 
-EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx)
-{
-    return ctx->pctx;
-}
-
-void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx)
-{
-    return ctx->md_data;
-}
-
-int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
-                                             const void *data, size_t count)
-{
-    return ctx->update;
-}
-
-void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx,
-                              int (*update) (EVP_MD_CTX *ctx,
-                                             const void *data, size_t count))
-{
-    ctx->update = update;
-}
-
 void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags)
 {
     ctx->flags |= flags;
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h b/Cryptlib/OpenSSL/crypto/evp/evp_locl.h
index 209577b7..2bb709a0 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_locl.h
@@ -1,68 +1,373 @@
+/* evp_locl.h */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-/* EVP_MD_CTX related stuff */
-
-struct evp_md_ctx_st {
-    const EVP_MD *digest;
-    ENGINE *engine;             /* functional reference if 'digest' is
-                                 * ENGINE-provided */
-    unsigned long flags;
-    void *md_data;
-    /* Public key context for sign/verify */
-    EVP_PKEY_CTX *pctx;
-    /* Update function: usually copied from EVP_MD */
-    int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count);
-} /* EVP_MD_CTX */ ;
-
-struct evp_cipher_ctx_st {
-    const EVP_CIPHER *cipher;
-    ENGINE *engine;             /* functional reference if 'cipher' is
-                                 * ENGINE-provided */
-    int encrypt;                /* encrypt or decrypt */
-    int buf_len;                /* number we have left */
-    unsigned char oiv[EVP_MAX_IV_LENGTH]; /* original iv */
-    unsigned char iv[EVP_MAX_IV_LENGTH]; /* working iv */
-    unsigned char buf[EVP_MAX_BLOCK_LENGTH]; /* saved partial block */
-    int num;                    /* used by cfb/ofb/ctr mode */
-    /* FIXME: Should this even exist? It appears unused */
-    void *app_data;             /* application stuff */
-    int key_len;                /* May change for variable length cipher */
-    unsigned long flags;        /* Various flags */
-    void *cipher_data;          /* per EVP data */
-    int final_used;
-    int block_mask;
-    unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
-} /* EVP_CIPHER_CTX */ ;
+/* Macros to code block cipher wrappers */
+
+/* Wrapper functions for each cipher mode */
+
+#define BLOCK_CIPHER_ecb_loop() \
+        size_t i, bl; \
+        bl = ctx->cipher->block_size;\
+        if(inl < bl) return 1;\
+        inl -= bl; \
+        for(i=0; i <= inl; i+=bl)
+
+#define BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
+static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+        BLOCK_CIPHER_ecb_loop() \
+                cprefix##_ecb_encrypt(in + i, out + i, &((kstruct *)ctx->cipher_data)->ksched, ctx->encrypt);\
+        return 1;\
+}
+
+#define EVP_MAXCHUNK ((size_t)1<<(sizeof(long)*8-2))
+
+#define BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched) \
+static int cname##_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+        while(inl>=EVP_MAXCHUNK)\
+            {\
+            cprefix##_ofb##cbits##_encrypt(in, out, (long)EVP_MAXCHUNK, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num);\
+            inl-=EVP_MAXCHUNK;\
+            in +=EVP_MAXCHUNK;\
+            out+=EVP_MAXCHUNK;\
+            }\
+        if (inl)\
+            cprefix##_ofb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
+static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+        while(inl>=EVP_MAXCHUNK) \
+            {\
+            cprefix##_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, ctx->encrypt);\
+            inl-=EVP_MAXCHUNK;\
+            in +=EVP_MAXCHUNK;\
+            out+=EVP_MAXCHUNK;\
+            }\
+        if (inl)\
+            cprefix##_cbc_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, ctx->encrypt);\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
+static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+        size_t chunk=EVP_MAXCHUNK;\
+        if (cbits==1)  chunk>>=3;\
+        if (inl<chunk) chunk=inl;\
+        while(inl && inl>=chunk)\
+            {\
+            cprefix##_cfb##cbits##_encrypt(in, out, (long)((cbits==1) && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ?inl*8:inl), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
+            inl-=chunk;\
+            in +=chunk;\
+            out+=chunk;\
+            if(inl<chunk) chunk=inl;\
+            }\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
+        BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
+        BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched)
+
+#define BLOCK_CIPHER_def1(cname, nmode, mode, MODE, kstruct, nid, block_size, \
+                          key_len, iv_len, flags, init_key, cleanup, \
+                          set_asn1, get_asn1, ctrl) \
+static const EVP_CIPHER cname##_##mode = { \
+        nid##_##nmode, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_##MODE##_MODE, \
+        init_key, \
+        cname##_##mode##_cipher, \
+        cleanup, \
+        sizeof(kstruct), \
+        set_asn1, get_asn1,\
+        ctrl, \
+        NULL \
+}; \
+const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
+
+#define BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, \
+                             iv_len, flags, init_key, cleanup, set_asn1, \
+                             get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
+                  iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
+                             iv_len, cbits, flags, init_key, cleanup, \
+                             set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
+                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
+                             iv_len, cbits, flags, init_key, cleanup, \
+                             set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, 1, \
+                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
+                             flags, init_key, cleanup, set_asn1, \
+                             get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
+                  0, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+                          nid, block_size, key_len, iv_len, cbits, flags, \
+                          init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+                     init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
+                     init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+/*-
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+                                nid, block_size, key_len, iv_len, flags,\
+                                 init_key, cleanup, set_asn1, get_asn1, ctrl)\
+static const EVP_CIPHER cname##_cbc = {\
+        nid##_cbc, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_CBC_MODE,\
+        init_key,\
+        cname##_cbc_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl, \
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\
+static const EVP_CIPHER cname##_cfb = {\
+        nid##_cfb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_CFB_MODE,\
+        init_key,\
+        cname##_cfb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\
+static const EVP_CIPHER cname##_ofb = {\
+        nid##_ofb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_OFB_MODE,\
+        init_key,\
+        cname##_ofb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\
+static const EVP_CIPHER cname##_ecb = {\
+        nid##_ecb, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_ECB_MODE,\
+        init_key,\
+        cname##_ecb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
+*/
+
+#define IMPLEMENT_BLOCK_CIPHER(cname, ksched, cprefix, kstruct, nid, \
+                               block_size, key_len, iv_len, cbits, \
+                               flags, init_key, \
+                               cleanup, set_asn1, get_asn1, ctrl) \
+        BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, \
+                          cbits, flags, init_key, cleanup, set_asn1, \
+                          get_asn1, ctrl)
+
+#define EVP_C_DATA(kstruct, ctx)        ((kstruct *)(ctx)->cipher_data)
+
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \
+        BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+        BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+                             NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+                             0, cipher##_init_key, NULL, \
+                             EVP_CIPHER_set_asn1_iv, \
+                             EVP_CIPHER_get_asn1_iv, \
+                             NULL)
+
+struct evp_pkey_ctx_st {
+    /* Method associated with this operation */
+    const EVP_PKEY_METHOD *pmeth;
+    /* Engine that implements this method or NULL if builtin */
+    ENGINE *engine;
+    /* Key: may be NULL */
+    EVP_PKEY *pkey;
+    /* Peer key for key agreement, may be NULL */
+    EVP_PKEY *peerkey;
+    /* Actual operation */
+    int operation;
+    /* Algorithm specific data */
+    void *data;
+    /* Application specific data */
+    void *app_data;
+    /* Keygen callback */
+    EVP_PKEY_gen_cb *pkey_gencb;
+    /* implementation specific keygen data */
+    int *keygen_info;
+    int keygen_info_count;
+} /* EVP_PKEY_CTX */ ;
+
+#define EVP_PKEY_FLAG_DYNAMIC   1
+
+struct evp_pkey_method_st {
+    int pkey_id;
+    int flags;
+    int (*init) (EVP_PKEY_CTX *ctx);
+    int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
+    void (*cleanup) (EVP_PKEY_CTX *ctx);
+    int (*paramgen_init) (EVP_PKEY_CTX *ctx);
+    int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+    int (*keygen_init) (EVP_PKEY_CTX *ctx);
+    int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+    int (*sign_init) (EVP_PKEY_CTX *ctx);
+    int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+                 const unsigned char *tbs, size_t tbslen);
+    int (*verify_init) (EVP_PKEY_CTX *ctx);
+    int (*verify) (EVP_PKEY_CTX *ctx,
+                   const unsigned char *sig, size_t siglen,
+                   const unsigned char *tbs, size_t tbslen);
+    int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
+    int (*verify_recover) (EVP_PKEY_CTX *ctx,
+                           unsigned char *rout, size_t *routlen,
+                           const unsigned char *sig, size_t siglen);
+    int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+    int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+                    EVP_MD_CTX *mctx);
+    int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+    int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
+                      EVP_MD_CTX *mctx);
+    int (*encrypt_init) (EVP_PKEY_CTX *ctx);
+    int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+                    const unsigned char *in, size_t inlen);
+    int (*decrypt_init) (EVP_PKEY_CTX *ctx);
+    int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+                    const unsigned char *in, size_t inlen);
+    int (*derive_init) (EVP_PKEY_CTX *ctx);
+    int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
+    int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
+    int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
+} /* EVP_PKEY_METHOD */ ;
+
+void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
 
 int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
                              int passlen, ASN1_TYPE *param,
                              const EVP_CIPHER *c, const EVP_MD *md,
                              int en_de);
 
-struct evp_Encode_Ctx_st {
-    /* number saved in a partial encode/decode */
-    int num;
-    /*
-     * The length is either the output line length (in input bytes) or the
-     * shortest input line length that is ok.  Once decoding begins, the
-     * length is adjusted up each time a longer line is decoded
-     */
-    int length;
-    /* data to encode */
-    unsigned char enc_data[80];
-    /* number read on current line */
-    int line_num;
-    int expect_nl;
-};
-
-typedef struct evp_pbe_st EVP_PBE_CTL;
-DEFINE_STACK_OF(EVP_PBE_CTL)
-
-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len);
+const EVP_MD *evp_get_fips_md(const EVP_MD *md);
+const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher);
+
+#ifdef OPENSSL_FIPS
+
+# ifdef OPENSSL_DOING_MAKEDEPEND
+#  undef SHA1_Init
+#  undef SHA1_Update
+#  undef SHA224_Init
+#  undef SHA256_Init
+#  undef SHA384_Init
+#  undef SHA512_Init
+#  undef DES_set_key_unchecked
+# endif
+
+# define RIPEMD160_Init  private_RIPEMD160_Init
+# define WHIRLPOOL_Init  private_WHIRLPOOL_Init
+# define MD5_Init        private_MD5_Init
+# define MD4_Init        private_MD4_Init
+# define MD2_Init        private_MD2_Init
+# define MDC2_Init       private_MDC2_Init
+# define SHA_Init        private_SHA_Init
+# define SHA1_Init       private_SHA1_Init
+# define SHA224_Init     private_SHA224_Init
+# define SHA256_Init     private_SHA256_Init
+# define SHA384_Init     private_SHA384_Init
+# define SHA512_Init     private_SHA512_Init
+
+# define BF_set_key      private_BF_set_key
+# define CAST_set_key    private_CAST_set_key
+# define idea_set_encrypt_key    private_idea_set_encrypt_key
+# define SEED_set_key    private_SEED_set_key
+# define RC2_set_key     private_RC2_set_key
+# define RC4_set_key     private_RC4_set_key
+# define DES_set_key_unchecked   private_DES_set_key_unchecked
+# define Camellia_set_key        private_Camellia_set_key
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c b/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c
index ce7aa2cf..7934c95f 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_pbe.c
@@ -1,14 +1,64 @@
+/* evp_pbe.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
@@ -16,17 +66,18 @@
 
 /* Password based encryption (PBE) functions */
 
+DECLARE_STACK_OF(EVP_PBE_CTL)
+static STACK_OF(EVP_PBE_CTL) *pbe_algs;
+
 /* Setup a cipher context from a PBE algorithm */
 
-struct evp_pbe_st {
+typedef struct {
     int pbe_type;
     int pbe_nid;
     int cipher_nid;
     int md_nid;
     EVP_PBE_KEYGEN *keygen;
-};
-
-static STACK_OF(EVP_PBE_CTL) *pbe_algs;
+} EVP_PBE_CTL;
 
 static const EVP_PBE_CTL builtin_pbe[] = {
     {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndDES_CBC,
@@ -36,7 +87,9 @@ static const EVP_PBE_CTL builtin_pbe[] = {
     {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC,
      NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen},
 
+#ifndef OPENSSL_NO_HMAC
     {EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
+#endif
 
     {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4,
      NID_rc4, NID_sha1, PKCS12_PBE_keyivgen},
@@ -51,8 +104,9 @@ static const EVP_PBE_CTL builtin_pbe[] = {
     {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC2_CBC,
      NID_rc2_40_cbc, NID_sha1, PKCS12_PBE_keyivgen},
 
+#ifndef OPENSSL_NO_HMAC
     {EVP_PBE_TYPE_OUTER, NID_pbes2, -1, -1, PKCS5_v2_PBE_keyivgen},
-
+#endif
     {EVP_PBE_TYPE_OUTER, NID_pbeWithMD2AndRC2_CBC,
      NID_rc2_64_cbc, NID_md2, PKCS5_PBE_keyivgen},
     {EVP_PBE_TYPE_OUTER, NID_pbeWithMD5AndRC2_CBC,
@@ -67,16 +121,33 @@ static const EVP_PBE_CTL builtin_pbe[] = {
     {EVP_PBE_TYPE_PRF, NID_hmacWithSHA384, -1, NID_sha384, 0},
     {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0},
     {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0},
-    {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_2012_256, -1,
-     NID_id_GostR3411_2012_256, 0},
-    {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_2012_512, -1,
-     NID_id_GostR3411_2012_512, 0},
-    {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
-#ifndef OPENSSL_NO_SCRYPT
-    {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen}
-#endif
 };
 
+#ifdef TEST
+int main(int argc, char **argv)
+{
+    int i, nid_md, nid_cipher;
+    EVP_PBE_CTL *tpbe, *tpbe2;
+    /*
+     * OpenSSL_add_all_algorithms();
+     */
+
+    for (i = 0; i < sizeof(builtin_pbe) / sizeof(EVP_PBE_CTL); i++) {
+        tpbe = builtin_pbe + i;
+        fprintf(stderr, "%d %d %s ", tpbe->pbe_type, tpbe->pbe_nid,
+                OBJ_nid2sn(tpbe->pbe_nid));
+        if (EVP_PBE_find(tpbe->pbe_type, tpbe->pbe_nid,
+                         &nid_cipher, &nid_md, 0))
+            fprintf(stderr, "Found %s %s\n",
+                    OBJ_nid2sn(nid_cipher), OBJ_nid2sn(nid_md));
+        else
+            fprintf(stderr, "Find ERROR!!\n");
+    }
+
+    return 0;
+}
+#endif
+
 int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
                        ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de)
 {
@@ -90,7 +161,7 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
         char obj_tmp[80];
         EVPerr(EVP_F_EVP_PBE_CIPHERINIT, EVP_R_UNKNOWN_PBE_ALGORITHM);
         if (!pbe_obj)
-            OPENSSL_strlcpy(obj_tmp, "NULL", sizeof obj_tmp);
+            BUF_strlcpy(obj_tmp, "NULL", sizeof obj_tmp);
         else
             i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, pbe_obj);
         ERR_add_error_data(2, "TYPE=", obj_tmp);
@@ -173,10 +244,7 @@ int EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid,
     pbe_tmp->md_nid = md_nid;
     pbe_tmp->keygen = keygen;
 
-    if (!sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp)) {
-        OPENSSL_free(pbe_tmp);
-        goto err;
-    }
+    sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp);
     return 1;
 
  err:
@@ -188,7 +256,6 @@ int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
                     EVP_PBE_KEYGEN *keygen)
 {
     int cipher_nid, md_nid;
-
     if (cipher)
         cipher_nid = EVP_CIPHER_nid(cipher);
     else
@@ -219,7 +286,8 @@ int EVP_PBE_find(int type, int pbe_nid,
             pbetmp = sk_EVP_PBE_CTL_value(pbe_algs, i);
     }
     if (pbetmp == NULL) {
-        pbetmp = OBJ_bsearch_pbe2(&pbelu, builtin_pbe, OSSL_NELEM(builtin_pbe));
+        pbetmp = OBJ_bsearch_pbe2(&pbelu, builtin_pbe,
+                                  sizeof(builtin_pbe) / sizeof(EVP_PBE_CTL));
     }
     if (pbetmp == NULL)
         return 0;
@@ -234,7 +302,7 @@ int EVP_PBE_find(int type, int pbe_nid,
 
 static void free_evp_pbe_ctl(EVP_PBE_CTL *pbe)
 {
-    OPENSSL_free(pbe);
+    OPENSSL_freeFunc(pbe);
 }
 
 void EVP_PBE_cleanup(void)
@@ -242,18 +310,3 @@ void EVP_PBE_cleanup(void)
     sk_EVP_PBE_CTL_pop_free(pbe_algs, free_evp_pbe_ctl);
     pbe_algs = NULL;
 }
-
-int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num)
-{
-    const EVP_PBE_CTL *tpbe;
-
-    if (num >= OSSL_NELEM(builtin_pbe))
-        return 0;
-
-    tpbe = builtin_pbe + num;
-    if (ptype)
-        *ptype = tpbe->pbe_type;
-    if (ppbe_nid)
-        *ppbe_nid = tpbe->pbe_nid;
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c b/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c
index 81bffa6d..6a456297 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_pkey.c
@@ -1,33 +1,81 @@
+/* evp_pkey.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <stdlib.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/rand.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
-#include "internal/x509_int.h"
+#include "asn1_locl.h"
 
 /* Extract a private key from a PKCS8 structure */
 
-EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8)
+EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8)
 {
     EVP_PKEY *pkey = NULL;
-    const ASN1_OBJECT *algoid;
+    ASN1_OBJECT *algoid;
     char obj_tmp[80];
 
     if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8))
         return NULL;
 
-    if ((pkey = EVP_PKEY_new()) == NULL) {
+    if (!(pkey = EVP_PKEY_new())) {
         EVPerr(EVP_F_EVP_PKCS82PKEY, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -56,37 +104,68 @@ EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8)
     return NULL;
 }
 
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
+{
+    return EVP_PKEY2PKCS8_broken(pkey, PKCS8_OK);
+}
+
 /* Turn a private key into a PKCS8 structure */
 
-PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey)
+PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
 {
-    PKCS8_PRIV_KEY_INFO *p8 = PKCS8_PRIV_KEY_INFO_new();
-    if (p8  == NULL) {
-        EVPerr(EVP_F_EVP_PKEY2PKCS8, ERR_R_MALLOC_FAILURE);
+    PKCS8_PRIV_KEY_INFO *p8;
+
+    if (!(p8 = PKCS8_PRIV_KEY_INFO_new())) {
+        EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
+    p8->broken = broken;
 
     if (pkey->ameth) {
         if (pkey->ameth->priv_encode) {
             if (!pkey->ameth->priv_encode(p8, pkey)) {
-                EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_PRIVATE_KEY_ENCODE_ERROR);
+                EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN,
+                       EVP_R_PRIVATE_KEY_ENCODE_ERROR);
                 goto error;
             }
         } else {
-            EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_METHOD_NOT_SUPPORTED);
+            EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN, EVP_R_METHOD_NOT_SUPPORTED);
             goto error;
         }
     } else {
-        EVPerr(EVP_F_EVP_PKEY2PKCS8, EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
+        EVPerr(EVP_F_EVP_PKEY2PKCS8_BROKEN,
+               EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
         goto error;
     }
-    RAND_add(p8->pkey->data, p8->pkey->length, 0.0);
+    RAND_add(p8->pkey->value.octet_string->data,
+             p8->pkey->value.octet_string->length, 0.0);
     return p8;
  error:
     PKCS8_PRIV_KEY_INFO_free(p8);
     return NULL;
 }
 
+PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
+{
+    switch (broken) {
+
+    case PKCS8_OK:
+        p8->broken = PKCS8_OK;
+        return p8;
+        break;
+
+    case PKCS8_NO_OCTET:
+        p8->broken = PKCS8_NO_OCTET;
+        p8->pkey->type = V_ASN1_SEQUENCE;
+        return p8;
+        break;
+
+    default:
+        EVPerr(EVP_F_PKCS8_SET_BROKEN, EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE);
+        return NULL;
+    }
+}
+
 /* EVP_PKEY attribute functions */
 
 int EVP_PKEY_get_attr_count(const EVP_PKEY *key)
@@ -99,7 +178,7 @@ int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos)
     return X509at_get_attr_by_NID(key->attributes, nid, lastpos);
 }
 
-int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, const ASN1_OBJECT *obj,
+int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj,
                              int lastpos)
 {
     return X509at_get_attr_by_OBJ(key->attributes, obj, lastpos);
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_dss.c b/Cryptlib/OpenSSL/crypto/evp/m_dss.c
new file mode 100644
index 00000000..14784486
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/evp/m_dss.c
@@ -0,0 +1,104 @@
+/* crypto/evp/m_dss.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/sha.h>
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+
+#ifndef OPENSSL_NO_SHA
+
+static int init(EVP_MD_CTX *ctx)
+{
+    return SHA1_Init(ctx->md_data);
+}
+
+static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+    return SHA1_Update(ctx->md_data, data, count);
+}
+
+static int final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    return SHA1_Final(md, ctx->md_data);
+}
+
+static const EVP_MD dsa_md = {
+    NID_dsaWithSHA,
+    NID_dsaWithSHA,
+    SHA_DIGEST_LENGTH,
+    EVP_MD_FLAG_PKEY_DIGEST,
+    init,
+    update,
+    final,
+    NULL,
+    NULL,
+    EVP_PKEY_DSA_method,
+    SHA_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA_CTX),
+};
+
+const EVP_MD *EVP_dss(void)
+{
+    return (&dsa_md);
+}
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_dss1.c b/Cryptlib/OpenSSL/crypto/evp/m_dss1.c
new file mode 100644
index 00000000..e36fabff
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/evp/m_dss1.c
@@ -0,0 +1,105 @@
+/* crypto/evp/m_dss1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+
+#ifndef OPENSSL_NO_SHA
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include <openssl/sha.h>
+# ifndef OPENSSL_NO_DSA
+#  include <openssl/dsa.h>
+# endif
+
+static int init(EVP_MD_CTX *ctx)
+{
+    return SHA1_Init(ctx->md_data);
+}
+
+static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+    return SHA1_Update(ctx->md_data, data, count);
+}
+
+static int final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    return SHA1_Final(md, ctx->md_data);
+}
+
+static const EVP_MD dss1_md = {
+    NID_dsa,
+    NID_dsaWithSHA1,
+    SHA_DIGEST_LENGTH,
+    EVP_MD_FLAG_PKEY_DIGEST,
+    init,
+    update,
+    final,
+    NULL,
+    NULL,
+    EVP_PKEY_DSA_method,
+    SHA_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA_CTX),
+};
+
+const EVP_MD *EVP_dss1(void)
+{
+    return (&dss1_md);
+}
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c b/Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c
new file mode 100644
index 00000000..803d3149
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/evp/m_ecdsa.c
@@ -0,0 +1,154 @@
+/* crypto/evp/m_ecdsa.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+
+#ifndef OPENSSL_NO_SHA
+
+static int init(EVP_MD_CTX *ctx)
+{
+    return SHA1_Init(ctx->md_data);
+}
+
+static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+    return SHA1_Update(ctx->md_data, data, count);
+}
+
+static int final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    return SHA1_Final(md, ctx->md_data);
+}
+
+static const EVP_MD ecdsa_md = {
+    NID_ecdsa_with_SHA1,
+    NID_ecdsa_with_SHA1,
+    SHA_DIGEST_LENGTH,
+    EVP_MD_FLAG_PKEY_DIGEST,
+    init,
+    update,
+    final,
+    NULL,
+    NULL,
+    EVP_PKEY_ECDSA_method,
+    SHA_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA_CTX),
+};
+
+const EVP_MD *EVP_ecdsa(void)
+{
+    return (&ecdsa_md);
+}
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md2.c b/Cryptlib/OpenSSL/crypto/evp/m_md2.c
index c4e28ae1..3c4cd7bf 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_md2.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_md2.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/m_md2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_MD2
 
@@ -16,23 +65,23 @@
 # include <openssl/objects.h>
 # include <openssl/x509.h>
 # include <openssl/md2.h>
-# include <openssl/rsa.h>
-
-#include "internal/evp_int.h"
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
 
 static int init(EVP_MD_CTX *ctx)
 {
-    return MD2_Init(EVP_MD_CTX_md_data(ctx));
+    return MD2_Init(ctx->md_data);
 }
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return MD2_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return MD2_Update(ctx->md_data, data, count);
 }
 
 static int final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return MD2_Final(md, EVP_MD_CTX_md_data(ctx));
+    return MD2_Final(md, ctx->md_data);
 }
 
 static const EVP_MD md2_md = {
@@ -45,12 +94,13 @@ static const EVP_MD md2_md = {
     final,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     MD2_BLOCK,
     sizeof(EVP_MD *) + sizeof(MD2_CTX),
 };
 
 const EVP_MD *EVP_md2(void)
 {
-    return &md2_md;
+    return (&md2_md);
 }
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md4.c b/Cryptlib/OpenSSL/crypto/evp/m_md4.c
index f3decaaf..851de69f 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_md4.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_md4.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/m_md4.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_MD4
 
@@ -16,22 +65,25 @@
 # include <openssl/objects.h>
 # include <openssl/x509.h>
 # include <openssl/md4.h>
-# include <openssl/rsa.h>
-# include "internal/evp_int.h"
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
+
+# include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
 {
-    return MD4_Init(EVP_MD_CTX_md_data(ctx));
+    return MD4_Init(ctx->md_data);
 }
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return MD4_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return MD4_Update(ctx->md_data, data, count);
 }
 
 static int final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return MD4_Final(md, EVP_MD_CTX_md_data(ctx));
+    return MD4_Final(md, ctx->md_data);
 }
 
 static const EVP_MD md4_md = {
@@ -44,6 +96,7 @@ static const EVP_MD md4_md = {
     final,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     MD4_CBLOCK,
     sizeof(EVP_MD *) + sizeof(MD4_CTX),
 };
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md5.c b/Cryptlib/OpenSSL/crypto/evp/m_md5.c
index f4dc0c43..e5d5f71b 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_md5.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_md5.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/m_md5.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_MD5
 
@@ -16,22 +65,24 @@
 # include <openssl/objects.h>
 # include <openssl/x509.h>
 # include <openssl/md5.h>
-# include <openssl/rsa.h>
-# include "internal/evp_int.h"
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
+# include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
 {
-    return MD5_Init(EVP_MD_CTX_md_data(ctx));
+    return MD5_Init(ctx->md_data);
 }
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return MD5_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return MD5_Update(ctx->md_data, data, count);
 }
 
 static int final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return MD5_Final(md, EVP_MD_CTX_md_data(ctx));
+    return MD5_Final(md, ctx->md_data);
 }
 
 static const EVP_MD md5_md = {
@@ -44,6 +95,7 @@ static const EVP_MD md5_md = {
     final,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     MD5_CBLOCK,
     sizeof(EVP_MD *) + sizeof(MD5_CTX),
 };
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_md5_sha1.c b/Cryptlib/OpenSSL/crypto/evp/m_md5_sha1.c
deleted file mode 100644
index 2d98886b..00000000
--- a/Cryptlib/OpenSSL/crypto/evp/m_md5_sha1.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#if !defined(OPENSSL_NO_MD5)
-
-# include <openssl/evp.h>
-# include <openssl/objects.h>
-# include <openssl/x509.h>
-# include <openssl/md5.h>
-# include <openssl/sha.h>
-# include "internal/cryptlib.h"
-# include "internal/evp_int.h"
-# include <openssl/rsa.h>
-
-struct md5_sha1_ctx {
-    MD5_CTX md5;
-    SHA_CTX sha1;
-};
-
-static int init(EVP_MD_CTX *ctx)
-{
-    struct md5_sha1_ctx *mctx = EVP_MD_CTX_md_data(ctx);
-    if (!MD5_Init(&mctx->md5))
-        return 0;
-    return SHA1_Init(&mctx->sha1);
-}
-
-static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
-{
-    struct md5_sha1_ctx *mctx = EVP_MD_CTX_md_data(ctx);
-    if (!MD5_Update(&mctx->md5, data, count))
-        return 0;
-    return SHA1_Update(&mctx->sha1, data, count);
-}
-
-static int final(EVP_MD_CTX *ctx, unsigned char *md)
-{
-    struct md5_sha1_ctx *mctx = EVP_MD_CTX_md_data(ctx);
-    if (!MD5_Final(md, &mctx->md5))
-        return 0;
-    return SHA1_Final(md + MD5_DIGEST_LENGTH, &mctx->sha1);
-}
-
-static int ctrl(EVP_MD_CTX *ctx, int cmd, int mslen, void *ms)
-{
-    unsigned char padtmp[48];
-    unsigned char md5tmp[MD5_DIGEST_LENGTH];
-    unsigned char sha1tmp[SHA_DIGEST_LENGTH];
-    struct md5_sha1_ctx *mctx;
-
-    if (cmd != EVP_CTRL_SSL3_MASTER_SECRET)
-        return -2;
-
-    if (ctx == NULL)
-        return 0;
-
-    mctx = EVP_MD_CTX_md_data(ctx);
-
-    /* SSLv3 client auth handling: see RFC-6101 5.6.8 */
-    if (mslen != 48)
-        return 0;
-
-    /* At this point hash contains all handshake messages, update
-     * with master secret and pad_1.
-     */
-
-    if (update(ctx, ms, mslen) <= 0)
-        return 0;
-
-    /* Set padtmp to pad_1 value */
-    memset(padtmp, 0x36, sizeof(padtmp));
-
-    if (!MD5_Update(&mctx->md5, padtmp, sizeof(padtmp)))
-        return 0;
-
-    if (!MD5_Final(md5tmp, &mctx->md5))
-        return 0;
-
-    if (!SHA1_Update(&mctx->sha1, padtmp, 40))
-        return 0;
-
-    if (!SHA1_Final(sha1tmp, &mctx->sha1))
-        return 0;
-
-    /* Reinitialise context */
-
-    if (!init(ctx))
-        return 0;
-
-    if (update(ctx, ms, mslen) <= 0)
-        return 0;
-
-    /* Set padtmp to pad_2 value */
-    memset(padtmp, 0x5c, sizeof(padtmp));
-
-    if (!MD5_Update(&mctx->md5, padtmp, sizeof(padtmp)))
-        return 0;
-
-    if (!MD5_Update(&mctx->md5, md5tmp, sizeof(md5tmp)))
-        return 0;
-
-    if (!SHA1_Update(&mctx->sha1, padtmp, 40))
-        return 0;
-
-    if (!SHA1_Update(&mctx->sha1, sha1tmp, sizeof(sha1tmp)))
-        return 0;
-
-    /* Now when ctx is finalised it will return the SSL v3 hash value */
-
-    OPENSSL_cleanse(md5tmp, sizeof(md5tmp));
-    OPENSSL_cleanse(sha1tmp, sizeof(sha1tmp));
-
-    return 1;
-
-}
-
-static const EVP_MD md5_sha1_md = {
-    NID_md5_sha1,
-    NID_md5_sha1,
-    MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
-    0,
-    init,
-    update,
-    final,
-    NULL,
-    NULL,
-    MD5_CBLOCK,
-    sizeof(EVP_MD *) + sizeof(struct md5_sha1_ctx),
-    ctrl
-};
-
-const EVP_MD *EVP_md5_sha1(void)
-{
-    return &md5_sha1_md;
-}
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_mdc2.c b/Cryptlib/OpenSSL/crypto/evp/m_mdc2.c
index b7f0fd8c..94e12a6b 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_mdc2.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_mdc2.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/m_mdc2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_MDC2
 
@@ -16,22 +65,25 @@
 # include <openssl/objects.h>
 # include <openssl/x509.h>
 # include <openssl/mdc2.h>
-# include <openssl/rsa.h>
-# include "internal/evp_int.h"
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
+
+# include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
 {
-    return MDC2_Init(EVP_MD_CTX_md_data(ctx));
+    return MDC2_Init(ctx->md_data);
 }
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return MDC2_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return MDC2_Update(ctx->md_data, data, count);
 }
 
 static int final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return MDC2_Final(md, EVP_MD_CTX_md_data(ctx));
+    return MDC2_Final(md, ctx->md_data);
 }
 
 static const EVP_MD mdc2_md = {
@@ -44,6 +96,7 @@ static const EVP_MD mdc2_md = {
     final,
     NULL,
     NULL,
+    EVP_PKEY_RSA_ASN1_OCTET_STRING_method,
     MDC2_BLOCK,
     sizeof(EVP_MD *) + sizeof(MDC2_CTX),
 };
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_null.c b/Cryptlib/OpenSSL/crypto/evp/m_null.c
index 6c4daf56..017e1feb 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_null.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_null.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/m_null.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "internal/evp_int.h"
 
 static int init(EVP_MD_CTX *ctx)
 {
@@ -39,6 +87,7 @@ static const EVP_MD null_md = {
     final,
     NULL,
     NULL,
+    EVP_PKEY_NULL_method,
     0,
     sizeof(EVP_MD *),
 };
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c b/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c
index 07b46bd5..81de0ef4 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_ripemd.c
@@ -1,37 +1,88 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/m_ripemd.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
-#ifndef OPENSSL_NO_RMD160
+#ifndef OPENSSL_NO_RIPEMD
 
 # include <openssl/ripemd.h>
 # include <openssl/evp.h>
 # include <openssl/objects.h>
 # include <openssl/x509.h>
-# include <openssl/rsa.h>
-# include "internal/evp_int.h"
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
+# include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
 {
-    return RIPEMD160_Init(EVP_MD_CTX_md_data(ctx));
+    return RIPEMD160_Init(ctx->md_data);
 }
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return RIPEMD160_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return RIPEMD160_Update(ctx->md_data, data, count);
 }
 
 static int final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return RIPEMD160_Final(md, EVP_MD_CTX_md_data(ctx));
+    return RIPEMD160_Final(md, ctx->md_data);
 }
 
 static const EVP_MD ripemd160_md = {
@@ -44,6 +95,7 @@ static const EVP_MD ripemd160_md = {
     final,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     RIPEMD160_CBLOCK,
     sizeof(EVP_MD *) + sizeof(RIPEMD160_CTX),
 };
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_sha.c b/Cryptlib/OpenSSL/crypto/evp/m_sha.c
new file mode 100644
index 00000000..e1e22e0c
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/evp/m_sha.c
@@ -0,0 +1,106 @@
+/* crypto/evp/m_sha.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include <openssl/x509.h>
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
+# include "evp_locl.h"
+
+static int init(EVP_MD_CTX *ctx)
+{
+    return SHA_Init(ctx->md_data);
+}
+
+static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+    return SHA_Update(ctx->md_data, data, count);
+}
+
+static int final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    return SHA_Final(md, ctx->md_data);
+}
+
+static const EVP_MD sha_md = {
+    NID_sha,
+    NID_shaWithRSAEncryption,
+    SHA_DIGEST_LENGTH,
+    0,
+    init,
+    update,
+    final,
+    NULL,
+    NULL,
+    EVP_PKEY_RSA_method,
+    SHA_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA_CTX),
+};
+
+const EVP_MD *EVP_sha(void)
+{
+    return (&sha_md);
+}
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_sha1.c b/Cryptlib/OpenSSL/crypto/evp/m_sha1.c
index 8f30077a..a74e6b77 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_sha1.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_sha1.c
@@ -1,123 +1,118 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/m_sha1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/sha.h>
-#include <openssl/rsa.h>
-#include "internal/evp_int.h"
+#ifndef OPENSSL_NO_SHA
+
+# include <openssl/evp.h>
+# include <openssl/objects.h>
+# include <openssl/sha.h>
+# ifndef OPENSSL_NO_RSA
+#  include <openssl/rsa.h>
+# endif
 
 static int init(EVP_MD_CTX *ctx)
 {
-    return SHA1_Init(EVP_MD_CTX_md_data(ctx));
+    return SHA1_Init(ctx->md_data);
 }
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return SHA1_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return SHA1_Update(ctx->md_data, data, count);
 }
 
 static int final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return SHA1_Final(md, EVP_MD_CTX_md_data(ctx));
-}
-
-static int ctrl(EVP_MD_CTX *ctx, int cmd, int mslen, void *ms)
-{
-    unsigned char padtmp[40];
-    unsigned char sha1tmp[SHA_DIGEST_LENGTH];
-
-    SHA_CTX *sha1;
-
-    if (cmd != EVP_CTRL_SSL3_MASTER_SECRET)
-        return -2;
-
-    if (ctx == NULL)
-        return 0;
-
-    sha1 = EVP_MD_CTX_md_data(ctx);
-
-    /* SSLv3 client auth handling: see RFC-6101 5.6.8 */
-    if (mslen != 48)
-        return 0;
-
-    /* At this point hash contains all handshake messages, update
-     * with master secret and pad_1.
-     */
-
-    if (SHA1_Update(sha1, ms, mslen) <= 0)
-        return 0;
-
-    /* Set padtmp to pad_1 value */
-    memset(padtmp, 0x36, sizeof(padtmp));
-
-    if (!SHA1_Update(sha1, padtmp, sizeof(padtmp)))
-        return 0;
-
-    if (!SHA1_Final(sha1tmp, sha1))
-        return 0;
-
-    /* Reinitialise context */
-
-    if (!SHA1_Init(sha1))
-        return 0;
-
-    if (SHA1_Update(sha1, ms, mslen) <= 0)
-        return 0;
-
-    /* Set padtmp to pad_2 value */
-    memset(padtmp, 0x5c, sizeof(padtmp));
-
-    if (!SHA1_Update(sha1, padtmp, sizeof(padtmp)))
-        return 0;
-
-    if (!SHA1_Update(sha1, sha1tmp, sizeof(sha1tmp)))
-        return 0;
-
-    /* Now when ctx is finalised it will return the SSL v3 hash value */
-    OPENSSL_cleanse(sha1tmp, sizeof(sha1tmp));
-
-    return 1;
-
+    return SHA1_Final(md, ctx->md_data);
 }
 
 static const EVP_MD sha1_md = {
     NID_sha1,
     NID_sha1WithRSAEncryption,
     SHA_DIGEST_LENGTH,
-    EVP_MD_FLAG_DIGALGID_ABSENT,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
     init,
     update,
     final,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     SHA_CBLOCK,
     sizeof(EVP_MD *) + sizeof(SHA_CTX),
-    ctrl
 };
 
 const EVP_MD *EVP_sha1(void)
 {
     return (&sha1_md);
 }
+#endif
 
+#ifndef OPENSSL_NO_SHA256
 static int init224(EVP_MD_CTX *ctx)
 {
-    return SHA224_Init(EVP_MD_CTX_md_data(ctx));
+    return SHA224_Init(ctx->md_data);
 }
 
 static int init256(EVP_MD_CTX *ctx)
 {
-    return SHA256_Init(EVP_MD_CTX_md_data(ctx));
+    return SHA256_Init(ctx->md_data);
 }
 
 /*
@@ -127,24 +122,25 @@ static int init256(EVP_MD_CTX *ctx)
  */
 static int update256(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return SHA256_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return SHA256_Update(ctx->md_data, data, count);
 }
 
 static int final256(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return SHA256_Final(md, EVP_MD_CTX_md_data(ctx));
+    return SHA256_Final(md, ctx->md_data);
 }
 
 static const EVP_MD sha224_md = {
     NID_sha224,
     NID_sha224WithRSAEncryption,
     SHA224_DIGEST_LENGTH,
-    EVP_MD_FLAG_DIGALGID_ABSENT,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
     init224,
     update256,
     final256,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     SHA256_CBLOCK,
     sizeof(EVP_MD *) + sizeof(SHA256_CTX),
 };
@@ -158,12 +154,13 @@ static const EVP_MD sha256_md = {
     NID_sha256,
     NID_sha256WithRSAEncryption,
     SHA256_DIGEST_LENGTH,
-    EVP_MD_FLAG_DIGALGID_ABSENT,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
     init256,
     update256,
     final256,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     SHA256_CBLOCK,
     sizeof(EVP_MD *) + sizeof(SHA256_CTX),
 };
@@ -172,38 +169,41 @@ const EVP_MD *EVP_sha256(void)
 {
     return (&sha256_md);
 }
+#endif                          /* ifndef OPENSSL_NO_SHA256 */
 
+#ifndef OPENSSL_NO_SHA512
 static int init384(EVP_MD_CTX *ctx)
 {
-    return SHA384_Init(EVP_MD_CTX_md_data(ctx));
+    return SHA384_Init(ctx->md_data);
 }
 
 static int init512(EVP_MD_CTX *ctx)
 {
-    return SHA512_Init(EVP_MD_CTX_md_data(ctx));
+    return SHA512_Init(ctx->md_data);
 }
 
 /* See comment in SHA224/256 section */
 static int update512(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return SHA512_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return SHA512_Update(ctx->md_data, data, count);
 }
 
 static int final512(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return SHA512_Final(md, EVP_MD_CTX_md_data(ctx));
+    return SHA512_Final(md, ctx->md_data);
 }
 
 static const EVP_MD sha384_md = {
     NID_sha384,
     NID_sha384WithRSAEncryption,
     SHA384_DIGEST_LENGTH,
-    EVP_MD_FLAG_DIGALGID_ABSENT,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
     init384,
     update512,
     final512,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     SHA512_CBLOCK,
     sizeof(EVP_MD *) + sizeof(SHA512_CTX),
 };
@@ -217,12 +217,13 @@ static const EVP_MD sha512_md = {
     NID_sha512,
     NID_sha512WithRSAEncryption,
     SHA512_DIGEST_LENGTH,
-    EVP_MD_FLAG_DIGALGID_ABSENT,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
     init512,
     update512,
     final512,
     NULL,
     NULL,
+    EVP_PKEY_RSA_method,
     SHA512_CBLOCK,
     sizeof(EVP_MD *) + sizeof(SHA512_CTX),
 };
@@ -231,3 +232,4 @@ const EVP_MD *EVP_sha512(void)
 {
     return (&sha512_md);
 }
+#endif                          /* ifndef OPENSSL_NO_SHA512 */
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_sigver.c b/Cryptlib/OpenSSL/crypto/evp/m_sigver.c
index 3b74f722..4492d207 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_sigver.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_sigver.c
@@ -1,18 +1,67 @@
+/* m_sigver.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006,2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "internal/evp_int.h"
 #include "evp_locl.h"
 
 static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -79,20 +128,17 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
 int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
                         size_t *siglen)
 {
-    int sctx = 0, r = 0;
+    int sctx, r = 0;
     EVP_PKEY_CTX *pctx = ctx->pctx;
     if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) {
+        EVP_PKEY_CTX *dctx;
         if (!sigret)
             return pctx->pmeth->signctx(pctx, sigret, siglen, ctx);
-        if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE)
-            r = pctx->pmeth->signctx(pctx, sigret, siglen, ctx);
-        else {
-            EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_dup(ctx->pctx);
-            if (!dctx)
-                return 0;
-            r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx);
-            EVP_PKEY_CTX_free(dctx);
-        }
+        dctx = EVP_PKEY_CTX_dup(ctx->pctx);
+        if (!dctx)
+            return 0;
+        r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx);
+        EVP_PKEY_CTX_free(dctx);
         return r;
     }
     if (pctx->pmeth->signctx)
@@ -100,24 +146,18 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
     else
         sctx = 0;
     if (sigret) {
+        EVP_MD_CTX tmp_ctx;
         unsigned char md[EVP_MAX_MD_SIZE];
-        unsigned int mdlen = 0;
-        if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) {
-            if (sctx)
-                r = ctx->pctx->pmeth->signctx(ctx->pctx, sigret, siglen, ctx);
-            else
-                r = EVP_DigestFinal_ex(ctx, md, &mdlen);
-        } else {
-            EVP_MD_CTX *tmp_ctx = EVP_MD_CTX_new();
-            if (tmp_ctx == NULL || !EVP_MD_CTX_copy_ex(tmp_ctx, ctx))
-                return 0;
-            if (sctx)
-                r = tmp_ctx->pctx->pmeth->signctx(tmp_ctx->pctx,
-                                                  sigret, siglen, tmp_ctx);
-            else
-                r = EVP_DigestFinal_ex(tmp_ctx, md, &mdlen);
-            EVP_MD_CTX_free(tmp_ctx);
-        }
+        unsigned int mdlen;
+        EVP_MD_CTX_init(&tmp_ctx);
+        if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx))
+            return 0;
+        if (sctx)
+            r = tmp_ctx.pctx->pmeth->signctx(tmp_ctx.pctx,
+                                             sigret, siglen, &tmp_ctx);
+        else
+            r = EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen);
+        EVP_MD_CTX_cleanup(&tmp_ctx);
         if (sctx || !r)
             return r;
         if (EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen) <= 0)
@@ -138,31 +178,25 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
 int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
                           size_t siglen)
 {
+    EVP_MD_CTX tmp_ctx;
     unsigned char md[EVP_MAX_MD_SIZE];
-    int r = 0;
-    unsigned int mdlen = 0;
-    int vctx = 0;
+    int r;
+    unsigned int mdlen;
+    int vctx;
 
     if (ctx->pctx->pmeth->verifyctx)
         vctx = 1;
     else
         vctx = 0;
-    if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) {
-        if (vctx) {
-            r = ctx->pctx->pmeth->verifyctx(ctx->pctx, sig, siglen, ctx);
-        } else
-            r = EVP_DigestFinal_ex(ctx, md, &mdlen);
-    } else {
-        EVP_MD_CTX *tmp_ctx = EVP_MD_CTX_new();
-        if (tmp_ctx == NULL || !EVP_MD_CTX_copy_ex(tmp_ctx, ctx))
-            return -1;
-        if (vctx) {
-            r = tmp_ctx->pctx->pmeth->verifyctx(tmp_ctx->pctx,
-                                                sig, siglen, tmp_ctx);
-        } else
-            r = EVP_DigestFinal_ex(tmp_ctx, md, &mdlen);
-        EVP_MD_CTX_free(tmp_ctx);
-    }
+    EVP_MD_CTX_init(&tmp_ctx);
+    if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx))
+        return -1;
+    if (vctx) {
+        r = tmp_ctx.pctx->pmeth->verifyctx(tmp_ctx.pctx,
+                                           sig, siglen, &tmp_ctx);
+    } else
+        r = EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen);
+    EVP_MD_CTX_cleanup(&tmp_ctx);
     if (vctx || !r)
         return r;
     return EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen);
diff --git a/Cryptlib/OpenSSL/crypto/evp/m_wp.c b/Cryptlib/OpenSSL/crypto/evp/m_wp.c
index 94fac226..a890939e 100644
--- a/Cryptlib/OpenSSL/crypto/evp/m_wp.c
+++ b/Cryptlib/OpenSSL/crypto/evp/m_wp.c
@@ -1,14 +1,7 @@
-/*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
+/* crypto/evp/m_wp.c */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
 #ifndef OPENSSL_NO_WHIRLPOOL
 
@@ -16,21 +9,21 @@
 # include <openssl/objects.h>
 # include <openssl/x509.h>
 # include <openssl/whrlpool.h>
-# include "internal/evp_int.h"
+# include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
 {
-    return WHIRLPOOL_Init(EVP_MD_CTX_md_data(ctx));
+    return WHIRLPOOL_Init(ctx->md_data);
 }
 
 static int update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    return WHIRLPOOL_Update(EVP_MD_CTX_md_data(ctx), data, count);
+    return WHIRLPOOL_Update(ctx->md_data, data, count);
 }
 
 static int final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    return WHIRLPOOL_Final(md, EVP_MD_CTX_md_data(ctx));
+    return WHIRLPOOL_Final(md, ctx->md_data);
 }
 
 static const EVP_MD whirlpool_md = {
@@ -43,6 +36,7 @@ static const EVP_MD whirlpool_md = {
     final,
     NULL,
     NULL,
+    EVP_PKEY_NULL_method,
     WHIRLPOOL_BBLOCK / 8,
     sizeof(EVP_MD *) + sizeof(WHIRLPOOL_CTX),
 };
diff --git a/Cryptlib/OpenSSL/crypto/evp/names.c b/Cryptlib/OpenSSL/crypto/evp/names.c
index a92be1fe..ff115a31 100644
--- a/Cryptlib/OpenSSL/crypto/evp/names.c
+++ b/Cryptlib/OpenSSL/crypto/evp/names.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/names.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
-#include <internal/objects.h>
+#include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "internal/evp_int.h"
 
 int EVP_add_cipher(const EVP_CIPHER *c)
 {
@@ -21,10 +69,13 @@ int EVP_add_cipher(const EVP_CIPHER *c)
     if (c == NULL)
         return 0;
 
+    OPENSSL_init();
+
     r = OBJ_NAME_add(OBJ_nid2sn(c->nid), OBJ_NAME_TYPE_CIPHER_METH,
                      (const char *)c);
     if (r == 0)
         return (0);
+    check_defer(c->nid);
     r = OBJ_NAME_add(OBJ_nid2ln(c->nid), OBJ_NAME_TYPE_CIPHER_METH,
                      (const char *)c);
     return (r);
@@ -34,11 +85,13 @@ int EVP_add_digest(const EVP_MD *md)
 {
     int r;
     const char *name;
+    OPENSSL_init();
 
     name = OBJ_nid2sn(md->type);
     r = OBJ_NAME_add(name, OBJ_NAME_TYPE_MD_METH, (const char *)md);
     if (r == 0)
         return (0);
+    check_defer(md->type);
     r = OBJ_NAME_add(OBJ_nid2ln(md->type), OBJ_NAME_TYPE_MD_METH,
                      (const char *)md);
     if (r == 0)
@@ -49,6 +102,7 @@ int EVP_add_digest(const EVP_MD *md)
                          OBJ_NAME_TYPE_MD_METH | OBJ_NAME_ALIAS, name);
         if (r == 0)
             return (0);
+        check_defer(md->pkey_type);
         r = OBJ_NAME_add(OBJ_nid2ln(md->pkey_type),
                          OBJ_NAME_TYPE_MD_METH | OBJ_NAME_ALIAS, name);
     }
@@ -59,9 +113,6 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name)
 {
     const EVP_CIPHER *cp;
 
-    if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS, NULL))
-        return NULL;
-
     cp = (const EVP_CIPHER *)OBJ_NAME_get(name, OBJ_NAME_TYPE_CIPHER_METH);
     return (cp);
 }
@@ -70,14 +121,11 @@ const EVP_MD *EVP_get_digestbyname(const char *name)
 {
     const EVP_MD *cp;
 
-    if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL))
-        return NULL;
-
     cp = (const EVP_MD *)OBJ_NAME_get(name, OBJ_NAME_TYPE_MD_METH);
     return (cp);
 }
 
-void evp_cleanup_int(void)
+void EVP_cleanup(void)
 {
     OBJ_NAME_cleanup(OBJ_NAME_TYPE_CIPHER_METH);
     OBJ_NAME_cleanup(OBJ_NAME_TYPE_MD_METH);
@@ -89,6 +137,10 @@ void evp_cleanup_int(void)
     OBJ_NAME_cleanup(-1);
 
     EVP_PBE_cleanup();
+    if (obj_cleanup_defer == 2) {
+        obj_cleanup_defer = 0;
+        OBJ_cleanup();
+    }
     OBJ_sigid_free();
 }
 
@@ -112,10 +164,6 @@ void EVP_CIPHER_do_all(void (*fn) (const EVP_CIPHER *ciph,
                        void *arg)
 {
     struct doall_cipher dc;
-
-    /* Ignore errors */
-    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS, NULL);
-
     dc.fn = fn;
     dc.arg = arg;
     OBJ_NAME_do_all(OBJ_NAME_TYPE_CIPHER_METH, do_all_cipher_fn, &dc);
@@ -126,10 +174,6 @@ void EVP_CIPHER_do_all_sorted(void (*fn) (const EVP_CIPHER *ciph,
                                           void *x), void *arg)
 {
     struct doall_cipher dc;
-
-    /* Ignore errors */
-    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS, NULL);
-
     dc.fn = fn;
     dc.arg = arg;
     OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, do_all_cipher_fn, &dc);
@@ -155,10 +199,6 @@ void EVP_MD_do_all(void (*fn) (const EVP_MD *md,
                    void *arg)
 {
     struct doall_md dc;
-
-    /* Ignore errors */
-    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
-
     dc.fn = fn;
     dc.arg = arg;
     OBJ_NAME_do_all(OBJ_NAME_TYPE_MD_METH, do_all_md_fn, &dc);
@@ -169,9 +209,6 @@ void EVP_MD_do_all_sorted(void (*fn) (const EVP_MD *md,
                                       void *x), void *arg)
 {
     struct doall_md dc;
-
-    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
-
     dc.fn = fn;
     dc.arg = arg;
     OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH, do_all_md_fn, &dc);
diff --git a/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c b/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c
index 7e55d0bf..d06ab90a 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p5_crpt.c
@@ -1,15 +1,65 @@
+/* p5_crpt.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <stdlib.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 
@@ -25,15 +75,17 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
                        ASN1_TYPE *param, const EVP_CIPHER *cipher,
                        const EVP_MD *md, int en_de)
 {
-    EVP_MD_CTX *ctx;
+    EVP_MD_CTX ctx;
     unsigned char md_tmp[EVP_MAX_MD_SIZE];
     unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
     int i;
     PBEPARAM *pbe;
     int saltlen, iter;
     unsigned char *salt;
+    const unsigned char *pbuf;
     int mdsize;
     int rv = 0;
+    EVP_MD_CTX_init(&ctx);
 
     /* Extract useful info from parameter */
     if (param == NULL || param->type != V_ASN1_SEQUENCE ||
@@ -42,8 +94,8 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
         return 0;
     }
 
-    pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), param);
-    if (pbe == NULL) {
+    pbuf = param->value.sequence->data;
+    if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
         EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN, EVP_R_DECODE_ERROR);
         return 0;
     }
@@ -60,30 +112,24 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
     else if (passlen == -1)
         passlen = strlen(pass);
 
-    ctx = EVP_MD_CTX_new();
-    if (ctx == NULL) {
-        EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    if (!EVP_DigestInit_ex(ctx, md, NULL))
+    if (!EVP_DigestInit_ex(&ctx, md, NULL))
         goto err;
-    if (!EVP_DigestUpdate(ctx, pass, passlen))
+    if (!EVP_DigestUpdate(&ctx, pass, passlen))
         goto err;
-    if (!EVP_DigestUpdate(ctx, salt, saltlen))
+    if (!EVP_DigestUpdate(&ctx, salt, saltlen))
         goto err;
     PBEPARAM_free(pbe);
-    if (!EVP_DigestFinal_ex(ctx, md_tmp, NULL))
+    if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
         goto err;
     mdsize = EVP_MD_size(md);
     if (mdsize < 0)
         return 0;
     for (i = 1; i < iter; i++) {
-        if (!EVP_DigestInit_ex(ctx, md, NULL))
+        if (!EVP_DigestInit_ex(&ctx, md, NULL))
             goto err;
-        if (!EVP_DigestUpdate(ctx, md_tmp, mdsize))
+        if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
             goto err;
-        if (!EVP_DigestFinal_ex(ctx, md_tmp, NULL))
+        if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
             goto err;
     }
     OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp));
@@ -98,6 +144,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
     OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
     rv = 1;
  err:
-    EVP_MD_CTX_free(ctx);
+    EVP_MD_CTX_cleanup(&ctx);
     return rv;
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c b/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c
index 2e45aa3b..f2ae1e57 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p5_crpt2.c
@@ -1,24 +1,74 @@
+/* p5_crpt2.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 #include <stdio.h>
 #include <stdlib.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 # include <openssl/x509.h>
 # include <openssl/evp.h>
 # include <openssl/hmac.h>
 # include "evp_locl.h"
 
 /* set this to print out info about the keygen algorithm */
-/* #define OPENSSL_DEBUG_PKCS5V2 */
+/* #define DEBUG_PKCS5V2 */
 
-# ifdef OPENSSL_DEBUG_PKCS5V2
+# ifdef DEBUG_PKCS5V2
 static void h__dump(const unsigned char *p, int len);
 # endif
 
@@ -36,28 +86,21 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
     unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
     int cplen, j, k, tkeylen, mdlen;
     unsigned long i = 1;
-    HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
+    HMAC_CTX hctx_tpl, hctx;
 
     mdlen = EVP_MD_size(digest);
     if (mdlen < 0)
         return 0;
 
-    hctx_tpl = HMAC_CTX_new();
-    if (hctx_tpl == NULL)
-        return 0;
+    HMAC_CTX_init(&hctx_tpl);
     p = out;
     tkeylen = keylen;
     if (!pass)
         passlen = 0;
     else if (passlen == -1)
         passlen = strlen(pass);
-    if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) {
-        HMAC_CTX_free(hctx_tpl);
-        return 0;
-    }
-    hctx = HMAC_CTX_new();
-    if (hctx == NULL) {
-        HMAC_CTX_free(hctx_tpl);
+    if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL)) {
+        HMAC_CTX_cleanup(&hctx_tpl);
         return 0;
     }
     while (tkeylen) {
@@ -73,33 +116,31 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
         itmp[1] = (unsigned char)((i >> 16) & 0xff);
         itmp[2] = (unsigned char)((i >> 8) & 0xff);
         itmp[3] = (unsigned char)(i & 0xff);
-        if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
-            HMAC_CTX_free(hctx);
-            HMAC_CTX_free(hctx_tpl);
+        if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
+            HMAC_CTX_cleanup(&hctx_tpl);
             return 0;
         }
-        if (!HMAC_Update(hctx, salt, saltlen)
-            || !HMAC_Update(hctx, itmp, 4)
-            || !HMAC_Final(hctx, digtmp, NULL)) {
-            HMAC_CTX_free(hctx);
-            HMAC_CTX_free(hctx_tpl);
+        if (!HMAC_Update(&hctx, salt, saltlen)
+            || !HMAC_Update(&hctx, itmp, 4)
+            || !HMAC_Final(&hctx, digtmp, NULL)) {
+            HMAC_CTX_cleanup(&hctx_tpl);
+            HMAC_CTX_cleanup(&hctx);
             return 0;
         }
-        HMAC_CTX_reset(hctx);
+        HMAC_CTX_cleanup(&hctx);
         memcpy(p, digtmp, cplen);
         for (j = 1; j < iter; j++) {
-            if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
-                HMAC_CTX_free(hctx);
-                HMAC_CTX_free(hctx_tpl);
+            if (!HMAC_CTX_copy(&hctx, &hctx_tpl)) {
+                HMAC_CTX_cleanup(&hctx_tpl);
                 return 0;
             }
-            if (!HMAC_Update(hctx, digtmp, mdlen)
-                || !HMAC_Final(hctx, digtmp, NULL)) {
-                HMAC_CTX_free(hctx);
-                HMAC_CTX_free(hctx_tpl);
+            if (!HMAC_Update(&hctx, digtmp, mdlen)
+                || !HMAC_Final(&hctx, digtmp, NULL)) {
+                HMAC_CTX_cleanup(&hctx_tpl);
+                HMAC_CTX_cleanup(&hctx);
                 return 0;
             }
-            HMAC_CTX_reset(hctx);
+            HMAC_CTX_cleanup(&hctx);
             for (k = 0; k < cplen; k++)
                 p[k] ^= digtmp[k];
         }
@@ -107,9 +148,8 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
         i++;
         p += cplen;
     }
-    HMAC_CTX_free(hctx);
-    HMAC_CTX_free(hctx_tpl);
-# ifdef OPENSSL_DEBUG_PKCS5V2
+    HMAC_CTX_cleanup(&hctx_tpl);
+# ifdef DEBUG_PKCS5V2
     fprintf(stderr, "Password:\n");
     h__dump(pass, passlen);
     fprintf(stderr, "Salt:\n");
@@ -151,21 +191,29 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                           ASN1_TYPE *param, const EVP_CIPHER *c,
                           const EVP_MD *md, int en_de)
 {
+    const unsigned char *pbuf;
+    int plen;
     PBE2PARAM *pbe2 = NULL;
     const EVP_CIPHER *cipher;
-    EVP_PBE_KEYGEN *kdf;
 
     int rv = 0;
 
-    pbe2 = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBE2PARAM), param);
-    if (pbe2 == NULL) {
+    if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+        param->value.sequence == NULL) {
+        EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_DECODE_ERROR);
+        goto err;
+    }
+
+    pbuf = param->value.sequence->data;
+    plen = param->value.sequence->length;
+    if (!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
         EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_DECODE_ERROR);
         goto err;
     }
 
     /* See if we recognise the key derivation function */
-    if (!EVP_PBE_find(EVP_PBE_TYPE_KDF, OBJ_obj2nid(pbe2->keyfunc->algorithm),
-                        NULL, NULL, &kdf)) {
+
+    if (OBJ_obj2nid(pbe2->keyfunc->algorithm) != NID_id_pbkdf2) {
         EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
                EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
         goto err;
@@ -189,7 +237,8 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_CIPHER_PARAMETER_ERROR);
         goto err;
     }
-    rv = kdf(ctx, pass, passlen, pbe2->keyfunc->parameter, NULL, NULL, en_de);
+    rv = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
+                                  pbe2->keyfunc->parameter, c, md, en_de);
  err:
     PBE2PARAM_free(pbe2);
     return rv;
@@ -200,7 +249,8 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
                              const EVP_CIPHER *c, const EVP_MD *md, int en_de)
 {
     unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
-    int saltlen, iter;
+    const unsigned char *pbuf;
+    int saltlen, iter, plen;
     int rv = 0;
     unsigned int keylen = 0;
     int prf_nid, hmac_md_nid;
@@ -216,9 +266,15 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
 
     /* Decode parameter */
 
-    kdf = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBKDF2PARAM), param);
+    if (!param || (param->type != V_ASN1_SEQUENCE)) {
+        EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_DECODE_ERROR);
+        goto err;
+    }
+
+    pbuf = param->value.sequence->data;
+    plen = param->value.sequence->length;
 
-    if (kdf == NULL) {
+    if (!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen))) {
         EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_DECODE_ERROR);
         goto err;
     }
@@ -267,7 +323,7 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
     return rv;
 }
 
-# ifdef OPENSSL_DEBUG_PKCS5V2
+# ifdef DEBUG_PKCS5V2
 static void h__dump(const unsigned char *p, int len)
 {
     for (; len--; p++)
@@ -275,3 +331,4 @@ static void h__dump(const unsigned char *p, int len)
     fprintf(stderr, "\n");
 }
 # endif
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/p_dec.c b/Cryptlib/OpenSSL/crypto/evp/p_dec.c
index 6bec4062..225b8b45 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p_dec.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p_dec.c
@@ -1,15 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/p_dec.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/rsa.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
@@ -20,7 +72,7 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl,
     int ret = -1;
 
 #ifndef OPENSSL_NO_RSA
-    if (EVP_PKEY_id(priv) != EVP_PKEY_RSA) {
+    if (priv->type != EVP_PKEY_RSA) {
 #endif
         EVPerr(EVP_F_EVP_PKEY_DECRYPT_OLD, EVP_R_PUBLIC_KEY_NOT_RSA);
 #ifndef OPENSSL_NO_RSA
@@ -28,8 +80,7 @@ int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl,
     }
 
     ret =
-        RSA_private_decrypt(ekl, ek, key, EVP_PKEY_get0_RSA(priv),
-                            RSA_PKCS1_PADDING);
+        RSA_private_decrypt(ekl, ek, key, priv->pkey.rsa, RSA_PKCS1_PADDING);
  err:
 #endif
     return (ret);
diff --git a/Cryptlib/OpenSSL/crypto/evp/p_enc.c b/Cryptlib/OpenSSL/crypto/evp/p_enc.c
index 3277fbb0..f565f33f 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p_enc.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p_enc.c
@@ -1,15 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/p_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/rsa.h>
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
@@ -20,14 +72,14 @@ int EVP_PKEY_encrypt_old(unsigned char *ek, const unsigned char *key,
     int ret = 0;
 
 #ifndef OPENSSL_NO_RSA
-    if (EVP_PKEY_id(pubk) != EVP_PKEY_RSA) {
+    if (pubk->type != EVP_PKEY_RSA) {
 #endif
         EVPerr(EVP_F_EVP_PKEY_ENCRYPT_OLD, EVP_R_PUBLIC_KEY_NOT_RSA);
 #ifndef OPENSSL_NO_RSA
         goto err;
     }
     ret =
-        RSA_public_encrypt(key_len, key, ek, EVP_PKEY_get0_RSA(pubk),
+        RSA_public_encrypt(key_len, key, ek, pubk->pkey.rsa,
                            RSA_PKCS1_PADDING);
  err:
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/p_lib.c b/Cryptlib/OpenSSL/crypto/evp/p_lib.c
index 98286205..545d04fd 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p_lib.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p_lib.c
@@ -1,45 +1,94 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/p_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/asn1_mac.h>
 #include <openssl/x509.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/dh.h>
-#include <openssl/engine.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
 
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#include "asn1_locl.h"
 
 static void EVP_PKEY_free_it(EVP_PKEY *x);
 
-int EVP_PKEY_bits(const EVP_PKEY *pkey)
+int EVP_PKEY_bits(EVP_PKEY *pkey)
 {
     if (pkey && pkey->ameth && pkey->ameth->pkey_bits)
         return pkey->ameth->pkey_bits(pkey);
     return 0;
 }
 
-int EVP_PKEY_security_bits(const EVP_PKEY *pkey)
-{
-    if (pkey == NULL)
-        return 0;
-    if (!pkey->ameth || !pkey->ameth->pkey_security_bits)
-        return -2;
-    return pkey->ameth->pkey_security_bits(pkey);
-}
-
 int EVP_PKEY_size(EVP_PKEY *pkey)
 {
     if (pkey && pkey->ameth && pkey->ameth->pkey_size)
@@ -72,10 +121,7 @@ int EVP_PKEY_save_parameters(EVP_PKEY *pkey, int mode)
 
 int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
 {
-    if (to->type == EVP_PKEY_NONE) {
-        if (EVP_PKEY_set_type(to, from->type) == 0)
-            return 0;
-    } else if (to->type != from->type) {
+    if (to->type != from->type) {
         EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS, EVP_R_DIFFERENT_KEY_TYPES);
         goto err;
     }
@@ -137,35 +183,22 @@ int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
 
 EVP_PKEY *EVP_PKEY_new(void)
 {
-    EVP_PKEY *ret = OPENSSL_zalloc(sizeof(*ret));
+    EVP_PKEY *ret;
 
+    ret = (EVP_PKEY *)OPENSSL_malloc(sizeof(EVP_PKEY));
     if (ret == NULL) {
         EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        return (NULL);
     }
     ret->type = EVP_PKEY_NONE;
     ret->save_type = EVP_PKEY_NONE;
     ret->references = 1;
+    ret->ameth = NULL;
+    ret->engine = NULL;
+    ret->pkey.ptr = NULL;
+    ret->attributes = NULL;
     ret->save_parameters = 1;
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(ret);
-        return NULL;
-    }
-    return ret;
-}
-
-int EVP_PKEY_up_ref(EVP_PKEY *pkey)
-{
-    int i;
-
-    if (CRYPTO_atomic_add(&pkey->references, 1, &i, pkey->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("EVP_PKEY", pkey);
-    REF_ASSERT_ISNT(i < 2);
-    return ((i > 1) ? 1 : 0);
+    return (ret);
 }
 
 /*
@@ -188,8 +221,10 @@ static int pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len)
             return 1;
 #ifndef OPENSSL_NO_ENGINE
         /* If we have an ENGINE release it */
-        ENGINE_finish(pkey->engine);
-        pkey->engine = NULL;
+        if (pkey->engine) {
+            ENGINE_finish(pkey->engine);
+            pkey->engine = NULL;
+        }
 #endif
     }
     if (str)
@@ -197,10 +232,10 @@ static int pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len)
     else
         ameth = EVP_PKEY_asn1_find(&e, type);
 #ifndef OPENSSL_NO_ENGINE
-    if (pkey == NULL)
+    if (!pkey && e)
         ENGINE_finish(e);
 #endif
-    if (ameth == NULL) {
+    if (!ameth) {
         EVPerr(EVP_F_PKEY_SET_TYPE, EVP_R_UNSUPPORTED_ALGORITHM);
         return 0;
     }
@@ -232,23 +267,11 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key)
     return (key != NULL);
 }
 
-void *EVP_PKEY_get0(const EVP_PKEY *pkey)
+void *EVP_PKEY_get0(EVP_PKEY *pkey)
 {
     return pkey->pkey.ptr;
 }
 
-const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len)
-{
-    ASN1_OCTET_STRING *os = NULL;
-    if (pkey->type != EVP_PKEY_HMAC) {
-        EVPerr(EVP_F_EVP_PKEY_GET0_HMAC, EVP_R_EXPECTING_AN_HMAC_KEY);
-        return NULL;
-    }
-    os = EVP_PKEY_get0(pkey);
-    *len = os->length;
-    return os->data;
-}
-
 #ifndef OPENSSL_NO_RSA
 int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
 {
@@ -258,22 +281,15 @@ int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
     return ret;
 }
 
-RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
 {
     if (pkey->type != EVP_PKEY_RSA) {
-        EVPerr(EVP_F_EVP_PKEY_GET0_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
+        EVPerr(EVP_F_EVP_PKEY_GET1_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
         return NULL;
     }
+    RSA_up_ref(pkey->pkey.rsa);
     return pkey->pkey.rsa;
 }
-
-RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
-{
-    RSA *ret = EVP_PKEY_get0_RSA(pkey);
-    if (ret != NULL)
-        RSA_up_ref(ret);
-    return ret;
-}
 #endif
 
 #ifndef OPENSSL_NO_DSA
@@ -285,22 +301,15 @@ int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key)
     return ret;
 }
 
-DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
 {
     if (pkey->type != EVP_PKEY_DSA) {
-        EVPerr(EVP_F_EVP_PKEY_GET0_DSA, EVP_R_EXPECTING_A_DSA_KEY);
+        EVPerr(EVP_F_EVP_PKEY_GET1_DSA, EVP_R_EXPECTING_A_DSA_KEY);
         return NULL;
     }
+    DSA_up_ref(pkey->pkey.dsa);
     return pkey->pkey.dsa;
 }
-
-DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
-{
-    DSA *ret = EVP_PKEY_get0_DSA(pkey);
-    if (ret != NULL)
-        DSA_up_ref(ret);
-    return ret;
-}
 #endif
 
 #ifndef OPENSSL_NO_EC
@@ -313,22 +322,15 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
     return ret;
 }
 
-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
+EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
 {
     if (pkey->type != EVP_PKEY_EC) {
-        EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
+        EVPerr(EVP_F_EVP_PKEY_GET1_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
         return NULL;
     }
+    EC_KEY_up_ref(pkey->pkey.ec);
     return pkey->pkey.ec;
 }
-
-EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
-{
-    EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey);
-    if (ret != NULL)
-        EC_KEY_up_ref(ret);
-    return ret;
-}
 #endif
 
 #ifndef OPENSSL_NO_DH
@@ -341,22 +343,15 @@ int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
     return ret;
 }
 
-DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey)
+DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
 {
     if (pkey->type != EVP_PKEY_DH && pkey->type != EVP_PKEY_DHX) {
-        EVPerr(EVP_F_EVP_PKEY_GET0_DH, EVP_R_EXPECTING_A_DH_KEY);
+        EVPerr(EVP_F_EVP_PKEY_GET1_DH, EVP_R_EXPECTING_A_DH_KEY);
         return NULL;
     }
+    DH_up_ref(pkey->pkey.dh);
     return pkey->pkey.dh;
 }
-
-DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
-{
-    DH *ret = EVP_PKEY_get0_DH(pkey);
-    if (ret != NULL)
-        DH_up_ref(ret);
-    return ret;
-}
 #endif
 
 int EVP_PKEY_type(int type)
@@ -370,7 +365,8 @@ int EVP_PKEY_type(int type)
     else
         ret = NID_undef;
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(e);
+    if (e)
+        ENGINE_finish(e);
 #endif
     return ret;
 }
@@ -392,27 +388,35 @@ void EVP_PKEY_free(EVP_PKEY *x)
     if (x == NULL)
         return;
 
-    CRYPTO_atomic_add(&x->references, -1, &i, x->lock);
-    REF_PRINT_COUNT("EVP_PKEY", x);
+    i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_EVP_PKEY);
+#ifdef REF_PRINT
+    REF_PRINT("EVP_PKEY", x);
+#endif
     if (i > 0)
         return;
-    REF_ASSERT_ISNT(i < 0);
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "EVP_PKEY_free, bad reference count\n");
+        abort();
+    }
+#endif
     EVP_PKEY_free_it(x);
-    CRYPTO_THREAD_lock_free(x->lock);
-    sk_X509_ATTRIBUTE_pop_free(x->attributes, X509_ATTRIBUTE_free);
+    if (x->attributes)
+        sk_X509_ATTRIBUTE_pop_free(x->attributes, X509_ATTRIBUTE_free);
     OPENSSL_free(x);
 }
 
 static void EVP_PKEY_free_it(EVP_PKEY *x)
 {
-    /* internal function; x is never NULL */
     if (x->ameth && x->ameth->pkey_free) {
         x->ameth->pkey_free(x);
         x->pkey.ptr = NULL;
     }
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(x->engine);
-    x->engine = NULL;
+    if (x->engine) {
+        ENGINE_finish(x->engine);
+        x->engine = NULL;
+    }
 #endif
 }
 
@@ -451,34 +455,10 @@ int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
     return unsup_alg(out, pkey, indent, "Parameters");
 }
 
-static int evp_pkey_asn1_ctrl(EVP_PKEY *pkey, int op, int arg1, void *arg2)
-{
-    if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL)
-        return -2;
-    return pkey->ameth->pkey_ctrl(pkey, op, arg1, arg2);
-}
-
 int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid)
 {
-    return evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid);
-}
-
-int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey,
-                               const unsigned char *pt, size_t ptlen)
-{
-    if (ptlen > INT_MAX)
-        return 0;
-    if (evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SET1_TLS_ENCPT, ptlen,
-                           (void *)pt) <= 0)
-        return 0;
-    return 1;
-}
-
-size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt)
-{
-    int rv;
-    rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_GET1_TLS_ENCPT, 0, ppt);
-    if (rv <= 0)
-        return 0;
-    return rv;
+    if (!pkey->ameth || !pkey->ameth->pkey_ctrl)
+        return -2;
+    return pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID,
+                                  0, pnid);
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/p_open.c b/Cryptlib/OpenSSL/crypto/evp/p_open.c
index b65bc74e..229eb641 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p_open.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p_open.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/p_open.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
-#ifdef OPENSSL_NO_RSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#include <stdio.h>
+#include "cryptlib.h"
+
+#ifndef OPENSSL_NO_RSA
 
-# include <stdio.h>
 # include <openssl/evp.h>
 # include <openssl/objects.h>
 # include <openssl/x509.h>
@@ -26,7 +74,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
     int i, size = 0, ret = 0;
 
     if (type) {
-        EVP_CIPHER_CTX_reset(ctx);
+        EVP_CIPHER_CTX_init(ctx);
         if (!EVP_DecryptInit_ex(ctx, type, NULL, NULL, NULL))
             return 0;
     }
@@ -34,13 +82,13 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
     if (!priv)
         return 1;
 
-    if (EVP_PKEY_id(priv) != EVP_PKEY_RSA) {
+    if (priv->type != EVP_PKEY_RSA) {
         EVPerr(EVP_F_EVP_OPENINIT, EVP_R_PUBLIC_KEY_NOT_RSA);
         goto err;
     }
 
-    size = EVP_PKEY_size(priv);
-    key = OPENSSL_malloc(size + 2);
+    size = RSA_size(priv->pkey.rsa);
+    key = (unsigned char *)OPENSSL_malloc(size + 2);
     if (key == NULL) {
         /* ERROR */
         EVPerr(EVP_F_EVP_OPENINIT, ERR_R_MALLOC_FAILURE);
@@ -57,7 +105,9 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 
     ret = 1;
  err:
-    OPENSSL_clear_free(key, size);
+    if (key != NULL)
+        OPENSSL_cleanse(key, size);
+    OPENSSL_free(key);
     return (ret);
 }
 
@@ -70,4 +120,10 @@ int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         i = EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL);
     return (i);
 }
+#else                           /* !OPENSSL_NO_RSA */
+
+# ifdef PEDANTIC
+static void *dummy = &dummy;
+# endif
+
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/evp/p_seal.c b/Cryptlib/OpenSSL/crypto/evp/p_seal.c
index faa24648..ba9dfff2 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p_seal.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p_seal.c
@@ -1,16 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/p_seal.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/rand.h>
-#include <openssl/rsa.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
@@ -23,7 +74,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
     int i;
 
     if (type) {
-        EVP_CIPHER_CTX_reset(ctx);
+        EVP_CIPHER_CTX_init(ctx);
         if (!EVP_EncryptInit_ex(ctx, type, NULL, NULL, NULL))
             return 0;
     }
diff --git a/Cryptlib/OpenSSL/crypto/evp/p_sign.c b/Cryptlib/OpenSSL/crypto/evp/p_sign.c
index 6cb442e4..1b9ba060 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p_sign.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p_sign.c
@@ -1,61 +1,133 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/p_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "internal/evp_int.h"
+
+#ifdef undef
+void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+{
+    EVP_DigestInit_ex(ctx, type);
+}
+
+void EVP_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data, unsigned int count)
+{
+    EVP_DigestUpdate(ctx, data, count);
+}
+#endif
 
 int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
                   unsigned int *siglen, EVP_PKEY *pkey)
 {
     unsigned char m[EVP_MAX_MD_SIZE];
-    unsigned int m_len = 0;
-    int i = 0;
-    size_t sltmp;
+    unsigned int m_len;
+    int i = 0, ok = 0, v;
+    EVP_MD_CTX tmp_ctx;
     EVP_PKEY_CTX *pkctx = NULL;
 
     *siglen = 0;
-    if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) {
-        if (!EVP_DigestFinal_ex(ctx, m, &m_len))
+    EVP_MD_CTX_init(&tmp_ctx);
+    if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx))
+        goto err;
+    if (!EVP_DigestFinal_ex(&tmp_ctx, &(m[0]), &m_len))
+        goto err;
+    EVP_MD_CTX_cleanup(&tmp_ctx);
+
+    if (ctx->digest->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) {
+        size_t sltmp = (size_t)EVP_PKEY_size(pkey);
+        i = 0;
+        pkctx = EVP_PKEY_CTX_new(pkey, NULL);
+        if (!pkctx)
             goto err;
-    } else {
-        int rv = 0;
-        EVP_MD_CTX *tmp_ctx = EVP_MD_CTX_new();
-        if (tmp_ctx == NULL) {
-            EVPerr(EVP_F_EVP_SIGNFINAL, ERR_R_MALLOC_FAILURE);
-            return 0;
+        if (EVP_PKEY_sign_init(pkctx) <= 0)
+            goto err;
+        if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
+            goto err;
+        if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
+            goto err;
+        *siglen = sltmp;
+        i = 1;
+ err:
+        EVP_PKEY_CTX_free(pkctx);
+        return i;
+    }
+
+    for (i = 0; i < 4; i++) {
+        v = ctx->digest->required_pkey_type[i];
+        if (v == 0)
+            break;
+        if (pkey->type == v) {
+            ok = 1;
+            break;
         }
-        rv = EVP_MD_CTX_copy_ex(tmp_ctx, ctx);
-        if (rv)
-            rv = EVP_DigestFinal_ex(tmp_ctx, m, &m_len);
-        EVP_MD_CTX_free(tmp_ctx);
-        if (!rv)
-            return 0;
+    }
+    if (!ok) {
+        EVPerr(EVP_F_EVP_SIGNFINAL, EVP_R_WRONG_PUBLIC_KEY_TYPE);
+        return (0);
     }
 
-    sltmp = (size_t)EVP_PKEY_size(pkey);
-    i = 0;
-    pkctx = EVP_PKEY_CTX_new(pkey, NULL);
-    if (pkctx == NULL)
-        goto err;
-    if (EVP_PKEY_sign_init(pkctx) <= 0)
-        goto err;
-    if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0)
-        goto err;
-    if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
-        goto err;
-    *siglen = sltmp;
-    i = 1;
- err:
-    EVP_PKEY_CTX_free(pkctx);
-    return i;
+    if (ctx->digest->sign == NULL) {
+        EVPerr(EVP_F_EVP_SIGNFINAL, EVP_R_NO_SIGN_FUNCTION_CONFIGURED);
+        return (0);
+    }
+    return (ctx->digest->sign(ctx->digest->type, m, m_len, sigret, siglen,
+                              pkey->pkey.ptr));
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/p_verify.c b/Cryptlib/OpenSSL/crypto/evp/p_verify.c
index 6e8c565d..65e1e216 100644
--- a/Cryptlib/OpenSSL/crypto/evp/p_verify.c
+++ b/Cryptlib/OpenSSL/crypto/evp/p_verify.c
@@ -1,55 +1,116 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/evp/p_verify.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "internal/evp_int.h"
 
 int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
                     unsigned int siglen, EVP_PKEY *pkey)
 {
     unsigned char m[EVP_MAX_MD_SIZE];
-    unsigned int m_len = 0;
-    int i = 0;
+    unsigned int m_len;
+    int i = 0, ok = 0, v;
+    EVP_MD_CTX tmp_ctx;
     EVP_PKEY_CTX *pkctx = NULL;
 
-    if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) {
-        if (!EVP_DigestFinal_ex(ctx, m, &m_len))
+    EVP_MD_CTX_init(&tmp_ctx);
+    if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx))
+        goto err;
+    if (!EVP_DigestFinal_ex(&tmp_ctx, &(m[0]), &m_len))
+        goto err;
+    EVP_MD_CTX_cleanup(&tmp_ctx);
+
+    if (ctx->digest->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) {
+        i = -1;
+        pkctx = EVP_PKEY_CTX_new(pkey, NULL);
+        if (!pkctx)
+            goto err;
+        if (EVP_PKEY_verify_init(pkctx) <= 0)
+            goto err;
+        if (EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0)
             goto err;
-    } else {
-        int rv = 0;
-        EVP_MD_CTX *tmp_ctx = EVP_MD_CTX_new();
-        if (tmp_ctx == NULL) {
-            EVPerr(EVP_F_EVP_VERIFYFINAL, ERR_R_MALLOC_FAILURE);
-            return 0;
+        i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
+ err:
+        EVP_PKEY_CTX_free(pkctx);
+        return i;
+    }
+
+    for (i = 0; i < 4; i++) {
+        v = ctx->digest->required_pkey_type[i];
+        if (v == 0)
+            break;
+        if (pkey->type == v) {
+            ok = 1;
+            break;
         }
-        rv = EVP_MD_CTX_copy_ex(tmp_ctx, ctx);
-        if (rv)
-            rv = EVP_DigestFinal_ex(tmp_ctx, m, &m_len);
-        EVP_MD_CTX_free(tmp_ctx);
-        if (!rv)
-            return 0;
+    }
+    if (!ok) {
+        EVPerr(EVP_F_EVP_VERIFYFINAL, EVP_R_WRONG_PUBLIC_KEY_TYPE);
+        return (-1);
+    }
+    if (ctx->digest->verify == NULL) {
+        EVPerr(EVP_F_EVP_VERIFYFINAL, EVP_R_NO_VERIFY_FUNCTION_CONFIGURED);
+        return (0);
     }
 
-    i = -1;
-    pkctx = EVP_PKEY_CTX_new(pkey, NULL);
-    if (pkctx == NULL)
-        goto err;
-    if (EVP_PKEY_verify_init(pkctx) <= 0)
-        goto err;
-    if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0)
-        goto err;
-    i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
- err:
-    EVP_PKEY_CTX_free(pkctx);
-    return i;
+    return (ctx->digest->verify(ctx->digest->type, m, m_len,
+                                sigbuf, siglen, pkey->pkey.ptr));
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/pmeth_fn.c b/Cryptlib/OpenSSL/crypto/evp/pmeth_fn.c
index eb638019..727869e3 100644
--- a/Cryptlib/OpenSSL/crypto/evp/pmeth_fn.c
+++ b/Cryptlib/OpenSSL/crypto/evp/pmeth_fn.c
@@ -1,18 +1,68 @@
+/* pmeth_fn.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <stdlib.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "internal/evp_int.h"
+#include "evp_locl.h"
 
 #define M_check_autoarg(ctx, arg, arglen, err) \
     if (ctx->pmeth->flags & EVP_PKEY_FLAG_AUTOARGLEN) {           \
@@ -267,7 +317,8 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer)
         return -1;
     }
 
-    EVP_PKEY_free(ctx->peerkey);
+    if (ctx->peerkey)
+        EVP_PKEY_free(ctx->peerkey);
     ctx->peerkey = peer;
 
     ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
@@ -277,7 +328,7 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer)
         return ret;
     }
 
-    EVP_PKEY_up_ref(peer);
+    CRYPTO_add(&peer->references, 1, CRYPTO_LOCK_EVP_PKEY);
     return 1;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c b/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c
index 6adc3a9c..6a4d3573 100644
--- a/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c
+++ b/Cryptlib/OpenSSL/crypto/evp/pmeth_gn.c
@@ -1,19 +1,69 @@
+/* pmeth_gn.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <stdlib.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "internal/bn_int.h"
-#include "internal/evp_int.h"
+#include <openssl/bn.h>
+#include "evp_locl.h"
 
 int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx)
 {
@@ -96,7 +146,7 @@ int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
         return -1;
     }
 
-    if (ppkey == NULL)
+    if (!ppkey)
         return -1;
 
     if (*ppkey == NULL)
@@ -129,7 +179,7 @@ EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx)
 
 static int trans_cb(int a, int b, BN_GENCB *gcb)
 {
-    EVP_PKEY_CTX *ctx = BN_GENCB_get_arg(gcb);
+    EVP_PKEY_CTX *ctx = gcb->arg;
     ctx->keygen_info[0] = a;
     ctx->keygen_info[1] = b;
     return ctx->pkey_gencb(ctx);
@@ -137,7 +187,7 @@ static int trans_cb(int a, int b, BN_GENCB *gcb)
 
 void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx)
 {
-    BN_GENCB_set(cb, trans_cb, ctx);
+    BN_GENCB_set(cb, trans_cb, ctx)
 }
 
 int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx)
@@ -159,11 +209,14 @@ EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e,
         return NULL;
     if (EVP_PKEY_keygen_init(mac_ctx) <= 0)
         goto merr;
-    if (EVP_PKEY_CTX_set_mac_key(mac_ctx, key, keylen) <= 0)
+    if (EVP_PKEY_CTX_ctrl(mac_ctx, -1, EVP_PKEY_OP_KEYGEN,
+                          EVP_PKEY_CTRL_SET_MAC_KEY,
+                          keylen, (void *)key) <= 0)
         goto merr;
     if (EVP_PKEY_keygen(mac_ctx, &mac_key) <= 0)
         goto merr;
  merr:
-    EVP_PKEY_CTX_free(mac_ctx);
+    if (mac_ctx)
+        EVP_PKEY_CTX_free(mac_ctx);
     return mac_key;
 }
diff --git a/Cryptlib/OpenSSL/crypto/evp/pmeth_lib.c b/Cryptlib/OpenSSL/crypto/evp/pmeth_lib.c
index b7f06be5..d0668629 100644
--- a/Cryptlib/OpenSSL/crypto/evp/pmeth_lib.c
+++ b/Cryptlib/OpenSSL/crypto/evp/pmeth_lib.c
@@ -1,25 +1,81 @@
+/* pmeth_lib.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <stdlib.h>
-#include "internal/cryptlib.h"
-#include <openssl/engine.h>
+#include "cryptlib.h"
+#include <openssl/objects.h>
 #include <openssl/evp.h>
-#include <openssl/x509v3.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
-#include "internal/numbers.h"
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+#include "asn1_locl.h"
+#include "evp_locl.h"
 
 typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
 
-static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
+DECLARE_STACK_OF(EVP_PKEY_METHOD)
+STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
+
+extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth;
+extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth;
+extern const EVP_PKEY_METHOD dhx_pkey_meth;
 
 static const EVP_PKEY_METHOD *standard_methods[] = {
 #ifndef OPENSSL_NO_RSA
@@ -39,13 +95,8 @@ static const EVP_PKEY_METHOD *standard_methods[] = {
     &cmac_pkey_meth,
 #endif
 #ifndef OPENSSL_NO_DH
-    &dhx_pkey_meth,
+    &dhx_pkey_meth
 #endif
-    &tls1_prf_pkey_meth,
-#ifndef OPENSSL_NO_EC
-    &ecx25519_pkey_meth,
-#endif
-    &hkdf_pkey_meth
 };
 
 DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
@@ -101,7 +152,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
         e = ENGINE_get_pkey_meth_engine(id);
 
     /*
-     * If an ENGINE handled this method look it up. Otherwise use internal
+     * If an ENGINE handled this method look it up. Othewise use internal
      * tables.
      */
 
@@ -116,10 +167,11 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
         return NULL;
     }
 
-    ret = OPENSSL_zalloc(sizeof(*ret));
-    if (ret == NULL) {
+    ret = OPENSSL_malloc(sizeof(EVP_PKEY_CTX));
+    if (!ret) {
 #ifndef OPENSSL_NO_ENGINE
-        ENGINE_finish(e);
+        if (e)
+            ENGINE_finish(e);
 #endif
         EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE);
         return NULL;
@@ -128,12 +180,14 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
     ret->pmeth = pmeth;
     ret->operation = EVP_PKEY_OP_UNDEFINED;
     ret->pkey = pkey;
+    ret->peerkey = NULL;
+    ret->pkey_gencb = 0;
     if (pkey)
-        EVP_PKEY_up_ref(pkey);
+        CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+    ret->data = NULL;
 
     if (pmeth->init) {
         if (pmeth->init(ret) <= 0) {
-            ret->pmeth = NULL;
             EVP_PKEY_CTX_free(ret);
             return NULL;
         }
@@ -146,10 +200,12 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags)
 {
     EVP_PKEY_METHOD *pmeth;
 
-    pmeth = OPENSSL_zalloc(sizeof(*pmeth));
-    if (pmeth == NULL)
+    pmeth = OPENSSL_malloc(sizeof(EVP_PKEY_METHOD));
+    if (!pmeth)
         return NULL;
 
+    memset(pmeth, 0, sizeof(EVP_PKEY_METHOD));
+
     pmeth->pkey_id = id;
     pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC;
     return pmeth;
@@ -233,8 +289,8 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx)
         return 0;
     }
 #endif
-    rctx = OPENSSL_malloc(sizeof(*rctx));
-    if (rctx == NULL)
+    rctx = OPENSSL_malloc(sizeof(EVP_PKEY_CTX));
+    if (!rctx)
         return NULL;
 
     rctx->pmeth = pctx->pmeth;
@@ -243,12 +299,12 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx)
 #endif
 
     if (pctx->pkey)
-        EVP_PKEY_up_ref(pctx->pkey);
+        CRYPTO_add(&pctx->pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
 
     rctx->pkey = pctx->pkey;
 
     if (pctx->peerkey)
-        EVP_PKEY_up_ref(pctx->peerkey);
+        CRYPTO_add(&pctx->peerkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
 
     rctx->peerkey = pctx->peerkey;
 
@@ -259,7 +315,6 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx)
     if (pctx->pmeth->copy(rctx, pctx) > 0)
         return rctx;
 
-    rctx->pmeth = NULL;
     EVP_PKEY_CTX_free(rctx);
     return NULL;
 
@@ -269,7 +324,7 @@ int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth)
 {
     if (app_pkey_methods == NULL) {
         app_pkey_methods = sk_EVP_PKEY_METHOD_new(pmeth_cmp);
-        if (app_pkey_methods == NULL)
+        if (!app_pkey_methods)
             return 0;
     }
     if (!sk_EVP_PKEY_METHOD_push(app_pkey_methods, pmeth))
@@ -284,10 +339,17 @@ void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx)
         return;
     if (ctx->pmeth && ctx->pmeth->cleanup)
         ctx->pmeth->cleanup(ctx);
-    EVP_PKEY_free(ctx->pkey);
-    EVP_PKEY_free(ctx->peerkey);
+    if (ctx->pkey)
+        EVP_PKEY_free(ctx->pkey);
+    if (ctx->peerkey)
+        EVP_PKEY_free(ctx->peerkey);
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(ctx->engine);
+    if (ctx->engine)
+        /*
+         * The EVP_PKEY_CTX we used belongs to an ENGINE, release the
+         * functional reference we held for this reason.
+         */
+        ENGINE_finish(ctx->engine);
 #endif
     OPENSSL_free(ctx);
 }
@@ -329,9 +391,9 @@ int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx,
         EVPerr(EVP_F_EVP_PKEY_CTX_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);
         return -2;
     }
-    if (strcmp(name, "digest") == 0) {
+    if (!strcmp(name, "digest")) {
         const EVP_MD *md;
-        if (value == NULL || (md = EVP_get_digestbyname(value)) == NULL) {
+        if (!value || !(md = EVP_get_digestbyname(value))) {
             EVPerr(EVP_F_EVP_PKEY_CTX_CTRL_STR, EVP_R_INVALID_DIGEST);
             return 0;
         }
@@ -340,33 +402,6 @@ int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx,
     return ctx->pmeth->ctrl_str(ctx, name, value);
 }
 
-/* Utility functions to send a string of hex string to a ctrl */
-
-int EVP_PKEY_CTX_str2ctrl(EVP_PKEY_CTX *ctx, int cmd, const char *str)
-{
-    size_t len;
-
-    len = strlen(str);
-    if (len > INT_MAX)
-        return -1;
-    return ctx->pmeth->ctrl(ctx, cmd, len, (void *)str);
-}
-
-int EVP_PKEY_CTX_hex2ctrl(EVP_PKEY_CTX *ctx, int cmd, const char *hex)
-{
-    unsigned char *bin;
-    long binlen;
-    int rv = -1;
-
-    bin = OPENSSL_hexstr2buf(hex, &binlen);
-    if (bin == NULL)
-        return 0;
-    if (binlen <= INT_MAX)
-        rv = ctx->pmeth->ctrl(ctx, cmd, binlen, bin);
-    OPENSSL_free(bin);
-    return rv;
-}
-
 int EVP_PKEY_CTX_get_operation(EVP_PKEY_CTX *ctx)
 {
     return ctx->operation;
@@ -552,170 +587,3 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
     pmeth->ctrl = ctrl;
     pmeth->ctrl_str = ctrl_str;
 }
-
-void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
-                            int (**pinit) (EVP_PKEY_CTX *ctx))
-{
-    *pinit = pmeth->init;
-}
-
-void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth,
-                            int (**pcopy) (EVP_PKEY_CTX *dst,
-                                           EVP_PKEY_CTX *src))
-{
-    *pcopy = pmeth->copy;
-}
-
-void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth,
-                               void (**pcleanup) (EVP_PKEY_CTX *ctx))
-{
-    *pcleanup = pmeth->cleanup;
-}
-
-void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth,
-                                int (**pparamgen_init) (EVP_PKEY_CTX *ctx),
-                                int (**pparamgen) (EVP_PKEY_CTX *ctx,
-                                                   EVP_PKEY *pkey))
-{
-    if (pparamgen_init)
-        *pparamgen_init = pmeth->paramgen_init;
-    if (pparamgen)
-        *pparamgen = pmeth->paramgen;
-}
-
-void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
-                              int (**pkeygen_init) (EVP_PKEY_CTX *ctx),
-                              int (**pkeygen) (EVP_PKEY_CTX *ctx,
-                                               EVP_PKEY *pkey))
-{
-    if (pkeygen_init)
-        *pkeygen_init = pmeth->keygen_init;
-    if (pkeygen)
-        *pkeygen = pmeth->keygen;
-}
-
-void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
-                            int (**psign_init) (EVP_PKEY_CTX *ctx),
-                            int (**psign) (EVP_PKEY_CTX *ctx,
-                                           unsigned char *sig, size_t *siglen,
-                                           const unsigned char *tbs,
-                                           size_t tbslen))
-{
-    if (psign_init)
-        *psign_init = pmeth->sign_init;
-    if (psign)
-        *psign = pmeth->sign;
-}
-
-void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth,
-                              int (**pverify_init) (EVP_PKEY_CTX *ctx),
-                              int (**pverify) (EVP_PKEY_CTX *ctx,
-                                               const unsigned char *sig,
-                                               size_t siglen,
-                                               const unsigned char *tbs,
-                                               size_t tbslen))
-{
-    if (pverify_init)
-        *pverify_init = pmeth->verify_init;
-    if (pverify)
-        *pverify = pmeth->verify;
-}
-
-void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth,
-                                      int (**pverify_recover_init) (EVP_PKEY_CTX
-                                                                    *ctx),
-                                      int (**pverify_recover) (EVP_PKEY_CTX
-                                                               *ctx,
-                                                               unsigned char
-                                                               *sig,
-                                                               size_t *siglen,
-                                                               const unsigned
-                                                               char *tbs,
-                                                               size_t tbslen))
-{
-    if (pverify_recover_init)
-        *pverify_recover_init = pmeth->verify_recover_init;
-    if (pverify_recover)
-        *pverify_recover = pmeth->verify_recover;
-}
-
-void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth,
-                               int (**psignctx_init) (EVP_PKEY_CTX *ctx,
-                                                      EVP_MD_CTX *mctx),
-                               int (**psignctx) (EVP_PKEY_CTX *ctx,
-                                                 unsigned char *sig,
-                                                 size_t *siglen,
-                                                 EVP_MD_CTX *mctx))
-{
-    if (psignctx_init)
-        *psignctx_init = pmeth->signctx_init;
-    if (psignctx)
-        *psignctx = pmeth->signctx;
-}
-
-void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth,
-                                 int (**pverifyctx_init) (EVP_PKEY_CTX *ctx,
-                                                          EVP_MD_CTX *mctx),
-                                 int (**pverifyctx) (EVP_PKEY_CTX *ctx,
-                                                     const unsigned char *sig,
-                                                     int siglen,
-                                                     EVP_MD_CTX *mctx))
-{
-    if (pverifyctx_init)
-        *pverifyctx_init = pmeth->verifyctx_init;
-    if (pverifyctx)
-        *pverifyctx = pmeth->verifyctx;
-}
-
-void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth,
-                               int (**pencrypt_init) (EVP_PKEY_CTX *ctx),
-                               int (**pencryptfn) (EVP_PKEY_CTX *ctx,
-                                                   unsigned char *out,
-                                                   size_t *outlen,
-                                                   const unsigned char *in,
-                                                   size_t inlen))
-{
-    if (pencrypt_init)
-        *pencrypt_init = pmeth->encrypt_init;
-    if (pencryptfn)
-        *pencryptfn = pmeth->encrypt;
-}
-
-void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
-                               int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
-                               int (**pdecrypt) (EVP_PKEY_CTX *ctx,
-                                                 unsigned char *out,
-                                                 size_t *outlen,
-                                                 const unsigned char *in,
-                                                 size_t inlen))
-{
-    if (pdecrypt_init)
-        *pdecrypt_init = pmeth->decrypt_init;
-    if (pdecrypt)
-        *pdecrypt = pmeth->decrypt;
-}
-
-void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
-                              int (**pderive_init) (EVP_PKEY_CTX *ctx),
-                              int (**pderive) (EVP_PKEY_CTX *ctx,
-                                               unsigned char *key,
-                                               size_t *keylen))
-{
-    if (pderive_init)
-        *pderive_init = pmeth->derive_init;
-    if (pderive)
-        *pderive = pmeth->derive;
-}
-
-void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth,
-                            int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
-                                           void *p2),
-                            int (**pctrl_str) (EVP_PKEY_CTX *ctx,
-                                               const char *type,
-                                               const char *value))
-{
-    if (pctrl)
-        *pctrl = pmeth->ctrl;
-    if (pctrl_str)
-        *pctrl_str = pmeth->ctrl_str;
-}
diff --git a/Cryptlib/OpenSSL/crypto/evp/scrypt.c b/Cryptlib/OpenSSL/crypto/evp/scrypt.c
deleted file mode 100644
index 101bb1ed..00000000
--- a/Cryptlib/OpenSSL/crypto/evp/scrypt.c
+++ /dev/null
@@ -1,248 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stddef.h>
-#include <stdio.h>
-#include <string.h>
-#include <openssl/evp.h>
-#include <openssl/err.h>
-#include <internal/numbers.h>
-
-#ifndef OPENSSL_NO_SCRYPT
-
-#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
-static void salsa208_word_specification(uint32_t inout[16])
-{
-    int i;
-    uint32_t x[16];
-    memcpy(x, inout, sizeof(x));
-    for (i = 8; i > 0; i -= 2) {
-        x[4] ^= R(x[0] + x[12], 7);
-        x[8] ^= R(x[4] + x[0], 9);
-        x[12] ^= R(x[8] + x[4], 13);
-        x[0] ^= R(x[12] + x[8], 18);
-        x[9] ^= R(x[5] + x[1], 7);
-        x[13] ^= R(x[9] + x[5], 9);
-        x[1] ^= R(x[13] + x[9], 13);
-        x[5] ^= R(x[1] + x[13], 18);
-        x[14] ^= R(x[10] + x[6], 7);
-        x[2] ^= R(x[14] + x[10], 9);
-        x[6] ^= R(x[2] + x[14], 13);
-        x[10] ^= R(x[6] + x[2], 18);
-        x[3] ^= R(x[15] + x[11], 7);
-        x[7] ^= R(x[3] + x[15], 9);
-        x[11] ^= R(x[7] + x[3], 13);
-        x[15] ^= R(x[11] + x[7], 18);
-        x[1] ^= R(x[0] + x[3], 7);
-        x[2] ^= R(x[1] + x[0], 9);
-        x[3] ^= R(x[2] + x[1], 13);
-        x[0] ^= R(x[3] + x[2], 18);
-        x[6] ^= R(x[5] + x[4], 7);
-        x[7] ^= R(x[6] + x[5], 9);
-        x[4] ^= R(x[7] + x[6], 13);
-        x[5] ^= R(x[4] + x[7], 18);
-        x[11] ^= R(x[10] + x[9], 7);
-        x[8] ^= R(x[11] + x[10], 9);
-        x[9] ^= R(x[8] + x[11], 13);
-        x[10] ^= R(x[9] + x[8], 18);
-        x[12] ^= R(x[15] + x[14], 7);
-        x[13] ^= R(x[12] + x[15], 9);
-        x[14] ^= R(x[13] + x[12], 13);
-        x[15] ^= R(x[14] + x[13], 18);
-    }
-    for (i = 0; i < 16; ++i)
-        inout[i] += x[i];
-    OPENSSL_cleanse(x, sizeof(x));
-}
-
-static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
-{
-    uint64_t i, j;
-    uint32_t X[16], *pB;
-
-    memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
-    pB = B;
-    for (i = 0; i < r * 2; i++) {
-        for (j = 0; j < 16; j++)
-            X[j] ^= *pB++;
-        salsa208_word_specification(X);
-        memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
-    }
-    OPENSSL_cleanse(X, sizeof(X));
-}
-
-static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
-                        uint32_t *X, uint32_t *T, uint32_t *V)
-{
-    unsigned char *pB;
-    uint32_t *pV;
-    uint64_t i, k;
-
-    /* Convert from little endian input */
-    for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
-        *pV = *pB++;
-        *pV |= *pB++ << 8;
-        *pV |= *pB++ << 16;
-        *pV |= (uint32_t)*pB++ << 24;
-    }
-
-    for (i = 1; i < N; i++, pV += 32 * r)
-        scryptBlockMix(pV, pV - 32 * r, r);
-
-    scryptBlockMix(X, V + (N - 1) * 32 * r, r);
-
-    for (i = 0; i < N; i++) {
-        uint32_t j;
-        j = X[16 * (2 * r - 1)] % N;
-        pV = V + 32 * r * j;
-        for (k = 0; k < 32 * r; k++)
-            T[k] = X[k] ^ *pV++;
-        scryptBlockMix(X, T, r);
-    }
-    /* Convert output to little endian */
-    for (i = 0, pB = B; i < 32 * r; i++) {
-        uint32_t xtmp = X[i];
-        *pB++ = xtmp & 0xff;
-        *pB++ = (xtmp >> 8) & 0xff;
-        *pB++ = (xtmp >> 16) & 0xff;
-        *pB++ = (xtmp >> 24) & 0xff;
-    }
-}
-
-#ifndef SIZE_MAX
-# define SIZE_MAX    ((size_t)-1)
-#endif
-
-/*
- * Maximum power of two that will fit in uint64_t: this should work on
- * most (all?) platforms.
- */
-
-#define LOG2_UINT64_MAX         (sizeof(uint64_t) * 8 - 1)
-
-/*
- * Maximum value of p * r:
- * p <= ((2^32-1) * hLen) / MFLen =>
- * p <= ((2^32-1) * 32) / (128 * r) =>
- * p * r <= (2^30-1)
- *
- */
-
-#define SCRYPT_PR_MAX   ((1 << 30) - 1)
-
-/*
- * Maximum permitted memory allow this to be overridden with Configuration
- * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible.
- */
-
-#ifdef SCRYPT_MAX_MEM
-# if SCRYPT_MAX_MEM == 0
-#  undef SCRYPT_MAX_MEM
-/*
- * Although we could theoretically allocate SIZE_MAX memory that would leave
- * no memory available for anything else so set limit as half that.
- */
-#  define SCRYPT_MAX_MEM (SIZE_MAX/2)
-# endif
-#else
-/* Default memory limit: 32 MB */
-# define SCRYPT_MAX_MEM  (1024 * 1024 * 32)
-#endif
-
-int EVP_PBE_scrypt(const char *pass, size_t passlen,
-                   const unsigned char *salt, size_t saltlen,
-                   uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
-                   unsigned char *key, size_t keylen)
-{
-    int rv = 0;
-    unsigned char *B;
-    uint32_t *X, *V, *T;
-    uint64_t i, Blen, Vlen;
-    size_t allocsize;
-
-    /* Sanity check parameters */
-    /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
-    if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
-        return 0;
-    /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
-    if (p > SCRYPT_PR_MAX / r)
-        return 0;
-
-    /*
-     * Need to check N: if 2^(128 * r / 8) overflows limit this is
-     * automatically satisfied since N <= UINT64_MAX.
-     */
-
-    if (16 * r <= LOG2_UINT64_MAX) {
-        if (N >= (((uint64_t)1) << (16 * r)))
-            return 0;
-    }
-
-    /* Memory checks: check total allocated buffer size fits in uint64_t */
-
-    /*
-     * B size in section 5 step 1.S
-     * Note: we know p * 128 * r < UINT64_MAX because we already checked
-     * p * r < SCRYPT_PR_MAX
-     */
-    Blen = p * 128 * r;
-
-    /*
-     * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in
-     * uint64_t and also size_t (their sizes are unrelated).
-     * This is combined size V, X and T (section 4)
-     */
-    i = UINT64_MAX / (32 * sizeof(uint32_t));
-    if (N + 2 > i / r)
-        return 0;
-    Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
-
-    /* check total allocated size fits in uint64_t */
-    if (Blen > UINT64_MAX - Vlen)
-        return 0;
-    /* check total allocated size fits in size_t */
-    if (Blen > SIZE_MAX - Vlen)
-        return 0;
-
-    allocsize = (size_t)(Blen + Vlen);
-
-    if (maxmem == 0)
-        maxmem = SCRYPT_MAX_MEM;
-
-    if (allocsize > maxmem) {
-        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
-        return 0;
-    }
-
-    /* If no key return to indicate parameters are OK */
-    if (key == NULL)
-        return 1;
-
-    B = OPENSSL_malloc(allocsize);
-    if (B == NULL)
-        return 0;
-    X = (uint32_t *)(B + Blen);
-    T = X + 32 * r;
-    V = T + 32 * r;
-    if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
-                          Blen, B) == 0)
-        goto err;
-
-    for (i = 0; i < p; i++)
-        scryptROMix(B + 128 * r * i, r, N, X, T, V);
-
-    if (PKCS5_PBKDF2_HMAC(pass, passlen, B, Blen, 1, EVP_sha256(),
-                          keylen, key) == 0)
-        goto err;
-    rv = 1;
- err:
-    OPENSSL_clear_free(B, allocsize);
-    return rv;
-}
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/ex_data.c b/Cryptlib/OpenSSL/crypto/ex_data.c
index 84b65551..f96a5178 100644
--- a/Cryptlib/OpenSSL/crypto/ex_data.c
+++ b/Cryptlib/OpenSSL/crypto/ex_data.c
@@ -1,237 +1,441 @@
+/* crypto/ex_data.c */
+
 /*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Overhaul notes;
+ *
+ * This code is now *mostly* thread-safe. It is now easier to understand in what
+ * ways it is safe and in what ways it is not, which is an improvement. Firstly,
+ * all per-class stacks and index-counters for ex_data are stored in the same
+ * global LHASH table (keyed by class). This hash table uses locking for all
+ * access with the exception of CRYPTO_cleanup_all_ex_data(), which must only be
+ * called when no other threads can possibly race against it (even if it was
+ * locked, the race would mean it's possible the hash table might have been
+ * recreated after the cleanup). As classes can only be added to the hash table,
+ * and within each class, the stack of methods can only be incremented, the
+ * locking mechanics are simpler than they would otherwise be. For example, the
+ * new/dup/free ex_data functions will lock the hash table, copy the method
+ * pointers it needs from the relevant class, then unlock the hash table before
+ * actually applying those method pointers to the task of the new/dup/free
+ * operations. As they can't be removed from the method-stack, only
+ * supplemented, there's no race conditions associated with using them outside
+ * the lock. The get/set_ex_data functions are not locked because they do not
+ * involve this global state at all - they operate directly with a previously
+ * obtained per-class method index and a particular "ex_data" variable. These
+ * variables are usually instantiated per-context (eg. each RSA structure has
+ * one) so locking on read/write access to that variable can be locked locally
+ * if required (eg. using the "RSA" lock to synchronise access to a
+ * per-RSA-structure ex_data variable if required).
+ * [Geoff]
+ */
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib_int.h"
-#include "internal/thread_once.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 
+/* What an "implementation of ex_data functionality" looks like */
+struct st_CRYPTO_EX_DATA_IMPL {
+        /*********************/
+    /* GLOBAL OPERATIONS */
+    /* Return a new class index */
+    int (*cb_new_class) (void);
+    /* Cleanup all state used by the implementation */
+    void (*cb_cleanup) (void);
+        /************************/
+    /* PER-CLASS OPERATIONS */
+    /* Get a new method index within a class */
+    int (*cb_get_new_index) (int class_index, long argl, void *argp,
+                             CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                             CRYPTO_EX_free *free_func);
+    /* Initialise a new CRYPTO_EX_DATA of a given class */
+    int (*cb_new_ex_data) (int class_index, void *obj, CRYPTO_EX_DATA *ad);
+    /* Duplicate a CRYPTO_EX_DATA of a given class onto a copy */
+    int (*cb_dup_ex_data) (int class_index, CRYPTO_EX_DATA *to,
+                           CRYPTO_EX_DATA *from);
+    /* Cleanup a CRYPTO_EX_DATA of a given class */
+    void (*cb_free_ex_data) (int class_index, void *obj, CRYPTO_EX_DATA *ad);
+};
+
+/* The implementation we use at run-time */
+static const CRYPTO_EX_DATA_IMPL *impl = NULL;
+
 /*
- * Each structure type (sometimes called a class), that supports
- * exdata has a stack of callbacks for each instance.
+ * To call "impl" functions, use this macro rather than referring to 'impl'
+ * directly, eg. EX_IMPL(get_new_index)(...);
  */
-struct ex_callback_st {
-    long argl;                  /* Arbitrary long */
-    void *argp;                 /* Arbitrary void * */
-    CRYPTO_EX_new *new_func;
-    CRYPTO_EX_free *free_func;
-    CRYPTO_EX_dup *dup_func;
+#define EX_IMPL(a) impl->cb_##a
+
+/* Predeclare the "default" ex_data implementation */
+static int int_new_class(void);
+static void int_cleanup(void);
+static int int_get_new_index(int class_index, long argl, void *argp,
+                             CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                             CRYPTO_EX_free *free_func);
+static int int_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad);
+static int int_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
+                           CRYPTO_EX_DATA *from);
+static void int_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad);
+static CRYPTO_EX_DATA_IMPL impl_default = {
+    int_new_class,
+    int_cleanup,
+    int_get_new_index,
+    int_new_ex_data,
+    int_dup_ex_data,
+    int_free_ex_data
 };
 
 /*
- * The state for each class.  This could just be a typedef, but
- * a structure allows future changes.
+ * Internal function that checks whether "impl" is set and if not, sets it to
+ * the default.
  */
-typedef struct ex_callbacks_st {
-    STACK_OF(EX_CALLBACK) *meth;
-} EX_CALLBACKS;
+static void impl_check(void)
+{
+    CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+    if (!impl)
+        impl = &impl_default;
+    CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+}
 
-static EX_CALLBACKS ex_data[CRYPTO_EX_INDEX__COUNT];
+/*
+ * A macro wrapper for impl_check that first uses a non-locked test before
+ * invoking the function (which checks again inside a lock).
+ */
+#define IMPL_CHECK if(!impl) impl_check();
 
-static CRYPTO_RWLOCK *ex_data_lock = NULL;
-static CRYPTO_ONCE ex_data_init = CRYPTO_ONCE_STATIC_INIT;
+/* API functions to get/set the "ex_data" implementation */
+const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(void)
+{
+    IMPL_CHECK return impl;
+}
 
-DEFINE_RUN_ONCE_STATIC(do_ex_data_init)
+int CRYPTO_set_ex_data_implementation(const CRYPTO_EX_DATA_IMPL *i)
 {
-    OPENSSL_init_crypto(0, NULL);
-    ex_data_lock = CRYPTO_THREAD_lock_new();
-    return ex_data_lock != NULL;
+    int toret = 0;
+    CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+    if (!impl) {
+        impl = i;
+        toret = 1;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+    return toret;
 }
 
+/****************************************************************************/
 /*
- * Return the EX_CALLBACKS from the |ex_data| array that corresponds to
- * a given class.  On success, *holds the lock.*
+ * Interal (default) implementation of "ex_data" support. API functions are
+ * further down.
  */
-static EX_CALLBACKS *get_and_lock(int class_index)
-{
-    EX_CALLBACKS *ip;
 
-    if (class_index < 0 || class_index >= CRYPTO_EX_INDEX__COUNT) {
-        CRYPTOerr(CRYPTO_F_GET_AND_LOCK, ERR_R_PASSED_INVALID_ARGUMENT);
-        return NULL;
-    }
+/*
+ * The type that represents what each "class" used to implement locally. A
+ * STACK of CRYPTO_EX_DATA_FUNCS plus a index-counter. The 'class_index' is
+ * the global value representing the class that is used to distinguish these
+ * items.
+ */
+typedef struct st_ex_class_item {
+    int class_index;
+    STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth;
+    int meth_num;
+} EX_CLASS_ITEM;
 
-    if (!RUN_ONCE(&ex_data_init, do_ex_data_init)) {
-        CRYPTOerr(CRYPTO_F_GET_AND_LOCK, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
+/* When assigning new class indexes, this is our counter */
+static int ex_class = CRYPTO_EX_INDEX_USER;
 
-    if (ex_data_lock == NULL) {
-        /*
-         * This can happen in normal operation when using CRYPTO_mem_leaks().
-         * The CRYPTO_mem_leaks() function calls OPENSSL_cleanup() which cleans
-         * up the locks. Subsequently the BIO that CRYPTO_mem_leaks() uses gets
-         * freed, which also attempts to free the ex_data. However
-         * CRYPTO_mem_leaks() ensures that the ex_data is freed early (i.e.
-         * before OPENSSL_cleanup() is called), so if we get here we can safely
-         * ignore this operation. We just treat it as an error.
-         */
-         return NULL;
-    }
+/* The global hash table of EX_CLASS_ITEM items */
+DECLARE_LHASH_OF(EX_CLASS_ITEM);
+static LHASH_OF(EX_CLASS_ITEM) *ex_data = NULL;
 
-    ip = &ex_data[class_index];
-    CRYPTO_THREAD_write_lock(ex_data_lock);
-    return ip;
+/* The callbacks required in the "ex_data" hash table */
+static unsigned long ex_class_item_hash(const EX_CLASS_ITEM *a)
+{
+    return a->class_index;
 }
 
-static void cleanup_cb(EX_CALLBACK *funcs)
+static IMPLEMENT_LHASH_HASH_FN(ex_class_item, EX_CLASS_ITEM)
+
+static int ex_class_item_cmp(const EX_CLASS_ITEM *a, const EX_CLASS_ITEM *b)
 {
-    OPENSSL_free(funcs);
+    return a->class_index - b->class_index;
 }
 
+static IMPLEMENT_LHASH_COMP_FN(ex_class_item, EX_CLASS_ITEM)
+
 /*
- * Release all "ex_data" state to prevent memory leaks. This can't be made
- * thread-safe without overhauling a lot of stuff, and shouldn't really be
- * called under potential race-conditions anyway (it's for program shutdown
- * after all).
+ * Internal functions used by the "impl_default" implementation to access the
+ * state
  */
-void crypto_cleanup_all_ex_data_int(void)
+static int ex_data_check(void)
 {
-    int i;
-
-    for (i = 0; i < CRYPTO_EX_INDEX__COUNT; ++i) {
-        EX_CALLBACKS *ip = &ex_data[i];
-
-        sk_EX_CALLBACK_pop_free(ip->meth, cleanup_cb);
-        ip->meth = NULL;
-    }
-
-    CRYPTO_THREAD_lock_free(ex_data_lock);
-    ex_data_lock = NULL;
+    int toret = 1;
+    CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+    if (!ex_data && (ex_data = lh_EX_CLASS_ITEM_new()) == NULL)
+        toret = 0;
+    CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+    return toret;
 }
 
-
 /*
- * Unregister a new index by replacing the callbacks with no-ops.
- * Any in-use instances are leaked.
+ * This macros helps reduce the locking from repeated checks because the
+ * ex_data_check() function checks ex_data again inside a lock.
  */
-static void dummy_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx,
-                     long argl, void *argp)
-{
-}
+#define EX_DATA_CHECK(iffail) if(!ex_data && !ex_data_check()) {iffail}
 
-static void dummy_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx,
-                       long argl, void *argp)
+/* This "inner" callback is used by the callback function that follows it */
+static void def_cleanup_util_cb(CRYPTO_EX_DATA_FUNCS *funcs)
 {
+    OPENSSL_free(funcs);
 }
 
-static int dummy_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
-                     void *from_d, int idx,
-                     long argl, void *argp)
+/*
+ * This callback is used in lh_doall to destroy all EX_CLASS_ITEM values from
+ * "ex_data" prior to the ex_data hash table being itself destroyed. Doesn't
+ * do any locking.
+ */
+static void def_cleanup_cb(void *a_void)
 {
-    return 0;
+    EX_CLASS_ITEM *item = (EX_CLASS_ITEM *)a_void;
+    sk_CRYPTO_EX_DATA_FUNCS_pop_free(item->meth, def_cleanup_util_cb);
+    OPENSSL_free(item);
 }
 
-int CRYPTO_free_ex_index(int class_index, int idx)
+/*
+ * Return the EX_CLASS_ITEM from the "ex_data" hash table that corresponds to
+ * a given class. Handles locking.
+ */
+static EX_CLASS_ITEM *def_get_class(int class_index)
 {
-    EX_CALLBACKS *ip = get_and_lock(class_index);
-    EX_CALLBACK *a;
-    int toret = 0;
-
-    if (ip == NULL)
-        return 0;
-    if (idx < 0 || idx >= sk_EX_CALLBACK_num(ip->meth))
-        goto err;
-    a = sk_EX_CALLBACK_value(ip->meth, idx);
-    if (a == NULL)
-        goto err;
-    a->new_func = dummy_new;
-    a->dup_func = dummy_dup;
-    a->free_func = dummy_free;
-    toret = 1;
-err:
-    CRYPTO_THREAD_unlock(ex_data_lock);
-    return toret;
+    EX_CLASS_ITEM d, *p, *gen;
+    EX_DATA_CHECK(return NULL;)
+        d.class_index = class_index;
+    CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+    p = lh_EX_CLASS_ITEM_retrieve(ex_data, &d);
+    if (!p) {
+        gen = OPENSSL_malloc(sizeof(EX_CLASS_ITEM));
+        if (gen) {
+            gen->class_index = class_index;
+            gen->meth_num = 0;
+            gen->meth = sk_CRYPTO_EX_DATA_FUNCS_new_null();
+            if (!gen->meth)
+                OPENSSL_free(gen);
+            else {
+                /*
+                 * Because we're inside the ex_data lock, the return value
+                 * from the insert will be NULL
+                 */
+                (void)lh_EX_CLASS_ITEM_insert(ex_data, gen);
+                p = gen;
+            }
+        }
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+    if (!p)
+        CRYPTOerr(CRYPTO_F_DEF_GET_CLASS, ERR_R_MALLOC_FAILURE);
+    return p;
 }
 
 /*
- * Register a new index.
+ * Add a new method to the given EX_CLASS_ITEM and return the corresponding
+ * index (or -1 for error). Handles locking.
  */
-int CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
-                            CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
-                            CRYPTO_EX_free *free_func)
+static int def_add_index(EX_CLASS_ITEM *item, long argl, void *argp,
+                         CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                         CRYPTO_EX_free *free_func)
 {
     int toret = -1;
-    EX_CALLBACK *a;
-    EX_CALLBACKS *ip = get_and_lock(class_index);
-
-    if (ip == NULL)
+    CRYPTO_EX_DATA_FUNCS *a =
+        (CRYPTO_EX_DATA_FUNCS *)OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
+    if (!a) {
+        CRYPTOerr(CRYPTO_F_DEF_ADD_INDEX, ERR_R_MALLOC_FAILURE);
         return -1;
-
-    if (ip->meth == NULL) {
-        ip->meth = sk_EX_CALLBACK_new_null();
-        /* We push an initial value on the stack because the SSL
-         * "app_data" routines use ex_data index zero.  See RT 3710. */
-        if (ip->meth == NULL
-            || !sk_EX_CALLBACK_push(ip->meth, NULL)) {
-            CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-    }
-
-    a = (EX_CALLBACK *)OPENSSL_malloc(sizeof(*a));
-    if (a == NULL) {
-        CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX, ERR_R_MALLOC_FAILURE);
-        goto err;
     }
     a->argl = argl;
     a->argp = argp;
     a->new_func = new_func;
     a->dup_func = dup_func;
     a->free_func = free_func;
-
-    if (!sk_EX_CALLBACK_push(ip->meth, NULL)) {
-        CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(a);
-        goto err;
+    CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+    while (sk_CRYPTO_EX_DATA_FUNCS_num(item->meth) <= item->meth_num) {
+        if (!sk_CRYPTO_EX_DATA_FUNCS_push(item->meth, NULL)) {
+            CRYPTOerr(CRYPTO_F_DEF_ADD_INDEX, ERR_R_MALLOC_FAILURE);
+            OPENSSL_free(a);
+            goto err;
+        }
     }
-    toret = sk_EX_CALLBACK_num(ip->meth) - 1;
-    (void)sk_EX_CALLBACK_set(ip->meth, toret, a);
-
+    toret = item->meth_num++;
+    (void)sk_CRYPTO_EX_DATA_FUNCS_set(item->meth, toret, a);
  err:
-    CRYPTO_THREAD_unlock(ex_data_lock);
+    CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+    return toret;
+}
+
+/**************************************************************/
+/* The functions in the default CRYPTO_EX_DATA_IMPL structure */
+
+static int int_new_class(void)
+{
+    int toret;
+    CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+    toret = ex_class++;
+    CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
     return toret;
 }
 
+static void int_cleanup(void)
+{
+    EX_DATA_CHECK(return;)
+        lh_EX_CLASS_ITEM_doall(ex_data, def_cleanup_cb);
+    lh_EX_CLASS_ITEM_free(ex_data);
+    ex_data = NULL;
+    impl = NULL;
+}
+
+static int int_get_new_index(int class_index, long argl, void *argp,
+                             CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                             CRYPTO_EX_free *free_func)
+{
+    EX_CLASS_ITEM *item = def_get_class(class_index);
+    if (!item)
+        return -1;
+    return def_add_index(item, argl, argp, new_func, dup_func, free_func);
+}
+
 /*
- * Initialise a new CRYPTO_EX_DATA for use in a particular class - including
- * calling new() callbacks for each index in the class used by this variable
- * Thread-safe by copying a class's array of "EX_CALLBACK" entries
- * in the lock, then using them outside the lock. Note this only applies
- * to the global "ex_data" state (ie. class definitions), not 'ad' itself.
+ * Thread-safe by copying a class's array of "CRYPTO_EX_DATA_FUNCS" entries
+ * in the lock, then using them outside the lock. NB: Thread-safety only
+ * applies to the global "ex_data" state (ie. class definitions), not
+ * thread-safe on 'ad' itself.
  */
-int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
+static int int_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
 {
     int mx, i;
     void *ptr;
-    EX_CALLBACK **storage = NULL;
-    EX_CALLBACK *stack[10];
-    EX_CALLBACKS *ip = get_and_lock(class_index);
-
-    if (ip == NULL)
+    CRYPTO_EX_DATA_FUNCS **storage = NULL;
+    EX_CLASS_ITEM *item = def_get_class(class_index);
+    if (!item)
+        /* error is already set */
         return 0;
-
     ad->sk = NULL;
-
-    mx = sk_EX_CALLBACK_num(ip->meth);
+    CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
+    mx = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
     if (mx > 0) {
-        if (mx < (int)OSSL_NELEM(stack))
-            storage = stack;
-        else
-            storage = OPENSSL_malloc(sizeof(*storage) * mx);
-        if (storage != NULL)
-            for (i = 0; i < mx; i++)
-                storage[i] = sk_EX_CALLBACK_value(ip->meth, i);
+        storage = OPENSSL_malloc(mx * sizeof(CRYPTO_EX_DATA_FUNCS *));
+        if (!storage)
+            goto skip;
+        for (i = 0; i < mx; i++)
+            storage[i] = sk_CRYPTO_EX_DATA_FUNCS_value(item->meth, i);
     }
-    CRYPTO_THREAD_unlock(ex_data_lock);
-
-    if (mx > 0 && storage == NULL) {
-        CRYPTOerr(CRYPTO_F_CRYPTO_NEW_EX_DATA, ERR_R_MALLOC_FAILURE);
+ skip:
+    CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
+    if ((mx > 0) && !storage) {
+        CRYPTOerr(CRYPTO_F_INT_NEW_EX_DATA, ERR_R_MALLOC_FAILURE);
         return 0;
     }
     for (i = 0; i < mx; i++) {
@@ -241,50 +445,42 @@ int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
                                  storage[i]->argl, storage[i]->argp);
         }
     }
-    if (storage != stack)
+    if (storage)
         OPENSSL_free(storage);
     return 1;
 }
 
-/*
- * Duplicate a CRYPTO_EX_DATA variable - including calling dup() callbacks
- * for each index in the class used by this variable
- */
-int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
-                       const CRYPTO_EX_DATA *from)
+/* Same thread-safety notes as for "int_new_ex_data" */
+static int int_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
+                           CRYPTO_EX_DATA *from)
 {
     int mx, j, i;
     char *ptr;
-    EX_CALLBACK *stack[10];
-    EX_CALLBACK **storage = NULL;
-    EX_CALLBACKS *ip;
-
-    if (from->sk == NULL)
-        /* Nothing to copy over */
+    CRYPTO_EX_DATA_FUNCS **storage = NULL;
+    EX_CLASS_ITEM *item;
+    if (!from->sk)
+        /* 'to' should be "blank" which *is* just like 'from' */
         return 1;
-    if ((ip = get_and_lock(class_index)) == NULL)
+    if ((item = def_get_class(class_index)) == NULL)
         return 0;
-
-    mx = sk_EX_CALLBACK_num(ip->meth);
+    CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
+    mx = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
     j = sk_void_num(from->sk);
     if (j < mx)
         mx = j;
     if (mx > 0) {
-        if (mx < (int)OSSL_NELEM(stack))
-            storage = stack;
-        else
-            storage = OPENSSL_malloc(sizeof(*storage) * mx);
-        if (storage != NULL)
-            for (i = 0; i < mx; i++)
-                storage[i] = sk_EX_CALLBACK_value(ip->meth, i);
+        storage = OPENSSL_malloc(mx * sizeof(CRYPTO_EX_DATA_FUNCS *));
+        if (!storage)
+            goto skip;
+        for (i = 0; i < mx; i++)
+            storage[i] = sk_CRYPTO_EX_DATA_FUNCS_value(item->meth, i);
     }
-    CRYPTO_THREAD_unlock(ex_data_lock);
-
-    if (mx > 0 && storage == NULL) {
-        CRYPTOerr(CRYPTO_F_CRYPTO_DUP_EX_DATA, ERR_R_MALLOC_FAILURE);
+ skip:
+    CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
+    if ((mx > 0) && !storage) {
+        CRYPTOerr(CRYPTO_F_INT_DUP_EX_DATA, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-
     for (i = 0; i < mx; i++) {
         ptr = CRYPTO_get_ex_data(from, i);
         if (storage[i] && storage[i]->dup_func)
@@ -292,59 +488,118 @@ int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
                                  storage[i]->argl, storage[i]->argp);
         CRYPTO_set_ex_data(to, i, ptr);
     }
-    if (storage != stack)
+    if (storage)
         OPENSSL_free(storage);
     return 1;
 }
 
-
-/*
- * Cleanup a CRYPTO_EX_DATA variable - including calling free() callbacks for
- * each index in the class used by this variable
- */
-void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
+/* Same thread-safety notes as for "int_new_ex_data" */
+static void int_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
 {
     int mx, i;
-    EX_CALLBACKS *ip;
+    EX_CLASS_ITEM *item;
     void *ptr;
-    EX_CALLBACK *f;
-    EX_CALLBACK *stack[10];
-    EX_CALLBACK **storage = NULL;
-
-    if ((ip = get_and_lock(class_index)) == NULL)
-        goto err;
-
-    mx = sk_EX_CALLBACK_num(ip->meth);
+    CRYPTO_EX_DATA_FUNCS **storage = NULL;
+    if (ex_data == NULL)
+        return;
+    if ((item = def_get_class(class_index)) == NULL)
+        return;
+    CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
+    mx = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
     if (mx > 0) {
-        if (mx < (int)OSSL_NELEM(stack))
-            storage = stack;
-        else
-            storage = OPENSSL_malloc(sizeof(*storage) * mx);
-        if (storage != NULL)
-            for (i = 0; i < mx; i++)
-                storage[i] = sk_EX_CALLBACK_value(ip->meth, i);
+        storage = OPENSSL_malloc(mx * sizeof(CRYPTO_EX_DATA_FUNCS *));
+        if (!storage)
+            goto skip;
+        for (i = 0; i < mx; i++)
+            storage[i] = sk_CRYPTO_EX_DATA_FUNCS_value(item->meth, i);
+    }
+ skip:
+    CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
+    if ((mx > 0) && !storage) {
+        CRYPTOerr(CRYPTO_F_INT_FREE_EX_DATA, ERR_R_MALLOC_FAILURE);
+        return;
     }
-    CRYPTO_THREAD_unlock(ex_data_lock);
-
     for (i = 0; i < mx; i++) {
-        if (storage != NULL)
-            f = storage[i];
-        else {
-            CRYPTO_THREAD_write_lock(ex_data_lock);
-            f = sk_EX_CALLBACK_value(ip->meth, i);
-            CRYPTO_THREAD_unlock(ex_data_lock);
-        }
-        if (f != NULL && f->free_func != NULL) {
+        if (storage[i] && storage[i]->free_func) {
             ptr = CRYPTO_get_ex_data(ad, i);
-            f->free_func(obj, ptr, ad, i, f->argl, f->argp);
+            storage[i]->free_func(obj, ptr, ad, i,
+                                  storage[i]->argl, storage[i]->argp);
         }
     }
-
-    if (storage != stack)
+    if (storage)
         OPENSSL_free(storage);
- err:
-    sk_void_free(ad->sk);
-    ad->sk = NULL;
+    if (ad->sk) {
+        sk_void_free(ad->sk);
+        ad->sk = NULL;
+    }
+}
+
+/********************************************************************/
+/*
+ * API functions that defer all "state" operations to the "ex_data"
+ * implementation we have set.
+ */
+
+/*
+ * Obtain an index for a new class (not the same as getting a new index
+ * within an existing class - this is actually getting a new *class*)
+ */
+int CRYPTO_ex_data_new_class(void)
+{
+    IMPL_CHECK return EX_IMPL(new_class) ();
+}
+
+/*
+ * Release all "ex_data" state to prevent memory leaks. This can't be made
+ * thread-safe without overhauling a lot of stuff, and shouldn't really be
+ * called under potential race-conditions anyway (it's for program shutdown
+ * after all).
+ */
+void CRYPTO_cleanup_all_ex_data(void)
+{
+    IMPL_CHECK EX_IMPL(cleanup) ();
+}
+
+/* Inside an existing class, get/register a new index. */
+int CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
+                            CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                            CRYPTO_EX_free *free_func)
+{
+    int ret = -1;
+
+    IMPL_CHECK
+        ret = EX_IMPL(get_new_index) (class_index,
+                                      argl, argp, new_func, dup_func,
+                                      free_func);
+    return ret;
+}
+
+/*
+ * Initialise a new CRYPTO_EX_DATA for use in a particular class - including
+ * calling new() callbacks for each index in the class used by this variable
+ */
+int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
+{
+    IMPL_CHECK return EX_IMPL(new_ex_data) (class_index, obj, ad);
+}
+
+/*
+ * Duplicate a CRYPTO_EX_DATA variable - including calling dup() callbacks
+ * for each index in the class used by this variable
+ */
+int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
+                       CRYPTO_EX_DATA *from)
+{
+    IMPL_CHECK return EX_IMPL(dup_ex_data) (class_index, to, from);
+}
+
+/*
+ * Cleanup a CRYPTO_EX_DATA variable - including calling free() callbacks for
+ * each index in the class used by this variable
+ */
+void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
+{
+    IMPL_CHECK EX_IMPL(free_ex_data) (class_index, obj, ad);
 }
 
 /*
@@ -358,18 +613,20 @@ int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
     if (ad->sk == NULL) {
         if ((ad->sk = sk_void_new_null()) == NULL) {
             CRYPTOerr(CRYPTO_F_CRYPTO_SET_EX_DATA, ERR_R_MALLOC_FAILURE);
-            return 0;
+            return (0);
         }
     }
+    i = sk_void_num(ad->sk);
 
-    for (i = sk_void_num(ad->sk); i <= idx; ++i) {
+    while (i <= idx) {
         if (!sk_void_push(ad->sk, NULL)) {
             CRYPTOerr(CRYPTO_F_CRYPTO_SET_EX_DATA, ERR_R_MALLOC_FAILURE);
-            return 0;
+            return (0);
         }
+        i++;
     }
     sk_void_set(ad->sk, idx, val);
-    return 1;
+    return (1);
 }
 
 /*
@@ -378,7 +635,12 @@ int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
  */
 void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx)
 {
-    if (ad->sk == NULL || idx >= sk_void_num(ad->sk))
-        return NULL;
-    return sk_void_value(ad->sk, idx);
+    if (ad->sk == NULL)
+        return (0);
+    else if (idx >= sk_void_num(ad->sk))
+        return (0);
+    else
+        return (sk_void_value(ad->sk, idx));
 }
+
+IMPLEMENT_STACK_OF(CRYPTO_EX_DATA_FUNCS)
diff --git a/Cryptlib/OpenSSL/crypto/fips_ers.c b/Cryptlib/OpenSSL/crypto/fips_ers.c
new file mode 100644
index 00000000..1788ed28
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/fips_ers.c
@@ -0,0 +1,7 @@
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_FIPS
+# include "fips_err.h"
+#else
+static void *dummy = &dummy;
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c b/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c
index 78ae0ea6..944c6c85 100644
--- a/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c
+++ b/Cryptlib/OpenSSL/crypto/hmac/hm_ameth.c
@@ -1,16 +1,65 @@
 /*
- * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2007.
+ */
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
-#include "internal/asn1_int.h"
+#include "asn1_locl.h"
 
 #define HMAC_TEST_PRIVATE_KEY_FORMAT
 
@@ -26,7 +75,7 @@ static int hmac_size(const EVP_PKEY *pkey)
 
 static void hmac_key_free(EVP_PKEY *pkey)
 {
-    ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey);
+    ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr;
     if (os) {
         if (os->data)
             OPENSSL_cleanse(os->data, os->length);
@@ -46,11 +95,6 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
     }
 }
 
-static int hmac_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
-{
-    return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b));
-}
-
 #ifdef HMAC_TEST_PRIVATE_KEY_FORMAT
 /*
  * A bogus private key format for test purposes. This is simply the HMAC key
@@ -63,7 +107,7 @@ static int old_hmac_decode(EVP_PKEY *pkey,
 {
     ASN1_OCTET_STRING *os;
     os = ASN1_OCTET_STRING_new();
-    if (os == NULL || !ASN1_OCTET_STRING_set(os, *pder, derlen))
+    if (!os || !ASN1_OCTET_STRING_set(os, *pder, derlen))
         goto err;
     if (!EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os))
         goto err;
@@ -77,12 +121,10 @@ static int old_hmac_decode(EVP_PKEY *pkey,
 static int old_hmac_encode(const EVP_PKEY *pkey, unsigned char **pder)
 {
     int inc;
-    ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey);
+    ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr;
     if (pder) {
         if (!*pder) {
             *pder = OPENSSL_malloc(os->length);
-            if (*pder == NULL)
-                return -1;
             inc = 0;
         } else
             inc = 1;
@@ -106,12 +148,12 @@ const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = {
     "HMAC",
     "OpenSSL HMAC method",
 
-    0, 0, hmac_pkey_public_cmp, 0,
+    0, 0, 0, 0,
 
     0, 0, 0,
 
     hmac_size,
-    0, 0,
+    0,
     0, 0, 0, 0, 0, 0, 0,
 
     hmac_key_free,
diff --git a/Cryptlib/OpenSSL/crypto/hmac/hm_pmeth.c b/Cryptlib/OpenSSL/crypto/hmac/hm_pmeth.c
index 5b98477f..0ffff79c 100644
--- a/Cryptlib/OpenSSL/crypto/hmac/hm_pmeth.c
+++ b/Cryptlib/OpenSSL/crypto/hmac/hm_pmeth.c
@@ -1,41 +1,89 @@
 /*
- * Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2007.
+ */
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "internal/evp_int.h"
+#include "evp_locl.h"
 
 /* HMAC pkey context structure */
 
 typedef struct {
     const EVP_MD *md;           /* MD for HMAC use */
     ASN1_OCTET_STRING ktmp;     /* Temp storage for key */
-    HMAC_CTX *ctx;
+    HMAC_CTX ctx;
 } HMAC_PKEY_CTX;
 
 static int pkey_hmac_init(EVP_PKEY_CTX *ctx)
 {
     HMAC_PKEY_CTX *hctx;
-
-    hctx = OPENSSL_zalloc(sizeof(*hctx));
-    if (hctx == NULL)
+    hctx = OPENSSL_malloc(sizeof(HMAC_PKEY_CTX));
+    if (!hctx)
         return 0;
+    hctx->md = NULL;
+    hctx->ktmp.data = NULL;
+    hctx->ktmp.length = 0;
+    hctx->ktmp.flags = 0;
     hctx->ktmp.type = V_ASN1_OCTET_STRING;
-    hctx->ctx = HMAC_CTX_new();
-    if (hctx->ctx == NULL) {
-        OPENSSL_free(hctx);
-        return 0;
-    }
+    HMAC_CTX_init(&hctx->ctx);
 
     ctx->data = hctx;
     ctx->keygen_info_count = 0;
@@ -43,42 +91,36 @@ static int pkey_hmac_init(EVP_PKEY_CTX *ctx)
     return 1;
 }
 
-static void pkey_hmac_cleanup(EVP_PKEY_CTX *ctx);
-
 static int pkey_hmac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 {
     HMAC_PKEY_CTX *sctx, *dctx;
-
-    /* allocate memory for dst->data and a new HMAC_CTX in dst->data->ctx */
     if (!pkey_hmac_init(dst))
         return 0;
-    sctx = EVP_PKEY_CTX_get_data(src);
-    dctx = EVP_PKEY_CTX_get_data(dst);
+    sctx = src->data;
+    dctx = dst->data;
     dctx->md = sctx->md;
-    if (!HMAC_CTX_copy(dctx->ctx, sctx->ctx))
-        goto err;
+    HMAC_CTX_init(&dctx->ctx);
+    if (!HMAC_CTX_copy(&dctx->ctx, &sctx->ctx))
+        return 0;
     if (sctx->ktmp.data) {
         if (!ASN1_OCTET_STRING_set(&dctx->ktmp,
                                    sctx->ktmp.data, sctx->ktmp.length))
-            goto err;
+            return 0;
     }
     return 1;
-err:
-    /* release HMAC_CTX in dst->data->ctx and memory allocated for dst->data */
-    pkey_hmac_cleanup (dst);
-    return 0;
 }
 
 static void pkey_hmac_cleanup(EVP_PKEY_CTX *ctx)
 {
-    HMAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx);
-
-    if (hctx != NULL) {
-        HMAC_CTX_free(hctx->ctx);
-        OPENSSL_clear_free(hctx->ktmp.data, hctx->ktmp.length);
-        OPENSSL_free(hctx);
-        EVP_PKEY_CTX_set_data(ctx, NULL);
+    HMAC_PKEY_CTX *hctx = ctx->data;
+    HMAC_CTX_cleanup(&hctx->ctx);
+    if (hctx->ktmp.data) {
+        if (hctx->ktmp.length)
+            OPENSSL_cleanse(hctx->ktmp.data, hctx->ktmp.length);
+        OPENSSL_free(hctx->ktmp.data);
+        hctx->ktmp.data = NULL;
     }
+    OPENSSL_free(hctx);
 }
 
 static int pkey_hmac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
@@ -97,8 +139,8 @@ static int pkey_hmac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 
 static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
-    HMAC_PKEY_CTX *hctx = EVP_MD_CTX_pkey_ctx(ctx)->data;
-    if (!HMAC_Update(hctx->ctx, data, count))
+    HMAC_PKEY_CTX *hctx = ctx->pctx->data;
+    if (!HMAC_Update(&hctx->ctx, data, count))
         return 0;
     return 1;
 }
@@ -106,10 +148,9 @@ static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count)
 static int hmac_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)
 {
     HMAC_PKEY_CTX *hctx = ctx->data;
-    HMAC_CTX_set_flags(hctx->ctx,
-                       EVP_MD_CTX_test_flags(mctx, ~EVP_MD_CTX_FLAG_NO_INIT));
+    HMAC_CTX_set_flags(&hctx->ctx, mctx->flags & ~EVP_MD_CTX_FLAG_NO_INIT);
     EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_NO_INIT);
-    EVP_MD_CTX_set_update_fn(mctx, int_update);
+    mctx->update = int_update;
     return 1;
 }
 
@@ -126,7 +167,7 @@ static int hmac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
     if (!sig)
         return 1;
 
-    if (!HMAC_Final(hctx->ctx, sig, &hlen))
+    if (!HMAC_Final(&hctx->ctx, sig, &hlen))
         return 0;
     *siglen = (size_t)hlen;
     return 1;
@@ -151,7 +192,7 @@ static int pkey_hmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 
     case EVP_PKEY_CTRL_DIGESTINIT:
         key = (ASN1_OCTET_STRING *)ctx->pkey->pkey.ptr;
-        if (!HMAC_Init_ex(hctx->ctx, key->data, key->length, hctx->md,
+        if (!HMAC_Init_ex(&hctx->ctx, key->data, key->length, hctx->md,
                           ctx->engine))
             return 0;
         break;
@@ -169,10 +210,21 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_CTX *ctx,
     if (!value) {
         return 0;
     }
-    if (strcmp(type, "key") == 0)
-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value);
-    if (strcmp(type, "hexkey") == 0)
-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value);
+    if (!strcmp(type, "key")) {
+        void *p = (void *)value;
+        return pkey_hmac_ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, -1, p);
+    }
+    if (!strcmp(type, "hexkey")) {
+        unsigned char *key;
+        int r;
+        long keylen;
+        key = string_to_hex(value, &keylen);
+        if (!key)
+            return 0;
+        r = pkey_hmac_ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, keylen, key);
+        OPENSSL_free(key);
+        return r;
+    }
     return -2;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/hmac/hmac.c b/Cryptlib/OpenSSL/crypto/hmac/hmac.c
index 3374105c..213504e8 100644
--- a/Cryptlib/OpenSSL/crypto/hmac/hmac.c
+++ b/Cryptlib/OpenSSL/crypto/hmac/hmac.c
@@ -1,19 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/hmac/hmac.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/hmac.h>
-#include <openssl/opensslconf.h>
-#include "hmac_lcl.h"
+
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
 
 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                  const EVP_MD *md, ENGINE *impl)
@@ -21,6 +71,32 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
     int i, j, reset = 0;
     unsigned char pad[HMAC_MAX_MD_CBLOCK];
 
+#ifdef OPENSSL_FIPS
+    /* If FIPS mode switch to approved implementation if possible */
+    if (FIPS_mode()) {
+        const EVP_MD *fipsmd;
+        if (md) {
+            fipsmd = FIPS_get_digestbynid(EVP_MD_type(md));
+            if (fipsmd)
+                md = fipsmd;
+        }
+    }
+
+    if (FIPS_mode()) {
+        /* If we have an ENGINE need to allow non FIPS */
+        if ((impl || ctx->i_ctx.engine)
+            && !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
+            EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
+            return 0;
+        }
+        /*
+         * Other algorithm blocking will be done in FIPS_cmac_init, via
+         * FIPS_hmac_init_ex().
+         */
+        if (!impl && !ctx->i_ctx.engine)
+            return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
+    }
+#endif
     /* If we are changing MD then we must have a key */
     if (md != NULL && md != ctx->md && (key == NULL || len < 0))
         return 0;
@@ -39,11 +115,11 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
         j = EVP_MD_block_size(md);
         OPENSSL_assert(j <= (int)sizeof(ctx->key));
         if (j < len) {
-            if (!EVP_DigestInit_ex(ctx->md_ctx, md, impl))
+            if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
                 goto err;
-            if (!EVP_DigestUpdate(ctx->md_ctx, key, len))
+            if (!EVP_DigestUpdate(&ctx->md_ctx, key, len))
                 goto err;
-            if (!EVP_DigestFinal_ex(ctx->md_ctx, ctx->key,
+            if (!EVP_DigestFinal_ex(&(ctx->md_ctx), ctx->key,
                                     &ctx->key_length))
                 goto err;
         } else {
@@ -60,181 +136,133 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
     if (reset) {
         for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
             pad[i] = 0x36 ^ ctx->key[i];
-        if (!EVP_DigestInit_ex(ctx->i_ctx, md, impl))
+        if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl))
             goto err;
-        if (!EVP_DigestUpdate(ctx->i_ctx, pad, EVP_MD_block_size(md)))
+        if (!EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md)))
             goto err;
 
         for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
             pad[i] = 0x5c ^ ctx->key[i];
-        if (!EVP_DigestInit_ex(ctx->o_ctx, md, impl))
+        if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl))
             goto err;
-        if (!EVP_DigestUpdate(ctx->o_ctx, pad, EVP_MD_block_size(md)))
+        if (!EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md)))
             goto err;
     }
-    if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->i_ctx))
+    if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx))
         goto err;
     return 1;
  err:
     return 0;
 }
 
-#if OPENSSL_API_COMPAT < 0x10100000L
 int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
 {
     if (key && md)
-        HMAC_CTX_reset(ctx);
+        HMAC_CTX_init(ctx);
     return HMAC_Init_ex(ctx, key, len, md, NULL);
 }
-#endif
 
 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !ctx->i_ctx.engine)
+        return FIPS_hmac_update(ctx, data, len);
+#endif
     if (!ctx->md)
         return 0;
-    return EVP_DigestUpdate(ctx->md_ctx, data, len);
+
+    return EVP_DigestUpdate(&ctx->md_ctx, data, len);
 }
 
 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
 {
     unsigned int i;
     unsigned char buf[EVP_MAX_MD_SIZE];
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !ctx->i_ctx.engine)
+        return FIPS_hmac_final(ctx, md, len);
+#endif
 
     if (!ctx->md)
         goto err;
 
-    if (!EVP_DigestFinal_ex(ctx->md_ctx, buf, &i))
+    if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
         goto err;
-    if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->o_ctx))
+    if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx))
         goto err;
-    if (!EVP_DigestUpdate(ctx->md_ctx, buf, i))
+    if (!EVP_DigestUpdate(&ctx->md_ctx, buf, i))
         goto err;
-    if (!EVP_DigestFinal_ex(ctx->md_ctx, md, len))
+    if (!EVP_DigestFinal_ex(&ctx->md_ctx, md, len))
         goto err;
     return 1;
  err:
     return 0;
 }
 
-size_t HMAC_size(const HMAC_CTX *ctx)
-{
-    return EVP_MD_size((ctx)->md);
-}
-
-HMAC_CTX *HMAC_CTX_new(void)
-{
-    HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));
-
-    if (ctx != NULL) {
-        if (!HMAC_CTX_reset(ctx)) {
-            HMAC_CTX_free(ctx);
-            return NULL;
-        }
-    }
-    return ctx;
-}
-
-static void hmac_ctx_cleanup(HMAC_CTX *ctx)
+void HMAC_CTX_init(HMAC_CTX *ctx)
 {
-    EVP_MD_CTX_reset(ctx->i_ctx);
-    EVP_MD_CTX_reset(ctx->o_ctx);
-    EVP_MD_CTX_reset(ctx->md_ctx);
+    EVP_MD_CTX_init(&ctx->i_ctx);
+    EVP_MD_CTX_init(&ctx->o_ctx);
+    EVP_MD_CTX_init(&ctx->md_ctx);
     ctx->md = NULL;
-    ctx->key_length = 0;
-    OPENSSL_cleanse(ctx->key, sizeof(ctx->key));
-}
-
-void HMAC_CTX_free(HMAC_CTX *ctx)
-{
-    if (ctx != NULL) {
-        hmac_ctx_cleanup(ctx);
-        EVP_MD_CTX_free(ctx->i_ctx);
-        EVP_MD_CTX_free(ctx->o_ctx);
-        EVP_MD_CTX_free(ctx->md_ctx);
-        OPENSSL_free(ctx);
-    }
-}
-
-int HMAC_CTX_reset(HMAC_CTX *ctx)
-{
-    hmac_ctx_cleanup(ctx);
-    if (ctx->i_ctx == NULL)
-        ctx->i_ctx = EVP_MD_CTX_new();
-    if (ctx->i_ctx == NULL)
-        goto err;
-    if (ctx->o_ctx == NULL)
-        ctx->o_ctx = EVP_MD_CTX_new();
-    if (ctx->o_ctx == NULL)
-        goto err;
-    if (ctx->md_ctx == NULL)
-        ctx->md_ctx = EVP_MD_CTX_new();
-    if (ctx->md_ctx == NULL)
-        goto err;
-    ctx->md = NULL;
-    return 1;
- err:
-    hmac_ctx_cleanup(ctx);
-    return 0;
 }
 
 int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
 {
-    if (!HMAC_CTX_reset(dctx))
+    if (!EVP_MD_CTX_copy(&dctx->i_ctx, &sctx->i_ctx))
         goto err;
-    if (!EVP_MD_CTX_copy_ex(dctx->i_ctx, sctx->i_ctx))
+    if (!EVP_MD_CTX_copy(&dctx->o_ctx, &sctx->o_ctx))
         goto err;
-    if (!EVP_MD_CTX_copy_ex(dctx->o_ctx, sctx->o_ctx))
-        goto err;
-    if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx))
+    if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx))
         goto err;
     memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
     dctx->key_length = sctx->key_length;
     dctx->md = sctx->md;
     return 1;
  err:
-    hmac_ctx_cleanup(dctx);
     return 0;
 }
 
+void HMAC_CTX_cleanup(HMAC_CTX *ctx)
+{
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !ctx->i_ctx.engine) {
+        FIPS_hmac_ctx_cleanup(ctx);
+        return;
+    }
+#endif
+    EVP_MD_CTX_cleanup(&ctx->i_ctx);
+    EVP_MD_CTX_cleanup(&ctx->o_ctx);
+    EVP_MD_CTX_cleanup(&ctx->md_ctx);
+    OPENSSL_cleanse(ctx, sizeof *ctx);
+}
+
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                     const unsigned char *d, size_t n, unsigned char *md,
                     unsigned int *md_len)
 {
-    HMAC_CTX *c = NULL;
+    HMAC_CTX c;
     static unsigned char m[EVP_MAX_MD_SIZE];
-    static const unsigned char dummy_key[1] = {'\0'};
 
     if (md == NULL)
         md = m;
-    if ((c = HMAC_CTX_new()) == NULL)
+    HMAC_CTX_init(&c);
+    if (!HMAC_Init(&c, key, key_len, evp_md))
         goto err;
-
-    /* For HMAC_Init_ex, NULL key signals reuse. */
-    if (key == NULL && key_len == 0) {
-        key = dummy_key;
-    }
-
-    if (!HMAC_Init_ex(c, key, key_len, evp_md, NULL))
-        goto err;
-    if (!HMAC_Update(c, d, n))
+    if (!HMAC_Update(&c, d, n))
         goto err;
-    if (!HMAC_Final(c, md, md_len))
+    if (!HMAC_Final(&c, md, md_len))
         goto err;
-    HMAC_CTX_free(c);
+    HMAC_CTX_cleanup(&c);
     return md;
  err:
-    HMAC_CTX_free(c);
+    HMAC_CTX_cleanup(&c);
     return NULL;
 }
 
 void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
 {
-    EVP_MD_CTX_set_flags(ctx->i_ctx, flags);
-    EVP_MD_CTX_set_flags(ctx->o_ctx, flags);
-    EVP_MD_CTX_set_flags(ctx->md_ctx, flags);
-}
-
-const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx)
-{
-    return ctx->md;
+    EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+    EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+    EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
 }
diff --git a/Cryptlib/OpenSSL/crypto/hmac/hmac_lcl.h b/Cryptlib/OpenSSL/crypto/hmac/hmac_lcl.h
deleted file mode 100644
index 4c156dc1..00000000
--- a/Cryptlib/OpenSSL/crypto/hmac/hmac_lcl.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef HEADER_HMAC_LCL_H
-# define HEADER_HMAC_LCL_H
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-#if 0                            /* emacs indentation fix */
-}
-#endif
-
-struct hmac_ctx_st {
-    const EVP_MD *md;
-    EVP_MD_CTX *md_ctx;
-    EVP_MD_CTX *i_ctx;
-    EVP_MD_CTX *o_ctx;
-    unsigned int key_length;
-    unsigned char key[HMAC_MAX_MD_CBLOCK];
-};
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/asn1_int.h b/Cryptlib/OpenSSL/crypto/include/internal/asn1_int.h
deleted file mode 100644
index f70e3b47..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/asn1_int.h
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* Internal ASN1 structures and functions: not for application use */
-
-/* ASN1 public key method structure */
-
-struct evp_pkey_asn1_method_st {
-    int pkey_id;
-    int pkey_base_id;
-    unsigned long pkey_flags;
-    char *pem_str;
-    char *info;
-    int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub);
-    int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
-    int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
-    int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
-                      ASN1_PCTX *pctx);
-    int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf);
-    int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
-    int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent,
-                       ASN1_PCTX *pctx);
-    int (*pkey_size) (const EVP_PKEY *pk);
-    int (*pkey_bits) (const EVP_PKEY *pk);
-    int (*pkey_security_bits) (const EVP_PKEY *pk);
-    int (*param_decode) (EVP_PKEY *pkey,
-                         const unsigned char **pder, int derlen);
-    int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder);
-    int (*param_missing) (const EVP_PKEY *pk);
-    int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from);
-    int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
-    int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent,
-                        ASN1_PCTX *pctx);
-    int (*sig_print) (BIO *out,
-                      const X509_ALGOR *sigalg, const ASN1_STRING *sig,
-                      int indent, ASN1_PCTX *pctx);
-    void (*pkey_free) (EVP_PKEY *pkey);
-    int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2);
-    /* Legacy functions for old PEM */
-    int (*old_priv_decode) (EVP_PKEY *pkey,
-                            const unsigned char **pder, int derlen);
-    int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder);
-    /* Custom ASN1 signature verification */
-    int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-                        X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey);
-    int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
-                      X509_ALGOR *alg1, X509_ALGOR *alg2,
-                      ASN1_BIT_STRING *sig);
-} /* EVP_PKEY_ASN1_METHOD */ ;
-
-DEFINE_STACK_OF_CONST(EVP_PKEY_ASN1_METHOD)
-
-extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
-extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
-extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
-extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[5];
-extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
-extern const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth;
-extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
-extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2];
-
-/*
- * These are used internally in the ASN1_OBJECT to keep track of whether the
- * names and data need to be free()ed
- */
-# define ASN1_OBJECT_FLAG_DYNAMIC         0x01/* internal use */
-# define ASN1_OBJECT_FLAG_CRITICAL        0x02/* critical x509v3 object id */
-# define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04/* internal use */
-# define ASN1_OBJECT_FLAG_DYNAMIC_DATA    0x08/* internal use */
-struct asn1_object_st {
-    const char *sn, *ln;
-    int nid;
-    int length;
-    const unsigned char *data;  /* data remains const after init */
-    int flags;                  /* Should we free this one */
-};
-
-/* ASN1 print context structure */
-
-struct asn1_pctx_st {
-    unsigned long flags;
-    unsigned long nm_flags;
-    unsigned long cert_flags;
-    unsigned long oid_flags;
-    unsigned long str_flags;
-} /* ASN1_PCTX */ ;
-
-int asn1_valid_host(const ASN1_STRING *host);
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/async.h b/Cryptlib/OpenSSL/crypto/include/internal/async.h
deleted file mode 100644
index db56258f..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/async.h
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/async.h>
-
-int async_init(void);
-void async_deinit(void);
-
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/bn_dh.h b/Cryptlib/OpenSSL/crypto/include/internal/bn_dh.h
deleted file mode 100644
index b4bca40c..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/bn_dh.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#define declare_dh_bn(x) \
-    const extern BIGNUM _bignum_dh##x##_p;              \
-    const extern BIGNUM _bignum_dh##x##_g;              \
-    const extern BIGNUM _bignum_dh##x##_q;
-
-declare_dh_bn(1024_160)
-declare_dh_bn(2048_224)
-declare_dh_bn(2048_256)
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/bn_int.h b/Cryptlib/OpenSSL/crypto/include/internal/bn_int.h
deleted file mode 100644
index 9c984ba7..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/bn_int.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef HEADER_BN_INT_H
-# define HEADER_BN_INT_H
-
-# include <openssl/bn.h>
-# include <limits.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-BIGNUM *bn_wexpand(BIGNUM *a, int words);
-BIGNUM *bn_expand2(BIGNUM *a, int words);
-
-void bn_correct_top(BIGNUM *a);
-
-/*
- * Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
- * This is an array r[] of values that are either zero or odd with an
- * absolute value less than 2^w satisfying scalar = \sum_j r[j]*2^j where at
- * most one of any w+1 consecutive digits is non-zero with the exception that
- * the most significant digit may be only w-1 zeros away from that next
- * non-zero digit.
- */
-signed char *bn_compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len);
-
-int bn_get_top(const BIGNUM *a);
-
-void bn_set_top(BIGNUM *a, int top);
-
-int bn_get_dmax(const BIGNUM *a);
-
-/* Set all words to zero */
-void bn_set_all_zero(BIGNUM *a);
-
-/*
- * Copy the internal BIGNUM words into out which holds size elements (and size
- * must be bigger than top)
- */
-int bn_copy_words(BN_ULONG *out, const BIGNUM *in, int size);
-
-BN_ULONG *bn_get_words(const BIGNUM *a);
-
-/*
- * Set the internal data words in a to point to words which contains size
- * elements. The BN_FLG_STATIC_DATA flag is set
- */
-void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size);
-
-/*
- * Copy words into the BIGNUM |a|, reallocating space as necessary.
- * The negative flag of |a| is not modified.
- * Returns 1 on success and 0 on failure.
- */
-/*
- * |num_words| is int because bn_expand2 takes an int. This is an internal
- * function so we simply trust callers not to pass negative values.
- */
-int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words);
-
-size_t bn_sizeof_BIGNUM(void);
-
-/*
- * Return element el from an array of BIGNUMs starting at base (required
- * because callers do not know the size of BIGNUM at compilation time)
- */
-BIGNUM *bn_array_el(BIGNUM *base, int el);
-
-
-#ifdef  __cplusplus
-}
-#endif
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/bn_srp.h b/Cryptlib/OpenSSL/crypto/include/internal/bn_srp.h
deleted file mode 100644
index d4b282a6..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/bn_srp.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OPENSSL_NO_SRP
-
-extern const BIGNUM bn_group_1024;
-
-extern const BIGNUM bn_group_1536;
-
-extern const BIGNUM bn_group_2048;
-
-extern const BIGNUM bn_group_3072;
-
-extern const BIGNUM bn_group_4096;
-
-extern const BIGNUM bn_group_6144;
-
-extern const BIGNUM bn_group_8192;
-
-extern const BIGNUM bn_generator_19;
-
-extern const BIGNUM bn_generator_5;
-
-extern const BIGNUM bn_generator_2;
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/chacha.h b/Cryptlib/OpenSSL/crypto/include/internal/chacha.h
deleted file mode 100644
index 7d4366ea..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/chacha.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef HEADER_CHACHA_H
-#define HEADER_CHACHA_H
-
-#include <stddef.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * ChaCha20_ctr32 encrypts |len| bytes from |inp| with the given key and
- * nonce and writes the result to |out|, which may be equal to |inp|.
- * The |key| is not 32 bytes of verbatim key material though, but the
- * said material collected into 8 32-bit elements array in host byte
- * order. Same approach applies to nonce: the |counter| argument is
- * pointer to concatenated nonce and counter values collected into 4
- * 32-bit elements. This, passing crypto material collected into 32-bit
- * elements as opposite to passing verbatim byte vectors, is chosen for
- * efficiency in multi-call scenarios.
- */
-void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp,
-                    size_t len, const unsigned int key[8],
-                    const unsigned int counter[4]);
-/*
- * You can notice that there is no key setup procedure. Because it's
- * as trivial as collecting bytes into 32-bit elements, it's reckoned
- * that below macro is sufficient.
- */
-#define CHACHA_U8TOU32(p)  ( \
-                ((unsigned int)(p)[0])     | ((unsigned int)(p)[1]<<8) | \
-                ((unsigned int)(p)[2]<<16) | ((unsigned int)(p)[3]<<24)  )
-
-#define CHACHA_KEY_SIZE		32
-#define CHACHA_CTR_SIZE		16
-#define CHACHA_BLK_SIZE		64
-
-#ifdef __cplusplus
-}
-#endif
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/cryptlib.h b/Cryptlib/OpenSSL/crypto/include/internal/cryptlib.h
deleted file mode 100644
index f3ec9b67..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/cryptlib.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef HEADER_CRYPTLIB_H
-# define HEADER_CRYPTLIB_H
-
-# include <stdlib.h>
-# include <string.h>
-
-# include "e_os.h"
-
-# ifdef OPENSSL_USE_APPLINK
-#  undef BIO_FLAGS_UPLINK
-#  define BIO_FLAGS_UPLINK 0x8000
-#  include "ms/uplink.h"
-# endif
-
-# include <openssl/crypto.h>
-# include <openssl/buffer.h>
-# include <openssl/bio.h>
-# include <openssl/err.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-typedef struct ex_callback_st EX_CALLBACK;
-
-DEFINE_STACK_OF(EX_CALLBACK)
-
-typedef struct app_mem_info_st APP_INFO;
-
-typedef struct mem_st MEM;
-DEFINE_LHASH_OF(MEM);
-
-# ifndef OPENSSL_SYS_VMS
-#  define X509_CERT_AREA          OPENSSLDIR
-#  define X509_CERT_DIR           OPENSSLDIR "/certs"
-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
-#  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
-#  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
-# else
-#  define X509_CERT_AREA          "OSSL$DATAROOT:[000000]"
-#  define X509_CERT_DIR           "OSSL$DATAROOT:[CERTS]"
-#  define X509_CERT_FILE          "OSSL$DATAROOT:[000000]cert.pem"
-#  define X509_PRIVATE_DIR        "OSSL$DATAROOT:[PRIVATE]"
-#  define CTLOG_FILE              "OSSL$DATAROOT:[000000]ct_log_list.cnf"
-# endif
-
-# define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
-# define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
-# define CTLOG_FILE_EVP           "CTLOG_FILE"
-
-/* size of string representations */
-# define DECIMAL_SIZE(type)      ((sizeof(type)*8+2)/3+1)
-# define HEX_SIZE(type)          (sizeof(type)*2)
-
-void OPENSSL_cpuid_setup(void);
-extern unsigned int OPENSSL_ia32cap_P[];
-void OPENSSL_showfatal(const char *fmta, ...);
-extern int OPENSSL_NONPIC_relocated;
-void crypto_cleanup_all_ex_data_int(void);
-
-int openssl_strerror_r(int errnum, char *buf, size_t buflen);
-# if !defined(OPENSSL_NO_STDIO)
-FILE *openssl_fopen(const char *filename, const char *mode);
-# else
-void *openssl_fopen(const char *filename, const char *mode);
-# endif
-
-#ifdef  __cplusplus
-}
-#endif
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/cryptlib_int.h b/Cryptlib/OpenSSL/crypto/include/internal/cryptlib_int.h
deleted file mode 100644
index 8e2a7199..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/cryptlib_int.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <internal/cryptlib.h>
-
-/* This file is not scanned by mkdef.pl, whereas cryptlib.h is */
-
-struct thread_local_inits_st {
-    int async;
-    int err_state;
-};
-
-int ossl_init_thread_start(uint64_t opts);
-
-/*
- * OPENSSL_INIT flags. The primary list of these is in crypto.h. Flags below
- * are those omitted from crypto.h because they are "reserved for internal
- * use".
- */
-# define OPENSSL_INIT_ZLIB                   0x00010000L
-
-/* OPENSSL_INIT_THREAD flags */
-# define OPENSSL_INIT_THREAD_ASYNC           0x01
-# define OPENSSL_INIT_THREAD_ERR_STATE       0x02
-
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/engine.h b/Cryptlib/OpenSSL/crypto/include/internal/engine.h
deleted file mode 100644
index 977cf06d..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/engine.h
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/engine.h>
-
-void engine_load_openssl_int(void);
-void engine_load_cryptodev_int(void);
-void engine_load_rdrand_int(void);
-void engine_load_dynamic_int(void);
-void engine_load_padlock_int(void);
-void engine_load_capi_int(void);
-void engine_load_dasync_int(void);
-void engine_load_afalg_int(void);
-void engine_cleanup_int(void);
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/err_int.h b/Cryptlib/OpenSSL/crypto/include/internal/err_int.h
deleted file mode 100644
index 7fec3ed7..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/err_int.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef INTERNAL_ERR_INT_H
-# define INTERNAL_ERR_INT_H
-
-int err_load_crypto_strings_int(void);
-void err_cleanup(void);
-void err_delete_thread_state(void);
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/evp_int.h b/Cryptlib/OpenSSL/crypto/include/internal/evp_int.h
deleted file mode 100644
index c9ef5827..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/evp_int.h
+++ /dev/null
@@ -1,389 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-struct evp_pkey_ctx_st {
-    /* Method associated with this operation */
-    const EVP_PKEY_METHOD *pmeth;
-    /* Engine that implements this method or NULL if builtin */
-    ENGINE *engine;
-    /* Key: may be NULL */
-    EVP_PKEY *pkey;
-    /* Peer key for key agreement, may be NULL */
-    EVP_PKEY *peerkey;
-    /* Actual operation */
-    int operation;
-    /* Algorithm specific data */
-    void *data;
-    /* Application specific data */
-    void *app_data;
-    /* Keygen callback */
-    EVP_PKEY_gen_cb *pkey_gencb;
-    /* implementation specific keygen data */
-    int *keygen_info;
-    int keygen_info_count;
-} /* EVP_PKEY_CTX */ ;
-
-#define EVP_PKEY_FLAG_DYNAMIC   1
-
-struct evp_pkey_method_st {
-    int pkey_id;
-    int flags;
-    int (*init) (EVP_PKEY_CTX *ctx);
-    int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
-    void (*cleanup) (EVP_PKEY_CTX *ctx);
-    int (*paramgen_init) (EVP_PKEY_CTX *ctx);
-    int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
-    int (*keygen_init) (EVP_PKEY_CTX *ctx);
-    int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
-    int (*sign_init) (EVP_PKEY_CTX *ctx);
-    int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
-                 const unsigned char *tbs, size_t tbslen);
-    int (*verify_init) (EVP_PKEY_CTX *ctx);
-    int (*verify) (EVP_PKEY_CTX *ctx,
-                   const unsigned char *sig, size_t siglen,
-                   const unsigned char *tbs, size_t tbslen);
-    int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
-    int (*verify_recover) (EVP_PKEY_CTX *ctx,
-                           unsigned char *rout, size_t *routlen,
-                           const unsigned char *sig, size_t siglen);
-    int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
-    int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
-                    EVP_MD_CTX *mctx);
-    int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
-    int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
-                      EVP_MD_CTX *mctx);
-    int (*encrypt_init) (EVP_PKEY_CTX *ctx);
-    int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
-                    const unsigned char *in, size_t inlen);
-    int (*decrypt_init) (EVP_PKEY_CTX *ctx);
-    int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
-                    const unsigned char *in, size_t inlen);
-    int (*derive_init) (EVP_PKEY_CTX *ctx);
-    int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
-    int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
-    int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
-} /* EVP_PKEY_METHOD */ ;
-
-DEFINE_STACK_OF_CONST(EVP_PKEY_METHOD)
-
-void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
-
-extern const EVP_PKEY_METHOD cmac_pkey_meth;
-extern const EVP_PKEY_METHOD dh_pkey_meth;
-extern const EVP_PKEY_METHOD dhx_pkey_meth;
-extern const EVP_PKEY_METHOD dsa_pkey_meth;
-extern const EVP_PKEY_METHOD ec_pkey_meth;
-extern const EVP_PKEY_METHOD ecx25519_pkey_meth;
-extern const EVP_PKEY_METHOD hmac_pkey_meth;
-extern const EVP_PKEY_METHOD rsa_pkey_meth;
-extern const EVP_PKEY_METHOD tls1_prf_pkey_meth;
-extern const EVP_PKEY_METHOD hkdf_pkey_meth;
-
-struct evp_md_st {
-    int type;
-    int pkey_type;
-    int md_size;
-    unsigned long flags;
-    int (*init) (EVP_MD_CTX *ctx);
-    int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count);
-    int (*final) (EVP_MD_CTX *ctx, unsigned char *md);
-    int (*copy) (EVP_MD_CTX *to, const EVP_MD_CTX *from);
-    int (*cleanup) (EVP_MD_CTX *ctx);
-    int block_size;
-    int ctx_size;               /* how big does the ctx->md_data need to be */
-    /* control function */
-    int (*md_ctrl) (EVP_MD_CTX *ctx, int cmd, int p1, void *p2);
-} /* EVP_MD */ ;
-
-struct evp_cipher_st {
-    int nid;
-    int block_size;
-    /* Default value for variable length ciphers */
-    int key_len;
-    int iv_len;
-    /* Various flags */
-    unsigned long flags;
-    /* init key */
-    int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                 const unsigned char *iv, int enc);
-    /* encrypt/decrypt data */
-    int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out,
-                      const unsigned char *in, size_t inl);
-    /* cleanup ctx */
-    int (*cleanup) (EVP_CIPHER_CTX *);
-    /* how big ctx->cipher_data needs to be */
-    int ctx_size;
-    /* Populate a ASN1_TYPE with parameters */
-    int (*set_asn1_parameters) (EVP_CIPHER_CTX *, ASN1_TYPE *);
-    /* Get parameters from a ASN1_TYPE */
-    int (*get_asn1_parameters) (EVP_CIPHER_CTX *, ASN1_TYPE *);
-    /* Miscellaneous operations */
-    int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr);
-    /* Application data */
-    void *app_data;
-} /* EVP_CIPHER */ ;
-
-/* Macros to code block cipher wrappers */
-
-/* Wrapper functions for each cipher mode */
-
-#define EVP_C_DATA(kstruct, ctx) \
-        ((kstruct *)EVP_CIPHER_CTX_get_cipher_data(ctx))
-
-#define BLOCK_CIPHER_ecb_loop() \
-        size_t i, bl; \
-        bl = EVP_CIPHER_CTX_cipher(ctx)->block_size;    \
-        if (inl < bl) return 1;\
-        inl -= bl; \
-        for (i=0; i <= inl; i+=bl)
-
-#define BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
-static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
-{\
-        BLOCK_CIPHER_ecb_loop() \
-            cprefix##_ecb_encrypt(in + i, out + i, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_encrypting(ctx)); \
-        return 1;\
-}
-
-#define EVP_MAXCHUNK ((size_t)1<<(sizeof(long)*8-2))
-
-#define BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched) \
-    static int cname##_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
-{\
-        while(inl>=EVP_MAXCHUNK) {\
-            int num = EVP_CIPHER_CTX_num(ctx);\
-            cprefix##_ofb##cbits##_encrypt(in, out, (long)EVP_MAXCHUNK, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), &num); \
-            EVP_CIPHER_CTX_set_num(ctx, num);\
-            inl-=EVP_MAXCHUNK;\
-            in +=EVP_MAXCHUNK;\
-            out+=EVP_MAXCHUNK;\
-        }\
-        if (inl) {\
-            int num = EVP_CIPHER_CTX_num(ctx);\
-            cprefix##_ofb##cbits##_encrypt(in, out, (long)inl, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), &num); \
-            EVP_CIPHER_CTX_set_num(ctx, num);\
-        }\
-        return 1;\
-}
-
-#define BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
-static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
-{\
-        while(inl>=EVP_MAXCHUNK) \
-            {\
-            cprefix##_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), EVP_CIPHER_CTX_encrypting(ctx));\
-            inl-=EVP_MAXCHUNK;\
-            in +=EVP_MAXCHUNK;\
-            out+=EVP_MAXCHUNK;\
-            }\
-        if (inl)\
-            cprefix##_cbc_encrypt(in, out, (long)inl, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), EVP_CIPHER_CTX_encrypting(ctx));\
-        return 1;\
-}
-
-#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched)  \
-static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
-{\
-    size_t chunk = EVP_MAXCHUNK;\
-    if (cbits == 1)  chunk >>= 3;\
-    if (inl < chunk) chunk = inl;\
-    while (inl && inl >= chunk)\
-    {\
-        int num = EVP_CIPHER_CTX_num(ctx);\
-        cprefix##_cfb##cbits##_encrypt(in, out, (long) \
-            ((cbits == 1) \
-                && !EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS) \
-                ? inl*8 : inl), \
-            &EVP_C_DATA(kstruct, ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx),\
-            &num, EVP_CIPHER_CTX_encrypting(ctx));\
-        EVP_CIPHER_CTX_set_num(ctx, num);\
-        inl -= chunk;\
-        in += chunk;\
-        out += chunk;\
-        if (inl < chunk) chunk = inl;\
-    }\
-    return 1;\
-}
-
-#define BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
-        BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
-        BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
-        BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
-        BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched)
-
-#define BLOCK_CIPHER_def1(cname, nmode, mode, MODE, kstruct, nid, block_size, \
-                          key_len, iv_len, flags, init_key, cleanup, \
-                          set_asn1, get_asn1, ctrl) \
-static const EVP_CIPHER cname##_##mode = { \
-        nid##_##nmode, block_size, key_len, iv_len, \
-        flags | EVP_CIPH_##MODE##_MODE, \
-        init_key, \
-        cname##_##mode##_cipher, \
-        cleanup, \
-        sizeof(kstruct), \
-        set_asn1, get_asn1,\
-        ctrl, \
-        NULL \
-}; \
-const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
-
-#define BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, \
-                             iv_len, flags, init_key, cleanup, set_asn1, \
-                             get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
-                  iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
-
-#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
-                             iv_len, cbits, flags, init_key, cleanup, \
-                             set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
-                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
-                  get_asn1, ctrl)
-
-#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
-                             iv_len, cbits, flags, init_key, cleanup, \
-                             set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, 1, \
-                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
-                  get_asn1, ctrl)
-
-#define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
-                             flags, init_key, cleanup, set_asn1, \
-                             get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
-                  0, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
-
-#define BLOCK_CIPHER_defs(cname, kstruct, \
-                          nid, block_size, key_len, iv_len, cbits, flags, \
-                          init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
-                     init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, \
-                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, \
-                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
-                     init_key, cleanup, set_asn1, get_asn1, ctrl)
-
-/*-
-#define BLOCK_CIPHER_defs(cname, kstruct, \
-                                nid, block_size, key_len, iv_len, flags,\
-                                 init_key, cleanup, set_asn1, get_asn1, ctrl)\
-static const EVP_CIPHER cname##_cbc = {\
-        nid##_cbc, block_size, key_len, iv_len, \
-        flags | EVP_CIPH_CBC_MODE,\
-        init_key,\
-        cname##_cbc_cipher,\
-        cleanup,\
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
-        set_asn1, get_asn1,\
-        ctrl, \
-        NULL \
-};\
-const EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\
-static const EVP_CIPHER cname##_cfb = {\
-        nid##_cfb64, 1, key_len, iv_len, \
-        flags | EVP_CIPH_CFB_MODE,\
-        init_key,\
-        cname##_cfb_cipher,\
-        cleanup,\
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
-        set_asn1, get_asn1,\
-        ctrl,\
-        NULL \
-};\
-const EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\
-static const EVP_CIPHER cname##_ofb = {\
-        nid##_ofb64, 1, key_len, iv_len, \
-        flags | EVP_CIPH_OFB_MODE,\
-        init_key,\
-        cname##_ofb_cipher,\
-        cleanup,\
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
-        set_asn1, get_asn1,\
-        ctrl,\
-        NULL \
-};\
-const EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\
-static const EVP_CIPHER cname##_ecb = {\
-        nid##_ecb, block_size, key_len, iv_len, \
-        flags | EVP_CIPH_ECB_MODE,\
-        init_key,\
-        cname##_ecb_cipher,\
-        cleanup,\
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
-        set_asn1, get_asn1,\
-        ctrl,\
-        NULL \
-};\
-const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
-*/
-
-#define IMPLEMENT_BLOCK_CIPHER(cname, ksched, cprefix, kstruct, nid, \
-                               block_size, key_len, iv_len, cbits, \
-                               flags, init_key, \
-                               cleanup, set_asn1, get_asn1, ctrl) \
-        BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
-        BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, \
-                          cbits, flags, init_key, cleanup, set_asn1, \
-                          get_asn1, ctrl)
-
-#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,fl) \
-        BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
-        BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
-                             NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
-                             (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
-                             cipher##_init_key, NULL, NULL, NULL, NULL)
-
-
-/*
- * Type needs to be a bit field Sub-type needs to be for variations on the
- * method, as in, can it do arbitrary encryption....
- */
-struct evp_pkey_st {
-    int type;
-    int save_type;
-    int references;
-    const EVP_PKEY_ASN1_METHOD *ameth;
-    ENGINE *engine;
-    union {
-        void *ptr;
-# ifndef OPENSSL_NO_RSA
-        struct rsa_st *rsa;     /* RSA */
-# endif
-# ifndef OPENSSL_NO_DSA
-        struct dsa_st *dsa;     /* DSA */
-# endif
-# ifndef OPENSSL_NO_DH
-        struct dh_st *dh;       /* DH */
-# endif
-# ifndef OPENSSL_NO_EC
-        struct ec_key_st *ec;   /* ECC */
-# endif
-    } pkey;
-    int save_parameters;
-    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-    CRYPTO_RWLOCK *lock;
-} /* EVP_PKEY */ ;
-
-
-void openssl_add_all_ciphers_int(void);
-void openssl_add_all_digests_int(void);
-void evp_cleanup_int(void);
-
-/* Pulling defines out of C soure files */
-
-#define EVP_RC4_KEY_SIZE 16
-#ifndef TLS1_1_VERSION
-# define TLS1_1_VERSION   0x0302
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/objects.h b/Cryptlib/OpenSSL/crypto/include/internal/objects.h
deleted file mode 100644
index 76e1b4d9..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/objects.h
+++ /dev/null
@@ -1,12 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/objects.h>
-
-void obj_cleanup_int(void);
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/poly1305.h b/Cryptlib/OpenSSL/crypto/include/internal/poly1305.h
deleted file mode 100644
index 1bc8716f..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/poly1305.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stddef.h>
-
-#define POLY1305_BLOCK_SIZE 16
-
-typedef struct poly1305_context POLY1305;
-
-size_t Poly1305_ctx_size(void);
-void Poly1305_Init(POLY1305 *ctx, const unsigned char key[32]);
-void Poly1305_Update(POLY1305 *ctx, const unsigned char *inp, size_t len);
-void Poly1305_Final(POLY1305 *ctx, unsigned char mac[16]);
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/rand.h b/Cryptlib/OpenSSL/crypto/include/internal/rand.h
deleted file mode 100644
index 30887c4a..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/rand.h
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Licensed under the OpenSSL licenses, (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * https://www.openssl.org/source/license.html
- * or in the file LICENSE in the source distribution.
- */
-
-#include <openssl/rand.h>
-
-void rand_cleanup_int(void);
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/x509_int.h b/Cryptlib/OpenSSL/crypto/include/internal/x509_int.h
deleted file mode 100644
index 2845026d..00000000
--- a/Cryptlib/OpenSSL/crypto/include/internal/x509_int.h
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* Internal X509 structures and functions: not for application use */
-
-/* Note: unless otherwise stated a field pointer is mandatory and should
- * never be set to NULL: the ASN.1 code and accessors rely on mandatory
- * fields never being NULL.
- */
-
-/*
- * name entry structure, equivalent to AttributeTypeAndValue defined
- * in RFC5280 et al.
- */
-struct X509_name_entry_st {
-    ASN1_OBJECT *object;        /* AttributeType */
-    ASN1_STRING *value;         /* AttributeValue */
-    int set;                    /* index of RDNSequence for this entry */
-    int size;                   /* temp variable */
-};
-
-/* Name from RFC 5280. */
-struct X509_name_st {
-    STACK_OF(X509_NAME_ENTRY) *entries; /* DN components */
-    int modified;               /* true if 'bytes' needs to be built */
-    BUF_MEM *bytes;             /* cached encoding: cannot be NULL */
-    /* canonical encoding used for rapid Name comparison */
-    unsigned char *canon_enc;
-    int canon_enclen;
-} /* X509_NAME */ ;
-
-/* PKCS#10 certificate request */
-
-struct X509_req_info_st {
-    ASN1_ENCODING enc;          /* cached encoding of signed part */
-    ASN1_INTEGER *version;      /* version, defaults to v1(0) so can be NULL */
-    X509_NAME *subject;         /* certificate request DN */
-    X509_PUBKEY *pubkey;        /* public key of request */
-    /*
-     * Zero or more attributes.
-     * NB: although attributes is a mandatory field some broken
-     * encodings omit it so this may be NULL in that case.
-     */
-    STACK_OF(X509_ATTRIBUTE) *attributes;
-};
-
-struct X509_req_st {
-    X509_REQ_INFO req_info;     /* signed certificate request data */
-    X509_ALGOR sig_alg;         /* signature algorithm */
-    ASN1_BIT_STRING *signature; /* signature */
-    int references;
-    CRYPTO_RWLOCK *lock;
-};
-
-struct X509_crl_info_st {
-    ASN1_INTEGER *version;      /* version: defaults to v1(0) so may be NULL */
-    X509_ALGOR sig_alg;         /* signature algorithm */
-    X509_NAME *issuer;          /* CRL issuer name */
-    ASN1_TIME *lastUpdate;      /* lastUpdate field */
-    ASN1_TIME *nextUpdate;      /* nextUpdate field: optional */
-    STACK_OF(X509_REVOKED) *revoked;        /* revoked entries: optional */
-    STACK_OF(X509_EXTENSION) *extensions;   /* extensions: optional */
-    ASN1_ENCODING enc;                      /* encoding of signed portion of CRL */
-};
-
-struct X509_crl_st {
-    X509_CRL_INFO crl;          /* signed CRL data */
-    X509_ALGOR sig_alg;         /* CRL signature algorithm */
-    ASN1_BIT_STRING signature;  /* CRL signature */
-    int references;
-    int flags;
-    /*
-     * Cached copies of decoded extension values, since extensions
-     * are optional any of these can be NULL.
-     */
-    AUTHORITY_KEYID *akid;
-    ISSUING_DIST_POINT *idp;
-    /* Convenient breakdown of IDP */
-    int idp_flags;
-    int idp_reasons;
-    /* CRL and base CRL numbers for delta processing */
-    ASN1_INTEGER *crl_number;
-    ASN1_INTEGER *base_crl_number;
-    STACK_OF(GENERAL_NAMES) *issuers;
-    /* hash of CRL */
-    unsigned char sha1_hash[SHA_DIGEST_LENGTH];
-    /* alternative method to handle this CRL */
-    const X509_CRL_METHOD *meth;
-    void *meth_data;
-    CRYPTO_RWLOCK *lock;
-};
-
-struct x509_revoked_st {
-    ASN1_INTEGER serialNumber; /* revoked entry serial number */
-    ASN1_TIME *revocationDate;  /* revocation date */
-    STACK_OF(X509_EXTENSION) *extensions;   /* CRL entry extensions: optional */
-    /* decoded value of CRLissuer extension: set if indirect CRL */
-    STACK_OF(GENERAL_NAME) *issuer;
-    /* revocation reason: set to CRL_REASON_NONE if reason extension absent */
-    int reason;
-    /*
-     * CRL entries are reordered for faster lookup of serial numbers. This
-     * field contains the original load sequence for this entry.
-     */
-    int sequence;
-};
-
-/*
- * This stuff is certificate "auxiliary info": it contains details which are
- * useful in certificate stores and databases. When used this is tagged onto
- * the end of the certificate itself. OpenSSL specific structure not defined
- * in any RFC.
- */
-
-struct x509_cert_aux_st {
-    STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
-    STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
-    ASN1_UTF8STRING *alias;     /* "friendly name" */
-    ASN1_OCTET_STRING *keyid;   /* key id of private key */
-    STACK_OF(X509_ALGOR) *other; /* other unspecified info */
-};
-
-struct x509_cinf_st {
-    ASN1_INTEGER *version;      /* [ 0 ] default of v1 */
-    ASN1_INTEGER serialNumber;
-    X509_ALGOR signature;
-    X509_NAME *issuer;
-    X509_VAL validity;
-    X509_NAME *subject;
-    X509_PUBKEY *key;
-    ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
-    ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
-    STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
-    ASN1_ENCODING enc;
-};
-
-struct x509_st {
-    X509_CINF cert_info;
-    X509_ALGOR sig_alg;
-    ASN1_BIT_STRING signature;
-    int references;
-    CRYPTO_EX_DATA ex_data;
-    /* These contain copies of various extension values */
-    long ex_pathlen;
-    long ex_pcpathlen;
-    uint32_t ex_flags;
-    uint32_t ex_kusage;
-    uint32_t ex_xkusage;
-    uint32_t ex_nscert;
-    ASN1_OCTET_STRING *skid;
-    AUTHORITY_KEYID *akid;
-    X509_POLICY_CACHE *policy_cache;
-    STACK_OF(DIST_POINT) *crldp;
-    STACK_OF(GENERAL_NAME) *altname;
-    NAME_CONSTRAINTS *nc;
-#ifndef OPENSSL_NO_RFC3779
-    STACK_OF(IPAddressFamily) *rfc3779_addr;
-    struct ASIdentifiers_st *rfc3779_asid;
-# endif
-    unsigned char sha1_hash[SHA_DIGEST_LENGTH];
-    X509_CERT_AUX *aux;
-    CRYPTO_RWLOCK *lock;
-} /* X509 */ ;
-
-/*
- * This is a used when verifying cert chains.  Since the gathering of the
- * cert chain can take some time (and have to be 'retried', this needs to be
- * kept and passed around.
- */
-struct x509_store_ctx_st {      /* X509_STORE_CTX */
-    X509_STORE *ctx;
-    /* The following are set by the caller */
-    /* The cert to check */
-    X509 *cert;
-    /* chain of X509s - untrusted - passed in */
-    STACK_OF(X509) *untrusted;
-    /* set of CRLs passed in */
-    STACK_OF(X509_CRL) *crls;
-    X509_VERIFY_PARAM *param;
-    /* Other info for use with get_issuer() */
-    void *other_ctx;
-    /* Callbacks for various operations */
-    /* called to verify a certificate */
-    int (*verify) (X509_STORE_CTX *ctx);
-    /* error callback */
-    int (*verify_cb) (int ok, X509_STORE_CTX *ctx);
-    /* get issuers cert from ctx */
-    int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
-    /* check issued */
-    int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
-    /* Check revocation status of chain */
-    int (*check_revocation) (X509_STORE_CTX *ctx);
-    /* retrieve CRL */
-    int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
-    /* Check CRL validity */
-    int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl);
-    /* Check certificate against CRL */
-    int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
-    /* Check policy status of the chain */
-    int (*check_policy) (X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
-    STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
-    int (*cleanup) (X509_STORE_CTX *ctx);
-    /* The following is built up */
-    /* if 0, rebuild chain */
-    int valid;
-    /* number of untrusted certs */
-    int num_untrusted;
-    /* chain of X509s - built up and trusted */
-    STACK_OF(X509) *chain;
-    /* Valid policy tree */
-    X509_POLICY_TREE *tree;
-    /* Require explicit policy value */
-    int explicit_policy;
-    /* When something goes wrong, this is why */
-    int error_depth;
-    int error;
-    X509 *current_cert;
-    /* cert currently being tested as valid issuer */
-    X509 *current_issuer;
-    /* current CRL */
-    X509_CRL *current_crl;
-    /* score of current CRL */
-    int current_crl_score;
-    /* Reason mask */
-    unsigned int current_reasons;
-    /* For CRL path validation: parent context */
-    X509_STORE_CTX *parent;
-    CRYPTO_EX_DATA ex_data;
-    SSL_DANE *dane;
-    /* signed via bare TA public key, rather than CA certificate */
-    int bare_ta_signed;
-};
-
-/* PKCS#8 private key info structure */
-
-struct pkcs8_priv_key_info_st {
-    ASN1_INTEGER *version;
-    X509_ALGOR *pkeyalg;
-    ASN1_OCTET_STRING *pkey;
-    STACK_OF(X509_ATTRIBUTE) *attributes;
-};
-
-struct X509_sig_st {
-    X509_ALGOR *algor;
-    ASN1_OCTET_STRING *digest;
-};
-
-struct x509_object_st {
-    /* one of the above types */
-    X509_LOOKUP_TYPE type;
-    union {
-        char *ptr;
-        X509 *x509;
-        X509_CRL *crl;
-        EVP_PKEY *pkey;
-    } data;
-};
-
-int a2i_ipadd(unsigned char *ipout, const char *ipasc);
-int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
diff --git a/Cryptlib/OpenSSL/crypto/init.c b/Cryptlib/OpenSSL/crypto/init.c
deleted file mode 100644
index c730e387..00000000
--- a/Cryptlib/OpenSSL/crypto/init.c
+++ /dev/null
@@ -1,664 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <internal/cryptlib_int.h>
-#include <openssl/err.h>
-#include <internal/rand.h>
-#include <internal/bio.h>
-#include <openssl/evp.h>
-#include <internal/evp_int.h>
-#include <internal/conf.h>
-#include <internal/async.h>
-#include <internal/engine.h>
-#include <internal/comp.h>
-#include <internal/err.h>
-#include <internal/err_int.h>
-#include <internal/objects.h>
-#include <stdlib.h>
-#include <assert.h>
-#include <internal/thread_once.h>
-#include <internal/dso.h>
-
-static int stopped = 0;
-
-static void ossl_init_thread_stop(struct thread_local_inits_st *locals);
-
-static CRYPTO_THREAD_LOCAL threadstopkey;
-
-static void ossl_init_thread_stop_wrap(void *local)
-{
-    ossl_init_thread_stop((struct thread_local_inits_st *)local);
-}
-
-static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc)
-{
-    struct thread_local_inits_st *local =
-        CRYPTO_THREAD_get_local(&threadstopkey);
-
-    if (local == NULL && alloc) {
-        local = OPENSSL_zalloc(sizeof *local);
-        CRYPTO_THREAD_set_local(&threadstopkey, local);
-    }
-    if (!alloc) {
-        CRYPTO_THREAD_set_local(&threadstopkey, NULL);
-    }
-
-    return local;
-}
-
-typedef struct ossl_init_stop_st OPENSSL_INIT_STOP;
-struct ossl_init_stop_st {
-    void (*handler)(void);
-    OPENSSL_INIT_STOP *next;
-};
-
-static OPENSSL_INIT_STOP *stop_handlers = NULL;
-static CRYPTO_RWLOCK *init_lock = NULL;
-
-static CRYPTO_ONCE base = CRYPTO_ONCE_STATIC_INIT;
-static int base_inited = 0;
-DEFINE_RUN_ONCE_STATIC(ossl_init_base)
-{
-#ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_base: Setting up stop handlers\n");
-#endif
-    /*
-     * We use a dummy thread local key here. We use the destructor to detect
-     * when the thread is going to stop (where that feature is available)
-     */
-    CRYPTO_THREAD_init_local(&threadstopkey, ossl_init_thread_stop_wrap);
-#ifndef OPENSSL_SYS_UEFI
-    atexit(OPENSSL_cleanup);
-#endif
-    if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL)
-        return 0;
-    OPENSSL_cpuid_setup();
-
-    /*
-     * BIG FAT WARNING!
-     * Everything needed to be initialized in this function before threads
-     * come along MUST happen before base_inited is set to 1, or we will
-     * see race conditions.
-     */
-    base_inited = 1;
-
-#if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE)
-# ifdef DSO_WIN32
-    {
-        HMODULE handle = NULL;
-        BOOL ret;
-
-        /* We don't use the DSO route for WIN32 because there is a better way */
-        ret = GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS
-                                | GET_MODULE_HANDLE_EX_FLAG_PIN,
-                                (void *)&base_inited, &handle);
-
-        return (ret == TRUE) ? 1 : 0;
-    }
-# else
-    /*
-     * Deliberately leak a reference to ourselves. This will force the library
-     * to remain loaded until the atexit() handler is run a process exit.
-     */
-    {
-        DSO *dso = NULL;
-
-        dso = DSO_dsobyaddr(&base_inited, DSO_FLAG_NO_UNLOAD_ON_FREE);
-        DSO_free(dso);
-    }
-# endif
-#endif
-
-    return 1;
-}
-
-static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;
-static int load_crypto_strings_inited = 0;
-DEFINE_RUN_ONCE_STATIC(ossl_init_no_load_crypto_strings)
-{
-    /* Do nothing in this case */
-    return 1;
-}
-
-DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
-{
-    int ret = 1;
-    /*
-     * OPENSSL_NO_AUTOERRINIT is provided here to prevent at compile time
-     * pulling in all the error strings during static linking
-     */
-#if !defined(OPENSSL_NO_ERR) && !defined(OPENSSL_NO_AUTOERRINIT)
-# ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_load_crypto_strings: "
-                    "err_load_crypto_strings_int()\n");
-# endif
-    ret = err_load_crypto_strings_int();
-    load_crypto_strings_inited = 1;
-#endif    
-    return ret;
-}
-
-static CRYPTO_ONCE add_all_ciphers = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_ciphers)
-{
-    /*
-     * OPENSSL_NO_AUTOALGINIT is provided here to prevent at compile time
-     * pulling in all the ciphers during static linking
-     */
-#ifndef OPENSSL_NO_AUTOALGINIT
-# ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_add_all_ciphers: "
-                    "openssl_add_all_ciphers_int()\n");
-# endif
-    openssl_add_all_ciphers_int();
-#endif
-    return 1;
-}
-
-static CRYPTO_ONCE add_all_digests = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_digests)
-{
-    /*
-     * OPENSSL_NO_AUTOALGINIT is provided here to prevent at compile time
-     * pulling in all the ciphers during static linking
-     */
-#ifndef OPENSSL_NO_AUTOALGINIT
-# ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_add_all_digests: "
-                    "openssl_add_all_digests()\n");
-# endif
-    openssl_add_all_digests_int();
-#endif
-    return 1;
-}
-
-DEFINE_RUN_ONCE_STATIC(ossl_init_no_add_algs)
-{
-    /* Do nothing */
-    return 1;
-}
-
-static CRYPTO_ONCE config = CRYPTO_ONCE_STATIC_INIT;
-static int config_inited = 0;
-static const char *appname;
-DEFINE_RUN_ONCE_STATIC(ossl_init_config)
-{
-#ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr,
-            "OPENSSL_INIT: ossl_init_config: openssl_config(%s)\n",
-            appname == NULL ? "NULL" : appname);
-#endif
-    openssl_config_int(appname);
-    config_inited = 1;
-    return 1;
-}
-DEFINE_RUN_ONCE_STATIC(ossl_init_no_config)
-{
-#ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr,
-            "OPENSSL_INIT: ossl_init_config: openssl_no_config_int()\n");
-#endif
-    openssl_no_config_int();
-    config_inited = 1;
-    return 1;
-}
-
-static CRYPTO_ONCE async = CRYPTO_ONCE_STATIC_INIT;
-static int async_inited = 0;
-DEFINE_RUN_ONCE_STATIC(ossl_init_async)
-{
-#ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_async: async_init()\n");
-#endif
-    if (!async_init())
-        return 0;
-    async_inited = 1;
-    return 1;
-}
-
-#ifndef OPENSSL_NO_ENGINE
-static CRYPTO_ONCE engine_openssl = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
-{
-# ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_openssl: "
-                    "engine_load_openssl_int()\n");
-# endif
-    engine_load_openssl_int();
-    return 1;
-}
-# if !defined(OPENSSL_NO_HW) && \
-    (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
-static CRYPTO_ONCE engine_cryptodev = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_cryptodev)
-{
-#  ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_cryptodev: "
-                    "engine_load_cryptodev_int()\n");
-#  endif
-    engine_load_cryptodev_int();
-    return 1;
-}
-# endif
-
-# ifndef OPENSSL_NO_RDRAND
-static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_rdrand)
-{
-#  ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_rdrand: "
-                    "engine_load_rdrand_int()\n");
-#  endif
-    engine_load_rdrand_int();
-    return 1;
-}
-# endif
-static CRYPTO_ONCE engine_dynamic = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic)
-{
-# ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_dynamic: "
-                    "engine_load_dynamic_int()\n");
-# endif
-    engine_load_dynamic_int();
-    return 1;
-}
-# ifndef OPENSSL_NO_STATIC_ENGINE
-#  if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
-static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock)
-{
-#   ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_padlock: "
-                    "engine_load_padlock_int()\n");
-#   endif
-    engine_load_padlock_int();
-    return 1;
-}
-#  endif
-#  if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
-static CRYPTO_ONCE engine_capi = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_capi)
-{
-#   ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_capi: "
-                    "engine_load_capi_int()\n");
-#   endif
-    engine_load_capi_int();
-    return 1;
-}
-#  endif
-#  if !defined(OPENSSL_NO_AFALGENG)
-static CRYPTO_ONCE engine_afalg = CRYPTO_ONCE_STATIC_INIT;
-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg)
-{
-#   ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_afalg: "
-                    "engine_load_afalg_int()\n");
-#   endif
-    engine_load_afalg_int();
-    return 1;
-}
-#  endif
-# endif
-#endif
-
-#ifndef OPENSSL_NO_COMP
-static CRYPTO_ONCE zlib = CRYPTO_ONCE_STATIC_INIT;
-
-static int zlib_inited = 0;
-DEFINE_RUN_ONCE_STATIC(ossl_init_zlib)
-{
-    /* Do nothing - we need to know about this for the later cleanup */
-    zlib_inited = 1;
-    return 1;
-}
-#endif
-
-static void ossl_init_thread_stop(struct thread_local_inits_st *locals)
-{
-    /* Can't do much about this */
-    if (locals == NULL)
-        return;
-
-    if (locals->async) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: ossl_init_thread_stop: "
-                        "ASYNC_cleanup_thread()\n");
-#endif
-        ASYNC_cleanup_thread();
-    }
-
-    if (locals->err_state) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: ossl_init_thread_stop: "
-                        "err_delete_thread_state()\n");
-#endif
-        err_delete_thread_state();
-    }
-
-    OPENSSL_free(locals);
-}
-
-void OPENSSL_thread_stop(void)
-{
-    ossl_init_thread_stop(
-        (struct thread_local_inits_st *)ossl_init_get_thread_local(0));
-}
-
-int ossl_init_thread_start(uint64_t opts)
-{
-    struct thread_local_inits_st *locals = ossl_init_get_thread_local(1);
-
-    if (locals == NULL)
-        return 0;
-
-    if (opts & OPENSSL_INIT_THREAD_ASYNC) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: ossl_init_thread_start: "
-                        "marking thread for async\n");
-#endif
-        locals->async = 1;
-    }
-
-    if (opts & OPENSSL_INIT_THREAD_ERR_STATE) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: ossl_init_thread_start: "
-                        "marking thread for err_state\n");
-#endif
-        locals->err_state = 1;
-    }
-
-    return 1;
-}
-
-void OPENSSL_cleanup(void)
-{
-    OPENSSL_INIT_STOP *currhandler, *lasthandler;
-
-    /* If we've not been inited then no need to deinit */
-    if (!base_inited)
-        return;
-
-    /* Might be explicitly called and also by atexit */
-    if (stopped)
-        return;
-    stopped = 1;
-
-    /*
-     * Thread stop may not get automatically called by the thread library for
-     * the very last thread in some situations, so call it directly.
-     */
-    ossl_init_thread_stop(ossl_init_get_thread_local(0));
-
-    currhandler = stop_handlers;
-    while (currhandler != NULL) {
-        currhandler->handler();
-        lasthandler = currhandler;
-        currhandler = currhandler->next;
-        OPENSSL_free(lasthandler);
-    }
-    stop_handlers = NULL;
-
-    CRYPTO_THREAD_lock_free(init_lock);
-
-    /*
-     * We assume we are single-threaded for this function, i.e. no race
-     * conditions for the various "*_inited" vars below.
-     */
-
-#ifndef OPENSSL_NO_COMP
-    if (zlib_inited) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                        "comp_zlib_cleanup_int()\n");
-#endif
-        comp_zlib_cleanup_int();
-    }
-#endif
-
-    if (async_inited) {
-# ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                        "async_deinit()\n");
-# endif
-        async_deinit();
-    }
-
-    if (load_crypto_strings_inited) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                        "err_free_strings_int()\n");
-#endif
-        err_free_strings_int();
-    }
-
-    CRYPTO_THREAD_cleanup_local(&threadstopkey);
-
-#ifdef OPENSSL_INIT_DEBUG
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "rand_cleanup_int()\n");
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "conf_modules_free_int()\n");
-#ifndef OPENSSL_NO_ENGINE
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "engine_cleanup_int()\n");
-#endif
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "crypto_cleanup_all_ex_data_int()\n");
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "bio_sock_cleanup_int()\n");
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "bio_cleanup()\n");
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "evp_cleanup_int()\n");
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "obj_cleanup_int()\n");
-    fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                    "err_cleanup()\n");
-#endif
-    /*
-     * Note that cleanup order is important:
-     * - rand_cleanup_int could call an ENGINE's RAND cleanup function so
-     * must be called before engine_cleanup_int()
-     * - ENGINEs use CRYPTO_EX_DATA and therefore, must be cleaned up
-     * before the ex data handlers are wiped in CRYPTO_cleanup_all_ex_data().
-     * - conf_modules_free_int() can end up in ENGINE code so must be called
-     * before engine_cleanup_int()
-     * - ENGINEs and additional EVP algorithms might use added OIDs names so
-     * obj_cleanup_int() must be called last
-     */
-    rand_cleanup_int();
-    conf_modules_free_int();
-#ifndef OPENSSL_NO_ENGINE
-    engine_cleanup_int();
-#endif
-    crypto_cleanup_all_ex_data_int();
-    bio_cleanup();
-    evp_cleanup_int();
-    obj_cleanup_int();
-    err_cleanup();
-
-    base_inited = 0;
-}
-
-/*
- * If this function is called with a non NULL settings value then it must be
- * called prior to any threads making calls to any OpenSSL functions,
- * i.e. passing a non-null settings value is assumed to be single-threaded.
- */
-int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
-{
-    static int stoperrset = 0;
-
-    if (stopped) {
-        if (!stoperrset) {
-            /*
-             * We only ever set this once to avoid getting into an infinite
-             * loop where the error system keeps trying to init and fails so
-             * sets an error etc
-             */
-            stoperrset = 1;
-            CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL);
-        }
-        return 0;
-    }
-
-    if (!base_inited && !RUN_ONCE(&base, ossl_init_base))
-        return 0;
-
-    if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS)
-            && !RUN_ONCE(&load_crypto_strings,
-                         ossl_init_no_load_crypto_strings))
-        return 0;
-
-    if ((opts & OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
-            && !RUN_ONCE(&load_crypto_strings, ossl_init_load_crypto_strings))
-        return 0;
-
-    if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS)
-            && !RUN_ONCE(&add_all_ciphers, ossl_init_no_add_algs))
-        return 0;
-
-    if ((opts & OPENSSL_INIT_ADD_ALL_CIPHERS)
-            && !RUN_ONCE(&add_all_ciphers, ossl_init_add_all_ciphers))
-        return 0;
-
-    if ((opts & OPENSSL_INIT_NO_ADD_ALL_DIGESTS)
-            && !RUN_ONCE(&add_all_digests, ossl_init_no_add_algs))
-        return 0;
-
-    if ((opts & OPENSSL_INIT_ADD_ALL_DIGESTS)
-            && !RUN_ONCE(&add_all_digests, ossl_init_add_all_digests))
-        return 0;
-
-    if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG)
-            && !RUN_ONCE(&config, ossl_init_no_config))
-        return 0;
-
-    if (opts & OPENSSL_INIT_LOAD_CONFIG) {
-        int ret;
-        CRYPTO_THREAD_write_lock(init_lock);
-        appname = (settings == NULL) ? NULL : settings->appname;
-        ret = RUN_ONCE(&config, ossl_init_config);
-        CRYPTO_THREAD_unlock(init_lock);
-        if (!ret)
-            return 0;
-    }
-
-    if ((opts & OPENSSL_INIT_ASYNC)
-            && !RUN_ONCE(&async, ossl_init_async))
-        return 0;
-
-#ifndef OPENSSL_NO_ENGINE
-    if ((opts & OPENSSL_INIT_ENGINE_OPENSSL)
-            && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl))
-        return 0;
-# if !defined(OPENSSL_NO_HW) && \
-    (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV))
-    if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV)
-            && !RUN_ONCE(&engine_cryptodev, ossl_init_engine_cryptodev))
-        return 0;
-# endif
-# ifndef OPENSSL_NO_RDRAND
-    if ((opts & OPENSSL_INIT_ENGINE_RDRAND)
-            && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
-        return 0;
-# endif
-    if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC)
-            && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
-        return 0;
-# ifndef OPENSSL_NO_STATIC_ENGINE
-#  if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
-    if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
-            && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
-        return 0;
-#  endif
-#  if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
-    if ((opts & OPENSSL_INIT_ENGINE_CAPI)
-            && !RUN_ONCE(&engine_capi, ossl_init_engine_capi))
-        return 0;
-#  endif
-#  if !defined(OPENSSL_NO_AFALGENG)
-    if ((opts & OPENSSL_INIT_ENGINE_AFALG)
-            && !RUN_ONCE(&engine_afalg, ossl_init_engine_afalg))
-        return 0;
-#  endif
-# endif
-    if (opts & (OPENSSL_INIT_ENGINE_ALL_BUILTIN
-                | OPENSSL_INIT_ENGINE_OPENSSL
-                | OPENSSL_INIT_ENGINE_AFALG)) {
-        ENGINE_register_all_complete();
-    }
-#endif
-
-#ifndef OPENSSL_NO_COMP
-    if ((opts & OPENSSL_INIT_ZLIB)
-            && !RUN_ONCE(&zlib, ossl_init_zlib))
-        return 0;
-#endif
-
-    return 1;
-}
-
-int OPENSSL_atexit(void (*handler)(void))
-{
-    OPENSSL_INIT_STOP *newhand;
-
-#if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE)
-    {
-        union {
-            void *sym;
-            void (*func)(void);
-        } handlersym;
-
-        handlersym.func = handler;
-# ifdef DSO_WIN32
-        {
-            HMODULE handle = NULL;
-            BOOL ret;
-
-            /*
-             * We don't use the DSO route for WIN32 because there is a better
-             * way
-             */
-            ret = GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS
-                                    | GET_MODULE_HANDLE_EX_FLAG_PIN,
-                                    handlersym.sym, &handle);
-
-            if (!ret)
-                return 0;
-        }
-# else
-        /*
-         * Deliberately leak a reference to the handler. This will force the
-         * library/code containing the handler to remain loaded until we run the
-         * atexit handler. If -znodelete has been used then this is
-         * unneccessary.
-         */
-        {
-            DSO *dso = NULL;
-
-            dso = DSO_dsobyaddr(handlersym.sym, DSO_FLAG_NO_UNLOAD_ON_FREE);
-            DSO_free(dso);
-        }
-# endif
-    }
-#endif
-
-    newhand = OPENSSL_malloc(sizeof(*newhand));
-    if (newhand == NULL)
-        return 0;
-
-    newhand->handler = handler;
-    newhand->next = stop_handlers;
-    stop_handlers = newhand;
-
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/kdf/hkdf.c b/Cryptlib/OpenSSL/crypto/kdf/hkdf.c
deleted file mode 100644
index 00b95b5a..00000000
--- a/Cryptlib/OpenSSL/crypto/kdf/hkdf.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/hmac.h>
-#include <openssl/kdf.h>
-#include <openssl/evp.h>
-#include "internal/cryptlib.h"
-#include "internal/evp_int.h"
-
-#define HKDF_MAXBUF 1024
-
-static unsigned char *HKDF(const EVP_MD *evp_md,
-                           const unsigned char *salt, size_t salt_len,
-                           const unsigned char *key, size_t key_len,
-                           const unsigned char *info, size_t info_len,
-                           unsigned char *okm, size_t okm_len);
-
-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
-                                   const unsigned char *salt, size_t salt_len,
-                                   const unsigned char *key, size_t key_len,
-                                   unsigned char *prk, size_t *prk_len);
-
-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
-                                  const unsigned char *prk, size_t prk_len,
-                                  const unsigned char *info, size_t info_len,
-                                  unsigned char *okm, size_t okm_len);
-
-typedef struct {
-    const EVP_MD *md;
-    unsigned char *salt;
-    size_t salt_len;
-    unsigned char *key;
-    size_t key_len;
-    unsigned char info[HKDF_MAXBUF];
-    size_t info_len;
-} HKDF_PKEY_CTX;
-
-static int pkey_hkdf_init(EVP_PKEY_CTX *ctx)
-{
-    HKDF_PKEY_CTX *kctx;
-
-    kctx = OPENSSL_zalloc(sizeof(*kctx));
-    if (kctx == NULL)
-        return 0;
-
-    ctx->data = kctx;
-
-    return 1;
-}
-
-static void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx)
-{
-    HKDF_PKEY_CTX *kctx = ctx->data;
-    OPENSSL_clear_free(kctx->salt, kctx->salt_len);
-    OPENSSL_clear_free(kctx->key, kctx->key_len);
-    OPENSSL_cleanse(kctx->info, kctx->info_len);
-    OPENSSL_free(kctx);
-}
-
-static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-{
-    HKDF_PKEY_CTX *kctx = ctx->data;
-
-    switch (type) {
-    case EVP_PKEY_CTRL_HKDF_MD:
-        if (p2 == NULL)
-            return 0;
-
-        kctx->md = p2;
-        return 1;
-
-    case EVP_PKEY_CTRL_HKDF_SALT:
-        if (p1 == 0 || p2 == NULL)
-            return 1;
-
-        if (p1 < 0)
-            return 0;
-
-        if (kctx->salt != NULL)
-            OPENSSL_clear_free(kctx->salt, kctx->salt_len);
-
-        kctx->salt = OPENSSL_memdup(p2, p1);
-        if (kctx->salt == NULL)
-            return 0;
-
-        kctx->salt_len = p1;
-        return 1;
-
-    case EVP_PKEY_CTRL_HKDF_KEY:
-        if (p1 < 0)
-            return 0;
-
-        if (kctx->key != NULL)
-            OPENSSL_clear_free(kctx->key, kctx->key_len);
-
-        kctx->key = OPENSSL_memdup(p2, p1);
-        if (kctx->key == NULL)
-            return 0;
-
-        kctx->key_len  = p1;
-        return 1;
-
-    case EVP_PKEY_CTRL_HKDF_INFO:
-        if (p1 == 0 || p2 == NULL)
-            return 1;
-
-        if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len))
-            return 0;
-
-        memcpy(kctx->info + kctx->info_len, p2, p1);
-        kctx->info_len += p1;
-        return 1;
-
-    default:
-        return -2;
-
-    }
-}
-
-static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
-                              const char *value)
-{
-    if (strcmp(type, "md") == 0)
-        return EVP_PKEY_CTX_set_hkdf_md(ctx, EVP_get_digestbyname(value));
-
-    if (strcmp(type, "salt") == 0)
-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
-
-    if (strcmp(type, "hexsalt") == 0)
-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
-
-    if (strcmp(type, "key") == 0)
-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
-
-    if (strcmp(type, "hexkey") == 0)
-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
-
-    if (strcmp(type, "info") == 0)
-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
-
-    if (strcmp(type, "hexinfo") == 0)
-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
-
-    return -2;
-}
-
-static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
-                            size_t *keylen)
-{
-    HKDF_PKEY_CTX *kctx = ctx->data;
-
-    if (kctx->md == NULL || kctx->key == NULL)
-        return 0;
-
-    if (HKDF(kctx->md, kctx->salt, kctx->salt_len, kctx->key, kctx->key_len,
-             kctx->info, kctx->info_len, key, *keylen) == NULL)
-    {
-        return 0;
-    }
-
-    return 1;
-}
-
-const EVP_PKEY_METHOD hkdf_pkey_meth = {
-    EVP_PKEY_HKDF,
-    0,
-    pkey_hkdf_init,
-    0,
-    pkey_hkdf_cleanup,
-
-    0, 0,
-    0, 0,
-
-    0,
-    0,
-
-    0,
-    0,
-
-    0, 0,
-
-    0, 0, 0, 0,
-
-    0, 0,
-
-    0, 0,
-
-    0,
-    pkey_hkdf_derive,
-    pkey_hkdf_ctrl,
-    pkey_hkdf_ctrl_str
-};
-
-static unsigned char *HKDF(const EVP_MD *evp_md,
-                           const unsigned char *salt, size_t salt_len,
-                           const unsigned char *key, size_t key_len,
-                           const unsigned char *info, size_t info_len,
-                           unsigned char *okm, size_t okm_len)
-{
-    unsigned char prk[EVP_MAX_MD_SIZE];
-    size_t prk_len;
-
-    if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len))
-        return NULL;
-
-    return HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);
-}
-
-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
-                                   const unsigned char *salt, size_t salt_len,
-                                   const unsigned char *key, size_t key_len,
-                                   unsigned char *prk, size_t *prk_len)
-{
-    unsigned int tmp_len;
-
-    if (!HMAC(evp_md, salt, salt_len, key, key_len, prk, &tmp_len))
-        return NULL;
-
-    *prk_len = tmp_len;
-    return prk;
-}
-
-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
-                                  const unsigned char *prk, size_t prk_len,
-                                  const unsigned char *info, size_t info_len,
-                                  unsigned char *okm, size_t okm_len)
-{
-    HMAC_CTX *hmac;
-
-    unsigned int i;
-
-    unsigned char prev[EVP_MAX_MD_SIZE];
-
-    size_t done_len = 0, dig_len = EVP_MD_size(evp_md);
-
-    size_t n = okm_len / dig_len;
-    if (okm_len % dig_len)
-        n++;
-
-    if (n > 255)
-        return NULL;
-
-    if ((hmac = HMAC_CTX_new()) == NULL)
-        return NULL;
-
-    if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))
-        goto err;
-
-    for (i = 1; i <= n; i++) {
-        size_t copy_len;
-        const unsigned char ctr = i;
-
-        if (i > 1) {
-            if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL))
-                goto err;
-
-            if (!HMAC_Update(hmac, prev, dig_len))
-                goto err;
-        }
-
-        if (!HMAC_Update(hmac, info, info_len))
-            goto err;
-
-        if (!HMAC_Update(hmac, &ctr, 1))
-            goto err;
-
-        if (!HMAC_Final(hmac, prev, NULL))
-            goto err;
-
-        copy_len = (done_len + dig_len > okm_len) ?
-                       okm_len - done_len :
-                       dig_len;
-
-        memcpy(okm + done_len, prev, copy_len);
-
-        done_len += copy_len;
-    }
-
-    HMAC_CTX_free(hmac);
-    return okm;
-
- err:
-    HMAC_CTX_free(hmac);
-    return NULL;
-}
diff --git a/Cryptlib/OpenSSL/crypto/kdf/kdf_err.c b/Cryptlib/OpenSSL/crypto/kdf/kdf_err.c
deleted file mode 100644
index d7d71b35..00000000
--- a/Cryptlib/OpenSSL/crypto/kdf/kdf_err.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/kdf.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-# define ERR_FUNC(func) ERR_PACK(ERR_LIB_KDF,func,0)
-# define ERR_REASON(reason) ERR_PACK(ERR_LIB_KDF,0,reason)
-
-static ERR_STRING_DATA KDF_str_functs[] = {
-    {ERR_FUNC(KDF_F_PKEY_TLS1_PRF_CTRL_STR), "pkey_tls1_prf_ctrl_str"},
-    {ERR_FUNC(KDF_F_PKEY_TLS1_PRF_DERIVE), "pkey_tls1_prf_derive"},
-    {0, NULL}
-};
-
-static ERR_STRING_DATA KDF_str_reasons[] = {
-    {ERR_REASON(KDF_R_INVALID_DIGEST), "invalid digest"},
-    {ERR_REASON(KDF_R_MISSING_PARAMETER), "missing parameter"},
-    {ERR_REASON(KDF_R_VALUE_MISSING), "value missing"},
-    {0, NULL}
-};
-
-#endif
-
-int ERR_load_KDF_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-
-    if (ERR_func_error_string(KDF_str_functs[0].error) == NULL) {
-        ERR_load_strings(0, KDF_str_functs);
-        ERR_load_strings(0, KDF_str_reasons);
-    }
-#endif
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/kdf/tls1_prf.c b/Cryptlib/OpenSSL/crypto/kdf/tls1_prf.c
deleted file mode 100644
index fa13732b..00000000
--- a/Cryptlib/OpenSSL/crypto/kdf/tls1_prf.c
+++ /dev/null
@@ -1,265 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/kdf.h>
-#include <openssl/evp.h>
-#include "internal/evp_int.h"
-
-static int tls1_prf_alg(const EVP_MD *md,
-                        const unsigned char *sec, size_t slen,
-                        const unsigned char *seed, size_t seed_len,
-                        unsigned char *out, size_t olen);
-
-#define TLS1_PRF_MAXBUF 1024
-
-/* TLS KDF pkey context structure */
-
-typedef struct {
-    /* Digest to use for PRF */
-    const EVP_MD *md;
-    /* Secret value to use for PRF */
-    unsigned char *sec;
-    size_t seclen;
-    /* Buffer of concatenated seed data */
-    unsigned char seed[TLS1_PRF_MAXBUF];
-    size_t seedlen;
-} TLS1_PRF_PKEY_CTX;
-
-static int pkey_tls1_prf_init(EVP_PKEY_CTX *ctx)
-{
-    TLS1_PRF_PKEY_CTX *kctx;
-
-    kctx = OPENSSL_zalloc(sizeof(*kctx));
-    if (kctx == NULL)
-        return 0;
-    ctx->data = kctx;
-
-    return 1;
-}
-
-static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
-{
-    TLS1_PRF_PKEY_CTX *kctx = ctx->data;
-    OPENSSL_clear_free(kctx->sec, kctx->seclen);
-    OPENSSL_cleanse(kctx->seed, kctx->seedlen);
-    OPENSSL_free(kctx);
-}
-
-static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-{
-    TLS1_PRF_PKEY_CTX *kctx = ctx->data;
-    switch (type) {
-    case EVP_PKEY_CTRL_TLS_MD:
-        kctx->md = p2;
-        return 1;
-
-    case EVP_PKEY_CTRL_TLS_SECRET:
-        if (p1 < 0)
-            return 0;
-        if (kctx->sec != NULL)
-            OPENSSL_clear_free(kctx->sec, kctx->seclen);
-        OPENSSL_cleanse(kctx->seed, kctx->seedlen);
-        kctx->seedlen = 0;
-        kctx->sec = OPENSSL_memdup(p2, p1);
-        if (kctx->sec == NULL)
-            return 0;
-        kctx->seclen  = p1;
-        return 1;
-
-    case EVP_PKEY_CTRL_TLS_SEED:
-        if (p1 == 0 || p2 == NULL)
-            return 1;
-        if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seedlen))
-            return 0;
-        memcpy(kctx->seed + kctx->seedlen, p2, p1);
-        kctx->seedlen += p1;
-        return 1;
-
-    default:
-        return -2;
-
-    }
-}
-
-static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx,
-                                  const char *type, const char *value)
-{
-    if (value == NULL) {
-        KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);
-        return 0;
-    }
-    if (strcmp(type, "md") == 0) {
-        TLS1_PRF_PKEY_CTX *kctx = ctx->data;
-
-        const EVP_MD *md = EVP_get_digestbyname(value);
-        if (md == NULL) {
-            KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_INVALID_DIGEST);
-            return 0;
-        }
-        kctx->md = md;
-        return 1;
-    }
-    if (strcmp(type, "secret") == 0)
-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
-    if (strcmp(type, "hexsecret") == 0)
-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
-    if (strcmp(type, "seed") == 0)
-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
-    if (strcmp(type, "hexseed") == 0)
-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
-    return -2;
-}
-
-static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
-                                size_t *keylen)
-{
-    TLS1_PRF_PKEY_CTX *kctx = ctx->data;
-    if (kctx->md == NULL || kctx->sec == NULL || kctx->seedlen == 0) {
-        KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_PARAMETER);
-        return 0;
-    }
-    return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen,
-                        kctx->seed, kctx->seedlen,
-                        key, *keylen);
-}
-
-const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
-    EVP_PKEY_TLS1_PRF,
-    0,
-    pkey_tls1_prf_init,
-    0,
-    pkey_tls1_prf_cleanup,
-
-    0, 0,
-    0, 0,
-
-    0,
-    0,
-
-    0,
-    0,
-
-    0, 0,
-
-    0, 0, 0, 0,
-
-    0, 0,
-
-    0, 0,
-
-    0,
-    pkey_tls1_prf_derive,
-    pkey_tls1_prf_ctrl,
-    pkey_tls1_prf_ctrl_str
-};
-
-static int tls1_prf_P_hash(const EVP_MD *md,
-                           const unsigned char *sec, size_t sec_len,
-                           const unsigned char *seed, size_t seed_len,
-                           unsigned char *out, size_t olen)
-{
-    int chunk;
-    EVP_MD_CTX *ctx = NULL, *ctx_tmp = NULL, *ctx_init = NULL;
-    EVP_PKEY *mac_key = NULL;
-    unsigned char A1[EVP_MAX_MD_SIZE];
-    size_t A1_len;
-    int ret = 0;
-
-    chunk = EVP_MD_size(md);
-    OPENSSL_assert(chunk >= 0);
-
-    ctx = EVP_MD_CTX_new();
-    ctx_tmp = EVP_MD_CTX_new();
-    ctx_init = EVP_MD_CTX_new();
-    if (ctx == NULL || ctx_tmp == NULL || ctx_init == NULL)
-        goto err;
-    EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-    mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
-    if (mac_key == NULL)
-        goto err;
-    if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
-        goto err;
-    if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-        goto err;
-    if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
-        goto err;
-    if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
-        goto err;
-
-    for (;;) {
-        /* Reinit mac contexts */
-        if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
-            goto err;
-        if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
-            goto err;
-        if (olen > (size_t)chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
-            goto err;
-        if (seed && !EVP_DigestSignUpdate(ctx, seed, seed_len))
-            goto err;
-
-        if (olen > (size_t)chunk) {
-            size_t mac_len;
-            if (!EVP_DigestSignFinal(ctx, out, &mac_len))
-                goto err;
-            out += mac_len;
-            olen -= mac_len;
-            /* calc the next A1 value */
-            if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len))
-                goto err;
-        } else {                /* last one */
-
-            if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
-                goto err;
-            memcpy(out, A1, olen);
-            break;
-        }
-    }
-    ret = 1;
- err:
-    EVP_PKEY_free(mac_key);
-    EVP_MD_CTX_free(ctx);
-    EVP_MD_CTX_free(ctx_tmp);
-    EVP_MD_CTX_free(ctx_init);
-    OPENSSL_cleanse(A1, sizeof(A1));
-    return ret;
-}
-
-static int tls1_prf_alg(const EVP_MD *md,
-                        const unsigned char *sec, size_t slen,
-                        const unsigned char *seed, size_t seed_len,
-                        unsigned char *out, size_t olen)
-{
-
-    if (EVP_MD_type(md) == NID_md5_sha1) {
-        size_t i;
-        unsigned char *tmp;
-        if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1),
-                         seed, seed_len, out, olen))
-            return 0;
-
-        tmp = OPENSSL_malloc(olen);
-        if (tmp == NULL)
-            return 0;
-        if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1),
-                         seed, seed_len, tmp, olen)) {
-            OPENSSL_clear_free(tmp, olen);
-            return 0;
-        }
-        for (i = 0; i < olen; i++)
-            out[i] ^= tmp[i];
-        OPENSSL_clear_free(tmp, olen);
-        return 1;
-    }
-    if (!tls1_prf_P_hash(md, sec, slen, seed, seed_len, out, olen))
-        return 0;
-
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c b/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c
index 73378324..0bfec232 100644
--- a/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c
+++ b/Cryptlib/OpenSSL/crypto/lhash/lh_stats.c
@@ -1,65 +1,185 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/lhash/lh_stats.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 /*
- * If you wish to build this outside of OpenSSL, remove the following lines
+ * If you wish to build this outside of SSLeay, remove the following lines
  * and things should work as expected
  */
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 
-#include <openssl/bio.h>
+#ifndef OPENSSL_NO_BIO
+# include <openssl/bio.h>
+#endif
 #include <openssl/lhash.h>
-#include "lhash_lcl.h"
 
-# ifndef OPENSSL_NO_STDIO
-void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp)
+#ifdef OPENSSL_NO_BIO
+
+void lh_stats(LHASH *lh, FILE *out)
+{
+    fprintf(out, "num_items             = %lu\n", lh->num_items);
+    fprintf(out, "num_nodes             = %u\n", lh->num_nodes);
+    fprintf(out, "num_alloc_nodes       = %u\n", lh->num_alloc_nodes);
+    fprintf(out, "num_expands           = %lu\n", lh->num_expands);
+    fprintf(out, "num_expand_reallocs   = %lu\n", lh->num_expand_reallocs);
+    fprintf(out, "num_contracts         = %lu\n", lh->num_contracts);
+    fprintf(out, "num_contract_reallocs = %lu\n", lh->num_contract_reallocs);
+    fprintf(out, "num_hash_calls        = %lu\n", lh->num_hash_calls);
+    fprintf(out, "num_comp_calls        = %lu\n", lh->num_comp_calls);
+    fprintf(out, "num_insert            = %lu\n", lh->num_insert);
+    fprintf(out, "num_replace           = %lu\n", lh->num_replace);
+    fprintf(out, "num_delete            = %lu\n", lh->num_delete);
+    fprintf(out, "num_no_delete         = %lu\n", lh->num_no_delete);
+    fprintf(out, "num_retrieve          = %lu\n", lh->num_retrieve);
+    fprintf(out, "num_retrieve_miss     = %lu\n", lh->num_retrieve_miss);
+    fprintf(out, "num_hash_comps        = %lu\n", lh->num_hash_comps);
+# if 0
+    fprintf(out, "p                     = %u\n", lh->p);
+    fprintf(out, "pmax                  = %u\n", lh->pmax);
+    fprintf(out, "up_load               = %lu\n", lh->up_load);
+    fprintf(out, "down_load             = %lu\n", lh->down_load);
+# endif
+}
+
+void lh_node_stats(LHASH *lh, FILE *out)
+{
+    LHASH_NODE *n;
+    unsigned int i, num;
+
+    for (i = 0; i < lh->num_nodes; i++) {
+        for (n = lh->b[i], num = 0; n != NULL; n = n->next)
+            num++;
+        fprintf(out, "node %6u -> %3u\n", i, num);
+    }
+}
+
+void lh_node_usage_stats(LHASH *lh, FILE *out)
+{
+    LHASH_NODE *n;
+    unsigned long num;
+    unsigned int i;
+    unsigned long total = 0, n_used = 0;
+
+    for (i = 0; i < lh->num_nodes; i++) {
+        for (n = lh->b[i], num = 0; n != NULL; n = n->next)
+            num++;
+        if (num != 0) {
+            n_used++;
+            total += num;
+        }
+    }
+    fprintf(out, "%lu nodes used out of %u\n", n_used, lh->num_nodes);
+    fprintf(out, "%lu items\n", total);
+    if (n_used == 0)
+        return;
+    fprintf(out, "load %d.%02d  actual load %d.%02d\n",
+            (int)(total / lh->num_nodes),
+            (int)((total % lh->num_nodes) * 100 / lh->num_nodes),
+            (int)(total / n_used), (int)((total % n_used) * 100 / n_used));
+}
+
+#else
+
+# ifndef OPENSSL_NO_FP_API
+void lh_stats(const _LHASH *lh, FILE *fp)
 {
     BIO *bp;
 
     bp = BIO_new(BIO_s_file());
     if (bp == NULL)
-        return;
+        goto end;
     BIO_set_fp(bp, fp, BIO_NOCLOSE);
-    OPENSSL_LH_stats_bio(lh, bp);
+    lh_stats_bio(lh, bp);
     BIO_free(bp);
+ end:;
 }
 
-void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp)
+void lh_node_stats(const _LHASH *lh, FILE *fp)
 {
     BIO *bp;
 
     bp = BIO_new(BIO_s_file());
     if (bp == NULL)
-        return;
+        goto end;
     BIO_set_fp(bp, fp, BIO_NOCLOSE);
-    OPENSSL_LH_node_stats_bio(lh, bp);
+    lh_node_stats_bio(lh, bp);
     BIO_free(bp);
+ end:;
 }
 
-void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp)
+void lh_node_usage_stats(const _LHASH *lh, FILE *fp)
 {
     BIO *bp;
 
     bp = BIO_new(BIO_s_file());
     if (bp == NULL)
-        return;
+        goto end;
     BIO_set_fp(bp, fp, BIO_NOCLOSE);
-    OPENSSL_LH_node_usage_stats_bio(lh, bp);
+    lh_node_usage_stats_bio(lh, bp);
     BIO_free(bp);
+ end:;
 }
 
 # endif
 
-void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out)
+void lh_stats_bio(const _LHASH *lh, BIO *out)
 {
     BIO_printf(out, "num_items             = %lu\n", lh->num_items);
     BIO_printf(out, "num_nodes             = %u\n", lh->num_nodes);
@@ -78,11 +198,17 @@ void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out)
     BIO_printf(out, "num_retrieve          = %lu\n", lh->num_retrieve);
     BIO_printf(out, "num_retrieve_miss     = %lu\n", lh->num_retrieve_miss);
     BIO_printf(out, "num_hash_comps        = %lu\n", lh->num_hash_comps);
+# if 0
+    BIO_printf(out, "p                     = %u\n", lh->p);
+    BIO_printf(out, "pmax                  = %u\n", lh->pmax);
+    BIO_printf(out, "up_load               = %lu\n", lh->up_load);
+    BIO_printf(out, "down_load             = %lu\n", lh->down_load);
+# endif
 }
 
-void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out)
+void lh_node_stats_bio(const _LHASH *lh, BIO *out)
 {
-    OPENSSL_LH_NODE *n;
+    LHASH_NODE *n;
     unsigned int i, num;
 
     for (i = 0; i < lh->num_nodes; i++) {
@@ -92,9 +218,9 @@ void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out)
     }
 }
 
-void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out)
+void lh_node_usage_stats_bio(const _LHASH *lh, BIO *out)
 {
-    OPENSSL_LH_NODE *n;
+    LHASH_NODE *n;
     unsigned long num;
     unsigned int i;
     unsigned long total = 0, n_used = 0;
@@ -116,3 +242,5 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out)
                (int)((total % lh->num_nodes) * 100 / lh->num_nodes),
                (int)(total / n_used), (int)((total % n_used) * 100 / n_used));
 }
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/lhash/lhash.c b/Cryptlib/OpenSSL/crypto/lhash/lhash.c
index adde832c..f20353ae 100644
--- a/Cryptlib/OpenSSL/crypto/lhash/lhash.c
+++ b/Cryptlib/OpenSSL/crypto/lhash/lhash.c
@@ -1,56 +1,164 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/lhash/lhash.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
+/*-
+ * Code for dynamic hash table routines
+ * Author - Eric Young v 2.0
+ *
+ * 2.2 eay - added #include "crypto.h" so the memory leak checking code is
+ *           present. eay 18-Jun-98
+ *
+ * 2.1 eay - Added an 'error in last operation' flag. eay 6-May-98
+ *
+ * 2.0 eay - Fixed a bug that occurred when using lh_delete
+ *           from inside lh_doall().  As entries were deleted,
+ *           the 'table' was 'contract()ed', making some entries
+ *           jump from the end of the table to the start, there by
+ *           skipping the lh_doall() processing. eay - 4/12/95
+ *
+ * 1.9 eay - Fixed a memory leak in lh_free, the LHASH_NODEs
+ *           were not being free()ed. 21/11/95
+ *
+ * 1.8 eay - Put the stats routines into a separate file, lh_stats.c
+ *           19/09/95
+ *
+ * 1.7 eay - Removed the fputs() for realloc failures - the code
+ *           should silently tolerate them.  I have also fixed things
+ *           lint complained about 04/05/95
+ *
+ * 1.6 eay - Fixed an invalid pointers in contract/expand 27/07/92
+ *
+ * 1.5 eay - Fixed a misuse of realloc in expand 02/03/1992
+ *
+ * 1.4 eay - Fixed lh_doall so the function can call lh_delete 28/05/91
+ *
+ * 1.3 eay - Fixed a few lint problems 19/3/1991
+ *
+ * 1.2 eay - Fixed lh_doall problem 13/3/1991
+ *
+ * 1.1 eay - Added lh_doall
+ *
+ * 1.0 eay - First version
+ */
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
-#include "lhash_lcl.h"
 
+const char lh_version[] = "lhash" OPENSSL_VERSION_PTEXT;
 
 #undef MIN_NODES
 #define MIN_NODES       16
 #define UP_LOAD         (2*LH_LOAD_MULT) /* load times 256 (default 2) */
 #define DOWN_LOAD       (LH_LOAD_MULT) /* load times 256 (default 1) */
 
-static int expand(OPENSSL_LHASH *lh);
-static void contract(OPENSSL_LHASH *lh);
-static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh, const void *data, unsigned long *rhash);
+static void expand(_LHASH *lh);
+static void contract(_LHASH *lh);
+static LHASH_NODE **getrn(_LHASH *lh, const void *data, unsigned long *rhash);
 
-OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c)
+_LHASH *lh_new(LHASH_HASH_FN_TYPE h, LHASH_COMP_FN_TYPE c)
 {
-    OPENSSL_LHASH *ret;
+    _LHASH *ret;
+    int i;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
+    if ((ret = OPENSSL_malloc(sizeof(_LHASH))) == NULL)
         goto err0;
-    if ((ret->b = OPENSSL_zalloc(sizeof(*ret->b) * MIN_NODES)) == NULL)
+    if ((ret->b = OPENSSL_malloc(sizeof(LHASH_NODE *) * MIN_NODES)) == NULL)
         goto err1;
-    ret->comp = ((c == NULL) ? (OPENSSL_LH_COMPFUNC)strcmp : c);
-    ret->hash = ((h == NULL) ? (OPENSSL_LH_HASHFUNC)OPENSSL_LH_strhash : h);
+    for (i = 0; i < MIN_NODES; i++)
+        ret->b[i] = NULL;
+    ret->comp = ((c == NULL) ? (LHASH_COMP_FN_TYPE)strcmp : c);
+    ret->hash = ((h == NULL) ? (LHASH_HASH_FN_TYPE)lh_strhash : h);
     ret->num_nodes = MIN_NODES / 2;
     ret->num_alloc_nodes = MIN_NODES;
+    ret->p = 0;
     ret->pmax = MIN_NODES / 2;
     ret->up_load = UP_LOAD;
     ret->down_load = DOWN_LOAD;
+    ret->num_items = 0;
+
+    ret->num_expands = 0;
+    ret->num_expand_reallocs = 0;
+    ret->num_contracts = 0;
+    ret->num_contract_reallocs = 0;
+    ret->num_hash_calls = 0;
+    ret->num_comp_calls = 0;
+    ret->num_insert = 0;
+    ret->num_replace = 0;
+    ret->num_delete = 0;
+    ret->num_no_delete = 0;
+    ret->num_retrieve = 0;
+    ret->num_retrieve_miss = 0;
+    ret->num_hash_comps = 0;
+
+    ret->error = 0;
     return (ret);
-
  err1:
     OPENSSL_free(ret);
  err0:
     return (NULL);
 }
 
-void OPENSSL_LH_free(OPENSSL_LHASH *lh)
+void lh_free(_LHASH *lh)
 {
     unsigned int i;
-    OPENSSL_LH_NODE *n, *nn;
+    LHASH_NODE *n, *nn;
 
     if (lh == NULL)
         return;
@@ -67,26 +175,28 @@ void OPENSSL_LH_free(OPENSSL_LHASH *lh)
     OPENSSL_free(lh);
 }
 
-void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data)
+void *lh_insert(_LHASH *lh, void *data)
 {
     unsigned long hash;
-    OPENSSL_LH_NODE *nn, **rn;
+    LHASH_NODE *nn, **rn;
     void *ret;
 
     lh->error = 0;
-    if ((lh->up_load <= (lh->num_items * LH_LOAD_MULT / lh->num_nodes)) && !expand(lh))
-        return NULL;        /* 'lh->error++' already done in 'expand' */
+    if (lh->up_load <= (lh->num_items * LH_LOAD_MULT / lh->num_nodes))
+        expand(lh);
 
     rn = getrn(lh, data, &hash);
 
     if (*rn == NULL) {
-        if ((nn = OPENSSL_malloc(sizeof(*nn))) == NULL) {
+        if ((nn = (LHASH_NODE *)OPENSSL_malloc(sizeof(LHASH_NODE))) == NULL) {
             lh->error++;
             return (NULL);
         }
         nn->data = data;
         nn->next = NULL;
+#ifndef OPENSSL_NO_HASH_COMP
         nn->hash = hash;
+#endif
         *rn = nn;
         ret = NULL;
         lh->num_insert++;
@@ -100,10 +210,10 @@ void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data)
     return (ret);
 }
 
-void *OPENSSL_LH_delete(OPENSSL_LHASH *lh, const void *data)
+void *lh_delete(_LHASH *lh, const void *data)
 {
     unsigned long hash;
-    OPENSSL_LH_NODE *nn, **rn;
+    LHASH_NODE *nn, **rn;
     void *ret;
 
     lh->error = 0;
@@ -128,10 +238,10 @@ void *OPENSSL_LH_delete(OPENSSL_LHASH *lh, const void *data)
     return (ret);
 }
 
-void *OPENSSL_LH_retrieve(OPENSSL_LHASH *lh, const void *data)
+void *lh_retrieve(_LHASH *lh, const void *data)
 {
     unsigned long hash;
-    OPENSSL_LH_NODE **rn;
+    LHASH_NODE **rn;
     void *ret;
 
     lh->error = 0;
@@ -147,12 +257,11 @@ void *OPENSSL_LH_retrieve(OPENSSL_LHASH *lh, const void *data)
     return (ret);
 }
 
-static void doall_util_fn(OPENSSL_LHASH *lh, int use_arg,
-                          OPENSSL_LH_DOALL_FUNC func,
-                          OPENSSL_LH_DOALL_FUNCARG func_arg, void *arg)
+static void doall_util_fn(_LHASH *lh, int use_arg, LHASH_DOALL_FN_TYPE func,
+                          LHASH_DOALL_ARG_FN_TYPE func_arg, void *arg)
 {
     int i;
-    OPENSSL_LH_NODE *a, *n;
+    LHASH_NODE *a, *n;
 
     if (lh == NULL)
         return;
@@ -164,6 +273,13 @@ static void doall_util_fn(OPENSSL_LHASH *lh, int use_arg,
     for (i = lh->num_nodes - 1; i >= 0; i--) {
         a = lh->b[i];
         while (a != NULL) {
+            /*
+             * 28/05/91 - eay - n added so items can be deleted via lh_doall
+             */
+            /*
+             * 22/05/08 - ben - eh? since a is not passed, this should not be
+             * needed
+             */
             n = a->next;
             if (use_arg)
                 func_arg(a->data, arg);
@@ -174,19 +290,19 @@ static void doall_util_fn(OPENSSL_LHASH *lh, int use_arg,
     }
 }
 
-void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func)
+void lh_doall(_LHASH *lh, LHASH_DOALL_FN_TYPE func)
 {
-    doall_util_fn(lh, 0, func, (OPENSSL_LH_DOALL_FUNCARG)0, NULL);
+    doall_util_fn(lh, 0, func, (LHASH_DOALL_ARG_FN_TYPE)0, NULL);
 }
 
-void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNCARG func, void *arg)
+void lh_doall_arg(_LHASH *lh, LHASH_DOALL_ARG_FN_TYPE func, void *arg)
 {
-    doall_util_fn(lh, 1, (OPENSSL_LH_DOALL_FUNC)0, func, arg);
+    doall_util_fn(lh, 1, (LHASH_DOALL_FN_TYPE)0, func, arg);
 }
 
-static int expand(OPENSSL_LHASH *lh)
+static void expand(_LHASH *lh)
 {
-    OPENSSL_LH_NODE **n, **n1, **n2, *np;
+    LHASH_NODE **n, **n1, **n2, *np;
     unsigned int p, i, j;
     unsigned long hash, nni;
 
@@ -195,11 +311,16 @@ static int expand(OPENSSL_LHASH *lh)
     p = (int)lh->p++;
     n1 = &(lh->b[p]);
     n2 = &(lh->b[p + (int)lh->pmax]);
-    *n2 = NULL;
+    *n2 = NULL;                 /* 27/07/92 - eay - undefined pointer bug */
     nni = lh->num_alloc_nodes;
 
     for (np = *n1; np != NULL;) {
+#ifndef OPENSSL_NO_HASH_COMP
         hash = np->hash;
+#else
+        hash = lh->hash(np->data);
+        lh->num_hash_calls++;
+#endif
         if ((hash % nni) != p) { /* move it */
             *n1 = (*n1)->next;
             np->next = *n2;
@@ -211,13 +332,15 @@ static int expand(OPENSSL_LHASH *lh)
 
     if ((lh->p) >= lh->pmax) {
         j = (int)lh->num_alloc_nodes * 2;
-        n = OPENSSL_realloc(lh->b, (int)(sizeof(OPENSSL_LH_NODE *) * j));
+        n = (LHASH_NODE **)OPENSSL_realloc(lh->b,
+                                           (int)(sizeof(LHASH_NODE *) * j));
         if (n == NULL) {
             lh->error++;
             lh->num_nodes--;
             lh->p = 0;
-            return 0;
+            return;
         }
+        /* else */
         for (i = (int)lh->num_alloc_nodes; i < j; i++) /* 26/02/92 eay */
             n[i] = NULL;        /* 02/03/92 eay */
         lh->pmax = lh->num_alloc_nodes;
@@ -226,20 +349,20 @@ static int expand(OPENSSL_LHASH *lh)
         lh->p = 0;
         lh->b = n;
     }
-    return 1;
 }
 
-static void contract(OPENSSL_LHASH *lh)
+static void contract(_LHASH *lh)
 {
-    OPENSSL_LH_NODE **n, *n1, *np;
+    LHASH_NODE **n, *n1, *np;
 
     np = lh->b[lh->p + lh->pmax - 1];
     lh->b[lh->p + lh->pmax - 1] = NULL; /* 24/07-92 - eay - weird but :-( */
     if (lh->p == 0) {
-        n = OPENSSL_realloc(lh->b,
-                            (unsigned int)(sizeof(OPENSSL_LH_NODE *) * lh->pmax));
+        n = (LHASH_NODE **)OPENSSL_realloc(lh->b,
+                                           (unsigned int)(sizeof(LHASH_NODE *)
+                                                          * lh->pmax));
         if (n == NULL) {
-            /* fputs("realloc error in lhash",stderr); */
+/*                      fputs("realloc error in lhash",stderr); */
             lh->error++;
             return;
         }
@@ -264,12 +387,11 @@ static void contract(OPENSSL_LHASH *lh)
     }
 }
 
-static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh,
-                               const void *data, unsigned long *rhash)
+static LHASH_NODE **getrn(_LHASH *lh, const void *data, unsigned long *rhash)
 {
-    OPENSSL_LH_NODE **ret, *n1;
+    LHASH_NODE **ret, *n1;
     unsigned long hash, nn;
-    OPENSSL_LH_COMPFUNC cf;
+    LHASH_COMP_FN_TYPE cf;
 
     hash = (*(lh->hash)) (data);
     lh->num_hash_calls++;
@@ -282,11 +404,13 @@ static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh,
     cf = lh->comp;
     ret = &(lh->b[(int)nn]);
     for (n1 = *ret; n1 != NULL; n1 = n1->next) {
+#ifndef OPENSSL_NO_HASH_COMP
         lh->num_hash_comps++;
         if (n1->hash != hash) {
             ret = &(n1->next);
             continue;
         }
+#endif
         lh->num_comp_calls++;
         if (cf(n1->data, data) == 0)
             break;
@@ -300,7 +424,7 @@ static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh,
  * collisions on /usr/dict/words and it distributes on %2^n quite well, not
  * as good as MD5, but still good.
  */
-unsigned long OPENSSL_LH_strhash(const char *c)
+unsigned long lh_strhash(const char *c)
 {
     unsigned long ret = 0;
     long n;
@@ -328,22 +452,7 @@ unsigned long OPENSSL_LH_strhash(const char *c)
     return ((ret >> 16) ^ ret);
 }
 
-unsigned long OPENSSL_LH_num_items(const OPENSSL_LHASH *lh)
+unsigned long lh_num_items(const _LHASH *lh)
 {
     return lh ? lh->num_items : 0;
 }
-
-unsigned long OPENSSL_LH_get_down_load(const OPENSSL_LHASH *lh)
-{
-    return lh->down_load;
-}
-
-void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long down_load)
-{
-    lh->down_load = down_load;
-}
-
-int OPENSSL_LH_error(OPENSSL_LHASH *lh)
-{
-    return lh->error;
-}
diff --git a/Cryptlib/OpenSSL/crypto/lhash/lhash_lcl.h b/Cryptlib/OpenSSL/crypto/lhash/lhash_lcl.h
deleted file mode 100644
index eb4a1a3f..00000000
--- a/Cryptlib/OpenSSL/crypto/lhash/lhash_lcl.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-
-struct lhash_node_st {
-    void *data;
-    struct lhash_node_st *next;
-    unsigned long hash;
-};
-
-struct lhash_st {
-    OPENSSL_LH_NODE **b;
-    OPENSSL_LH_COMPFUNC comp;
-    OPENSSL_LH_HASHFUNC hash;
-    unsigned int num_nodes;
-    unsigned int num_alloc_nodes;
-    unsigned int p;
-    unsigned int pmax;
-    unsigned long up_load;      /* load times 256 */
-    unsigned long down_load;    /* load times 256 */
-    unsigned long num_items;
-    unsigned long num_expands;
-    unsigned long num_expand_reallocs;
-    unsigned long num_contracts;
-    unsigned long num_contract_reallocs;
-    unsigned long num_hash_calls;
-    unsigned long num_comp_calls;
-    unsigned long num_insert;
-    unsigned long num_replace;
-    unsigned long num_delete;
-    unsigned long num_no_delete;
-    unsigned long num_retrieve;
-    unsigned long num_retrieve_miss;
-    unsigned long num_hash_comps;
-    int error;
-};
diff --git a/Cryptlib/OpenSSL/crypto/include/internal/md32_common.h b/Cryptlib/OpenSSL/crypto/md32_common.h
index 6e4ce14e..b5a04bf1 100644
--- a/Cryptlib/OpenSSL/crypto/include/internal/md32_common.h
+++ b/Cryptlib/OpenSSL/crypto/md32_common.h
@@ -1,10 +1,52 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/md32_common.h */
+/* ====================================================================
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*-
@@ -22,7 +64,8 @@
  * HASH_CBLOCK
  *      size of a unit chunk HASH_BLOCK operates on.
  * HASH_LONG
- *      has to be at lest 32 bit wide.
+ *      has to be at lest 32 bit wide, if it's wider, then
+ *      HASH_LONG_LOG2 *has to* be defined along
  * HASH_CTX
  *      context structure that at least contains following
  *      members:
@@ -55,6 +98,7 @@
  *      #define DATA_ORDER_IS_LITTLE_ENDIAN
  *
  *      #define HASH_LONG               MD5_LONG
+ *      #define HASH_LONG_LOG2          MD5_LONG_LOG2
  *      #define HASH_CTX                MD5_CTX
  *      #define HASH_CBLOCK             MD5_CBLOCK
  *      #define HASH_UPDATE             MD5_Update
@@ -104,6 +148,15 @@
 #  define ROTATE(a,n)   _lrotl(a,n)
 # elif defined(__ICC)
 #  define ROTATE(a,n)   _rotl(a,n)
+# elif defined(__MWERKS__)
+#  if defined(__POWERPC__)
+#   define ROTATE(a,n)  __rlwinm(a,n,0,31)
+#  elif defined(__MC68K__)
+    /* Motorola specific tweak. <appro@fy.chalmers.se> */
+#   define ROTATE(a,n)  ( n<24 ? __rol(a,n) : __ror(a,32-n) )
+#  else
+#   define ROTATE(a,n)  __rol(a,n)
+#  endif
 # elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
   /*
    * Some GNU C inline assembler templates. Note that these are
@@ -354,7 +407,7 @@ int HASH_FINAL(unsigned char *md, HASH_CTX *c)
 # if defined(__alpha) || defined(__sparcv9) || defined(__mips)
 #  define MD32_REG_T long
 /*
- * This comment was originally written for MD5, which is why it
+ * This comment was originaly written for MD5, which is why it
  * discusses A-D. But it basically applies to all 32-bit digests,
  * which is why it was moved to common header file.
  *
diff --git a/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c b/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c
index fbede674..2b519467 100644
--- a/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c
+++ b/Cryptlib/OpenSSL/crypto/md5/md5_dgst.c
@@ -1,15 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/md5/md5_dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include "md5_locl.h"
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+
+const char MD5_version[] = "MD5" OPENSSL_VERSION_PTEXT;
 
 /*
  * Implemented from RFC1321 The MD5 Message-Digest Algorithm
@@ -20,7 +72,7 @@
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
 
-int MD5_Init(MD5_CTX *c)
+fips_md_init(MD5)
 {
     memset(c, 0, sizeof(*c));
     c->A = INIT_DATA_A;
@@ -54,52 +106,52 @@ void md5_block_data_order(MD5_CTX *c, const void *data_, size_t num)
     D = c->D;
 
     for (; num--;) {
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(0) = l;
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(1) = l;
         /* Round 0 */
         R0(A, B, C, D, X(0), 7, 0xd76aa478L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(2) = l;
         R0(D, A, B, C, X(1), 12, 0xe8c7b756L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(3) = l;
         R0(C, D, A, B, X(2), 17, 0x242070dbL);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(4) = l;
         R0(B, C, D, A, X(3), 22, 0xc1bdceeeL);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(5) = l;
         R0(A, B, C, D, X(4), 7, 0xf57c0fafL);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(6) = l;
         R0(D, A, B, C, X(5), 12, 0x4787c62aL);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(7) = l;
         R0(C, D, A, B, X(6), 17, 0xa8304613L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(8) = l;
         R0(B, C, D, A, X(7), 22, 0xfd469501L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(9) = l;
         R0(A, B, C, D, X(8), 7, 0x698098d8L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(10) = l;
         R0(D, A, B, C, X(9), 12, 0x8b44f7afL);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(11) = l;
         R0(C, D, A, B, X(10), 17, 0xffff5bb1L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(12) = l;
         R0(B, C, D, A, X(11), 22, 0x895cd7beL);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(13) = l;
         R0(A, B, C, D, X(12), 7, 0x6b901122L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(14) = l;
         R0(D, A, B, C, X(13), 12, 0xfd987193L);
-        (void)HOST_c2l(data, l);
+        HOST_c2l(data, l);
         X(15) = l;
         R0(C, D, A, B, X(14), 17, 0xa679438eL);
         R0(B, C, D, A, X(15), 22, 0x49b40821L);
diff --git a/Cryptlib/OpenSSL/crypto/md5/md5_locl.h b/Cryptlib/OpenSSL/crypto/md5/md5_locl.h
index 9c7aade8..82e69218 100644
--- a/Cryptlib/OpenSSL/crypto/md5/md5_locl.h
+++ b/Cryptlib/OpenSSL/crypto/md5/md5_locl.h
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/md5/md5_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdlib.h>
@@ -12,8 +61,12 @@
 #include <openssl/e_os2.h>
 #include <openssl/md5.h>
 
+#ifndef MD5_LONG_LOG2
+# define MD5_LONG_LOG2 2        /* default to 32 bits */
+#endif
+
 #ifdef MD5_ASM
-# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__) || \
      defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
 #  define md5_block_data_order md5_block_asm_data_order
 # elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
@@ -42,7 +95,7 @@ void md5_block_data_order(MD5_CTX *c, const void *p, size_t num);
         } while (0)
 #define HASH_BLOCK_DATA_ORDER   md5_block_data_order
 
-#include "internal/md32_common.h"
+#include "md32_common.h"
 
 /*-
 #define F(x,y,z)        (((x) & (y))  |  ((~(x)) & (z)))
diff --git a/Cryptlib/OpenSSL/crypto/md5/md5_one.c b/Cryptlib/OpenSSL/crypto/md5/md5_one.c
index becd87e4..4ac882e7 100644
--- a/Cryptlib/OpenSSL/crypto/md5/md5_one.c
+++ b/Cryptlib/OpenSSL/crypto/md5/md5_one.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/md5/md5_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
diff --git a/Cryptlib/OpenSSL/crypto/mem.c b/Cryptlib/OpenSSL/crypto/mem.c
index 02aa43a7..06c3960c 100644
--- a/Cryptlib/OpenSSL/crypto/mem.c
+++ b/Cryptlib/OpenSSL/crypto/mem.c
@@ -1,190 +1,458 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/mem.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <limits.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+
+static int allow_customize = 1; /* we provide flexible functions for */
+static int allow_customize_debug = 1; /* exchanging memory-related functions
+                                       * at run-time, but this must be done
+                                       * before any blocks are actually
+                                       * allocated; or we'll run into huge
+                                       * problems when malloc/free pairs
+                                       * don't match etc. */
 
 /*
  * the following pointers may be changed as long as 'allow_customize' is set
  */
-static int allow_customize = 1;
 
-static void *(*malloc_impl)(size_t, const char *, int)
-    = CRYPTO_malloc;
-static void *(*realloc_impl)(void *, size_t, const char *, int)
-    = CRYPTO_realloc;
-static void (*free_impl)(void *, const char *, int)
-    = CRYPTO_free;
+static void *(*malloc_func) (size_t) = malloc;
+static void *default_malloc_ex(size_t num, const char *file, int line)
+{
+    return malloc_func(num);
+}
+
+static void *(*malloc_ex_func) (size_t, const char *file, int line)
+    = default_malloc_ex;
+
+#ifdef OPENSSL_SYS_VMS
+# if __INITIAL_POINTER_SIZE == 64
+#  define realloc _realloc64
+# elif __INITIAL_POINTER_SIZE == 32
+#  define realloc _realloc32
+# endif
+#endif
+
+static void *(*realloc_func) (void *, size_t) = realloc;
+static void *default_realloc_ex(void *str, size_t num,
+                                const char *file, int line)
+{
+    return realloc_func(str, num);
+}
+
+static void *(*realloc_ex_func) (void *, size_t, const char *file, int line)
+    = default_realloc_ex;
+
+#ifdef OPENSSL_SYS_VMS
+   static void (*free_func) (__void_ptr64) = free;
+#else
+   static void (*free_func) (void *) = free;
+#endif
+
+static void *(*malloc_locked_func) (size_t) = malloc;
+static void *default_malloc_locked_ex(size_t num, const char *file, int line)
+{
+    return malloc_locked_func(num);
+}
+
+static void *(*malloc_locked_ex_func) (size_t, const char *file, int line)
+    = default_malloc_locked_ex;
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-static int call_malloc_debug = 1;
+#ifdef OPENSSL_SYS_VMS
+   static void (*free_locked_func) (__void_ptr64) = free;
 #else
-static int call_malloc_debug = 0;
+   static void (*free_locked_func) (void *) = free;
+#endif
+
+/* may be changed as long as 'allow_customize_debug' is set */
+/* XXX use correct function pointer types */
+#ifdef CRYPTO_MDEBUG
+/* use default functions from mem_dbg.c */
+static void (*malloc_debug_func) (void *, int, const char *, int, int)
+    = CRYPTO_dbg_malloc;
+static void (*realloc_debug_func) (void *, void *, int, const char *, int,
+                                   int)
+    = CRYPTO_dbg_realloc;
+static void (*free_debug_func) (void *, int) = CRYPTO_dbg_free;
+static void (*set_debug_options_func) (long) = CRYPTO_dbg_set_options;
+static long (*get_debug_options_func) (void) = CRYPTO_dbg_get_options;
+#else
+/*
+ * applications can use CRYPTO_malloc_debug_init() to select above case at
+ * run-time
+ */
+static void (*malloc_debug_func) (void *, int, const char *, int, int) = NULL;
+static void (*realloc_debug_func) (void *, void *, int, const char *, int,
+                                   int)
+    = NULL;
+static void (*free_debug_func) (void *, int) = NULL;
+static void (*set_debug_options_func) (long) = NULL;
+static long (*get_debug_options_func) (void) = NULL;
 #endif
 
-int CRYPTO_set_mem_functions(
-        void *(*m)(size_t, const char *, int),
-        void *(*r)(void *, size_t, const char *, int),
-        void (*f)(void *, const char *, int))
+int CRYPTO_set_mem_functions(void *(*m) (size_t), void *(*r) (void *, size_t),
+                             void (*f) (void *))
 {
+    /* Dummy call just to ensure OPENSSL_init() gets linked in */
+    OPENSSL_init();
     if (!allow_customize)
         return 0;
-    if (m)
-        malloc_impl = m;
-    if (r)
-        realloc_impl = r;
-    if (f)
-        free_impl = f;
+    if ((m == 0) || (r == 0) || (f == 0))
+        return 0;
+    malloc_func = m;
+    malloc_ex_func = default_malloc_ex;
+    realloc_func = r;
+    realloc_ex_func = default_realloc_ex;
+    free_func = f;
+    malloc_locked_func = m;
+    malloc_locked_ex_func = default_malloc_locked_ex;
+    free_locked_func = f;
+    return 1;
+}
+
+int CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int),
+                                void *(*r) (void *, size_t, const char *,
+                                            int), void (*f) (void *))
+{
+    if (!allow_customize)
+        return 0;
+    if ((m == 0) || (r == 0) || (f == 0))
+        return 0;
+    malloc_func = 0;
+    malloc_ex_func = m;
+    realloc_func = 0;
+    realloc_ex_func = r;
+    free_func = f;
+    malloc_locked_func = 0;
+    malloc_locked_ex_func = m;
+    free_locked_func = f;
+    return 1;
+}
+
+int CRYPTO_set_locked_mem_functions(void *(*m) (size_t), void (*f) (void *))
+{
+    if (!allow_customize)
+        return 0;
+    if ((m == NULL) || (f == NULL))
+        return 0;
+    malloc_locked_func = m;
+    malloc_locked_ex_func = default_malloc_locked_ex;
+    free_locked_func = f;
     return 1;
 }
 
-int CRYPTO_set_mem_debug(int flag)
+int CRYPTO_set_locked_mem_ex_functions(void *(*m) (size_t, const char *, int),
+                                       void (*f) (void *))
 {
     if (!allow_customize)
         return 0;
-    call_malloc_debug = flag;
+    if ((m == NULL) || (f == NULL))
+        return 0;
+    malloc_locked_func = 0;
+    malloc_locked_ex_func = m;
+    free_func = f;
+    return 1;
+}
+
+int CRYPTO_set_mem_debug_functions(void (*m)
+                                    (void *, int, const char *, int, int),
+                                   void (*r) (void *, void *, int,
+                                              const char *, int, int),
+                                   void (*f) (void *, int), void (*so) (long),
+                                   long (*go) (void))
+{
+    if (!allow_customize_debug)
+        return 0;
+    OPENSSL_init();
+    malloc_debug_func = m;
+    realloc_debug_func = r;
+    free_debug_func = f;
+    set_debug_options_func = so;
+    get_debug_options_func = go;
     return 1;
 }
 
-void CRYPTO_get_mem_functions(
-        void *(**m)(size_t, const char *, int),
-        void *(**r)(void *, size_t, const char *, int),
-        void (**f)(void *, const char *, int))
+void CRYPTO_get_mem_functions(void *(**m) (size_t),
+                              void *(**r) (void *, size_t),
+                              void (**f) (void *))
+{
+    if (m != NULL)
+        *m = (malloc_ex_func == default_malloc_ex) ? malloc_func : 0;
+    if (r != NULL)
+        *r = (realloc_ex_func == default_realloc_ex) ? realloc_func : 0;
+    if (f != NULL)
+        *f = free_func;
+}
+
+void CRYPTO_get_mem_ex_functions(void *(**m) (size_t, const char *, int),
+                                 void *(**r) (void *, size_t, const char *,
+                                              int), void (**f) (void *))
+{
+    if (m != NULL)
+        *m = (malloc_ex_func != default_malloc_ex) ? malloc_ex_func : 0;
+    if (r != NULL)
+        *r = (realloc_ex_func != default_realloc_ex) ? realloc_ex_func : 0;
+    if (f != NULL)
+        *f = free_func;
+}
+
+void CRYPTO_get_locked_mem_functions(void *(**m) (size_t),
+                                     void (**f) (void *))
+{
+    if (m != NULL)
+        *m = (malloc_locked_ex_func == default_malloc_locked_ex) ?
+            malloc_locked_func : 0;
+    if (f != NULL)
+        *f = free_locked_func;
+}
+
+void CRYPTO_get_locked_mem_ex_functions(void
+                                        *(**m) (size_t, const char *, int),
+                                        void (**f) (void *))
+{
+    if (m != NULL)
+        *m = (malloc_locked_ex_func != default_malloc_locked_ex) ?
+            malloc_locked_ex_func : 0;
+    if (f != NULL)
+        *f = free_locked_func;
+}
+
+void CRYPTO_get_mem_debug_functions(void (**m)
+                                     (void *, int, const char *, int, int),
+                                    void (**r) (void *, void *, int,
+                                                const char *, int, int),
+                                    void (**f) (void *, int),
+                                    void (**so) (long), long (**go) (void))
 {
     if (m != NULL)
-        *m = malloc_impl;
+        *m = malloc_debug_func;
     if (r != NULL)
-        *r = realloc_impl;
+        *r = realloc_debug_func;
     if (f != NULL)
-        *f = free_impl;
+        *f = free_debug_func;
+    if (so != NULL)
+        *so = set_debug_options_func;
+    if (go != NULL)
+        *go = get_debug_options_func;
 }
 
-void *CRYPTO_malloc(size_t num, const char *file, int line)
+void *CRYPTO_malloc_locked(int num, const char *file, int line)
 {
     void *ret = NULL;
 
-    if (malloc_impl != NULL && malloc_impl != CRYPTO_malloc)
-        return malloc_impl(num, file, line);
+    if (num <= 0)
+        return NULL;
+
+    if (allow_customize)
+        allow_customize = 0;
+    if (malloc_debug_func != NULL) {
+        if (allow_customize_debug)
+            allow_customize_debug = 0;
+        malloc_debug_func(NULL, num, file, line, 0);
+    }
+    ret = malloc_locked_ex_func(num, file, line);
+#ifdef LEVITTE_DEBUG_MEM
+    fprintf(stderr, "LEVITTE_DEBUG_MEM:         > 0x%p (%d)\n", ret, num);
+#endif
+    if (malloc_debug_func != NULL)
+        malloc_debug_func(ret, num, file, line, 1);
+
+    return ret;
+}
+
+void CRYPTO_free_locked(void *str)
+{
+    if (free_debug_func != NULL)
+        free_debug_func(str, 0);
+#ifdef LEVITTE_DEBUG_MEM
+    fprintf(stderr, "LEVITTE_DEBUG_MEM:         < 0x%p\n", str);
+#endif
+    free_locked_func(str);
+    if (free_debug_func != NULL)
+        free_debug_func(NULL, 1);
+}
+
+void *CRYPTO_malloc(int num, const char *file, int line)
+{
+    void *ret = NULL;
 
     if (num <= 0)
         return NULL;
 
-    allow_customize = 0;
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    if (call_malloc_debug) {
-        CRYPTO_mem_debug_malloc(NULL, num, 0, file, line);
-        ret = malloc(num);
-        CRYPTO_mem_debug_malloc(ret, num, 1, file, line);
-    } else {
-        ret = malloc(num);
+    if (allow_customize)
+        allow_customize = 0;
+    if (malloc_debug_func != NULL) {
+        if (allow_customize_debug)
+            allow_customize_debug = 0;
+        malloc_debug_func(NULL, num, file, line, 0);
     }
-#else
-    osslargused(file); osslargused(line);
-    ret = malloc(num);
+    ret = malloc_ex_func(num, file, line);
+#ifdef LEVITTE_DEBUG_MEM
+    fprintf(stderr, "LEVITTE_DEBUG_MEM:         > 0x%p (%d)\n", ret, num);
 #endif
+    if (malloc_debug_func != NULL)
+        malloc_debug_func(ret, num, file, line, 1);
 
     return ret;
 }
 
-void *CRYPTO_zalloc(size_t num, const char *file, int line)
+char *CRYPTO_strdup(const char *str, const char *file, int line)
 {
-    void *ret = CRYPTO_malloc(num, file, line);
+    char *ret = CRYPTO_malloc(strlen(str) + 1, file, line);
 
-    if (ret != NULL)
-        memset(ret, 0, num);
+    if (ret == NULL)
+        return NULL;
+
+    strcpy(ret, str);
     return ret;
 }
 
-void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
+void *CRYPTO_realloc(void *str, int num, const char *file, int line)
 {
-    if (realloc_impl != NULL && realloc_impl != &CRYPTO_realloc)
-        return realloc_impl(str, num, file, line);
+    void *ret = NULL;
 
     if (str == NULL)
         return CRYPTO_malloc(num, file, line);
 
-    if (num == 0) {
-        CRYPTO_free(str, file, line);
+    if (num <= 0)
         return NULL;
-    }
 
-    allow_customize = 0;
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    if (call_malloc_debug) {
-        void *ret;
-        CRYPTO_mem_debug_realloc(str, NULL, num, 0, file, line);
-        ret = realloc(str, num);
-        CRYPTO_mem_debug_realloc(str, ret, num, 1, file, line);
-        return ret;
-    }
-#else
-    osslargused(file); osslargused(line);
+    if (realloc_debug_func != NULL)
+        realloc_debug_func(str, NULL, num, file, line, 0);
+    ret = realloc_ex_func(str, num, file, line);
+#ifdef LEVITTE_DEBUG_MEM
+    fprintf(stderr, "LEVITTE_DEBUG_MEM:         | 0x%p -> 0x%p (%d)\n", str,
+            ret, num);
 #endif
-    return realloc(str, num);
+    if (realloc_debug_func != NULL)
+        realloc_debug_func(str, ret, num, file, line, 1);
 
+    return ret;
 }
 
-void *CRYPTO_clear_realloc(void *str, size_t old_len, size_t num,
-                           const char *file, int line)
+void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
+                           int line)
 {
     void *ret = NULL;
 
     if (str == NULL)
         return CRYPTO_malloc(num, file, line);
 
-    if (num == 0) {
-        CRYPTO_clear_free(str, old_len, file, line);
+    if (num <= 0)
         return NULL;
-    }
 
-    /* Can't shrink the buffer since memcpy below copies |old_len| bytes. */
-    if (num < old_len) {
-        OPENSSL_cleanse((char*)str + num, old_len - num);
-        return str;
-    }
+    /*
+     * We don't support shrinking the buffer. Note the memcpy that copies
+     * |old_len| bytes to the new buffer, below.
+     */
+    if (num < old_len)
+        return NULL;
 
-    ret = CRYPTO_malloc(num, file, line);
-    if (ret != NULL) {
+    if (realloc_debug_func != NULL)
+        realloc_debug_func(str, NULL, num, file, line, 0);
+    ret = malloc_ex_func(num, file, line);
+    if (ret) {
         memcpy(ret, str, old_len);
-        CRYPTO_clear_free(str, old_len, file, line);
+        OPENSSL_cleanse(str, old_len);
+        free_func(str);
     }
+#ifdef LEVITTE_DEBUG_MEM
+    fprintf(stderr,
+            "LEVITTE_DEBUG_MEM:         | 0x%p -> 0x%p (%d)\n",
+            str, ret, num);
+#endif
+    if (realloc_debug_func != NULL)
+        realloc_debug_func(str, ret, num, file, line, 1);
+
     return ret;
 }
 
-void CRYPTO_free(void *str, const char *file, int line)
+void CRYPTO_free(void *str)
 {
-    if (free_impl != NULL && free_impl != &CRYPTO_free) {
-        free_impl(str, file, line);
-        return;
-    }
-
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    if (call_malloc_debug) {
-        CRYPTO_mem_debug_free(str, 0, file, line);
-        free(str);
-        CRYPTO_mem_debug_free(str, 1, file, line);
-    } else {
-        free(str);
-    }
-#else
-    free(str);
+    if (free_debug_func != NULL)
+        free_debug_func(str, 0);
+#ifdef LEVITTE_DEBUG_MEM
+    fprintf(stderr, "LEVITTE_DEBUG_MEM:         < 0x%p\n", str);
 #endif
+    free_func(str);
+    if (free_debug_func != NULL)
+        free_debug_func(NULL, 1);
 }
 
-void CRYPTO_clear_free(void *str, size_t num, const char *file, int line)
+void *CRYPTO_remalloc(void *a, int num, const char *file, int line)
 {
-    if (str == NULL)
-        return;
-    if (num)
-        OPENSSL_cleanse(str, num);
-    CRYPTO_free(str, file, line);
+    if (a != NULL)
+        OPENSSL_free(a);
+    a = (char *)OPENSSL_malloc(num);
+    return (a);
+}
+
+void CRYPTO_set_mem_debug_options(long bits)
+{
+    if (set_debug_options_func != NULL)
+        set_debug_options_func(bits);
+}
+
+long CRYPTO_get_mem_debug_options(void)
+{
+    if (get_debug_options_func != NULL)
+        return get_debug_options_func();
+    return 0;
 }
diff --git a/Cryptlib/OpenSSL/crypto/mem_clr.c b/Cryptlib/OpenSSL/crypto/mem_clr.c
index 35bfb74e..579e9d18 100644
--- a/Cryptlib/OpenSSL/crypto/mem_clr.c
+++ b/Cryptlib/OpenSSL/crypto/mem_clr.c
@@ -1,10 +1,60 @@
+/* crypto/mem_clr.c */
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
+ * 2002.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <string.h>
@@ -15,7 +65,7 @@
  * the pointer and can't assume that it points to any function in
  * particular (such as memset, which it then might further "optimize")
  */
-typedef void *(*memset_t)(void *, int, size_t);
+typedef void *(*memset_t)(void *,int,size_t);
 
 static volatile memset_t memset_func = memset;
 
diff --git a/Cryptlib/OpenSSL/crypto/mem_dbg.c b/Cryptlib/OpenSSL/crypto/mem_dbg.c
index dc3f8ff5..c98c1b88 100644
--- a/Cryptlib/OpenSSL/crypto/mem_dbg.c
+++ b/Cryptlib/OpenSSL/crypto/mem_dbg.c
@@ -1,26 +1,124 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/mem_dbg.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
-#include "internal/cryptlib.h"
-#include "internal/thread_once.h"
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/buffer.h>
-#include "internal/bio.h"
+#include <openssl/bio.h>
 #include <openssl/lhash.h>
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
-# include <execinfo.h>
-#endif
-
+static int mh_mode = CRYPTO_MEM_CHECK_OFF;
 /*
  * The state changes to CRYPTO_MEM_CHECK_ON | CRYPTO_MEM_CHECK_ENABLE when
  * the application asks for it (usually after library initialisation for
@@ -32,183 +130,178 @@
  * checking temporarily. State CRYPTO_MEM_CHECK_ENABLE without ..._ON makes
  * no sense whatsoever.
  */
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-static int mh_mode = CRYPTO_MEM_CHECK_OFF;
-#endif
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
 static unsigned long order = 0; /* number of memory requests */
 
+DECLARE_LHASH_OF(MEM);
+static LHASH_OF(MEM) *mh = NULL; /* hash-table of memory requests (address as
+                                  * key); access requires MALLOC2 lock */
+
+typedef struct app_mem_info_st
 /*-
  * For application-defined information (static C-string `info')
  * to be displayed in memory leak list.
  * Each thread has its own stack.  For applications, there is
- *   OPENSSL_mem_debug_push("...")     to push an entry,
- *   OPENSSL_mem_debug_pop()     to pop an entry,
+ *   CRYPTO_push_info("...")     to push an entry,
+ *   CRYPTO_pop_info()           to pop an entry,
+ *   CRYPTO_remove_all_info()    to pop all entries.
  */
-struct app_mem_info_st {
-    CRYPTO_THREAD_ID threadid;
+{
+    CRYPTO_THREADID threadid;
     const char *file;
     int line;
     const char *info;
     struct app_mem_info_st *next; /* tail of thread's stack */
     int references;
-};
+} APP_INFO;
+
+static void app_info_free(APP_INFO *);
 
-static CRYPTO_ONCE memdbg_init = CRYPTO_ONCE_STATIC_INIT;
-static CRYPTO_RWLOCK *malloc_lock = NULL;
-static CRYPTO_RWLOCK *long_malloc_lock = NULL;
-static CRYPTO_THREAD_LOCAL appinfokey;
+DECLARE_LHASH_OF(APP_INFO);
+static LHASH_OF(APP_INFO) *amih = NULL; /* hash-table with those
+                                         * app_mem_info_st's that are at the
+                                         * top of their thread's stack (with
+                                         * `thread' as key); access requires
+                                         * MALLOC2 lock */
 
+typedef struct mem_st
 /* memory-block description */
-struct mem_st {
+{
     void *addr;
     int num;
     const char *file;
     int line;
-    CRYPTO_THREAD_ID threadid;
+    CRYPTO_THREADID threadid;
     unsigned long order;
     time_t time;
     APP_INFO *app_info;
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
-    void *array[30];
-    size_t array_siz;
-#endif
-};
+} MEM;
 
-static LHASH_OF(MEM) *mh = NULL; /* hash-table of memory requests (address as
-                                  * key); access requires MALLOC2 lock */
+static long options =           /* extra information to be recorded */
+#if defined(CRYPTO_MDEBUG_TIME) || defined(CRYPTO_MDEBUG_ALL)
+    V_CRYPTO_MDEBUG_TIME |
+#endif
+#if defined(CRYPTO_MDEBUG_THREAD) || defined(CRYPTO_MDEBUG_ALL)
+    V_CRYPTO_MDEBUG_THREAD |
+#endif
+    0;
 
-/* num_disable > 0 iff mh_mode == CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE) */
-static unsigned int num_disable = 0;
+static unsigned int num_disable = 0; /* num_disable > 0 iff mh_mode ==
+                                      * CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE) */
 
 /*
- * Valid iff num_disable > 0.  long_malloc_lock is locked exactly in this
+ * Valid iff num_disable > 0.  CRYPTO_LOCK_MALLOC2 is locked exactly in this
  * case (by the thread named in disabling_thread).
  */
-static CRYPTO_THREAD_ID disabling_threadid;
-
-DEFINE_RUN_ONCE_STATIC(do_memdbg_init)
-{
-    malloc_lock = CRYPTO_THREAD_lock_new();
-    long_malloc_lock = CRYPTO_THREAD_lock_new();
-    if (malloc_lock == NULL || long_malloc_lock == NULL
-        || !CRYPTO_THREAD_init_local(&appinfokey, NULL)) {
-        CRYPTO_THREAD_lock_free(malloc_lock);
-        malloc_lock = NULL;
-        CRYPTO_THREAD_lock_free(long_malloc_lock);
-        long_malloc_lock = NULL;
-        return 0;
-    }
-    return 1;
-}
+static CRYPTO_THREADID disabling_threadid;
 
 static void app_info_free(APP_INFO *inf)
 {
-    if (!inf)
-        return;
     if (--(inf->references) <= 0) {
-        app_info_free(inf->next);
+        if (inf->next != NULL) {
+            app_info_free(inf->next);
+        }
         OPENSSL_free(inf);
     }
 }
-#endif
 
 int CRYPTO_mem_ctrl(int mode)
 {
-#ifdef OPENSSL_NO_CRYPTO_MDEBUG
-    return mode - mode;
-#else
     int ret = mh_mode;
 
-    if (!RUN_ONCE(&memdbg_init, do_memdbg_init))
-        return -1;
-
-    CRYPTO_THREAD_write_lock(malloc_lock);
+    CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
     switch (mode) {
-    default:
-        break;
-
-    case CRYPTO_MEM_CHECK_ON:
+        /*
+         * for applications (not to be called while multiple threads use the
+         * library):
+         */
+    case CRYPTO_MEM_CHECK_ON:  /* aka MemCheck_start() */
         mh_mode = CRYPTO_MEM_CHECK_ON | CRYPTO_MEM_CHECK_ENABLE;
         num_disable = 0;
         break;
-
-    case CRYPTO_MEM_CHECK_OFF:
+    case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */
         mh_mode = 0;
-        num_disable = 0;
+        num_disable = 0;        /* should be true *before* MemCheck_stop is
+                                 * used, or there'll be a lot of confusion */
         break;
 
-    /* switch off temporarily (for library-internal use): */
-    case CRYPTO_MEM_CHECK_DISABLE:
+        /* switch off temporarily (for library-internal use): */
+    case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */
         if (mh_mode & CRYPTO_MEM_CHECK_ON) {
-            CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
-            /* see if we don't have long_malloc_lock already */
+            CRYPTO_THREADID cur;
+            CRYPTO_THREADID_current(&cur);
+            /* see if we don't have the MALLOC2 lock already */
             if (!num_disable
-                || !CRYPTO_THREAD_compare_id(disabling_threadid, cur)) {
+                || CRYPTO_THREADID_cmp(&disabling_threadid, &cur)) {
                 /*
-                 * Long-time lock long_malloc_lock must not be claimed
-                 * while we're holding malloc_lock, or we'll deadlock
-                 * if somebody else holds long_malloc_lock (and cannot
+                 * Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed
+                 * while we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock
+                 * if somebody else holds CRYPTO_LOCK_MALLOC2 (and cannot
                  * release it because we block entry to this function). Give
                  * them a chance, first, and then claim the locks in
                  * appropriate order (long-time lock first).
                  */
-                CRYPTO_THREAD_unlock(malloc_lock);
+                CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
                 /*
-                 * Note that after we have waited for long_malloc_lock and
-                 * malloc_lock, we'll still be in the right "case" and
+                 * Note that after we have waited for CRYPTO_LOCK_MALLOC2 and
+                 * CRYPTO_LOCK_MALLOC, we'll still be in the right "case" and
                  * "if" branch because MemCheck_start and MemCheck_stop may
                  * never be used while there are multiple OpenSSL threads.
                  */
-                CRYPTO_THREAD_write_lock(long_malloc_lock);
-                CRYPTO_THREAD_write_lock(malloc_lock);
+                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+                CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
                 mh_mode &= ~CRYPTO_MEM_CHECK_ENABLE;
-                disabling_threadid = cur;
+                CRYPTO_THREADID_cpy(&disabling_threadid, &cur);
             }
             num_disable++;
         }
         break;
-
-    case CRYPTO_MEM_CHECK_ENABLE:
+    case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */
         if (mh_mode & CRYPTO_MEM_CHECK_ON) {
             if (num_disable) {  /* always true, or something is going wrong */
                 num_disable--;
                 if (num_disable == 0) {
                     mh_mode |= CRYPTO_MEM_CHECK_ENABLE;
-                    CRYPTO_THREAD_unlock(long_malloc_lock);
+                    CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
                 }
             }
         }
         break;
+
+    default:
+        break;
     }
-    CRYPTO_THREAD_unlock(malloc_lock);
+    CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
     return (ret);
-#endif
 }
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-
-static int mem_check_on(void)
+int CRYPTO_is_mem_check_on(void)
 {
     int ret = 0;
-    CRYPTO_THREAD_ID cur;
 
     if (mh_mode & CRYPTO_MEM_CHECK_ON) {
-        if (!RUN_ONCE(&memdbg_init, do_memdbg_init))
-            return 0;
-
-        cur = CRYPTO_THREAD_get_current_id();
-        CRYPTO_THREAD_read_lock(malloc_lock);
+        CRYPTO_THREADID cur;
+        CRYPTO_THREADID_current(&cur);
+        CRYPTO_r_lock(CRYPTO_LOCK_MALLOC);
 
         ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE)
-            || !CRYPTO_THREAD_compare_id(disabling_threadid, cur);
+            || CRYPTO_THREADID_cmp(&disabling_threadid, &cur);
 
-        CRYPTO_THREAD_unlock(malloc_lock);
+        CRYPTO_r_unlock(CRYPTO_LOCK_MALLOC);
     }
     return (ret);
 }
 
+void CRYPTO_dbg_set_options(long bits)
+{
+    options = bits;
+}
+
+long CRYPTO_dbg_get_options(void)
+{
+    return options;
+}
+
 static int mem_cmp(const MEM *a, const MEM *b)
 {
 #ifdef _WIN64
@@ -224,96 +317,157 @@ static int mem_cmp(const MEM *a, const MEM *b)
 #endif
 }
 
+static IMPLEMENT_LHASH_COMP_FN(mem, MEM)
+
 static unsigned long mem_hash(const MEM *a)
 {
-    size_t ret;
+    unsigned long ret;
 
-    ret = (size_t)a->addr;
+    ret = (unsigned long)a->addr;
 
     ret = ret * 17851 + (ret >> 14) * 7 + (ret >> 4) * 251;
     return (ret);
 }
 
-/* returns 1 if there was an info to pop, 0 if the stack was empty. */
-static int pop_info(void)
+static IMPLEMENT_LHASH_HASH_FN(mem, MEM)
+
+/* static int app_info_cmp(APP_INFO *a, APP_INFO *b) */
+static int app_info_cmp(const void *a_void, const void *b_void)
 {
-    APP_INFO *current = NULL;
+    return CRYPTO_THREADID_cmp(&((const APP_INFO *)a_void)->threadid,
+                               &((const APP_INFO *)b_void)->threadid);
+}
 
-    if (!RUN_ONCE(&memdbg_init, do_memdbg_init))
-        return 0;
+static IMPLEMENT_LHASH_COMP_FN(app_info, APP_INFO)
 
-    current = (APP_INFO *)CRYPTO_THREAD_get_local(&appinfokey);
-    if (current != NULL) {
-        APP_INFO *next = current->next;
+static unsigned long app_info_hash(const APP_INFO *a)
+{
+    unsigned long ret;
 
-        if (next != NULL) {
-            next->references++;
-            CRYPTO_THREAD_set_local(&appinfokey, next);
-        } else {
-            CRYPTO_THREAD_set_local(&appinfokey, NULL);
-        }
-        if (--(current->references) <= 0) {
-            current->next = NULL;
-            if (next != NULL)
-                next->references--;
-            OPENSSL_free(current);
+    ret = CRYPTO_THREADID_hash(&a->threadid);
+    /* This is left in as a "who am I to question legacy?" measure */
+    ret = ret * 17851 + (ret >> 14) * 7 + (ret >> 4) * 251;
+    return (ret);
+}
+
+static IMPLEMENT_LHASH_HASH_FN(app_info, APP_INFO)
+
+static APP_INFO *pop_info(void)
+{
+    APP_INFO tmp;
+    APP_INFO *ret = NULL;
+
+    if (amih != NULL) {
+        CRYPTO_THREADID_current(&tmp.threadid);
+        if ((ret = lh_APP_INFO_delete(amih, &tmp)) != NULL) {
+            APP_INFO *next = ret->next;
+
+            if (next != NULL) {
+                next->references++;
+                (void)lh_APP_INFO_insert(amih, next);
+            }
+#ifdef LEVITTE_DEBUG_MEM
+            if (CRYPTO_THREADID_cmp(&ret->threadid, &tmp.threadid)) {
+                fprintf(stderr,
+                        "pop_info(): deleted info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+                        CRYPTO_THREADID_hash(&ret->threadid),
+                        CRYPTO_THREADID_hash(&tmp.threadid));
+                abort();
+            }
+#endif
+            if (--(ret->references) <= 0) {
+                ret->next = NULL;
+                if (next != NULL)
+                    next->references--;
+                OPENSSL_free(ret);
+            }
         }
-        return 1;
     }
-    return 0;
+    return (ret);
 }
 
-int CRYPTO_mem_debug_push(const char *info, const char *file, int line)
+int CRYPTO_push_info_(const char *info, const char *file, int line)
 {
     APP_INFO *ami, *amim;
     int ret = 0;
 
-    if (mem_check_on()) {
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
+    if (is_MemCheck_on()) {
+        MemCheck_off();         /* obtain MALLOC2 lock */
 
-        if (!RUN_ONCE(&memdbg_init, do_memdbg_init)
-            || (ami = OPENSSL_malloc(sizeof(*ami))) == NULL)
+        if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL) {
+            ret = 0;
             goto err;
+        }
+        if (amih == NULL) {
+            if ((amih = lh_APP_INFO_new()) == NULL) {
+                OPENSSL_free(ami);
+                ret = 0;
+                goto err;
+            }
+        }
 
-        ami->threadid = CRYPTO_THREAD_get_current_id();
+        CRYPTO_THREADID_current(&ami->threadid);
         ami->file = file;
         ami->line = line;
         ami->info = info;
         ami->references = 1;
         ami->next = NULL;
 
-        amim = (APP_INFO *)CRYPTO_THREAD_get_local(&appinfokey);
-        CRYPTO_THREAD_set_local(&appinfokey, ami);
-
-        if (amim != NULL)
+        if ((amim = lh_APP_INFO_insert(amih, ami)) != NULL) {
+#ifdef LEVITTE_DEBUG_MEM
+            if (CRYPTO_THREADID_cmp(&ami->threadid, &amim->threadid)) {
+                fprintf(stderr,
+                        "CRYPTO_push_info(): previous info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
+                        CRYPTO_THREADID_hash(&amim->threadid),
+                        CRYPTO_THREADID_hash(&ami->threadid));
+                abort();
+            }
+#endif
             ami->next = amim;
-        ret = 1;
+        }
  err:
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+        MemCheck_on();          /* release MALLOC2 lock */
     }
 
     return (ret);
 }
 
-int CRYPTO_mem_debug_pop(void)
+int CRYPTO_pop_info(void)
 {
     int ret = 0;
 
-    if (mem_check_on()) {
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-        ret = pop_info();
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+    if (is_MemCheck_on()) {     /* _must_ be true, or something went severely
+                                 * wrong */
+        MemCheck_off();         /* obtain MALLOC2 lock */
+
+        ret = (pop_info() != NULL);
+
+        MemCheck_on();          /* release MALLOC2 lock */
     }
     return (ret);
 }
 
-static unsigned long break_order_num = 0;
+int CRYPTO_remove_all_info(void)
+{
+    int ret = 0;
+
+    if (is_MemCheck_on()) {     /* _must_ be true */
+        MemCheck_off();         /* obtain MALLOC2 lock */
+
+        while (pop_info() != NULL)
+            ret++;
 
-void CRYPTO_mem_debug_malloc(void *addr, size_t num, int before_p,
-                             const char *file, int line)
+        MemCheck_on();          /* release MALLOC2 lock */
+    }
+    return (ret);
+}
+
+static unsigned long break_order_num = 0;
+void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
+                       int before_p)
 {
     MEM *m, *mm;
-    APP_INFO *amim;
+    APP_INFO tmp, *amim;
 
     switch (before_p & 127) {
     case 0:
@@ -322,17 +476,16 @@ void CRYPTO_mem_debug_malloc(void *addr, size_t num, int before_p,
         if (addr == NULL)
             break;
 
-        if (mem_check_on()) {
-            CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-
-            if (!RUN_ONCE(&memdbg_init, do_memdbg_init)
-                || (m = OPENSSL_malloc(sizeof(*m))) == NULL) {
+        if (is_MemCheck_on()) {
+            MemCheck_off();     /* make sure we hold MALLOC2 lock */
+            if ((m = (MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL) {
                 OPENSSL_free(addr);
-                CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+                MemCheck_on();  /* release MALLOC2 lock if num_disabled drops
+                                 * to 0 */
                 return;
             }
             if (mh == NULL) {
-                if ((mh = lh_MEM_new(mem_hash, mem_cmp)) == NULL) {
+                if ((mh = lh_MEM_new()) == NULL) {
                     OPENSSL_free(addr);
                     OPENSSL_free(m);
                     addr = NULL;
@@ -344,22 +497,32 @@ void CRYPTO_mem_debug_malloc(void *addr, size_t num, int before_p,
             m->file = file;
             m->line = line;
             m->num = num;
-            m->threadid = CRYPTO_THREAD_get_current_id();
+            if (options & V_CRYPTO_MDEBUG_THREAD)
+                CRYPTO_THREADID_current(&m->threadid);
+            else
+                memset(&m->threadid, 0, sizeof(m->threadid));
 
             if (order == break_order_num) {
                 /* BREAK HERE */
                 m->order = order;
             }
             m->order = order++;
-# ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
-            m->array_siz = backtrace(m->array, OSSL_NELEM(m->array));
-# endif
-            m->time = time(NULL);
-
-            amim = (APP_INFO *)CRYPTO_THREAD_get_local(&appinfokey);
-            m->app_info = amim;
-            if (amim != NULL)
+#ifdef LEVITTE_DEBUG_MEM
+            fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5ld] %c 0x%p (%d)\n",
+                    m->order, (before_p & 128) ? '*' : '+', m->addr, m->num);
+#endif
+            if (options & V_CRYPTO_MDEBUG_TIME)
+                m->time = time(NULL);
+            else
+                m->time = 0;
+
+            CRYPTO_THREADID_current(&tmp.threadid);
+            m->app_info = NULL;
+            if (amih != NULL
+                && (amim = lh_APP_INFO_retrieve(amih, &tmp)) != NULL) {
+                m->app_info = amim;
                 amim->references++;
+            }
 
             if ((mm = lh_MEM_insert(mh, m)) != NULL) {
                 /* Not good, but don't sweat it */
@@ -369,15 +532,15 @@ void CRYPTO_mem_debug_malloc(void *addr, size_t num, int before_p,
                 OPENSSL_free(mm);
             }
  err:
-            CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+            MemCheck_on();      /* release MALLOC2 lock if num_disabled drops
+                                 * to 0 */
         }
         break;
     }
     return;
 }
 
-void CRYPTO_mem_debug_free(void *addr, int before_p,
-        const char *file, int line)
+void CRYPTO_dbg_free(void *addr, int before_p)
 {
     MEM m, *mp;
 
@@ -386,17 +549,23 @@ void CRYPTO_mem_debug_free(void *addr, int before_p,
         if (addr == NULL)
             break;
 
-        if (mem_check_on() && (mh != NULL)) {
-            CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
+        if (is_MemCheck_on() && (mh != NULL)) {
+            MemCheck_off();     /* make sure we hold MALLOC2 lock */
 
             m.addr = addr;
             mp = lh_MEM_delete(mh, &m);
             if (mp != NULL) {
-                app_info_free(mp->app_info);
+#ifdef LEVITTE_DEBUG_MEM
+                fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5ld] - 0x%p (%d)\n",
+                        mp->order, mp->addr, mp->num);
+#endif
+                if (mp->app_info != NULL)
+                    app_info_free(mp->app_info);
                 OPENSSL_free(mp);
             }
 
-            CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+            MemCheck_on();      /* release MALLOC2 lock if num_disabled drops
+                                 * to 0 */
         }
         break;
     case 1:
@@ -404,11 +573,17 @@ void CRYPTO_mem_debug_free(void *addr, int before_p,
     }
 }
 
-void CRYPTO_mem_debug_realloc(void *addr1, void *addr2, size_t num,
-                              int before_p, const char *file, int line)
+void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
+                        const char *file, int line, int before_p)
 {
     MEM m, *mp;
 
+#ifdef LEVITTE_DEBUG_MEM
+    fprintf(stderr,
+            "LEVITTE_DEBUG_MEM: --> CRYPTO_dbg_malloc(addr1 = %p, addr2 = %p, num = %d, file = \"%s\", line = %d, before_p = %d)\n",
+            addr1, addr2, num, file, line, before_p);
+#endif
+
     switch (before_p) {
     case 0:
         break;
@@ -417,25 +592,28 @@ void CRYPTO_mem_debug_realloc(void *addr1, void *addr2, size_t num,
             break;
 
         if (addr1 == NULL) {
-            CRYPTO_mem_debug_malloc(addr2, num, 128 | before_p, file, line);
+            CRYPTO_dbg_malloc(addr2, num, file, line, 128 | before_p);
             break;
         }
 
-        if (mem_check_on()) {
-            CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
+        if (is_MemCheck_on()) {
+            MemCheck_off();     /* make sure we hold MALLOC2 lock */
 
             m.addr = addr1;
             mp = lh_MEM_delete(mh, &m);
             if (mp != NULL) {
+#ifdef LEVITTE_DEBUG_MEM
+                fprintf(stderr,
+                        "LEVITTE_DEBUG_MEM: [%5ld] * 0x%p (%d) -> 0x%p (%d)\n",
+                        mp->order, mp->addr, mp->num, addr2, num);
+#endif
                 mp->addr = addr2;
                 mp->num = num;
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
-                mp->array_siz = backtrace(mp->array, OSSL_NELEM(mp->array));
-#endif
                 (void)lh_MEM_insert(mh, mp);
             }
 
-            CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+            MemCheck_on();      /* release MALLOC2 lock if num_disabled drops
+                                 * to 0 */
         }
         break;
     }
@@ -448,42 +626,45 @@ typedef struct mem_leak_st {
     long bytes;
 } MEM_LEAK;
 
-static void print_leak(const MEM *m, MEM_LEAK *l)
+static void print_leak_doall_arg(const MEM *m, MEM_LEAK *l)
 {
     char buf[1024];
     char *bufp = buf;
     APP_INFO *amip;
     int ami_cnt;
     struct tm *lcl = NULL;
-    /*
-     * Convert between CRYPTO_THREAD_ID (which could be anything at all) and
-     * a long. This may not be meaningful depending on what CRYPTO_THREAD_ID is
-     * but hopefully should give something sensible on most platforms
-     */
-    union {
-        CRYPTO_THREAD_ID tid;
-        unsigned long ltid;
-    } tid;
-    CRYPTO_THREAD_ID ti;
+    CRYPTO_THREADID ti;
 
 #define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf))
 
-    lcl = localtime(&m->time);
-    BIO_snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ",
-                 lcl->tm_hour, lcl->tm_min, lcl->tm_sec);
-    bufp += strlen(bufp);
+    if (m->addr == (char *)l->bio)
+        return;
+
+    if (!bufp)
+        return;
+
+    if (options & V_CRYPTO_MDEBUG_TIME) {
+        lcl = localtime(&m->time);
+	if (!lcl)
+		return;
+
+        BIO_snprintf(bufp, BUF_REMAIN, "[%02d:%02d:%02d] ",
+                     lcl->tm_hour, lcl->tm_min, lcl->tm_sec);
+        bufp += strlen(bufp);
+    }
 
     BIO_snprintf(bufp, BUF_REMAIN, "%5lu file=%s, line=%d, ",
                  m->order, m->file, m->line);
     bufp += strlen(bufp);
 
-    tid.ltid = 0;
-    tid.tid = m->threadid;
-    BIO_snprintf(bufp, BUF_REMAIN, "thread=%lu, ", tid.ltid);
-    bufp += strlen(bufp);
+    if (options & V_CRYPTO_MDEBUG_THREAD) {
+        BIO_snprintf(bufp, BUF_REMAIN, "thread=%lu, ",
+                     CRYPTO_THREADID_hash(&m->threadid));
+        bufp += strlen(bufp);
+    }
 
-    BIO_snprintf(bufp, BUF_REMAIN, "number=%d, address=%p\n",
-                 m->num, m->addr);
+    BIO_snprintf(bufp, BUF_REMAIN, "number=%d, address=%08lX\n",
+                 m->num, (unsigned long)m->addr);
     bufp += strlen(bufp);
 
     BIO_puts(l->bio, buf);
@@ -493,137 +674,162 @@ static void print_leak(const MEM *m, MEM_LEAK *l)
 
     amip = m->app_info;
     ami_cnt = 0;
-
-    if (amip) {
-        ti = amip->threadid;
-
-        do {
-            int buf_len;
-            int info_len;
-
-            ami_cnt++;
-            memset(buf, '>', ami_cnt);
-            tid.ltid = 0;
-            tid.tid = amip->threadid;
-            BIO_snprintf(buf + ami_cnt, sizeof buf - ami_cnt,
-                         " thread=%lu, file=%s, line=%d, info=\"",
-                         tid.ltid, amip->file,
-                         amip->line);
+    if (!amip)
+        return;
+    CRYPTO_THREADID_cpy(&ti, &amip->threadid);
+
+    do {
+        int buf_len;
+        int info_len;
+
+        ami_cnt++;
+        memset(buf, '>', ami_cnt);
+        BIO_snprintf(buf + ami_cnt, sizeof buf - ami_cnt,
+                     " thread=%lu, file=%s, line=%d, info=\"",
+                     CRYPTO_THREADID_hash(&amip->threadid), amip->file,
+                     amip->line);
+        buf_len = strlen(buf);
+        info_len = strlen(amip->info);
+        if (128 - buf_len - 3 < info_len) {
+            memcpy(buf + buf_len, amip->info, 128 - buf_len - 3);
+            buf_len = 128 - 3;
+        } else {
+            BUF_strlcpy(buf + buf_len, amip->info, sizeof buf - buf_len);
             buf_len = strlen(buf);
-            info_len = strlen(amip->info);
-            if (128 - buf_len - 3 < info_len) {
-                memcpy(buf + buf_len, amip->info, 128 - buf_len - 3);
-                buf_len = 128 - 3;
-            } else {
-                OPENSSL_strlcpy(buf + buf_len, amip->info, sizeof buf - buf_len);
-                buf_len = strlen(buf);
-            }
-            BIO_snprintf(buf + buf_len, sizeof buf - buf_len, "\"\n");
+        }
+        BIO_snprintf(buf + buf_len, sizeof buf - buf_len, "\"\n");
 
-            BIO_puts(l->bio, buf);
+        BIO_puts(l->bio, buf);
 
-            amip = amip->next;
-        }
-        while (amip && CRYPTO_THREAD_compare_id(amip->threadid, ti));
+        amip = amip->next;
     }
+    while (amip && !CRYPTO_THREADID_cmp(&amip->threadid, &ti));
 
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
-    {
-        size_t i;
-        char **strings = backtrace_symbols(m->array, m->array_siz);
-
-        for (i = 0; i < m->array_siz; i++)
-            fprintf(stderr, "##> %s\n", strings[i]);
-        free(strings);
+#ifdef LEVITTE_DEBUG_MEM
+    if (amip) {
+        fprintf(stderr, "Thread switch detected in backtrace!!!!\n");
+        abort();
     }
 #endif
 }
 
-IMPLEMENT_LHASH_DOALL_ARG_CONST(MEM, MEM_LEAK);
+static IMPLEMENT_LHASH_DOALL_ARG_FN(print_leak, const MEM, MEM_LEAK)
 
-int CRYPTO_mem_leaks(BIO *b)
+void CRYPTO_mem_leaks(BIO *b)
 {
     MEM_LEAK ml;
 
-    /*
-     * OPENSSL_cleanup() will free the ex_data locks so we can't have any
-     * ex_data hanging around
-     */
-    bio_free_ex_data(b);
-
-    /* Ensure all resources are released */
-    OPENSSL_cleanup();
-
-    if (!RUN_ONCE(&memdbg_init, do_memdbg_init))
-        return -1;
+    if (mh == NULL && amih == NULL)
+        return;
 
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
+    MemCheck_off();             /* obtain MALLOC2 lock */
 
     ml.bio = b;
     ml.bytes = 0;
     ml.chunks = 0;
     if (mh != NULL)
-        lh_MEM_doall_MEM_LEAK(mh, print_leak, &ml);
-
+        lh_MEM_doall_arg(mh, LHASH_DOALL_ARG_FN(print_leak), MEM_LEAK, &ml);
     if (ml.chunks != 0) {
         BIO_printf(b, "%ld bytes leaked in %d chunks\n", ml.bytes, ml.chunks);
+#ifdef CRYPTO_MDEBUG_ABORT
+        abort();
+#endif
     } else {
         /*
          * Make sure that, if we found no leaks, memory-leak debugging itself
          * does not introduce memory leaks (which might irritate external
          * debugging tools). (When someone enables leak checking, but does not
-         * call this function, we declare it to be their fault.)
+         * call this function, we declare it to be their fault.) XXX This
+         * should be in CRYPTO_mem_leaks_cb, and CRYPTO_mem_leaks should be
+         * implemented by using CRYPTO_mem_leaks_cb. (Also there should be a
+         * variant of lh_doall_arg that takes a function pointer instead of a
+         * void *; this would obviate the ugly and illegal void_fn_to_char
+         * kludge in CRYPTO_mem_leaks_cb. Otherwise the code police will come
+         * and get us.)
          */
         int old_mh_mode;
 
-        CRYPTO_THREAD_write_lock(malloc_lock);
+        CRYPTO_w_lock(CRYPTO_LOCK_MALLOC);
 
         /*
-         * avoid deadlock when lh_free() uses CRYPTO_mem_debug_free(), which uses
-         * mem_check_on
+         * avoid deadlock when lh_free() uses CRYPTO_dbg_free(), which uses
+         * CRYPTO_is_mem_check_on
          */
         old_mh_mode = mh_mode;
         mh_mode = CRYPTO_MEM_CHECK_OFF;
 
-        lh_MEM_free(mh);
-        mh = NULL;
+        if (mh != NULL) {
+            lh_MEM_free(mh);
+            mh = NULL;
+        }
+        if (amih != NULL) {
+            if (lh_APP_INFO_num_items(amih) == 0) {
+                lh_APP_INFO_free(amih);
+                amih = NULL;
+            }
+        }
 
         mh_mode = old_mh_mode;
-        CRYPTO_THREAD_unlock(malloc_lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC);
     }
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
-
-    /* Clean up locks etc */
-    CRYPTO_THREAD_cleanup_local(&appinfokey);
-    CRYPTO_THREAD_lock_free(malloc_lock);
-    CRYPTO_THREAD_lock_free(long_malloc_lock);
-    malloc_lock = NULL;
-    long_malloc_lock = NULL;
-
-    return ml.chunks == 0 ? 1 : 0;
+    MemCheck_on();              /* release MALLOC2 lock */
 }
 
-# ifndef OPENSSL_NO_STDIO
-int CRYPTO_mem_leaks_fp(FILE *fp)
+#ifndef OPENSSL_NO_FP_API
+void CRYPTO_mem_leaks_fp(FILE *fp)
 {
     BIO *b;
-    int ret;
 
+    if (mh == NULL)
+        return;
     /*
      * Need to turn off memory checking when allocated BIOs ... especially as
      * we're creating them at a time when we're trying to check we've not
      * left anything un-free()'d!!
      */
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
+    MemCheck_off();
     b = BIO_new(BIO_s_file());
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
-    if (b == NULL)
-        return -1;
+    MemCheck_on();
+    if (!b)
+        return;
     BIO_set_fp(b, fp, BIO_NOCLOSE);
-    ret = CRYPTO_mem_leaks(b);
+    CRYPTO_mem_leaks(b);
     BIO_free(b);
-    return ret;
 }
-# endif
-
 #endif
+
+/*
+ * FIXME: We really don't allow much to the callback.  For example, it has no
+ * chance of reaching the info stack for the item it processes.  Should it
+ * really be this way? -- Richard Levitte
+ */
+/*
+ * NB: The prototypes have been typedef'd to CRYPTO_MEM_LEAK_CB inside
+ * crypto.h If this code is restructured, remove the callback type if it is
+ * no longer needed. -- Geoff Thorpe
+ */
+
+/*
+ * Can't pass CRYPTO_MEM_LEAK_CB directly to lh_MEM_doall_arg because it is a
+ * function pointer and conversion to void * is prohibited. Instead pass its
+ * address
+ */
+
+typedef CRYPTO_MEM_LEAK_CB *PCRYPTO_MEM_LEAK_CB;
+
+static void cb_leak_doall_arg(const MEM *m, PCRYPTO_MEM_LEAK_CB *cb)
+{
+    (*cb) (m->order, m->file, m->line, m->num, m->addr);
+}
+
+static IMPLEMENT_LHASH_DOALL_ARG_FN(cb_leak, const MEM, PCRYPTO_MEM_LEAK_CB)
+
+void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb)
+{
+    if (mh == NULL)
+        return;
+    CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
+    lh_MEM_doall_arg(mh, LHASH_DOALL_ARG_FN(cb_leak), PCRYPTO_MEM_LEAK_CB,
+                     &cb);
+    CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
+}
diff --git a/Cryptlib/OpenSSL/crypto/mem_sec.c b/Cryptlib/OpenSSL/crypto/mem_sec.c
deleted file mode 100644
index 0c79b436..00000000
--- a/Cryptlib/OpenSSL/crypto/mem_sec.c
+++ /dev/null
@@ -1,585 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Copyright 2004-2014, Akamai Technologies. All Rights Reserved.
- * This file is distributed under the terms of the OpenSSL license.
- */
-
-/*
- * This file is in two halves. The first half implements the public API
- * to be used by external consumers, and to be used by OpenSSL to store
- * data in a "secure arena." The second half implements the secure arena.
- * For details on that implementation, see below (look for uppercase
- * "SECURE HEAP IMPLEMENTATION").
- */
-#include <openssl/crypto.h>
-#include <e_os.h>
-
-#include <string.h>
-
-#if defined(OPENSSL_SYS_LINUX) || defined(OPENSSL_SYS_UNIX)
-# define IMPLEMENTED
-# include <stdlib.h>
-# include <assert.h>
-# include <unistd.h>
-# include <sys/types.h>
-# include <sys/mman.h>
-# include <sys/param.h>
-# include <sys/stat.h>
-# include <fcntl.h>
-#endif
-
-#define CLEAR(p, s) OPENSSL_cleanse(p, s)
-#ifndef PAGE_SIZE
-# define PAGE_SIZE    4096
-#endif
-
-#ifdef IMPLEMENTED
-static size_t secure_mem_used;
-
-static int secure_mem_initialized;
-
-static CRYPTO_RWLOCK *sec_malloc_lock = NULL;
-
-/*
- * These are the functions that must be implemented by a secure heap (sh).
- */
-static int sh_init(size_t size, int minsize);
-static char *sh_malloc(size_t size);
-static void sh_free(char *ptr);
-static void sh_done(void);
-static size_t sh_actual_size(char *ptr);
-static int sh_allocated(const char *ptr);
-#endif
-
-int CRYPTO_secure_malloc_init(size_t size, int minsize)
-{
-#ifdef IMPLEMENTED
-    int ret = 0;
-
-    if (!secure_mem_initialized) {
-        sec_malloc_lock = CRYPTO_THREAD_lock_new();
-        if (sec_malloc_lock == NULL)
-            return 0;
-        ret = sh_init(size, minsize);
-        secure_mem_initialized = 1;
-    }
-
-    return ret;
-#else
-    return 0;
-#endif /* IMPLEMENTED */
-}
-
-int CRYPTO_secure_malloc_done()
-{
-#ifdef IMPLEMENTED
-    if (secure_mem_used == 0) {
-        sh_done();
-        secure_mem_initialized = 0;
-        CRYPTO_THREAD_lock_free(sec_malloc_lock);
-        return 1;
-    }
-#endif /* IMPLEMENTED */
-    return 0;
-}
-
-int CRYPTO_secure_malloc_initialized()
-{
-#ifdef IMPLEMENTED
-    return secure_mem_initialized;
-#else
-    return 0;
-#endif /* IMPLEMENTED */
-}
-
-void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
-{
-#ifdef IMPLEMENTED
-    void *ret;
-    size_t actual_size;
-
-    if (!secure_mem_initialized) {
-        return CRYPTO_malloc(num, file, line);
-    }
-    CRYPTO_THREAD_write_lock(sec_malloc_lock);
-    ret = sh_malloc(num);
-    actual_size = ret ? sh_actual_size(ret) : 0;
-    secure_mem_used += actual_size;
-    CRYPTO_THREAD_unlock(sec_malloc_lock);
-    return ret;
-#else
-    return CRYPTO_malloc(num, file, line);
-#endif /* IMPLEMENTED */
-}
-
-void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
-{
-    void *ret = CRYPTO_secure_malloc(num, file, line);
-
-    if (ret != NULL)
-        memset(ret, 0, num);
-    return ret;
-}
-
-void CRYPTO_secure_free(void *ptr, const char *file, int line)
-{
-#ifdef IMPLEMENTED
-    size_t actual_size;
-
-    if (ptr == NULL)
-        return;
-    if (!CRYPTO_secure_allocated(ptr)) {
-        CRYPTO_free(ptr, file, line);
-        return;
-    }
-    CRYPTO_THREAD_write_lock(sec_malloc_lock);
-    actual_size = sh_actual_size(ptr);
-    CLEAR(ptr, actual_size);
-    secure_mem_used -= actual_size;
-    sh_free(ptr);
-    CRYPTO_THREAD_unlock(sec_malloc_lock);
-#else
-    CRYPTO_free(ptr, file, line);
-#endif /* IMPLEMENTED */
-}
-
-int CRYPTO_secure_allocated(const void *ptr)
-{
-#ifdef IMPLEMENTED
-    int ret;
-
-    if (!secure_mem_initialized)
-        return 0;
-    CRYPTO_THREAD_write_lock(sec_malloc_lock);
-    ret = sh_allocated(ptr);
-    CRYPTO_THREAD_unlock(sec_malloc_lock);
-    return ret;
-#else
-    return 0;
-#endif /* IMPLEMENTED */
-}
-
-size_t CRYPTO_secure_used()
-{
-#ifdef IMPLEMENTED
-    return secure_mem_used;
-#else
-    return 0;
-#endif /* IMPLEMENTED */
-}
-
-size_t CRYPTO_secure_actual_size(void *ptr)
-{
-#ifdef IMPLEMENTED
-    size_t actual_size;
-
-    CRYPTO_THREAD_write_lock(sec_malloc_lock);
-    actual_size = sh_actual_size(ptr);
-    CRYPTO_THREAD_unlock(sec_malloc_lock);
-    return actual_size;
-#else
-    return 0;
-#endif
-}
-/* END OF PAGE ...
-
-   ... START OF PAGE */
-
-/*
- * SECURE HEAP IMPLEMENTATION
- */
-#ifdef IMPLEMENTED
-
-
-/*
- * The implementation provided here uses a fixed-sized mmap() heap,
- * which is locked into memory, not written to core files, and protected
- * on either side by an unmapped page, which will catch pointer overruns
- * (or underruns) and an attempt to read data out of the secure heap.
- * Free'd memory is zero'd or otherwise cleansed.
- *
- * This is a pretty standard buddy allocator.  We keep areas in a multiple
- * of "sh.minsize" units.  The freelist and bitmaps are kept separately,
- * so all (and only) data is kept in the mmap'd heap.
- *
- * This code assumes eight-bit bytes.  The numbers 3 and 7 are all over the
- * place.
- */
-
-#define ONE ((size_t)1)
-
-# define TESTBIT(t, b)  (t[(b) >> 3] &  (ONE << ((b) & 7)))
-# define SETBIT(t, b)   (t[(b) >> 3] |= (ONE << ((b) & 7)))
-# define CLEARBIT(t, b) (t[(b) >> 3] &= (0xFF & ~(ONE << ((b) & 7))))
-
-#define WITHIN_ARENA(p) \
-    ((char*)(p) >= sh.arena && (char*)(p) < &sh.arena[sh.arena_size])
-#define WITHIN_FREELIST(p) \
-    ((char*)(p) >= (char*)sh.freelist && (char*)(p) < (char*)&sh.freelist[sh.freelist_size])
-
-
-typedef struct sh_list_st
-{
-    struct sh_list_st *next;
-    struct sh_list_st **p_next;
-} SH_LIST;
-
-typedef struct sh_st
-{
-    char* map_result;
-    size_t map_size;
-    char *arena;
-    size_t arena_size;
-    char **freelist;
-    ossl_ssize_t freelist_size;
-    size_t minsize;
-    unsigned char *bittable;
-    unsigned char *bitmalloc;
-    size_t bittable_size; /* size in bits */
-} SH;
-
-static SH sh;
-
-static size_t sh_getlist(char *ptr)
-{
-    ossl_ssize_t list = sh.freelist_size - 1;
-    size_t bit = (sh.arena_size + ptr - sh.arena) / sh.minsize;
-
-    for (; bit; bit >>= 1, list--) {
-        if (TESTBIT(sh.bittable, bit))
-            break;
-        OPENSSL_assert((bit & 1) == 0);
-    }
-
-    return list;
-}
-
-
-static int sh_testbit(char *ptr, int list, unsigned char *table)
-{
-    size_t bit;
-
-    OPENSSL_assert(list >= 0 && list < sh.freelist_size);
-    OPENSSL_assert(((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0);
-    bit = (ONE << list) + ((ptr - sh.arena) / (sh.arena_size >> list));
-    OPENSSL_assert(bit > 0 && bit < sh.bittable_size);
-    return TESTBIT(table, bit);
-}
-
-static void sh_clearbit(char *ptr, int list, unsigned char *table)
-{
-    size_t bit;
-
-    OPENSSL_assert(list >= 0 && list < sh.freelist_size);
-    OPENSSL_assert(((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0);
-    bit = (ONE << list) + ((ptr - sh.arena) / (sh.arena_size >> list));
-    OPENSSL_assert(bit > 0 && bit < sh.bittable_size);
-    OPENSSL_assert(TESTBIT(table, bit));
-    CLEARBIT(table, bit);
-}
-
-static void sh_setbit(char *ptr, int list, unsigned char *table)
-{
-    size_t bit;
-
-    OPENSSL_assert(list >= 0 && list < sh.freelist_size);
-    OPENSSL_assert(((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0);
-    bit = (ONE << list) + ((ptr - sh.arena) / (sh.arena_size >> list));
-    OPENSSL_assert(bit > 0 && bit < sh.bittable_size);
-    OPENSSL_assert(!TESTBIT(table, bit));
-    SETBIT(table, bit);
-}
-
-static void sh_add_to_list(char **list, char *ptr)
-{
-    SH_LIST *temp;
-
-    OPENSSL_assert(WITHIN_FREELIST(list));
-    OPENSSL_assert(WITHIN_ARENA(ptr));
-
-    temp = (SH_LIST *)ptr;
-    temp->next = *(SH_LIST **)list;
-    OPENSSL_assert(temp->next == NULL || WITHIN_ARENA(temp->next));
-    temp->p_next = (SH_LIST **)list;
-
-    if (temp->next != NULL) {
-        OPENSSL_assert((char **)temp->next->p_next == list);
-        temp->next->p_next = &(temp->next);
-    }
-
-    *list = ptr;
-}
-
-static void sh_remove_from_list(char *ptr)
-{
-    SH_LIST *temp, *temp2;
-
-    temp = (SH_LIST *)ptr;
-    if (temp->next != NULL)
-        temp->next->p_next = temp->p_next;
-    *temp->p_next = temp->next;
-    if (temp->next == NULL)
-        return;
-
-    temp2 = temp->next;
-    OPENSSL_assert(WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next));
-}
-
-
-static int sh_init(size_t size, int minsize)
-{
-    int i, ret;
-    size_t pgsize;
-    size_t aligned;
-
-    memset(&sh, 0, sizeof sh);
-
-    /* make sure size and minsize are powers of 2 */
-    OPENSSL_assert(size > 0);
-    OPENSSL_assert((size & (size - 1)) == 0);
-    OPENSSL_assert(minsize > 0);
-    OPENSSL_assert((minsize & (minsize - 1)) == 0);
-    if (size <= 0 || (size & (size - 1)) != 0)
-        goto err;
-    if (minsize <= 0 || (minsize & (minsize - 1)) != 0)
-        goto err;
-
-    sh.arena_size = size;
-    sh.minsize = minsize;
-    sh.bittable_size = (sh.arena_size / sh.minsize) * 2;
-
-    /* Prevent allocations of size 0 later on */
-    if (sh.bittable_size >> 3 == 0)
-        goto err;
-
-    sh.freelist_size = -1;
-    for (i = sh.bittable_size; i; i >>= 1)
-        sh.freelist_size++;
-
-    sh.freelist = OPENSSL_zalloc(sh.freelist_size * sizeof (char *));
-    OPENSSL_assert(sh.freelist != NULL);
-    if (sh.freelist == NULL)
-        goto err;
-
-    sh.bittable = OPENSSL_zalloc(sh.bittable_size >> 3);
-    OPENSSL_assert(sh.bittable != NULL);
-    if (sh.bittable == NULL)
-        goto err;
-
-    sh.bitmalloc = OPENSSL_zalloc(sh.bittable_size >> 3);
-    OPENSSL_assert(sh.bitmalloc != NULL);
-    if (sh.bitmalloc == NULL)
-        goto err;
-
-    /* Allocate space for heap, and two extra pages as guards */
-#if defined(_SC_PAGE_SIZE) || defined (_SC_PAGESIZE)
-    {
-# if defined(_SC_PAGE_SIZE)
-        long tmppgsize = sysconf(_SC_PAGE_SIZE);
-# else
-        long tmppgsize = sysconf(_SC_PAGESIZE);
-# endif
-        if (tmppgsize < 1)
-            pgsize = PAGE_SIZE;
-        else
-            pgsize = (size_t)tmppgsize;
-    }
-#else
-    pgsize = PAGE_SIZE;
-#endif
-    sh.map_size = pgsize + sh.arena_size + pgsize;
-    if (1) {
-#ifdef MAP_ANON
-        sh.map_result = mmap(NULL, sh.map_size,
-                             PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0);
-    } else {
-#endif
-        int fd;
-
-        sh.map_result = MAP_FAILED;
-        if ((fd = open("/dev/zero", O_RDWR)) >= 0) {
-            sh.map_result = mmap(NULL, sh.map_size,
-                                 PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
-            close(fd);
-        }
-    }
-    OPENSSL_assert(sh.map_result != MAP_FAILED);
-    if (sh.map_result == MAP_FAILED)
-        goto err;
-    sh.arena = (char *)(sh.map_result + pgsize);
-    sh_setbit(sh.arena, 0, sh.bittable);
-    sh_add_to_list(&sh.freelist[0], sh.arena);
-
-    /* Now try to add guard pages and lock into memory. */
-    ret = 1;
-
-    /* Starting guard is already aligned from mmap. */
-    if (mprotect(sh.map_result, pgsize, PROT_NONE) < 0)
-        ret = 2;
-
-    /* Ending guard page - need to round up to page boundary */
-    aligned = (pgsize + sh.arena_size + (pgsize - 1)) & ~(pgsize - 1);
-    if (mprotect(sh.map_result + aligned, pgsize, PROT_NONE) < 0)
-        ret = 2;
-
-    if (mlock(sh.arena, sh.arena_size) < 0)
-        ret = 2;
-#ifdef MADV_DONTDUMP
-    if (madvise(sh.arena, sh.arena_size, MADV_DONTDUMP) < 0)
-        ret = 2;
-#endif
-
-    return ret;
-
- err:
-    sh_done();
-    return 0;
-}
-
-static void sh_done()
-{
-    OPENSSL_free(sh.freelist);
-    OPENSSL_free(sh.bittable);
-    OPENSSL_free(sh.bitmalloc);
-    if (sh.map_result != NULL && sh.map_size)
-        munmap(sh.map_result, sh.map_size);
-    memset(&sh, 0, sizeof sh);
-}
-
-static int sh_allocated(const char *ptr)
-{
-    return WITHIN_ARENA(ptr) ? 1 : 0;
-}
-
-static char *sh_find_my_buddy(char *ptr, int list)
-{
-    size_t bit;
-    char *chunk = NULL;
-
-    bit = (ONE << list) + (ptr - sh.arena) / (sh.arena_size >> list);
-    bit ^= 1;
-
-    if (TESTBIT(sh.bittable, bit) && !TESTBIT(sh.bitmalloc, bit))
-        chunk = sh.arena + ((bit & ((ONE << list) - 1)) * (sh.arena_size >> list));
-
-    return chunk;
-}
-
-static char *sh_malloc(size_t size)
-{
-    ossl_ssize_t list, slist;
-    size_t i;
-    char *chunk;
-
-    list = sh.freelist_size - 1;
-    for (i = sh.minsize; i < size; i <<= 1)
-        list--;
-    if (list < 0)
-        return NULL;
-
-    /* try to find a larger entry to split */
-    for (slist = list; slist >= 0; slist--)
-        if (sh.freelist[slist] != NULL)
-            break;
-    if (slist < 0)
-        return NULL;
-
-    /* split larger entry */
-    while (slist != list) {
-        char *temp = sh.freelist[slist];
-
-        /* remove from bigger list */
-        OPENSSL_assert(!sh_testbit(temp, slist, sh.bitmalloc));
-        sh_clearbit(temp, slist, sh.bittable);
-        sh_remove_from_list(temp);
-        OPENSSL_assert(temp != sh.freelist[slist]);
-
-        /* done with bigger list */
-        slist++;
-
-        /* add to smaller list */
-        OPENSSL_assert(!sh_testbit(temp, slist, sh.bitmalloc));
-        sh_setbit(temp, slist, sh.bittable);
-        sh_add_to_list(&sh.freelist[slist], temp);
-        OPENSSL_assert(sh.freelist[slist] == temp);
-
-        /* split in 2 */
-        temp += sh.arena_size >> slist;
-        OPENSSL_assert(!sh_testbit(temp, slist, sh.bitmalloc));
-        sh_setbit(temp, slist, sh.bittable);
-        sh_add_to_list(&sh.freelist[slist], temp);
-        OPENSSL_assert(sh.freelist[slist] == temp);
-
-        OPENSSL_assert(temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist));
-    }
-
-    /* peel off memory to hand back */
-    chunk = sh.freelist[list];
-    OPENSSL_assert(sh_testbit(chunk, list, sh.bittable));
-    sh_setbit(chunk, list, sh.bitmalloc);
-    sh_remove_from_list(chunk);
-
-    OPENSSL_assert(WITHIN_ARENA(chunk));
-
-    return chunk;
-}
-
-static void sh_free(char *ptr)
-{
-    size_t list;
-    char *buddy;
-
-    if (ptr == NULL)
-        return;
-    OPENSSL_assert(WITHIN_ARENA(ptr));
-    if (!WITHIN_ARENA(ptr))
-        return;
-
-    list = sh_getlist(ptr);
-    OPENSSL_assert(sh_testbit(ptr, list, sh.bittable));
-    sh_clearbit(ptr, list, sh.bitmalloc);
-    sh_add_to_list(&sh.freelist[list], ptr);
-
-    /* Try to coalesce two adjacent free areas. */
-    while ((buddy = sh_find_my_buddy(ptr, list)) != NULL) {
-        OPENSSL_assert(ptr == sh_find_my_buddy(buddy, list));
-        OPENSSL_assert(ptr != NULL);
-        OPENSSL_assert(!sh_testbit(ptr, list, sh.bitmalloc));
-        sh_clearbit(ptr, list, sh.bittable);
-        sh_remove_from_list(ptr);
-        OPENSSL_assert(!sh_testbit(ptr, list, sh.bitmalloc));
-        sh_clearbit(buddy, list, sh.bittable);
-        sh_remove_from_list(buddy);
-
-        list--;
-
-        if (ptr > buddy)
-            ptr = buddy;
-
-        OPENSSL_assert(!sh_testbit(ptr, list, sh.bitmalloc));
-        sh_setbit(ptr, list, sh.bittable);
-        sh_add_to_list(&sh.freelist[list], ptr);
-        OPENSSL_assert(sh.freelist[list] == ptr);
-    }
-}
-
-static size_t sh_actual_size(char *ptr)
-{
-    int list;
-
-    OPENSSL_assert(WITHIN_ARENA(ptr));
-    if (!WITHIN_ARENA(ptr))
-        return 0;
-    list = sh_getlist(ptr);
-    OPENSSL_assert(sh_testbit(ptr, list, sh.bittable));
-    return sh.arena_size / (ONE << list);
-}
-#endif /* IMPLEMENTED */
diff --git a/Cryptlib/OpenSSL/crypto/modes/cbc128.c b/Cryptlib/OpenSSL/crypto/modes/cbc128.c
index 4c9bc85e..c13caea5 100644
--- a/Cryptlib/OpenSSL/crypto/modes/cbc128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/cbc128.c
@@ -1,16 +1,64 @@
-/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 #if !defined(STRICT_ALIGNMENT) && !defined(PEDANTIC)
 # define STRICT_ALIGNMENT 0
 #endif
@@ -22,6 +70,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
     size_t n;
     const unsigned char *iv = ivec;
 
+    assert(in && out && key && ivec);
+
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
     if (STRICT_ALIGNMENT &&
         ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
@@ -73,6 +123,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[16];
     } tmp;
 
+    assert(in && out && key && ivec);
+
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
     if (in != out) {
         const unsigned char *iv = ivec;
diff --git a/Cryptlib/OpenSSL/crypto/modes/ccm128.c b/Cryptlib/OpenSSL/crypto/modes/ccm128.c
index 85ce84f1..c1ded0f9 100644
--- a/Cryptlib/OpenSSL/crypto/modes/ccm128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/ccm128.c
@@ -1,16 +1,63 @@
-/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 /*
  * First you setup M and L parameters and pass the key schedule. This is
  * called once per session setup...
diff --git a/Cryptlib/OpenSSL/crypto/modes/cfb128.c b/Cryptlib/OpenSSL/crypto/modes/cfb128.c
index e439567f..d4ecbd08 100644
--- a/Cryptlib/OpenSSL/crypto/modes/cfb128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/cfb128.c
@@ -1,16 +1,64 @@
-/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 /*
  * The input and output encrypted as though 128bit cfb mode is being used.
  * The extra state information to record how much of the 128bit block we have
@@ -24,6 +72,8 @@ void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
     unsigned int n;
     size_t l = 0;
 
+    assert(in && out && key && ivec && num);
+
     n = *num;
 
     if (enc) {
@@ -140,7 +190,7 @@ static void cfbr_encrypt_block(const unsigned char *in, unsigned char *out,
                                block128_f block)
 {
     int n, rem, num;
-    unsigned char ovec[16 * 2 + 1]; /* +1 because we dereference (but don't
+    unsigned char ovec[16 * 2 + 1]; /* +1 because we dererefence (but don't
                                      * use) one byte off the end */
 
     if (nbits <= 0 || nbits > 128)
@@ -178,6 +228,9 @@ void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out,
     size_t n;
     unsigned char c[1], d[1];
 
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+
     for (n = 0; n < bits; ++n) {
         c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0;
         cfbr_encrypt_block(c, d, 1, key, ivec, enc, block);
@@ -193,6 +246,9 @@ void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out,
 {
     size_t n;
 
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+
     for (n = 0; n < length; ++n)
         cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block);
 }
diff --git a/Cryptlib/OpenSSL/crypto/modes/ctr128.c b/Cryptlib/OpenSSL/crypto/modes/ctr128.c
index 03920b44..d4b22728 100644
--- a/Cryptlib/OpenSSL/crypto/modes/ctr128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/ctr128.c
@@ -1,16 +1,64 @@
-/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 /*
  * NOTE: the IV/counter CTR mode is big-endian.  The code itself is
  * endian-neutral.
@@ -65,7 +113,7 @@ static void ctr128_inc_aligned(unsigned char *counter)
  * before the first call to CRYPTO_ctr128_encrypt(). This algorithm assumes
  * that the counter is in the x lower bits of the IV (ivec), and that the
  * application has full control over overflow and the rest of the IV.  This
- * implementation takes NO responsibility for checking that the counter
+ * implementation takes NO responsability for checking that the counter
  * doesn't overflow into the rest of the IV when incremented.
  */
 void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
@@ -77,6 +125,9 @@ void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
     unsigned int n;
     size_t l = 0;
 
+    assert(in && out && key && ecount_buf && num);
+    assert(*num < 16);
+
     n = *num;
 
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
@@ -152,6 +203,9 @@ void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
 {
     unsigned int n, ctr32;
 
+    assert(in && out && key && ecount_buf && num);
+    assert(*num < 16);
+
     n = *num;
 
     while (n && len) {
@@ -184,7 +238,7 @@ void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
         (*func) (in, out, blocks, key, ivec);
         /* (*ctr) does not update ivec, caller does: */
         PUTU32(ivec + 12, ctr32);
-        /* ... overflow was detected, propagate carry. */
+        /* ... overflow was detected, propogate carry. */
         if (ctr32 == 0)
             ctr96_inc(ivec);
         blocks *= 16;
diff --git a/Cryptlib/OpenSSL/crypto/modes/cts128.c b/Cryptlib/OpenSSL/crypto/modes/cts128.c
index 77ec994b..137be595 100644
--- a/Cryptlib/OpenSSL/crypto/modes/cts128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/cts128.c
@@ -1,16 +1,21 @@
-/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Rights for redistribution and usage in source and binary
+ * forms are granted according to the OpenSSL license.
  */
 
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 /*
  * Trouble with Ciphertext Stealing, CTS, mode is that there is no
  * common official specification, but couple of cipher/application
@@ -31,6 +36,8 @@ size_t CRYPTO_cts128_encrypt_block(const unsigned char *in,
 {
     size_t residue, n;
 
+    assert(in && out && key && ivec);
+
     if (len <= 16)
         return 0;
 
@@ -61,6 +68,8 @@ size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in,
 {
     size_t residue, n;
 
+    assert(in && out && key && ivec);
+
     if (len < 16)
         return 0;
 
@@ -94,6 +103,8 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[16];
     } tmp;
 
+    assert(in && out && key && ivec);
+
     if (len <= 16)
         return 0;
 
@@ -130,6 +141,8 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[16];
     } tmp;
 
+    assert(in && out && key && ivec);
+
     if (len < 16)
         return 0;
 
@@ -166,6 +179,8 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in,
         unsigned char c[32];
     } tmp;
 
+    assert(in && out && key && ivec);
+
     if (len <= 16)
         return 0;
 
@@ -209,6 +224,8 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in,
         unsigned char c[32];
     } tmp;
 
+    assert(in && out && key && ivec);
+
     if (len < 16)
         return 0;
 
@@ -255,6 +272,8 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[32];
     } tmp;
 
+    assert(in && out && key && ivec);
+
     if (len <= 16)
         return 0;
 
@@ -295,6 +314,8 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[32];
     } tmp;
 
+    assert(in && out && key && ivec);
+
     if (len < 16)
         return 0;
 
diff --git a/Cryptlib/OpenSSL/crypto/modes/gcm128.c b/Cryptlib/OpenSSL/crypto/modes/gcm128.c
index df9f6547..e299131c 100644
--- a/Cryptlib/OpenSSL/crypto/modes/gcm128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/gcm128.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
+#define OPENSSL_FIPSAPI
+
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 #if defined(BSWAP4) && defined(STRICT_ALIGNMENT)
 /* redefine, because alignment is ensured */
 # undef  GETU32
@@ -101,7 +150,9 @@ static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
     static const size_t rem_8bit[256] = {
         PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
         PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
@@ -270,7 +321,9 @@ static void gcm_init_4bit(u128 Htable[16], u64 H[2])
         const union {
             long one;
             char little;
-        } is_endian = { 1 };
+        } is_endian = {
+            1
+        };
 
         if (is_endian.little)
             for (j = 0; j < 16; ++j) {
@@ -303,7 +356,9 @@ static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
 
     nlo = ((const u8 *)Xi)[15];
     nhi = nlo >> 4;
@@ -382,7 +437,9 @@ static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
 
 #   if 1
     do {
@@ -572,7 +629,9 @@ static void gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
 
     V.hi = H[0];                /* H is in host byte order, no byte swapping */
     V.lo = H[1];
@@ -715,7 +774,9 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
 
     memset(ctx, 0, sizeof(*ctx));
     ctx->block = block;
@@ -740,11 +801,6 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
 #if     TABLE_BITS==8
     gcm_init_8bit(ctx->Htable, ctx->H.u);
 #elif   TABLE_BITS==4
-# if    defined(GHASH)
-#  define CTX__GHASH(f) (ctx->ghash = (f))
-# else
-#  define CTX__GHASH(f) (ctx->ghash = NULL)
-# endif
 # if    defined(GHASH_ASM_X86_OR_64)
 #  if   !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
     if (OPENSSL_ia32cap_P[0] & (1 << 24) && /* check FXSR bit */
@@ -752,11 +808,11 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
         if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */
             gcm_init_avx(ctx->Htable, ctx->H.u);
             ctx->gmult = gcm_gmult_avx;
-            CTX__GHASH(gcm_ghash_avx);
+            ctx->ghash = gcm_ghash_avx;
         } else {
             gcm_init_clmul(ctx->Htable, ctx->H.u);
             ctx->gmult = gcm_gmult_clmul;
-            CTX__GHASH(gcm_ghash_clmul);
+            ctx->ghash = gcm_ghash_clmul;
         }
         return;
     }
@@ -769,59 +825,66 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
     if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */
 #   endif
         ctx->gmult = gcm_gmult_4bit_mmx;
-        CTX__GHASH(gcm_ghash_4bit_mmx);
+        ctx->ghash = gcm_ghash_4bit_mmx;
     } else {
         ctx->gmult = gcm_gmult_4bit_x86;
-        CTX__GHASH(gcm_ghash_4bit_x86);
+        ctx->ghash = gcm_ghash_4bit_x86;
     }
 #  else
     ctx->gmult = gcm_gmult_4bit;
-    CTX__GHASH(gcm_ghash_4bit);
+    ctx->ghash = gcm_ghash_4bit;
 #  endif
 # elif  defined(GHASH_ASM_ARM)
 #  ifdef PMULL_CAPABLE
     if (PMULL_CAPABLE) {
         gcm_init_v8(ctx->Htable, ctx->H.u);
         ctx->gmult = gcm_gmult_v8;
-        CTX__GHASH(gcm_ghash_v8);
+        ctx->ghash = gcm_ghash_v8;
     } else
 #  endif
 #  ifdef NEON_CAPABLE
     if (NEON_CAPABLE) {
         gcm_init_neon(ctx->Htable, ctx->H.u);
         ctx->gmult = gcm_gmult_neon;
-        CTX__GHASH(gcm_ghash_neon);
+        ctx->ghash = gcm_ghash_neon;
     } else
 #  endif
     {
         gcm_init_4bit(ctx->Htable, ctx->H.u);
         ctx->gmult = gcm_gmult_4bit;
-        CTX__GHASH(gcm_ghash_4bit);
+#  if defined(GHASH)
+        ctx->ghash = gcm_ghash_4bit;
+#  else
+        ctx->ghash = NULL;
+#  endif
     }
 # elif  defined(GHASH_ASM_SPARC)
     if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) {
         gcm_init_vis3(ctx->Htable, ctx->H.u);
         ctx->gmult = gcm_gmult_vis3;
-        CTX__GHASH(gcm_ghash_vis3);
+        ctx->ghash = gcm_ghash_vis3;
     } else {
         gcm_init_4bit(ctx->Htable, ctx->H.u);
         ctx->gmult = gcm_gmult_4bit;
-        CTX__GHASH(gcm_ghash_4bit);
+        ctx->ghash = gcm_ghash_4bit;
     }
 # elif  defined(GHASH_ASM_PPC)
     if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
         gcm_init_p8(ctx->Htable, ctx->H.u);
         ctx->gmult = gcm_gmult_p8;
-        CTX__GHASH(gcm_ghash_p8);
+        ctx->ghash = gcm_ghash_p8;
     } else {
         gcm_init_4bit(ctx->Htable, ctx->H.u);
         ctx->gmult = gcm_gmult_4bit;
-        CTX__GHASH(gcm_ghash_4bit);
+#  if defined(GHASH)
+        ctx->ghash = gcm_ghash_4bit;
+#  else
+        ctx->ghash = NULL;
+#  endif
     }
 # else
     gcm_init_4bit(ctx->Htable, ctx->H.u);
 # endif
-# undef CTX__GHASH
 #endif
 }
 
@@ -831,7 +894,9 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv,
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
     unsigned int ctr;
 #ifdef GCM_FUNCREF_4BIT
     void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
@@ -975,7 +1040,9 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
     unsigned int n, ctr;
     size_t i;
     u64 mlen = ctx->len.u[1];
@@ -983,12 +1050,15 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
     void *key = ctx->key;
 #ifdef GCM_FUNCREF_4BIT
     void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
+# ifdef GHASH
     void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
                          const u8 *inp, size_t len) = ctx->ghash;
 # endif
 #endif
 
+#if 0
+    n = (unsigned int)mlen % 16; /* alternative to ctx->mres */
+#endif
     mlen += len;
     if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
         return -1;
@@ -1030,8 +1100,7 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
             if (((size_t)in | (size_t)out) % sizeof(size_t) != 0)
                 break;
 # endif
-# if defined(GHASH)
-#  if defined(GHASH_CHUNK)
+# if defined(GHASH) && defined(GHASH_CHUNK)
             while (len >= GHASH_CHUNK) {
                 size_t j = GHASH_CHUNK;
 
@@ -1042,11 +1111,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
                     (*block) (ctx->Yi.c, ctx->EKi.c, key);
                     ++ctr;
                     if (is_endian.little)
-#   ifdef BSWAP4
+#  ifdef BSWAP4
                         ctx->Yi.d[3] = BSWAP4(ctr);
-#   else
+#  else
                         PUTU32(ctx->Yi.c + 12, ctr);
-#   endif
+#  endif
                     else
                         ctx->Yi.d[3] = ctr;
                     for (i = 0; i < 16 / sizeof(size_t); ++i)
@@ -1058,7 +1127,6 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
                 GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK);
                 len -= GHASH_CHUNK;
             }
-#  endif
             if ((i = (len & (size_t)-16))) {
                 size_t j = i;
 
@@ -1159,7 +1227,9 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
     unsigned int n, ctr;
     size_t i;
     u64 mlen = ctx->len.u[1];
@@ -1167,7 +1237,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
     void *key = ctx->key;
 #ifdef GCM_FUNCREF_4BIT
     void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
+# ifdef GHASH
     void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
                          const u8 *inp, size_t len) = ctx->ghash;
 # endif
@@ -1216,8 +1286,7 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
             if (((size_t)in | (size_t)out) % sizeof(size_t) != 0)
                 break;
 # endif
-# if defined(GHASH)
-#  if defined(GHASH_CHUNK)
+# if defined(GHASH) && defined(GHASH_CHUNK)
             while (len >= GHASH_CHUNK) {
                 size_t j = GHASH_CHUNK;
 
@@ -1229,11 +1298,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
                     (*block) (ctx->Yi.c, ctx->EKi.c, key);
                     ++ctr;
                     if (is_endian.little)
-#   ifdef BSWAP4
+#  ifdef BSWAP4
                         ctx->Yi.d[3] = BSWAP4(ctr);
-#   else
+#  else
                         PUTU32(ctx->Yi.c + 12, ctr);
-#   endif
+#  endif
                     else
                         ctx->Yi.d[3] = ctr;
                     for (i = 0; i < 16 / sizeof(size_t); ++i)
@@ -1244,7 +1313,6 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
                 }
                 len -= GHASH_CHUNK;
             }
-#  endif
             if ((i = (len & (size_t)-16))) {
                 GHASH(ctx, in, i);
                 while (len >= 16) {
@@ -1348,24 +1416,23 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
                                 const unsigned char *in, unsigned char *out,
                                 size_t len, ctr128_f stream)
 {
-#if defined(OPENSSL_SMALL_FOOTPRINT)
-    return CRYPTO_gcm128_encrypt(ctx, in, out, len);
-#else
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
     unsigned int n, ctr;
     size_t i;
     u64 mlen = ctx->len.u[1];
     void *key = ctx->key;
-# ifdef GCM_FUNCREF_4BIT
+#ifdef GCM_FUNCREF_4BIT
     void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-#  ifdef GHASH
+# ifdef GHASH
     void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
                          const u8 *inp, size_t len) = ctx->ghash;
-#  endif
 # endif
+#endif
 
     mlen += len;
     if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
@@ -1379,11 +1446,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
     }
 
     if (is_endian.little)
-# ifdef BSWAP4
+#ifdef BSWAP4
         ctr = BSWAP4(ctx->Yi.d[3]);
-# else
+#else
         ctr = GETU32(ctx->Yi.c + 12);
-# endif
+#endif
     else
         ctr = ctx->Yi.d[3];
 
@@ -1401,16 +1468,16 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
             return 0;
         }
     }
-# if defined(GHASH) && defined(GHASH_CHUNK)
+#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
     while (len >= GHASH_CHUNK) {
         (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
         ctr += GHASH_CHUNK / 16;
         if (is_endian.little)
-#  ifdef BSWAP4
+# ifdef BSWAP4
             ctx->Yi.d[3] = BSWAP4(ctr);
-#  else
+# else
             PUTU32(ctx->Yi.c + 12, ctr);
-#  endif
+# endif
         else
             ctx->Yi.d[3] = ctr;
         GHASH(ctx, out, GHASH_CHUNK);
@@ -1418,43 +1485,43 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
         in += GHASH_CHUNK;
         len -= GHASH_CHUNK;
     }
-# endif
+#endif
     if ((i = (len & (size_t)-16))) {
         size_t j = i / 16;
 
         (*stream) (in, out, j, key, ctx->Yi.c);
         ctr += (unsigned int)j;
         if (is_endian.little)
-# ifdef BSWAP4
+#ifdef BSWAP4
             ctx->Yi.d[3] = BSWAP4(ctr);
-# else
+#else
             PUTU32(ctx->Yi.c + 12, ctr);
-# endif
+#endif
         else
             ctx->Yi.d[3] = ctr;
         in += i;
         len -= i;
-# if defined(GHASH)
+#if defined(GHASH)
         GHASH(ctx, out, i);
         out += i;
-# else
+#else
         while (j--) {
             for (i = 0; i < 16; ++i)
                 ctx->Xi.c[i] ^= out[i];
             GCM_MUL(ctx, Xi);
             out += 16;
         }
-# endif
+#endif
     }
     if (len) {
         (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key);
         ++ctr;
         if (is_endian.little)
-# ifdef BSWAP4
+#ifdef BSWAP4
             ctx->Yi.d[3] = BSWAP4(ctr);
-# else
+#else
             PUTU32(ctx->Yi.c + 12, ctr);
-# endif
+#endif
         else
             ctx->Yi.d[3] = ctr;
         while (len--) {
@@ -1465,31 +1532,29 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 
     ctx->mres = n;
     return 0;
-#endif
 }
 
 int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
                                 const unsigned char *in, unsigned char *out,
                                 size_t len, ctr128_f stream)
 {
-#if defined(OPENSSL_SMALL_FOOTPRINT)
-    return CRYPTO_gcm128_decrypt(ctx, in, out, len);
-#else
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
     unsigned int n, ctr;
     size_t i;
     u64 mlen = ctx->len.u[1];
     void *key = ctx->key;
-# ifdef GCM_FUNCREF_4BIT
+#ifdef GCM_FUNCREF_4BIT
     void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-#  ifdef GHASH
+# ifdef GHASH
     void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16],
                          const u8 *inp, size_t len) = ctx->ghash;
-#  endif
 # endif
+#endif
 
     mlen += len;
     if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
@@ -1503,11 +1568,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
     }
 
     if (is_endian.little)
-# ifdef BSWAP4
+#ifdef BSWAP4
         ctr = BSWAP4(ctx->Yi.d[3]);
-# else
+#else
         ctr = GETU32(ctx->Yi.c + 12);
-# endif
+#endif
     else
         ctr = ctx->Yi.d[3];
 
@@ -1527,30 +1592,30 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
             return 0;
         }
     }
-# if defined(GHASH) && defined(GHASH_CHUNK)
+#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
     while (len >= GHASH_CHUNK) {
         GHASH(ctx, in, GHASH_CHUNK);
         (*stream) (in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
         ctr += GHASH_CHUNK / 16;
         if (is_endian.little)
-#  ifdef BSWAP4
+# ifdef BSWAP4
             ctx->Yi.d[3] = BSWAP4(ctr);
-#  else
+# else
             PUTU32(ctx->Yi.c + 12, ctr);
-#  endif
+# endif
         else
             ctx->Yi.d[3] = ctr;
         out += GHASH_CHUNK;
         in += GHASH_CHUNK;
         len -= GHASH_CHUNK;
     }
-# endif
+#endif
     if ((i = (len & (size_t)-16))) {
         size_t j = i / 16;
 
-# if defined(GHASH)
+#if defined(GHASH)
         GHASH(ctx, in, i);
-# else
+#else
         while (j--) {
             size_t k;
             for (k = 0; k < 16; ++k)
@@ -1560,15 +1625,15 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
         }
         j = i / 16;
         in -= i;
-# endif
+#endif
         (*stream) (in, out, j, key, ctx->Yi.c);
         ctr += (unsigned int)j;
         if (is_endian.little)
-# ifdef BSWAP4
+#ifdef BSWAP4
             ctx->Yi.d[3] = BSWAP4(ctr);
-# else
+#else
             PUTU32(ctx->Yi.c + 12, ctr);
-# endif
+#endif
         else
             ctx->Yi.d[3] = ctr;
         out += i;
@@ -1579,11 +1644,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
         (*ctx->block) (ctx->Yi.c, ctx->EKi.c, key);
         ++ctr;
         if (is_endian.little)
-# ifdef BSWAP4
+#ifdef BSWAP4
             ctx->Yi.d[3] = BSWAP4(ctr);
-# else
+#else
             PUTU32(ctx->Yi.c + 12, ctr);
-# endif
+#endif
         else
             ctx->Yi.d[3] = ctr;
         while (len--) {
@@ -1596,7 +1661,6 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 
     ctx->mres = n;
     return 0;
-#endif
 }
 
 int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
@@ -1605,7 +1669,9 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
     const union {
         long one;
         char little;
-    } is_endian = { 1 };
+    } is_endian = {
+        1
+    };
     u64 alen = ctx->len.u[0] << 3;
     u64 clen = ctx->len.u[1] << 3;
 #ifdef GCM_FUNCREF_4BIT
@@ -1654,7 +1720,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
 {
     GCM128_CONTEXT *ret;
 
-    if ((ret = OPENSSL_malloc(sizeof(*ret))) != NULL)
+    if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT))))
         CRYPTO_gcm128_init(ret, key, block);
 
     return ret;
@@ -1662,7 +1728,10 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block)
 
 void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
 {
-    OPENSSL_clear_free(ctx, sizeof(*ctx));
+    if (ctx) {
+        OPENSSL_cleanse(ctx, sizeof(*ctx));
+        OPENSSL_free(ctx);
+    }
 }
 
 #if defined(SELFTEST)
diff --git a/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h b/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h
index 7a1603bf..fe14ec70 100644
--- a/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h
+++ b/Cryptlib/OpenSSL/crypto/modes/modes_lcl.h
@@ -1,10 +1,8 @@
-/*
- * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use is governed by OpenSSL license.
+ * ====================================================================
  */
 
 #include <openssl/modes.h>
@@ -143,43 +141,3 @@ struct ccm128_context {
     block128_f block;
     void *key;
 };
-
-#ifndef OPENSSL_NO_OCB
-
-typedef union {
-    u64 a[2];
-    unsigned char c[16];
-} OCB_BLOCK;
-# define ocb_block16_xor(in1,in2,out) \
-    ( (out)->a[0]=(in1)->a[0]^(in2)->a[0], \
-      (out)->a[1]=(in1)->a[1]^(in2)->a[1] )
-# if STRICT_ALIGNMENT
-#  define ocb_block16_xor_misaligned(in1,in2,out) \
-    ocb_block_xor((in1)->c,(in2)->c,16,(out)->c)
-# else
-#  define ocb_block16_xor_misaligned ocb_block16_xor
-# endif
-
-struct ocb128_context {
-    /* Need both encrypt and decrypt key schedules for decryption */
-    block128_f encrypt;
-    block128_f decrypt;
-    void *keyenc;
-    void *keydec;
-    ocb128_f stream;    /* direction dependent */
-    /* Key dependent variables. Can be reused if key remains the same */
-    size_t l_index;
-    size_t max_l_index;
-    OCB_BLOCK l_star;
-    OCB_BLOCK l_dollar;
-    OCB_BLOCK *l;
-    /* Must be reset for each session */
-    u64 blocks_hashed;
-    u64 blocks_processed;
-    OCB_BLOCK tag;
-    OCB_BLOCK offset_aad;
-    OCB_BLOCK sum;
-    OCB_BLOCK offset;
-    OCB_BLOCK checksum;
-};
-#endif                          /* OPENSSL_NO_OCB */
diff --git a/Cryptlib/OpenSSL/crypto/modes/ocb128.c b/Cryptlib/OpenSSL/crypto/modes/ocb128.c
deleted file mode 100644
index c3bd13bb..00000000
--- a/Cryptlib/OpenSSL/crypto/modes/ocb128.c
+++ /dev/null
@@ -1,568 +0,0 @@
-/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include <openssl/crypto.h>
-#include "modes_lcl.h"
-
-#ifndef OPENSSL_NO_OCB
-
-/*
- * Calculate the number of binary trailing zero's in any given number
- */
-static u32 ocb_ntz(u64 n)
-{
-    u32 cnt = 0;
-
-    /*
-     * We do a right-to-left simple sequential search. This is surprisingly
-     * efficient as the distribution of trailing zeros is not uniform,
-     * e.g. the number of possible inputs with no trailing zeros is equal to
-     * the number with 1 or more; the number with exactly 1 is equal to the
-     * number with 2 or more, etc. Checking the last two bits covers 75% of
-     * all numbers. Checking the last three covers 87.5%
-     */
-    while (!(n & 1)) {
-        n >>= 1;
-        cnt++;
-    }
-    return cnt;
-}
-
-/*
- * Shift a block of 16 bytes left by shift bits
- */
-static void ocb_block_lshift(const unsigned char *in, size_t shift,
-                             unsigned char *out)
-{
-    unsigned char shift_mask;
-    int i;
-    unsigned char mask[15];
-
-    shift_mask = 0xff;
-    shift_mask <<= (8 - shift);
-    for (i = 15; i >= 0; i--) {
-        if (i > 0) {
-            mask[i - 1] = in[i] & shift_mask;
-            mask[i - 1] >>= 8 - shift;
-        }
-        out[i] = in[i] << shift;
-
-        if (i != 15) {
-            out[i] ^= mask[i];
-        }
-    }
-}
-
-/*
- * Perform a "double" operation as per OCB spec
- */
-static void ocb_double(OCB_BLOCK *in, OCB_BLOCK *out)
-{
-    unsigned char mask;
-
-    /*
-     * Calculate the mask based on the most significant bit. There are more
-     * efficient ways to do this - but this way is constant time
-     */
-    mask = in->c[0] & 0x80;
-    mask >>= 7;
-    mask *= 135;
-
-    ocb_block_lshift(in->c, 1, out->c);
-
-    out->c[15] ^= mask;
-}
-
-/*
- * Perform an xor on in1 and in2 - each of len bytes. Store result in out
- */
-static void ocb_block_xor(const unsigned char *in1,
-                          const unsigned char *in2, size_t len,
-                          unsigned char *out)
-{
-    size_t i;
-    for (i = 0; i < len; i++) {
-        out[i] = in1[i] ^ in2[i];
-    }
-}
-
-/*
- * Lookup L_index in our lookup table. If we haven't already got it we need to
- * calculate it
- */
-static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
-{
-    size_t l_index = ctx->l_index;
-
-    if (idx <= l_index) {
-        return ctx->l + idx;
-    }
-
-    /* We don't have it - so calculate it */
-    if (idx >= ctx->max_l_index) {
-        void *tmp_ptr;
-        /*
-         * Each additional entry allows to process almost double as
-         * much data, so that in linear world the table will need to
-         * be expanded with smaller and smaller increments. Originally
-         * it was doubling in size, which was a waste. Growing it
-         * linearly is not formally optimal, but is simpler to implement.
-         * We grow table by minimally required 4*n that would accommodate
-         * the index.
-         */
-        ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
-        tmp_ptr =
-            OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
-        if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
-            return NULL;
-        ctx->l = tmp_ptr;
-    }
-    while (l_index < idx) {
-        ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
-        l_index++;
-    }
-    ctx->l_index = l_index;
-
-    return ctx->l + idx;
-}
-
-/*
- * Create a new OCB128_CONTEXT
- */
-OCB128_CONTEXT *CRYPTO_ocb128_new(void *keyenc, void *keydec,
-                                  block128_f encrypt, block128_f decrypt,
-                                  ocb128_f stream)
-{
-    OCB128_CONTEXT *octx;
-    int ret;
-
-    if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) {
-        ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt,
-                                 stream);
-        if (ret)
-            return octx;
-        OPENSSL_free(octx);
-    }
-
-    return NULL;
-}
-
-/*
- * Initialise an existing OCB128_CONTEXT
- */
-int CRYPTO_ocb128_init(OCB128_CONTEXT *ctx, void *keyenc, void *keydec,
-                       block128_f encrypt, block128_f decrypt,
-                       ocb128_f stream)
-{
-    memset(ctx, 0, sizeof(*ctx));
-    ctx->l_index = 0;
-    ctx->max_l_index = 5;
-    ctx->l = OPENSSL_malloc(ctx->max_l_index * 16);
-    if (ctx->l == NULL)
-        return 0;
-
-    /*
-     * We set both the encryption and decryption key schedules - decryption
-     * needs both. Don't really need decryption schedule if only doing
-     * encryption - but it simplifies things to take it anyway
-     */
-    ctx->encrypt = encrypt;
-    ctx->decrypt = decrypt;
-    ctx->stream = stream;
-    ctx->keyenc = keyenc;
-    ctx->keydec = keydec;
-
-    /* L_* = ENCIPHER(K, zeros(128)) */
-    ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc);
-
-    /* L_$ = double(L_*) */
-    ocb_double(&ctx->l_star, &ctx->l_dollar);
-
-    /* L_0 = double(L_$) */
-    ocb_double(&ctx->l_dollar, ctx->l);
-
-    /* L_{i} = double(L_{i-1}) */
-    ocb_double(ctx->l, ctx->l+1);
-    ocb_double(ctx->l+1, ctx->l+2);
-    ocb_double(ctx->l+2, ctx->l+3);
-    ocb_double(ctx->l+3, ctx->l+4);
-    ctx->l_index = 4;   /* enough to process up to 496 bytes */
-
-    return 1;
-}
-
-/*
- * Copy an OCB128_CONTEXT object
- */
-int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT *dest, OCB128_CONTEXT *src,
-                           void *keyenc, void *keydec)
-{
-    memcpy(dest, src, sizeof(OCB128_CONTEXT));
-    if (keyenc)
-        dest->keyenc = keyenc;
-    if (keydec)
-        dest->keydec = keydec;
-    if (src->l) {
-        dest->l = OPENSSL_malloc(src->max_l_index * 16);
-        if (dest->l == NULL)
-            return 0;
-        memcpy(dest->l, src->l, (src->l_index + 1) * 16);
-    }
-    return 1;
-}
-
-/*
- * Set the IV to be used for this operation. Must be 1 - 15 bytes.
- */
-int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv,
-                        size_t len, size_t taglen)
-{
-    unsigned char ktop[16], tmp[16], mask;
-    unsigned char stretch[24], nonce[16];
-    size_t bottom, shift;
-
-    /*
-     * Spec says IV is 120 bits or fewer - it allows non byte aligned lengths.
-     * We don't support this at this stage
-     */
-    if ((len > 15) || (len < 1) || (taglen > 16) || (taglen < 1)) {
-        return -1;
-    }
-
-    /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */
-    nonce[0] = ((taglen * 8) % 128) << 1;
-    memset(nonce + 1, 0, 15);
-    memcpy(nonce + 16 - len, iv, len);
-    nonce[15 - len] |= 1;
-
-    /* Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6)) */
-    memcpy(tmp, nonce, 16);
-    tmp[15] &= 0xc0;
-    ctx->encrypt(tmp, ktop, ctx->keyenc);
-
-    /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */
-    memcpy(stretch, ktop, 16);
-    ocb_block_xor(ktop, ktop + 1, 8, stretch + 16);
-
-    /* bottom = str2num(Nonce[123..128]) */
-    bottom = nonce[15] & 0x3f;
-
-    /* Offset_0 = Stretch[1+bottom..128+bottom] */
-    shift = bottom % 8;
-    ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c);
-    mask = 0xff;
-    mask <<= 8 - shift;
-    ctx->offset.c[15] |=
-        (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift);
-
-    return 1;
-}
-
-/*
- * Provide any AAD. This can be called multiple times. Only the final time can
- * have a partial block
- */
-int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad,
-                      size_t len)
-{
-    u64 i, all_num_blocks;
-    size_t num_blocks, last_len;
-    OCB_BLOCK tmp1;
-    OCB_BLOCK tmp2;
-
-    /* Calculate the number of blocks of AAD provided now, and so far */
-    num_blocks = len / 16;
-    all_num_blocks = num_blocks + ctx->blocks_hashed;
-
-    /* Loop through all full blocks of AAD */
-    for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) {
-        OCB_BLOCK *lookup;
-        OCB_BLOCK *aad_block;
-
-        /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
-        lookup = ocb_lookup_l(ctx, ocb_ntz(i));
-        if (lookup == NULL)
-            return 0;
-        ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad);
-
-        /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
-        aad_block = (OCB_BLOCK *)(aad + ((i - ctx->blocks_hashed - 1) * 16));
-        ocb_block16_xor(&ctx->offset_aad, aad_block, &tmp1);
-        ctx->encrypt(tmp1.c, tmp2.c, ctx->keyenc);
-        ocb_block16_xor(&ctx->sum, &tmp2, &ctx->sum);
-    }
-
-    /*
-     * Check if we have any partial blocks left over. This is only valid in the
-     * last call to this function
-     */
-    last_len = len % 16;
-
-    if (last_len > 0) {
-        /* Offset_* = Offset_m xor L_* */
-        ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad);
-
-        /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */
-        memset(&tmp1, 0, 16);
-        memcpy(&tmp1, aad + (num_blocks * 16), last_len);
-        ((unsigned char *)&tmp1)[last_len] = 0x80;
-        ocb_block16_xor(&ctx->offset_aad, &tmp1, &tmp2);
-
-        /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
-        ctx->encrypt(tmp2.c, tmp1.c, ctx->keyenc);
-        ocb_block16_xor(&ctx->sum, &tmp1, &ctx->sum);
-    }
-
-    ctx->blocks_hashed = all_num_blocks;
-
-    return 1;
-}
-
-/*
- * Provide any data to be encrypted. This can be called multiple times. Only
- * the final time can have a partial block
- */
-int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
-                          const unsigned char *in, unsigned char *out,
-                          size_t len)
-{
-    u64 i, all_num_blocks;
-    size_t num_blocks, last_len;
-    OCB_BLOCK tmp1;
-    OCB_BLOCK tmp2;
-    OCB_BLOCK pad;
-
-    /*
-     * Calculate the number of blocks of data to be encrypted provided now, and
-     * so far
-     */
-    num_blocks = len / 16;
-    all_num_blocks = num_blocks + ctx->blocks_processed;
-
-    if (num_blocks && all_num_blocks == (size_t)all_num_blocks
-        && ctx->stream != NULL) {
-        size_t max_idx = 0, top = (size_t)all_num_blocks;
-
-        /*
-         * See how many L_{i} entries we need to process data at hand
-         * and pre-compute missing entries in the table [if any]...
-         */
-        while (top >>= 1)
-            max_idx++;
-        if (ocb_lookup_l(ctx, max_idx) == NULL)
-            return 0;
-
-        ctx->stream(in, out, num_blocks, ctx->keyenc,
-                    (size_t)ctx->blocks_processed + 1, ctx->offset.c,
-                    (const unsigned char (*)[16])ctx->l, ctx->checksum.c);
-    } else {
-        /* Loop through all full blocks to be encrypted */
-        for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {
-            OCB_BLOCK *lookup;
-            OCB_BLOCK *inblock;
-            OCB_BLOCK *outblock;
-
-            /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
-            lookup = ocb_lookup_l(ctx, ocb_ntz(i));
-            if (lookup == NULL)
-                return 0;
-            ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);
-
-            /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */
-            inblock =
-                (OCB_BLOCK *)(in + ((i - ctx->blocks_processed - 1) * 16));
-            ocb_block16_xor_misaligned(&ctx->offset, inblock, &tmp1);
-            /* Checksum_i = Checksum_{i-1} xor P_i */
-            ocb_block16_xor_misaligned(&ctx->checksum, inblock, &ctx->checksum);
-            ctx->encrypt(tmp1.c, tmp2.c, ctx->keyenc);
-            outblock =
-                (OCB_BLOCK *)(out + ((i - ctx->blocks_processed - 1) * 16));
-            ocb_block16_xor_misaligned(&ctx->offset, &tmp2, outblock);
-        }
-    }
-
-    /*
-     * Check if we have any partial blocks left over. This is only valid in the
-     * last call to this function
-     */
-    last_len = len % 16;
-
-    if (last_len > 0) {
-        /* Offset_* = Offset_m xor L_* */
-        ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);
-
-        /* Pad = ENCIPHER(K, Offset_*) */
-        ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);
-
-        /* C_* = P_* xor Pad[1..bitlen(P_*)] */
-        ocb_block_xor(in + (len / 16) * 16, (unsigned char *)&pad, last_len,
-                      out + (num_blocks * 16));
-
-        /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
-        memset(&tmp1, 0, 16);
-        memcpy(&tmp1, in + (len / 16) * 16, last_len);
-        ((unsigned char *)(&tmp1))[last_len] = 0x80;
-        ocb_block16_xor(&ctx->checksum, &tmp1, &ctx->checksum);
-    }
-
-    ctx->blocks_processed = all_num_blocks;
-
-    return 1;
-}
-
-/*
- * Provide any data to be decrypted. This can be called multiple times. Only
- * the final time can have a partial block
- */
-int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
-                          const unsigned char *in, unsigned char *out,
-                          size_t len)
-{
-    u64 i, all_num_blocks;
-    size_t num_blocks, last_len;
-    OCB_BLOCK tmp1;
-    OCB_BLOCK tmp2;
-    OCB_BLOCK pad;
-
-    /*
-     * Calculate the number of blocks of data to be decrypted provided now, and
-     * so far
-     */
-    num_blocks = len / 16;
-    all_num_blocks = num_blocks + ctx->blocks_processed;
-
-    if (num_blocks && all_num_blocks == (size_t)all_num_blocks
-        && ctx->stream != NULL) {
-        size_t max_idx = 0, top = (size_t)all_num_blocks;
-
-        /*
-         * See how many L_{i} entries we need to process data at hand
-         * and pre-compute missing entries in the table [if any]...
-         */
-        while (top >>= 1)
-            max_idx++;
-        if (ocb_lookup_l(ctx, max_idx) == NULL)
-            return 0;
-
-        ctx->stream(in, out, num_blocks, ctx->keydec,
-                    (size_t)ctx->blocks_processed + 1, ctx->offset.c,
-                    (const unsigned char (*)[16])ctx->l, ctx->checksum.c);
-    } else {
-        /* Loop through all full blocks to be decrypted */
-        for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {
-            OCB_BLOCK *inblock;
-            OCB_BLOCK *outblock;
-
-            /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
-            OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i));
-            if (lookup == NULL)
-                return 0;
-            ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);
-
-            /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */
-            inblock =
-                (OCB_BLOCK *)(in + ((i - ctx->blocks_processed - 1) * 16));
-            ocb_block16_xor_misaligned(&ctx->offset, inblock, &tmp1);
-            ctx->decrypt(tmp1.c, tmp2.c, ctx->keydec);
-            outblock =
-                (OCB_BLOCK *)(out + ((i - ctx->blocks_processed - 1) * 16));
-            ocb_block16_xor_misaligned(&ctx->offset, &tmp2, outblock);
-
-            /* Checksum_i = Checksum_{i-1} xor P_i */
-            ocb_block16_xor_misaligned(&ctx->checksum, outblock, &ctx->checksum);
-        }
-    }
-
-    /*
-     * Check if we have any partial blocks left over. This is only valid in the
-     * last call to this function
-     */
-    last_len = len % 16;
-
-    if (last_len > 0) {
-        /* Offset_* = Offset_m xor L_* */
-        ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);
-
-        /* Pad = ENCIPHER(K, Offset_*) */
-        ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);
-
-        /* P_* = C_* xor Pad[1..bitlen(C_*)] */
-        ocb_block_xor(in + (len / 16) * 16, (unsigned char *)&pad, last_len,
-                      out + (num_blocks * 16));
-
-        /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
-        memset(&tmp1, 0, 16);
-        memcpy(&tmp1, out + (len / 16) * 16, last_len);
-        ((unsigned char *)(&tmp1))[last_len] = 0x80;
-        ocb_block16_xor(&ctx->checksum, &tmp1, &ctx->checksum);
-    }
-
-    ctx->blocks_processed = all_num_blocks;
-
-    return 1;
-}
-
-/*
- * Calculate the tag and verify it against the supplied tag
- */
-int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag,
-                         size_t len)
-{
-    OCB_BLOCK tmp1, tmp2;
-
-    /*
-     * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
-     */
-    ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp1);
-    ocb_block16_xor(&tmp1, &ctx->l_dollar, &tmp2);
-    ctx->encrypt(tmp2.c, tmp1.c, ctx->keyenc);
-    ocb_block16_xor(&tmp1, &ctx->sum, &ctx->tag);
-
-    if (len > 16 || len < 1) {
-        return -1;
-    }
-
-    /* Compare the tag if we've been given one */
-    if (tag)
-        return CRYPTO_memcmp(&ctx->tag, tag, len);
-    else
-        return -1;
-}
-
-/*
- * Retrieve the calculated tag
- */
-int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len)
-{
-    if (len > 16 || len < 1) {
-        return -1;
-    }
-
-    /* Calculate the tag */
-    CRYPTO_ocb128_finish(ctx, NULL, 0);
-
-    /* Copy the tag into the supplied buffer */
-    memcpy(tag, &ctx->tag, len);
-
-    return 1;
-}
-
-/*
- * Release all resources
- */
-void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
-{
-    if (ctx) {
-        OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
-        OPENSSL_cleanse(ctx, sizeof(*ctx));
-    }
-}
-
-#endif                          /* OPENSSL_NO_OCB */
diff --git a/Cryptlib/OpenSSL/crypto/modes/ofb128.c b/Cryptlib/OpenSSL/crypto/modes/ofb128.c
index 83092564..4dbaccd7 100644
--- a/Cryptlib/OpenSSL/crypto/modes/ofb128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/ofb128.c
@@ -1,16 +1,64 @@
-/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 /*
  * The input and output encrypted as though 128bit ofb mode is being used.
  * The extra state information to record how much of the 128bit block we have
@@ -23,6 +71,8 @@ void CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out,
     unsigned int n;
     size_t l = 0;
 
+    assert(in && out && key && ivec && num);
+
     n = *num;
 
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
diff --git a/Cryptlib/OpenSSL/crypto/modes/wrap128.c b/Cryptlib/OpenSSL/crypto/modes/wrap128.c
index 46809a0e..38497837 100644
--- a/Cryptlib/OpenSSL/crypto/modes/wrap128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/wrap128.c
@@ -1,50 +1,70 @@
+/* crypto/modes/wrap128.c */
 /*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
  */
-
-/**  Beware!
+/* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- *  Following wrapping modes were designed for AES but this implementation
- *  allows you to use them for any 128 bit block cipher.
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/modes.h>
 
-/** RFC 3394 section 2.2.3.1 Default Initial Value */
 static const unsigned char default_iv[] = {
     0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
 };
 
-/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
-static const unsigned char default_aiv[] = {
-    0xA6, 0x59, 0x59, 0xA6
-};
-
-/** Input size limit: lower than maximum of standards but far larger than
- *  anything that will be used in practice.
+/*
+ * Input size limit: lower than maximum of standards but far larger than
+ * anything that will be used in practice.
  */
 #define CRYPTO128_WRAP_MAX (1UL << 31)
 
-/** Wrapping according to RFC 3394 section 2.2.1.
- *
- *  @param[in]  key    Key value.
- *  @param[in]  iv     IV value. Length = 8 bytes. NULL = use default_iv.
- *  @param[in]  in     Plaintext as n 64-bit blocks, n >= 2.
- *  @param[in]  inlen  Length of in.
- *  @param[out] out    Ciphertext. Minimal buffer length = (inlen + 8) bytes.
- *                     Input and output buffers can overlap if block function
- *                     supports that.
- *  @param[in]  block  Block processing function.
- *  @return            0 if inlen does not consist of n 64-bit blocks, n >= 2.
- *                     or if inlen > CRYPTO128_WRAP_MAX.
- *                     Output length if wrapping succeeded.
- */
 size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
                        unsigned char *out,
                        const unsigned char *in, size_t inlen,
@@ -52,7 +72,7 @@ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
 {
     unsigned char *A, B[16], *R;
     size_t i, j, t;
-    if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
+    if ((inlen & 0x7) || (inlen < 8) || (inlen > CRYPTO128_WRAP_MAX))
         return 0;
     A = B;
     t = 1;
@@ -80,26 +100,10 @@ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
     return inlen + 8;
 }
 
-/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
- *  The IV check (step 3) is responsibility of the caller.
- *
- *  @param[in]  key    Key value.
- *  @param[out] iv     Unchecked IV value. Minimal buffer length = 8 bytes.
- *  @param[out] out    Plaintext without IV.
- *                     Minimal buffer length = (inlen - 8) bytes.
- *                     Input and output buffers can overlap if block function
- *                     supports that.
- *  @param[in]  in     Ciphertext as n 64-bit blocks.
- *  @param[in]  inlen  Length of in.
- *  @param[in]  block  Block processing function.
- *  @return            0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
- *                     or if inlen is not a multiple of 8.
- *                     Output length otherwise.
- */
-static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
-                                    unsigned char *out,
-                                    const unsigned char *in, size_t inlen,
-                                    block128_f block)
+size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
+                         unsigned char *out,
+                         const unsigned char *in, size_t inlen,
+                         block128_f block)
 {
     unsigned char *A, B[16], *R;
     size_t i, j, t;
@@ -124,206 +128,11 @@ static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
             memcpy(R, B + 8, 8);
         }
     }
-    memcpy(iv, A, 8);
-    return inlen;
-}
-
-/** Unwrapping according to RFC 3394 section 2.2.2, including the IV check.
- *  The first block of plaintext has to match the supplied IV, otherwise an
- *  error is returned.
- *
- *  @param[in]  key    Key value.
- *  @param[out] iv     IV value to match against. Length = 8 bytes.
- *                     NULL = use default_iv.
- *  @param[out] out    Plaintext without IV.
- *                     Minimal buffer length = (inlen - 8) bytes.
- *                     Input and output buffers can overlap if block function
- *                     supports that.
- *  @param[in]  in     Ciphertext as n 64-bit blocks.
- *  @param[in]  inlen  Length of in.
- *  @param[in]  block  Block processing function.
- *  @return            0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
- *                     or if inlen is not a multiple of 8
- *                     or if IV doesn't match expected value.
- *                     Output length otherwise.
- */
-size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
-                         unsigned char *out, const unsigned char *in,
-                         size_t inlen, block128_f block)
-{
-    size_t ret;
-    unsigned char got_iv[8];
-
-    ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
-    if (ret == 0)
-        return 0;
-
     if (!iv)
         iv = default_iv;
-    if (CRYPTO_memcmp(got_iv, iv, 8)) {
-        OPENSSL_cleanse(out, ret);
-        return 0;
-    }
-    return ret;
-}
-
-/** Wrapping according to RFC 5649 section 4.1.
- *
- *  @param[in]  key    Key value.
- *  @param[in]  icv    (Non-standard) IV, 4 bytes. NULL = use default_aiv.
- *  @param[out] out    Ciphertext. Minimal buffer length = (inlen + 15) bytes.
- *                     Input and output buffers can overlap if block function
- *                     supports that.
- *  @param[in]  in     Plaintext as n 64-bit blocks, n >= 2.
- *  @param[in]  inlen  Length of in.
- *  @param[in]  block  Block processing function.
- *  @return            0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
- *                     Output length if wrapping succeeded.
- */
-size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
-                           unsigned char *out,
-                           const unsigned char *in, size_t inlen,
-                           block128_f block)
-{
-    /* n: number of 64-bit blocks in the padded key data
-     *
-     * If length of plain text is not a multiple of 8, pad the plain text octet
-     * string on the right with octets of zeros, where final length is the
-     * smallest multiple of 8 that is greater than length of plain text.
-     * If length of plain text is a multiple of 8, then there is no padding. */
-    const size_t blocks_padded = (inlen + 7) / 8; /* CEILING(m/8) */
-    const size_t padded_len = blocks_padded * 8;
-    const size_t padding_len = padded_len - inlen;
-    /* RFC 5649 section 3: Alternative Initial Value */
-    unsigned char aiv[8];
-    int ret;
-
-    /* Section 1: use 32-bit fixed field for plaintext octet length */
-    if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
-        return 0;
-
-    /* Section 3: Alternative Initial Value */
-    if (!icv)
-        memcpy(aiv, default_aiv, 4);
-    else
-        memcpy(aiv, icv, 4);    /* Standard doesn't mention this. */
-
-    aiv[4] = (inlen >> 24) & 0xFF;
-    aiv[5] = (inlen >> 16) & 0xFF;
-    aiv[6] = (inlen >> 8) & 0xFF;
-    aiv[7] = inlen & 0xFF;
-
-    if (padded_len == 8) {
-        /*
-         * Section 4.1 - special case in step 2: If the padded plaintext
-         * contains exactly eight octets, then prepend the AIV and encrypt
-         * the resulting 128-bit block using AES in ECB mode.
-         */
-        memmove(out + 8, in, inlen);
-        memcpy(out, aiv, 8);
-        memset(out + 8 + inlen, 0, padding_len);
-        block(out, out, key);
-        ret = 16;               /* AIV + padded input */
-    } else {
-        memmove(out, in, inlen);
-        memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
-        ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
-    }
-
-    return ret;
-}
-
-/** Unwrapping according to RFC 5649 section 4.2.
- *
- *  @param[in]  key    Key value.
- *  @param[in]  icv    (Non-standard) IV, 4 bytes. NULL = use default_aiv.
- *  @param[out] out    Plaintext. Minimal buffer length = inlen bytes.
- *                     Input and output buffers can overlap if block function
- *                     supports that.
- *  @param[in]  in     Ciphertext as n 64-bit blocks.
- *  @param[in]  inlen  Length of in.
- *  @param[in]  block  Block processing function.
- *  @return            0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
- *                     or if inlen is not a multiple of 8
- *                     or if IV and message length indicator doesn't match.
- *                     Output length if unwrapping succeeded and IV matches.
- */
-size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
-                             unsigned char *out,
-                             const unsigned char *in, size_t inlen,
-                             block128_f block)
-{
-    /* n: number of 64-bit blocks in the padded key data */
-    size_t n = inlen / 8 - 1;
-    size_t padded_len;
-    size_t padding_len;
-    size_t ptext_len;
-    /* RFC 5649 section 3: Alternative Initial Value */
-    unsigned char aiv[8];
-    static unsigned char zeros[8] = { 0x0 };
-    size_t ret;
-
-    /* Section 4.2: Ciphertext length has to be (n+1) 64-bit blocks. */
-    if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
-        return 0;
-
-    memmove(out, in, inlen);
-    if (inlen == 16) {
-        /*
-         * Section 4.2 - special case in step 1: When n=1, the ciphertext
-         * contains exactly two 64-bit blocks and they are decrypted as a
-         * single AES block using AES in ECB mode: AIV | P[1] = DEC(K, C[0] |
-         * C[1])
-         */
-        block(out, out, key);
-        memcpy(aiv, out, 8);
-        /* Remove AIV */
-        memmove(out, out + 8, 8);
-        padded_len = 8;
-    } else {
-        padded_len = inlen - 8;
-        ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
-        if (padded_len != ret) {
-            OPENSSL_cleanse(out, inlen);
-            return 0;
-        }
-    }
-
-    /*
-     * Section 3: AIV checks: Check that MSB(32,A) = A65959A6. Optionally a
-     * user-supplied value can be used (even if standard doesn't mention
-     * this).
-     */
-    if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
-        || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
-        OPENSSL_cleanse(out, inlen);
-        return 0;
-    }
-
-    /*
-     * Check that 8*(n-1) < LSB(32,AIV) <= 8*n. If so, let ptext_len =
-     * LSB(32,AIV).
-     */
-
-    ptext_len =   ((unsigned int)aiv[4] << 24)
-                | ((unsigned int)aiv[5] << 16)
-                | ((unsigned int)aiv[6] <<  8)
-                |  (unsigned int)aiv[7];
-    if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
-        OPENSSL_cleanse(out, inlen);
-        return 0;
-    }
-
-    /*
-     * Check that the rightmost padding_len octets of the output data are
-     * zero.
-     */
-    padding_len = padded_len - ptext_len;
-    if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
+    if (memcmp(A, iv, 8)) {
         OPENSSL_cleanse(out, inlen);
         return 0;
     }
-
-    /* Section 4.2 step 3: Remove padding */
-    return ptext_len;
+    return inlen;
 }
diff --git a/Cryptlib/OpenSSL/crypto/modes/xts128.c b/Cryptlib/OpenSSL/crypto/modes/xts128.c
index 81b1eacd..8f2af588 100644
--- a/Cryptlib/OpenSSL/crypto/modes/xts128.c
+++ b/Cryptlib/OpenSSL/crypto/modes/xts128.c
@@ -1,16 +1,63 @@
-/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <openssl/crypto.h>
 #include "modes_lcl.h"
 #include <string.h>
 
+#ifndef MODES_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+#include <assert.h>
+
 int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx,
                           const unsigned char iv[16],
                           const unsigned char *inp, unsigned char *out,
diff --git a/Cryptlib/OpenSSL/crypto/o_dir.c b/Cryptlib/OpenSSL/crypto/o_dir.c
index 89c8c5c5..f9dbed87 100644
--- a/Cryptlib/OpenSSL/crypto/o_dir.c
+++ b/Cryptlib/OpenSSL/crypto/o_dir.c
@@ -1,10 +1,60 @@
+/* crypto/o_dir.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <errno.h>
@@ -20,7 +70,7 @@
 #define LP_find_file OPENSSL_DIR_read
 #define LP_find_file_end OPENSSL_DIR_end
 
-#include "internal/o_dir.h"
+#include "o_dir.h"
 
 #define LPDIR_H
 #if defined OPENSSL_SYS_UNIX || defined DJGPP
diff --git a/Cryptlib/OpenSSL/crypto/o_dir.h b/Cryptlib/OpenSSL/crypto/o_dir.h
new file mode 100644
index 00000000..bf45a14d
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/o_dir.h
@@ -0,0 +1,55 @@
+/* crypto/o_dir.h */
+/*
+ * Copied from Richard Levitte's (richard@levitte.org) LP library.  All
+ * symbol names have been changed, with permission from the author.
+ */
+
+/* $LP: LPlib/source/LPdir.h,v 1.1 2004/06/14 08:56:04 _cvs_levitte Exp $ */
+/*
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef O_DIR_H
+# define O_DIR_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct OPENSSL_dir_context_st OPENSSL_DIR_CTX;
+
+  /*
+   * returns NULL on error or end-of-directory. If it is end-of-directory,
+   * errno will be zero
+   */
+const char *OPENSSL_DIR_read(OPENSSL_DIR_CTX **ctx, const char *directory);
+  /* returns 1 on success, 0 on error */
+int OPENSSL_DIR_end(OPENSSL_DIR_CTX **ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif                          /* LPDIR_H */
diff --git a/Cryptlib/OpenSSL/crypto/o_fips.c b/Cryptlib/OpenSSL/crypto/o_fips.c
index bf6db65f..f56d5bb7 100644
--- a/Cryptlib/OpenSSL/crypto/o_fips.c
+++ b/Cryptlib/OpenSSL/crypto/o_fips.c
@@ -1,19 +1,71 @@
 /*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Stephen henson (steve@openssl.org) for the OpenSSL project
+ * 2011.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #ifdef OPENSSL_FIPS
 # include <openssl/fips.h>
+# include <openssl/fips_rand.h>
+# include <openssl/rand.h>
 #endif
 
 int FIPS_mode(void)
 {
+    OPENSSL_init();
 #ifdef OPENSSL_FIPS
     return FIPS_module_mode();
 #else
@@ -23,8 +75,18 @@ int FIPS_mode(void)
 
 int FIPS_mode_set(int r)
 {
+    OPENSSL_init();
 #ifdef OPENSSL_FIPS
-    return FIPS_module_mode_set(r);
+# ifndef FIPS_AUTH_USER_PASS
+#  define FIPS_AUTH_USER_PASS     "Default FIPS Crypto User Password"
+# endif
+    if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
+        return 0;
+    if (r)
+        RAND_set_rand_method(FIPS_rand_get_method());
+    else
+        RAND_set_rand_method(NULL);
+    return 1;
 #else
     if (r == 0)
         return 1;
diff --git a/Cryptlib/OpenSSL/crypto/o_fopen.c b/Cryptlib/OpenSSL/crypto/o_fopen.c
deleted file mode 100644
index a3a00657..00000000
--- a/Cryptlib/OpenSSL/crypto/o_fopen.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "internal/cryptlib.h"
-
-#if !defined(OPENSSL_NO_STDIO)
-
-# include <stdio.h>
-
-FILE *openssl_fopen(const char *filename, const char *mode)
-{
-    FILE *file = NULL;
-# if defined(_WIN32) && defined(CP_UTF8)
-    int sz, len_0 = (int)strlen(filename) + 1;
-    DWORD flags;
-
-    /*
-     * Basically there are three cases to cover: a) filename is
-     * pure ASCII string; b) actual UTF-8 encoded string and
-     * c) locale-ized string, i.e. one containing 8-bit
-     * characters that are meaningful in current system locale.
-     * If filename is pure ASCII or real UTF-8 encoded string,
-     * MultiByteToWideChar succeeds and _wfopen works. If
-     * filename is locale-ized string, chances are that
-     * MultiByteToWideChar fails reporting
-     * ERROR_NO_UNICODE_TRANSLATION, in which case we fall
-     * back to fopen...
-     */
-    if ((sz = MultiByteToWideChar(CP_UTF8, (flags = MB_ERR_INVALID_CHARS),
-                                  filename, len_0, NULL, 0)) > 0 ||
-        (GetLastError() == ERROR_INVALID_FLAGS &&
-         (sz = MultiByteToWideChar(CP_UTF8, (flags = 0),
-                                   filename, len_0, NULL, 0)) > 0)
-        ) {
-        WCHAR wmode[8];
-        WCHAR *wfilename = _alloca(sz * sizeof(WCHAR));
-
-        if (MultiByteToWideChar(CP_UTF8, flags,
-                                filename, len_0, wfilename, sz) &&
-            MultiByteToWideChar(CP_UTF8, 0, mode, strlen(mode) + 1,
-                                wmode, OSSL_NELEM(wmode)) &&
-            (file = _wfopen(wfilename, wmode)) == NULL &&
-            (errno == ENOENT || errno == EBADF)
-            ) {
-            /*
-             * UTF-8 decode succeeded, but no file, filename
-             * could still have been locale-ized...
-             */
-            file = fopen(filename, mode);
-        }
-    } else if (GetLastError() == ERROR_NO_UNICODE_TRANSLATION) {
-        file = fopen(filename, mode);
-    }
-# elif defined(__DJGPP__)
-    {
-        char *newname = NULL;
-
-        if (!HAS_LFN_SUPPORT(filename)) {
-            char *iterator;
-            char lastchar;
-
-            newname = OPENSSL_malloc(strlen(filename) + 1);
-            if (newname == NULL)
-                return NULL;
-
-            for (iterator = newname, lastchar = '\0';
-                *filename; filename++, iterator++) {
-                if (lastchar == '/' && filename[0] == '.'
-                    && filename[1] != '.' && filename[1] != '/') {
-                    /* Leading dots are not permitted in plain DOS. */
-                    *iterator = '_';
-                } else {
-                    *iterator = *filename;
-                }
-                lastchar = *filename;
-            }
-            *iterator = '\0';
-            filename = newname;
-        }
-        file = fopen(filename, mode);
-
-        OPENSSL_free(newname);
-    }
-# else
-    file = fopen(filename, mode);
-# endif
-    return file;
-}
-
-#else
-
-void *openssl_fopen(const char *filename, const char *mode)
-{
-    return NULL;
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/o_init.c b/Cryptlib/OpenSSL/crypto/o_init.c
index 2e0c1260..185841ea 100644
--- a/Cryptlib/OpenSSL/crypto/o_init.c
+++ b/Cryptlib/OpenSSL/crypto/o_init.c
@@ -1,10 +1,56 @@
+/* o_init.c */
 /*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <e_os.h>
@@ -27,8 +73,14 @@ void OPENSSL_init(void)
     done = 1;
 #ifdef OPENSSL_FIPS
     FIPS_set_locking_callbacks(CRYPTO_lock, CRYPTO_add_lock);
+# ifndef OPENSSL_NO_DEPRECATED
+    FIPS_crypto_set_id_callback(CRYPTO_thread_id);
+# endif
     FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
     FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
     RAND_init_fips();
 #endif
+#if 0
+    fprintf(stderr, "Called OPENSSL_init\n");
+#endif
 }
diff --git a/Cryptlib/OpenSSL/crypto/o_str.c b/Cryptlib/OpenSSL/crypto/o_str.c
index beabec0d..7e61cde8 100644
--- a/Cryptlib/OpenSSL/crypto/o_str.c
+++ b/Cryptlib/OpenSSL/crypto/o_str.c
@@ -1,250 +1,116 @@
+/* crypto/o_str.c */
 /*
- * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <ctype.h>
-#include <limits.h>
 #include <e_os.h>
-#include <openssl/crypto.h>
-#include "internal/cryptlib.h"
-#include "internal/o_str.h"
-
-int OPENSSL_memcmp(const void *v1, const void *v2, size_t n)
-{
-    const unsigned char *c1 = v1, *c2 = v2;
-    int ret = 0;
-
-    while (n && (ret = *c1 - *c2) == 0)
-        n--, c1++, c2++;
-
-    return ret;
-}
-
-char *CRYPTO_strdup(const char *str, const char* file, int line)
-{
-    char *ret;
-    size_t size;
-
-    if (str == NULL)
-        return NULL;
-    size = strlen(str) + 1;
-    ret = CRYPTO_malloc(size, file, line);
-    if (ret != NULL)
-        memcpy(ret, str, size);
-    return ret;
-}
-
-char *CRYPTO_strndup(const char *str, size_t s, const char* file, int line)
-{
-    size_t maxlen;
-    char *ret;
-
-    if (str == NULL)
-        return NULL;
-
-    maxlen = OPENSSL_strnlen(str, s);
-
-    ret = CRYPTO_malloc(maxlen + 1, file, line);
-    if (ret) {
-        memcpy(ret, str, maxlen);
-        ret[maxlen] = '\0';
-    }
-    return ret;
-}
-
-void *CRYPTO_memdup(const void *data, size_t siz, const char* file, int line)
-{
-    void *ret;
+#include "o_str.h"
 
-    if (data == NULL || siz >= INT_MAX)
-        return NULL;
-
-    ret = CRYPTO_malloc(siz, file, line);
-    if (ret == NULL) {
-        CRYPTOerr(CRYPTO_F_CRYPTO_MEMDUP, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    return memcpy(ret, data, siz);
-}
-
-size_t OPENSSL_strnlen(const char *str, size_t maxlen)
-{
-    const char *p;
-
-    for (p = str; maxlen-- != 0 && *p != '\0'; ++p) ;
-
-    return p - str;
-}
+#if !defined(OPENSSL_IMPLEMENTS_strncasecmp) && \
+    !defined(OPENSSL_SYSNAME_WIN32) && !defined(OPENSSL_SYSNAME_WINCE) && \
+    !defined(NETWARE_CLIB)
+# include <strings.h>
+#endif
 
-size_t OPENSSL_strlcpy(char *dst, const char *src, size_t size)
+int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n)
 {
-    size_t l = 0;
-    for (; size > 1 && *src; size--) {
-        *dst++ = *src++;
-        l++;
+#if defined(OPENSSL_IMPLEMENTS_strncasecmp)
+    while (*str1 && *str2 && n) {
+        int res = toupper(*str1) - toupper(*str2);
+        if (res)
+            return res < 0 ? -1 : 1;
+        str1++;
+        str2++;
+        n--;
     }
-    if (size)
-        *dst = '\0';
-    return l + strlen(src);
-}
-
-size_t OPENSSL_strlcat(char *dst, const char *src, size_t size)
-{
-    size_t l = 0;
-    for (; size > 0 && *dst; size--, dst++)
-        l++;
-    return l + OPENSSL_strlcpy(dst, src, size);
-}
-
-int OPENSSL_hexchar2int(unsigned char c)
-{
-#ifdef CHARSET_EBCDIC
-    c = os_toebcdic[c];
-#endif
-
-    switch (c) {
-    case '0':
+    if (n == 0)
         return 0;
-    case '1':
+    if (*str1)
         return 1;
-    case '2':
-        return 2;
-    case '3':
-        return 3;
-    case '4':
-          return 4;
-    case '5':
-          return 5;
-    case '6':
-          return 6;
-    case '7':
-          return 7;
-    case '8':
-          return 8;
-    case '9':
-          return 9;
-    case 'a': case 'A':
-          return 0x0A;
-    case 'b': case 'B':
-          return 0x0B;
-    case 'c': case 'C':
-          return 0x0C;
-    case 'd': case 'D':
-          return 0x0D;
-    case 'e': case 'E':
-          return 0x0E;
-    case 'f': case 'F':
-          return 0x0F;
-    }
-    return -1;
+    if (*str2)
+        return -1;
+    return 0;
+#else
+    /*
+     * Recursion hazard warning! Whenever strncasecmp is #defined as
+     * OPENSSL_strncasecmp, OPENSSL_IMPLEMENTS_strncasecmp must be defined as
+     * well.
+     */
+    return strncasecmp(str1, str2, n);
+#endif
 }
 
-/*
- * Give a string of hex digits convert to a buffer
- */
-unsigned char *OPENSSL_hexstr2buf(const char *str, long *len)
+int OPENSSL_strcasecmp(const char *str1, const char *str2)
 {
-    unsigned char *hexbuf, *q;
-    unsigned char ch, cl;
-    int chi, cli;
-    const unsigned char *p;
-    size_t s;
-
-    s = strlen(str);
-    if ((hexbuf = OPENSSL_malloc(s >> 1)) == NULL) {
-        CRYPTOerr(CRYPTO_F_OPENSSL_HEXSTR2BUF, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    for (p = (const unsigned char *)str, q = hexbuf; *p; ) {
-        ch = *p++;
-        if (ch == ':')
-            continue;
-        cl = *p++;
-        if (!cl) {
-            CRYPTOerr(CRYPTO_F_OPENSSL_HEXSTR2BUF,
-                      CRYPTO_R_ODD_NUMBER_OF_DIGITS);
-            OPENSSL_free(hexbuf);
-            return NULL;
-        }
-        cli = OPENSSL_hexchar2int(cl);
-        chi = OPENSSL_hexchar2int(ch);
-        if (cli < 0 || chi < 0) {
-            OPENSSL_free(hexbuf);
-            CRYPTOerr(CRYPTO_F_OPENSSL_HEXSTR2BUF, CRYPTO_R_ILLEGAL_HEX_DIGIT);
-            return NULL;
-        }
-        *q++ = (unsigned char)((chi << 4) | cli);
-    }
-
-    if (len)
-        *len = q - hexbuf;
-    return hexbuf;
+#if defined(OPENSSL_IMPLEMENTS_strncasecmp)
+    return OPENSSL_strncasecmp(str1, str2, (size_t)-1);
+#else
+    return strcasecmp(str1, str2);
+#endif
 }
 
-/*
- * Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
- * hex representation @@@ (Contents of buffer are always kept in ASCII, also
- * on EBCDIC machines)
- */
-char *OPENSSL_buf2hexstr(const unsigned char *buffer, long len)
+int OPENSSL_memcmp(const void *v1, const void *v2, size_t n)
 {
-    const static char hexdig[] = "0123456789ABCDEF";
-    char *tmp, *q;
-    const unsigned char *p;
-    int i;
-
-    if (len == 0)
-    {
-        return OPENSSL_zalloc(1);
-    }
-
-    if ((tmp = OPENSSL_malloc(len * 3)) == NULL) {
-        CRYPTOerr(CRYPTO_F_OPENSSL_BUF2HEXSTR, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    q = tmp;
-    for (i = 0, p = buffer; i < len; i++, p++) {
-        *q++ = hexdig[(*p >> 4) & 0xf];
-        *q++ = hexdig[*p & 0xf];
-        *q++ = ':';
-    }
-    q[-1] = 0;
-#ifdef CHARSET_EBCDIC
-    ebcdic2ascii(tmp, tmp, q - tmp - 1);
-#endif
+    const unsigned char *c1 = v1, *c2 = v2;
+    int ret = 0;
 
-    return tmp;
-}
+    while (n && (ret = *c1 - *c2) == 0)
+        n--, c1++, c2++;
 
-int openssl_strerror_r(int errnum, char *buf, size_t buflen)
-{
-#if defined(_MSC_VER) && _MSC_VER>=1400
-    return !strerror_s(buf, buflen, errnum);
-#elif defined(_GNU_SOURCE)
-    return strerror_r(errnum, buf, buflen) != NULL;
-#elif (_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600)
-    /*
-     * We can use "real" strerror_r. The OpenSSL version differs in that it
-     * gives 1 on success and 0 on failure for consistency with other OpenSSL
-     * functions. Real strerror_r does it the other way around
-     */
-    return !strerror_r(errnum, buf, buflen);
-#else
-    char *err;
-    /* Fall back to non-thread safe strerror()...its all we can do */
-    if (buflen < 2)
-        return 0;
-    err = strerror(errnum);
-    /* Can this ever happen? */
-    if (err == NULL)
-        return 0;
-    strncpy(buf, err, buflen - 1);
-    buf[buflen - 1] = '\0';
-    return 1;
-#endif
+    return ret;
 }
diff --git a/Cryptlib/OpenSSL/crypto/o_str.h b/Cryptlib/OpenSSL/crypto/o_str.h
new file mode 100644
index 00000000..fa512eb3
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/o_str.h
@@ -0,0 +1,69 @@
+/* crypto/o_str.h */
+/*
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_O_STR_H
+# define HEADER_O_STR_H
+
+# include <stddef.h>            /* to get size_t */
+
+int OPENSSL_strcasecmp(const char *str1, const char *str2);
+int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n);
+int OPENSSL_memcmp(const void *p1, const void *p2, size_t n);
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/o_time.c b/Cryptlib/OpenSSL/crypto/o_time.c
index 4b902e09..b99e5990 100644
--- a/Cryptlib/OpenSSL/crypto/o_time.c
+++ b/Cryptlib/OpenSSL/crypto/o_time.c
@@ -1,15 +1,69 @@
+/* crypto/o_time.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2001.
+ */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2008.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/e_os2.h>
 #include <string.h>
-#include <openssl/crypto.h>
+#include "o_time.h"
 
 #ifdef OPENSSL_SYS_VMS
 # if __CRTL_VER >= 70000000 && \
@@ -51,9 +105,12 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 {
     struct tm *ts = NULL;
 
-#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
-    if (gmtime_r(timer, result) == NULL)
-        return NULL;
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_SUNOS)
+    /*
+     * should return &data, but doesn't on some systems, so we don't even
+     * look at the return value
+     */
+    gmtime_r(timer, result);
     ts = result;
 #elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK)
     ts = gmtime(timer);
@@ -142,7 +199,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
             /*-
              * The VMS epoch is the astronomical Smithsonian date,
                if I remember correctly, which is November 17, 1858.
-               Furthermore, time is measure in tenths of microseconds
+               Furthermore, time is measure in thenths of microseconds
                and stored in quadwords (64 bit integers).  unix_epoch
                below is January 1st 1970 expressed as a VMS time.  The
                following code was used to get this number:
@@ -234,7 +291,7 @@ int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec)
     int time_sec, time_year, time_month, time_day;
     long time_jd;
 
-    /* Convert time and offset into Julian day and seconds */
+    /* Convert time and offset into julian day and seconds */
     if (!julian_adj(tm, off_day, offset_sec, &time_jd, &time_sec))
         return 0;
 
@@ -358,3 +415,63 @@ static void julian_to_date(long jd, int *y, int *m, int *d)
     *m = j + 2 - (12 * L);
     *y = 100 * (n - 49) + i + L;
 }
+
+#ifdef OPENSSL_TIME_TEST
+
+# include <stdio.h>
+
+/*
+ * Time checking test code. Check times are identical for a wide range of
+ * offsets. This should be run on a machine with 64 bit time_t or it will
+ * trigger the very errors the routines fix.
+ */
+
+int main(int argc, char **argv)
+{
+    long offset;
+    for (offset = 0; offset < 1000000; offset++) {
+        check_time(offset);
+        check_time(-offset);
+        check_time(offset * 1000);
+        check_time(-offset * 1000);
+    }
+}
+
+int check_time(long offset)
+{
+    struct tm tm1, tm2, o1;
+    int off_day, off_sec;
+    long toffset;
+    time_t t1, t2;
+    time(&t1);
+    t2 = t1 + offset;
+    OPENSSL_gmtime(&t2, &tm2);
+    OPENSSL_gmtime(&t1, &tm1);
+    o1 = tm1;
+    OPENSSL_gmtime_adj(&tm1, 0, offset);
+    if ((tm1.tm_year != tm2.tm_year) ||
+        (tm1.tm_mon != tm2.tm_mon) ||
+        (tm1.tm_mday != tm2.tm_mday) ||
+        (tm1.tm_hour != tm2.tm_hour) ||
+        (tm1.tm_min != tm2.tm_min) || (tm1.tm_sec != tm2.tm_sec)) {
+        fprintf(stderr, "TIME ERROR!!\n");
+        fprintf(stderr, "Time1: %d/%d/%d, %d:%02d:%02d\n",
+                tm2.tm_mday, tm2.tm_mon + 1, tm2.tm_year + 1900,
+                tm2.tm_hour, tm2.tm_min, tm2.tm_sec);
+        fprintf(stderr, "Time2: %d/%d/%d, %d:%02d:%02d\n",
+                tm1.tm_mday, tm1.tm_mon + 1, tm1.tm_year + 1900,
+                tm1.tm_hour, tm1.tm_min, tm1.tm_sec);
+        return 0;
+    }
+    OPENSSL_gmtime_diff(&o1, &tm1, &off_day, &off_sec);
+    toffset = (long)off_day *SECS_PER_DAY + off_sec;
+    if (offset != toffset) {
+        fprintf(stderr, "TIME OFFSET ERROR!!\n");
+        fprintf(stderr, "Expected %ld, Got %ld (%d:%d)\n",
+                offset, toffset, off_day, off_sec);
+        return 0;
+    }
+    return 1;
+}
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/o_time.h b/Cryptlib/OpenSSL/crypto/o_time.h
new file mode 100644
index 00000000..f192c6dc
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/o_time.h
@@ -0,0 +1,70 @@
+/* crypto/o_time.h */
+/*
+ * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_O_TIME_H
+# define HEADER_O_TIME_H
+
+# include <time.h>
+
+struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
+int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec);
+int OPENSSL_gmtime_diff(int *pday, int *psec,
+                        const struct tm *from, const struct tm *to);
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/objects/o_names.c b/Cryptlib/OpenSSL/crypto/objects/o_names.c
index ed98df8c..f106905f 100644
--- a/Cryptlib/OpenSSL/crypto/objects/o_names.c
+++ b/Cryptlib/OpenSSL/crypto/objects/o_names.c
@@ -1,12 +1,3 @@
-/*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -16,40 +7,35 @@
 #include <openssl/objects.h>
 #include <openssl/safestack.h>
 #include <openssl/e_os2.h>
-#include "obj_lcl.h"
 
 /*
- * We define this wrapper for two reasons. Firstly, later versions of
- * DEC C add linkage information to certain functions, which makes it
- * tricky to use them as values to regular function pointers.
- * Secondly, in the EDK2 build environment, the strcmp function is
- * actually an external function (AsciiStrCmp) with the Microsoft ABI,
- * so we can't transparently assign function pointers to it.
- * Arguably the latter is a stupidity of the UEFI environment, but
- * since the wrapper solves the DEC C issue too, let's just use the
- * same solution.
+ * Later versions of DEC C has started to add lnkage information to certain
+ * functions, which makes it tricky to use them as values to regular function
+ * pointers.  One way is to define a macro that takes care of casting them
+ * correctly.
  */
-#if defined(OPENSSL_SYS_VMS_DECC) || defined(OPENSSL_SYS_UEFI)
-static int obj_strcmp(const char *a, const char *b)
-{
-    return strcmp(a, b);
-}
+#ifdef OPENSSL_SYS_VMS_DECC
+# define OPENSSL_strcmp (int (*)(const char *,const char *))strcmp
 #else
-#define obj_strcmp strcmp
+# define OPENSSL_strcmp strcmp
 #endif
 
 /*
  * I use the ex_data stuff to manage the identifiers for the obj_name_types
  * that applications may define.  I only really use the free function field.
  */
+DECLARE_LHASH_OF(OBJ_NAME);
 static LHASH_OF(OBJ_NAME) *names_lh = NULL;
 static int names_type_num = OBJ_NAME_TYPE_NUM;
 
-struct name_funcs_st {
+typedef struct name_funcs_st {
     unsigned long (*hash_func) (const char *name);
     int (*cmp_func) (const char *a, const char *b);
     void (*free_func) (const char *, int, const char *);
-};
+} NAME_FUNCS;
+
+DECLARE_STACK_OF(NAME_FUNCS)
+IMPLEMENT_STACK_OF(NAME_FUNCS)
 
 static STACK_OF(NAME_FUNCS) *name_funcs_stack;
 
@@ -59,16 +45,21 @@ static STACK_OF(NAME_FUNCS) *name_funcs_stack;
  * casting without the need for macro-generated wrapper functions.
  */
 
-static unsigned long obj_name_hash(const OBJ_NAME *a);
-static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME *b);
+/* static unsigned long obj_name_hash(OBJ_NAME *a); */
+static unsigned long obj_name_hash(const void *a_void);
+/* static int obj_name_cmp(OBJ_NAME *a,OBJ_NAME *b); */
+static int obj_name_cmp(const void *a_void, const void *b_void);
+
+static IMPLEMENT_LHASH_HASH_FN(obj_name, OBJ_NAME)
+static IMPLEMENT_LHASH_COMP_FN(obj_name, OBJ_NAME)
 
 int OBJ_NAME_init(void)
 {
     if (names_lh != NULL)
         return (1);
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-    names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+    MemCheck_off();
+    names_lh = lh_OBJ_NAME_new();
+    MemCheck_on();
     return (names_lh != NULL);
 }
 
@@ -76,13 +67,14 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *),
                        int (*cmp_func) (const char *, const char *),
                        void (*free_func) (const char *, int, const char *))
 {
-    int ret, i, push;
+    int ret;
+    int i;
     NAME_FUNCS *name_funcs;
 
     if (name_funcs_stack == NULL) {
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
+        MemCheck_off();
         name_funcs_stack = sk_NAME_FUNCS_new_null();
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
+        MemCheck_on();
     }
     if (name_funcs_stack == NULL) {
         /* ERROR */
@@ -91,25 +83,22 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *),
     ret = names_type_num;
     names_type_num++;
     for (i = sk_NAME_FUNCS_num(name_funcs_stack); i < names_type_num; i++) {
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-        name_funcs = OPENSSL_zalloc(sizeof(*name_funcs));
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
-        if (name_funcs == NULL) {
+        MemCheck_off();
+        name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS));
+        MemCheck_on();
+        if (!name_funcs) {
             OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX, ERR_R_MALLOC_FAILURE);
             return (0);
         }
-        name_funcs->hash_func = OPENSSL_LH_strhash;
-        name_funcs->cmp_func = obj_strcmp;
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-
-        push = sk_NAME_FUNCS_push(name_funcs_stack, name_funcs);
-        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
-
-        if (!push) {
-            OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX, ERR_R_MALLOC_FAILURE);
-            OPENSSL_free(name_funcs);
-            return 0;
-        }
+        name_funcs->hash_func = lh_strhash;
+        name_funcs->cmp_func = OPENSSL_strcmp;
+        name_funcs->free_func = 0; /* NULL is often declared to * ((void
+                                    * *)0), which according * to Compaq C is
+                                    * not really * compatible with a function
+                                    * * pointer.  -- Richard Levitte */
+        MemCheck_off();
+        sk_NAME_FUNCS_push(name_funcs_stack, name_funcs);
+        MemCheck_on();
     }
     name_funcs = sk_NAME_FUNCS_value(name_funcs_stack, ret);
     if (hash_func != NULL)
@@ -121,9 +110,12 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *),
     return (ret);
 }
 
-static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME *b)
+/* static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b) */
+static int obj_name_cmp(const void *a_void, const void *b_void)
 {
     int ret;
+    const OBJ_NAME *a = (const OBJ_NAME *)a_void;
+    const OBJ_NAME *b = (const OBJ_NAME *)b_void;
 
     ret = a->type - b->type;
     if (ret == 0) {
@@ -137,9 +129,11 @@ static int obj_name_cmp(const OBJ_NAME *a, const OBJ_NAME *b)
     return (ret);
 }
 
-static unsigned long obj_name_hash(const OBJ_NAME *a)
+/* static unsigned long obj_name_hash(OBJ_NAME *a) */
+static unsigned long obj_name_hash(const void *a_void)
 {
     unsigned long ret;
+    const OBJ_NAME *a = (const OBJ_NAME *)a_void;
 
     if ((name_funcs_stack != NULL)
         && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type)) {
@@ -147,7 +141,7 @@ static unsigned long obj_name_hash(const OBJ_NAME *a)
             sk_NAME_FUNCS_value(name_funcs_stack,
                                 a->type)->hash_func(a->name);
     } else {
-        ret = OPENSSL_LH_strhash(a->name);
+        ret = lh_strhash(a->name);
     }
     ret ^= a->type;
     return (ret);
@@ -194,7 +188,7 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
     alias = type & OBJ_NAME_ALIAS;
     type &= ~OBJ_NAME_ALIAS;
 
-    onp = OPENSSL_malloc(sizeof(*onp));
+    onp = (OBJ_NAME *)OPENSSL_malloc(sizeof(OBJ_NAME));
     if (onp == NULL) {
         /* ERROR */
         return 0;
@@ -258,30 +252,31 @@ int OBJ_NAME_remove(const char *name, int type)
         return (0);
 }
 
-typedef struct {
+struct doall {
     int type;
     void (*fn) (const OBJ_NAME *, void *arg);
     void *arg;
-} OBJ_DOALL;
+};
 
-static void do_all_fn(const OBJ_NAME *name, OBJ_DOALL *d)
+static void do_all_fn_doall_arg(const OBJ_NAME *name, struct doall *d)
 {
     if (name->type == d->type)
         d->fn(name, d->arg);
 }
 
-IMPLEMENT_LHASH_DOALL_ARG_CONST(OBJ_NAME, OBJ_DOALL);
+static IMPLEMENT_LHASH_DOALL_ARG_FN(do_all_fn, const OBJ_NAME, struct doall)
 
 void OBJ_NAME_do_all(int type, void (*fn) (const OBJ_NAME *, void *arg),
                      void *arg)
 {
-    OBJ_DOALL d;
+    struct doall d;
 
     d.type = type;
     d.fn = fn;
     d.arg = arg;
 
-    lh_OBJ_NAME_doall_OBJ_DOALL(names_lh, do_all_fn, &d);
+    lh_OBJ_NAME_doall_arg(names_lh, LHASH_DOALL_ARG_FN(do_all_fn),
+                          struct doall, &d);
 }
 
 struct doall_sorted {
@@ -317,13 +312,13 @@ void OBJ_NAME_do_all_sorted(int type,
 
     d.type = type;
     d.names =
-        OPENSSL_malloc(sizeof(*d.names) * lh_OBJ_NAME_num_items(names_lh));
+        OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names);
     /* Really should return an error if !d.names...but its a void function! */
-    if (d.names != NULL) {
+    if (d.names) {
         d.n = 0;
         OBJ_NAME_do_all(type, do_all_sorted_fn, &d);
 
-        qsort((void *)d.names, d.n, sizeof(*d.names), do_all_sorted_cmp);
+        qsort((void *)d.names, d.n, sizeof *d.names, do_all_sorted_cmp);
 
         for (n = 0; n < d.n; ++n)
             fn(d.names[n], arg);
@@ -343,6 +338,8 @@ static void names_lh_free_doall(OBJ_NAME *onp)
         OBJ_NAME_remove(onp->name, onp->type);
 }
 
+static IMPLEMENT_LHASH_DOALL_FN(names_lh_free, OBJ_NAME)
+
 static void name_funcs_free(NAME_FUNCS *ptr)
 {
     OPENSSL_free(ptr);
@@ -356,15 +353,15 @@ void OBJ_NAME_cleanup(int type)
         return;
 
     free_type = type;
-    down_load = lh_OBJ_NAME_get_down_load(names_lh);
-    lh_OBJ_NAME_set_down_load(names_lh, 0);
+    down_load = lh_OBJ_NAME_down_load(names_lh);
+    lh_OBJ_NAME_down_load(names_lh) = 0;
 
-    lh_OBJ_NAME_doall(names_lh, names_lh_free_doall);
+    lh_OBJ_NAME_doall(names_lh, LHASH_DOALL_FN(names_lh_free));
     if (type < 0) {
         lh_OBJ_NAME_free(names_lh);
         sk_NAME_FUNCS_pop_free(name_funcs_stack, name_funcs_free);
         names_lh = NULL;
         name_funcs_stack = NULL;
     } else
-        lh_OBJ_NAME_set_down_load(names_lh, down_load);
+        lh_OBJ_NAME_down_load(names_lh) = down_load;
 }
diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_dat.c b/Cryptlib/OpenSSL/crypto/objects/obj_dat.c
index 259851bc..aca382a6 100644
--- a/Cryptlib/OpenSSL/crypto/objects/obj_dat.c
+++ b/Cryptlib/OpenSSL/crypto/objects/obj_dat.c
@@ -1,25 +1,85 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/objects/obj_dat.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <ctype.h>
 #include <limits.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/asn1.h>
-#include "internal/objects.h"
+#include <openssl/objects.h>
 #include <openssl/bn.h>
-#include "internal/asn1_int.h"
-#include "obj_lcl.h"
 
 /* obj_dat.h is generated from objects.h by obj_dat.pl */
-#include "obj_dat.h"
+#ifndef OPENSSL_NO_OBJECT
+# include "obj_dat.h"
+#else
+/* You will have to load all the objects needed manually in the application */
+# define NUM_NID 0
+# define NUM_SN 0
+# define NUM_LN 0
+# define NUM_OBJ 0
+static const unsigned char lvalues[1];
+static const ASN1_OBJECT nid_objs[1];
+static const unsigned int sn_objs[1];
+static const unsigned int ln_objs[1];
+static const unsigned int obj_objs[1];
+#endif
 
 DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, sn);
 DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, ln);
@@ -30,10 +90,11 @@ DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj);
 #define ADDED_LNAME     2
 #define ADDED_NID       3
 
-struct added_obj_st {
+typedef struct added_obj_st {
     int type;
     ASN1_OBJECT *obj;
-};
+} ADDED_OBJ;
+DECLARE_LHASH_OF(ADDED_OBJ);
 
 static int new_nid = NUM_NID;
 static LHASH_OF(ADDED_OBJ) *added = NULL;
@@ -68,10 +129,10 @@ static unsigned long added_obj_hash(const ADDED_OBJ *ca)
             ret ^= p[i] << ((i * 3) % 24);
         break;
     case ADDED_SNAME:
-        ret = OPENSSL_LH_strhash(a->sn);
+        ret = lh_strhash(a->sn);
         break;
     case ADDED_LNAME:
-        ret = OPENSSL_LH_strhash(a->ln);
+        ret = lh_strhash(a->ln);
         break;
     case ADDED_NID:
         ret = a->nid;
@@ -85,6 +146,8 @@ static unsigned long added_obj_hash(const ADDED_OBJ *ca)
     return (ret);
 }
 
+static IMPLEMENT_LHASH_HASH_FN(added_obj, ADDED_OBJ)
+
 static int added_obj_cmp(const ADDED_OBJ *ca, const ADDED_OBJ *cb)
 {
     ASN1_OBJECT *a, *b;
@@ -123,11 +186,13 @@ static int added_obj_cmp(const ADDED_OBJ *ca, const ADDED_OBJ *cb)
     }
 }
 
+static IMPLEMENT_LHASH_COMP_FN(added_obj, ADDED_OBJ)
+
 static int init_added(void)
 {
     if (added != NULL)
         return (1);
-    added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp);
+    added = lh_ADDED_OBJ_new();
     return (added != NULL);
 }
 
@@ -150,14 +215,34 @@ static void cleanup3_doall(ADDED_OBJ *a)
     OPENSSL_free(a);
 }
 
-void obj_cleanup_int(void)
+static IMPLEMENT_LHASH_DOALL_FN(cleanup1, ADDED_OBJ)
+static IMPLEMENT_LHASH_DOALL_FN(cleanup2, ADDED_OBJ)
+static IMPLEMENT_LHASH_DOALL_FN(cleanup3, ADDED_OBJ)
+
+/*
+ * The purpose of obj_cleanup_defer is to avoid EVP_cleanup() attempting to
+ * use freed up OIDs. If neccessary the actual freeing up of OIDs is delayed.
+ */
+int obj_cleanup_defer = 0;
+
+void check_defer(int nid)
+{
+    if (!obj_cleanup_defer && nid >= NUM_NID)
+        obj_cleanup_defer = 1;
+}
+
+void OBJ_cleanup(void)
 {
+    if (obj_cleanup_defer) {
+        obj_cleanup_defer = 2;
+        return;
+    }
     if (added == NULL)
         return;
-    lh_ADDED_OBJ_set_down_load(added, 0);
-    lh_ADDED_OBJ_doall(added, cleanup1_doall); /* zero counters */
-    lh_ADDED_OBJ_doall(added, cleanup2_doall); /* set counters */
-    lh_ADDED_OBJ_doall(added, cleanup3_doall); /* free objects */
+    lh_ADDED_OBJ_down_load(added) = 0;
+    lh_ADDED_OBJ_doall(added, LHASH_DOALL_FN(cleanup1)); /* zero counters */
+    lh_ADDED_OBJ_doall(added, LHASH_DOALL_FN(cleanup2)); /* set counters */
+    lh_ADDED_OBJ_doall(added, LHASH_DOALL_FN(cleanup3)); /* free objects */
     lh_ADDED_OBJ_free(added);
     added = NULL;
 }
@@ -182,16 +267,21 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
             return (0);
     if ((o = OBJ_dup(obj)) == NULL)
         goto err;
-    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
+    if (!(ao[ADDED_NID] = (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ))))
         goto err2;
     if ((o->length != 0) && (obj->data != NULL))
-        if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
+        if (!
+            (ao[ADDED_DATA] = (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ))))
             goto err2;
     if (o->sn != NULL)
-        if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
+        if (!
+            (ao[ADDED_SNAME] =
+             (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ))))
             goto err2;
     if (o->ln != NULL)
-        if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
+        if (!
+            (ao[ADDED_LNAME] =
+             (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ))))
             goto err2;
 
     for (i = ADDED_DATA; i <= ADDED_NID; i++) {
@@ -199,8 +289,9 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
             ao[i]->type = i;
             ao[i]->obj = o;
             aop = lh_ADDED_OBJ_insert(added, ao[i]);
-            /* memory leak, but should not normally matter */
-            OPENSSL_free(aop);
+            /* memory leak, buit should not normally matter */
+            if (aop != NULL)
+                OPENSSL_free(aop);
         }
     }
     o->flags &=
@@ -212,8 +303,10 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
     OBJerr(OBJ_F_OBJ_ADD_OBJECT, ERR_R_MALLOC_FAILURE);
  err:
     for (i = ADDED_DATA; i <= ADDED_NID; i++)
-        OPENSSL_free(ao[i]);
-    OPENSSL_free(o);
+        if (ao[i] != NULL)
+            OPENSSL_free(ao[i]);
+    if (o != NULL)
+        OPENSSL_free(o);
     return (NID_undef);
 }
 
@@ -373,10 +466,8 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
     }
     /* Work out total size */
     j = ASN1_object_size(0, i, V_ASN1_OBJECT);
-    if (j < 0)
-        return NULL;
 
-    if ((buf = OPENSSL_malloc(j)) == NULL)
+    if ((buf = (unsigned char *)OPENSSL_malloc(j)) == NULL)
         return NULL;
 
     p = buf;
@@ -413,7 +504,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
             s = OBJ_nid2sn(nid);
         if (s) {
             if (buf)
-                OPENSSL_strlcpy(buf, s, buf_len);
+                BUF_strlcpy(buf, s, buf_len);
             n = strlen(s);
             return n;
         }
@@ -441,7 +532,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
             if (!(c & 0x80))
                 break;
             if (!use_bn && (l > (ULONG_MAX >> 7L))) {
-                if (bl == NULL && (bl = BN_new()) == NULL)
+                if (!bl && !(bl = BN_new()))
                     goto err;
                 if (!BN_set_word(bl, l))
                     goto err;
@@ -487,7 +578,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                     *buf = '\0';
                     buf_len--;
                 }
-                OPENSSL_strlcpy(buf, bndec, buf_len);
+                BUF_strlcpy(buf, bndec, buf_len);
                 if (i > buf_len) {
                     buf += buf_len;
                     buf_len = 0;
@@ -503,7 +594,7 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
             BIO_snprintf(tbuf, sizeof tbuf, ".%lu", l);
             i = strlen(tbuf);
             if (buf && (buf_len > 0)) {
-                OPENSSL_strlcpy(buf, tbuf, buf_len);
+                BUF_strlcpy(buf, tbuf, buf_len);
                 if (i > buf_len) {
                     buf += buf_len;
                     buf_len = 0;
@@ -517,11 +608,13 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
         }
     }
 
-    BN_free(bl);
+    if (bl)
+        BN_free(bl);
     return n;
 
  err:
-    BN_free(bl);
+    if (bl)
+        BN_free(bl);
     return -1;
 }
 
@@ -634,7 +727,7 @@ const void *OBJ_bsearch_ex_(const void *key, const void *base_, int num,
 
 int OBJ_create_objects(BIO *in)
 {
-    char buf[512];
+    MS_STATIC char buf[512];
     int i, num = 0;
     char *o, *s, *l = NULL;
 
@@ -681,48 +774,28 @@ int OBJ_create_objects(BIO *in)
 
 int OBJ_create(const char *oid, const char *sn, const char *ln)
 {
-    ASN1_OBJECT *tmpoid = NULL;
     int ok = 0;
+    ASN1_OBJECT *op = NULL;
+    unsigned char *buf;
+    int i;
 
-    /* Check to see if short or long name already present */
-    if (OBJ_sn2nid(sn) != NID_undef || OBJ_ln2nid(ln) != NID_undef) {
-        OBJerr(OBJ_F_OBJ_CREATE, OBJ_R_OID_EXISTS);
-        return 0;
-    }
-
-    /* Convert numerical OID string to an ASN1_OBJECT structure */
-    tmpoid = OBJ_txt2obj(oid, 1);
+    i = a2d_ASN1_OBJECT(NULL, 0, oid, -1);
+    if (i <= 0)
+        return (0);
 
-    /* If NID is not NID_undef then object already exists */
-    if (OBJ_obj2nid(tmpoid) != NID_undef) {
-        OBJerr(OBJ_F_OBJ_CREATE, OBJ_R_OID_EXISTS);
-        goto err;
+    if ((buf = (unsigned char *)OPENSSL_malloc(i)) == NULL) {
+        OBJerr(OBJ_F_OBJ_CREATE, ERR_R_MALLOC_FAILURE);
+        return (0);
     }
-
-    tmpoid->nid = OBJ_new_nid(1);
-    tmpoid->sn = (char *)sn;
-    tmpoid->ln = (char *)ln;
-
-    ok = OBJ_add_object(tmpoid);
-
-    tmpoid->sn = NULL;
-    tmpoid->ln = NULL;
-
+    i = a2d_ASN1_OBJECT(buf, i, oid, -1);
+    if (i == 0)
+        goto err;
+    op = (ASN1_OBJECT *)ASN1_OBJECT_create(OBJ_new_nid(1), buf, i, sn, ln);
+    if (op == NULL)
+        goto err;
+    ok = OBJ_add_object(op);
  err:
-    ASN1_OBJECT_free(tmpoid);
-    return ok;
-}
-
-size_t OBJ_length(const ASN1_OBJECT *obj)
-{
-    if (obj == NULL)
-        return 0;
-    return obj->length;
-}
-
-const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj)
-{
-    if (obj == NULL)
-        return NULL;
-    return obj->data;
+    ASN1_OBJECT_free(op);
+    OPENSSL_free(buf);
+    return (ok);
 }
diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_dat.h b/Cryptlib/OpenSSL/crypto/objects/obj_dat.h
index e1fc64f7..b7e3cf28 100644
--- a/Cryptlib/OpenSSL/crypto/objects/obj_dat.h
+++ b/Cryptlib/OpenSSL/crypto/objects/obj_dat.h
@@ -1,5101 +1,5319 @@
-/*
- * WARNING: do not edit!
- * Generated by crypto/objects/obj_dat.pl
+/* crypto/objects/obj_dat.h */
+
+/* THIS FILE IS GENERATED FROM objects.h by obj_dat.pl via the
+ * following command:
+ * perl obj_dat.pl obj_mac.h obj_dat.h
+ */
+
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-/* Serialized OID's */
-static const unsigned char so[6765] = {
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05,       /* [   21] OBJ_md5 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x04,       /* [   29] OBJ_rc4 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,  /* [   37] OBJ_rsaEncryption */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02,  /* [   46] OBJ_md2WithRSAEncryption */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04,  /* [   55] OBJ_md5WithRSAEncryption */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x01,  /* [   64] OBJ_pbeWithMD2AndDES_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x03,  /* [   73] OBJ_pbeWithMD5AndDES_CBC */
-    0x55,                                          /* [   82] OBJ_X500 */
-    0x55,0x04,                                     /* [   83] OBJ_X509 */
-    0x55,0x04,0x03,                                /* [   85] OBJ_commonName */
-    0x55,0x04,0x06,                                /* [   88] OBJ_countryName */
-    0x55,0x04,0x07,                                /* [   91] OBJ_localityName */
-    0x55,0x04,0x08,                                /* [   94] OBJ_stateOrProvinceName */
-    0x55,0x04,0x0A,                                /* [   97] OBJ_organizationName */
-    0x55,0x04,0x0B,                                /* [  100] OBJ_organizationalUnitName */
-    0x55,0x08,0x01,0x01,                           /* [  103] OBJ_rsa */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,       /* [  107] OBJ_pkcs7 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,  /* [  115] OBJ_pkcs7_data */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,  /* [  124] OBJ_pkcs7_signed */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x03,  /* [  133] OBJ_pkcs7_enveloped */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x04,  /* [  142] OBJ_pkcs7_signedAndEnveloped */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x05,  /* [  151] OBJ_pkcs7_digest */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x06,  /* [  160] OBJ_pkcs7_encrypted */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,       /* [  169] OBJ_pkcs3 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,0x01,  /* [  177] OBJ_dhKeyAgreement */
-    0x2B,0x0E,0x03,0x02,0x06,                      /* [  186] OBJ_des_ecb */
-    0x2B,0x0E,0x03,0x02,0x09,                      /* [  191] OBJ_des_cfb64 */
-    0x2B,0x0E,0x03,0x02,0x07,                      /* [  196] OBJ_des_cbc */
-    0x2B,0x0E,0x03,0x02,0x11,                      /* [  201] OBJ_des_ede_ecb */
-    0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,  /* [  206] OBJ_idea_cbc */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02,       /* [  217] OBJ_rc2_cbc */
-    0x2B,0x0E,0x03,0x02,0x12,                      /* [  225] OBJ_sha */
-    0x2B,0x0E,0x03,0x02,0x0F,                      /* [  230] OBJ_shaWithRSAEncryption */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07,       /* [  235] OBJ_des_ede3_cbc */
-    0x2B,0x0E,0x03,0x02,0x08,                      /* [  243] OBJ_des_ofb64 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,       /* [  248] OBJ_pkcs9 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,  /* [  256] OBJ_pkcs9_emailAddress */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x02,  /* [  265] OBJ_pkcs9_unstructuredName */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03,  /* [  274] OBJ_pkcs9_contentType */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04,  /* [  283] OBJ_pkcs9_messageDigest */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05,  /* [  292] OBJ_pkcs9_signingTime */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x06,  /* [  301] OBJ_pkcs9_countersignature */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07,  /* [  310] OBJ_pkcs9_challengePassword */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x08,  /* [  319] OBJ_pkcs9_unstructuredAddress */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x09,  /* [  328] OBJ_pkcs9_extCertAttributes */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,            /* [  337] OBJ_netscape */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,       /* [  344] OBJ_netscape_cert_extension */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,       /* [  352] OBJ_netscape_data_type */
-    0x2B,0x0E,0x03,0x02,0x1A,                      /* [  360] OBJ_sha1 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,  /* [  365] OBJ_sha1WithRSAEncryption */
-    0x2B,0x0E,0x03,0x02,0x0D,                      /* [  374] OBJ_dsaWithSHA */
-    0x2B,0x0E,0x03,0x02,0x0C,                      /* [  379] OBJ_dsa_2 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0B,  /* [  384] OBJ_pbeWithSHA1AndRC2_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0C,  /* [  393] OBJ_id_pbkdf2 */
-    0x2B,0x0E,0x03,0x02,0x1B,                      /* [  402] OBJ_dsaWithSHA1_2 */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,  /* [  407] OBJ_netscape_cert_type */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x02,  /* [  416] OBJ_netscape_base_url */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x03,  /* [  425] OBJ_netscape_revocation_url */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,  /* [  434] OBJ_netscape_ca_revocation_url */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x07,  /* [  443] OBJ_netscape_renewal_url */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x08,  /* [  452] OBJ_netscape_ca_policy_url */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0C,  /* [  461] OBJ_netscape_ssl_server_name */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,  /* [  470] OBJ_netscape_comment */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,0x05,  /* [  479] OBJ_netscape_cert_sequence */
-    0x55,0x1D,                                     /* [  488] OBJ_id_ce */
-    0x55,0x1D,0x0E,                                /* [  490] OBJ_subject_key_identifier */
-    0x55,0x1D,0x0F,                                /* [  493] OBJ_key_usage */
-    0x55,0x1D,0x10,                                /* [  496] OBJ_private_key_usage_period */
-    0x55,0x1D,0x11,                                /* [  499] OBJ_subject_alt_name */
-    0x55,0x1D,0x12,                                /* [  502] OBJ_issuer_alt_name */
-    0x55,0x1D,0x13,                                /* [  505] OBJ_basic_constraints */
-    0x55,0x1D,0x14,                                /* [  508] OBJ_crl_number */
-    0x55,0x1D,0x20,                                /* [  511] OBJ_certificate_policies */
-    0x55,0x1D,0x23,                                /* [  514] OBJ_authority_key_identifier */
-    0x2B,0x06,0x01,0x04,0x01,0x97,0x55,0x01,0x02,  /* [  517] OBJ_bf_cbc */
-    0x55,0x08,0x03,0x65,                           /* [  526] OBJ_mdc2 */
-    0x55,0x08,0x03,0x64,                           /* [  530] OBJ_mdc2WithRSA */
-    0x55,0x04,0x2A,                                /* [  534] OBJ_givenName */
-    0x55,0x04,0x04,                                /* [  537] OBJ_surname */
-    0x55,0x04,0x2B,                                /* [  540] OBJ_initials */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2C,  /* [  543] OBJ_uniqueIdentifier */
-    0x55,0x1D,0x1F,                                /* [  553] OBJ_crl_distribution_points */
-    0x2B,0x0E,0x03,0x02,0x03,                      /* [  556] OBJ_md5WithRSA */
-    0x55,0x04,0x05,                                /* [  561] OBJ_serialNumber */
-    0x55,0x04,0x0C,                                /* [  564] OBJ_title */
-    0x55,0x04,0x0D,                                /* [  567] OBJ_description */
-    0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0A,  /* [  570] OBJ_cast5_cbc */
-    0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0C,  /* [  579] OBJ_pbeWithMD5AndCast5_CBC */
-    0x2A,0x86,0x48,0xCE,0x38,0x04,0x03,            /* [  588] OBJ_dsaWithSHA1 */
-    0x2B,0x0E,0x03,0x02,0x1D,                      /* [  595] OBJ_sha1WithRSA */
-    0x2A,0x86,0x48,0xCE,0x38,0x04,0x01,            /* [  600] OBJ_dsa */
-    0x2B,0x24,0x03,0x02,0x01,                      /* [  607] OBJ_ripemd160 */
-    0x2B,0x24,0x03,0x03,0x01,0x02,                 /* [  612] OBJ_ripemd160WithRSA */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x08,       /* [  618] OBJ_rc5_cbc */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x08,  /* [  626] OBJ_zlib_compression */
-    0x55,0x1D,0x25,                                /* [  637] OBJ_ext_key_usage */
-    0x2B,0x06,0x01,0x05,0x05,0x07,                 /* [  640] OBJ_id_pkix */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,            /* [  646] OBJ_id_kp */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,       /* [  653] OBJ_server_auth */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,       /* [  661] OBJ_client_auth */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,       /* [  669] OBJ_code_sign */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04,       /* [  677] OBJ_email_protect */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08,       /* [  685] OBJ_time_stamp */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,  /* [  693] OBJ_ms_code_ind */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,  /* [  703] OBJ_ms_code_com */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,  /* [  713] OBJ_ms_ctl_sign */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03,  /* [  723] OBJ_ms_sgc */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x04,  /* [  733] OBJ_ms_efs */
-    0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01,  /* [  743] OBJ_ns_sgc */
-    0x55,0x1D,0x1B,                                /* [  752] OBJ_delta_crl */
-    0x55,0x1D,0x15,                                /* [  755] OBJ_crl_reason */
-    0x55,0x1D,0x18,                                /* [  758] OBJ_invalidity_date */
-    0x2B,0x65,0x01,0x04,0x01,                      /* [  761] OBJ_sxnet */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x01,  /* [  766] OBJ_pbe_WithSHA1And128BitRC4 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x02,  /* [  776] OBJ_pbe_WithSHA1And40BitRC4 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03,  /* [  786] OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x04,  /* [  796] OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x05,  /* [  806] OBJ_pbe_WithSHA1And128BitRC2_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x06,  /* [  816] OBJ_pbe_WithSHA1And40BitRC2_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x01,  /* [  826] OBJ_keyBag */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x02,  /* [  837] OBJ_pkcs8ShroudedKeyBag */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03,  /* [  848] OBJ_certBag */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x04,  /* [  859] OBJ_crlBag */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x05,  /* [  870] OBJ_secretBag */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x06,  /* [  881] OBJ_safeContentsBag */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x14,  /* [  892] OBJ_friendlyName */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x15,  /* [  901] OBJ_localKeyID */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x01,  /* [  910] OBJ_x509Certificate */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x02,  /* [  920] OBJ_sdsiCertificate */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x17,0x01,  /* [  930] OBJ_x509Crl */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D,  /* [  940] OBJ_pbes2 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0E,  /* [  949] OBJ_pbmac1 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x07,       /* [  958] OBJ_hmacWithSHA1 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,       /* [  966] OBJ_id_qt_cps */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,       /* [  974] OBJ_id_qt_unotice */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0F,  /* [  982] OBJ_SMIMECapabilities */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x04,  /* [  991] OBJ_pbeWithMD2AndRC2_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x06,  /* [ 1000] OBJ_pbeWithMD5AndRC2_CBC */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0A,  /* [ 1009] OBJ_pbeWithSHA1AndDES_CBC */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0E,  /* [ 1018] OBJ_ms_ext_req */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E,  /* [ 1028] OBJ_ext_req */
-    0x55,0x04,0x29,                                /* [ 1037] OBJ_name */
-    0x55,0x04,0x2E,                                /* [ 1040] OBJ_dnQualifier */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,            /* [ 1043] OBJ_id_pe */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,            /* [ 1050] OBJ_id_ad */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,       /* [ 1057] OBJ_info_access */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,       /* [ 1065] OBJ_ad_OCSP */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,       /* [ 1073] OBJ_ad_ca_issuers */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,       /* [ 1081] OBJ_OCSP_sign */
-    0x2A,                                          /* [ 1089] OBJ_member_body */
-    0x2A,0x86,0x48,                                /* [ 1090] OBJ_ISO_US */
-    0x2A,0x86,0x48,0xCE,0x38,                      /* [ 1093] OBJ_X9_57 */
-    0x2A,0x86,0x48,0xCE,0x38,0x04,                 /* [ 1098] OBJ_X9cm */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,       /* [ 1104] OBJ_pkcs1 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,       /* [ 1112] OBJ_pkcs5 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,  /* [ 1120] OBJ_SMIME */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,  /* [ 1129] OBJ_id_smime_mod */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,  /* [ 1139] OBJ_id_smime_ct */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,  /* [ 1149] OBJ_id_smime_aa */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,  /* [ 1159] OBJ_id_smime_alg */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,  /* [ 1169] OBJ_id_smime_cd */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,  /* [ 1179] OBJ_id_smime_spq */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,  /* [ 1189] OBJ_id_smime_cti */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x01,  /* [ 1199] OBJ_id_smime_mod_cms */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x02,  /* [ 1210] OBJ_id_smime_mod_ess */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x03,  /* [ 1221] OBJ_id_smime_mod_oid */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x04,  /* [ 1232] OBJ_id_smime_mod_msg_v3 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x05,  /* [ 1243] OBJ_id_smime_mod_ets_eSignature_88 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x06,  /* [ 1254] OBJ_id_smime_mod_ets_eSignature_97 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x07,  /* [ 1265] OBJ_id_smime_mod_ets_eSigPolicy_88 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x08,  /* [ 1276] OBJ_id_smime_mod_ets_eSigPolicy_97 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x01,  /* [ 1287] OBJ_id_smime_ct_receipt */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x02,  /* [ 1298] OBJ_id_smime_ct_authData */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x03,  /* [ 1309] OBJ_id_smime_ct_publishCert */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x04,  /* [ 1320] OBJ_id_smime_ct_TSTInfo */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x05,  /* [ 1331] OBJ_id_smime_ct_TDTInfo */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x06,  /* [ 1342] OBJ_id_smime_ct_contentInfo */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x07,  /* [ 1353] OBJ_id_smime_ct_DVCSRequestData */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x08,  /* [ 1364] OBJ_id_smime_ct_DVCSResponseData */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x01,  /* [ 1375] OBJ_id_smime_aa_receiptRequest */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x02,  /* [ 1386] OBJ_id_smime_aa_securityLabel */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x03,  /* [ 1397] OBJ_id_smime_aa_mlExpandHistory */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x04,  /* [ 1408] OBJ_id_smime_aa_contentHint */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x05,  /* [ 1419] OBJ_id_smime_aa_msgSigDigest */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x06,  /* [ 1430] OBJ_id_smime_aa_encapContentType */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x07,  /* [ 1441] OBJ_id_smime_aa_contentIdentifier */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x08,  /* [ 1452] OBJ_id_smime_aa_macValue */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x09,  /* [ 1463] OBJ_id_smime_aa_equivalentLabels */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0A,  /* [ 1474] OBJ_id_smime_aa_contentReference */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0B,  /* [ 1485] OBJ_id_smime_aa_encrypKeyPref */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0C,  /* [ 1496] OBJ_id_smime_aa_signingCertificate */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0D,  /* [ 1507] OBJ_id_smime_aa_smimeEncryptCerts */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E,  /* [ 1518] OBJ_id_smime_aa_timeStampToken */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0F,  /* [ 1529] OBJ_id_smime_aa_ets_sigPolicyId */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x10,  /* [ 1540] OBJ_id_smime_aa_ets_commitmentType */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x11,  /* [ 1551] OBJ_id_smime_aa_ets_signerLocation */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x12,  /* [ 1562] OBJ_id_smime_aa_ets_signerAttr */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x13,  /* [ 1573] OBJ_id_smime_aa_ets_otherSigCert */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x14,  /* [ 1584] OBJ_id_smime_aa_ets_contentTimestamp */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x15,  /* [ 1595] OBJ_id_smime_aa_ets_CertificateRefs */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x16,  /* [ 1606] OBJ_id_smime_aa_ets_RevocationRefs */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x17,  /* [ 1617] OBJ_id_smime_aa_ets_certValues */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x18,  /* [ 1628] OBJ_id_smime_aa_ets_revocationValues */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x19,  /* [ 1639] OBJ_id_smime_aa_ets_escTimeStamp */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1A,  /* [ 1650] OBJ_id_smime_aa_ets_certCRLTimestamp */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1B,  /* [ 1661] OBJ_id_smime_aa_ets_archiveTimeStamp */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1C,  /* [ 1672] OBJ_id_smime_aa_signatureType */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1D,  /* [ 1683] OBJ_id_smime_aa_dvcs_dvc */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x01,  /* [ 1694] OBJ_id_smime_alg_ESDHwith3DES */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x02,  /* [ 1705] OBJ_id_smime_alg_ESDHwithRC2 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x03,  /* [ 1716] OBJ_id_smime_alg_3DESwrap */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x04,  /* [ 1727] OBJ_id_smime_alg_RC2wrap */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x05,  /* [ 1738] OBJ_id_smime_alg_ESDH */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x06,  /* [ 1749] OBJ_id_smime_alg_CMS3DESwrap */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x07,  /* [ 1760] OBJ_id_smime_alg_CMSRC2wrap */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,0x01,  /* [ 1771] OBJ_id_smime_cd_ldap */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x01,  /* [ 1782] OBJ_id_smime_spq_ets_sqt_uri */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x02,  /* [ 1793] OBJ_id_smime_spq_ets_sqt_unotice */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x01,  /* [ 1804] OBJ_id_smime_cti_ets_proofOfOrigin */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x02,  /* [ 1815] OBJ_id_smime_cti_ets_proofOfReceipt */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x03,  /* [ 1826] OBJ_id_smime_cti_ets_proofOfDelivery */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x04,  /* [ 1837] OBJ_id_smime_cti_ets_proofOfSender */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x05,  /* [ 1848] OBJ_id_smime_cti_ets_proofOfApproval */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x06,  /* [ 1859] OBJ_id_smime_cti_ets_proofOfCreation */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x04,       /* [ 1870] OBJ_md4 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,            /* [ 1878] OBJ_id_pkix_mod */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x02,            /* [ 1885] OBJ_id_qt */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,            /* [ 1892] OBJ_id_it */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,            /* [ 1899] OBJ_id_pkip */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x06,            /* [ 1906] OBJ_id_alg */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,            /* [ 1913] OBJ_id_cmc */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x08,            /* [ 1920] OBJ_id_on */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x09,            /* [ 1927] OBJ_id_pda */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,            /* [ 1934] OBJ_id_aca */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,            /* [ 1941] OBJ_id_qcs */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,            /* [ 1948] OBJ_id_cct */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x01,       /* [ 1955] OBJ_id_pkix1_explicit_88 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x02,       /* [ 1963] OBJ_id_pkix1_implicit_88 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x03,       /* [ 1971] OBJ_id_pkix1_explicit_93 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x04,       /* [ 1979] OBJ_id_pkix1_implicit_93 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x05,       /* [ 1987] OBJ_id_mod_crmf */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x06,       /* [ 1995] OBJ_id_mod_cmc */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x07,       /* [ 2003] OBJ_id_mod_kea_profile_88 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x08,       /* [ 2011] OBJ_id_mod_kea_profile_93 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x09,       /* [ 2019] OBJ_id_mod_cmp */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0A,       /* [ 2027] OBJ_id_mod_qualified_cert_88 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0B,       /* [ 2035] OBJ_id_mod_qualified_cert_93 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0C,       /* [ 2043] OBJ_id_mod_attribute_cert */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0D,       /* [ 2051] OBJ_id_mod_timestamp_protocol */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0E,       /* [ 2059] OBJ_id_mod_ocsp */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0F,       /* [ 2067] OBJ_id_mod_dvcs */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x10,       /* [ 2075] OBJ_id_mod_cmp2000 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x02,       /* [ 2083] OBJ_biometricInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x03,       /* [ 2091] OBJ_qcStatements */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,       /* [ 2099] OBJ_ac_auditEntity */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,       /* [ 2107] OBJ_ac_targeting */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,       /* [ 2115] OBJ_aaControls */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,       /* [ 2123] OBJ_sbgp_ipAddrBlock */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,       /* [ 2131] OBJ_sbgp_autonomousSysNum */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,       /* [ 2139] OBJ_sbgp_routerIdentifier */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,       /* [ 2147] OBJ_textNotice */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,       /* [ 2155] OBJ_ipsecEndSystem */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,       /* [ 2163] OBJ_ipsecTunnel */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x07,       /* [ 2171] OBJ_ipsecUser */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x0A,       /* [ 2179] OBJ_dvcs */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x01,       /* [ 2187] OBJ_id_it_caProtEncCert */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x02,       /* [ 2195] OBJ_id_it_signKeyPairTypes */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x03,       /* [ 2203] OBJ_id_it_encKeyPairTypes */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x04,       /* [ 2211] OBJ_id_it_preferredSymmAlg */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x05,       /* [ 2219] OBJ_id_it_caKeyUpdateInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x06,       /* [ 2227] OBJ_id_it_currentCRL */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x07,       /* [ 2235] OBJ_id_it_unsupportedOIDs */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x08,       /* [ 2243] OBJ_id_it_subscriptionRequest */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x09,       /* [ 2251] OBJ_id_it_subscriptionResponse */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0A,       /* [ 2259] OBJ_id_it_keyPairParamReq */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0B,       /* [ 2267] OBJ_id_it_keyPairParamRep */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0C,       /* [ 2275] OBJ_id_it_revPassphrase */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0D,       /* [ 2283] OBJ_id_it_implicitConfirm */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0E,       /* [ 2291] OBJ_id_it_confirmWaitTime */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0F,       /* [ 2299] OBJ_id_it_origPKIMessage */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,       /* [ 2307] OBJ_id_regCtrl */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,       /* [ 2315] OBJ_id_regInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x01,  /* [ 2323] OBJ_id_regCtrl_regToken */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x02,  /* [ 2332] OBJ_id_regCtrl_authenticator */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x03,  /* [ 2341] OBJ_id_regCtrl_pkiPublicationInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x04,  /* [ 2350] OBJ_id_regCtrl_pkiArchiveOptions */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x05,  /* [ 2359] OBJ_id_regCtrl_oldCertID */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x06,  /* [ 2368] OBJ_id_regCtrl_protocolEncrKey */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x01,  /* [ 2377] OBJ_id_regInfo_utf8Pairs */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x02,  /* [ 2386] OBJ_id_regInfo_certReq */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x01,       /* [ 2395] OBJ_id_alg_des40 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x02,       /* [ 2403] OBJ_id_alg_noSignature */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x03,       /* [ 2411] OBJ_id_alg_dh_sig_hmac_sha1 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x04,       /* [ 2419] OBJ_id_alg_dh_pop */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x01,       /* [ 2427] OBJ_id_cmc_statusInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x02,       /* [ 2435] OBJ_id_cmc_identification */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x03,       /* [ 2443] OBJ_id_cmc_identityProof */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x04,       /* [ 2451] OBJ_id_cmc_dataReturn */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x05,       /* [ 2459] OBJ_id_cmc_transactionId */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x06,       /* [ 2467] OBJ_id_cmc_senderNonce */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x07,       /* [ 2475] OBJ_id_cmc_recipientNonce */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x08,       /* [ 2483] OBJ_id_cmc_addExtensions */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x09,       /* [ 2491] OBJ_id_cmc_encryptedPOP */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0A,       /* [ 2499] OBJ_id_cmc_decryptedPOP */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0B,       /* [ 2507] OBJ_id_cmc_lraPOPWitness */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0F,       /* [ 2515] OBJ_id_cmc_getCert */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x10,       /* [ 2523] OBJ_id_cmc_getCRL */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x11,       /* [ 2531] OBJ_id_cmc_revokeRequest */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x12,       /* [ 2539] OBJ_id_cmc_regInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x13,       /* [ 2547] OBJ_id_cmc_responseInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x15,       /* [ 2555] OBJ_id_cmc_queryPending */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x16,       /* [ 2563] OBJ_id_cmc_popLinkRandom */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x17,       /* [ 2571] OBJ_id_cmc_popLinkWitness */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x18,       /* [ 2579] OBJ_id_cmc_confirmCertAcceptance */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x01,       /* [ 2587] OBJ_id_on_personalData */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x01,       /* [ 2595] OBJ_id_pda_dateOfBirth */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x02,       /* [ 2603] OBJ_id_pda_placeOfBirth */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03,       /* [ 2611] OBJ_id_pda_gender */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04,       /* [ 2619] OBJ_id_pda_countryOfCitizenship */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05,       /* [ 2627] OBJ_id_pda_countryOfResidence */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01,       /* [ 2635] OBJ_id_aca_authenticationInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02,       /* [ 2643] OBJ_id_aca_accessIdentity */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03,       /* [ 2651] OBJ_id_aca_chargingIdentity */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04,       /* [ 2659] OBJ_id_aca_group */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05,       /* [ 2667] OBJ_id_aca_role */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01,       /* [ 2675] OBJ_id_qcs_pkixQCSyntax_v1 */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01,       /* [ 2683] OBJ_id_cct_crs */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02,       /* [ 2691] OBJ_id_cct_PKIData */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03,       /* [ 2699] OBJ_id_cct_PKIResponse */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03,       /* [ 2707] OBJ_ad_timeStamping */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04,       /* [ 2715] OBJ_ad_dvcs */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,  /* [ 2723] OBJ_id_pkix_OCSP_basic */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,  /* [ 2732] OBJ_id_pkix_OCSP_Nonce */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03,  /* [ 2741] OBJ_id_pkix_OCSP_CrlID */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04,  /* [ 2750] OBJ_id_pkix_OCSP_acceptableResponses */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,  /* [ 2759] OBJ_id_pkix_OCSP_noCheck */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06,  /* [ 2768] OBJ_id_pkix_OCSP_archiveCutoff */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07,  /* [ 2777] OBJ_id_pkix_OCSP_serviceLocator */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08,  /* [ 2786] OBJ_id_pkix_OCSP_extendedStatus */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09,  /* [ 2795] OBJ_id_pkix_OCSP_valid */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A,  /* [ 2804] OBJ_id_pkix_OCSP_path */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B,  /* [ 2813] OBJ_id_pkix_OCSP_trustRoot */
-    0x2B,0x0E,0x03,0x02,                           /* [ 2822] OBJ_algorithm */
-    0x2B,0x0E,0x03,0x02,0x0B,                      /* [ 2826] OBJ_rsaSignature */
-    0x55,0x08,                                     /* [ 2831] OBJ_X500algorithms */
-    0x2B,                                          /* [ 2833] OBJ_org */
-    0x2B,0x06,                                     /* [ 2834] OBJ_dod */
-    0x2B,0x06,0x01,                                /* [ 2836] OBJ_iana */
-    0x2B,0x06,0x01,0x01,                           /* [ 2839] OBJ_Directory */
-    0x2B,0x06,0x01,0x02,                           /* [ 2843] OBJ_Management */
-    0x2B,0x06,0x01,0x03,                           /* [ 2847] OBJ_Experimental */
-    0x2B,0x06,0x01,0x04,                           /* [ 2851] OBJ_Private */
-    0x2B,0x06,0x01,0x05,                           /* [ 2855] OBJ_Security */
-    0x2B,0x06,0x01,0x06,                           /* [ 2859] OBJ_SNMPv2 */
-    0x2B,0x06,0x01,0x07,                           /* [ 2863] OBJ_Mail */
-    0x2B,0x06,0x01,0x04,0x01,                      /* [ 2867] OBJ_Enterprises */
-    0x2B,0x06,0x01,0x04,0x01,0x8B,0x3A,0x82,0x58,  /* [ 2872] OBJ_dcObject */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,  /* [ 2881] OBJ_domainComponent */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,  /* [ 2891] OBJ_Domain */
-    0x55,0x01,0x05,                                /* [ 2901] OBJ_selected_attribute_types */
-    0x55,0x01,0x05,0x37,                           /* [ 2904] OBJ_clearance */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,  /* [ 2908] OBJ_md4WithRSAEncryption */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A,       /* [ 2917] OBJ_ac_proxying */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B,       /* [ 2925] OBJ_sinfo_access */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06,       /* [ 2933] OBJ_id_aca_encAttrs */
-    0x55,0x04,0x48,                                /* [ 2941] OBJ_role */
-    0x55,0x1D,0x24,                                /* [ 2944] OBJ_policy_constraints */
-    0x55,0x1D,0x37,                                /* [ 2947] OBJ_target_information */
-    0x55,0x1D,0x38,                                /* [ 2950] OBJ_no_rev_avail */
-    0x2A,0x86,0x48,0xCE,0x3D,                      /* [ 2953] OBJ_ansi_X9_62 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x01,0x01,            /* [ 2958] OBJ_X9_62_prime_field */
-    0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,            /* [ 2965] OBJ_X9_62_characteristic_two_field */
-    0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,            /* [ 2972] OBJ_X9_62_id_ecPublicKey */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01,       /* [ 2979] OBJ_X9_62_prime192v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02,       /* [ 2987] OBJ_X9_62_prime192v2 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03,       /* [ 2995] OBJ_X9_62_prime192v3 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04,       /* [ 3003] OBJ_X9_62_prime239v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05,       /* [ 3011] OBJ_X9_62_prime239v2 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06,       /* [ 3019] OBJ_X9_62_prime239v3 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,       /* [ 3027] OBJ_X9_62_prime256v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01,            /* [ 3035] OBJ_ecdsa_with_SHA1 */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x01,  /* [ 3042] OBJ_ms_csp_name */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x01,  /* [ 3051] OBJ_aes_128_ecb */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x02,  /* [ 3060] OBJ_aes_128_cbc */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x03,  /* [ 3069] OBJ_aes_128_ofb128 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x04,  /* [ 3078] OBJ_aes_128_cfb128 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x15,  /* [ 3087] OBJ_aes_192_ecb */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x16,  /* [ 3096] OBJ_aes_192_cbc */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x17,  /* [ 3105] OBJ_aes_192_ofb128 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x18,  /* [ 3114] OBJ_aes_192_cfb128 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x29,  /* [ 3123] OBJ_aes_256_ecb */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2A,  /* [ 3132] OBJ_aes_256_cbc */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2B,  /* [ 3141] OBJ_aes_256_ofb128 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2C,  /* [ 3150] OBJ_aes_256_cfb128 */
-    0x55,0x1D,0x17,                                /* [ 3159] OBJ_hold_instruction_code */
-    0x2A,0x86,0x48,0xCE,0x38,0x02,0x01,            /* [ 3162] OBJ_hold_instruction_none */
-    0x2A,0x86,0x48,0xCE,0x38,0x02,0x02,            /* [ 3169] OBJ_hold_instruction_call_issuer */
-    0x2A,0x86,0x48,0xCE,0x38,0x02,0x03,            /* [ 3176] OBJ_hold_instruction_reject */
-    0x09,                                          /* [ 3183] OBJ_data */
-    0x09,0x92,0x26,                                /* [ 3184] OBJ_pss */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,            /* [ 3187] OBJ_ucl */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,       /* [ 3194] OBJ_pilot */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,  /* [ 3202] OBJ_pilotAttributeType */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,  /* [ 3211] OBJ_pilotAttributeSyntax */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,  /* [ 3220] OBJ_pilotObjectClass */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x0A,  /* [ 3229] OBJ_pilotGroups */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x04,  /* [ 3238] OBJ_iA5StringSyntax */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x05,  /* [ 3248] OBJ_caseIgnoreIA5StringSyntax */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x03,  /* [ 3258] OBJ_pilotObject */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x04,  /* [ 3268] OBJ_pilotPerson */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x05,  /* [ 3278] OBJ_account */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x06,  /* [ 3288] OBJ_document */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x07,  /* [ 3298] OBJ_room */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x09,  /* [ 3308] OBJ_documentSeries */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0E,  /* [ 3318] OBJ_rFC822localPart */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0F,  /* [ 3328] OBJ_dNSDomain */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x11,  /* [ 3338] OBJ_domainRelatedObject */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x12,  /* [ 3348] OBJ_friendlyCountry */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x13,  /* [ 3358] OBJ_simpleSecurityObject */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x14,  /* [ 3368] OBJ_pilotOrganization */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x15,  /* [ 3378] OBJ_pilotDSA */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x16,  /* [ 3388] OBJ_qualityLabelledData */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01,  /* [ 3398] OBJ_userId */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x02,  /* [ 3408] OBJ_textEncodedORAddress */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x03,  /* [ 3418] OBJ_rfc822Mailbox */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x04,  /* [ 3428] OBJ_info */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x05,  /* [ 3438] OBJ_favouriteDrink */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x06,  /* [ 3448] OBJ_roomNumber */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x07,  /* [ 3458] OBJ_photo */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x08,  /* [ 3468] OBJ_userClass */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x09,  /* [ 3478] OBJ_host */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0A,  /* [ 3488] OBJ_manager */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0B,  /* [ 3498] OBJ_documentIdentifier */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0C,  /* [ 3508] OBJ_documentTitle */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0D,  /* [ 3518] OBJ_documentVersion */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0E,  /* [ 3528] OBJ_documentAuthor */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0F,  /* [ 3538] OBJ_documentLocation */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x14,  /* [ 3548] OBJ_homeTelephoneNumber */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x15,  /* [ 3558] OBJ_secretary */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x16,  /* [ 3568] OBJ_otherMailbox */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x17,  /* [ 3578] OBJ_lastModifiedTime */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x18,  /* [ 3588] OBJ_lastModifiedBy */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1A,  /* [ 3598] OBJ_aRecord */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1B,  /* [ 3608] OBJ_pilotAttributeType27 */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1C,  /* [ 3618] OBJ_mXRecord */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1D,  /* [ 3628] OBJ_nSRecord */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1E,  /* [ 3638] OBJ_sOARecord */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1F,  /* [ 3648] OBJ_cNAMERecord */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x25,  /* [ 3658] OBJ_associatedDomain */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x26,  /* [ 3668] OBJ_associatedName */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x27,  /* [ 3678] OBJ_homePostalAddress */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x28,  /* [ 3688] OBJ_personalTitle */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x29,  /* [ 3698] OBJ_mobileTelephoneNumber */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2A,  /* [ 3708] OBJ_pagerTelephoneNumber */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2B,  /* [ 3718] OBJ_friendlyCountryName */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2D,  /* [ 3728] OBJ_organizationalStatus */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2E,  /* [ 3738] OBJ_janetMailbox */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2F,  /* [ 3748] OBJ_mailPreferenceOption */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x30,  /* [ 3758] OBJ_buildingName */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x31,  /* [ 3768] OBJ_dSAQuality */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x32,  /* [ 3778] OBJ_singleLevelQuality */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x33,  /* [ 3788] OBJ_subtreeMinimumQuality */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x34,  /* [ 3798] OBJ_subtreeMaximumQuality */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x35,  /* [ 3808] OBJ_personalSignature */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x36,  /* [ 3818] OBJ_dITRedirect */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x37,  /* [ 3828] OBJ_audio */
-    0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x38,  /* [ 3838] OBJ_documentPublisher */
-    0x55,0x04,0x2D,                                /* [ 3848] OBJ_x500UniqueIdentifier */
-    0x2B,0x06,0x01,0x07,0x01,                      /* [ 3851] OBJ_mime_mhs */
-    0x2B,0x06,0x01,0x07,0x01,0x01,                 /* [ 3856] OBJ_mime_mhs_headings */
-    0x2B,0x06,0x01,0x07,0x01,0x02,                 /* [ 3862] OBJ_mime_mhs_bodies */
-    0x2B,0x06,0x01,0x07,0x01,0x01,0x01,            /* [ 3868] OBJ_id_hex_partial_message */
-    0x2B,0x06,0x01,0x07,0x01,0x01,0x02,            /* [ 3875] OBJ_id_hex_multipart_message */
-    0x55,0x04,0x2C,                                /* [ 3882] OBJ_generationQualifier */
-    0x55,0x04,0x41,                                /* [ 3885] OBJ_pseudonym */
-    0x67,0x2A,                                     /* [ 3888] OBJ_id_set */
-    0x67,0x2A,0x00,                                /* [ 3890] OBJ_set_ctype */
-    0x67,0x2A,0x01,                                /* [ 3893] OBJ_set_msgExt */
-    0x67,0x2A,0x03,                                /* [ 3896] OBJ_set_attr */
-    0x67,0x2A,0x05,                                /* [ 3899] OBJ_set_policy */
-    0x67,0x2A,0x07,                                /* [ 3902] OBJ_set_certExt */
-    0x67,0x2A,0x08,                                /* [ 3905] OBJ_set_brand */
-    0x67,0x2A,0x00,0x00,                           /* [ 3908] OBJ_setct_PANData */
-    0x67,0x2A,0x00,0x01,                           /* [ 3912] OBJ_setct_PANToken */
-    0x67,0x2A,0x00,0x02,                           /* [ 3916] OBJ_setct_PANOnly */
-    0x67,0x2A,0x00,0x03,                           /* [ 3920] OBJ_setct_OIData */
-    0x67,0x2A,0x00,0x04,                           /* [ 3924] OBJ_setct_PI */
-    0x67,0x2A,0x00,0x05,                           /* [ 3928] OBJ_setct_PIData */
-    0x67,0x2A,0x00,0x06,                           /* [ 3932] OBJ_setct_PIDataUnsigned */
-    0x67,0x2A,0x00,0x07,                           /* [ 3936] OBJ_setct_HODInput */
-    0x67,0x2A,0x00,0x08,                           /* [ 3940] OBJ_setct_AuthResBaggage */
-    0x67,0x2A,0x00,0x09,                           /* [ 3944] OBJ_setct_AuthRevReqBaggage */
-    0x67,0x2A,0x00,0x0A,                           /* [ 3948] OBJ_setct_AuthRevResBaggage */
-    0x67,0x2A,0x00,0x0B,                           /* [ 3952] OBJ_setct_CapTokenSeq */
-    0x67,0x2A,0x00,0x0C,                           /* [ 3956] OBJ_setct_PInitResData */
-    0x67,0x2A,0x00,0x0D,                           /* [ 3960] OBJ_setct_PI_TBS */
-    0x67,0x2A,0x00,0x0E,                           /* [ 3964] OBJ_setct_PResData */
-    0x67,0x2A,0x00,0x10,                           /* [ 3968] OBJ_setct_AuthReqTBS */
-    0x67,0x2A,0x00,0x11,                           /* [ 3972] OBJ_setct_AuthResTBS */
-    0x67,0x2A,0x00,0x12,                           /* [ 3976] OBJ_setct_AuthResTBSX */
-    0x67,0x2A,0x00,0x13,                           /* [ 3980] OBJ_setct_AuthTokenTBS */
-    0x67,0x2A,0x00,0x14,                           /* [ 3984] OBJ_setct_CapTokenData */
-    0x67,0x2A,0x00,0x15,                           /* [ 3988] OBJ_setct_CapTokenTBS */
-    0x67,0x2A,0x00,0x16,                           /* [ 3992] OBJ_setct_AcqCardCodeMsg */
-    0x67,0x2A,0x00,0x17,                           /* [ 3996] OBJ_setct_AuthRevReqTBS */
-    0x67,0x2A,0x00,0x18,                           /* [ 4000] OBJ_setct_AuthRevResData */
-    0x67,0x2A,0x00,0x19,                           /* [ 4004] OBJ_setct_AuthRevResTBS */
-    0x67,0x2A,0x00,0x1A,                           /* [ 4008] OBJ_setct_CapReqTBS */
-    0x67,0x2A,0x00,0x1B,                           /* [ 4012] OBJ_setct_CapReqTBSX */
-    0x67,0x2A,0x00,0x1C,                           /* [ 4016] OBJ_setct_CapResData */
-    0x67,0x2A,0x00,0x1D,                           /* [ 4020] OBJ_setct_CapRevReqTBS */
-    0x67,0x2A,0x00,0x1E,                           /* [ 4024] OBJ_setct_CapRevReqTBSX */
-    0x67,0x2A,0x00,0x1F,                           /* [ 4028] OBJ_setct_CapRevResData */
-    0x67,0x2A,0x00,0x20,                           /* [ 4032] OBJ_setct_CredReqTBS */
-    0x67,0x2A,0x00,0x21,                           /* [ 4036] OBJ_setct_CredReqTBSX */
-    0x67,0x2A,0x00,0x22,                           /* [ 4040] OBJ_setct_CredResData */
-    0x67,0x2A,0x00,0x23,                           /* [ 4044] OBJ_setct_CredRevReqTBS */
-    0x67,0x2A,0x00,0x24,                           /* [ 4048] OBJ_setct_CredRevReqTBSX */
-    0x67,0x2A,0x00,0x25,                           /* [ 4052] OBJ_setct_CredRevResData */
-    0x67,0x2A,0x00,0x26,                           /* [ 4056] OBJ_setct_PCertReqData */
-    0x67,0x2A,0x00,0x27,                           /* [ 4060] OBJ_setct_PCertResTBS */
-    0x67,0x2A,0x00,0x28,                           /* [ 4064] OBJ_setct_BatchAdminReqData */
-    0x67,0x2A,0x00,0x29,                           /* [ 4068] OBJ_setct_BatchAdminResData */
-    0x67,0x2A,0x00,0x2A,                           /* [ 4072] OBJ_setct_CardCInitResTBS */
-    0x67,0x2A,0x00,0x2B,                           /* [ 4076] OBJ_setct_MeAqCInitResTBS */
-    0x67,0x2A,0x00,0x2C,                           /* [ 4080] OBJ_setct_RegFormResTBS */
-    0x67,0x2A,0x00,0x2D,                           /* [ 4084] OBJ_setct_CertReqData */
-    0x67,0x2A,0x00,0x2E,                           /* [ 4088] OBJ_setct_CertReqTBS */
-    0x67,0x2A,0x00,0x2F,                           /* [ 4092] OBJ_setct_CertResData */
-    0x67,0x2A,0x00,0x30,                           /* [ 4096] OBJ_setct_CertInqReqTBS */
-    0x67,0x2A,0x00,0x31,                           /* [ 4100] OBJ_setct_ErrorTBS */
-    0x67,0x2A,0x00,0x32,                           /* [ 4104] OBJ_setct_PIDualSignedTBE */
-    0x67,0x2A,0x00,0x33,                           /* [ 4108] OBJ_setct_PIUnsignedTBE */
-    0x67,0x2A,0x00,0x34,                           /* [ 4112] OBJ_setct_AuthReqTBE */
-    0x67,0x2A,0x00,0x35,                           /* [ 4116] OBJ_setct_AuthResTBE */
-    0x67,0x2A,0x00,0x36,                           /* [ 4120] OBJ_setct_AuthResTBEX */
-    0x67,0x2A,0x00,0x37,                           /* [ 4124] OBJ_setct_AuthTokenTBE */
-    0x67,0x2A,0x00,0x38,                           /* [ 4128] OBJ_setct_CapTokenTBE */
-    0x67,0x2A,0x00,0x39,                           /* [ 4132] OBJ_setct_CapTokenTBEX */
-    0x67,0x2A,0x00,0x3A,                           /* [ 4136] OBJ_setct_AcqCardCodeMsgTBE */
-    0x67,0x2A,0x00,0x3B,                           /* [ 4140] OBJ_setct_AuthRevReqTBE */
-    0x67,0x2A,0x00,0x3C,                           /* [ 4144] OBJ_setct_AuthRevResTBE */
-    0x67,0x2A,0x00,0x3D,                           /* [ 4148] OBJ_setct_AuthRevResTBEB */
-    0x67,0x2A,0x00,0x3E,                           /* [ 4152] OBJ_setct_CapReqTBE */
-    0x67,0x2A,0x00,0x3F,                           /* [ 4156] OBJ_setct_CapReqTBEX */
-    0x67,0x2A,0x00,0x40,                           /* [ 4160] OBJ_setct_CapResTBE */
-    0x67,0x2A,0x00,0x41,                           /* [ 4164] OBJ_setct_CapRevReqTBE */
-    0x67,0x2A,0x00,0x42,                           /* [ 4168] OBJ_setct_CapRevReqTBEX */
-    0x67,0x2A,0x00,0x43,                           /* [ 4172] OBJ_setct_CapRevResTBE */
-    0x67,0x2A,0x00,0x44,                           /* [ 4176] OBJ_setct_CredReqTBE */
-    0x67,0x2A,0x00,0x45,                           /* [ 4180] OBJ_setct_CredReqTBEX */
-    0x67,0x2A,0x00,0x46,                           /* [ 4184] OBJ_setct_CredResTBE */
-    0x67,0x2A,0x00,0x47,                           /* [ 4188] OBJ_setct_CredRevReqTBE */
-    0x67,0x2A,0x00,0x48,                           /* [ 4192] OBJ_setct_CredRevReqTBEX */
-    0x67,0x2A,0x00,0x49,                           /* [ 4196] OBJ_setct_CredRevResTBE */
-    0x67,0x2A,0x00,0x4A,                           /* [ 4200] OBJ_setct_BatchAdminReqTBE */
-    0x67,0x2A,0x00,0x4B,                           /* [ 4204] OBJ_setct_BatchAdminResTBE */
-    0x67,0x2A,0x00,0x4C,                           /* [ 4208] OBJ_setct_RegFormReqTBE */
-    0x67,0x2A,0x00,0x4D,                           /* [ 4212] OBJ_setct_CertReqTBE */
-    0x67,0x2A,0x00,0x4E,                           /* [ 4216] OBJ_setct_CertReqTBEX */
-    0x67,0x2A,0x00,0x4F,                           /* [ 4220] OBJ_setct_CertResTBE */
-    0x67,0x2A,0x00,0x50,                           /* [ 4224] OBJ_setct_CRLNotificationTBS */
-    0x67,0x2A,0x00,0x51,                           /* [ 4228] OBJ_setct_CRLNotificationResTBS */
-    0x67,0x2A,0x00,0x52,                           /* [ 4232] OBJ_setct_BCIDistributionTBS */
-    0x67,0x2A,0x01,0x01,                           /* [ 4236] OBJ_setext_genCrypt */
-    0x67,0x2A,0x01,0x03,                           /* [ 4240] OBJ_setext_miAuth */
-    0x67,0x2A,0x01,0x04,                           /* [ 4244] OBJ_setext_pinSecure */
-    0x67,0x2A,0x01,0x05,                           /* [ 4248] OBJ_setext_pinAny */
-    0x67,0x2A,0x01,0x07,                           /* [ 4252] OBJ_setext_track2 */
-    0x67,0x2A,0x01,0x08,                           /* [ 4256] OBJ_setext_cv */
-    0x67,0x2A,0x05,0x00,                           /* [ 4260] OBJ_set_policy_root */
-    0x67,0x2A,0x07,0x00,                           /* [ 4264] OBJ_setCext_hashedRoot */
-    0x67,0x2A,0x07,0x01,                           /* [ 4268] OBJ_setCext_certType */
-    0x67,0x2A,0x07,0x02,                           /* [ 4272] OBJ_setCext_merchData */
-    0x67,0x2A,0x07,0x03,                           /* [ 4276] OBJ_setCext_cCertRequired */
-    0x67,0x2A,0x07,0x04,                           /* [ 4280] OBJ_setCext_tunneling */
-    0x67,0x2A,0x07,0x05,                           /* [ 4284] OBJ_setCext_setExt */
-    0x67,0x2A,0x07,0x06,                           /* [ 4288] OBJ_setCext_setQualf */
-    0x67,0x2A,0x07,0x07,                           /* [ 4292] OBJ_setCext_PGWYcapabilities */
-    0x67,0x2A,0x07,0x08,                           /* [ 4296] OBJ_setCext_TokenIdentifier */
-    0x67,0x2A,0x07,0x09,                           /* [ 4300] OBJ_setCext_Track2Data */
-    0x67,0x2A,0x07,0x0A,                           /* [ 4304] OBJ_setCext_TokenType */
-    0x67,0x2A,0x07,0x0B,                           /* [ 4308] OBJ_setCext_IssuerCapabilities */
-    0x67,0x2A,0x03,0x00,                           /* [ 4312] OBJ_setAttr_Cert */
-    0x67,0x2A,0x03,0x01,                           /* [ 4316] OBJ_setAttr_PGWYcap */
-    0x67,0x2A,0x03,0x02,                           /* [ 4320] OBJ_setAttr_TokenType */
-    0x67,0x2A,0x03,0x03,                           /* [ 4324] OBJ_setAttr_IssCap */
-    0x67,0x2A,0x03,0x00,0x00,                      /* [ 4328] OBJ_set_rootKeyThumb */
-    0x67,0x2A,0x03,0x00,0x01,                      /* [ 4333] OBJ_set_addPolicy */
-    0x67,0x2A,0x03,0x02,0x01,                      /* [ 4338] OBJ_setAttr_Token_EMV */
-    0x67,0x2A,0x03,0x02,0x02,                      /* [ 4343] OBJ_setAttr_Token_B0Prime */
-    0x67,0x2A,0x03,0x03,0x03,                      /* [ 4348] OBJ_setAttr_IssCap_CVM */
-    0x67,0x2A,0x03,0x03,0x04,                      /* [ 4353] OBJ_setAttr_IssCap_T2 */
-    0x67,0x2A,0x03,0x03,0x05,                      /* [ 4358] OBJ_setAttr_IssCap_Sig */
-    0x67,0x2A,0x03,0x03,0x03,0x01,                 /* [ 4363] OBJ_setAttr_GenCryptgrm */
-    0x67,0x2A,0x03,0x03,0x04,0x01,                 /* [ 4369] OBJ_setAttr_T2Enc */
-    0x67,0x2A,0x03,0x03,0x04,0x02,                 /* [ 4375] OBJ_setAttr_T2cleartxt */
-    0x67,0x2A,0x03,0x03,0x05,0x01,                 /* [ 4381] OBJ_setAttr_TokICCsig */
-    0x67,0x2A,0x03,0x03,0x05,0x02,                 /* [ 4387] OBJ_setAttr_SecDevSig */
-    0x67,0x2A,0x08,0x01,                           /* [ 4393] OBJ_set_brand_IATA_ATA */
-    0x67,0x2A,0x08,0x1E,                           /* [ 4397] OBJ_set_brand_Diners */
-    0x67,0x2A,0x08,0x22,                           /* [ 4401] OBJ_set_brand_AmericanExpress */
-    0x67,0x2A,0x08,0x23,                           /* [ 4405] OBJ_set_brand_JCB */
-    0x67,0x2A,0x08,0x04,                           /* [ 4409] OBJ_set_brand_Visa */
-    0x67,0x2A,0x08,0x05,                           /* [ 4413] OBJ_set_brand_MasterCard */
-    0x67,0x2A,0x08,0xAE,0x7B,                      /* [ 4417] OBJ_set_brand_Novus */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A,       /* [ 4422] OBJ_des_cdmf */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,  /* [ 4430] OBJ_rsaOAEPEncryptionSET */
-    0x67,                                          /* [ 4439] OBJ_international_organizations */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,  /* [ 4440] OBJ_ms_smartcard_login */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,  /* [ 4450] OBJ_ms_upn */
-    0x55,0x04,0x09,                                /* [ 4460] OBJ_streetAddress */
-    0x55,0x04,0x11,                                /* [ 4463] OBJ_postalCode */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x15,            /* [ 4466] OBJ_id_ppl */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,       /* [ 4473] OBJ_proxyCertInfo */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,       /* [ 4481] OBJ_id_ppl_anyLanguage */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,       /* [ 4489] OBJ_id_ppl_inheritAll */
-    0x55,0x1D,0x1E,                                /* [ 4497] OBJ_name_constraints */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,       /* [ 4500] OBJ_Independent */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,  /* [ 4508] OBJ_sha256WithRSAEncryption */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,  /* [ 4517] OBJ_sha384WithRSAEncryption */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,  /* [ 4526] OBJ_sha512WithRSAEncryption */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,  /* [ 4535] OBJ_sha224WithRSAEncryption */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,  /* [ 4544] OBJ_sha256 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,  /* [ 4553] OBJ_sha384 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,  /* [ 4562] OBJ_sha512 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,  /* [ 4571] OBJ_sha224 */
-    0x2B,                                          /* [ 4580] OBJ_identified_organization */
-    0x2B,0x81,0x04,                                /* [ 4581] OBJ_certicom_arc */
-    0x67,0x2B,                                     /* [ 4584] OBJ_wap */
-    0x67,0x2B,0x01,                                /* [ 4586] OBJ_wap_wsg */
-    0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,       /* [ 4589] OBJ_X9_62_id_characteristic_two_basis */
-    0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01,  /* [ 4597] OBJ_X9_62_onBasis */
-    0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02,  /* [ 4606] OBJ_X9_62_tpBasis */
-    0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x03,  /* [ 4615] OBJ_X9_62_ppBasis */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x01,       /* [ 4624] OBJ_X9_62_c2pnb163v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x02,       /* [ 4632] OBJ_X9_62_c2pnb163v2 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x03,       /* [ 4640] OBJ_X9_62_c2pnb163v3 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x04,       /* [ 4648] OBJ_X9_62_c2pnb176v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x05,       /* [ 4656] OBJ_X9_62_c2tnb191v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x06,       /* [ 4664] OBJ_X9_62_c2tnb191v2 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x07,       /* [ 4672] OBJ_X9_62_c2tnb191v3 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x08,       /* [ 4680] OBJ_X9_62_c2onb191v4 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x09,       /* [ 4688] OBJ_X9_62_c2onb191v5 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0A,       /* [ 4696] OBJ_X9_62_c2pnb208w1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0B,       /* [ 4704] OBJ_X9_62_c2tnb239v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0C,       /* [ 4712] OBJ_X9_62_c2tnb239v2 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0D,       /* [ 4720] OBJ_X9_62_c2tnb239v3 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0E,       /* [ 4728] OBJ_X9_62_c2onb239v4 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0F,       /* [ 4736] OBJ_X9_62_c2onb239v5 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x10,       /* [ 4744] OBJ_X9_62_c2pnb272w1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x11,       /* [ 4752] OBJ_X9_62_c2pnb304w1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x12,       /* [ 4760] OBJ_X9_62_c2tnb359v1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x13,       /* [ 4768] OBJ_X9_62_c2pnb368w1 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x14,       /* [ 4776] OBJ_X9_62_c2tnb431r1 */
-    0x2B,0x81,0x04,0x00,0x06,                      /* [ 4784] OBJ_secp112r1 */
-    0x2B,0x81,0x04,0x00,0x07,                      /* [ 4789] OBJ_secp112r2 */
-    0x2B,0x81,0x04,0x00,0x1C,                      /* [ 4794] OBJ_secp128r1 */
-    0x2B,0x81,0x04,0x00,0x1D,                      /* [ 4799] OBJ_secp128r2 */
-    0x2B,0x81,0x04,0x00,0x09,                      /* [ 4804] OBJ_secp160k1 */
-    0x2B,0x81,0x04,0x00,0x08,                      /* [ 4809] OBJ_secp160r1 */
-    0x2B,0x81,0x04,0x00,0x1E,                      /* [ 4814] OBJ_secp160r2 */
-    0x2B,0x81,0x04,0x00,0x1F,                      /* [ 4819] OBJ_secp192k1 */
-    0x2B,0x81,0x04,0x00,0x20,                      /* [ 4824] OBJ_secp224k1 */
-    0x2B,0x81,0x04,0x00,0x21,                      /* [ 4829] OBJ_secp224r1 */
-    0x2B,0x81,0x04,0x00,0x0A,                      /* [ 4834] OBJ_secp256k1 */
-    0x2B,0x81,0x04,0x00,0x22,                      /* [ 4839] OBJ_secp384r1 */
-    0x2B,0x81,0x04,0x00,0x23,                      /* [ 4844] OBJ_secp521r1 */
-    0x2B,0x81,0x04,0x00,0x04,                      /* [ 4849] OBJ_sect113r1 */
-    0x2B,0x81,0x04,0x00,0x05,                      /* [ 4854] OBJ_sect113r2 */
-    0x2B,0x81,0x04,0x00,0x16,                      /* [ 4859] OBJ_sect131r1 */
-    0x2B,0x81,0x04,0x00,0x17,                      /* [ 4864] OBJ_sect131r2 */
-    0x2B,0x81,0x04,0x00,0x01,                      /* [ 4869] OBJ_sect163k1 */
-    0x2B,0x81,0x04,0x00,0x02,                      /* [ 4874] OBJ_sect163r1 */
-    0x2B,0x81,0x04,0x00,0x0F,                      /* [ 4879] OBJ_sect163r2 */
-    0x2B,0x81,0x04,0x00,0x18,                      /* [ 4884] OBJ_sect193r1 */
-    0x2B,0x81,0x04,0x00,0x19,                      /* [ 4889] OBJ_sect193r2 */
-    0x2B,0x81,0x04,0x00,0x1A,                      /* [ 4894] OBJ_sect233k1 */
-    0x2B,0x81,0x04,0x00,0x1B,                      /* [ 4899] OBJ_sect233r1 */
-    0x2B,0x81,0x04,0x00,0x03,                      /* [ 4904] OBJ_sect239k1 */
-    0x2B,0x81,0x04,0x00,0x10,                      /* [ 4909] OBJ_sect283k1 */
-    0x2B,0x81,0x04,0x00,0x11,                      /* [ 4914] OBJ_sect283r1 */
-    0x2B,0x81,0x04,0x00,0x24,                      /* [ 4919] OBJ_sect409k1 */
-    0x2B,0x81,0x04,0x00,0x25,                      /* [ 4924] OBJ_sect409r1 */
-    0x2B,0x81,0x04,0x00,0x26,                      /* [ 4929] OBJ_sect571k1 */
-    0x2B,0x81,0x04,0x00,0x27,                      /* [ 4934] OBJ_sect571r1 */
-    0x67,0x2B,0x01,0x04,0x01,                      /* [ 4939] OBJ_wap_wsg_idm_ecid_wtls1 */
-    0x67,0x2B,0x01,0x04,0x03,                      /* [ 4944] OBJ_wap_wsg_idm_ecid_wtls3 */
-    0x67,0x2B,0x01,0x04,0x04,                      /* [ 4949] OBJ_wap_wsg_idm_ecid_wtls4 */
-    0x67,0x2B,0x01,0x04,0x05,                      /* [ 4954] OBJ_wap_wsg_idm_ecid_wtls5 */
-    0x67,0x2B,0x01,0x04,0x06,                      /* [ 4959] OBJ_wap_wsg_idm_ecid_wtls6 */
-    0x67,0x2B,0x01,0x04,0x07,                      /* [ 4964] OBJ_wap_wsg_idm_ecid_wtls7 */
-    0x67,0x2B,0x01,0x04,0x08,                      /* [ 4969] OBJ_wap_wsg_idm_ecid_wtls8 */
-    0x67,0x2B,0x01,0x04,0x09,                      /* [ 4974] OBJ_wap_wsg_idm_ecid_wtls9 */
-    0x67,0x2B,0x01,0x04,0x0A,                      /* [ 4979] OBJ_wap_wsg_idm_ecid_wtls10 */
-    0x67,0x2B,0x01,0x04,0x0B,                      /* [ 4984] OBJ_wap_wsg_idm_ecid_wtls11 */
-    0x67,0x2B,0x01,0x04,0x0C,                      /* [ 4989] OBJ_wap_wsg_idm_ecid_wtls12 */
-    0x55,0x1D,0x20,0x00,                           /* [ 4994] OBJ_any_policy */
-    0x55,0x1D,0x21,                                /* [ 4998] OBJ_policy_mappings */
-    0x55,0x1D,0x36,                                /* [ 5001] OBJ_inhibit_any_policy */
-    0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x02,  /* [ 5004] OBJ_camellia_128_cbc */
-    0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x03,  /* [ 5015] OBJ_camellia_192_cbc */
-    0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x04,  /* [ 5026] OBJ_camellia_256_cbc */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x01,       /* [ 5037] OBJ_camellia_128_ecb */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x15,       /* [ 5045] OBJ_camellia_192_ecb */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x29,       /* [ 5053] OBJ_camellia_256_ecb */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x04,       /* [ 5061] OBJ_camellia_128_cfb128 */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x18,       /* [ 5069] OBJ_camellia_192_cfb128 */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2C,       /* [ 5077] OBJ_camellia_256_cfb128 */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x03,       /* [ 5085] OBJ_camellia_128_ofb128 */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x17,       /* [ 5093] OBJ_camellia_192_ofb128 */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2B,       /* [ 5101] OBJ_camellia_256_ofb128 */
-    0x55,0x1D,0x09,                                /* [ 5109] OBJ_subject_directory_attributes */
-    0x55,0x1D,0x1C,                                /* [ 5112] OBJ_issuing_distribution_point */
-    0x55,0x1D,0x1D,                                /* [ 5115] OBJ_certificate_issuer */
-    0x2A,0x83,0x1A,0x8C,0x9A,0x44,                 /* [ 5118] OBJ_kisa */
-    0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x03,       /* [ 5124] OBJ_seed_ecb */
-    0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x04,       /* [ 5132] OBJ_seed_cbc */
-    0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x06,       /* [ 5140] OBJ_seed_ofb128 */
-    0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x05,       /* [ 5148] OBJ_seed_cfb128 */
-    0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x01,       /* [ 5156] OBJ_hmac_md5 */
-    0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x02,       /* [ 5164] OBJ_hmac_sha1 */
-    0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0D,  /* [ 5172] OBJ_id_PasswordBasedMAC */
-    0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x1E,  /* [ 5181] OBJ_id_DHBasedMac */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x10,       /* [ 5190] OBJ_id_it_suppLangTags */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x05,       /* [ 5198] OBJ_caRepository */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x09,  /* [ 5206] OBJ_id_smime_ct_compressedData */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1B,  /* [ 5217] OBJ_id_ct_asciiTextWithCRLF */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x05,  /* [ 5228] OBJ_id_aes128_wrap */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x19,  /* [ 5237] OBJ_id_aes192_wrap */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2D,  /* [ 5246] OBJ_id_aes256_wrap */
-    0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02,            /* [ 5255] OBJ_ecdsa_with_Recommended */
-    0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,            /* [ 5262] OBJ_ecdsa_with_Specified */
-    0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01,       /* [ 5269] OBJ_ecdsa_with_SHA224 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,       /* [ 5277] OBJ_ecdsa_with_SHA256 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,       /* [ 5285] OBJ_ecdsa_with_SHA384 */
-    0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04,       /* [ 5293] OBJ_ecdsa_with_SHA512 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x06,       /* [ 5301] OBJ_hmacWithMD5 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x08,       /* [ 5309] OBJ_hmacWithSHA224 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x09,       /* [ 5317] OBJ_hmacWithSHA256 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0A,       /* [ 5325] OBJ_hmacWithSHA384 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0B,       /* [ 5333] OBJ_hmacWithSHA512 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01,  /* [ 5341] OBJ_dsa_with_SHA224 */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02,  /* [ 5350] OBJ_dsa_with_SHA256 */
-    0x28,0xCF,0x06,0x03,0x00,0x37,                 /* [ 5359] OBJ_whirlpool */
-    0x2A,0x85,0x03,0x02,0x02,                      /* [ 5365] OBJ_cryptopro */
-    0x2A,0x85,0x03,0x02,0x09,                      /* [ 5370] OBJ_cryptocom */
-    0x2A,0x85,0x03,0x02,0x02,0x03,                 /* [ 5375] OBJ_id_GostR3411_94_with_GostR3410_2001 */
-    0x2A,0x85,0x03,0x02,0x02,0x04,                 /* [ 5381] OBJ_id_GostR3411_94_with_GostR3410_94 */
-    0x2A,0x85,0x03,0x02,0x02,0x09,                 /* [ 5387] OBJ_id_GostR3411_94 */
-    0x2A,0x85,0x03,0x02,0x02,0x0A,                 /* [ 5393] OBJ_id_HMACGostR3411_94 */
-    0x2A,0x85,0x03,0x02,0x02,0x13,                 /* [ 5399] OBJ_id_GostR3410_2001 */
-    0x2A,0x85,0x03,0x02,0x02,0x14,                 /* [ 5405] OBJ_id_GostR3410_94 */
-    0x2A,0x85,0x03,0x02,0x02,0x15,                 /* [ 5411] OBJ_id_Gost28147_89 */
-    0x2A,0x85,0x03,0x02,0x02,0x16,                 /* [ 5417] OBJ_id_Gost28147_89_MAC */
-    0x2A,0x85,0x03,0x02,0x02,0x17,                 /* [ 5423] OBJ_id_GostR3411_94_prf */
-    0x2A,0x85,0x03,0x02,0x02,0x62,                 /* [ 5429] OBJ_id_GostR3410_2001DH */
-    0x2A,0x85,0x03,0x02,0x02,0x63,                 /* [ 5435] OBJ_id_GostR3410_94DH */
-    0x2A,0x85,0x03,0x02,0x02,0x0E,0x01,            /* [ 5441] OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
-    0x2A,0x85,0x03,0x02,0x02,0x0E,0x00,            /* [ 5448] OBJ_id_Gost28147_89_None_KeyMeshing */
-    0x2A,0x85,0x03,0x02,0x02,0x1E,0x00,            /* [ 5455] OBJ_id_GostR3411_94_TestParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1E,0x01,            /* [ 5462] OBJ_id_GostR3411_94_CryptoProParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x00,            /* [ 5469] OBJ_id_Gost28147_89_TestParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x01,            /* [ 5476] OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x02,            /* [ 5483] OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x03,            /* [ 5490] OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x04,            /* [ 5497] OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x05,            /* [ 5504] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x06,            /* [ 5511] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x1F,0x07,            /* [ 5518] OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x20,0x00,            /* [ 5525] OBJ_id_GostR3410_94_TestParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x20,0x02,            /* [ 5532] OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x20,0x03,            /* [ 5539] OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x20,0x04,            /* [ 5546] OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x20,0x05,            /* [ 5553] OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x21,0x01,            /* [ 5560] OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x21,0x02,            /* [ 5567] OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x21,0x03,            /* [ 5574] OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x23,0x00,            /* [ 5581] OBJ_id_GostR3410_2001_TestParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x23,0x01,            /* [ 5588] OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x23,0x02,            /* [ 5595] OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x23,0x03,            /* [ 5602] OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x24,0x00,            /* [ 5609] OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x24,0x01,            /* [ 5616] OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
-    0x2A,0x85,0x03,0x02,0x02,0x14,0x01,            /* [ 5623] OBJ_id_GostR3410_94_a */
-    0x2A,0x85,0x03,0x02,0x02,0x14,0x02,            /* [ 5630] OBJ_id_GostR3410_94_aBis */
-    0x2A,0x85,0x03,0x02,0x02,0x14,0x03,            /* [ 5637] OBJ_id_GostR3410_94_b */
-    0x2A,0x85,0x03,0x02,0x02,0x14,0x04,            /* [ 5644] OBJ_id_GostR3410_94_bBis */
-    0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01,       /* [ 5651] OBJ_id_Gost28147_89_cc */
-    0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03,       /* [ 5659] OBJ_id_GostR3410_94_cc */
-    0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04,       /* [ 5667] OBJ_id_GostR3410_2001_cc */
-    0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03,       /* [ 5675] OBJ_id_GostR3411_94_with_GostR3410_94_cc */
-    0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04,       /* [ 5683] OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
-    0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01,       /* [ 5691] OBJ_id_GostR3410_2001_ParamSet_cc */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02,  /* [ 5699] OBJ_LocalKeySet */
-    0x55,0x1D,0x2E,                                /* [ 5708] OBJ_freshest_crl */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x03,       /* [ 5711] OBJ_id_on_permanentIdentifier */
-    0x55,0x04,0x0E,                                /* [ 5719] OBJ_searchGuide */
-    0x55,0x04,0x0F,                                /* [ 5722] OBJ_businessCategory */
-    0x55,0x04,0x10,                                /* [ 5725] OBJ_postalAddress */
-    0x55,0x04,0x12,                                /* [ 5728] OBJ_postOfficeBox */
-    0x55,0x04,0x13,                                /* [ 5731] OBJ_physicalDeliveryOfficeName */
-    0x55,0x04,0x14,                                /* [ 5734] OBJ_telephoneNumber */
-    0x55,0x04,0x15,                                /* [ 5737] OBJ_telexNumber */
-    0x55,0x04,0x16,                                /* [ 5740] OBJ_teletexTerminalIdentifier */
-    0x55,0x04,0x17,                                /* [ 5743] OBJ_facsimileTelephoneNumber */
-    0x55,0x04,0x18,                                /* [ 5746] OBJ_x121Address */
-    0x55,0x04,0x19,                                /* [ 5749] OBJ_internationaliSDNNumber */
-    0x55,0x04,0x1A,                                /* [ 5752] OBJ_registeredAddress */
-    0x55,0x04,0x1B,                                /* [ 5755] OBJ_destinationIndicator */
-    0x55,0x04,0x1C,                                /* [ 5758] OBJ_preferredDeliveryMethod */
-    0x55,0x04,0x1D,                                /* [ 5761] OBJ_presentationAddress */
-    0x55,0x04,0x1E,                                /* [ 5764] OBJ_supportedApplicationContext */
-    0x55,0x04,0x1F,                                /* [ 5767] OBJ_member */
-    0x55,0x04,0x20,                                /* [ 5770] OBJ_owner */
-    0x55,0x04,0x21,                                /* [ 5773] OBJ_roleOccupant */
-    0x55,0x04,0x22,                                /* [ 5776] OBJ_seeAlso */
-    0x55,0x04,0x23,                                /* [ 5779] OBJ_userPassword */
-    0x55,0x04,0x24,                                /* [ 5782] OBJ_userCertificate */
-    0x55,0x04,0x25,                                /* [ 5785] OBJ_cACertificate */
-    0x55,0x04,0x26,                                /* [ 5788] OBJ_authorityRevocationList */
-    0x55,0x04,0x27,                                /* [ 5791] OBJ_certificateRevocationList */
-    0x55,0x04,0x28,                                /* [ 5794] OBJ_crossCertificatePair */
-    0x55,0x04,0x2F,                                /* [ 5797] OBJ_enhancedSearchGuide */
-    0x55,0x04,0x30,                                /* [ 5800] OBJ_protocolInformation */
-    0x55,0x04,0x31,                                /* [ 5803] OBJ_distinguishedName */
-    0x55,0x04,0x32,                                /* [ 5806] OBJ_uniqueMember */
-    0x55,0x04,0x33,                                /* [ 5809] OBJ_houseIdentifier */
-    0x55,0x04,0x34,                                /* [ 5812] OBJ_supportedAlgorithms */
-    0x55,0x04,0x35,                                /* [ 5815] OBJ_deltaRevocationList */
-    0x55,0x04,0x36,                                /* [ 5818] OBJ_dmdName */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x09,  /* [ 5821] OBJ_id_alg_PWRI_KEK */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x06,  /* [ 5832] OBJ_aes_128_gcm */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x07,  /* [ 5841] OBJ_aes_128_ccm */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x08,  /* [ 5850] OBJ_id_aes128_wrap_pad */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1A,  /* [ 5859] OBJ_aes_192_gcm */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1B,  /* [ 5868] OBJ_aes_192_ccm */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1C,  /* [ 5877] OBJ_id_aes192_wrap_pad */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2E,  /* [ 5886] OBJ_aes_256_gcm */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2F,  /* [ 5895] OBJ_aes_256_ccm */
-    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x30,  /* [ 5904] OBJ_id_aes256_wrap_pad */
-    0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x02,  /* [ 5913] OBJ_id_camellia128_wrap */
-    0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x03,  /* [ 5924] OBJ_id_camellia192_wrap */
-    0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x04,  /* [ 5935] OBJ_id_camellia256_wrap */
-    0x55,0x1D,0x25,0x00,                           /* [ 5946] OBJ_anyExtendedKeyUsage */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08,  /* [ 5950] OBJ_mgf1 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A,  /* [ 5959] OBJ_rsassaPss */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x07,  /* [ 5968] OBJ_rsaesOaep */
-    0x2A,0x86,0x48,0xCE,0x3E,0x02,0x01,            /* [ 5977] OBJ_dhpublicnumber */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x01,  /* [ 5984] OBJ_brainpoolP160r1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x02,  /* [ 5993] OBJ_brainpoolP160t1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x03,  /* [ 6002] OBJ_brainpoolP192r1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x04,  /* [ 6011] OBJ_brainpoolP192t1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05,  /* [ 6020] OBJ_brainpoolP224r1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x06,  /* [ 6029] OBJ_brainpoolP224t1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07,  /* [ 6038] OBJ_brainpoolP256r1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x08,  /* [ 6047] OBJ_brainpoolP256t1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09,  /* [ 6056] OBJ_brainpoolP320r1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0A,  /* [ 6065] OBJ_brainpoolP320t1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0B,  /* [ 6074] OBJ_brainpoolP384r1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0C,  /* [ 6083] OBJ_brainpoolP384t1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0D,  /* [ 6092] OBJ_brainpoolP512r1 */
-    0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0E,  /* [ 6101] OBJ_brainpoolP512t1 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x09,  /* [ 6110] OBJ_pSpecified */
-    0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x02,  /* [ 6119] OBJ_dhSinglePass_stdDH_sha1kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0B,0x00,                 /* [ 6128] OBJ_dhSinglePass_stdDH_sha224kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0B,0x01,                 /* [ 6134] OBJ_dhSinglePass_stdDH_sha256kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0B,0x02,                 /* [ 6140] OBJ_dhSinglePass_stdDH_sha384kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0B,0x03,                 /* [ 6146] OBJ_dhSinglePass_stdDH_sha512kdf_scheme */
-    0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x03,  /* [ 6152] OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0E,0x00,                 /* [ 6161] OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0E,0x01,                 /* [ 6167] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0E,0x02,                 /* [ 6173] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */
-    0x2B,0x81,0x04,0x01,0x0E,0x03,                 /* [ 6179] OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */
-    0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,  /* [ 6185] OBJ_ct_precert_scts */
-    0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x03,  /* [ 6195] OBJ_ct_precert_poison */
-    0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x04,  /* [ 6205] OBJ_ct_precert_signer */
-    0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x05,  /* [ 6215] OBJ_ct_cert_scts */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x01,  /* [ 6225] OBJ_jurisdictionLocalityName */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,  /* [ 6236] OBJ_jurisdictionStateOrProvinceName */
-    0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,  /* [ 6247] OBJ_jurisdictionCountryName */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x06,       /* [ 6258] OBJ_camellia_128_gcm */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x07,       /* [ 6266] OBJ_camellia_128_ccm */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x09,       /* [ 6274] OBJ_camellia_128_ctr */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x0A,       /* [ 6282] OBJ_camellia_128_cmac */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1A,       /* [ 6290] OBJ_camellia_192_gcm */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1B,       /* [ 6298] OBJ_camellia_192_ccm */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1D,       /* [ 6306] OBJ_camellia_192_ctr */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1E,       /* [ 6314] OBJ_camellia_192_cmac */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2E,       /* [ 6322] OBJ_camellia_256_gcm */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2F,       /* [ 6330] OBJ_camellia_256_ccm */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x31,       /* [ 6338] OBJ_camellia_256_ctr */
-    0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x32,       /* [ 6346] OBJ_camellia_256_cmac */
-    0x2B,0x06,0x01,0x04,0x01,0xDA,0x47,0x04,0x0B,  /* [ 6354] OBJ_id_scrypt */
-    0x2A,0x85,0x03,0x07,0x01,                      /* [ 6363] OBJ_id_tc26 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,                 /* [ 6368] OBJ_id_tc26_algorithms */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x01,            /* [ 6374] OBJ_id_tc26_sign */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x01,       /* [ 6381] OBJ_id_GostR3410_2012_256 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x02,       /* [ 6389] OBJ_id_GostR3410_2012_512 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x02,            /* [ 6397] OBJ_id_tc26_digest */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x02,       /* [ 6404] OBJ_id_GostR3411_2012_256 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x03,       /* [ 6412] OBJ_id_GostR3411_2012_512 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x03,            /* [ 6420] OBJ_id_tc26_signwithdigest */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x03,0x02,       /* [ 6427] OBJ_id_tc26_signwithdigest_gost3410_2012_256 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x03,0x03,       /* [ 6435] OBJ_id_tc26_signwithdigest_gost3410_2012_512 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x04,            /* [ 6443] OBJ_id_tc26_mac */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x01,       /* [ 6450] OBJ_id_tc26_hmac_gost_3411_2012_256 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x02,       /* [ 6458] OBJ_id_tc26_hmac_gost_3411_2012_512 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x05,            /* [ 6466] OBJ_id_tc26_cipher */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x06,            /* [ 6473] OBJ_id_tc26_agreement */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x06,0x01,       /* [ 6480] OBJ_id_tc26_agreement_gost_3410_2012_256 */
-    0x2A,0x85,0x03,0x07,0x01,0x01,0x06,0x02,       /* [ 6488] OBJ_id_tc26_agreement_gost_3410_2012_512 */
-    0x2A,0x85,0x03,0x07,0x01,0x02,                 /* [ 6496] OBJ_id_tc26_constants */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x01,            /* [ 6502] OBJ_id_tc26_sign_constants */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,       /* [ 6509] OBJ_id_tc26_gost_3410_2012_512_constants */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x00,  /* [ 6517] OBJ_id_tc26_gost_3410_2012_512_paramSetTest */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x01,  /* [ 6526] OBJ_id_tc26_gost_3410_2012_512_paramSetA */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x02,  /* [ 6535] OBJ_id_tc26_gost_3410_2012_512_paramSetB */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x02,            /* [ 6544] OBJ_id_tc26_digest_constants */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x05,            /* [ 6551] OBJ_id_tc26_cipher_constants */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01,       /* [ 6558] OBJ_id_tc26_gost_28147_constants */
-    0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01,0x01,  /* [ 6566] OBJ_id_tc26_gost_28147_param_Z */
-    0x2A,0x85,0x03,0x03,0x81,0x03,0x01,0x01,       /* [ 6575] OBJ_INN */
-    0x2A,0x85,0x03,0x64,0x01,                      /* [ 6583] OBJ_OGRN */
-    0x2A,0x85,0x03,0x64,0x03,                      /* [ 6588] OBJ_SNILS */
-    0x2A,0x85,0x03,0x64,0x6F,                      /* [ 6593] OBJ_subjectSignTool */
-    0x2A,0x85,0x03,0x64,0x70,                      /* [ 6598] OBJ_issuerSignTool */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x18,       /* [ 6603] OBJ_tlsfeature */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x11,       /* [ 6611] OBJ_ipsec_IKE */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x12,       /* [ 6619] OBJ_capwapAC */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x13,       /* [ 6627] OBJ_capwapWTP */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x15,       /* [ 6635] OBJ_sshClient */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x16,       /* [ 6643] OBJ_sshServer */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x17,       /* [ 6651] OBJ_sendRouter */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x18,       /* [ 6659] OBJ_sendProxiedRouter */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x19,       /* [ 6667] OBJ_sendOwner */
-    0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1A,       /* [ 6675] OBJ_sendProxiedOwner */
-    0x2B,0x06,0x01,0x05,0x02,0x03,                 /* [ 6683] OBJ_id_pkinit */
-    0x2B,0x06,0x01,0x05,0x02,0x03,0x04,            /* [ 6689] OBJ_pkInitClientAuth */
-    0x2B,0x06,0x01,0x05,0x02,0x03,0x05,            /* [ 6696] OBJ_pkInitKDC */
-    0x2B,0x65,0x6E,                                /* [ 6703] OBJ_X25519 */
-    0x2B,0x65,0x6F,                                /* [ 6706] OBJ_X448 */
-    0x2B,0x06,0x01,0x04,0x01,0x8D,0x3A,0x0C,0x02,0x01,0x10,  /* [ 6709] OBJ_blake2b512 */
-    0x2B,0x06,0x01,0x04,0x01,0x8D,0x3A,0x0C,0x02,0x02,0x08,  /* [ 6720] OBJ_blake2s256 */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x13,  /* [ 6731] OBJ_id_smime_ct_contentCollection */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x17,  /* [ 6742] OBJ_id_smime_ct_authEnvelopedData */
-    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1C,  /* [ 6753] OBJ_id_ct_xml */
+#define NUM_NID 958
+#define NUM_SN 951
+#define NUM_LN 951
+#define NUM_OBJ 890
+
+static const unsigned char lvalues[6255]={
+0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  0] OBJ_rsadsi */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  6] OBJ_pkcs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,     /* [ 13] OBJ_md2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05,     /* [ 21] OBJ_md5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x04,     /* [ 29] OBJ_rc4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,/* [ 37] OBJ_rsaEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02,/* [ 46] OBJ_md2WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04,/* [ 55] OBJ_md5WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x01,/* [ 64] OBJ_pbeWithMD2AndDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x03,/* [ 73] OBJ_pbeWithMD5AndDES_CBC */
+0x55,                                        /* [ 82] OBJ_X500 */
+0x55,0x04,                                   /* [ 83] OBJ_X509 */
+0x55,0x04,0x03,                              /* [ 85] OBJ_commonName */
+0x55,0x04,0x06,                              /* [ 88] OBJ_countryName */
+0x55,0x04,0x07,                              /* [ 91] OBJ_localityName */
+0x55,0x04,0x08,                              /* [ 94] OBJ_stateOrProvinceName */
+0x55,0x04,0x0A,                              /* [ 97] OBJ_organizationName */
+0x55,0x04,0x0B,                              /* [100] OBJ_organizationalUnitName */
+0x55,0x08,0x01,0x01,                         /* [103] OBJ_rsa */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,     /* [107] OBJ_pkcs7 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,/* [115] OBJ_pkcs7_data */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,/* [124] OBJ_pkcs7_signed */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x03,/* [133] OBJ_pkcs7_enveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x04,/* [142] OBJ_pkcs7_signedAndEnveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x05,/* [151] OBJ_pkcs7_digest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x06,/* [160] OBJ_pkcs7_encrypted */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,     /* [169] OBJ_pkcs3 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,0x01,/* [177] OBJ_dhKeyAgreement */
+0x2B,0x0E,0x03,0x02,0x06,                    /* [186] OBJ_des_ecb */
+0x2B,0x0E,0x03,0x02,0x09,                    /* [191] OBJ_des_cfb64 */
+0x2B,0x0E,0x03,0x02,0x07,                    /* [196] OBJ_des_cbc */
+0x2B,0x0E,0x03,0x02,0x11,                    /* [201] OBJ_des_ede_ecb */
+0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,/* [206] OBJ_idea_cbc */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02,     /* [217] OBJ_rc2_cbc */
+0x2B,0x0E,0x03,0x02,0x12,                    /* [225] OBJ_sha */
+0x2B,0x0E,0x03,0x02,0x0F,                    /* [230] OBJ_shaWithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07,     /* [235] OBJ_des_ede3_cbc */
+0x2B,0x0E,0x03,0x02,0x08,                    /* [243] OBJ_des_ofb64 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,     /* [248] OBJ_pkcs9 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,/* [256] OBJ_pkcs9_emailAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x02,/* [265] OBJ_pkcs9_unstructuredName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03,/* [274] OBJ_pkcs9_contentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04,/* [283] OBJ_pkcs9_messageDigest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05,/* [292] OBJ_pkcs9_signingTime */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x06,/* [301] OBJ_pkcs9_countersignature */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07,/* [310] OBJ_pkcs9_challengePassword */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x08,/* [319] OBJ_pkcs9_unstructuredAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x09,/* [328] OBJ_pkcs9_extCertAttributes */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,          /* [337] OBJ_netscape */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,     /* [344] OBJ_netscape_cert_extension */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,     /* [352] OBJ_netscape_data_type */
+0x2B,0x0E,0x03,0x02,0x1A,                    /* [360] OBJ_sha1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,/* [365] OBJ_sha1WithRSAEncryption */
+0x2B,0x0E,0x03,0x02,0x0D,                    /* [374] OBJ_dsaWithSHA */
+0x2B,0x0E,0x03,0x02,0x0C,                    /* [379] OBJ_dsa_2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0B,/* [384] OBJ_pbeWithSHA1AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0C,/* [393] OBJ_id_pbkdf2 */
+0x2B,0x0E,0x03,0x02,0x1B,                    /* [402] OBJ_dsaWithSHA1_2 */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,/* [407] OBJ_netscape_cert_type */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x02,/* [416] OBJ_netscape_base_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x03,/* [425] OBJ_netscape_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,/* [434] OBJ_netscape_ca_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x07,/* [443] OBJ_netscape_renewal_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x08,/* [452] OBJ_netscape_ca_policy_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0C,/* [461] OBJ_netscape_ssl_server_name */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,/* [470] OBJ_netscape_comment */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,0x05,/* [479] OBJ_netscape_cert_sequence */
+0x55,0x1D,                                   /* [488] OBJ_id_ce */
+0x55,0x1D,0x0E,                              /* [490] OBJ_subject_key_identifier */
+0x55,0x1D,0x0F,                              /* [493] OBJ_key_usage */
+0x55,0x1D,0x10,                              /* [496] OBJ_private_key_usage_period */
+0x55,0x1D,0x11,                              /* [499] OBJ_subject_alt_name */
+0x55,0x1D,0x12,                              /* [502] OBJ_issuer_alt_name */
+0x55,0x1D,0x13,                              /* [505] OBJ_basic_constraints */
+0x55,0x1D,0x14,                              /* [508] OBJ_crl_number */
+0x55,0x1D,0x20,                              /* [511] OBJ_certificate_policies */
+0x55,0x1D,0x23,                              /* [514] OBJ_authority_key_identifier */
+0x2B,0x06,0x01,0x04,0x01,0x97,0x55,0x01,0x02,/* [517] OBJ_bf_cbc */
+0x55,0x08,0x03,0x65,                         /* [526] OBJ_mdc2 */
+0x55,0x08,0x03,0x64,                         /* [530] OBJ_mdc2WithRSA */
+0x55,0x04,0x2A,                              /* [534] OBJ_givenName */
+0x55,0x04,0x04,                              /* [537] OBJ_surname */
+0x55,0x04,0x2B,                              /* [540] OBJ_initials */
+0x55,0x1D,0x1F,                              /* [543] OBJ_crl_distribution_points */
+0x2B,0x0E,0x03,0x02,0x03,                    /* [546] OBJ_md5WithRSA */
+0x55,0x04,0x05,                              /* [551] OBJ_serialNumber */
+0x55,0x04,0x0C,                              /* [554] OBJ_title */
+0x55,0x04,0x0D,                              /* [557] OBJ_description */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0A,/* [560] OBJ_cast5_cbc */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0C,/* [569] OBJ_pbeWithMD5AndCast5_CBC */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x03,          /* [578] OBJ_dsaWithSHA1 */
+0x2B,0x0E,0x03,0x02,0x1D,                    /* [585] OBJ_sha1WithRSA */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x01,          /* [590] OBJ_dsa */
+0x2B,0x24,0x03,0x02,0x01,                    /* [597] OBJ_ripemd160 */
+0x2B,0x24,0x03,0x03,0x01,0x02,               /* [602] OBJ_ripemd160WithRSA */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x08,     /* [608] OBJ_rc5_cbc */
+0x29,0x01,0x01,0x85,0x1A,0x01,               /* [616] OBJ_rle_compression */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x08,/* [622] OBJ_zlib_compression */
+0x55,0x1D,0x25,                              /* [633] OBJ_ext_key_usage */
+0x2B,0x06,0x01,0x05,0x05,0x07,               /* [636] OBJ_id_pkix */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,          /* [642] OBJ_id_kp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,     /* [649] OBJ_server_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,     /* [657] OBJ_client_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,     /* [665] OBJ_code_sign */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04,     /* [673] OBJ_email_protect */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08,     /* [681] OBJ_time_stamp */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [689] OBJ_ms_code_ind */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [699] OBJ_ms_code_com */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [709] OBJ_ms_ctl_sign */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03,/* [719] OBJ_ms_sgc */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x04,/* [729] OBJ_ms_efs */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01,/* [739] OBJ_ns_sgc */
+0x55,0x1D,0x1B,                              /* [748] OBJ_delta_crl */
+0x55,0x1D,0x15,                              /* [751] OBJ_crl_reason */
+0x55,0x1D,0x18,                              /* [754] OBJ_invalidity_date */
+0x2B,0x65,0x01,0x04,0x01,                    /* [757] OBJ_sxnet */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x01,/* [762] OBJ_pbe_WithSHA1And128BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x02,/* [772] OBJ_pbe_WithSHA1And40BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03,/* [782] OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x04,/* [792] OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x05,/* [802] OBJ_pbe_WithSHA1And128BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x06,/* [812] OBJ_pbe_WithSHA1And40BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x01,/* [822] OBJ_keyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x02,/* [833] OBJ_pkcs8ShroudedKeyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03,/* [844] OBJ_certBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x04,/* [855] OBJ_crlBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x05,/* [866] OBJ_secretBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x06,/* [877] OBJ_safeContentsBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x14,/* [888] OBJ_friendlyName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x15,/* [897] OBJ_localKeyID */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x01,/* [906] OBJ_x509Certificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x02,/* [916] OBJ_sdsiCertificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x17,0x01,/* [926] OBJ_x509Crl */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D,/* [936] OBJ_pbes2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0E,/* [945] OBJ_pbmac1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x07,     /* [954] OBJ_hmacWithSHA1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,     /* [962] OBJ_id_qt_cps */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,     /* [970] OBJ_id_qt_unotice */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0F,/* [978] OBJ_SMIMECapabilities */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x04,/* [987] OBJ_pbeWithMD2AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x06,/* [996] OBJ_pbeWithMD5AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0A,/* [1005] OBJ_pbeWithSHA1AndDES_CBC */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0E,/* [1014] OBJ_ms_ext_req */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E,/* [1024] OBJ_ext_req */
+0x55,0x04,0x29,                              /* [1033] OBJ_name */
+0x55,0x04,0x2E,                              /* [1036] OBJ_dnQualifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,          /* [1039] OBJ_id_pe */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,          /* [1046] OBJ_id_ad */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,     /* [1053] OBJ_info_access */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,     /* [1061] OBJ_ad_OCSP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,     /* [1069] OBJ_ad_ca_issuers */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,     /* [1077] OBJ_OCSP_sign */
+0x2A,                                        /* [1085] OBJ_member_body */
+0x2A,0x86,0x48,                              /* [1086] OBJ_ISO_US */
+0x2A,0x86,0x48,0xCE,0x38,                    /* [1089] OBJ_X9_57 */
+0x2A,0x86,0x48,0xCE,0x38,0x04,               /* [1094] OBJ_X9cm */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,     /* [1100] OBJ_pkcs1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,     /* [1108] OBJ_pkcs5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,/* [1116] OBJ_SMIME */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,/* [1125] OBJ_id_smime_mod */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,/* [1135] OBJ_id_smime_ct */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,/* [1145] OBJ_id_smime_aa */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,/* [1155] OBJ_id_smime_alg */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,/* [1165] OBJ_id_smime_cd */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,/* [1175] OBJ_id_smime_spq */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,/* [1185] OBJ_id_smime_cti */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x01,/* [1195] OBJ_id_smime_mod_cms */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x02,/* [1206] OBJ_id_smime_mod_ess */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x03,/* [1217] OBJ_id_smime_mod_oid */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x04,/* [1228] OBJ_id_smime_mod_msg_v3 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x05,/* [1239] OBJ_id_smime_mod_ets_eSignature_88 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x06,/* [1250] OBJ_id_smime_mod_ets_eSignature_97 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x07,/* [1261] OBJ_id_smime_mod_ets_eSigPolicy_88 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x08,/* [1272] OBJ_id_smime_mod_ets_eSigPolicy_97 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x01,/* [1283] OBJ_id_smime_ct_receipt */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x02,/* [1294] OBJ_id_smime_ct_authData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x03,/* [1305] OBJ_id_smime_ct_publishCert */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x04,/* [1316] OBJ_id_smime_ct_TSTInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x05,/* [1327] OBJ_id_smime_ct_TDTInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x06,/* [1338] OBJ_id_smime_ct_contentInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x07,/* [1349] OBJ_id_smime_ct_DVCSRequestData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x08,/* [1360] OBJ_id_smime_ct_DVCSResponseData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x01,/* [1371] OBJ_id_smime_aa_receiptRequest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x02,/* [1382] OBJ_id_smime_aa_securityLabel */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x03,/* [1393] OBJ_id_smime_aa_mlExpandHistory */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x04,/* [1404] OBJ_id_smime_aa_contentHint */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x05,/* [1415] OBJ_id_smime_aa_msgSigDigest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x06,/* [1426] OBJ_id_smime_aa_encapContentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x07,/* [1437] OBJ_id_smime_aa_contentIdentifier */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x08,/* [1448] OBJ_id_smime_aa_macValue */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x09,/* [1459] OBJ_id_smime_aa_equivalentLabels */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0A,/* [1470] OBJ_id_smime_aa_contentReference */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0B,/* [1481] OBJ_id_smime_aa_encrypKeyPref */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0C,/* [1492] OBJ_id_smime_aa_signingCertificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0D,/* [1503] OBJ_id_smime_aa_smimeEncryptCerts */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E,/* [1514] OBJ_id_smime_aa_timeStampToken */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0F,/* [1525] OBJ_id_smime_aa_ets_sigPolicyId */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x10,/* [1536] OBJ_id_smime_aa_ets_commitmentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x11,/* [1547] OBJ_id_smime_aa_ets_signerLocation */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x12,/* [1558] OBJ_id_smime_aa_ets_signerAttr */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x13,/* [1569] OBJ_id_smime_aa_ets_otherSigCert */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x14,/* [1580] OBJ_id_smime_aa_ets_contentTimestamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x15,/* [1591] OBJ_id_smime_aa_ets_CertificateRefs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x16,/* [1602] OBJ_id_smime_aa_ets_RevocationRefs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x17,/* [1613] OBJ_id_smime_aa_ets_certValues */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x18,/* [1624] OBJ_id_smime_aa_ets_revocationValues */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x19,/* [1635] OBJ_id_smime_aa_ets_escTimeStamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1A,/* [1646] OBJ_id_smime_aa_ets_certCRLTimestamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1B,/* [1657] OBJ_id_smime_aa_ets_archiveTimeStamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1C,/* [1668] OBJ_id_smime_aa_signatureType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1D,/* [1679] OBJ_id_smime_aa_dvcs_dvc */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x01,/* [1690] OBJ_id_smime_alg_ESDHwith3DES */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x02,/* [1701] OBJ_id_smime_alg_ESDHwithRC2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x03,/* [1712] OBJ_id_smime_alg_3DESwrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x04,/* [1723] OBJ_id_smime_alg_RC2wrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x05,/* [1734] OBJ_id_smime_alg_ESDH */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x06,/* [1745] OBJ_id_smime_alg_CMS3DESwrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x07,/* [1756] OBJ_id_smime_alg_CMSRC2wrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,0x01,/* [1767] OBJ_id_smime_cd_ldap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x01,/* [1778] OBJ_id_smime_spq_ets_sqt_uri */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x02,/* [1789] OBJ_id_smime_spq_ets_sqt_unotice */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x01,/* [1800] OBJ_id_smime_cti_ets_proofOfOrigin */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x02,/* [1811] OBJ_id_smime_cti_ets_proofOfReceipt */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x03,/* [1822] OBJ_id_smime_cti_ets_proofOfDelivery */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x04,/* [1833] OBJ_id_smime_cti_ets_proofOfSender */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x05,/* [1844] OBJ_id_smime_cti_ets_proofOfApproval */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x06,/* [1855] OBJ_id_smime_cti_ets_proofOfCreation */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x04,     /* [1866] OBJ_md4 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,          /* [1874] OBJ_id_pkix_mod */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,          /* [1881] OBJ_id_qt */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,          /* [1888] OBJ_id_it */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,          /* [1895] OBJ_id_pkip */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,          /* [1902] OBJ_id_alg */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,          /* [1909] OBJ_id_cmc */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,          /* [1916] OBJ_id_on */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,          /* [1923] OBJ_id_pda */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,          /* [1930] OBJ_id_aca */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,          /* [1937] OBJ_id_qcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,          /* [1944] OBJ_id_cct */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x01,     /* [1951] OBJ_id_pkix1_explicit_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x02,     /* [1959] OBJ_id_pkix1_implicit_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x03,     /* [1967] OBJ_id_pkix1_explicit_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x04,     /* [1975] OBJ_id_pkix1_implicit_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x05,     /* [1983] OBJ_id_mod_crmf */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x06,     /* [1991] OBJ_id_mod_cmc */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x07,     /* [1999] OBJ_id_mod_kea_profile_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x08,     /* [2007] OBJ_id_mod_kea_profile_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x09,     /* [2015] OBJ_id_mod_cmp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0A,     /* [2023] OBJ_id_mod_qualified_cert_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0B,     /* [2031] OBJ_id_mod_qualified_cert_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0C,     /* [2039] OBJ_id_mod_attribute_cert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0D,     /* [2047] OBJ_id_mod_timestamp_protocol */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0E,     /* [2055] OBJ_id_mod_ocsp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0F,     /* [2063] OBJ_id_mod_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x10,     /* [2071] OBJ_id_mod_cmp2000 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x02,     /* [2079] OBJ_biometricInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x03,     /* [2087] OBJ_qcStatements */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2095] OBJ_ac_auditEntity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2103] OBJ_ac_targeting */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2111] OBJ_aaControls */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2119] OBJ_sbgp_ipAddrBlock */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2127] OBJ_sbgp_autonomousSysNum */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2135] OBJ_sbgp_routerIdentifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2143] OBJ_textNotice */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2151] OBJ_ipsecEndSystem */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2159] OBJ_ipsecTunnel */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x07,     /* [2167] OBJ_ipsecUser */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x0A,     /* [2175] OBJ_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x01,     /* [2183] OBJ_id_it_caProtEncCert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x02,     /* [2191] OBJ_id_it_signKeyPairTypes */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x03,     /* [2199] OBJ_id_it_encKeyPairTypes */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x04,     /* [2207] OBJ_id_it_preferredSymmAlg */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x05,     /* [2215] OBJ_id_it_caKeyUpdateInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x06,     /* [2223] OBJ_id_it_currentCRL */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x07,     /* [2231] OBJ_id_it_unsupportedOIDs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x08,     /* [2239] OBJ_id_it_subscriptionRequest */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x09,     /* [2247] OBJ_id_it_subscriptionResponse */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0A,     /* [2255] OBJ_id_it_keyPairParamReq */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0B,     /* [2263] OBJ_id_it_keyPairParamRep */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0C,     /* [2271] OBJ_id_it_revPassphrase */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0D,     /* [2279] OBJ_id_it_implicitConfirm */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0E,     /* [2287] OBJ_id_it_confirmWaitTime */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0F,     /* [2295] OBJ_id_it_origPKIMessage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,     /* [2303] OBJ_id_regCtrl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,     /* [2311] OBJ_id_regInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x01,/* [2319] OBJ_id_regCtrl_regToken */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x02,/* [2328] OBJ_id_regCtrl_authenticator */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x03,/* [2337] OBJ_id_regCtrl_pkiPublicationInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x04,/* [2346] OBJ_id_regCtrl_pkiArchiveOptions */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x05,/* [2355] OBJ_id_regCtrl_oldCertID */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x06,/* [2364] OBJ_id_regCtrl_protocolEncrKey */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x01,/* [2373] OBJ_id_regInfo_utf8Pairs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x02,/* [2382] OBJ_id_regInfo_certReq */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x01,     /* [2391] OBJ_id_alg_des40 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x02,     /* [2399] OBJ_id_alg_noSignature */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x03,     /* [2407] OBJ_id_alg_dh_sig_hmac_sha1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x04,     /* [2415] OBJ_id_alg_dh_pop */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x01,     /* [2423] OBJ_id_cmc_statusInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x02,     /* [2431] OBJ_id_cmc_identification */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x03,     /* [2439] OBJ_id_cmc_identityProof */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x04,     /* [2447] OBJ_id_cmc_dataReturn */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x05,     /* [2455] OBJ_id_cmc_transactionId */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x06,     /* [2463] OBJ_id_cmc_senderNonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x07,     /* [2471] OBJ_id_cmc_recipientNonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x08,     /* [2479] OBJ_id_cmc_addExtensions */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x09,     /* [2487] OBJ_id_cmc_encryptedPOP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0A,     /* [2495] OBJ_id_cmc_decryptedPOP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0B,     /* [2503] OBJ_id_cmc_lraPOPWitness */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0F,     /* [2511] OBJ_id_cmc_getCert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x10,     /* [2519] OBJ_id_cmc_getCRL */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x11,     /* [2527] OBJ_id_cmc_revokeRequest */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x12,     /* [2535] OBJ_id_cmc_regInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x13,     /* [2543] OBJ_id_cmc_responseInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x15,     /* [2551] OBJ_id_cmc_queryPending */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x16,     /* [2559] OBJ_id_cmc_popLinkRandom */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x17,     /* [2567] OBJ_id_cmc_popLinkWitness */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x18,     /* [2575] OBJ_id_cmc_confirmCertAcceptance */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x01,     /* [2583] OBJ_id_on_personalData */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x01,     /* [2591] OBJ_id_pda_dateOfBirth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x02,     /* [2599] OBJ_id_pda_placeOfBirth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03,     /* [2607] OBJ_id_pda_gender */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04,     /* [2615] OBJ_id_pda_countryOfCitizenship */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05,     /* [2623] OBJ_id_pda_countryOfResidence */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01,     /* [2631] OBJ_id_aca_authenticationInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02,     /* [2639] OBJ_id_aca_accessIdentity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03,     /* [2647] OBJ_id_aca_chargingIdentity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04,     /* [2655] OBJ_id_aca_group */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05,     /* [2663] OBJ_id_aca_role */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01,     /* [2671] OBJ_id_qcs_pkixQCSyntax_v1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01,     /* [2679] OBJ_id_cct_crs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02,     /* [2687] OBJ_id_cct_PKIData */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03,     /* [2695] OBJ_id_cct_PKIResponse */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03,     /* [2703] OBJ_ad_timeStamping */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04,     /* [2711] OBJ_ad_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,/* [2719] OBJ_id_pkix_OCSP_basic */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,/* [2728] OBJ_id_pkix_OCSP_Nonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03,/* [2737] OBJ_id_pkix_OCSP_CrlID */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04,/* [2746] OBJ_id_pkix_OCSP_acceptableResponses */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,/* [2755] OBJ_id_pkix_OCSP_noCheck */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06,/* [2764] OBJ_id_pkix_OCSP_archiveCutoff */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07,/* [2773] OBJ_id_pkix_OCSP_serviceLocator */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08,/* [2782] OBJ_id_pkix_OCSP_extendedStatus */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09,/* [2791] OBJ_id_pkix_OCSP_valid */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A,/* [2800] OBJ_id_pkix_OCSP_path */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B,/* [2809] OBJ_id_pkix_OCSP_trustRoot */
+0x2B,0x0E,0x03,0x02,                         /* [2818] OBJ_algorithm */
+0x2B,0x0E,0x03,0x02,0x0B,                    /* [2822] OBJ_rsaSignature */
+0x55,0x08,                                   /* [2827] OBJ_X500algorithms */
+0x2B,                                        /* [2829] OBJ_org */
+0x2B,0x06,                                   /* [2830] OBJ_dod */
+0x2B,0x06,0x01,                              /* [2832] OBJ_iana */
+0x2B,0x06,0x01,0x01,                         /* [2835] OBJ_Directory */
+0x2B,0x06,0x01,0x02,                         /* [2839] OBJ_Management */
+0x2B,0x06,0x01,0x03,                         /* [2843] OBJ_Experimental */
+0x2B,0x06,0x01,0x04,                         /* [2847] OBJ_Private */
+0x2B,0x06,0x01,0x05,                         /* [2851] OBJ_Security */
+0x2B,0x06,0x01,0x06,                         /* [2855] OBJ_SNMPv2 */
+0x2B,0x06,0x01,0x07,                         /* [2859] OBJ_Mail */
+0x2B,0x06,0x01,0x04,0x01,                    /* [2863] OBJ_Enterprises */
+0x2B,0x06,0x01,0x04,0x01,0x8B,0x3A,0x82,0x58,/* [2868] OBJ_dcObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2877] OBJ_domainComponent */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2887] OBJ_Domain */
+0x55,0x01,0x05,                              /* [2897] OBJ_selected_attribute_types */
+0x55,0x01,0x05,0x37,                         /* [2900] OBJ_clearance */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2904] OBJ_md4WithRSAEncryption */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A,     /* [2913] OBJ_ac_proxying */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B,     /* [2921] OBJ_sinfo_access */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06,     /* [2929] OBJ_id_aca_encAttrs */
+0x55,0x04,0x48,                              /* [2937] OBJ_role */
+0x55,0x1D,0x24,                              /* [2940] OBJ_policy_constraints */
+0x55,0x1D,0x37,                              /* [2943] OBJ_target_information */
+0x55,0x1D,0x38,                              /* [2946] OBJ_no_rev_avail */
+0x2A,0x86,0x48,0xCE,0x3D,                    /* [2949] OBJ_ansi_X9_62 */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x01,          /* [2954] OBJ_X9_62_prime_field */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,          /* [2961] OBJ_X9_62_characteristic_two_field */
+0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,          /* [2968] OBJ_X9_62_id_ecPublicKey */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01,     /* [2975] OBJ_X9_62_prime192v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02,     /* [2983] OBJ_X9_62_prime192v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03,     /* [2991] OBJ_X9_62_prime192v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04,     /* [2999] OBJ_X9_62_prime239v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05,     /* [3007] OBJ_X9_62_prime239v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06,     /* [3015] OBJ_X9_62_prime239v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,     /* [3023] OBJ_X9_62_prime256v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01,          /* [3031] OBJ_ecdsa_with_SHA1 */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x01,/* [3038] OBJ_ms_csp_name */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x01,/* [3047] OBJ_aes_128_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x02,/* [3056] OBJ_aes_128_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x03,/* [3065] OBJ_aes_128_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x04,/* [3074] OBJ_aes_128_cfb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x15,/* [3083] OBJ_aes_192_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x16,/* [3092] OBJ_aes_192_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x17,/* [3101] OBJ_aes_192_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x18,/* [3110] OBJ_aes_192_cfb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x29,/* [3119] OBJ_aes_256_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2A,/* [3128] OBJ_aes_256_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2B,/* [3137] OBJ_aes_256_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2C,/* [3146] OBJ_aes_256_cfb128 */
+0x55,0x1D,0x17,                              /* [3155] OBJ_hold_instruction_code */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x01,          /* [3158] OBJ_hold_instruction_none */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x02,          /* [3165] OBJ_hold_instruction_call_issuer */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x03,          /* [3172] OBJ_hold_instruction_reject */
+0x09,                                        /* [3179] OBJ_data */
+0x09,0x92,0x26,                              /* [3180] OBJ_pss */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,          /* [3183] OBJ_ucl */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,     /* [3190] OBJ_pilot */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,/* [3198] OBJ_pilotAttributeType */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,/* [3207] OBJ_pilotAttributeSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,/* [3216] OBJ_pilotObjectClass */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x0A,/* [3225] OBJ_pilotGroups */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x04,/* [3234] OBJ_iA5StringSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x05,/* [3244] OBJ_caseIgnoreIA5StringSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x03,/* [3254] OBJ_pilotObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x04,/* [3264] OBJ_pilotPerson */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x05,/* [3274] OBJ_account */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x06,/* [3284] OBJ_document */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x07,/* [3294] OBJ_room */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x09,/* [3304] OBJ_documentSeries */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0E,/* [3314] OBJ_rFC822localPart */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0F,/* [3324] OBJ_dNSDomain */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x11,/* [3334] OBJ_domainRelatedObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x12,/* [3344] OBJ_friendlyCountry */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x13,/* [3354] OBJ_simpleSecurityObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x14,/* [3364] OBJ_pilotOrganization */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x15,/* [3374] OBJ_pilotDSA */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x16,/* [3384] OBJ_qualityLabelledData */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01,/* [3394] OBJ_userId */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x02,/* [3404] OBJ_textEncodedORAddress */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x03,/* [3414] OBJ_rfc822Mailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x04,/* [3424] OBJ_info */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x05,/* [3434] OBJ_favouriteDrink */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x06,/* [3444] OBJ_roomNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x07,/* [3454] OBJ_photo */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x08,/* [3464] OBJ_userClass */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x09,/* [3474] OBJ_host */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0A,/* [3484] OBJ_manager */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0B,/* [3494] OBJ_documentIdentifier */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0C,/* [3504] OBJ_documentTitle */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0D,/* [3514] OBJ_documentVersion */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0E,/* [3524] OBJ_documentAuthor */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0F,/* [3534] OBJ_documentLocation */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x14,/* [3544] OBJ_homeTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x15,/* [3554] OBJ_secretary */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x16,/* [3564] OBJ_otherMailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x17,/* [3574] OBJ_lastModifiedTime */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x18,/* [3584] OBJ_lastModifiedBy */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1A,/* [3594] OBJ_aRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1B,/* [3604] OBJ_pilotAttributeType27 */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1C,/* [3614] OBJ_mXRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1D,/* [3624] OBJ_nSRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1E,/* [3634] OBJ_sOARecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1F,/* [3644] OBJ_cNAMERecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x25,/* [3654] OBJ_associatedDomain */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x26,/* [3664] OBJ_associatedName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x27,/* [3674] OBJ_homePostalAddress */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x28,/* [3684] OBJ_personalTitle */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x29,/* [3694] OBJ_mobileTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2A,/* [3704] OBJ_pagerTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2B,/* [3714] OBJ_friendlyCountryName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2D,/* [3724] OBJ_organizationalStatus */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2E,/* [3734] OBJ_janetMailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2F,/* [3744] OBJ_mailPreferenceOption */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x30,/* [3754] OBJ_buildingName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x31,/* [3764] OBJ_dSAQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x32,/* [3774] OBJ_singleLevelQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x33,/* [3784] OBJ_subtreeMinimumQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x34,/* [3794] OBJ_subtreeMaximumQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x35,/* [3804] OBJ_personalSignature */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x36,/* [3814] OBJ_dITRedirect */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x37,/* [3824] OBJ_audio */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x38,/* [3834] OBJ_documentPublisher */
+0x55,0x04,0x2D,                              /* [3844] OBJ_x500UniqueIdentifier */
+0x2B,0x06,0x01,0x07,0x01,                    /* [3847] OBJ_mime_mhs */
+0x2B,0x06,0x01,0x07,0x01,0x01,               /* [3852] OBJ_mime_mhs_headings */
+0x2B,0x06,0x01,0x07,0x01,0x02,               /* [3858] OBJ_mime_mhs_bodies */
+0x2B,0x06,0x01,0x07,0x01,0x01,0x01,          /* [3864] OBJ_id_hex_partial_message */
+0x2B,0x06,0x01,0x07,0x01,0x01,0x02,          /* [3871] OBJ_id_hex_multipart_message */
+0x55,0x04,0x2C,                              /* [3878] OBJ_generationQualifier */
+0x55,0x04,0x41,                              /* [3881] OBJ_pseudonym */
+0x67,0x2A,                                   /* [3884] OBJ_id_set */
+0x67,0x2A,0x00,                              /* [3886] OBJ_set_ctype */
+0x67,0x2A,0x01,                              /* [3889] OBJ_set_msgExt */
+0x67,0x2A,0x03,                              /* [3892] OBJ_set_attr */
+0x67,0x2A,0x05,                              /* [3895] OBJ_set_policy */
+0x67,0x2A,0x07,                              /* [3898] OBJ_set_certExt */
+0x67,0x2A,0x08,                              /* [3901] OBJ_set_brand */
+0x67,0x2A,0x00,0x00,                         /* [3904] OBJ_setct_PANData */
+0x67,0x2A,0x00,0x01,                         /* [3908] OBJ_setct_PANToken */
+0x67,0x2A,0x00,0x02,                         /* [3912] OBJ_setct_PANOnly */
+0x67,0x2A,0x00,0x03,                         /* [3916] OBJ_setct_OIData */
+0x67,0x2A,0x00,0x04,                         /* [3920] OBJ_setct_PI */
+0x67,0x2A,0x00,0x05,                         /* [3924] OBJ_setct_PIData */
+0x67,0x2A,0x00,0x06,                         /* [3928] OBJ_setct_PIDataUnsigned */
+0x67,0x2A,0x00,0x07,                         /* [3932] OBJ_setct_HODInput */
+0x67,0x2A,0x00,0x08,                         /* [3936] OBJ_setct_AuthResBaggage */
+0x67,0x2A,0x00,0x09,                         /* [3940] OBJ_setct_AuthRevReqBaggage */
+0x67,0x2A,0x00,0x0A,                         /* [3944] OBJ_setct_AuthRevResBaggage */
+0x67,0x2A,0x00,0x0B,                         /* [3948] OBJ_setct_CapTokenSeq */
+0x67,0x2A,0x00,0x0C,                         /* [3952] OBJ_setct_PInitResData */
+0x67,0x2A,0x00,0x0D,                         /* [3956] OBJ_setct_PI_TBS */
+0x67,0x2A,0x00,0x0E,                         /* [3960] OBJ_setct_PResData */
+0x67,0x2A,0x00,0x10,                         /* [3964] OBJ_setct_AuthReqTBS */
+0x67,0x2A,0x00,0x11,                         /* [3968] OBJ_setct_AuthResTBS */
+0x67,0x2A,0x00,0x12,                         /* [3972] OBJ_setct_AuthResTBSX */
+0x67,0x2A,0x00,0x13,                         /* [3976] OBJ_setct_AuthTokenTBS */
+0x67,0x2A,0x00,0x14,                         /* [3980] OBJ_setct_CapTokenData */
+0x67,0x2A,0x00,0x15,                         /* [3984] OBJ_setct_CapTokenTBS */
+0x67,0x2A,0x00,0x16,                         /* [3988] OBJ_setct_AcqCardCodeMsg */
+0x67,0x2A,0x00,0x17,                         /* [3992] OBJ_setct_AuthRevReqTBS */
+0x67,0x2A,0x00,0x18,                         /* [3996] OBJ_setct_AuthRevResData */
+0x67,0x2A,0x00,0x19,                         /* [4000] OBJ_setct_AuthRevResTBS */
+0x67,0x2A,0x00,0x1A,                         /* [4004] OBJ_setct_CapReqTBS */
+0x67,0x2A,0x00,0x1B,                         /* [4008] OBJ_setct_CapReqTBSX */
+0x67,0x2A,0x00,0x1C,                         /* [4012] OBJ_setct_CapResData */
+0x67,0x2A,0x00,0x1D,                         /* [4016] OBJ_setct_CapRevReqTBS */
+0x67,0x2A,0x00,0x1E,                         /* [4020] OBJ_setct_CapRevReqTBSX */
+0x67,0x2A,0x00,0x1F,                         /* [4024] OBJ_setct_CapRevResData */
+0x67,0x2A,0x00,0x20,                         /* [4028] OBJ_setct_CredReqTBS */
+0x67,0x2A,0x00,0x21,                         /* [4032] OBJ_setct_CredReqTBSX */
+0x67,0x2A,0x00,0x22,                         /* [4036] OBJ_setct_CredResData */
+0x67,0x2A,0x00,0x23,                         /* [4040] OBJ_setct_CredRevReqTBS */
+0x67,0x2A,0x00,0x24,                         /* [4044] OBJ_setct_CredRevReqTBSX */
+0x67,0x2A,0x00,0x25,                         /* [4048] OBJ_setct_CredRevResData */
+0x67,0x2A,0x00,0x26,                         /* [4052] OBJ_setct_PCertReqData */
+0x67,0x2A,0x00,0x27,                         /* [4056] OBJ_setct_PCertResTBS */
+0x67,0x2A,0x00,0x28,                         /* [4060] OBJ_setct_BatchAdminReqData */
+0x67,0x2A,0x00,0x29,                         /* [4064] OBJ_setct_BatchAdminResData */
+0x67,0x2A,0x00,0x2A,                         /* [4068] OBJ_setct_CardCInitResTBS */
+0x67,0x2A,0x00,0x2B,                         /* [4072] OBJ_setct_MeAqCInitResTBS */
+0x67,0x2A,0x00,0x2C,                         /* [4076] OBJ_setct_RegFormResTBS */
+0x67,0x2A,0x00,0x2D,                         /* [4080] OBJ_setct_CertReqData */
+0x67,0x2A,0x00,0x2E,                         /* [4084] OBJ_setct_CertReqTBS */
+0x67,0x2A,0x00,0x2F,                         /* [4088] OBJ_setct_CertResData */
+0x67,0x2A,0x00,0x30,                         /* [4092] OBJ_setct_CertInqReqTBS */
+0x67,0x2A,0x00,0x31,                         /* [4096] OBJ_setct_ErrorTBS */
+0x67,0x2A,0x00,0x32,                         /* [4100] OBJ_setct_PIDualSignedTBE */
+0x67,0x2A,0x00,0x33,                         /* [4104] OBJ_setct_PIUnsignedTBE */
+0x67,0x2A,0x00,0x34,                         /* [4108] OBJ_setct_AuthReqTBE */
+0x67,0x2A,0x00,0x35,                         /* [4112] OBJ_setct_AuthResTBE */
+0x67,0x2A,0x00,0x36,                         /* [4116] OBJ_setct_AuthResTBEX */
+0x67,0x2A,0x00,0x37,                         /* [4120] OBJ_setct_AuthTokenTBE */
+0x67,0x2A,0x00,0x38,                         /* [4124] OBJ_setct_CapTokenTBE */
+0x67,0x2A,0x00,0x39,                         /* [4128] OBJ_setct_CapTokenTBEX */
+0x67,0x2A,0x00,0x3A,                         /* [4132] OBJ_setct_AcqCardCodeMsgTBE */
+0x67,0x2A,0x00,0x3B,                         /* [4136] OBJ_setct_AuthRevReqTBE */
+0x67,0x2A,0x00,0x3C,                         /* [4140] OBJ_setct_AuthRevResTBE */
+0x67,0x2A,0x00,0x3D,                         /* [4144] OBJ_setct_AuthRevResTBEB */
+0x67,0x2A,0x00,0x3E,                         /* [4148] OBJ_setct_CapReqTBE */
+0x67,0x2A,0x00,0x3F,                         /* [4152] OBJ_setct_CapReqTBEX */
+0x67,0x2A,0x00,0x40,                         /* [4156] OBJ_setct_CapResTBE */
+0x67,0x2A,0x00,0x41,                         /* [4160] OBJ_setct_CapRevReqTBE */
+0x67,0x2A,0x00,0x42,                         /* [4164] OBJ_setct_CapRevReqTBEX */
+0x67,0x2A,0x00,0x43,                         /* [4168] OBJ_setct_CapRevResTBE */
+0x67,0x2A,0x00,0x44,                         /* [4172] OBJ_setct_CredReqTBE */
+0x67,0x2A,0x00,0x45,                         /* [4176] OBJ_setct_CredReqTBEX */
+0x67,0x2A,0x00,0x46,                         /* [4180] OBJ_setct_CredResTBE */
+0x67,0x2A,0x00,0x47,                         /* [4184] OBJ_setct_CredRevReqTBE */
+0x67,0x2A,0x00,0x48,                         /* [4188] OBJ_setct_CredRevReqTBEX */
+0x67,0x2A,0x00,0x49,                         /* [4192] OBJ_setct_CredRevResTBE */
+0x67,0x2A,0x00,0x4A,                         /* [4196] OBJ_setct_BatchAdminReqTBE */
+0x67,0x2A,0x00,0x4B,                         /* [4200] OBJ_setct_BatchAdminResTBE */
+0x67,0x2A,0x00,0x4C,                         /* [4204] OBJ_setct_RegFormReqTBE */
+0x67,0x2A,0x00,0x4D,                         /* [4208] OBJ_setct_CertReqTBE */
+0x67,0x2A,0x00,0x4E,                         /* [4212] OBJ_setct_CertReqTBEX */
+0x67,0x2A,0x00,0x4F,                         /* [4216] OBJ_setct_CertResTBE */
+0x67,0x2A,0x00,0x50,                         /* [4220] OBJ_setct_CRLNotificationTBS */
+0x67,0x2A,0x00,0x51,                         /* [4224] OBJ_setct_CRLNotificationResTBS */
+0x67,0x2A,0x00,0x52,                         /* [4228] OBJ_setct_BCIDistributionTBS */
+0x67,0x2A,0x01,0x01,                         /* [4232] OBJ_setext_genCrypt */
+0x67,0x2A,0x01,0x03,                         /* [4236] OBJ_setext_miAuth */
+0x67,0x2A,0x01,0x04,                         /* [4240] OBJ_setext_pinSecure */
+0x67,0x2A,0x01,0x05,                         /* [4244] OBJ_setext_pinAny */
+0x67,0x2A,0x01,0x07,                         /* [4248] OBJ_setext_track2 */
+0x67,0x2A,0x01,0x08,                         /* [4252] OBJ_setext_cv */
+0x67,0x2A,0x05,0x00,                         /* [4256] OBJ_set_policy_root */
+0x67,0x2A,0x07,0x00,                         /* [4260] OBJ_setCext_hashedRoot */
+0x67,0x2A,0x07,0x01,                         /* [4264] OBJ_setCext_certType */
+0x67,0x2A,0x07,0x02,                         /* [4268] OBJ_setCext_merchData */
+0x67,0x2A,0x07,0x03,                         /* [4272] OBJ_setCext_cCertRequired */
+0x67,0x2A,0x07,0x04,                         /* [4276] OBJ_setCext_tunneling */
+0x67,0x2A,0x07,0x05,                         /* [4280] OBJ_setCext_setExt */
+0x67,0x2A,0x07,0x06,                         /* [4284] OBJ_setCext_setQualf */
+0x67,0x2A,0x07,0x07,                         /* [4288] OBJ_setCext_PGWYcapabilities */
+0x67,0x2A,0x07,0x08,                         /* [4292] OBJ_setCext_TokenIdentifier */
+0x67,0x2A,0x07,0x09,                         /* [4296] OBJ_setCext_Track2Data */
+0x67,0x2A,0x07,0x0A,                         /* [4300] OBJ_setCext_TokenType */
+0x67,0x2A,0x07,0x0B,                         /* [4304] OBJ_setCext_IssuerCapabilities */
+0x67,0x2A,0x03,0x00,                         /* [4308] OBJ_setAttr_Cert */
+0x67,0x2A,0x03,0x01,                         /* [4312] OBJ_setAttr_PGWYcap */
+0x67,0x2A,0x03,0x02,                         /* [4316] OBJ_setAttr_TokenType */
+0x67,0x2A,0x03,0x03,                         /* [4320] OBJ_setAttr_IssCap */
+0x67,0x2A,0x03,0x00,0x00,                    /* [4324] OBJ_set_rootKeyThumb */
+0x67,0x2A,0x03,0x00,0x01,                    /* [4329] OBJ_set_addPolicy */
+0x67,0x2A,0x03,0x02,0x01,                    /* [4334] OBJ_setAttr_Token_EMV */
+0x67,0x2A,0x03,0x02,0x02,                    /* [4339] OBJ_setAttr_Token_B0Prime */
+0x67,0x2A,0x03,0x03,0x03,                    /* [4344] OBJ_setAttr_IssCap_CVM */
+0x67,0x2A,0x03,0x03,0x04,                    /* [4349] OBJ_setAttr_IssCap_T2 */
+0x67,0x2A,0x03,0x03,0x05,                    /* [4354] OBJ_setAttr_IssCap_Sig */
+0x67,0x2A,0x03,0x03,0x03,0x01,               /* [4359] OBJ_setAttr_GenCryptgrm */
+0x67,0x2A,0x03,0x03,0x04,0x01,               /* [4365] OBJ_setAttr_T2Enc */
+0x67,0x2A,0x03,0x03,0x04,0x02,               /* [4371] OBJ_setAttr_T2cleartxt */
+0x67,0x2A,0x03,0x03,0x05,0x01,               /* [4377] OBJ_setAttr_TokICCsig */
+0x67,0x2A,0x03,0x03,0x05,0x02,               /* [4383] OBJ_setAttr_SecDevSig */
+0x67,0x2A,0x08,0x01,                         /* [4389] OBJ_set_brand_IATA_ATA */
+0x67,0x2A,0x08,0x1E,                         /* [4393] OBJ_set_brand_Diners */
+0x67,0x2A,0x08,0x22,                         /* [4397] OBJ_set_brand_AmericanExpress */
+0x67,0x2A,0x08,0x23,                         /* [4401] OBJ_set_brand_JCB */
+0x67,0x2A,0x08,0x04,                         /* [4405] OBJ_set_brand_Visa */
+0x67,0x2A,0x08,0x05,                         /* [4409] OBJ_set_brand_MasterCard */
+0x67,0x2A,0x08,0xAE,0x7B,                    /* [4413] OBJ_set_brand_Novus */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A,     /* [4418] OBJ_des_cdmf */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,/* [4426] OBJ_rsaOAEPEncryptionSET */
+0x67,                                        /* [4435] OBJ_international_organizations */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4436] OBJ_ms_smartcard_login */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4446] OBJ_ms_upn */
+0x55,0x04,0x09,                              /* [4456] OBJ_streetAddress */
+0x55,0x04,0x11,                              /* [4459] OBJ_postalCode */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,          /* [4462] OBJ_id_ppl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4469] OBJ_proxyCertInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4477] OBJ_id_ppl_anyLanguage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4485] OBJ_id_ppl_inheritAll */
+0x55,0x1D,0x1E,                              /* [4493] OBJ_name_constraints */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4496] OBJ_Independent */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4504] OBJ_sha256WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4513] OBJ_sha384WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4522] OBJ_sha512WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4531] OBJ_sha224WithRSAEncryption */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4540] OBJ_sha256 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4549] OBJ_sha384 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4558] OBJ_sha512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4567] OBJ_sha224 */
+0x2B,                                        /* [4576] OBJ_identified_organization */
+0x2B,0x81,0x04,                              /* [4577] OBJ_certicom_arc */
+0x67,0x2B,                                   /* [4580] OBJ_wap */
+0x67,0x2B,0x01,                              /* [4582] OBJ_wap_wsg */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,     /* [4585] OBJ_X9_62_id_characteristic_two_basis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01,/* [4593] OBJ_X9_62_onBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02,/* [4602] OBJ_X9_62_tpBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x03,/* [4611] OBJ_X9_62_ppBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x01,     /* [4620] OBJ_X9_62_c2pnb163v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x02,     /* [4628] OBJ_X9_62_c2pnb163v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x03,     /* [4636] OBJ_X9_62_c2pnb163v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x04,     /* [4644] OBJ_X9_62_c2pnb176v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x05,     /* [4652] OBJ_X9_62_c2tnb191v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x06,     /* [4660] OBJ_X9_62_c2tnb191v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x07,     /* [4668] OBJ_X9_62_c2tnb191v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x08,     /* [4676] OBJ_X9_62_c2onb191v4 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x09,     /* [4684] OBJ_X9_62_c2onb191v5 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0A,     /* [4692] OBJ_X9_62_c2pnb208w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0B,     /* [4700] OBJ_X9_62_c2tnb239v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0C,     /* [4708] OBJ_X9_62_c2tnb239v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0D,     /* [4716] OBJ_X9_62_c2tnb239v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0E,     /* [4724] OBJ_X9_62_c2onb239v4 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0F,     /* [4732] OBJ_X9_62_c2onb239v5 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x10,     /* [4740] OBJ_X9_62_c2pnb272w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x11,     /* [4748] OBJ_X9_62_c2pnb304w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x12,     /* [4756] OBJ_X9_62_c2tnb359v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x13,     /* [4764] OBJ_X9_62_c2pnb368w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x14,     /* [4772] OBJ_X9_62_c2tnb431r1 */
+0x2B,0x81,0x04,0x00,0x06,                    /* [4780] OBJ_secp112r1 */
+0x2B,0x81,0x04,0x00,0x07,                    /* [4785] OBJ_secp112r2 */
+0x2B,0x81,0x04,0x00,0x1C,                    /* [4790] OBJ_secp128r1 */
+0x2B,0x81,0x04,0x00,0x1D,                    /* [4795] OBJ_secp128r2 */
+0x2B,0x81,0x04,0x00,0x09,                    /* [4800] OBJ_secp160k1 */
+0x2B,0x81,0x04,0x00,0x08,                    /* [4805] OBJ_secp160r1 */
+0x2B,0x81,0x04,0x00,0x1E,                    /* [4810] OBJ_secp160r2 */
+0x2B,0x81,0x04,0x00,0x1F,                    /* [4815] OBJ_secp192k1 */
+0x2B,0x81,0x04,0x00,0x20,                    /* [4820] OBJ_secp224k1 */
+0x2B,0x81,0x04,0x00,0x21,                    /* [4825] OBJ_secp224r1 */
+0x2B,0x81,0x04,0x00,0x0A,                    /* [4830] OBJ_secp256k1 */
+0x2B,0x81,0x04,0x00,0x22,                    /* [4835] OBJ_secp384r1 */
+0x2B,0x81,0x04,0x00,0x23,                    /* [4840] OBJ_secp521r1 */
+0x2B,0x81,0x04,0x00,0x04,                    /* [4845] OBJ_sect113r1 */
+0x2B,0x81,0x04,0x00,0x05,                    /* [4850] OBJ_sect113r2 */
+0x2B,0x81,0x04,0x00,0x16,                    /* [4855] OBJ_sect131r1 */
+0x2B,0x81,0x04,0x00,0x17,                    /* [4860] OBJ_sect131r2 */
+0x2B,0x81,0x04,0x00,0x01,                    /* [4865] OBJ_sect163k1 */
+0x2B,0x81,0x04,0x00,0x02,                    /* [4870] OBJ_sect163r1 */
+0x2B,0x81,0x04,0x00,0x0F,                    /* [4875] OBJ_sect163r2 */
+0x2B,0x81,0x04,0x00,0x18,                    /* [4880] OBJ_sect193r1 */
+0x2B,0x81,0x04,0x00,0x19,                    /* [4885] OBJ_sect193r2 */
+0x2B,0x81,0x04,0x00,0x1A,                    /* [4890] OBJ_sect233k1 */
+0x2B,0x81,0x04,0x00,0x1B,                    /* [4895] OBJ_sect233r1 */
+0x2B,0x81,0x04,0x00,0x03,                    /* [4900] OBJ_sect239k1 */
+0x2B,0x81,0x04,0x00,0x10,                    /* [4905] OBJ_sect283k1 */
+0x2B,0x81,0x04,0x00,0x11,                    /* [4910] OBJ_sect283r1 */
+0x2B,0x81,0x04,0x00,0x24,                    /* [4915] OBJ_sect409k1 */
+0x2B,0x81,0x04,0x00,0x25,                    /* [4920] OBJ_sect409r1 */
+0x2B,0x81,0x04,0x00,0x26,                    /* [4925] OBJ_sect571k1 */
+0x2B,0x81,0x04,0x00,0x27,                    /* [4930] OBJ_sect571r1 */
+0x67,0x2B,0x01,0x04,0x01,                    /* [4935] OBJ_wap_wsg_idm_ecid_wtls1 */
+0x67,0x2B,0x01,0x04,0x03,                    /* [4940] OBJ_wap_wsg_idm_ecid_wtls3 */
+0x67,0x2B,0x01,0x04,0x04,                    /* [4945] OBJ_wap_wsg_idm_ecid_wtls4 */
+0x67,0x2B,0x01,0x04,0x05,                    /* [4950] OBJ_wap_wsg_idm_ecid_wtls5 */
+0x67,0x2B,0x01,0x04,0x06,                    /* [4955] OBJ_wap_wsg_idm_ecid_wtls6 */
+0x67,0x2B,0x01,0x04,0x07,                    /* [4960] OBJ_wap_wsg_idm_ecid_wtls7 */
+0x67,0x2B,0x01,0x04,0x08,                    /* [4965] OBJ_wap_wsg_idm_ecid_wtls8 */
+0x67,0x2B,0x01,0x04,0x09,                    /* [4970] OBJ_wap_wsg_idm_ecid_wtls9 */
+0x67,0x2B,0x01,0x04,0x0A,                    /* [4975] OBJ_wap_wsg_idm_ecid_wtls10 */
+0x67,0x2B,0x01,0x04,0x0B,                    /* [4980] OBJ_wap_wsg_idm_ecid_wtls11 */
+0x67,0x2B,0x01,0x04,0x0C,                    /* [4985] OBJ_wap_wsg_idm_ecid_wtls12 */
+0x55,0x1D,0x20,0x00,                         /* [4990] OBJ_any_policy */
+0x55,0x1D,0x21,                              /* [4994] OBJ_policy_mappings */
+0x55,0x1D,0x36,                              /* [4997] OBJ_inhibit_any_policy */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x02,/* [5000] OBJ_camellia_128_cbc */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x03,/* [5011] OBJ_camellia_192_cbc */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x04,/* [5022] OBJ_camellia_256_cbc */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x01,     /* [5033] OBJ_camellia_128_ecb */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x15,     /* [5041] OBJ_camellia_192_ecb */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x29,     /* [5049] OBJ_camellia_256_ecb */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x04,     /* [5057] OBJ_camellia_128_cfb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x18,     /* [5065] OBJ_camellia_192_cfb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2C,     /* [5073] OBJ_camellia_256_cfb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x03,     /* [5081] OBJ_camellia_128_ofb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x17,     /* [5089] OBJ_camellia_192_ofb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2B,     /* [5097] OBJ_camellia_256_ofb128 */
+0x55,0x1D,0x09,                              /* [5105] OBJ_subject_directory_attributes */
+0x55,0x1D,0x1C,                              /* [5108] OBJ_issuing_distribution_point */
+0x55,0x1D,0x1D,                              /* [5111] OBJ_certificate_issuer */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,               /* [5114] OBJ_kisa */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x03,     /* [5120] OBJ_seed_ecb */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x04,     /* [5128] OBJ_seed_cbc */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x06,     /* [5136] OBJ_seed_ofb128 */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x05,     /* [5144] OBJ_seed_cfb128 */
+0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x01,     /* [5152] OBJ_hmac_md5 */
+0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x02,     /* [5160] OBJ_hmac_sha1 */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0D,/* [5168] OBJ_id_PasswordBasedMAC */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x1E,/* [5177] OBJ_id_DHBasedMac */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x10,     /* [5186] OBJ_id_it_suppLangTags */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x05,     /* [5194] OBJ_caRepository */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x09,/* [5202] OBJ_id_smime_ct_compressedData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1B,/* [5213] OBJ_id_ct_asciiTextWithCRLF */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x05,/* [5224] OBJ_id_aes128_wrap */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x19,/* [5233] OBJ_id_aes192_wrap */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2D,/* [5242] OBJ_id_aes256_wrap */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02,          /* [5251] OBJ_ecdsa_with_Recommended */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,          /* [5258] OBJ_ecdsa_with_Specified */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01,     /* [5265] OBJ_ecdsa_with_SHA224 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,     /* [5273] OBJ_ecdsa_with_SHA256 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,     /* [5281] OBJ_ecdsa_with_SHA384 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04,     /* [5289] OBJ_ecdsa_with_SHA512 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x06,     /* [5297] OBJ_hmacWithMD5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x08,     /* [5305] OBJ_hmacWithSHA224 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x09,     /* [5313] OBJ_hmacWithSHA256 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0A,     /* [5321] OBJ_hmacWithSHA384 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0B,     /* [5329] OBJ_hmacWithSHA512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01,/* [5337] OBJ_dsa_with_SHA224 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02,/* [5346] OBJ_dsa_with_SHA256 */
+0x28,0xCF,0x06,0x03,0x00,0x37,               /* [5355] OBJ_whirlpool */
+0x2A,0x85,0x03,0x02,0x02,                    /* [5361] OBJ_cryptopro */
+0x2A,0x85,0x03,0x02,0x09,                    /* [5366] OBJ_cryptocom */
+0x2A,0x85,0x03,0x02,0x02,0x03,               /* [5371] OBJ_id_GostR3411_94_with_GostR3410_2001 */
+0x2A,0x85,0x03,0x02,0x02,0x04,               /* [5377] OBJ_id_GostR3411_94_with_GostR3410_94 */
+0x2A,0x85,0x03,0x02,0x02,0x09,               /* [5383] OBJ_id_GostR3411_94 */
+0x2A,0x85,0x03,0x02,0x02,0x0A,               /* [5389] OBJ_id_HMACGostR3411_94 */
+0x2A,0x85,0x03,0x02,0x02,0x13,               /* [5395] OBJ_id_GostR3410_2001 */
+0x2A,0x85,0x03,0x02,0x02,0x14,               /* [5401] OBJ_id_GostR3410_94 */
+0x2A,0x85,0x03,0x02,0x02,0x15,               /* [5407] OBJ_id_Gost28147_89 */
+0x2A,0x85,0x03,0x02,0x02,0x16,               /* [5413] OBJ_id_Gost28147_89_MAC */
+0x2A,0x85,0x03,0x02,0x02,0x17,               /* [5419] OBJ_id_GostR3411_94_prf */
+0x2A,0x85,0x03,0x02,0x02,0x62,               /* [5425] OBJ_id_GostR3410_2001DH */
+0x2A,0x85,0x03,0x02,0x02,0x63,               /* [5431] OBJ_id_GostR3410_94DH */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x01,          /* [5437] OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x00,          /* [5444] OBJ_id_Gost28147_89_None_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x00,          /* [5451] OBJ_id_GostR3411_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x01,          /* [5458] OBJ_id_GostR3411_94_CryptoProParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x00,          /* [5465] OBJ_id_Gost28147_89_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x01,          /* [5472] OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x02,          /* [5479] OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x03,          /* [5486] OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x04,          /* [5493] OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x05,          /* [5500] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x06,          /* [5507] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x07,          /* [5514] OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x00,          /* [5521] OBJ_id_GostR3410_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x02,          /* [5528] OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x03,          /* [5535] OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x04,          /* [5542] OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x05,          /* [5549] OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x01,          /* [5556] OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x02,          /* [5563] OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x03,          /* [5570] OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x00,          /* [5577] OBJ_id_GostR3410_2001_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x01,          /* [5584] OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x02,          /* [5591] OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x03,          /* [5598] OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x00,          /* [5605] OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x01,          /* [5612] OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x01,          /* [5619] OBJ_id_GostR3410_94_a */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x02,          /* [5626] OBJ_id_GostR3410_94_aBis */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x03,          /* [5633] OBJ_id_GostR3410_94_b */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x04,          /* [5640] OBJ_id_GostR3410_94_bBis */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01,     /* [5647] OBJ_id_Gost28147_89_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03,     /* [5655] OBJ_id_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04,     /* [5663] OBJ_id_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03,     /* [5671] OBJ_id_GostR3411_94_with_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04,     /* [5679] OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01,     /* [5687] OBJ_id_GostR3410_2001_ParamSet_cc */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02,/* [5695] OBJ_LocalKeySet */
+0x55,0x1D,0x2E,                              /* [5704] OBJ_freshest_crl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x03,     /* [5707] OBJ_id_on_permanentIdentifier */
+0x55,0x04,0x0E,                              /* [5715] OBJ_searchGuide */
+0x55,0x04,0x0F,                              /* [5718] OBJ_businessCategory */
+0x55,0x04,0x10,                              /* [5721] OBJ_postalAddress */
+0x55,0x04,0x12,                              /* [5724] OBJ_postOfficeBox */
+0x55,0x04,0x13,                              /* [5727] OBJ_physicalDeliveryOfficeName */
+0x55,0x04,0x14,                              /* [5730] OBJ_telephoneNumber */
+0x55,0x04,0x15,                              /* [5733] OBJ_telexNumber */
+0x55,0x04,0x16,                              /* [5736] OBJ_teletexTerminalIdentifier */
+0x55,0x04,0x17,                              /* [5739] OBJ_facsimileTelephoneNumber */
+0x55,0x04,0x18,                              /* [5742] OBJ_x121Address */
+0x55,0x04,0x19,                              /* [5745] OBJ_internationaliSDNNumber */
+0x55,0x04,0x1A,                              /* [5748] OBJ_registeredAddress */
+0x55,0x04,0x1B,                              /* [5751] OBJ_destinationIndicator */
+0x55,0x04,0x1C,                              /* [5754] OBJ_preferredDeliveryMethod */
+0x55,0x04,0x1D,                              /* [5757] OBJ_presentationAddress */
+0x55,0x04,0x1E,                              /* [5760] OBJ_supportedApplicationContext */
+0x55,0x04,0x1F,                              /* [5763] OBJ_member */
+0x55,0x04,0x20,                              /* [5766] OBJ_owner */
+0x55,0x04,0x21,                              /* [5769] OBJ_roleOccupant */
+0x55,0x04,0x22,                              /* [5772] OBJ_seeAlso */
+0x55,0x04,0x23,                              /* [5775] OBJ_userPassword */
+0x55,0x04,0x24,                              /* [5778] OBJ_userCertificate */
+0x55,0x04,0x25,                              /* [5781] OBJ_cACertificate */
+0x55,0x04,0x26,                              /* [5784] OBJ_authorityRevocationList */
+0x55,0x04,0x27,                              /* [5787] OBJ_certificateRevocationList */
+0x55,0x04,0x28,                              /* [5790] OBJ_crossCertificatePair */
+0x55,0x04,0x2F,                              /* [5793] OBJ_enhancedSearchGuide */
+0x55,0x04,0x30,                              /* [5796] OBJ_protocolInformation */
+0x55,0x04,0x31,                              /* [5799] OBJ_distinguishedName */
+0x55,0x04,0x32,                              /* [5802] OBJ_uniqueMember */
+0x55,0x04,0x33,                              /* [5805] OBJ_houseIdentifier */
+0x55,0x04,0x34,                              /* [5808] OBJ_supportedAlgorithms */
+0x55,0x04,0x35,                              /* [5811] OBJ_deltaRevocationList */
+0x55,0x04,0x36,                              /* [5814] OBJ_dmdName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x09,/* [5817] OBJ_id_alg_PWRI_KEK */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x06,/* [5828] OBJ_aes_128_gcm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x07,/* [5837] OBJ_aes_128_ccm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x08,/* [5846] OBJ_id_aes128_wrap_pad */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1A,/* [5855] OBJ_aes_192_gcm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1B,/* [5864] OBJ_aes_192_ccm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1C,/* [5873] OBJ_id_aes192_wrap_pad */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2E,/* [5882] OBJ_aes_256_gcm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2F,/* [5891] OBJ_aes_256_ccm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x30,/* [5900] OBJ_id_aes256_wrap_pad */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x02,/* [5909] OBJ_id_camellia128_wrap */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x03,/* [5920] OBJ_id_camellia192_wrap */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x04,/* [5931] OBJ_id_camellia256_wrap */
+0x55,0x1D,0x25,0x00,                         /* [5942] OBJ_anyExtendedKeyUsage */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08,/* [5946] OBJ_mgf1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A,/* [5955] OBJ_rsassaPss */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x07,/* [5964] OBJ_rsaesOaep */
+0x2A,0x86,0x48,0xCE,0x3E,0x02,0x01,          /* [5973] OBJ_dhpublicnumber */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x01,/* [5980] OBJ_brainpoolP160r1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x02,/* [5989] OBJ_brainpoolP160t1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x03,/* [5998] OBJ_brainpoolP192r1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x04,/* [6007] OBJ_brainpoolP192t1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05,/* [6016] OBJ_brainpoolP224r1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x06,/* [6025] OBJ_brainpoolP224t1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07,/* [6034] OBJ_brainpoolP256r1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x08,/* [6043] OBJ_brainpoolP256t1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09,/* [6052] OBJ_brainpoolP320r1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0A,/* [6061] OBJ_brainpoolP320t1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0B,/* [6070] OBJ_brainpoolP384r1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0C,/* [6079] OBJ_brainpoolP384t1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0D,/* [6088] OBJ_brainpoolP512r1 */
+0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0E,/* [6097] OBJ_brainpoolP512t1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x09,/* [6106] OBJ_pSpecified */
+0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x02,/* [6115] OBJ_dhSinglePass_stdDH_sha1kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0B,0x00,               /* [6124] OBJ_dhSinglePass_stdDH_sha224kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0B,0x01,               /* [6130] OBJ_dhSinglePass_stdDH_sha256kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0B,0x02,               /* [6136] OBJ_dhSinglePass_stdDH_sha384kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0B,0x03,               /* [6142] OBJ_dhSinglePass_stdDH_sha512kdf_scheme */
+0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x03,/* [6148] OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0E,0x00,               /* [6157] OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0E,0x01,               /* [6163] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0E,0x02,               /* [6169] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */
+0x2B,0x81,0x04,0x01,0x0E,0x03,               /* [6175] OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,/* [6181] OBJ_ct_precert_scts */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x03,/* [6191] OBJ_ct_precert_poison */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x04,/* [6201] OBJ_ct_precert_signer */
+0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x05,/* [6211] OBJ_ct_cert_scts */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x01,/* [6221] OBJ_jurisdictionLocalityName */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,/* [6232] OBJ_jurisdictionStateOrProvinceName */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,/* [6243] OBJ_jurisdictionCountryName */
 };
 
-#define NUM_NID 1061
-static const ASN1_OBJECT nid_objs[NUM_NID] = {
-    {"UNDEF", "undefined", NID_undef},
-    {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
-    {"pkcs", "RSA Data Security, Inc. PKCS", NID_pkcs, 7, &so[6]},
-    {"MD2", "md2", NID_md2, 8, &so[13]},
-    {"MD5", "md5", NID_md5, 8, &so[21]},
-    {"RC4", "rc4", NID_rc4, 8, &so[29]},
-    {"rsaEncryption", "rsaEncryption", NID_rsaEncryption, 9, &so[37]},
-    {"RSA-MD2", "md2WithRSAEncryption", NID_md2WithRSAEncryption, 9, &so[46]},
-    {"RSA-MD5", "md5WithRSAEncryption", NID_md5WithRSAEncryption, 9, &so[55]},
-    {"PBE-MD2-DES", "pbeWithMD2AndDES-CBC", NID_pbeWithMD2AndDES_CBC, 9, &so[64]},
-    {"PBE-MD5-DES", "pbeWithMD5AndDES-CBC", NID_pbeWithMD5AndDES_CBC, 9, &so[73]},
-    {"X500", "directory services (X.500)", NID_X500, 1, &so[82]},
-    {"X509", "X509", NID_X509, 2, &so[83]},
-    {"CN", "commonName", NID_commonName, 3, &so[85]},
-    {"C", "countryName", NID_countryName, 3, &so[88]},
-    {"L", "localityName", NID_localityName, 3, &so[91]},
-    {"ST", "stateOrProvinceName", NID_stateOrProvinceName, 3, &so[94]},
-    {"O", "organizationName", NID_organizationName, 3, &so[97]},
-    {"OU", "organizationalUnitName", NID_organizationalUnitName, 3, &so[100]},
-    {"RSA", "rsa", NID_rsa, 4, &so[103]},
-    {"pkcs7", "pkcs7", NID_pkcs7, 8, &so[107]},
-    {"pkcs7-data", "pkcs7-data", NID_pkcs7_data, 9, &so[115]},
-    {"pkcs7-signedData", "pkcs7-signedData", NID_pkcs7_signed, 9, &so[124]},
-    {"pkcs7-envelopedData", "pkcs7-envelopedData", NID_pkcs7_enveloped, 9, &so[133]},
-    {"pkcs7-signedAndEnvelopedData", "pkcs7-signedAndEnvelopedData", NID_pkcs7_signedAndEnveloped, 9, &so[142]},
-    {"pkcs7-digestData", "pkcs7-digestData", NID_pkcs7_digest, 9, &so[151]},
-    {"pkcs7-encryptedData", "pkcs7-encryptedData", NID_pkcs7_encrypted, 9, &so[160]},
-    {"pkcs3", "pkcs3", NID_pkcs3, 8, &so[169]},
-    {"dhKeyAgreement", "dhKeyAgreement", NID_dhKeyAgreement, 9, &so[177]},
-    {"DES-ECB", "des-ecb", NID_des_ecb, 5, &so[186]},
-    {"DES-CFB", "des-cfb", NID_des_cfb64, 5, &so[191]},
-    {"DES-CBC", "des-cbc", NID_des_cbc, 5, &so[196]},
-    {"DES-EDE", "des-ede", NID_des_ede_ecb, 5, &so[201]},
-    {"DES-EDE3", "des-ede3", NID_des_ede3_ecb},
-    {"IDEA-CBC", "idea-cbc", NID_idea_cbc, 11, &so[206]},
-    {"IDEA-CFB", "idea-cfb", NID_idea_cfb64},
-    {"IDEA-ECB", "idea-ecb", NID_idea_ecb},
-    {"RC2-CBC", "rc2-cbc", NID_rc2_cbc, 8, &so[217]},
-    {"RC2-ECB", "rc2-ecb", NID_rc2_ecb},
-    {"RC2-CFB", "rc2-cfb", NID_rc2_cfb64},
-    {"RC2-OFB", "rc2-ofb", NID_rc2_ofb64},
-    {"SHA", "sha", NID_sha, 5, &so[225]},
-    {"RSA-SHA", "shaWithRSAEncryption", NID_shaWithRSAEncryption, 5, &so[230]},
-    {"DES-EDE-CBC", "des-ede-cbc", NID_des_ede_cbc},
-    {"DES-EDE3-CBC", "des-ede3-cbc", NID_des_ede3_cbc, 8, &so[235]},
-    {"DES-OFB", "des-ofb", NID_des_ofb64, 5, &so[243]},
-    {"IDEA-OFB", "idea-ofb", NID_idea_ofb64},
-    {"pkcs9", "pkcs9", NID_pkcs9, 8, &so[248]},
-    {"emailAddress", "emailAddress", NID_pkcs9_emailAddress, 9, &so[256]},
-    {"unstructuredName", "unstructuredName", NID_pkcs9_unstructuredName, 9, &so[265]},
-    {"contentType", "contentType", NID_pkcs9_contentType, 9, &so[274]},
-    {"messageDigest", "messageDigest", NID_pkcs9_messageDigest, 9, &so[283]},
-    {"signingTime", "signingTime", NID_pkcs9_signingTime, 9, &so[292]},
-    {"countersignature", "countersignature", NID_pkcs9_countersignature, 9, &so[301]},
-    {"challengePassword", "challengePassword", NID_pkcs9_challengePassword, 9, &so[310]},
-    {"unstructuredAddress", "unstructuredAddress", NID_pkcs9_unstructuredAddress, 9, &so[319]},
-    {"extendedCertificateAttributes", "extendedCertificateAttributes", NID_pkcs9_extCertAttributes, 9, &so[328]},
-    {"Netscape", "Netscape Communications Corp.", NID_netscape, 7, &so[337]},
-    {"nsCertExt", "Netscape Certificate Extension", NID_netscape_cert_extension, 8, &so[344]},
-    {"nsDataType", "Netscape Data Type", NID_netscape_data_type, 8, &so[352]},
-    {"DES-EDE-CFB", "des-ede-cfb", NID_des_ede_cfb64},
-    {"DES-EDE3-CFB", "des-ede3-cfb", NID_des_ede3_cfb64},
-    {"DES-EDE-OFB", "des-ede-ofb", NID_des_ede_ofb64},
-    {"DES-EDE3-OFB", "des-ede3-ofb", NID_des_ede3_ofb64},
-    {"SHA1", "sha1", NID_sha1, 5, &so[360]},
-    {"RSA-SHA1", "sha1WithRSAEncryption", NID_sha1WithRSAEncryption, 9, &so[365]},
-    {"DSA-SHA", "dsaWithSHA", NID_dsaWithSHA, 5, &so[374]},
-    {"DSA-old", "dsaEncryption-old", NID_dsa_2, 5, &so[379]},
-    {"PBE-SHA1-RC2-64", "pbeWithSHA1AndRC2-CBC", NID_pbeWithSHA1AndRC2_CBC, 9, &so[384]},
-    {"PBKDF2", "PBKDF2", NID_id_pbkdf2, 9, &so[393]},
-    {"DSA-SHA1-old", "dsaWithSHA1-old", NID_dsaWithSHA1_2, 5, &so[402]},
-    {"nsCertType", "Netscape Cert Type", NID_netscape_cert_type, 9, &so[407]},
-    {"nsBaseUrl", "Netscape Base Url", NID_netscape_base_url, 9, &so[416]},
-    {"nsRevocationUrl", "Netscape Revocation Url", NID_netscape_revocation_url, 9, &so[425]},
-    {"nsCaRevocationUrl", "Netscape CA Revocation Url", NID_netscape_ca_revocation_url, 9, &so[434]},
-    {"nsRenewalUrl", "Netscape Renewal Url", NID_netscape_renewal_url, 9, &so[443]},
-    {"nsCaPolicyUrl", "Netscape CA Policy Url", NID_netscape_ca_policy_url, 9, &so[452]},
-    {"nsSslServerName", "Netscape SSL Server Name", NID_netscape_ssl_server_name, 9, &so[461]},
-    {"nsComment", "Netscape Comment", NID_netscape_comment, 9, &so[470]},
-    {"nsCertSequence", "Netscape Certificate Sequence", NID_netscape_cert_sequence, 9, &so[479]},
-    {"DESX-CBC", "desx-cbc", NID_desx_cbc},
-    {"id-ce", "id-ce", NID_id_ce, 2, &so[488]},
-    {"subjectKeyIdentifier", "X509v3 Subject Key Identifier", NID_subject_key_identifier, 3, &so[490]},
-    {"keyUsage", "X509v3 Key Usage", NID_key_usage, 3, &so[493]},
-    {"privateKeyUsagePeriod", "X509v3 Private Key Usage Period", NID_private_key_usage_period, 3, &so[496]},
-    {"subjectAltName", "X509v3 Subject Alternative Name", NID_subject_alt_name, 3, &so[499]},
-    {"issuerAltName", "X509v3 Issuer Alternative Name", NID_issuer_alt_name, 3, &so[502]},
-    {"basicConstraints", "X509v3 Basic Constraints", NID_basic_constraints, 3, &so[505]},
-    {"crlNumber", "X509v3 CRL Number", NID_crl_number, 3, &so[508]},
-    {"certificatePolicies", "X509v3 Certificate Policies", NID_certificate_policies, 3, &so[511]},
-    {"authorityKeyIdentifier", "X509v3 Authority Key Identifier", NID_authority_key_identifier, 3, &so[514]},
-    {"BF-CBC", "bf-cbc", NID_bf_cbc, 9, &so[517]},
-    {"BF-ECB", "bf-ecb", NID_bf_ecb},
-    {"BF-CFB", "bf-cfb", NID_bf_cfb64},
-    {"BF-OFB", "bf-ofb", NID_bf_ofb64},
-    {"MDC2", "mdc2", NID_mdc2, 4, &so[526]},
-    {"RSA-MDC2", "mdc2WithRSA", NID_mdc2WithRSA, 4, &so[530]},
-    {"RC4-40", "rc4-40", NID_rc4_40},
-    {"RC2-40-CBC", "rc2-40-cbc", NID_rc2_40_cbc},
-    {"GN", "givenName", NID_givenName, 3, &so[534]},
-    {"SN", "surname", NID_surname, 3, &so[537]},
-    {"initials", "initials", NID_initials, 3, &so[540]},
-    {"uid", "uniqueIdentifier", NID_uniqueIdentifier, 10, &so[543]},
-    {"crlDistributionPoints", "X509v3 CRL Distribution Points", NID_crl_distribution_points, 3, &so[553]},
-    {"RSA-NP-MD5", "md5WithRSA", NID_md5WithRSA, 5, &so[556]},
-    {"serialNumber", "serialNumber", NID_serialNumber, 3, &so[561]},
-    {"title", "title", NID_title, 3, &so[564]},
-    {"description", "description", NID_description, 3, &so[567]},
-    {"CAST5-CBC", "cast5-cbc", NID_cast5_cbc, 9, &so[570]},
-    {"CAST5-ECB", "cast5-ecb", NID_cast5_ecb},
-    {"CAST5-CFB", "cast5-cfb", NID_cast5_cfb64},
-    {"CAST5-OFB", "cast5-ofb", NID_cast5_ofb64},
-    {"pbeWithMD5AndCast5CBC", "pbeWithMD5AndCast5CBC", NID_pbeWithMD5AndCast5_CBC, 9, &so[579]},
-    {"DSA-SHA1", "dsaWithSHA1", NID_dsaWithSHA1, 7, &so[588]},
-    {"MD5-SHA1", "md5-sha1", NID_md5_sha1},
-    {"RSA-SHA1-2", "sha1WithRSA", NID_sha1WithRSA, 5, &so[595]},
-    {"DSA", "dsaEncryption", NID_dsa, 7, &so[600]},
-    {"RIPEMD160", "ripemd160", NID_ripemd160, 5, &so[607]},
-    { NULL, NULL, NID_undef },
-    {"RSA-RIPEMD160", "ripemd160WithRSA", NID_ripemd160WithRSA, 6, &so[612]},
-    {"RC5-CBC", "rc5-cbc", NID_rc5_cbc, 8, &so[618]},
-    {"RC5-ECB", "rc5-ecb", NID_rc5_ecb},
-    {"RC5-CFB", "rc5-cfb", NID_rc5_cfb64},
-    {"RC5-OFB", "rc5-ofb", NID_rc5_ofb64},
-    { NULL, NULL, NID_undef },
-    {"ZLIB", "zlib compression", NID_zlib_compression, 11, &so[626]},
-    {"extendedKeyUsage", "X509v3 Extended Key Usage", NID_ext_key_usage, 3, &so[637]},
-    {"PKIX", "PKIX", NID_id_pkix, 6, &so[640]},
-    {"id-kp", "id-kp", NID_id_kp, 7, &so[646]},
-    {"serverAuth", "TLS Web Server Authentication", NID_server_auth, 8, &so[653]},
-    {"clientAuth", "TLS Web Client Authentication", NID_client_auth, 8, &so[661]},
-    {"codeSigning", "Code Signing", NID_code_sign, 8, &so[669]},
-    {"emailProtection", "E-mail Protection", NID_email_protect, 8, &so[677]},
-    {"timeStamping", "Time Stamping", NID_time_stamp, 8, &so[685]},
-    {"msCodeInd", "Microsoft Individual Code Signing", NID_ms_code_ind, 10, &so[693]},
-    {"msCodeCom", "Microsoft Commercial Code Signing", NID_ms_code_com, 10, &so[703]},
-    {"msCTLSign", "Microsoft Trust List Signing", NID_ms_ctl_sign, 10, &so[713]},
-    {"msSGC", "Microsoft Server Gated Crypto", NID_ms_sgc, 10, &so[723]},
-    {"msEFS", "Microsoft Encrypted File System", NID_ms_efs, 10, &so[733]},
-    {"nsSGC", "Netscape Server Gated Crypto", NID_ns_sgc, 9, &so[743]},
-    {"deltaCRL", "X509v3 Delta CRL Indicator", NID_delta_crl, 3, &so[752]},
-    {"CRLReason", "X509v3 CRL Reason Code", NID_crl_reason, 3, &so[755]},
-    {"invalidityDate", "Invalidity Date", NID_invalidity_date, 3, &so[758]},
-    {"SXNetID", "Strong Extranet ID", NID_sxnet, 5, &so[761]},
-    {"PBE-SHA1-RC4-128", "pbeWithSHA1And128BitRC4", NID_pbe_WithSHA1And128BitRC4, 10, &so[766]},
-    {"PBE-SHA1-RC4-40", "pbeWithSHA1And40BitRC4", NID_pbe_WithSHA1And40BitRC4, 10, &so[776]},
-    {"PBE-SHA1-3DES", "pbeWithSHA1And3-KeyTripleDES-CBC", NID_pbe_WithSHA1And3_Key_TripleDES_CBC, 10, &so[786]},
-    {"PBE-SHA1-2DES", "pbeWithSHA1And2-KeyTripleDES-CBC", NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 10, &so[796]},
-    {"PBE-SHA1-RC2-128", "pbeWithSHA1And128BitRC2-CBC", NID_pbe_WithSHA1And128BitRC2_CBC, 10, &so[806]},
-    {"PBE-SHA1-RC2-40", "pbeWithSHA1And40BitRC2-CBC", NID_pbe_WithSHA1And40BitRC2_CBC, 10, &so[816]},
-    {"keyBag", "keyBag", NID_keyBag, 11, &so[826]},
-    {"pkcs8ShroudedKeyBag", "pkcs8ShroudedKeyBag", NID_pkcs8ShroudedKeyBag, 11, &so[837]},
-    {"certBag", "certBag", NID_certBag, 11, &so[848]},
-    {"crlBag", "crlBag", NID_crlBag, 11, &so[859]},
-    {"secretBag", "secretBag", NID_secretBag, 11, &so[870]},
-    {"safeContentsBag", "safeContentsBag", NID_safeContentsBag, 11, &so[881]},
-    {"friendlyName", "friendlyName", NID_friendlyName, 9, &so[892]},
-    {"localKeyID", "localKeyID", NID_localKeyID, 9, &so[901]},
-    {"x509Certificate", "x509Certificate", NID_x509Certificate, 10, &so[910]},
-    {"sdsiCertificate", "sdsiCertificate", NID_sdsiCertificate, 10, &so[920]},
-    {"x509Crl", "x509Crl", NID_x509Crl, 10, &so[930]},
-    {"PBES2", "PBES2", NID_pbes2, 9, &so[940]},
-    {"PBMAC1", "PBMAC1", NID_pbmac1, 9, &so[949]},
-    {"hmacWithSHA1", "hmacWithSHA1", NID_hmacWithSHA1, 8, &so[958]},
-    {"id-qt-cps", "Policy Qualifier CPS", NID_id_qt_cps, 8, &so[966]},
-    {"id-qt-unotice", "Policy Qualifier User Notice", NID_id_qt_unotice, 8, &so[974]},
-    {"RC2-64-CBC", "rc2-64-cbc", NID_rc2_64_cbc},
-    {"SMIME-CAPS", "S/MIME Capabilities", NID_SMIMECapabilities, 9, &so[982]},
-    {"PBE-MD2-RC2-64", "pbeWithMD2AndRC2-CBC", NID_pbeWithMD2AndRC2_CBC, 9, &so[991]},
-    {"PBE-MD5-RC2-64", "pbeWithMD5AndRC2-CBC", NID_pbeWithMD5AndRC2_CBC, 9, &so[1000]},
-    {"PBE-SHA1-DES", "pbeWithSHA1AndDES-CBC", NID_pbeWithSHA1AndDES_CBC, 9, &so[1009]},
-    {"msExtReq", "Microsoft Extension Request", NID_ms_ext_req, 10, &so[1018]},
-    {"extReq", "Extension Request", NID_ext_req, 9, &so[1028]},
-    {"name", "name", NID_name, 3, &so[1037]},
-    {"dnQualifier", "dnQualifier", NID_dnQualifier, 3, &so[1040]},
-    {"id-pe", "id-pe", NID_id_pe, 7, &so[1043]},
-    {"id-ad", "id-ad", NID_id_ad, 7, &so[1050]},
-    {"authorityInfoAccess", "Authority Information Access", NID_info_access, 8, &so[1057]},
-    {"OCSP", "OCSP", NID_ad_OCSP, 8, &so[1065]},
-    {"caIssuers", "CA Issuers", NID_ad_ca_issuers, 8, &so[1073]},
-    {"OCSPSigning", "OCSP Signing", NID_OCSP_sign, 8, &so[1081]},
-    {"ISO", "iso", NID_iso},
-    {"member-body", "ISO Member Body", NID_member_body, 1, &so[1089]},
-    {"ISO-US", "ISO US Member Body", NID_ISO_US, 3, &so[1090]},
-    {"X9-57", "X9.57", NID_X9_57, 5, &so[1093]},
-    {"X9cm", "X9.57 CM ?", NID_X9cm, 6, &so[1098]},
-    {"pkcs1", "pkcs1", NID_pkcs1, 8, &so[1104]},
-    {"pkcs5", "pkcs5", NID_pkcs5, 8, &so[1112]},
-    {"SMIME", "S/MIME", NID_SMIME, 9, &so[1120]},
-    {"id-smime-mod", "id-smime-mod", NID_id_smime_mod, 10, &so[1129]},
-    {"id-smime-ct", "id-smime-ct", NID_id_smime_ct, 10, &so[1139]},
-    {"id-smime-aa", "id-smime-aa", NID_id_smime_aa, 10, &so[1149]},
-    {"id-smime-alg", "id-smime-alg", NID_id_smime_alg, 10, &so[1159]},
-    {"id-smime-cd", "id-smime-cd", NID_id_smime_cd, 10, &so[1169]},
-    {"id-smime-spq", "id-smime-spq", NID_id_smime_spq, 10, &so[1179]},
-    {"id-smime-cti", "id-smime-cti", NID_id_smime_cti, 10, &so[1189]},
-    {"id-smime-mod-cms", "id-smime-mod-cms", NID_id_smime_mod_cms, 11, &so[1199]},
-    {"id-smime-mod-ess", "id-smime-mod-ess", NID_id_smime_mod_ess, 11, &so[1210]},
-    {"id-smime-mod-oid", "id-smime-mod-oid", NID_id_smime_mod_oid, 11, &so[1221]},
-    {"id-smime-mod-msg-v3", "id-smime-mod-msg-v3", NID_id_smime_mod_msg_v3, 11, &so[1232]},
-    {"id-smime-mod-ets-eSignature-88", "id-smime-mod-ets-eSignature-88", NID_id_smime_mod_ets_eSignature_88, 11, &so[1243]},
-    {"id-smime-mod-ets-eSignature-97", "id-smime-mod-ets-eSignature-97", NID_id_smime_mod_ets_eSignature_97, 11, &so[1254]},
-    {"id-smime-mod-ets-eSigPolicy-88", "id-smime-mod-ets-eSigPolicy-88", NID_id_smime_mod_ets_eSigPolicy_88, 11, &so[1265]},
-    {"id-smime-mod-ets-eSigPolicy-97", "id-smime-mod-ets-eSigPolicy-97", NID_id_smime_mod_ets_eSigPolicy_97, 11, &so[1276]},
-    {"id-smime-ct-receipt", "id-smime-ct-receipt", NID_id_smime_ct_receipt, 11, &so[1287]},
-    {"id-smime-ct-authData", "id-smime-ct-authData", NID_id_smime_ct_authData, 11, &so[1298]},
-    {"id-smime-ct-publishCert", "id-smime-ct-publishCert", NID_id_smime_ct_publishCert, 11, &so[1309]},
-    {"id-smime-ct-TSTInfo", "id-smime-ct-TSTInfo", NID_id_smime_ct_TSTInfo, 11, &so[1320]},
-    {"id-smime-ct-TDTInfo", "id-smime-ct-TDTInfo", NID_id_smime_ct_TDTInfo, 11, &so[1331]},
-    {"id-smime-ct-contentInfo", "id-smime-ct-contentInfo", NID_id_smime_ct_contentInfo, 11, &so[1342]},
-    {"id-smime-ct-DVCSRequestData", "id-smime-ct-DVCSRequestData", NID_id_smime_ct_DVCSRequestData, 11, &so[1353]},
-    {"id-smime-ct-DVCSResponseData", "id-smime-ct-DVCSResponseData", NID_id_smime_ct_DVCSResponseData, 11, &so[1364]},
-    {"id-smime-aa-receiptRequest", "id-smime-aa-receiptRequest", NID_id_smime_aa_receiptRequest, 11, &so[1375]},
-    {"id-smime-aa-securityLabel", "id-smime-aa-securityLabel", NID_id_smime_aa_securityLabel, 11, &so[1386]},
-    {"id-smime-aa-mlExpandHistory", "id-smime-aa-mlExpandHistory", NID_id_smime_aa_mlExpandHistory, 11, &so[1397]},
-    {"id-smime-aa-contentHint", "id-smime-aa-contentHint", NID_id_smime_aa_contentHint, 11, &so[1408]},
-    {"id-smime-aa-msgSigDigest", "id-smime-aa-msgSigDigest", NID_id_smime_aa_msgSigDigest, 11, &so[1419]},
-    {"id-smime-aa-encapContentType", "id-smime-aa-encapContentType", NID_id_smime_aa_encapContentType, 11, &so[1430]},
-    {"id-smime-aa-contentIdentifier", "id-smime-aa-contentIdentifier", NID_id_smime_aa_contentIdentifier, 11, &so[1441]},
-    {"id-smime-aa-macValue", "id-smime-aa-macValue", NID_id_smime_aa_macValue, 11, &so[1452]},
-    {"id-smime-aa-equivalentLabels", "id-smime-aa-equivalentLabels", NID_id_smime_aa_equivalentLabels, 11, &so[1463]},
-    {"id-smime-aa-contentReference", "id-smime-aa-contentReference", NID_id_smime_aa_contentReference, 11, &so[1474]},
-    {"id-smime-aa-encrypKeyPref", "id-smime-aa-encrypKeyPref", NID_id_smime_aa_encrypKeyPref, 11, &so[1485]},
-    {"id-smime-aa-signingCertificate", "id-smime-aa-signingCertificate", NID_id_smime_aa_signingCertificate, 11, &so[1496]},
-    {"id-smime-aa-smimeEncryptCerts", "id-smime-aa-smimeEncryptCerts", NID_id_smime_aa_smimeEncryptCerts, 11, &so[1507]},
-    {"id-smime-aa-timeStampToken", "id-smime-aa-timeStampToken", NID_id_smime_aa_timeStampToken, 11, &so[1518]},
-    {"id-smime-aa-ets-sigPolicyId", "id-smime-aa-ets-sigPolicyId", NID_id_smime_aa_ets_sigPolicyId, 11, &so[1529]},
-    {"id-smime-aa-ets-commitmentType", "id-smime-aa-ets-commitmentType", NID_id_smime_aa_ets_commitmentType, 11, &so[1540]},
-    {"id-smime-aa-ets-signerLocation", "id-smime-aa-ets-signerLocation", NID_id_smime_aa_ets_signerLocation, 11, &so[1551]},
-    {"id-smime-aa-ets-signerAttr", "id-smime-aa-ets-signerAttr", NID_id_smime_aa_ets_signerAttr, 11, &so[1562]},
-    {"id-smime-aa-ets-otherSigCert", "id-smime-aa-ets-otherSigCert", NID_id_smime_aa_ets_otherSigCert, 11, &so[1573]},
-    {"id-smime-aa-ets-contentTimestamp", "id-smime-aa-ets-contentTimestamp", NID_id_smime_aa_ets_contentTimestamp, 11, &so[1584]},
-    {"id-smime-aa-ets-CertificateRefs", "id-smime-aa-ets-CertificateRefs", NID_id_smime_aa_ets_CertificateRefs, 11, &so[1595]},
-    {"id-smime-aa-ets-RevocationRefs", "id-smime-aa-ets-RevocationRefs", NID_id_smime_aa_ets_RevocationRefs, 11, &so[1606]},
-    {"id-smime-aa-ets-certValues", "id-smime-aa-ets-certValues", NID_id_smime_aa_ets_certValues, 11, &so[1617]},
-    {"id-smime-aa-ets-revocationValues", "id-smime-aa-ets-revocationValues", NID_id_smime_aa_ets_revocationValues, 11, &so[1628]},
-    {"id-smime-aa-ets-escTimeStamp", "id-smime-aa-ets-escTimeStamp", NID_id_smime_aa_ets_escTimeStamp, 11, &so[1639]},
-    {"id-smime-aa-ets-certCRLTimestamp", "id-smime-aa-ets-certCRLTimestamp", NID_id_smime_aa_ets_certCRLTimestamp, 11, &so[1650]},
-    {"id-smime-aa-ets-archiveTimeStamp", "id-smime-aa-ets-archiveTimeStamp", NID_id_smime_aa_ets_archiveTimeStamp, 11, &so[1661]},
-    {"id-smime-aa-signatureType", "id-smime-aa-signatureType", NID_id_smime_aa_signatureType, 11, &so[1672]},
-    {"id-smime-aa-dvcs-dvc", "id-smime-aa-dvcs-dvc", NID_id_smime_aa_dvcs_dvc, 11, &so[1683]},
-    {"id-smime-alg-ESDHwith3DES", "id-smime-alg-ESDHwith3DES", NID_id_smime_alg_ESDHwith3DES, 11, &so[1694]},
-    {"id-smime-alg-ESDHwithRC2", "id-smime-alg-ESDHwithRC2", NID_id_smime_alg_ESDHwithRC2, 11, &so[1705]},
-    {"id-smime-alg-3DESwrap", "id-smime-alg-3DESwrap", NID_id_smime_alg_3DESwrap, 11, &so[1716]},
-    {"id-smime-alg-RC2wrap", "id-smime-alg-RC2wrap", NID_id_smime_alg_RC2wrap, 11, &so[1727]},
-    {"id-smime-alg-ESDH", "id-smime-alg-ESDH", NID_id_smime_alg_ESDH, 11, &so[1738]},
-    {"id-smime-alg-CMS3DESwrap", "id-smime-alg-CMS3DESwrap", NID_id_smime_alg_CMS3DESwrap, 11, &so[1749]},
-    {"id-smime-alg-CMSRC2wrap", "id-smime-alg-CMSRC2wrap", NID_id_smime_alg_CMSRC2wrap, 11, &so[1760]},
-    {"id-smime-cd-ldap", "id-smime-cd-ldap", NID_id_smime_cd_ldap, 11, &so[1771]},
-    {"id-smime-spq-ets-sqt-uri", "id-smime-spq-ets-sqt-uri", NID_id_smime_spq_ets_sqt_uri, 11, &so[1782]},
-    {"id-smime-spq-ets-sqt-unotice", "id-smime-spq-ets-sqt-unotice", NID_id_smime_spq_ets_sqt_unotice, 11, &so[1793]},
-    {"id-smime-cti-ets-proofOfOrigin", "id-smime-cti-ets-proofOfOrigin", NID_id_smime_cti_ets_proofOfOrigin, 11, &so[1804]},
-    {"id-smime-cti-ets-proofOfReceipt", "id-smime-cti-ets-proofOfReceipt", NID_id_smime_cti_ets_proofOfReceipt, 11, &so[1815]},
-    {"id-smime-cti-ets-proofOfDelivery", "id-smime-cti-ets-proofOfDelivery", NID_id_smime_cti_ets_proofOfDelivery, 11, &so[1826]},
-    {"id-smime-cti-ets-proofOfSender", "id-smime-cti-ets-proofOfSender", NID_id_smime_cti_ets_proofOfSender, 11, &so[1837]},
-    {"id-smime-cti-ets-proofOfApproval", "id-smime-cti-ets-proofOfApproval", NID_id_smime_cti_ets_proofOfApproval, 11, &so[1848]},
-    {"id-smime-cti-ets-proofOfCreation", "id-smime-cti-ets-proofOfCreation", NID_id_smime_cti_ets_proofOfCreation, 11, &so[1859]},
-    {"MD4", "md4", NID_md4, 8, &so[1870]},
-    {"id-pkix-mod", "id-pkix-mod", NID_id_pkix_mod, 7, &so[1878]},
-    {"id-qt", "id-qt", NID_id_qt, 7, &so[1885]},
-    {"id-it", "id-it", NID_id_it, 7, &so[1892]},
-    {"id-pkip", "id-pkip", NID_id_pkip, 7, &so[1899]},
-    {"id-alg", "id-alg", NID_id_alg, 7, &so[1906]},
-    {"id-cmc", "id-cmc", NID_id_cmc, 7, &so[1913]},
-    {"id-on", "id-on", NID_id_on, 7, &so[1920]},
-    {"id-pda", "id-pda", NID_id_pda, 7, &so[1927]},
-    {"id-aca", "id-aca", NID_id_aca, 7, &so[1934]},
-    {"id-qcs", "id-qcs", NID_id_qcs, 7, &so[1941]},
-    {"id-cct", "id-cct", NID_id_cct, 7, &so[1948]},
-    {"id-pkix1-explicit-88", "id-pkix1-explicit-88", NID_id_pkix1_explicit_88, 8, &so[1955]},
-    {"id-pkix1-implicit-88", "id-pkix1-implicit-88", NID_id_pkix1_implicit_88, 8, &so[1963]},
-    {"id-pkix1-explicit-93", "id-pkix1-explicit-93", NID_id_pkix1_explicit_93, 8, &so[1971]},
-    {"id-pkix1-implicit-93", "id-pkix1-implicit-93", NID_id_pkix1_implicit_93, 8, &so[1979]},
-    {"id-mod-crmf", "id-mod-crmf", NID_id_mod_crmf, 8, &so[1987]},
-    {"id-mod-cmc", "id-mod-cmc", NID_id_mod_cmc, 8, &so[1995]},
-    {"id-mod-kea-profile-88", "id-mod-kea-profile-88", NID_id_mod_kea_profile_88, 8, &so[2003]},
-    {"id-mod-kea-profile-93", "id-mod-kea-profile-93", NID_id_mod_kea_profile_93, 8, &so[2011]},
-    {"id-mod-cmp", "id-mod-cmp", NID_id_mod_cmp, 8, &so[2019]},
-    {"id-mod-qualified-cert-88", "id-mod-qualified-cert-88", NID_id_mod_qualified_cert_88, 8, &so[2027]},
-    {"id-mod-qualified-cert-93", "id-mod-qualified-cert-93", NID_id_mod_qualified_cert_93, 8, &so[2035]},
-    {"id-mod-attribute-cert", "id-mod-attribute-cert", NID_id_mod_attribute_cert, 8, &so[2043]},
-    {"id-mod-timestamp-protocol", "id-mod-timestamp-protocol", NID_id_mod_timestamp_protocol, 8, &so[2051]},
-    {"id-mod-ocsp", "id-mod-ocsp", NID_id_mod_ocsp, 8, &so[2059]},
-    {"id-mod-dvcs", "id-mod-dvcs", NID_id_mod_dvcs, 8, &so[2067]},
-    {"id-mod-cmp2000", "id-mod-cmp2000", NID_id_mod_cmp2000, 8, &so[2075]},
-    {"biometricInfo", "Biometric Info", NID_biometricInfo, 8, &so[2083]},
-    {"qcStatements", "qcStatements", NID_qcStatements, 8, &so[2091]},
-    {"ac-auditEntity", "ac-auditEntity", NID_ac_auditEntity, 8, &so[2099]},
-    {"ac-targeting", "ac-targeting", NID_ac_targeting, 8, &so[2107]},
-    {"aaControls", "aaControls", NID_aaControls, 8, &so[2115]},
-    {"sbgp-ipAddrBlock", "sbgp-ipAddrBlock", NID_sbgp_ipAddrBlock, 8, &so[2123]},
-    {"sbgp-autonomousSysNum", "sbgp-autonomousSysNum", NID_sbgp_autonomousSysNum, 8, &so[2131]},
-    {"sbgp-routerIdentifier", "sbgp-routerIdentifier", NID_sbgp_routerIdentifier, 8, &so[2139]},
-    {"textNotice", "textNotice", NID_textNotice, 8, &so[2147]},
-    {"ipsecEndSystem", "IPSec End System", NID_ipsecEndSystem, 8, &so[2155]},
-    {"ipsecTunnel", "IPSec Tunnel", NID_ipsecTunnel, 8, &so[2163]},
-    {"ipsecUser", "IPSec User", NID_ipsecUser, 8, &so[2171]},
-    {"DVCS", "dvcs", NID_dvcs, 8, &so[2179]},
-    {"id-it-caProtEncCert", "id-it-caProtEncCert", NID_id_it_caProtEncCert, 8, &so[2187]},
-    {"id-it-signKeyPairTypes", "id-it-signKeyPairTypes", NID_id_it_signKeyPairTypes, 8, &so[2195]},
-    {"id-it-encKeyPairTypes", "id-it-encKeyPairTypes", NID_id_it_encKeyPairTypes, 8, &so[2203]},
-    {"id-it-preferredSymmAlg", "id-it-preferredSymmAlg", NID_id_it_preferredSymmAlg, 8, &so[2211]},
-    {"id-it-caKeyUpdateInfo", "id-it-caKeyUpdateInfo", NID_id_it_caKeyUpdateInfo, 8, &so[2219]},
-    {"id-it-currentCRL", "id-it-currentCRL", NID_id_it_currentCRL, 8, &so[2227]},
-    {"id-it-unsupportedOIDs", "id-it-unsupportedOIDs", NID_id_it_unsupportedOIDs, 8, &so[2235]},
-    {"id-it-subscriptionRequest", "id-it-subscriptionRequest", NID_id_it_subscriptionRequest, 8, &so[2243]},
-    {"id-it-subscriptionResponse", "id-it-subscriptionResponse", NID_id_it_subscriptionResponse, 8, &so[2251]},
-    {"id-it-keyPairParamReq", "id-it-keyPairParamReq", NID_id_it_keyPairParamReq, 8, &so[2259]},
-    {"id-it-keyPairParamRep", "id-it-keyPairParamRep", NID_id_it_keyPairParamRep, 8, &so[2267]},
-    {"id-it-revPassphrase", "id-it-revPassphrase", NID_id_it_revPassphrase, 8, &so[2275]},
-    {"id-it-implicitConfirm", "id-it-implicitConfirm", NID_id_it_implicitConfirm, 8, &so[2283]},
-    {"id-it-confirmWaitTime", "id-it-confirmWaitTime", NID_id_it_confirmWaitTime, 8, &so[2291]},
-    {"id-it-origPKIMessage", "id-it-origPKIMessage", NID_id_it_origPKIMessage, 8, &so[2299]},
-    {"id-regCtrl", "id-regCtrl", NID_id_regCtrl, 8, &so[2307]},
-    {"id-regInfo", "id-regInfo", NID_id_regInfo, 8, &so[2315]},
-    {"id-regCtrl-regToken", "id-regCtrl-regToken", NID_id_regCtrl_regToken, 9, &so[2323]},
-    {"id-regCtrl-authenticator", "id-regCtrl-authenticator", NID_id_regCtrl_authenticator, 9, &so[2332]},
-    {"id-regCtrl-pkiPublicationInfo", "id-regCtrl-pkiPublicationInfo", NID_id_regCtrl_pkiPublicationInfo, 9, &so[2341]},
-    {"id-regCtrl-pkiArchiveOptions", "id-regCtrl-pkiArchiveOptions", NID_id_regCtrl_pkiArchiveOptions, 9, &so[2350]},
-    {"id-regCtrl-oldCertID", "id-regCtrl-oldCertID", NID_id_regCtrl_oldCertID, 9, &so[2359]},
-    {"id-regCtrl-protocolEncrKey", "id-regCtrl-protocolEncrKey", NID_id_regCtrl_protocolEncrKey, 9, &so[2368]},
-    {"id-regInfo-utf8Pairs", "id-regInfo-utf8Pairs", NID_id_regInfo_utf8Pairs, 9, &so[2377]},
-    {"id-regInfo-certReq", "id-regInfo-certReq", NID_id_regInfo_certReq, 9, &so[2386]},
-    {"id-alg-des40", "id-alg-des40", NID_id_alg_des40, 8, &so[2395]},
-    {"id-alg-noSignature", "id-alg-noSignature", NID_id_alg_noSignature, 8, &so[2403]},
-    {"id-alg-dh-sig-hmac-sha1", "id-alg-dh-sig-hmac-sha1", NID_id_alg_dh_sig_hmac_sha1, 8, &so[2411]},
-    {"id-alg-dh-pop", "id-alg-dh-pop", NID_id_alg_dh_pop, 8, &so[2419]},
-    {"id-cmc-statusInfo", "id-cmc-statusInfo", NID_id_cmc_statusInfo, 8, &so[2427]},
-    {"id-cmc-identification", "id-cmc-identification", NID_id_cmc_identification, 8, &so[2435]},
-    {"id-cmc-identityProof", "id-cmc-identityProof", NID_id_cmc_identityProof, 8, &so[2443]},
-    {"id-cmc-dataReturn", "id-cmc-dataReturn", NID_id_cmc_dataReturn, 8, &so[2451]},
-    {"id-cmc-transactionId", "id-cmc-transactionId", NID_id_cmc_transactionId, 8, &so[2459]},
-    {"id-cmc-senderNonce", "id-cmc-senderNonce", NID_id_cmc_senderNonce, 8, &so[2467]},
-    {"id-cmc-recipientNonce", "id-cmc-recipientNonce", NID_id_cmc_recipientNonce, 8, &so[2475]},
-    {"id-cmc-addExtensions", "id-cmc-addExtensions", NID_id_cmc_addExtensions, 8, &so[2483]},
-    {"id-cmc-encryptedPOP", "id-cmc-encryptedPOP", NID_id_cmc_encryptedPOP, 8, &so[2491]},
-    {"id-cmc-decryptedPOP", "id-cmc-decryptedPOP", NID_id_cmc_decryptedPOP, 8, &so[2499]},
-    {"id-cmc-lraPOPWitness", "id-cmc-lraPOPWitness", NID_id_cmc_lraPOPWitness, 8, &so[2507]},
-    {"id-cmc-getCert", "id-cmc-getCert", NID_id_cmc_getCert, 8, &so[2515]},
-    {"id-cmc-getCRL", "id-cmc-getCRL", NID_id_cmc_getCRL, 8, &so[2523]},
-    {"id-cmc-revokeRequest", "id-cmc-revokeRequest", NID_id_cmc_revokeRequest, 8, &so[2531]},
-    {"id-cmc-regInfo", "id-cmc-regInfo", NID_id_cmc_regInfo, 8, &so[2539]},
-    {"id-cmc-responseInfo", "id-cmc-responseInfo", NID_id_cmc_responseInfo, 8, &so[2547]},
-    {"id-cmc-queryPending", "id-cmc-queryPending", NID_id_cmc_queryPending, 8, &so[2555]},
-    {"id-cmc-popLinkRandom", "id-cmc-popLinkRandom", NID_id_cmc_popLinkRandom, 8, &so[2563]},
-    {"id-cmc-popLinkWitness", "id-cmc-popLinkWitness", NID_id_cmc_popLinkWitness, 8, &so[2571]},
-    {"id-cmc-confirmCertAcceptance", "id-cmc-confirmCertAcceptance", NID_id_cmc_confirmCertAcceptance, 8, &so[2579]},
-    {"id-on-personalData", "id-on-personalData", NID_id_on_personalData, 8, &so[2587]},
-    {"id-pda-dateOfBirth", "id-pda-dateOfBirth", NID_id_pda_dateOfBirth, 8, &so[2595]},
-    {"id-pda-placeOfBirth", "id-pda-placeOfBirth", NID_id_pda_placeOfBirth, 8, &so[2603]},
-    { NULL, NULL, NID_undef },
-    {"id-pda-gender", "id-pda-gender", NID_id_pda_gender, 8, &so[2611]},
-    {"id-pda-countryOfCitizenship", "id-pda-countryOfCitizenship", NID_id_pda_countryOfCitizenship, 8, &so[2619]},
-    {"id-pda-countryOfResidence", "id-pda-countryOfResidence", NID_id_pda_countryOfResidence, 8, &so[2627]},
-    {"id-aca-authenticationInfo", "id-aca-authenticationInfo", NID_id_aca_authenticationInfo, 8, &so[2635]},
-    {"id-aca-accessIdentity", "id-aca-accessIdentity", NID_id_aca_accessIdentity, 8, &so[2643]},
-    {"id-aca-chargingIdentity", "id-aca-chargingIdentity", NID_id_aca_chargingIdentity, 8, &so[2651]},
-    {"id-aca-group", "id-aca-group", NID_id_aca_group, 8, &so[2659]},
-    {"id-aca-role", "id-aca-role", NID_id_aca_role, 8, &so[2667]},
-    {"id-qcs-pkixQCSyntax-v1", "id-qcs-pkixQCSyntax-v1", NID_id_qcs_pkixQCSyntax_v1, 8, &so[2675]},
-    {"id-cct-crs", "id-cct-crs", NID_id_cct_crs, 8, &so[2683]},
-    {"id-cct-PKIData", "id-cct-PKIData", NID_id_cct_PKIData, 8, &so[2691]},
-    {"id-cct-PKIResponse", "id-cct-PKIResponse", NID_id_cct_PKIResponse, 8, &so[2699]},
-    {"ad_timestamping", "AD Time Stamping", NID_ad_timeStamping, 8, &so[2707]},
-    {"AD_DVCS", "ad dvcs", NID_ad_dvcs, 8, &so[2715]},
-    {"basicOCSPResponse", "Basic OCSP Response", NID_id_pkix_OCSP_basic, 9, &so[2723]},
-    {"Nonce", "OCSP Nonce", NID_id_pkix_OCSP_Nonce, 9, &so[2732]},
-    {"CrlID", "OCSP CRL ID", NID_id_pkix_OCSP_CrlID, 9, &so[2741]},
-    {"acceptableResponses", "Acceptable OCSP Responses", NID_id_pkix_OCSP_acceptableResponses, 9, &so[2750]},
-    {"noCheck", "OCSP No Check", NID_id_pkix_OCSP_noCheck, 9, &so[2759]},
-    {"archiveCutoff", "OCSP Archive Cutoff", NID_id_pkix_OCSP_archiveCutoff, 9, &so[2768]},
-    {"serviceLocator", "OCSP Service Locator", NID_id_pkix_OCSP_serviceLocator, 9, &so[2777]},
-    {"extendedStatus", "Extended OCSP Status", NID_id_pkix_OCSP_extendedStatus, 9, &so[2786]},
-    {"valid", "valid", NID_id_pkix_OCSP_valid, 9, &so[2795]},
-    {"path", "path", NID_id_pkix_OCSP_path, 9, &so[2804]},
-    {"trustRoot", "Trust Root", NID_id_pkix_OCSP_trustRoot, 9, &so[2813]},
-    {"algorithm", "algorithm", NID_algorithm, 4, &so[2822]},
-    {"rsaSignature", "rsaSignature", NID_rsaSignature, 5, &so[2826]},
-    {"X500algorithms", "directory services - algorithms", NID_X500algorithms, 2, &so[2831]},
-    {"ORG", "org", NID_org, 1, &so[2833]},
-    {"DOD", "dod", NID_dod, 2, &so[2834]},
-    {"IANA", "iana", NID_iana, 3, &so[2836]},
-    {"directory", "Directory", NID_Directory, 4, &so[2839]},
-    {"mgmt", "Management", NID_Management, 4, &so[2843]},
-    {"experimental", "Experimental", NID_Experimental, 4, &so[2847]},
-    {"private", "Private", NID_Private, 4, &so[2851]},
-    {"security", "Security", NID_Security, 4, &so[2855]},
-    {"snmpv2", "SNMPv2", NID_SNMPv2, 4, &so[2859]},
-    {"Mail", "Mail", NID_Mail, 4, &so[2863]},
-    {"enterprises", "Enterprises", NID_Enterprises, 5, &so[2867]},
-    {"dcobject", "dcObject", NID_dcObject, 9, &so[2872]},
-    {"DC", "domainComponent", NID_domainComponent, 10, &so[2881]},
-    {"domain", "Domain", NID_Domain, 10, &so[2891]},
-    {"NULL", "NULL", NID_joint_iso_ccitt},
-    {"selected-attribute-types", "Selected Attribute Types", NID_selected_attribute_types, 3, &so[2901]},
-    {"clearance", "clearance", NID_clearance, 4, &so[2904]},
-    {"RSA-MD4", "md4WithRSAEncryption", NID_md4WithRSAEncryption, 9, &so[2908]},
-    {"ac-proxying", "ac-proxying", NID_ac_proxying, 8, &so[2917]},
-    {"subjectInfoAccess", "Subject Information Access", NID_sinfo_access, 8, &so[2925]},
-    {"id-aca-encAttrs", "id-aca-encAttrs", NID_id_aca_encAttrs, 8, &so[2933]},
-    {"role", "role", NID_role, 3, &so[2941]},
-    {"policyConstraints", "X509v3 Policy Constraints", NID_policy_constraints, 3, &so[2944]},
-    {"targetInformation", "X509v3 AC Targeting", NID_target_information, 3, &so[2947]},
-    {"noRevAvail", "X509v3 No Revocation Available", NID_no_rev_avail, 3, &so[2950]},
-    {"NULL", "NULL", NID_ccitt},
-    {"ansi-X9-62", "ANSI X9.62", NID_ansi_X9_62, 5, &so[2953]},
-    {"prime-field", "prime-field", NID_X9_62_prime_field, 7, &so[2958]},
-    {"characteristic-two-field", "characteristic-two-field", NID_X9_62_characteristic_two_field, 7, &so[2965]},
-    {"id-ecPublicKey", "id-ecPublicKey", NID_X9_62_id_ecPublicKey, 7, &so[2972]},
-    {"prime192v1", "prime192v1", NID_X9_62_prime192v1, 8, &so[2979]},
-    {"prime192v2", "prime192v2", NID_X9_62_prime192v2, 8, &so[2987]},
-    {"prime192v3", "prime192v3", NID_X9_62_prime192v3, 8, &so[2995]},
-    {"prime239v1", "prime239v1", NID_X9_62_prime239v1, 8, &so[3003]},
-    {"prime239v2", "prime239v2", NID_X9_62_prime239v2, 8, &so[3011]},
-    {"prime239v3", "prime239v3", NID_X9_62_prime239v3, 8, &so[3019]},
-    {"prime256v1", "prime256v1", NID_X9_62_prime256v1, 8, &so[3027]},
-    {"ecdsa-with-SHA1", "ecdsa-with-SHA1", NID_ecdsa_with_SHA1, 7, &so[3035]},
-    {"CSPName", "Microsoft CSP Name", NID_ms_csp_name, 9, &so[3042]},
-    {"AES-128-ECB", "aes-128-ecb", NID_aes_128_ecb, 9, &so[3051]},
-    {"AES-128-CBC", "aes-128-cbc", NID_aes_128_cbc, 9, &so[3060]},
-    {"AES-128-OFB", "aes-128-ofb", NID_aes_128_ofb128, 9, &so[3069]},
-    {"AES-128-CFB", "aes-128-cfb", NID_aes_128_cfb128, 9, &so[3078]},
-    {"AES-192-ECB", "aes-192-ecb", NID_aes_192_ecb, 9, &so[3087]},
-    {"AES-192-CBC", "aes-192-cbc", NID_aes_192_cbc, 9, &so[3096]},
-    {"AES-192-OFB", "aes-192-ofb", NID_aes_192_ofb128, 9, &so[3105]},
-    {"AES-192-CFB", "aes-192-cfb", NID_aes_192_cfb128, 9, &so[3114]},
-    {"AES-256-ECB", "aes-256-ecb", NID_aes_256_ecb, 9, &so[3123]},
-    {"AES-256-CBC", "aes-256-cbc", NID_aes_256_cbc, 9, &so[3132]},
-    {"AES-256-OFB", "aes-256-ofb", NID_aes_256_ofb128, 9, &so[3141]},
-    {"AES-256-CFB", "aes-256-cfb", NID_aes_256_cfb128, 9, &so[3150]},
-    {"holdInstructionCode", "Hold Instruction Code", NID_hold_instruction_code, 3, &so[3159]},
-    {"holdInstructionNone", "Hold Instruction None", NID_hold_instruction_none, 7, &so[3162]},
-    {"holdInstructionCallIssuer", "Hold Instruction Call Issuer", NID_hold_instruction_call_issuer, 7, &so[3169]},
-    {"holdInstructionReject", "Hold Instruction Reject", NID_hold_instruction_reject, 7, &so[3176]},
-    {"data", "data", NID_data, 1, &so[3183]},
-    {"pss", "pss", NID_pss, 3, &so[3184]},
-    {"ucl", "ucl", NID_ucl, 7, &so[3187]},
-    {"pilot", "pilot", NID_pilot, 8, &so[3194]},
-    {"pilotAttributeType", "pilotAttributeType", NID_pilotAttributeType, 9, &so[3202]},
-    {"pilotAttributeSyntax", "pilotAttributeSyntax", NID_pilotAttributeSyntax, 9, &so[3211]},
-    {"pilotObjectClass", "pilotObjectClass", NID_pilotObjectClass, 9, &so[3220]},
-    {"pilotGroups", "pilotGroups", NID_pilotGroups, 9, &so[3229]},
-    {"iA5StringSyntax", "iA5StringSyntax", NID_iA5StringSyntax, 10, &so[3238]},
-    {"caseIgnoreIA5StringSyntax", "caseIgnoreIA5StringSyntax", NID_caseIgnoreIA5StringSyntax, 10, &so[3248]},
-    {"pilotObject", "pilotObject", NID_pilotObject, 10, &so[3258]},
-    {"pilotPerson", "pilotPerson", NID_pilotPerson, 10, &so[3268]},
-    {"account", "account", NID_account, 10, &so[3278]},
-    {"document", "document", NID_document, 10, &so[3288]},
-    {"room", "room", NID_room, 10, &so[3298]},
-    {"documentSeries", "documentSeries", NID_documentSeries, 10, &so[3308]},
-    {"rFC822localPart", "rFC822localPart", NID_rFC822localPart, 10, &so[3318]},
-    {"dNSDomain", "dNSDomain", NID_dNSDomain, 10, &so[3328]},
-    {"domainRelatedObject", "domainRelatedObject", NID_domainRelatedObject, 10, &so[3338]},
-    {"friendlyCountry", "friendlyCountry", NID_friendlyCountry, 10, &so[3348]},
-    {"simpleSecurityObject", "simpleSecurityObject", NID_simpleSecurityObject, 10, &so[3358]},
-    {"pilotOrganization", "pilotOrganization", NID_pilotOrganization, 10, &so[3368]},
-    {"pilotDSA", "pilotDSA", NID_pilotDSA, 10, &so[3378]},
-    {"qualityLabelledData", "qualityLabelledData", NID_qualityLabelledData, 10, &so[3388]},
-    {"UID", "userId", NID_userId, 10, &so[3398]},
-    {"textEncodedORAddress", "textEncodedORAddress", NID_textEncodedORAddress, 10, &so[3408]},
-    {"mail", "rfc822Mailbox", NID_rfc822Mailbox, 10, &so[3418]},
-    {"info", "info", NID_info, 10, &so[3428]},
-    {"favouriteDrink", "favouriteDrink", NID_favouriteDrink, 10, &so[3438]},
-    {"roomNumber", "roomNumber", NID_roomNumber, 10, &so[3448]},
-    {"photo", "photo", NID_photo, 10, &so[3458]},
-    {"userClass", "userClass", NID_userClass, 10, &so[3468]},
-    {"host", "host", NID_host, 10, &so[3478]},
-    {"manager", "manager", NID_manager, 10, &so[3488]},
-    {"documentIdentifier", "documentIdentifier", NID_documentIdentifier, 10, &so[3498]},
-    {"documentTitle", "documentTitle", NID_documentTitle, 10, &so[3508]},
-    {"documentVersion", "documentVersion", NID_documentVersion, 10, &so[3518]},
-    {"documentAuthor", "documentAuthor", NID_documentAuthor, 10, &so[3528]},
-    {"documentLocation", "documentLocation", NID_documentLocation, 10, &so[3538]},
-    {"homeTelephoneNumber", "homeTelephoneNumber", NID_homeTelephoneNumber, 10, &so[3548]},
-    {"secretary", "secretary", NID_secretary, 10, &so[3558]},
-    {"otherMailbox", "otherMailbox", NID_otherMailbox, 10, &so[3568]},
-    {"lastModifiedTime", "lastModifiedTime", NID_lastModifiedTime, 10, &so[3578]},
-    {"lastModifiedBy", "lastModifiedBy", NID_lastModifiedBy, 10, &so[3588]},
-    {"aRecord", "aRecord", NID_aRecord, 10, &so[3598]},
-    {"pilotAttributeType27", "pilotAttributeType27", NID_pilotAttributeType27, 10, &so[3608]},
-    {"mXRecord", "mXRecord", NID_mXRecord, 10, &so[3618]},
-    {"nSRecord", "nSRecord", NID_nSRecord, 10, &so[3628]},
-    {"sOARecord", "sOARecord", NID_sOARecord, 10, &so[3638]},
-    {"cNAMERecord", "cNAMERecord", NID_cNAMERecord, 10, &so[3648]},
-    {"associatedDomain", "associatedDomain", NID_associatedDomain, 10, &so[3658]},
-    {"associatedName", "associatedName", NID_associatedName, 10, &so[3668]},
-    {"homePostalAddress", "homePostalAddress", NID_homePostalAddress, 10, &so[3678]},
-    {"personalTitle", "personalTitle", NID_personalTitle, 10, &so[3688]},
-    {"mobileTelephoneNumber", "mobileTelephoneNumber", NID_mobileTelephoneNumber, 10, &so[3698]},
-    {"pagerTelephoneNumber", "pagerTelephoneNumber", NID_pagerTelephoneNumber, 10, &so[3708]},
-    {"friendlyCountryName", "friendlyCountryName", NID_friendlyCountryName, 10, &so[3718]},
-    {"organizationalStatus", "organizationalStatus", NID_organizationalStatus, 10, &so[3728]},
-    {"janetMailbox", "janetMailbox", NID_janetMailbox, 10, &so[3738]},
-    {"mailPreferenceOption", "mailPreferenceOption", NID_mailPreferenceOption, 10, &so[3748]},
-    {"buildingName", "buildingName", NID_buildingName, 10, &so[3758]},
-    {"dSAQuality", "dSAQuality", NID_dSAQuality, 10, &so[3768]},
-    {"singleLevelQuality", "singleLevelQuality", NID_singleLevelQuality, 10, &so[3778]},
-    {"subtreeMinimumQuality", "subtreeMinimumQuality", NID_subtreeMinimumQuality, 10, &so[3788]},
-    {"subtreeMaximumQuality", "subtreeMaximumQuality", NID_subtreeMaximumQuality, 10, &so[3798]},
-    {"personalSignature", "personalSignature", NID_personalSignature, 10, &so[3808]},
-    {"dITRedirect", "dITRedirect", NID_dITRedirect, 10, &so[3818]},
-    {"audio", "audio", NID_audio, 10, &so[3828]},
-    {"documentPublisher", "documentPublisher", NID_documentPublisher, 10, &so[3838]},
-    {"x500UniqueIdentifier", "x500UniqueIdentifier", NID_x500UniqueIdentifier, 3, &so[3848]},
-    {"mime-mhs", "MIME MHS", NID_mime_mhs, 5, &so[3851]},
-    {"mime-mhs-headings", "mime-mhs-headings", NID_mime_mhs_headings, 6, &so[3856]},
-    {"mime-mhs-bodies", "mime-mhs-bodies", NID_mime_mhs_bodies, 6, &so[3862]},
-    {"id-hex-partial-message", "id-hex-partial-message", NID_id_hex_partial_message, 7, &so[3868]},
-    {"id-hex-multipart-message", "id-hex-multipart-message", NID_id_hex_multipart_message, 7, &so[3875]},
-    {"generationQualifier", "generationQualifier", NID_generationQualifier, 3, &so[3882]},
-    {"pseudonym", "pseudonym", NID_pseudonym, 3, &so[3885]},
-    { NULL, NULL, NID_undef },
-    {"id-set", "Secure Electronic Transactions", NID_id_set, 2, &so[3888]},
-    {"set-ctype", "content types", NID_set_ctype, 3, &so[3890]},
-    {"set-msgExt", "message extensions", NID_set_msgExt, 3, &so[3893]},
-    {"set-attr", "set-attr", NID_set_attr, 3, &so[3896]},
-    {"set-policy", "set-policy", NID_set_policy, 3, &so[3899]},
-    {"set-certExt", "certificate extensions", NID_set_certExt, 3, &so[3902]},
-    {"set-brand", "set-brand", NID_set_brand, 3, &so[3905]},
-    {"setct-PANData", "setct-PANData", NID_setct_PANData, 4, &so[3908]},
-    {"setct-PANToken", "setct-PANToken", NID_setct_PANToken, 4, &so[3912]},
-    {"setct-PANOnly", "setct-PANOnly", NID_setct_PANOnly, 4, &so[3916]},
-    {"setct-OIData", "setct-OIData", NID_setct_OIData, 4, &so[3920]},
-    {"setct-PI", "setct-PI", NID_setct_PI, 4, &so[3924]},
-    {"setct-PIData", "setct-PIData", NID_setct_PIData, 4, &so[3928]},
-    {"setct-PIDataUnsigned", "setct-PIDataUnsigned", NID_setct_PIDataUnsigned, 4, &so[3932]},
-    {"setct-HODInput", "setct-HODInput", NID_setct_HODInput, 4, &so[3936]},
-    {"setct-AuthResBaggage", "setct-AuthResBaggage", NID_setct_AuthResBaggage, 4, &so[3940]},
-    {"setct-AuthRevReqBaggage", "setct-AuthRevReqBaggage", NID_setct_AuthRevReqBaggage, 4, &so[3944]},
-    {"setct-AuthRevResBaggage", "setct-AuthRevResBaggage", NID_setct_AuthRevResBaggage, 4, &so[3948]},
-    {"setct-CapTokenSeq", "setct-CapTokenSeq", NID_setct_CapTokenSeq, 4, &so[3952]},
-    {"setct-PInitResData", "setct-PInitResData", NID_setct_PInitResData, 4, &so[3956]},
-    {"setct-PI-TBS", "setct-PI-TBS", NID_setct_PI_TBS, 4, &so[3960]},
-    {"setct-PResData", "setct-PResData", NID_setct_PResData, 4, &so[3964]},
-    {"setct-AuthReqTBS", "setct-AuthReqTBS", NID_setct_AuthReqTBS, 4, &so[3968]},
-    {"setct-AuthResTBS", "setct-AuthResTBS", NID_setct_AuthResTBS, 4, &so[3972]},
-    {"setct-AuthResTBSX", "setct-AuthResTBSX", NID_setct_AuthResTBSX, 4, &so[3976]},
-    {"setct-AuthTokenTBS", "setct-AuthTokenTBS", NID_setct_AuthTokenTBS, 4, &so[3980]},
-    {"setct-CapTokenData", "setct-CapTokenData", NID_setct_CapTokenData, 4, &so[3984]},
-    {"setct-CapTokenTBS", "setct-CapTokenTBS", NID_setct_CapTokenTBS, 4, &so[3988]},
-    {"setct-AcqCardCodeMsg", "setct-AcqCardCodeMsg", NID_setct_AcqCardCodeMsg, 4, &so[3992]},
-    {"setct-AuthRevReqTBS", "setct-AuthRevReqTBS", NID_setct_AuthRevReqTBS, 4, &so[3996]},
-    {"setct-AuthRevResData", "setct-AuthRevResData", NID_setct_AuthRevResData, 4, &so[4000]},
-    {"setct-AuthRevResTBS", "setct-AuthRevResTBS", NID_setct_AuthRevResTBS, 4, &so[4004]},
-    {"setct-CapReqTBS", "setct-CapReqTBS", NID_setct_CapReqTBS, 4, &so[4008]},
-    {"setct-CapReqTBSX", "setct-CapReqTBSX", NID_setct_CapReqTBSX, 4, &so[4012]},
-    {"setct-CapResData", "setct-CapResData", NID_setct_CapResData, 4, &so[4016]},
-    {"setct-CapRevReqTBS", "setct-CapRevReqTBS", NID_setct_CapRevReqTBS, 4, &so[4020]},
-    {"setct-CapRevReqTBSX", "setct-CapRevReqTBSX", NID_setct_CapRevReqTBSX, 4, &so[4024]},
-    {"setct-CapRevResData", "setct-CapRevResData", NID_setct_CapRevResData, 4, &so[4028]},
-    {"setct-CredReqTBS", "setct-CredReqTBS", NID_setct_CredReqTBS, 4, &so[4032]},
-    {"setct-CredReqTBSX", "setct-CredReqTBSX", NID_setct_CredReqTBSX, 4, &so[4036]},
-    {"setct-CredResData", "setct-CredResData", NID_setct_CredResData, 4, &so[4040]},
-    {"setct-CredRevReqTBS", "setct-CredRevReqTBS", NID_setct_CredRevReqTBS, 4, &so[4044]},
-    {"setct-CredRevReqTBSX", "setct-CredRevReqTBSX", NID_setct_CredRevReqTBSX, 4, &so[4048]},
-    {"setct-CredRevResData", "setct-CredRevResData", NID_setct_CredRevResData, 4, &so[4052]},
-    {"setct-PCertReqData", "setct-PCertReqData", NID_setct_PCertReqData, 4, &so[4056]},
-    {"setct-PCertResTBS", "setct-PCertResTBS", NID_setct_PCertResTBS, 4, &so[4060]},
-    {"setct-BatchAdminReqData", "setct-BatchAdminReqData", NID_setct_BatchAdminReqData, 4, &so[4064]},
-    {"setct-BatchAdminResData", "setct-BatchAdminResData", NID_setct_BatchAdminResData, 4, &so[4068]},
-    {"setct-CardCInitResTBS", "setct-CardCInitResTBS", NID_setct_CardCInitResTBS, 4, &so[4072]},
-    {"setct-MeAqCInitResTBS", "setct-MeAqCInitResTBS", NID_setct_MeAqCInitResTBS, 4, &so[4076]},
-    {"setct-RegFormResTBS", "setct-RegFormResTBS", NID_setct_RegFormResTBS, 4, &so[4080]},
-    {"setct-CertReqData", "setct-CertReqData", NID_setct_CertReqData, 4, &so[4084]},
-    {"setct-CertReqTBS", "setct-CertReqTBS", NID_setct_CertReqTBS, 4, &so[4088]},
-    {"setct-CertResData", "setct-CertResData", NID_setct_CertResData, 4, &so[4092]},
-    {"setct-CertInqReqTBS", "setct-CertInqReqTBS", NID_setct_CertInqReqTBS, 4, &so[4096]},
-    {"setct-ErrorTBS", "setct-ErrorTBS", NID_setct_ErrorTBS, 4, &so[4100]},
-    {"setct-PIDualSignedTBE", "setct-PIDualSignedTBE", NID_setct_PIDualSignedTBE, 4, &so[4104]},
-    {"setct-PIUnsignedTBE", "setct-PIUnsignedTBE", NID_setct_PIUnsignedTBE, 4, &so[4108]},
-    {"setct-AuthReqTBE", "setct-AuthReqTBE", NID_setct_AuthReqTBE, 4, &so[4112]},
-    {"setct-AuthResTBE", "setct-AuthResTBE", NID_setct_AuthResTBE, 4, &so[4116]},
-    {"setct-AuthResTBEX", "setct-AuthResTBEX", NID_setct_AuthResTBEX, 4, &so[4120]},
-    {"setct-AuthTokenTBE", "setct-AuthTokenTBE", NID_setct_AuthTokenTBE, 4, &so[4124]},
-    {"setct-CapTokenTBE", "setct-CapTokenTBE", NID_setct_CapTokenTBE, 4, &so[4128]},
-    {"setct-CapTokenTBEX", "setct-CapTokenTBEX", NID_setct_CapTokenTBEX, 4, &so[4132]},
-    {"setct-AcqCardCodeMsgTBE", "setct-AcqCardCodeMsgTBE", NID_setct_AcqCardCodeMsgTBE, 4, &so[4136]},
-    {"setct-AuthRevReqTBE", "setct-AuthRevReqTBE", NID_setct_AuthRevReqTBE, 4, &so[4140]},
-    {"setct-AuthRevResTBE", "setct-AuthRevResTBE", NID_setct_AuthRevResTBE, 4, &so[4144]},
-    {"setct-AuthRevResTBEB", "setct-AuthRevResTBEB", NID_setct_AuthRevResTBEB, 4, &so[4148]},
-    {"setct-CapReqTBE", "setct-CapReqTBE", NID_setct_CapReqTBE, 4, &so[4152]},
-    {"setct-CapReqTBEX", "setct-CapReqTBEX", NID_setct_CapReqTBEX, 4, &so[4156]},
-    {"setct-CapResTBE", "setct-CapResTBE", NID_setct_CapResTBE, 4, &so[4160]},
-    {"setct-CapRevReqTBE", "setct-CapRevReqTBE", NID_setct_CapRevReqTBE, 4, &so[4164]},
-    {"setct-CapRevReqTBEX", "setct-CapRevReqTBEX", NID_setct_CapRevReqTBEX, 4, &so[4168]},
-    {"setct-CapRevResTBE", "setct-CapRevResTBE", NID_setct_CapRevResTBE, 4, &so[4172]},
-    {"setct-CredReqTBE", "setct-CredReqTBE", NID_setct_CredReqTBE, 4, &so[4176]},
-    {"setct-CredReqTBEX", "setct-CredReqTBEX", NID_setct_CredReqTBEX, 4, &so[4180]},
-    {"setct-CredResTBE", "setct-CredResTBE", NID_setct_CredResTBE, 4, &so[4184]},
-    {"setct-CredRevReqTBE", "setct-CredRevReqTBE", NID_setct_CredRevReqTBE, 4, &so[4188]},
-    {"setct-CredRevReqTBEX", "setct-CredRevReqTBEX", NID_setct_CredRevReqTBEX, 4, &so[4192]},
-    {"setct-CredRevResTBE", "setct-CredRevResTBE", NID_setct_CredRevResTBE, 4, &so[4196]},
-    {"setct-BatchAdminReqTBE", "setct-BatchAdminReqTBE", NID_setct_BatchAdminReqTBE, 4, &so[4200]},
-    {"setct-BatchAdminResTBE", "setct-BatchAdminResTBE", NID_setct_BatchAdminResTBE, 4, &so[4204]},
-    {"setct-RegFormReqTBE", "setct-RegFormReqTBE", NID_setct_RegFormReqTBE, 4, &so[4208]},
-    {"setct-CertReqTBE", "setct-CertReqTBE", NID_setct_CertReqTBE, 4, &so[4212]},
-    {"setct-CertReqTBEX", "setct-CertReqTBEX", NID_setct_CertReqTBEX, 4, &so[4216]},
-    {"setct-CertResTBE", "setct-CertResTBE", NID_setct_CertResTBE, 4, &so[4220]},
-    {"setct-CRLNotificationTBS", "setct-CRLNotificationTBS", NID_setct_CRLNotificationTBS, 4, &so[4224]},
-    {"setct-CRLNotificationResTBS", "setct-CRLNotificationResTBS", NID_setct_CRLNotificationResTBS, 4, &so[4228]},
-    {"setct-BCIDistributionTBS", "setct-BCIDistributionTBS", NID_setct_BCIDistributionTBS, 4, &so[4232]},
-    {"setext-genCrypt", "generic cryptogram", NID_setext_genCrypt, 4, &so[4236]},
-    {"setext-miAuth", "merchant initiated auth", NID_setext_miAuth, 4, &so[4240]},
-    {"setext-pinSecure", "setext-pinSecure", NID_setext_pinSecure, 4, &so[4244]},
-    {"setext-pinAny", "setext-pinAny", NID_setext_pinAny, 4, &so[4248]},
-    {"setext-track2", "setext-track2", NID_setext_track2, 4, &so[4252]},
-    {"setext-cv", "additional verification", NID_setext_cv, 4, &so[4256]},
-    {"set-policy-root", "set-policy-root", NID_set_policy_root, 4, &so[4260]},
-    {"setCext-hashedRoot", "setCext-hashedRoot", NID_setCext_hashedRoot, 4, &so[4264]},
-    {"setCext-certType", "setCext-certType", NID_setCext_certType, 4, &so[4268]},
-    {"setCext-merchData", "setCext-merchData", NID_setCext_merchData, 4, &so[4272]},
-    {"setCext-cCertRequired", "setCext-cCertRequired", NID_setCext_cCertRequired, 4, &so[4276]},
-    {"setCext-tunneling", "setCext-tunneling", NID_setCext_tunneling, 4, &so[4280]},
-    {"setCext-setExt", "setCext-setExt", NID_setCext_setExt, 4, &so[4284]},
-    {"setCext-setQualf", "setCext-setQualf", NID_setCext_setQualf, 4, &so[4288]},
-    {"setCext-PGWYcapabilities", "setCext-PGWYcapabilities", NID_setCext_PGWYcapabilities, 4, &so[4292]},
-    {"setCext-TokenIdentifier", "setCext-TokenIdentifier", NID_setCext_TokenIdentifier, 4, &so[4296]},
-    {"setCext-Track2Data", "setCext-Track2Data", NID_setCext_Track2Data, 4, &so[4300]},
-    {"setCext-TokenType", "setCext-TokenType", NID_setCext_TokenType, 4, &so[4304]},
-    {"setCext-IssuerCapabilities", "setCext-IssuerCapabilities", NID_setCext_IssuerCapabilities, 4, &so[4308]},
-    {"setAttr-Cert", "setAttr-Cert", NID_setAttr_Cert, 4, &so[4312]},
-    {"setAttr-PGWYcap", "payment gateway capabilities", NID_setAttr_PGWYcap, 4, &so[4316]},
-    {"setAttr-TokenType", "setAttr-TokenType", NID_setAttr_TokenType, 4, &so[4320]},
-    {"setAttr-IssCap", "issuer capabilities", NID_setAttr_IssCap, 4, &so[4324]},
-    {"set-rootKeyThumb", "set-rootKeyThumb", NID_set_rootKeyThumb, 5, &so[4328]},
-    {"set-addPolicy", "set-addPolicy", NID_set_addPolicy, 5, &so[4333]},
-    {"setAttr-Token-EMV", "setAttr-Token-EMV", NID_setAttr_Token_EMV, 5, &so[4338]},
-    {"setAttr-Token-B0Prime", "setAttr-Token-B0Prime", NID_setAttr_Token_B0Prime, 5, &so[4343]},
-    {"setAttr-IssCap-CVM", "setAttr-IssCap-CVM", NID_setAttr_IssCap_CVM, 5, &so[4348]},
-    {"setAttr-IssCap-T2", "setAttr-IssCap-T2", NID_setAttr_IssCap_T2, 5, &so[4353]},
-    {"setAttr-IssCap-Sig", "setAttr-IssCap-Sig", NID_setAttr_IssCap_Sig, 5, &so[4358]},
-    {"setAttr-GenCryptgrm", "generate cryptogram", NID_setAttr_GenCryptgrm, 6, &so[4363]},
-    {"setAttr-T2Enc", "encrypted track 2", NID_setAttr_T2Enc, 6, &so[4369]},
-    {"setAttr-T2cleartxt", "cleartext track 2", NID_setAttr_T2cleartxt, 6, &so[4375]},
-    {"setAttr-TokICCsig", "ICC or token signature", NID_setAttr_TokICCsig, 6, &so[4381]},
-    {"setAttr-SecDevSig", "secure device signature", NID_setAttr_SecDevSig, 6, &so[4387]},
-    {"set-brand-IATA-ATA", "set-brand-IATA-ATA", NID_set_brand_IATA_ATA, 4, &so[4393]},
-    {"set-brand-Diners", "set-brand-Diners", NID_set_brand_Diners, 4, &so[4397]},
-    {"set-brand-AmericanExpress", "set-brand-AmericanExpress", NID_set_brand_AmericanExpress, 4, &so[4401]},
-    {"set-brand-JCB", "set-brand-JCB", NID_set_brand_JCB, 4, &so[4405]},
-    {"set-brand-Visa", "set-brand-Visa", NID_set_brand_Visa, 4, &so[4409]},
-    {"set-brand-MasterCard", "set-brand-MasterCard", NID_set_brand_MasterCard, 4, &so[4413]},
-    {"set-brand-Novus", "set-brand-Novus", NID_set_brand_Novus, 5, &so[4417]},
-    {"DES-CDMF", "des-cdmf", NID_des_cdmf, 8, &so[4422]},
-    {"rsaOAEPEncryptionSET", "rsaOAEPEncryptionSET", NID_rsaOAEPEncryptionSET, 9, &so[4430]},
-    {"ITU-T", "itu-t", NID_itu_t},
-    {"JOINT-ISO-ITU-T", "joint-iso-itu-t", NID_joint_iso_itu_t},
-    {"international-organizations", "International Organizations", NID_international_organizations, 1, &so[4439]},
-    {"msSmartcardLogin", "Microsoft Smartcardlogin", NID_ms_smartcard_login, 10, &so[4440]},
-    {"msUPN", "Microsoft Universal Principal Name", NID_ms_upn, 10, &so[4450]},
-    {"AES-128-CFB1", "aes-128-cfb1", NID_aes_128_cfb1},
-    {"AES-192-CFB1", "aes-192-cfb1", NID_aes_192_cfb1},
-    {"AES-256-CFB1", "aes-256-cfb1", NID_aes_256_cfb1},
-    {"AES-128-CFB8", "aes-128-cfb8", NID_aes_128_cfb8},
-    {"AES-192-CFB8", "aes-192-cfb8", NID_aes_192_cfb8},
-    {"AES-256-CFB8", "aes-256-cfb8", NID_aes_256_cfb8},
-    {"DES-CFB1", "des-cfb1", NID_des_cfb1},
-    {"DES-CFB8", "des-cfb8", NID_des_cfb8},
-    {"DES-EDE3-CFB1", "des-ede3-cfb1", NID_des_ede3_cfb1},
-    {"DES-EDE3-CFB8", "des-ede3-cfb8", NID_des_ede3_cfb8},
-    {"street", "streetAddress", NID_streetAddress, 3, &so[4460]},
-    {"postalCode", "postalCode", NID_postalCode, 3, &so[4463]},
-    {"id-ppl", "id-ppl", NID_id_ppl, 7, &so[4466]},
-    {"proxyCertInfo", "Proxy Certificate Information", NID_proxyCertInfo, 8, &so[4473]},
-    {"id-ppl-anyLanguage", "Any language", NID_id_ppl_anyLanguage, 8, &so[4481]},
-    {"id-ppl-inheritAll", "Inherit all", NID_id_ppl_inheritAll, 8, &so[4489]},
-    {"nameConstraints", "X509v3 Name Constraints", NID_name_constraints, 3, &so[4497]},
-    {"id-ppl-independent", "Independent", NID_Independent, 8, &so[4500]},
-    {"RSA-SHA256", "sha256WithRSAEncryption", NID_sha256WithRSAEncryption, 9, &so[4508]},
-    {"RSA-SHA384", "sha384WithRSAEncryption", NID_sha384WithRSAEncryption, 9, &so[4517]},
-    {"RSA-SHA512", "sha512WithRSAEncryption", NID_sha512WithRSAEncryption, 9, &so[4526]},
-    {"RSA-SHA224", "sha224WithRSAEncryption", NID_sha224WithRSAEncryption, 9, &so[4535]},
-    {"SHA256", "sha256", NID_sha256, 9, &so[4544]},
-    {"SHA384", "sha384", NID_sha384, 9, &so[4553]},
-    {"SHA512", "sha512", NID_sha512, 9, &so[4562]},
-    {"SHA224", "sha224", NID_sha224, 9, &so[4571]},
-    {"identified-organization", "identified-organization", NID_identified_organization, 1, &so[4580]},
-    {"certicom-arc", "certicom-arc", NID_certicom_arc, 3, &so[4581]},
-    {"wap", "wap", NID_wap, 2, &so[4584]},
-    {"wap-wsg", "wap-wsg", NID_wap_wsg, 3, &so[4586]},
-    {"id-characteristic-two-basis", "id-characteristic-two-basis", NID_X9_62_id_characteristic_two_basis, 8, &so[4589]},
-    {"onBasis", "onBasis", NID_X9_62_onBasis, 9, &so[4597]},
-    {"tpBasis", "tpBasis", NID_X9_62_tpBasis, 9, &so[4606]},
-    {"ppBasis", "ppBasis", NID_X9_62_ppBasis, 9, &so[4615]},
-    {"c2pnb163v1", "c2pnb163v1", NID_X9_62_c2pnb163v1, 8, &so[4624]},
-    {"c2pnb163v2", "c2pnb163v2", NID_X9_62_c2pnb163v2, 8, &so[4632]},
-    {"c2pnb163v3", "c2pnb163v3", NID_X9_62_c2pnb163v3, 8, &so[4640]},
-    {"c2pnb176v1", "c2pnb176v1", NID_X9_62_c2pnb176v1, 8, &so[4648]},
-    {"c2tnb191v1", "c2tnb191v1", NID_X9_62_c2tnb191v1, 8, &so[4656]},
-    {"c2tnb191v2", "c2tnb191v2", NID_X9_62_c2tnb191v2, 8, &so[4664]},
-    {"c2tnb191v3", "c2tnb191v3", NID_X9_62_c2tnb191v3, 8, &so[4672]},
-    {"c2onb191v4", "c2onb191v4", NID_X9_62_c2onb191v4, 8, &so[4680]},
-    {"c2onb191v5", "c2onb191v5", NID_X9_62_c2onb191v5, 8, &so[4688]},
-    {"c2pnb208w1", "c2pnb208w1", NID_X9_62_c2pnb208w1, 8, &so[4696]},
-    {"c2tnb239v1", "c2tnb239v1", NID_X9_62_c2tnb239v1, 8, &so[4704]},
-    {"c2tnb239v2", "c2tnb239v2", NID_X9_62_c2tnb239v2, 8, &so[4712]},
-    {"c2tnb239v3", "c2tnb239v3", NID_X9_62_c2tnb239v3, 8, &so[4720]},
-    {"c2onb239v4", "c2onb239v4", NID_X9_62_c2onb239v4, 8, &so[4728]},
-    {"c2onb239v5", "c2onb239v5", NID_X9_62_c2onb239v5, 8, &so[4736]},
-    {"c2pnb272w1", "c2pnb272w1", NID_X9_62_c2pnb272w1, 8, &so[4744]},
-    {"c2pnb304w1", "c2pnb304w1", NID_X9_62_c2pnb304w1, 8, &so[4752]},
-    {"c2tnb359v1", "c2tnb359v1", NID_X9_62_c2tnb359v1, 8, &so[4760]},
-    {"c2pnb368w1", "c2pnb368w1", NID_X9_62_c2pnb368w1, 8, &so[4768]},
-    {"c2tnb431r1", "c2tnb431r1", NID_X9_62_c2tnb431r1, 8, &so[4776]},
-    {"secp112r1", "secp112r1", NID_secp112r1, 5, &so[4784]},
-    {"secp112r2", "secp112r2", NID_secp112r2, 5, &so[4789]},
-    {"secp128r1", "secp128r1", NID_secp128r1, 5, &so[4794]},
-    {"secp128r2", "secp128r2", NID_secp128r2, 5, &so[4799]},
-    {"secp160k1", "secp160k1", NID_secp160k1, 5, &so[4804]},
-    {"secp160r1", "secp160r1", NID_secp160r1, 5, &so[4809]},
-    {"secp160r2", "secp160r2", NID_secp160r2, 5, &so[4814]},
-    {"secp192k1", "secp192k1", NID_secp192k1, 5, &so[4819]},
-    {"secp224k1", "secp224k1", NID_secp224k1, 5, &so[4824]},
-    {"secp224r1", "secp224r1", NID_secp224r1, 5, &so[4829]},
-    {"secp256k1", "secp256k1", NID_secp256k1, 5, &so[4834]},
-    {"secp384r1", "secp384r1", NID_secp384r1, 5, &so[4839]},
-    {"secp521r1", "secp521r1", NID_secp521r1, 5, &so[4844]},
-    {"sect113r1", "sect113r1", NID_sect113r1, 5, &so[4849]},
-    {"sect113r2", "sect113r2", NID_sect113r2, 5, &so[4854]},
-    {"sect131r1", "sect131r1", NID_sect131r1, 5, &so[4859]},
-    {"sect131r2", "sect131r2", NID_sect131r2, 5, &so[4864]},
-    {"sect163k1", "sect163k1", NID_sect163k1, 5, &so[4869]},
-    {"sect163r1", "sect163r1", NID_sect163r1, 5, &so[4874]},
-    {"sect163r2", "sect163r2", NID_sect163r2, 5, &so[4879]},
-    {"sect193r1", "sect193r1", NID_sect193r1, 5, &so[4884]},
-    {"sect193r2", "sect193r2", NID_sect193r2, 5, &so[4889]},
-    {"sect233k1", "sect233k1", NID_sect233k1, 5, &so[4894]},
-    {"sect233r1", "sect233r1", NID_sect233r1, 5, &so[4899]},
-    {"sect239k1", "sect239k1", NID_sect239k1, 5, &so[4904]},
-    {"sect283k1", "sect283k1", NID_sect283k1, 5, &so[4909]},
-    {"sect283r1", "sect283r1", NID_sect283r1, 5, &so[4914]},
-    {"sect409k1", "sect409k1", NID_sect409k1, 5, &so[4919]},
-    {"sect409r1", "sect409r1", NID_sect409r1, 5, &so[4924]},
-    {"sect571k1", "sect571k1", NID_sect571k1, 5, &so[4929]},
-    {"sect571r1", "sect571r1", NID_sect571r1, 5, &so[4934]},
-    {"wap-wsg-idm-ecid-wtls1", "wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1, 5, &so[4939]},
-    {"wap-wsg-idm-ecid-wtls3", "wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3, 5, &so[4944]},
-    {"wap-wsg-idm-ecid-wtls4", "wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4, 5, &so[4949]},
-    {"wap-wsg-idm-ecid-wtls5", "wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5, 5, &so[4954]},
-    {"wap-wsg-idm-ecid-wtls6", "wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6, 5, &so[4959]},
-    {"wap-wsg-idm-ecid-wtls7", "wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7, 5, &so[4964]},
-    {"wap-wsg-idm-ecid-wtls8", "wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8, 5, &so[4969]},
-    {"wap-wsg-idm-ecid-wtls9", "wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9, 5, &so[4974]},
-    {"wap-wsg-idm-ecid-wtls10", "wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10, 5, &so[4979]},
-    {"wap-wsg-idm-ecid-wtls11", "wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11, 5, &so[4984]},
-    {"wap-wsg-idm-ecid-wtls12", "wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12, 5, &so[4989]},
-    {"anyPolicy", "X509v3 Any Policy", NID_any_policy, 4, &so[4994]},
-    {"policyMappings", "X509v3 Policy Mappings", NID_policy_mappings, 3, &so[4998]},
-    {"inhibitAnyPolicy", "X509v3 Inhibit Any Policy", NID_inhibit_any_policy, 3, &so[5001]},
-    {"Oakley-EC2N-3", "ipsec3", NID_ipsec3},
-    {"Oakley-EC2N-4", "ipsec4", NID_ipsec4},
-    {"CAMELLIA-128-CBC", "camellia-128-cbc", NID_camellia_128_cbc, 11, &so[5004]},
-    {"CAMELLIA-192-CBC", "camellia-192-cbc", NID_camellia_192_cbc, 11, &so[5015]},
-    {"CAMELLIA-256-CBC", "camellia-256-cbc", NID_camellia_256_cbc, 11, &so[5026]},
-    {"CAMELLIA-128-ECB", "camellia-128-ecb", NID_camellia_128_ecb, 8, &so[5037]},
-    {"CAMELLIA-192-ECB", "camellia-192-ecb", NID_camellia_192_ecb, 8, &so[5045]},
-    {"CAMELLIA-256-ECB", "camellia-256-ecb", NID_camellia_256_ecb, 8, &so[5053]},
-    {"CAMELLIA-128-CFB", "camellia-128-cfb", NID_camellia_128_cfb128, 8, &so[5061]},
-    {"CAMELLIA-192-CFB", "camellia-192-cfb", NID_camellia_192_cfb128, 8, &so[5069]},
-    {"CAMELLIA-256-CFB", "camellia-256-cfb", NID_camellia_256_cfb128, 8, &so[5077]},
-    {"CAMELLIA-128-CFB1", "camellia-128-cfb1", NID_camellia_128_cfb1},
-    {"CAMELLIA-192-CFB1", "camellia-192-cfb1", NID_camellia_192_cfb1},
-    {"CAMELLIA-256-CFB1", "camellia-256-cfb1", NID_camellia_256_cfb1},
-    {"CAMELLIA-128-CFB8", "camellia-128-cfb8", NID_camellia_128_cfb8},
-    {"CAMELLIA-192-CFB8", "camellia-192-cfb8", NID_camellia_192_cfb8},
-    {"CAMELLIA-256-CFB8", "camellia-256-cfb8", NID_camellia_256_cfb8},
-    {"CAMELLIA-128-OFB", "camellia-128-ofb", NID_camellia_128_ofb128, 8, &so[5085]},
-    {"CAMELLIA-192-OFB", "camellia-192-ofb", NID_camellia_192_ofb128, 8, &so[5093]},
-    {"CAMELLIA-256-OFB", "camellia-256-ofb", NID_camellia_256_ofb128, 8, &so[5101]},
-    {"subjectDirectoryAttributes", "X509v3 Subject Directory Attributes", NID_subject_directory_attributes, 3, &so[5109]},
-    {"issuingDistributionPoint", "X509v3 Issuing Distribution Point", NID_issuing_distribution_point, 3, &so[5112]},
-    {"certificateIssuer", "X509v3 Certificate Issuer", NID_certificate_issuer, 3, &so[5115]},
-    { NULL, NULL, NID_undef },
-    {"KISA", "kisa", NID_kisa, 6, &so[5118]},
-    { NULL, NULL, NID_undef },
-    { NULL, NULL, NID_undef },
-    {"SEED-ECB", "seed-ecb", NID_seed_ecb, 8, &so[5124]},
-    {"SEED-CBC", "seed-cbc", NID_seed_cbc, 8, &so[5132]},
-    {"SEED-OFB", "seed-ofb", NID_seed_ofb128, 8, &so[5140]},
-    {"SEED-CFB", "seed-cfb", NID_seed_cfb128, 8, &so[5148]},
-    {"HMAC-MD5", "hmac-md5", NID_hmac_md5, 8, &so[5156]},
-    {"HMAC-SHA1", "hmac-sha1", NID_hmac_sha1, 8, &so[5164]},
-    {"id-PasswordBasedMAC", "password based MAC", NID_id_PasswordBasedMAC, 9, &so[5172]},
-    {"id-DHBasedMac", "Diffie-Hellman based MAC", NID_id_DHBasedMac, 9, &so[5181]},
-    {"id-it-suppLangTags", "id-it-suppLangTags", NID_id_it_suppLangTags, 8, &so[5190]},
-    {"caRepository", "CA Repository", NID_caRepository, 8, &so[5198]},
-    {"id-smime-ct-compressedData", "id-smime-ct-compressedData", NID_id_smime_ct_compressedData, 11, &so[5206]},
-    {"id-ct-asciiTextWithCRLF", "id-ct-asciiTextWithCRLF", NID_id_ct_asciiTextWithCRLF, 11, &so[5217]},
-    {"id-aes128-wrap", "id-aes128-wrap", NID_id_aes128_wrap, 9, &so[5228]},
-    {"id-aes192-wrap", "id-aes192-wrap", NID_id_aes192_wrap, 9, &so[5237]},
-    {"id-aes256-wrap", "id-aes256-wrap", NID_id_aes256_wrap, 9, &so[5246]},
-    {"ecdsa-with-Recommended", "ecdsa-with-Recommended", NID_ecdsa_with_Recommended, 7, &so[5255]},
-    {"ecdsa-with-Specified", "ecdsa-with-Specified", NID_ecdsa_with_Specified, 7, &so[5262]},
-    {"ecdsa-with-SHA224", "ecdsa-with-SHA224", NID_ecdsa_with_SHA224, 8, &so[5269]},
-    {"ecdsa-with-SHA256", "ecdsa-with-SHA256", NID_ecdsa_with_SHA256, 8, &so[5277]},
-    {"ecdsa-with-SHA384", "ecdsa-with-SHA384", NID_ecdsa_with_SHA384, 8, &so[5285]},
-    {"ecdsa-with-SHA512", "ecdsa-with-SHA512", NID_ecdsa_with_SHA512, 8, &so[5293]},
-    {"hmacWithMD5", "hmacWithMD5", NID_hmacWithMD5, 8, &so[5301]},
-    {"hmacWithSHA224", "hmacWithSHA224", NID_hmacWithSHA224, 8, &so[5309]},
-    {"hmacWithSHA256", "hmacWithSHA256", NID_hmacWithSHA256, 8, &so[5317]},
-    {"hmacWithSHA384", "hmacWithSHA384", NID_hmacWithSHA384, 8, &so[5325]},
-    {"hmacWithSHA512", "hmacWithSHA512", NID_hmacWithSHA512, 8, &so[5333]},
-    {"dsa_with_SHA224", "dsa_with_SHA224", NID_dsa_with_SHA224, 9, &so[5341]},
-    {"dsa_with_SHA256", "dsa_with_SHA256", NID_dsa_with_SHA256, 9, &so[5350]},
-    {"whirlpool", "whirlpool", NID_whirlpool, 6, &so[5359]},
-    {"cryptopro", "cryptopro", NID_cryptopro, 5, &so[5365]},
-    {"cryptocom", "cryptocom", NID_cryptocom, 5, &so[5370]},
-    {"id-GostR3411-94-with-GostR3410-2001", "GOST R 34.11-94 with GOST R 34.10-2001", NID_id_GostR3411_94_with_GostR3410_2001, 6, &so[5375]},
-    {"id-GostR3411-94-with-GostR3410-94", "GOST R 34.11-94 with GOST R 34.10-94", NID_id_GostR3411_94_with_GostR3410_94, 6, &so[5381]},
-    {"md_gost94", "GOST R 34.11-94", NID_id_GostR3411_94, 6, &so[5387]},
-    {"id-HMACGostR3411-94", "HMAC GOST 34.11-94", NID_id_HMACGostR3411_94, 6, &so[5393]},
-    {"gost2001", "GOST R 34.10-2001", NID_id_GostR3410_2001, 6, &so[5399]},
-    {"gost94", "GOST R 34.10-94", NID_id_GostR3410_94, 6, &so[5405]},
-    {"gost89", "GOST 28147-89", NID_id_Gost28147_89, 6, &so[5411]},
-    {"gost89-cnt", "gost89-cnt", NID_gost89_cnt},
-    {"gost-mac", "GOST 28147-89 MAC", NID_id_Gost28147_89_MAC, 6, &so[5417]},
-    {"prf-gostr3411-94", "GOST R 34.11-94 PRF", NID_id_GostR3411_94_prf, 6, &so[5423]},
-    {"id-GostR3410-2001DH", "GOST R 34.10-2001 DH", NID_id_GostR3410_2001DH, 6, &so[5429]},
-    {"id-GostR3410-94DH", "GOST R 34.10-94 DH", NID_id_GostR3410_94DH, 6, &so[5435]},
-    {"id-Gost28147-89-CryptoPro-KeyMeshing", "id-Gost28147-89-CryptoPro-KeyMeshing", NID_id_Gost28147_89_CryptoPro_KeyMeshing, 7, &so[5441]},
-    {"id-Gost28147-89-None-KeyMeshing", "id-Gost28147-89-None-KeyMeshing", NID_id_Gost28147_89_None_KeyMeshing, 7, &so[5448]},
-    {"id-GostR3411-94-TestParamSet", "id-GostR3411-94-TestParamSet", NID_id_GostR3411_94_TestParamSet, 7, &so[5455]},
-    {"id-GostR3411-94-CryptoProParamSet", "id-GostR3411-94-CryptoProParamSet", NID_id_GostR3411_94_CryptoProParamSet, 7, &so[5462]},
-    {"id-Gost28147-89-TestParamSet", "id-Gost28147-89-TestParamSet", NID_id_Gost28147_89_TestParamSet, 7, &so[5469]},
-    {"id-Gost28147-89-CryptoPro-A-ParamSet", "id-Gost28147-89-CryptoPro-A-ParamSet", NID_id_Gost28147_89_CryptoPro_A_ParamSet, 7, &so[5476]},
-    {"id-Gost28147-89-CryptoPro-B-ParamSet", "id-Gost28147-89-CryptoPro-B-ParamSet", NID_id_Gost28147_89_CryptoPro_B_ParamSet, 7, &so[5483]},
-    {"id-Gost28147-89-CryptoPro-C-ParamSet", "id-Gost28147-89-CryptoPro-C-ParamSet", NID_id_Gost28147_89_CryptoPro_C_ParamSet, 7, &so[5490]},
-    {"id-Gost28147-89-CryptoPro-D-ParamSet", "id-Gost28147-89-CryptoPro-D-ParamSet", NID_id_Gost28147_89_CryptoPro_D_ParamSet, 7, &so[5497]},
-    {"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet", "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet", NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet, 7, &so[5504]},
-    {"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet", "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet", NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet, 7, &so[5511]},
-    {"id-Gost28147-89-CryptoPro-RIC-1-ParamSet", "id-Gost28147-89-CryptoPro-RIC-1-ParamSet", NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet, 7, &so[5518]},
-    {"id-GostR3410-94-TestParamSet", "id-GostR3410-94-TestParamSet", NID_id_GostR3410_94_TestParamSet, 7, &so[5525]},
-    {"id-GostR3410-94-CryptoPro-A-ParamSet", "id-GostR3410-94-CryptoPro-A-ParamSet", NID_id_GostR3410_94_CryptoPro_A_ParamSet, 7, &so[5532]},
-    {"id-GostR3410-94-CryptoPro-B-ParamSet", "id-GostR3410-94-CryptoPro-B-ParamSet", NID_id_GostR3410_94_CryptoPro_B_ParamSet, 7, &so[5539]},
-    {"id-GostR3410-94-CryptoPro-C-ParamSet", "id-GostR3410-94-CryptoPro-C-ParamSet", NID_id_GostR3410_94_CryptoPro_C_ParamSet, 7, &so[5546]},
-    {"id-GostR3410-94-CryptoPro-D-ParamSet", "id-GostR3410-94-CryptoPro-D-ParamSet", NID_id_GostR3410_94_CryptoPro_D_ParamSet, 7, &so[5553]},
-    {"id-GostR3410-94-CryptoPro-XchA-ParamSet", "id-GostR3410-94-CryptoPro-XchA-ParamSet", NID_id_GostR3410_94_CryptoPro_XchA_ParamSet, 7, &so[5560]},
-    {"id-GostR3410-94-CryptoPro-XchB-ParamSet", "id-GostR3410-94-CryptoPro-XchB-ParamSet", NID_id_GostR3410_94_CryptoPro_XchB_ParamSet, 7, &so[5567]},
-    {"id-GostR3410-94-CryptoPro-XchC-ParamSet", "id-GostR3410-94-CryptoPro-XchC-ParamSet", NID_id_GostR3410_94_CryptoPro_XchC_ParamSet, 7, &so[5574]},
-    {"id-GostR3410-2001-TestParamSet", "id-GostR3410-2001-TestParamSet", NID_id_GostR3410_2001_TestParamSet, 7, &so[5581]},
-    {"id-GostR3410-2001-CryptoPro-A-ParamSet", "id-GostR3410-2001-CryptoPro-A-ParamSet", NID_id_GostR3410_2001_CryptoPro_A_ParamSet, 7, &so[5588]},
-    {"id-GostR3410-2001-CryptoPro-B-ParamSet", "id-GostR3410-2001-CryptoPro-B-ParamSet", NID_id_GostR3410_2001_CryptoPro_B_ParamSet, 7, &so[5595]},
-    {"id-GostR3410-2001-CryptoPro-C-ParamSet", "id-GostR3410-2001-CryptoPro-C-ParamSet", NID_id_GostR3410_2001_CryptoPro_C_ParamSet, 7, &so[5602]},
-    {"id-GostR3410-2001-CryptoPro-XchA-ParamSet", "id-GostR3410-2001-CryptoPro-XchA-ParamSet", NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, 7, &so[5609]},
-    {"id-GostR3410-2001-CryptoPro-XchB-ParamSet", "id-GostR3410-2001-CryptoPro-XchB-ParamSet", NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, 7, &so[5616]},
-    {"id-GostR3410-94-a", "id-GostR3410-94-a", NID_id_GostR3410_94_a, 7, &so[5623]},
-    {"id-GostR3410-94-aBis", "id-GostR3410-94-aBis", NID_id_GostR3410_94_aBis, 7, &so[5630]},
-    {"id-GostR3410-94-b", "id-GostR3410-94-b", NID_id_GostR3410_94_b, 7, &so[5637]},
-    {"id-GostR3410-94-bBis", "id-GostR3410-94-bBis", NID_id_GostR3410_94_bBis, 7, &so[5644]},
-    {"id-Gost28147-89-cc", "GOST 28147-89 Cryptocom ParamSet", NID_id_Gost28147_89_cc, 8, &so[5651]},
-    {"gost94cc", "GOST 34.10-94 Cryptocom", NID_id_GostR3410_94_cc, 8, &so[5659]},
-    {"gost2001cc", "GOST 34.10-2001 Cryptocom", NID_id_GostR3410_2001_cc, 8, &so[5667]},
-    {"id-GostR3411-94-with-GostR3410-94-cc", "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom", NID_id_GostR3411_94_with_GostR3410_94_cc, 8, &so[5675]},
-    {"id-GostR3411-94-with-GostR3410-2001-cc", "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom", NID_id_GostR3411_94_with_GostR3410_2001_cc, 8, &so[5683]},
-    {"id-GostR3410-2001-ParamSet-cc", "GOST R 3410-2001 Parameter Set Cryptocom", NID_id_GostR3410_2001_ParamSet_cc, 8, &so[5691]},
-    {"HMAC", "hmac", NID_hmac},
-    {"LocalKeySet", "Microsoft Local Key set", NID_LocalKeySet, 9, &so[5699]},
-    {"freshestCRL", "X509v3 Freshest CRL", NID_freshest_crl, 3, &so[5708]},
-    {"id-on-permanentIdentifier", "Permanent Identifier", NID_id_on_permanentIdentifier, 8, &so[5711]},
-    {"searchGuide", "searchGuide", NID_searchGuide, 3, &so[5719]},
-    {"businessCategory", "businessCategory", NID_businessCategory, 3, &so[5722]},
-    {"postalAddress", "postalAddress", NID_postalAddress, 3, &so[5725]},
-    {"postOfficeBox", "postOfficeBox", NID_postOfficeBox, 3, &so[5728]},
-    {"physicalDeliveryOfficeName", "physicalDeliveryOfficeName", NID_physicalDeliveryOfficeName, 3, &so[5731]},
-    {"telephoneNumber", "telephoneNumber", NID_telephoneNumber, 3, &so[5734]},
-    {"telexNumber", "telexNumber", NID_telexNumber, 3, &so[5737]},
-    {"teletexTerminalIdentifier", "teletexTerminalIdentifier", NID_teletexTerminalIdentifier, 3, &so[5740]},
-    {"facsimileTelephoneNumber", "facsimileTelephoneNumber", NID_facsimileTelephoneNumber, 3, &so[5743]},
-    {"x121Address", "x121Address", NID_x121Address, 3, &so[5746]},
-    {"internationaliSDNNumber", "internationaliSDNNumber", NID_internationaliSDNNumber, 3, &so[5749]},
-    {"registeredAddress", "registeredAddress", NID_registeredAddress, 3, &so[5752]},
-    {"destinationIndicator", "destinationIndicator", NID_destinationIndicator, 3, &so[5755]},
-    {"preferredDeliveryMethod", "preferredDeliveryMethod", NID_preferredDeliveryMethod, 3, &so[5758]},
-    {"presentationAddress", "presentationAddress", NID_presentationAddress, 3, &so[5761]},
-    {"supportedApplicationContext", "supportedApplicationContext", NID_supportedApplicationContext, 3, &so[5764]},
-    {"member", "member", NID_member, 3, &so[5767]},
-    {"owner", "owner", NID_owner, 3, &so[5770]},
-    {"roleOccupant", "roleOccupant", NID_roleOccupant, 3, &so[5773]},
-    {"seeAlso", "seeAlso", NID_seeAlso, 3, &so[5776]},
-    {"userPassword", "userPassword", NID_userPassword, 3, &so[5779]},
-    {"userCertificate", "userCertificate", NID_userCertificate, 3, &so[5782]},
-    {"cACertificate", "cACertificate", NID_cACertificate, 3, &so[5785]},
-    {"authorityRevocationList", "authorityRevocationList", NID_authorityRevocationList, 3, &so[5788]},
-    {"certificateRevocationList", "certificateRevocationList", NID_certificateRevocationList, 3, &so[5791]},
-    {"crossCertificatePair", "crossCertificatePair", NID_crossCertificatePair, 3, &so[5794]},
-    {"enhancedSearchGuide", "enhancedSearchGuide", NID_enhancedSearchGuide, 3, &so[5797]},
-    {"protocolInformation", "protocolInformation", NID_protocolInformation, 3, &so[5800]},
-    {"distinguishedName", "distinguishedName", NID_distinguishedName, 3, &so[5803]},
-    {"uniqueMember", "uniqueMember", NID_uniqueMember, 3, &so[5806]},
-    {"houseIdentifier", "houseIdentifier", NID_houseIdentifier, 3, &so[5809]},
-    {"supportedAlgorithms", "supportedAlgorithms", NID_supportedAlgorithms, 3, &so[5812]},
-    {"deltaRevocationList", "deltaRevocationList", NID_deltaRevocationList, 3, &so[5815]},
-    {"dmdName", "dmdName", NID_dmdName, 3, &so[5818]},
-    {"id-alg-PWRI-KEK", "id-alg-PWRI-KEK", NID_id_alg_PWRI_KEK, 11, &so[5821]},
-    {"CMAC", "cmac", NID_cmac},
-    {"id-aes128-GCM", "aes-128-gcm", NID_aes_128_gcm, 9, &so[5832]},
-    {"id-aes128-CCM", "aes-128-ccm", NID_aes_128_ccm, 9, &so[5841]},
-    {"id-aes128-wrap-pad", "id-aes128-wrap-pad", NID_id_aes128_wrap_pad, 9, &so[5850]},
-    {"id-aes192-GCM", "aes-192-gcm", NID_aes_192_gcm, 9, &so[5859]},
-    {"id-aes192-CCM", "aes-192-ccm", NID_aes_192_ccm, 9, &so[5868]},
-    {"id-aes192-wrap-pad", "id-aes192-wrap-pad", NID_id_aes192_wrap_pad, 9, &so[5877]},
-    {"id-aes256-GCM", "aes-256-gcm", NID_aes_256_gcm, 9, &so[5886]},
-    {"id-aes256-CCM", "aes-256-ccm", NID_aes_256_ccm, 9, &so[5895]},
-    {"id-aes256-wrap-pad", "id-aes256-wrap-pad", NID_id_aes256_wrap_pad, 9, &so[5904]},
-    {"AES-128-CTR", "aes-128-ctr", NID_aes_128_ctr},
-    {"AES-192-CTR", "aes-192-ctr", NID_aes_192_ctr},
-    {"AES-256-CTR", "aes-256-ctr", NID_aes_256_ctr},
-    {"id-camellia128-wrap", "id-camellia128-wrap", NID_id_camellia128_wrap, 11, &so[5913]},
-    {"id-camellia192-wrap", "id-camellia192-wrap", NID_id_camellia192_wrap, 11, &so[5924]},
-    {"id-camellia256-wrap", "id-camellia256-wrap", NID_id_camellia256_wrap, 11, &so[5935]},
-    {"anyExtendedKeyUsage", "Any Extended Key Usage", NID_anyExtendedKeyUsage, 4, &so[5946]},
-    {"MGF1", "mgf1", NID_mgf1, 9, &so[5950]},
-    {"RSASSA-PSS", "rsassaPss", NID_rsassaPss, 9, &so[5959]},
-    {"AES-128-XTS", "aes-128-xts", NID_aes_128_xts},
-    {"AES-256-XTS", "aes-256-xts", NID_aes_256_xts},
-    {"RC4-HMAC-MD5", "rc4-hmac-md5", NID_rc4_hmac_md5},
-    {"AES-128-CBC-HMAC-SHA1", "aes-128-cbc-hmac-sha1", NID_aes_128_cbc_hmac_sha1},
-    {"AES-192-CBC-HMAC-SHA1", "aes-192-cbc-hmac-sha1", NID_aes_192_cbc_hmac_sha1},
-    {"AES-256-CBC-HMAC-SHA1", "aes-256-cbc-hmac-sha1", NID_aes_256_cbc_hmac_sha1},
-    {"RSAES-OAEP", "rsaesOaep", NID_rsaesOaep, 9, &so[5968]},
-    {"dhpublicnumber", "X9.42 DH", NID_dhpublicnumber, 7, &so[5977]},
-    {"brainpoolP160r1", "brainpoolP160r1", NID_brainpoolP160r1, 9, &so[5984]},
-    {"brainpoolP160t1", "brainpoolP160t1", NID_brainpoolP160t1, 9, &so[5993]},
-    {"brainpoolP192r1", "brainpoolP192r1", NID_brainpoolP192r1, 9, &so[6002]},
-    {"brainpoolP192t1", "brainpoolP192t1", NID_brainpoolP192t1, 9, &so[6011]},
-    {"brainpoolP224r1", "brainpoolP224r1", NID_brainpoolP224r1, 9, &so[6020]},
-    {"brainpoolP224t1", "brainpoolP224t1", NID_brainpoolP224t1, 9, &so[6029]},
-    {"brainpoolP256r1", "brainpoolP256r1", NID_brainpoolP256r1, 9, &so[6038]},
-    {"brainpoolP256t1", "brainpoolP256t1", NID_brainpoolP256t1, 9, &so[6047]},
-    {"brainpoolP320r1", "brainpoolP320r1", NID_brainpoolP320r1, 9, &so[6056]},
-    {"brainpoolP320t1", "brainpoolP320t1", NID_brainpoolP320t1, 9, &so[6065]},
-    {"brainpoolP384r1", "brainpoolP384r1", NID_brainpoolP384r1, 9, &so[6074]},
-    {"brainpoolP384t1", "brainpoolP384t1", NID_brainpoolP384t1, 9, &so[6083]},
-    {"brainpoolP512r1", "brainpoolP512r1", NID_brainpoolP512r1, 9, &so[6092]},
-    {"brainpoolP512t1", "brainpoolP512t1", NID_brainpoolP512t1, 9, &so[6101]},
-    {"PSPECIFIED", "pSpecified", NID_pSpecified, 9, &so[6110]},
-    {"dhSinglePass-stdDH-sha1kdf-scheme", "dhSinglePass-stdDH-sha1kdf-scheme", NID_dhSinglePass_stdDH_sha1kdf_scheme, 9, &so[6119]},
-    {"dhSinglePass-stdDH-sha224kdf-scheme", "dhSinglePass-stdDH-sha224kdf-scheme", NID_dhSinglePass_stdDH_sha224kdf_scheme, 6, &so[6128]},
-    {"dhSinglePass-stdDH-sha256kdf-scheme", "dhSinglePass-stdDH-sha256kdf-scheme", NID_dhSinglePass_stdDH_sha256kdf_scheme, 6, &so[6134]},
-    {"dhSinglePass-stdDH-sha384kdf-scheme", "dhSinglePass-stdDH-sha384kdf-scheme", NID_dhSinglePass_stdDH_sha384kdf_scheme, 6, &so[6140]},
-    {"dhSinglePass-stdDH-sha512kdf-scheme", "dhSinglePass-stdDH-sha512kdf-scheme", NID_dhSinglePass_stdDH_sha512kdf_scheme, 6, &so[6146]},
-    {"dhSinglePass-cofactorDH-sha1kdf-scheme", "dhSinglePass-cofactorDH-sha1kdf-scheme", NID_dhSinglePass_cofactorDH_sha1kdf_scheme, 9, &so[6152]},
-    {"dhSinglePass-cofactorDH-sha224kdf-scheme", "dhSinglePass-cofactorDH-sha224kdf-scheme", NID_dhSinglePass_cofactorDH_sha224kdf_scheme, 6, &so[6161]},
-    {"dhSinglePass-cofactorDH-sha256kdf-scheme", "dhSinglePass-cofactorDH-sha256kdf-scheme", NID_dhSinglePass_cofactorDH_sha256kdf_scheme, 6, &so[6167]},
-    {"dhSinglePass-cofactorDH-sha384kdf-scheme", "dhSinglePass-cofactorDH-sha384kdf-scheme", NID_dhSinglePass_cofactorDH_sha384kdf_scheme, 6, &so[6173]},
-    {"dhSinglePass-cofactorDH-sha512kdf-scheme", "dhSinglePass-cofactorDH-sha512kdf-scheme", NID_dhSinglePass_cofactorDH_sha512kdf_scheme, 6, &so[6179]},
-    {"dh-std-kdf", "dh-std-kdf", NID_dh_std_kdf},
-    {"dh-cofactor-kdf", "dh-cofactor-kdf", NID_dh_cofactor_kdf},
-    {"AES-128-CBC-HMAC-SHA256", "aes-128-cbc-hmac-sha256", NID_aes_128_cbc_hmac_sha256},
-    {"AES-192-CBC-HMAC-SHA256", "aes-192-cbc-hmac-sha256", NID_aes_192_cbc_hmac_sha256},
-    {"AES-256-CBC-HMAC-SHA256", "aes-256-cbc-hmac-sha256", NID_aes_256_cbc_hmac_sha256},
-    {"ct_precert_scts", "CT Precertificate SCTs", NID_ct_precert_scts, 10, &so[6185]},
-    {"ct_precert_poison", "CT Precertificate Poison", NID_ct_precert_poison, 10, &so[6195]},
-    {"ct_precert_signer", "CT Precertificate Signer", NID_ct_precert_signer, 10, &so[6205]},
-    {"ct_cert_scts", "CT Certificate SCTs", NID_ct_cert_scts, 10, &so[6215]},
-    {"jurisdictionL", "jurisdictionLocalityName", NID_jurisdictionLocalityName, 11, &so[6225]},
-    {"jurisdictionST", "jurisdictionStateOrProvinceName", NID_jurisdictionStateOrProvinceName, 11, &so[6236]},
-    {"jurisdictionC", "jurisdictionCountryName", NID_jurisdictionCountryName, 11, &so[6247]},
-    {"AES-128-OCB", "aes-128-ocb", NID_aes_128_ocb},
-    {"AES-192-OCB", "aes-192-ocb", NID_aes_192_ocb},
-    {"AES-256-OCB", "aes-256-ocb", NID_aes_256_ocb},
-    {"CAMELLIA-128-GCM", "camellia-128-gcm", NID_camellia_128_gcm, 8, &so[6258]},
-    {"CAMELLIA-128-CCM", "camellia-128-ccm", NID_camellia_128_ccm, 8, &so[6266]},
-    {"CAMELLIA-128-CTR", "camellia-128-ctr", NID_camellia_128_ctr, 8, &so[6274]},
-    {"CAMELLIA-128-CMAC", "camellia-128-cmac", NID_camellia_128_cmac, 8, &so[6282]},
-    {"CAMELLIA-192-GCM", "camellia-192-gcm", NID_camellia_192_gcm, 8, &so[6290]},
-    {"CAMELLIA-192-CCM", "camellia-192-ccm", NID_camellia_192_ccm, 8, &so[6298]},
-    {"CAMELLIA-192-CTR", "camellia-192-ctr", NID_camellia_192_ctr, 8, &so[6306]},
-    {"CAMELLIA-192-CMAC", "camellia-192-cmac", NID_camellia_192_cmac, 8, &so[6314]},
-    {"CAMELLIA-256-GCM", "camellia-256-gcm", NID_camellia_256_gcm, 8, &so[6322]},
-    {"CAMELLIA-256-CCM", "camellia-256-ccm", NID_camellia_256_ccm, 8, &so[6330]},
-    {"CAMELLIA-256-CTR", "camellia-256-ctr", NID_camellia_256_ctr, 8, &so[6338]},
-    {"CAMELLIA-256-CMAC", "camellia-256-cmac", NID_camellia_256_cmac, 8, &so[6346]},
-    {"id-scrypt", "id-scrypt", NID_id_scrypt, 9, &so[6354]},
-    {"id-tc26", "id-tc26", NID_id_tc26, 5, &so[6363]},
-    {"gost89-cnt-12", "gost89-cnt-12", NID_gost89_cnt_12},
-    {"gost-mac-12", "gost-mac-12", NID_gost_mac_12},
-    {"id-tc26-algorithms", "id-tc26-algorithms", NID_id_tc26_algorithms, 6, &so[6368]},
-    {"id-tc26-sign", "id-tc26-sign", NID_id_tc26_sign, 7, &so[6374]},
-    {"gost2012_256", "GOST R 34.10-2012 with 256 bit modulus", NID_id_GostR3410_2012_256, 8, &so[6381]},
-    {"gost2012_512", "GOST R 34.10-2012 with 512 bit modulus", NID_id_GostR3410_2012_512, 8, &so[6389]},
-    {"id-tc26-digest", "id-tc26-digest", NID_id_tc26_digest, 7, &so[6397]},
-    {"md_gost12_256", "GOST R 34.11-2012 with 256 bit hash", NID_id_GostR3411_2012_256, 8, &so[6404]},
-    {"md_gost12_512", "GOST R 34.11-2012 with 512 bit hash", NID_id_GostR3411_2012_512, 8, &so[6412]},
-    {"id-tc26-signwithdigest", "id-tc26-signwithdigest", NID_id_tc26_signwithdigest, 7, &so[6420]},
-    {"id-tc26-signwithdigest-gost3410-2012-256", "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)", NID_id_tc26_signwithdigest_gost3410_2012_256, 8, &so[6427]},
-    {"id-tc26-signwithdigest-gost3410-2012-512", "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)", NID_id_tc26_signwithdigest_gost3410_2012_512, 8, &so[6435]},
-    {"id-tc26-mac", "id-tc26-mac", NID_id_tc26_mac, 7, &so[6443]},
-    {"id-tc26-hmac-gost-3411-2012-256", "HMAC GOST 34.11-2012 256 bit", NID_id_tc26_hmac_gost_3411_2012_256, 8, &so[6450]},
-    {"id-tc26-hmac-gost-3411-2012-512", "HMAC GOST 34.11-2012 512 bit", NID_id_tc26_hmac_gost_3411_2012_512, 8, &so[6458]},
-    {"id-tc26-cipher", "id-tc26-cipher", NID_id_tc26_cipher, 7, &so[6466]},
-    {"id-tc26-agreement", "id-tc26-agreement", NID_id_tc26_agreement, 7, &so[6473]},
-    {"id-tc26-agreement-gost-3410-2012-256", "id-tc26-agreement-gost-3410-2012-256", NID_id_tc26_agreement_gost_3410_2012_256, 8, &so[6480]},
-    {"id-tc26-agreement-gost-3410-2012-512", "id-tc26-agreement-gost-3410-2012-512", NID_id_tc26_agreement_gost_3410_2012_512, 8, &so[6488]},
-    {"id-tc26-constants", "id-tc26-constants", NID_id_tc26_constants, 6, &so[6496]},
-    {"id-tc26-sign-constants", "id-tc26-sign-constants", NID_id_tc26_sign_constants, 7, &so[6502]},
-    {"id-tc26-gost-3410-2012-512-constants", "id-tc26-gost-3410-2012-512-constants", NID_id_tc26_gost_3410_2012_512_constants, 8, &so[6509]},
-    {"id-tc26-gost-3410-2012-512-paramSetTest", "GOST R 34.10-2012 (512 bit) testing parameter set", NID_id_tc26_gost_3410_2012_512_paramSetTest, 9, &so[6517]},
-    {"id-tc26-gost-3410-2012-512-paramSetA", "GOST R 34.10-2012 (512 bit) ParamSet A", NID_id_tc26_gost_3410_2012_512_paramSetA, 9, &so[6526]},
-    {"id-tc26-gost-3410-2012-512-paramSetB", "GOST R 34.10-2012 (512 bit) ParamSet B", NID_id_tc26_gost_3410_2012_512_paramSetB, 9, &so[6535]},
-    {"id-tc26-digest-constants", "id-tc26-digest-constants", NID_id_tc26_digest_constants, 7, &so[6544]},
-    {"id-tc26-cipher-constants", "id-tc26-cipher-constants", NID_id_tc26_cipher_constants, 7, &so[6551]},
-    {"id-tc26-gost-28147-constants", "id-tc26-gost-28147-constants", NID_id_tc26_gost_28147_constants, 8, &so[6558]},
-    {"id-tc26-gost-28147-param-Z", "GOST 28147-89 TC26 parameter set", NID_id_tc26_gost_28147_param_Z, 9, &so[6566]},
-    {"INN", "INN", NID_INN, 8, &so[6575]},
-    {"OGRN", "OGRN", NID_OGRN, 5, &so[6583]},
-    {"SNILS", "SNILS", NID_SNILS, 5, &so[6588]},
-    {"subjectSignTool", "Signing Tool of Subject", NID_subjectSignTool, 5, &so[6593]},
-    {"issuerSignTool", "Signing Tool of Issuer", NID_issuerSignTool, 5, &so[6598]},
-    {"gost89-cbc", "gost89-cbc", NID_gost89_cbc},
-    {"gost89-ecb", "gost89-ecb", NID_gost89_ecb},
-    {"gost89-ctr", "gost89-ctr", NID_gost89_ctr},
-    {"grasshopper-ecb", "grasshopper-ecb", NID_grasshopper_ecb},
-    {"grasshopper-ctr", "grasshopper-ctr", NID_grasshopper_ctr},
-    {"grasshopper-ofb", "grasshopper-ofb", NID_grasshopper_ofb},
-    {"grasshopper-cbc", "grasshopper-cbc", NID_grasshopper_cbc},
-    {"grasshopper-cfb", "grasshopper-cfb", NID_grasshopper_cfb},
-    {"grasshopper-mac", "grasshopper-mac", NID_grasshopper_mac},
-    {"ChaCha20-Poly1305", "chacha20-poly1305", NID_chacha20_poly1305},
-    {"ChaCha20", "chacha20", NID_chacha20},
-    {"tlsfeature", "TLS Feature", NID_tlsfeature, 8, &so[6603]},
-    {"TLS1-PRF", "tls1-prf", NID_tls1_prf},
-    {"ipsecIKE", "ipsec Internet Key Exchange", NID_ipsec_IKE, 8, &so[6611]},
-    {"capwapAC", "Ctrl/provision WAP Access", NID_capwapAC, 8, &so[6619]},
-    {"capwapWTP", "Ctrl/Provision WAP Termination", NID_capwapWTP, 8, &so[6627]},
-    {"secureShellClient", "SSH Client", NID_sshClient, 8, &so[6635]},
-    {"secureShellServer", "SSH Server", NID_sshServer, 8, &so[6643]},
-    {"sendRouter", "Send Router", NID_sendRouter, 8, &so[6651]},
-    {"sendProxiedRouter", "Send Proxied Router", NID_sendProxiedRouter, 8, &so[6659]},
-    {"sendOwner", "Send Owner", NID_sendOwner, 8, &so[6667]},
-    {"sendProxiedOwner", "Send Proxied Owner", NID_sendProxiedOwner, 8, &so[6675]},
-    {"id-pkinit", "id-pkinit", NID_id_pkinit, 6, &so[6683]},
-    {"pkInitClientAuth", "PKINIT Client Auth", NID_pkInitClientAuth, 7, &so[6689]},
-    {"pkInitKDC", "Signing KDC Response", NID_pkInitKDC, 7, &so[6696]},
-    {"X25519", "X25519", NID_X25519, 3, &so[6703]},
-    {"X448", "X448", NID_X448, 3, &so[6706]},
-    {"HKDF", "hkdf", NID_hkdf},
-    {"KxRSA", "kx-rsa", NID_kx_rsa},
-    {"KxECDHE", "kx-ecdhe", NID_kx_ecdhe},
-    {"KxDHE", "kx-dhe", NID_kx_dhe},
-    {"KxECDHE-PSK", "kx-ecdhe-psk", NID_kx_ecdhe_psk},
-    {"KxDHE-PSK", "kx-dhe-psk", NID_kx_dhe_psk},
-    {"KxRSA_PSK", "kx-rsa-psk", NID_kx_rsa_psk},
-    {"KxPSK", "kx-psk", NID_kx_psk},
-    {"KxSRP", "kx-srp", NID_kx_srp},
-    {"KxGOST", "kx-gost", NID_kx_gost},
-    {"AuthRSA", "auth-rsa", NID_auth_rsa},
-    {"AuthECDSA", "auth-ecdsa", NID_auth_ecdsa},
-    {"AuthPSK", "auth-psk", NID_auth_psk},
-    {"AuthDSS", "auth-dss", NID_auth_dss},
-    {"AuthGOST01", "auth-gost01", NID_auth_gost01},
-    {"AuthGOST12", "auth-gost12", NID_auth_gost12},
-    {"AuthSRP", "auth-srp", NID_auth_srp},
-    {"AuthNULL", "auth-null", NID_auth_null},
-    { NULL, NULL, NID_undef },
-    { NULL, NULL, NID_undef },
-    {"BLAKE2b512", "blake2b512", NID_blake2b512, 11, &so[6709]},
-    {"BLAKE2s256", "blake2s256", NID_blake2s256, 11, &so[6720]},
-    {"id-smime-ct-contentCollection", "id-smime-ct-contentCollection", NID_id_smime_ct_contentCollection, 11, &so[6731]},
-    {"id-smime-ct-authEnvelopedData", "id-smime-ct-authEnvelopedData", NID_id_smime_ct_authEnvelopedData, 11, &so[6742]},
-    {"id-ct-xml", "id-ct-xml", NID_id_ct_xml, 11, &so[6753]},
+static const ASN1_OBJECT nid_objs[NUM_NID]={
+{"UNDEF","undefined",NID_undef,0,NULL,0},
+{"rsadsi","RSA Data Security, Inc.",NID_rsadsi,6,&(lvalues[0]),0},
+{"pkcs","RSA Data Security, Inc. PKCS",NID_pkcs,7,&(lvalues[6]),0},
+{"MD2","md2",NID_md2,8,&(lvalues[13]),0},
+{"MD5","md5",NID_md5,8,&(lvalues[21]),0},
+{"RC4","rc4",NID_rc4,8,&(lvalues[29]),0},
+{"rsaEncryption","rsaEncryption",NID_rsaEncryption,9,&(lvalues[37]),0},
+{"RSA-MD2","md2WithRSAEncryption",NID_md2WithRSAEncryption,9,
+	&(lvalues[46]),0},
+{"RSA-MD5","md5WithRSAEncryption",NID_md5WithRSAEncryption,9,
+	&(lvalues[55]),0},
+{"PBE-MD2-DES","pbeWithMD2AndDES-CBC",NID_pbeWithMD2AndDES_CBC,9,
+	&(lvalues[64]),0},
+{"PBE-MD5-DES","pbeWithMD5AndDES-CBC",NID_pbeWithMD5AndDES_CBC,9,
+	&(lvalues[73]),0},
+{"X500","directory services (X.500)",NID_X500,1,&(lvalues[82]),0},
+{"X509","X509",NID_X509,2,&(lvalues[83]),0},
+{"CN","commonName",NID_commonName,3,&(lvalues[85]),0},
+{"C","countryName",NID_countryName,3,&(lvalues[88]),0},
+{"L","localityName",NID_localityName,3,&(lvalues[91]),0},
+{"ST","stateOrProvinceName",NID_stateOrProvinceName,3,&(lvalues[94]),0},
+{"O","organizationName",NID_organizationName,3,&(lvalues[97]),0},
+{"OU","organizationalUnitName",NID_organizationalUnitName,3,
+	&(lvalues[100]),0},
+{"RSA","rsa",NID_rsa,4,&(lvalues[103]),0},
+{"pkcs7","pkcs7",NID_pkcs7,8,&(lvalues[107]),0},
+{"pkcs7-data","pkcs7-data",NID_pkcs7_data,9,&(lvalues[115]),0},
+{"pkcs7-signedData","pkcs7-signedData",NID_pkcs7_signed,9,
+	&(lvalues[124]),0},
+{"pkcs7-envelopedData","pkcs7-envelopedData",NID_pkcs7_enveloped,9,
+	&(lvalues[133]),0},
+{"pkcs7-signedAndEnvelopedData","pkcs7-signedAndEnvelopedData",
+	NID_pkcs7_signedAndEnveloped,9,&(lvalues[142]),0},
+{"pkcs7-digestData","pkcs7-digestData",NID_pkcs7_digest,9,
+	&(lvalues[151]),0},
+{"pkcs7-encryptedData","pkcs7-encryptedData",NID_pkcs7_encrypted,9,
+	&(lvalues[160]),0},
+{"pkcs3","pkcs3",NID_pkcs3,8,&(lvalues[169]),0},
+{"dhKeyAgreement","dhKeyAgreement",NID_dhKeyAgreement,9,
+	&(lvalues[177]),0},
+{"DES-ECB","des-ecb",NID_des_ecb,5,&(lvalues[186]),0},
+{"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[191]),0},
+{"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[196]),0},
+{"DES-EDE","des-ede",NID_des_ede_ecb,5,&(lvalues[201]),0},
+{"DES-EDE3","des-ede3",NID_des_ede3_ecb,0,NULL,0},
+{"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[206]),0},
+{"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL,0},
+{"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL,0},
+{"RC2-CBC","rc2-cbc",NID_rc2_cbc,8,&(lvalues[217]),0},
+{"RC2-ECB","rc2-ecb",NID_rc2_ecb,0,NULL,0},
+{"RC2-CFB","rc2-cfb",NID_rc2_cfb64,0,NULL,0},
+{"RC2-OFB","rc2-ofb",NID_rc2_ofb64,0,NULL,0},
+{"SHA","sha",NID_sha,5,&(lvalues[225]),0},
+{"RSA-SHA","shaWithRSAEncryption",NID_shaWithRSAEncryption,5,
+	&(lvalues[230]),0},
+{"DES-EDE-CBC","des-ede-cbc",NID_des_ede_cbc,0,NULL,0},
+{"DES-EDE3-CBC","des-ede3-cbc",NID_des_ede3_cbc,8,&(lvalues[235]),0},
+{"DES-OFB","des-ofb",NID_des_ofb64,5,&(lvalues[243]),0},
+{"IDEA-OFB","idea-ofb",NID_idea_ofb64,0,NULL,0},
+{"pkcs9","pkcs9",NID_pkcs9,8,&(lvalues[248]),0},
+{"emailAddress","emailAddress",NID_pkcs9_emailAddress,9,
+	&(lvalues[256]),0},
+{"unstructuredName","unstructuredName",NID_pkcs9_unstructuredName,9,
+	&(lvalues[265]),0},
+{"contentType","contentType",NID_pkcs9_contentType,9,&(lvalues[274]),0},
+{"messageDigest","messageDigest",NID_pkcs9_messageDigest,9,
+	&(lvalues[283]),0},
+{"signingTime","signingTime",NID_pkcs9_signingTime,9,&(lvalues[292]),0},
+{"countersignature","countersignature",NID_pkcs9_countersignature,9,
+	&(lvalues[301]),0},
+{"challengePassword","challengePassword",NID_pkcs9_challengePassword,
+	9,&(lvalues[310]),0},
+{"unstructuredAddress","unstructuredAddress",
+	NID_pkcs9_unstructuredAddress,9,&(lvalues[319]),0},
+{"extendedCertificateAttributes","extendedCertificateAttributes",
+	NID_pkcs9_extCertAttributes,9,&(lvalues[328]),0},
+{"Netscape","Netscape Communications Corp.",NID_netscape,7,
+	&(lvalues[337]),0},
+{"nsCertExt","Netscape Certificate Extension",
+	NID_netscape_cert_extension,8,&(lvalues[344]),0},
+{"nsDataType","Netscape Data Type",NID_netscape_data_type,8,
+	&(lvalues[352]),0},
+{"DES-EDE-CFB","des-ede-cfb",NID_des_ede_cfb64,0,NULL,0},
+{"DES-EDE3-CFB","des-ede3-cfb",NID_des_ede3_cfb64,0,NULL,0},
+{"DES-EDE-OFB","des-ede-ofb",NID_des_ede_ofb64,0,NULL,0},
+{"DES-EDE3-OFB","des-ede3-ofb",NID_des_ede3_ofb64,0,NULL,0},
+{"SHA1","sha1",NID_sha1,5,&(lvalues[360]),0},
+{"RSA-SHA1","sha1WithRSAEncryption",NID_sha1WithRSAEncryption,9,
+	&(lvalues[365]),0},
+{"DSA-SHA","dsaWithSHA",NID_dsaWithSHA,5,&(lvalues[374]),0},
+{"DSA-old","dsaEncryption-old",NID_dsa_2,5,&(lvalues[379]),0},
+{"PBE-SHA1-RC2-64","pbeWithSHA1AndRC2-CBC",NID_pbeWithSHA1AndRC2_CBC,
+	9,&(lvalues[384]),0},
+{"PBKDF2","PBKDF2",NID_id_pbkdf2,9,&(lvalues[393]),0},
+{"DSA-SHA1-old","dsaWithSHA1-old",NID_dsaWithSHA1_2,5,&(lvalues[402]),0},
+{"nsCertType","Netscape Cert Type",NID_netscape_cert_type,9,
+	&(lvalues[407]),0},
+{"nsBaseUrl","Netscape Base Url",NID_netscape_base_url,9,
+	&(lvalues[416]),0},
+{"nsRevocationUrl","Netscape Revocation Url",
+	NID_netscape_revocation_url,9,&(lvalues[425]),0},
+{"nsCaRevocationUrl","Netscape CA Revocation Url",
+	NID_netscape_ca_revocation_url,9,&(lvalues[434]),0},
+{"nsRenewalUrl","Netscape Renewal Url",NID_netscape_renewal_url,9,
+	&(lvalues[443]),0},
+{"nsCaPolicyUrl","Netscape CA Policy Url",NID_netscape_ca_policy_url,
+	9,&(lvalues[452]),0},
+{"nsSslServerName","Netscape SSL Server Name",
+	NID_netscape_ssl_server_name,9,&(lvalues[461]),0},
+{"nsComment","Netscape Comment",NID_netscape_comment,9,&(lvalues[470]),0},
+{"nsCertSequence","Netscape Certificate Sequence",
+	NID_netscape_cert_sequence,9,&(lvalues[479]),0},
+{"DESX-CBC","desx-cbc",NID_desx_cbc,0,NULL,0},
+{"id-ce","id-ce",NID_id_ce,2,&(lvalues[488]),0},
+{"subjectKeyIdentifier","X509v3 Subject Key Identifier",
+	NID_subject_key_identifier,3,&(lvalues[490]),0},
+{"keyUsage","X509v3 Key Usage",NID_key_usage,3,&(lvalues[493]),0},
+{"privateKeyUsagePeriod","X509v3 Private Key Usage Period",
+	NID_private_key_usage_period,3,&(lvalues[496]),0},
+{"subjectAltName","X509v3 Subject Alternative Name",
+	NID_subject_alt_name,3,&(lvalues[499]),0},
+{"issuerAltName","X509v3 Issuer Alternative Name",NID_issuer_alt_name,
+	3,&(lvalues[502]),0},
+{"basicConstraints","X509v3 Basic Constraints",NID_basic_constraints,
+	3,&(lvalues[505]),0},
+{"crlNumber","X509v3 CRL Number",NID_crl_number,3,&(lvalues[508]),0},
+{"certificatePolicies","X509v3 Certificate Policies",
+	NID_certificate_policies,3,&(lvalues[511]),0},
+{"authorityKeyIdentifier","X509v3 Authority Key Identifier",
+	NID_authority_key_identifier,3,&(lvalues[514]),0},
+{"BF-CBC","bf-cbc",NID_bf_cbc,9,&(lvalues[517]),0},
+{"BF-ECB","bf-ecb",NID_bf_ecb,0,NULL,0},
+{"BF-CFB","bf-cfb",NID_bf_cfb64,0,NULL,0},
+{"BF-OFB","bf-ofb",NID_bf_ofb64,0,NULL,0},
+{"MDC2","mdc2",NID_mdc2,4,&(lvalues[526]),0},
+{"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[530]),0},
+{"RC4-40","rc4-40",NID_rc4_40,0,NULL,0},
+{"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL,0},
+{"GN","givenName",NID_givenName,3,&(lvalues[534]),0},
+{"SN","surname",NID_surname,3,&(lvalues[537]),0},
+{"initials","initials",NID_initials,3,&(lvalues[540]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"crlDistributionPoints","X509v3 CRL Distribution Points",
+	NID_crl_distribution_points,3,&(lvalues[543]),0},
+{"RSA-NP-MD5","md5WithRSA",NID_md5WithRSA,5,&(lvalues[546]),0},
+{"serialNumber","serialNumber",NID_serialNumber,3,&(lvalues[551]),0},
+{"title","title",NID_title,3,&(lvalues[554]),0},
+{"description","description",NID_description,3,&(lvalues[557]),0},
+{"CAST5-CBC","cast5-cbc",NID_cast5_cbc,9,&(lvalues[560]),0},
+{"CAST5-ECB","cast5-ecb",NID_cast5_ecb,0,NULL,0},
+{"CAST5-CFB","cast5-cfb",NID_cast5_cfb64,0,NULL,0},
+{"CAST5-OFB","cast5-ofb",NID_cast5_ofb64,0,NULL,0},
+{"pbeWithMD5AndCast5CBC","pbeWithMD5AndCast5CBC",
+	NID_pbeWithMD5AndCast5_CBC,9,&(lvalues[569]),0},
+{"DSA-SHA1","dsaWithSHA1",NID_dsaWithSHA1,7,&(lvalues[578]),0},
+{"MD5-SHA1","md5-sha1",NID_md5_sha1,0,NULL,0},
+{"RSA-SHA1-2","sha1WithRSA",NID_sha1WithRSA,5,&(lvalues[585]),0},
+{"DSA","dsaEncryption",NID_dsa,7,&(lvalues[590]),0},
+{"RIPEMD160","ripemd160",NID_ripemd160,5,&(lvalues[597]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"RSA-RIPEMD160","ripemd160WithRSA",NID_ripemd160WithRSA,6,
+	&(lvalues[602]),0},
+{"RC5-CBC","rc5-cbc",NID_rc5_cbc,8,&(lvalues[608]),0},
+{"RC5-ECB","rc5-ecb",NID_rc5_ecb,0,NULL,0},
+{"RC5-CFB","rc5-cfb",NID_rc5_cfb64,0,NULL,0},
+{"RC5-OFB","rc5-ofb",NID_rc5_ofb64,0,NULL,0},
+{"RLE","run length compression",NID_rle_compression,6,&(lvalues[616]),0},
+{"ZLIB","zlib compression",NID_zlib_compression,11,&(lvalues[622]),0},
+{"extendedKeyUsage","X509v3 Extended Key Usage",NID_ext_key_usage,3,
+	&(lvalues[633]),0},
+{"PKIX","PKIX",NID_id_pkix,6,&(lvalues[636]),0},
+{"id-kp","id-kp",NID_id_kp,7,&(lvalues[642]),0},
+{"serverAuth","TLS Web Server Authentication",NID_server_auth,8,
+	&(lvalues[649]),0},
+{"clientAuth","TLS Web Client Authentication",NID_client_auth,8,
+	&(lvalues[657]),0},
+{"codeSigning","Code Signing",NID_code_sign,8,&(lvalues[665]),0},
+{"emailProtection","E-mail Protection",NID_email_protect,8,
+	&(lvalues[673]),0},
+{"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[681]),0},
+{"msCodeInd","Microsoft Individual Code Signing",NID_ms_code_ind,10,
+	&(lvalues[689]),0},
+{"msCodeCom","Microsoft Commercial Code Signing",NID_ms_code_com,10,
+	&(lvalues[699]),0},
+{"msCTLSign","Microsoft Trust List Signing",NID_ms_ctl_sign,10,
+	&(lvalues[709]),0},
+{"msSGC","Microsoft Server Gated Crypto",NID_ms_sgc,10,&(lvalues[719]),0},
+{"msEFS","Microsoft Encrypted File System",NID_ms_efs,10,
+	&(lvalues[729]),0},
+{"nsSGC","Netscape Server Gated Crypto",NID_ns_sgc,9,&(lvalues[739]),0},
+{"deltaCRL","X509v3 Delta CRL Indicator",NID_delta_crl,3,
+	&(lvalues[748]),0},
+{"CRLReason","X509v3 CRL Reason Code",NID_crl_reason,3,&(lvalues[751]),0},
+{"invalidityDate","Invalidity Date",NID_invalidity_date,3,
+	&(lvalues[754]),0},
+{"SXNetID","Strong Extranet ID",NID_sxnet,5,&(lvalues[757]),0},
+{"PBE-SHA1-RC4-128","pbeWithSHA1And128BitRC4",
+	NID_pbe_WithSHA1And128BitRC4,10,&(lvalues[762]),0},
+{"PBE-SHA1-RC4-40","pbeWithSHA1And40BitRC4",
+	NID_pbe_WithSHA1And40BitRC4,10,&(lvalues[772]),0},
+{"PBE-SHA1-3DES","pbeWithSHA1And3-KeyTripleDES-CBC",
+	NID_pbe_WithSHA1And3_Key_TripleDES_CBC,10,&(lvalues[782]),0},
+{"PBE-SHA1-2DES","pbeWithSHA1And2-KeyTripleDES-CBC",
+	NID_pbe_WithSHA1And2_Key_TripleDES_CBC,10,&(lvalues[792]),0},
+{"PBE-SHA1-RC2-128","pbeWithSHA1And128BitRC2-CBC",
+	NID_pbe_WithSHA1And128BitRC2_CBC,10,&(lvalues[802]),0},
+{"PBE-SHA1-RC2-40","pbeWithSHA1And40BitRC2-CBC",
+	NID_pbe_WithSHA1And40BitRC2_CBC,10,&(lvalues[812]),0},
+{"keyBag","keyBag",NID_keyBag,11,&(lvalues[822]),0},
+{"pkcs8ShroudedKeyBag","pkcs8ShroudedKeyBag",NID_pkcs8ShroudedKeyBag,
+	11,&(lvalues[833]),0},
+{"certBag","certBag",NID_certBag,11,&(lvalues[844]),0},
+{"crlBag","crlBag",NID_crlBag,11,&(lvalues[855]),0},
+{"secretBag","secretBag",NID_secretBag,11,&(lvalues[866]),0},
+{"safeContentsBag","safeContentsBag",NID_safeContentsBag,11,
+	&(lvalues[877]),0},
+{"friendlyName","friendlyName",NID_friendlyName,9,&(lvalues[888]),0},
+{"localKeyID","localKeyID",NID_localKeyID,9,&(lvalues[897]),0},
+{"x509Certificate","x509Certificate",NID_x509Certificate,10,
+	&(lvalues[906]),0},
+{"sdsiCertificate","sdsiCertificate",NID_sdsiCertificate,10,
+	&(lvalues[916]),0},
+{"x509Crl","x509Crl",NID_x509Crl,10,&(lvalues[926]),0},
+{"PBES2","PBES2",NID_pbes2,9,&(lvalues[936]),0},
+{"PBMAC1","PBMAC1",NID_pbmac1,9,&(lvalues[945]),0},
+{"hmacWithSHA1","hmacWithSHA1",NID_hmacWithSHA1,8,&(lvalues[954]),0},
+{"id-qt-cps","Policy Qualifier CPS",NID_id_qt_cps,8,&(lvalues[962]),0},
+{"id-qt-unotice","Policy Qualifier User Notice",NID_id_qt_unotice,8,
+	&(lvalues[970]),0},
+{"RC2-64-CBC","rc2-64-cbc",NID_rc2_64_cbc,0,NULL,0},
+{"SMIME-CAPS","S/MIME Capabilities",NID_SMIMECapabilities,9,
+	&(lvalues[978]),0},
+{"PBE-MD2-RC2-64","pbeWithMD2AndRC2-CBC",NID_pbeWithMD2AndRC2_CBC,9,
+	&(lvalues[987]),0},
+{"PBE-MD5-RC2-64","pbeWithMD5AndRC2-CBC",NID_pbeWithMD5AndRC2_CBC,9,
+	&(lvalues[996]),0},
+{"PBE-SHA1-DES","pbeWithSHA1AndDES-CBC",NID_pbeWithSHA1AndDES_CBC,9,
+	&(lvalues[1005]),0},
+{"msExtReq","Microsoft Extension Request",NID_ms_ext_req,10,
+	&(lvalues[1014]),0},
+{"extReq","Extension Request",NID_ext_req,9,&(lvalues[1024]),0},
+{"name","name",NID_name,3,&(lvalues[1033]),0},
+{"dnQualifier","dnQualifier",NID_dnQualifier,3,&(lvalues[1036]),0},
+{"id-pe","id-pe",NID_id_pe,7,&(lvalues[1039]),0},
+{"id-ad","id-ad",NID_id_ad,7,&(lvalues[1046]),0},
+{"authorityInfoAccess","Authority Information Access",NID_info_access,
+	8,&(lvalues[1053]),0},
+{"OCSP","OCSP",NID_ad_OCSP,8,&(lvalues[1061]),0},
+{"caIssuers","CA Issuers",NID_ad_ca_issuers,8,&(lvalues[1069]),0},
+{"OCSPSigning","OCSP Signing",NID_OCSP_sign,8,&(lvalues[1077]),0},
+{"ISO","iso",NID_iso,0,NULL,0},
+{"member-body","ISO Member Body",NID_member_body,1,&(lvalues[1085]),0},
+{"ISO-US","ISO US Member Body",NID_ISO_US,3,&(lvalues[1086]),0},
+{"X9-57","X9.57",NID_X9_57,5,&(lvalues[1089]),0},
+{"X9cm","X9.57 CM ?",NID_X9cm,6,&(lvalues[1094]),0},
+{"pkcs1","pkcs1",NID_pkcs1,8,&(lvalues[1100]),0},
+{"pkcs5","pkcs5",NID_pkcs5,8,&(lvalues[1108]),0},
+{"SMIME","S/MIME",NID_SMIME,9,&(lvalues[1116]),0},
+{"id-smime-mod","id-smime-mod",NID_id_smime_mod,10,&(lvalues[1125]),0},
+{"id-smime-ct","id-smime-ct",NID_id_smime_ct,10,&(lvalues[1135]),0},
+{"id-smime-aa","id-smime-aa",NID_id_smime_aa,10,&(lvalues[1145]),0},
+{"id-smime-alg","id-smime-alg",NID_id_smime_alg,10,&(lvalues[1155]),0},
+{"id-smime-cd","id-smime-cd",NID_id_smime_cd,10,&(lvalues[1165]),0},
+{"id-smime-spq","id-smime-spq",NID_id_smime_spq,10,&(lvalues[1175]),0},
+{"id-smime-cti","id-smime-cti",NID_id_smime_cti,10,&(lvalues[1185]),0},
+{"id-smime-mod-cms","id-smime-mod-cms",NID_id_smime_mod_cms,11,
+	&(lvalues[1195]),0},
+{"id-smime-mod-ess","id-smime-mod-ess",NID_id_smime_mod_ess,11,
+	&(lvalues[1206]),0},
+{"id-smime-mod-oid","id-smime-mod-oid",NID_id_smime_mod_oid,11,
+	&(lvalues[1217]),0},
+{"id-smime-mod-msg-v3","id-smime-mod-msg-v3",NID_id_smime_mod_msg_v3,
+	11,&(lvalues[1228]),0},
+{"id-smime-mod-ets-eSignature-88","id-smime-mod-ets-eSignature-88",
+	NID_id_smime_mod_ets_eSignature_88,11,&(lvalues[1239]),0},
+{"id-smime-mod-ets-eSignature-97","id-smime-mod-ets-eSignature-97",
+	NID_id_smime_mod_ets_eSignature_97,11,&(lvalues[1250]),0},
+{"id-smime-mod-ets-eSigPolicy-88","id-smime-mod-ets-eSigPolicy-88",
+	NID_id_smime_mod_ets_eSigPolicy_88,11,&(lvalues[1261]),0},
+{"id-smime-mod-ets-eSigPolicy-97","id-smime-mod-ets-eSigPolicy-97",
+	NID_id_smime_mod_ets_eSigPolicy_97,11,&(lvalues[1272]),0},
+{"id-smime-ct-receipt","id-smime-ct-receipt",NID_id_smime_ct_receipt,
+	11,&(lvalues[1283]),0},
+{"id-smime-ct-authData","id-smime-ct-authData",
+	NID_id_smime_ct_authData,11,&(lvalues[1294]),0},
+{"id-smime-ct-publishCert","id-smime-ct-publishCert",
+	NID_id_smime_ct_publishCert,11,&(lvalues[1305]),0},
+{"id-smime-ct-TSTInfo","id-smime-ct-TSTInfo",NID_id_smime_ct_TSTInfo,
+	11,&(lvalues[1316]),0},
+{"id-smime-ct-TDTInfo","id-smime-ct-TDTInfo",NID_id_smime_ct_TDTInfo,
+	11,&(lvalues[1327]),0},
+{"id-smime-ct-contentInfo","id-smime-ct-contentInfo",
+	NID_id_smime_ct_contentInfo,11,&(lvalues[1338]),0},
+{"id-smime-ct-DVCSRequestData","id-smime-ct-DVCSRequestData",
+	NID_id_smime_ct_DVCSRequestData,11,&(lvalues[1349]),0},
+{"id-smime-ct-DVCSResponseData","id-smime-ct-DVCSResponseData",
+	NID_id_smime_ct_DVCSResponseData,11,&(lvalues[1360]),0},
+{"id-smime-aa-receiptRequest","id-smime-aa-receiptRequest",
+	NID_id_smime_aa_receiptRequest,11,&(lvalues[1371]),0},
+{"id-smime-aa-securityLabel","id-smime-aa-securityLabel",
+	NID_id_smime_aa_securityLabel,11,&(lvalues[1382]),0},
+{"id-smime-aa-mlExpandHistory","id-smime-aa-mlExpandHistory",
+	NID_id_smime_aa_mlExpandHistory,11,&(lvalues[1393]),0},
+{"id-smime-aa-contentHint","id-smime-aa-contentHint",
+	NID_id_smime_aa_contentHint,11,&(lvalues[1404]),0},
+{"id-smime-aa-msgSigDigest","id-smime-aa-msgSigDigest",
+	NID_id_smime_aa_msgSigDigest,11,&(lvalues[1415]),0},
+{"id-smime-aa-encapContentType","id-smime-aa-encapContentType",
+	NID_id_smime_aa_encapContentType,11,&(lvalues[1426]),0},
+{"id-smime-aa-contentIdentifier","id-smime-aa-contentIdentifier",
+	NID_id_smime_aa_contentIdentifier,11,&(lvalues[1437]),0},
+{"id-smime-aa-macValue","id-smime-aa-macValue",
+	NID_id_smime_aa_macValue,11,&(lvalues[1448]),0},
+{"id-smime-aa-equivalentLabels","id-smime-aa-equivalentLabels",
+	NID_id_smime_aa_equivalentLabels,11,&(lvalues[1459]),0},
+{"id-smime-aa-contentReference","id-smime-aa-contentReference",
+	NID_id_smime_aa_contentReference,11,&(lvalues[1470]),0},
+{"id-smime-aa-encrypKeyPref","id-smime-aa-encrypKeyPref",
+	NID_id_smime_aa_encrypKeyPref,11,&(lvalues[1481]),0},
+{"id-smime-aa-signingCertificate","id-smime-aa-signingCertificate",
+	NID_id_smime_aa_signingCertificate,11,&(lvalues[1492]),0},
+{"id-smime-aa-smimeEncryptCerts","id-smime-aa-smimeEncryptCerts",
+	NID_id_smime_aa_smimeEncryptCerts,11,&(lvalues[1503]),0},
+{"id-smime-aa-timeStampToken","id-smime-aa-timeStampToken",
+	NID_id_smime_aa_timeStampToken,11,&(lvalues[1514]),0},
+{"id-smime-aa-ets-sigPolicyId","id-smime-aa-ets-sigPolicyId",
+	NID_id_smime_aa_ets_sigPolicyId,11,&(lvalues[1525]),0},
+{"id-smime-aa-ets-commitmentType","id-smime-aa-ets-commitmentType",
+	NID_id_smime_aa_ets_commitmentType,11,&(lvalues[1536]),0},
+{"id-smime-aa-ets-signerLocation","id-smime-aa-ets-signerLocation",
+	NID_id_smime_aa_ets_signerLocation,11,&(lvalues[1547]),0},
+{"id-smime-aa-ets-signerAttr","id-smime-aa-ets-signerAttr",
+	NID_id_smime_aa_ets_signerAttr,11,&(lvalues[1558]),0},
+{"id-smime-aa-ets-otherSigCert","id-smime-aa-ets-otherSigCert",
+	NID_id_smime_aa_ets_otherSigCert,11,&(lvalues[1569]),0},
+{"id-smime-aa-ets-contentTimestamp",
+	"id-smime-aa-ets-contentTimestamp",
+	NID_id_smime_aa_ets_contentTimestamp,11,&(lvalues[1580]),0},
+{"id-smime-aa-ets-CertificateRefs","id-smime-aa-ets-CertificateRefs",
+	NID_id_smime_aa_ets_CertificateRefs,11,&(lvalues[1591]),0},
+{"id-smime-aa-ets-RevocationRefs","id-smime-aa-ets-RevocationRefs",
+	NID_id_smime_aa_ets_RevocationRefs,11,&(lvalues[1602]),0},
+{"id-smime-aa-ets-certValues","id-smime-aa-ets-certValues",
+	NID_id_smime_aa_ets_certValues,11,&(lvalues[1613]),0},
+{"id-smime-aa-ets-revocationValues",
+	"id-smime-aa-ets-revocationValues",
+	NID_id_smime_aa_ets_revocationValues,11,&(lvalues[1624]),0},
+{"id-smime-aa-ets-escTimeStamp","id-smime-aa-ets-escTimeStamp",
+	NID_id_smime_aa_ets_escTimeStamp,11,&(lvalues[1635]),0},
+{"id-smime-aa-ets-certCRLTimestamp",
+	"id-smime-aa-ets-certCRLTimestamp",
+	NID_id_smime_aa_ets_certCRLTimestamp,11,&(lvalues[1646]),0},
+{"id-smime-aa-ets-archiveTimeStamp",
+	"id-smime-aa-ets-archiveTimeStamp",
+	NID_id_smime_aa_ets_archiveTimeStamp,11,&(lvalues[1657]),0},
+{"id-smime-aa-signatureType","id-smime-aa-signatureType",
+	NID_id_smime_aa_signatureType,11,&(lvalues[1668]),0},
+{"id-smime-aa-dvcs-dvc","id-smime-aa-dvcs-dvc",
+	NID_id_smime_aa_dvcs_dvc,11,&(lvalues[1679]),0},
+{"id-smime-alg-ESDHwith3DES","id-smime-alg-ESDHwith3DES",
+	NID_id_smime_alg_ESDHwith3DES,11,&(lvalues[1690]),0},
+{"id-smime-alg-ESDHwithRC2","id-smime-alg-ESDHwithRC2",
+	NID_id_smime_alg_ESDHwithRC2,11,&(lvalues[1701]),0},
+{"id-smime-alg-3DESwrap","id-smime-alg-3DESwrap",
+	NID_id_smime_alg_3DESwrap,11,&(lvalues[1712]),0},
+{"id-smime-alg-RC2wrap","id-smime-alg-RC2wrap",
+	NID_id_smime_alg_RC2wrap,11,&(lvalues[1723]),0},
+{"id-smime-alg-ESDH","id-smime-alg-ESDH",NID_id_smime_alg_ESDH,11,
+	&(lvalues[1734]),0},
+{"id-smime-alg-CMS3DESwrap","id-smime-alg-CMS3DESwrap",
+	NID_id_smime_alg_CMS3DESwrap,11,&(lvalues[1745]),0},
+{"id-smime-alg-CMSRC2wrap","id-smime-alg-CMSRC2wrap",
+	NID_id_smime_alg_CMSRC2wrap,11,&(lvalues[1756]),0},
+{"id-smime-cd-ldap","id-smime-cd-ldap",NID_id_smime_cd_ldap,11,
+	&(lvalues[1767]),0},
+{"id-smime-spq-ets-sqt-uri","id-smime-spq-ets-sqt-uri",
+	NID_id_smime_spq_ets_sqt_uri,11,&(lvalues[1778]),0},
+{"id-smime-spq-ets-sqt-unotice","id-smime-spq-ets-sqt-unotice",
+	NID_id_smime_spq_ets_sqt_unotice,11,&(lvalues[1789]),0},
+{"id-smime-cti-ets-proofOfOrigin","id-smime-cti-ets-proofOfOrigin",
+	NID_id_smime_cti_ets_proofOfOrigin,11,&(lvalues[1800]),0},
+{"id-smime-cti-ets-proofOfReceipt","id-smime-cti-ets-proofOfReceipt",
+	NID_id_smime_cti_ets_proofOfReceipt,11,&(lvalues[1811]),0},
+{"id-smime-cti-ets-proofOfDelivery",
+	"id-smime-cti-ets-proofOfDelivery",
+	NID_id_smime_cti_ets_proofOfDelivery,11,&(lvalues[1822]),0},
+{"id-smime-cti-ets-proofOfSender","id-smime-cti-ets-proofOfSender",
+	NID_id_smime_cti_ets_proofOfSender,11,&(lvalues[1833]),0},
+{"id-smime-cti-ets-proofOfApproval",
+	"id-smime-cti-ets-proofOfApproval",
+	NID_id_smime_cti_ets_proofOfApproval,11,&(lvalues[1844]),0},
+{"id-smime-cti-ets-proofOfCreation",
+	"id-smime-cti-ets-proofOfCreation",
+	NID_id_smime_cti_ets_proofOfCreation,11,&(lvalues[1855]),0},
+{"MD4","md4",NID_md4,8,&(lvalues[1866]),0},
+{"id-pkix-mod","id-pkix-mod",NID_id_pkix_mod,7,&(lvalues[1874]),0},
+{"id-qt","id-qt",NID_id_qt,7,&(lvalues[1881]),0},
+{"id-it","id-it",NID_id_it,7,&(lvalues[1888]),0},
+{"id-pkip","id-pkip",NID_id_pkip,7,&(lvalues[1895]),0},
+{"id-alg","id-alg",NID_id_alg,7,&(lvalues[1902]),0},
+{"id-cmc","id-cmc",NID_id_cmc,7,&(lvalues[1909]),0},
+{"id-on","id-on",NID_id_on,7,&(lvalues[1916]),0},
+{"id-pda","id-pda",NID_id_pda,7,&(lvalues[1923]),0},
+{"id-aca","id-aca",NID_id_aca,7,&(lvalues[1930]),0},
+{"id-qcs","id-qcs",NID_id_qcs,7,&(lvalues[1937]),0},
+{"id-cct","id-cct",NID_id_cct,7,&(lvalues[1944]),0},
+{"id-pkix1-explicit-88","id-pkix1-explicit-88",
+	NID_id_pkix1_explicit_88,8,&(lvalues[1951]),0},
+{"id-pkix1-implicit-88","id-pkix1-implicit-88",
+	NID_id_pkix1_implicit_88,8,&(lvalues[1959]),0},
+{"id-pkix1-explicit-93","id-pkix1-explicit-93",
+	NID_id_pkix1_explicit_93,8,&(lvalues[1967]),0},
+{"id-pkix1-implicit-93","id-pkix1-implicit-93",
+	NID_id_pkix1_implicit_93,8,&(lvalues[1975]),0},
+{"id-mod-crmf","id-mod-crmf",NID_id_mod_crmf,8,&(lvalues[1983]),0},
+{"id-mod-cmc","id-mod-cmc",NID_id_mod_cmc,8,&(lvalues[1991]),0},
+{"id-mod-kea-profile-88","id-mod-kea-profile-88",
+	NID_id_mod_kea_profile_88,8,&(lvalues[1999]),0},
+{"id-mod-kea-profile-93","id-mod-kea-profile-93",
+	NID_id_mod_kea_profile_93,8,&(lvalues[2007]),0},
+{"id-mod-cmp","id-mod-cmp",NID_id_mod_cmp,8,&(lvalues[2015]),0},
+{"id-mod-qualified-cert-88","id-mod-qualified-cert-88",
+	NID_id_mod_qualified_cert_88,8,&(lvalues[2023]),0},
+{"id-mod-qualified-cert-93","id-mod-qualified-cert-93",
+	NID_id_mod_qualified_cert_93,8,&(lvalues[2031]),0},
+{"id-mod-attribute-cert","id-mod-attribute-cert",
+	NID_id_mod_attribute_cert,8,&(lvalues[2039]),0},
+{"id-mod-timestamp-protocol","id-mod-timestamp-protocol",
+	NID_id_mod_timestamp_protocol,8,&(lvalues[2047]),0},
+{"id-mod-ocsp","id-mod-ocsp",NID_id_mod_ocsp,8,&(lvalues[2055]),0},
+{"id-mod-dvcs","id-mod-dvcs",NID_id_mod_dvcs,8,&(lvalues[2063]),0},
+{"id-mod-cmp2000","id-mod-cmp2000",NID_id_mod_cmp2000,8,
+	&(lvalues[2071]),0},
+{"biometricInfo","Biometric Info",NID_biometricInfo,8,&(lvalues[2079]),0},
+{"qcStatements","qcStatements",NID_qcStatements,8,&(lvalues[2087]),0},
+{"ac-auditEntity","ac-auditEntity",NID_ac_auditEntity,8,
+	&(lvalues[2095]),0},
+{"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2103]),0},
+{"aaControls","aaControls",NID_aaControls,8,&(lvalues[2111]),0},
+{"sbgp-ipAddrBlock","sbgp-ipAddrBlock",NID_sbgp_ipAddrBlock,8,
+	&(lvalues[2119]),0},
+{"sbgp-autonomousSysNum","sbgp-autonomousSysNum",
+	NID_sbgp_autonomousSysNum,8,&(lvalues[2127]),0},
+{"sbgp-routerIdentifier","sbgp-routerIdentifier",
+	NID_sbgp_routerIdentifier,8,&(lvalues[2135]),0},
+{"textNotice","textNotice",NID_textNotice,8,&(lvalues[2143]),0},
+{"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
+	&(lvalues[2151]),0},
+{"ipsecTunnel","IPSec Tunnel",NID_ipsecTunnel,8,&(lvalues[2159]),0},
+{"ipsecUser","IPSec User",NID_ipsecUser,8,&(lvalues[2167]),0},
+{"DVCS","dvcs",NID_dvcs,8,&(lvalues[2175]),0},
+{"id-it-caProtEncCert","id-it-caProtEncCert",NID_id_it_caProtEncCert,
+	8,&(lvalues[2183]),0},
+{"id-it-signKeyPairTypes","id-it-signKeyPairTypes",
+	NID_id_it_signKeyPairTypes,8,&(lvalues[2191]),0},
+{"id-it-encKeyPairTypes","id-it-encKeyPairTypes",
+	NID_id_it_encKeyPairTypes,8,&(lvalues[2199]),0},
+{"id-it-preferredSymmAlg","id-it-preferredSymmAlg",
+	NID_id_it_preferredSymmAlg,8,&(lvalues[2207]),0},
+{"id-it-caKeyUpdateInfo","id-it-caKeyUpdateInfo",
+	NID_id_it_caKeyUpdateInfo,8,&(lvalues[2215]),0},
+{"id-it-currentCRL","id-it-currentCRL",NID_id_it_currentCRL,8,
+	&(lvalues[2223]),0},
+{"id-it-unsupportedOIDs","id-it-unsupportedOIDs",
+	NID_id_it_unsupportedOIDs,8,&(lvalues[2231]),0},
+{"id-it-subscriptionRequest","id-it-subscriptionRequest",
+	NID_id_it_subscriptionRequest,8,&(lvalues[2239]),0},
+{"id-it-subscriptionResponse","id-it-subscriptionResponse",
+	NID_id_it_subscriptionResponse,8,&(lvalues[2247]),0},
+{"id-it-keyPairParamReq","id-it-keyPairParamReq",
+	NID_id_it_keyPairParamReq,8,&(lvalues[2255]),0},
+{"id-it-keyPairParamRep","id-it-keyPairParamRep",
+	NID_id_it_keyPairParamRep,8,&(lvalues[2263]),0},
+{"id-it-revPassphrase","id-it-revPassphrase",NID_id_it_revPassphrase,
+	8,&(lvalues[2271]),0},
+{"id-it-implicitConfirm","id-it-implicitConfirm",
+	NID_id_it_implicitConfirm,8,&(lvalues[2279]),0},
+{"id-it-confirmWaitTime","id-it-confirmWaitTime",
+	NID_id_it_confirmWaitTime,8,&(lvalues[2287]),0},
+{"id-it-origPKIMessage","id-it-origPKIMessage",
+	NID_id_it_origPKIMessage,8,&(lvalues[2295]),0},
+{"id-regCtrl","id-regCtrl",NID_id_regCtrl,8,&(lvalues[2303]),0},
+{"id-regInfo","id-regInfo",NID_id_regInfo,8,&(lvalues[2311]),0},
+{"id-regCtrl-regToken","id-regCtrl-regToken",NID_id_regCtrl_regToken,
+	9,&(lvalues[2319]),0},
+{"id-regCtrl-authenticator","id-regCtrl-authenticator",
+	NID_id_regCtrl_authenticator,9,&(lvalues[2328]),0},
+{"id-regCtrl-pkiPublicationInfo","id-regCtrl-pkiPublicationInfo",
+	NID_id_regCtrl_pkiPublicationInfo,9,&(lvalues[2337]),0},
+{"id-regCtrl-pkiArchiveOptions","id-regCtrl-pkiArchiveOptions",
+	NID_id_regCtrl_pkiArchiveOptions,9,&(lvalues[2346]),0},
+{"id-regCtrl-oldCertID","id-regCtrl-oldCertID",
+	NID_id_regCtrl_oldCertID,9,&(lvalues[2355]),0},
+{"id-regCtrl-protocolEncrKey","id-regCtrl-protocolEncrKey",
+	NID_id_regCtrl_protocolEncrKey,9,&(lvalues[2364]),0},
+{"id-regInfo-utf8Pairs","id-regInfo-utf8Pairs",
+	NID_id_regInfo_utf8Pairs,9,&(lvalues[2373]),0},
+{"id-regInfo-certReq","id-regInfo-certReq",NID_id_regInfo_certReq,9,
+	&(lvalues[2382]),0},
+{"id-alg-des40","id-alg-des40",NID_id_alg_des40,8,&(lvalues[2391]),0},
+{"id-alg-noSignature","id-alg-noSignature",NID_id_alg_noSignature,8,
+	&(lvalues[2399]),0},
+{"id-alg-dh-sig-hmac-sha1","id-alg-dh-sig-hmac-sha1",
+	NID_id_alg_dh_sig_hmac_sha1,8,&(lvalues[2407]),0},
+{"id-alg-dh-pop","id-alg-dh-pop",NID_id_alg_dh_pop,8,&(lvalues[2415]),0},
+{"id-cmc-statusInfo","id-cmc-statusInfo",NID_id_cmc_statusInfo,8,
+	&(lvalues[2423]),0},
+{"id-cmc-identification","id-cmc-identification",
+	NID_id_cmc_identification,8,&(lvalues[2431]),0},
+{"id-cmc-identityProof","id-cmc-identityProof",
+	NID_id_cmc_identityProof,8,&(lvalues[2439]),0},
+{"id-cmc-dataReturn","id-cmc-dataReturn",NID_id_cmc_dataReturn,8,
+	&(lvalues[2447]),0},
+{"id-cmc-transactionId","id-cmc-transactionId",
+	NID_id_cmc_transactionId,8,&(lvalues[2455]),0},
+{"id-cmc-senderNonce","id-cmc-senderNonce",NID_id_cmc_senderNonce,8,
+	&(lvalues[2463]),0},
+{"id-cmc-recipientNonce","id-cmc-recipientNonce",
+	NID_id_cmc_recipientNonce,8,&(lvalues[2471]),0},
+{"id-cmc-addExtensions","id-cmc-addExtensions",
+	NID_id_cmc_addExtensions,8,&(lvalues[2479]),0},
+{"id-cmc-encryptedPOP","id-cmc-encryptedPOP",NID_id_cmc_encryptedPOP,
+	8,&(lvalues[2487]),0},
+{"id-cmc-decryptedPOP","id-cmc-decryptedPOP",NID_id_cmc_decryptedPOP,
+	8,&(lvalues[2495]),0},
+{"id-cmc-lraPOPWitness","id-cmc-lraPOPWitness",
+	NID_id_cmc_lraPOPWitness,8,&(lvalues[2503]),0},
+{"id-cmc-getCert","id-cmc-getCert",NID_id_cmc_getCert,8,
+	&(lvalues[2511]),0},
+{"id-cmc-getCRL","id-cmc-getCRL",NID_id_cmc_getCRL,8,&(lvalues[2519]),0},
+{"id-cmc-revokeRequest","id-cmc-revokeRequest",
+	NID_id_cmc_revokeRequest,8,&(lvalues[2527]),0},
+{"id-cmc-regInfo","id-cmc-regInfo",NID_id_cmc_regInfo,8,
+	&(lvalues[2535]),0},
+{"id-cmc-responseInfo","id-cmc-responseInfo",NID_id_cmc_responseInfo,
+	8,&(lvalues[2543]),0},
+{"id-cmc-queryPending","id-cmc-queryPending",NID_id_cmc_queryPending,
+	8,&(lvalues[2551]),0},
+{"id-cmc-popLinkRandom","id-cmc-popLinkRandom",
+	NID_id_cmc_popLinkRandom,8,&(lvalues[2559]),0},
+{"id-cmc-popLinkWitness","id-cmc-popLinkWitness",
+	NID_id_cmc_popLinkWitness,8,&(lvalues[2567]),0},
+{"id-cmc-confirmCertAcceptance","id-cmc-confirmCertAcceptance",
+	NID_id_cmc_confirmCertAcceptance,8,&(lvalues[2575]),0},
+{"id-on-personalData","id-on-personalData",NID_id_on_personalData,8,
+	&(lvalues[2583]),0},
+{"id-pda-dateOfBirth","id-pda-dateOfBirth",NID_id_pda_dateOfBirth,8,
+	&(lvalues[2591]),0},
+{"id-pda-placeOfBirth","id-pda-placeOfBirth",NID_id_pda_placeOfBirth,
+	8,&(lvalues[2599]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"id-pda-gender","id-pda-gender",NID_id_pda_gender,8,&(lvalues[2607]),0},
+{"id-pda-countryOfCitizenship","id-pda-countryOfCitizenship",
+	NID_id_pda_countryOfCitizenship,8,&(lvalues[2615]),0},
+{"id-pda-countryOfResidence","id-pda-countryOfResidence",
+	NID_id_pda_countryOfResidence,8,&(lvalues[2623]),0},
+{"id-aca-authenticationInfo","id-aca-authenticationInfo",
+	NID_id_aca_authenticationInfo,8,&(lvalues[2631]),0},
+{"id-aca-accessIdentity","id-aca-accessIdentity",
+	NID_id_aca_accessIdentity,8,&(lvalues[2639]),0},
+{"id-aca-chargingIdentity","id-aca-chargingIdentity",
+	NID_id_aca_chargingIdentity,8,&(lvalues[2647]),0},
+{"id-aca-group","id-aca-group",NID_id_aca_group,8,&(lvalues[2655]),0},
+{"id-aca-role","id-aca-role",NID_id_aca_role,8,&(lvalues[2663]),0},
+{"id-qcs-pkixQCSyntax-v1","id-qcs-pkixQCSyntax-v1",
+	NID_id_qcs_pkixQCSyntax_v1,8,&(lvalues[2671]),0},
+{"id-cct-crs","id-cct-crs",NID_id_cct_crs,8,&(lvalues[2679]),0},
+{"id-cct-PKIData","id-cct-PKIData",NID_id_cct_PKIData,8,
+	&(lvalues[2687]),0},
+{"id-cct-PKIResponse","id-cct-PKIResponse",NID_id_cct_PKIResponse,8,
+	&(lvalues[2695]),0},
+{"ad_timestamping","AD Time Stamping",NID_ad_timeStamping,8,
+	&(lvalues[2703]),0},
+{"AD_DVCS","ad dvcs",NID_ad_dvcs,8,&(lvalues[2711]),0},
+{"basicOCSPResponse","Basic OCSP Response",NID_id_pkix_OCSP_basic,9,
+	&(lvalues[2719]),0},
+{"Nonce","OCSP Nonce",NID_id_pkix_OCSP_Nonce,9,&(lvalues[2728]),0},
+{"CrlID","OCSP CRL ID",NID_id_pkix_OCSP_CrlID,9,&(lvalues[2737]),0},
+{"acceptableResponses","Acceptable OCSP Responses",
+	NID_id_pkix_OCSP_acceptableResponses,9,&(lvalues[2746]),0},
+{"noCheck","OCSP No Check",NID_id_pkix_OCSP_noCheck,9,&(lvalues[2755]),0},
+{"archiveCutoff","OCSP Archive Cutoff",NID_id_pkix_OCSP_archiveCutoff,
+	9,&(lvalues[2764]),0},
+{"serviceLocator","OCSP Service Locator",
+	NID_id_pkix_OCSP_serviceLocator,9,&(lvalues[2773]),0},
+{"extendedStatus","Extended OCSP Status",
+	NID_id_pkix_OCSP_extendedStatus,9,&(lvalues[2782]),0},
+{"valid","valid",NID_id_pkix_OCSP_valid,9,&(lvalues[2791]),0},
+{"path","path",NID_id_pkix_OCSP_path,9,&(lvalues[2800]),0},
+{"trustRoot","Trust Root",NID_id_pkix_OCSP_trustRoot,9,
+	&(lvalues[2809]),0},
+{"algorithm","algorithm",NID_algorithm,4,&(lvalues[2818]),0},
+{"rsaSignature","rsaSignature",NID_rsaSignature,5,&(lvalues[2822]),0},
+{"X500algorithms","directory services - algorithms",
+	NID_X500algorithms,2,&(lvalues[2827]),0},
+{"ORG","org",NID_org,1,&(lvalues[2829]),0},
+{"DOD","dod",NID_dod,2,&(lvalues[2830]),0},
+{"IANA","iana",NID_iana,3,&(lvalues[2832]),0},
+{"directory","Directory",NID_Directory,4,&(lvalues[2835]),0},
+{"mgmt","Management",NID_Management,4,&(lvalues[2839]),0},
+{"experimental","Experimental",NID_Experimental,4,&(lvalues[2843]),0},
+{"private","Private",NID_Private,4,&(lvalues[2847]),0},
+{"security","Security",NID_Security,4,&(lvalues[2851]),0},
+{"snmpv2","SNMPv2",NID_SNMPv2,4,&(lvalues[2855]),0},
+{"Mail","Mail",NID_Mail,4,&(lvalues[2859]),0},
+{"enterprises","Enterprises",NID_Enterprises,5,&(lvalues[2863]),0},
+{"dcobject","dcObject",NID_dcObject,9,&(lvalues[2868]),0},
+{"DC","domainComponent",NID_domainComponent,10,&(lvalues[2877]),0},
+{"domain","Domain",NID_Domain,10,&(lvalues[2887]),0},
+{"NULL","NULL",NID_joint_iso_ccitt,0,NULL,0},
+{"selected-attribute-types","Selected Attribute Types",
+	NID_selected_attribute_types,3,&(lvalues[2897]),0},
+{"clearance","clearance",NID_clearance,4,&(lvalues[2900]),0},
+{"RSA-MD4","md4WithRSAEncryption",NID_md4WithRSAEncryption,9,
+	&(lvalues[2904]),0},
+{"ac-proxying","ac-proxying",NID_ac_proxying,8,&(lvalues[2913]),0},
+{"subjectInfoAccess","Subject Information Access",NID_sinfo_access,8,
+	&(lvalues[2921]),0},
+{"id-aca-encAttrs","id-aca-encAttrs",NID_id_aca_encAttrs,8,
+	&(lvalues[2929]),0},
+{"role","role",NID_role,3,&(lvalues[2937]),0},
+{"policyConstraints","X509v3 Policy Constraints",
+	NID_policy_constraints,3,&(lvalues[2940]),0},
+{"targetInformation","X509v3 AC Targeting",NID_target_information,3,
+	&(lvalues[2943]),0},
+{"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3,
+	&(lvalues[2946]),0},
+{"NULL","NULL",NID_ccitt,0,NULL,0},
+{"ansi-X9-62","ANSI X9.62",NID_ansi_X9_62,5,&(lvalues[2949]),0},
+{"prime-field","prime-field",NID_X9_62_prime_field,7,&(lvalues[2954]),0},
+{"characteristic-two-field","characteristic-two-field",
+	NID_X9_62_characteristic_two_field,7,&(lvalues[2961]),0},
+{"id-ecPublicKey","id-ecPublicKey",NID_X9_62_id_ecPublicKey,7,
+	&(lvalues[2968]),0},
+{"prime192v1","prime192v1",NID_X9_62_prime192v1,8,&(lvalues[2975]),0},
+{"prime192v2","prime192v2",NID_X9_62_prime192v2,8,&(lvalues[2983]),0},
+{"prime192v3","prime192v3",NID_X9_62_prime192v3,8,&(lvalues[2991]),0},
+{"prime239v1","prime239v1",NID_X9_62_prime239v1,8,&(lvalues[2999]),0},
+{"prime239v2","prime239v2",NID_X9_62_prime239v2,8,&(lvalues[3007]),0},
+{"prime239v3","prime239v3",NID_X9_62_prime239v3,8,&(lvalues[3015]),0},
+{"prime256v1","prime256v1",NID_X9_62_prime256v1,8,&(lvalues[3023]),0},
+{"ecdsa-with-SHA1","ecdsa-with-SHA1",NID_ecdsa_with_SHA1,7,
+	&(lvalues[3031]),0},
+{"CSPName","Microsoft CSP Name",NID_ms_csp_name,9,&(lvalues[3038]),0},
+{"AES-128-ECB","aes-128-ecb",NID_aes_128_ecb,9,&(lvalues[3047]),0},
+{"AES-128-CBC","aes-128-cbc",NID_aes_128_cbc,9,&(lvalues[3056]),0},
+{"AES-128-OFB","aes-128-ofb",NID_aes_128_ofb128,9,&(lvalues[3065]),0},
+{"AES-128-CFB","aes-128-cfb",NID_aes_128_cfb128,9,&(lvalues[3074]),0},
+{"AES-192-ECB","aes-192-ecb",NID_aes_192_ecb,9,&(lvalues[3083]),0},
+{"AES-192-CBC","aes-192-cbc",NID_aes_192_cbc,9,&(lvalues[3092]),0},
+{"AES-192-OFB","aes-192-ofb",NID_aes_192_ofb128,9,&(lvalues[3101]),0},
+{"AES-192-CFB","aes-192-cfb",NID_aes_192_cfb128,9,&(lvalues[3110]),0},
+{"AES-256-ECB","aes-256-ecb",NID_aes_256_ecb,9,&(lvalues[3119]),0},
+{"AES-256-CBC","aes-256-cbc",NID_aes_256_cbc,9,&(lvalues[3128]),0},
+{"AES-256-OFB","aes-256-ofb",NID_aes_256_ofb128,9,&(lvalues[3137]),0},
+{"AES-256-CFB","aes-256-cfb",NID_aes_256_cfb128,9,&(lvalues[3146]),0},
+{"holdInstructionCode","Hold Instruction Code",
+	NID_hold_instruction_code,3,&(lvalues[3155]),0},
+{"holdInstructionNone","Hold Instruction None",
+	NID_hold_instruction_none,7,&(lvalues[3158]),0},
+{"holdInstructionCallIssuer","Hold Instruction Call Issuer",
+	NID_hold_instruction_call_issuer,7,&(lvalues[3165]),0},
+{"holdInstructionReject","Hold Instruction Reject",
+	NID_hold_instruction_reject,7,&(lvalues[3172]),0},
+{"data","data",NID_data,1,&(lvalues[3179]),0},
+{"pss","pss",NID_pss,3,&(lvalues[3180]),0},
+{"ucl","ucl",NID_ucl,7,&(lvalues[3183]),0},
+{"pilot","pilot",NID_pilot,8,&(lvalues[3190]),0},
+{"pilotAttributeType","pilotAttributeType",NID_pilotAttributeType,9,
+	&(lvalues[3198]),0},
+{"pilotAttributeSyntax","pilotAttributeSyntax",
+	NID_pilotAttributeSyntax,9,&(lvalues[3207]),0},
+{"pilotObjectClass","pilotObjectClass",NID_pilotObjectClass,9,
+	&(lvalues[3216]),0},
+{"pilotGroups","pilotGroups",NID_pilotGroups,9,&(lvalues[3225]),0},
+{"iA5StringSyntax","iA5StringSyntax",NID_iA5StringSyntax,10,
+	&(lvalues[3234]),0},
+{"caseIgnoreIA5StringSyntax","caseIgnoreIA5StringSyntax",
+	NID_caseIgnoreIA5StringSyntax,10,&(lvalues[3244]),0},
+{"pilotObject","pilotObject",NID_pilotObject,10,&(lvalues[3254]),0},
+{"pilotPerson","pilotPerson",NID_pilotPerson,10,&(lvalues[3264]),0},
+{"account","account",NID_account,10,&(lvalues[3274]),0},
+{"document","document",NID_document,10,&(lvalues[3284]),0},
+{"room","room",NID_room,10,&(lvalues[3294]),0},
+{"documentSeries","documentSeries",NID_documentSeries,10,
+	&(lvalues[3304]),0},
+{"rFC822localPart","rFC822localPart",NID_rFC822localPart,10,
+	&(lvalues[3314]),0},
+{"dNSDomain","dNSDomain",NID_dNSDomain,10,&(lvalues[3324]),0},
+{"domainRelatedObject","domainRelatedObject",NID_domainRelatedObject,
+	10,&(lvalues[3334]),0},
+{"friendlyCountry","friendlyCountry",NID_friendlyCountry,10,
+	&(lvalues[3344]),0},
+{"simpleSecurityObject","simpleSecurityObject",
+	NID_simpleSecurityObject,10,&(lvalues[3354]),0},
+{"pilotOrganization","pilotOrganization",NID_pilotOrganization,10,
+	&(lvalues[3364]),0},
+{"pilotDSA","pilotDSA",NID_pilotDSA,10,&(lvalues[3374]),0},
+{"qualityLabelledData","qualityLabelledData",NID_qualityLabelledData,
+	10,&(lvalues[3384]),0},
+{"UID","userId",NID_userId,10,&(lvalues[3394]),0},
+{"textEncodedORAddress","textEncodedORAddress",
+	NID_textEncodedORAddress,10,&(lvalues[3404]),0},
+{"mail","rfc822Mailbox",NID_rfc822Mailbox,10,&(lvalues[3414]),0},
+{"info","info",NID_info,10,&(lvalues[3424]),0},
+{"favouriteDrink","favouriteDrink",NID_favouriteDrink,10,
+	&(lvalues[3434]),0},
+{"roomNumber","roomNumber",NID_roomNumber,10,&(lvalues[3444]),0},
+{"photo","photo",NID_photo,10,&(lvalues[3454]),0},
+{"userClass","userClass",NID_userClass,10,&(lvalues[3464]),0},
+{"host","host",NID_host,10,&(lvalues[3474]),0},
+{"manager","manager",NID_manager,10,&(lvalues[3484]),0},
+{"documentIdentifier","documentIdentifier",NID_documentIdentifier,10,
+	&(lvalues[3494]),0},
+{"documentTitle","documentTitle",NID_documentTitle,10,&(lvalues[3504]),0},
+{"documentVersion","documentVersion",NID_documentVersion,10,
+	&(lvalues[3514]),0},
+{"documentAuthor","documentAuthor",NID_documentAuthor,10,
+	&(lvalues[3524]),0},
+{"documentLocation","documentLocation",NID_documentLocation,10,
+	&(lvalues[3534]),0},
+{"homeTelephoneNumber","homeTelephoneNumber",NID_homeTelephoneNumber,
+	10,&(lvalues[3544]),0},
+{"secretary","secretary",NID_secretary,10,&(lvalues[3554]),0},
+{"otherMailbox","otherMailbox",NID_otherMailbox,10,&(lvalues[3564]),0},
+{"lastModifiedTime","lastModifiedTime",NID_lastModifiedTime,10,
+	&(lvalues[3574]),0},
+{"lastModifiedBy","lastModifiedBy",NID_lastModifiedBy,10,
+	&(lvalues[3584]),0},
+{"aRecord","aRecord",NID_aRecord,10,&(lvalues[3594]),0},
+{"pilotAttributeType27","pilotAttributeType27",
+	NID_pilotAttributeType27,10,&(lvalues[3604]),0},
+{"mXRecord","mXRecord",NID_mXRecord,10,&(lvalues[3614]),0},
+{"nSRecord","nSRecord",NID_nSRecord,10,&(lvalues[3624]),0},
+{"sOARecord","sOARecord",NID_sOARecord,10,&(lvalues[3634]),0},
+{"cNAMERecord","cNAMERecord",NID_cNAMERecord,10,&(lvalues[3644]),0},
+{"associatedDomain","associatedDomain",NID_associatedDomain,10,
+	&(lvalues[3654]),0},
+{"associatedName","associatedName",NID_associatedName,10,
+	&(lvalues[3664]),0},
+{"homePostalAddress","homePostalAddress",NID_homePostalAddress,10,
+	&(lvalues[3674]),0},
+{"personalTitle","personalTitle",NID_personalTitle,10,&(lvalues[3684]),0},
+{"mobileTelephoneNumber","mobileTelephoneNumber",
+	NID_mobileTelephoneNumber,10,&(lvalues[3694]),0},
+{"pagerTelephoneNumber","pagerTelephoneNumber",
+	NID_pagerTelephoneNumber,10,&(lvalues[3704]),0},
+{"friendlyCountryName","friendlyCountryName",NID_friendlyCountryName,
+	10,&(lvalues[3714]),0},
+{"organizationalStatus","organizationalStatus",
+	NID_organizationalStatus,10,&(lvalues[3724]),0},
+{"janetMailbox","janetMailbox",NID_janetMailbox,10,&(lvalues[3734]),0},
+{"mailPreferenceOption","mailPreferenceOption",
+	NID_mailPreferenceOption,10,&(lvalues[3744]),0},
+{"buildingName","buildingName",NID_buildingName,10,&(lvalues[3754]),0},
+{"dSAQuality","dSAQuality",NID_dSAQuality,10,&(lvalues[3764]),0},
+{"singleLevelQuality","singleLevelQuality",NID_singleLevelQuality,10,
+	&(lvalues[3774]),0},
+{"subtreeMinimumQuality","subtreeMinimumQuality",
+	NID_subtreeMinimumQuality,10,&(lvalues[3784]),0},
+{"subtreeMaximumQuality","subtreeMaximumQuality",
+	NID_subtreeMaximumQuality,10,&(lvalues[3794]),0},
+{"personalSignature","personalSignature",NID_personalSignature,10,
+	&(lvalues[3804]),0},
+{"dITRedirect","dITRedirect",NID_dITRedirect,10,&(lvalues[3814]),0},
+{"audio","audio",NID_audio,10,&(lvalues[3824]),0},
+{"documentPublisher","documentPublisher",NID_documentPublisher,10,
+	&(lvalues[3834]),0},
+{"x500UniqueIdentifier","x500UniqueIdentifier",
+	NID_x500UniqueIdentifier,3,&(lvalues[3844]),0},
+{"mime-mhs","MIME MHS",NID_mime_mhs,5,&(lvalues[3847]),0},
+{"mime-mhs-headings","mime-mhs-headings",NID_mime_mhs_headings,6,
+	&(lvalues[3852]),0},
+{"mime-mhs-bodies","mime-mhs-bodies",NID_mime_mhs_bodies,6,
+	&(lvalues[3858]),0},
+{"id-hex-partial-message","id-hex-partial-message",
+	NID_id_hex_partial_message,7,&(lvalues[3864]),0},
+{"id-hex-multipart-message","id-hex-multipart-message",
+	NID_id_hex_multipart_message,7,&(lvalues[3871]),0},
+{"generationQualifier","generationQualifier",NID_generationQualifier,
+	3,&(lvalues[3878]),0},
+{"pseudonym","pseudonym",NID_pseudonym,3,&(lvalues[3881]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"id-set","Secure Electronic Transactions",NID_id_set,2,
+	&(lvalues[3884]),0},
+{"set-ctype","content types",NID_set_ctype,3,&(lvalues[3886]),0},
+{"set-msgExt","message extensions",NID_set_msgExt,3,&(lvalues[3889]),0},
+{"set-attr","set-attr",NID_set_attr,3,&(lvalues[3892]),0},
+{"set-policy","set-policy",NID_set_policy,3,&(lvalues[3895]),0},
+{"set-certExt","certificate extensions",NID_set_certExt,3,
+	&(lvalues[3898]),0},
+{"set-brand","set-brand",NID_set_brand,3,&(lvalues[3901]),0},
+{"setct-PANData","setct-PANData",NID_setct_PANData,4,&(lvalues[3904]),0},
+{"setct-PANToken","setct-PANToken",NID_setct_PANToken,4,
+	&(lvalues[3908]),0},
+{"setct-PANOnly","setct-PANOnly",NID_setct_PANOnly,4,&(lvalues[3912]),0},
+{"setct-OIData","setct-OIData",NID_setct_OIData,4,&(lvalues[3916]),0},
+{"setct-PI","setct-PI",NID_setct_PI,4,&(lvalues[3920]),0},
+{"setct-PIData","setct-PIData",NID_setct_PIData,4,&(lvalues[3924]),0},
+{"setct-PIDataUnsigned","setct-PIDataUnsigned",
+	NID_setct_PIDataUnsigned,4,&(lvalues[3928]),0},
+{"setct-HODInput","setct-HODInput",NID_setct_HODInput,4,
+	&(lvalues[3932]),0},
+{"setct-AuthResBaggage","setct-AuthResBaggage",
+	NID_setct_AuthResBaggage,4,&(lvalues[3936]),0},
+{"setct-AuthRevReqBaggage","setct-AuthRevReqBaggage",
+	NID_setct_AuthRevReqBaggage,4,&(lvalues[3940]),0},
+{"setct-AuthRevResBaggage","setct-AuthRevResBaggage",
+	NID_setct_AuthRevResBaggage,4,&(lvalues[3944]),0},
+{"setct-CapTokenSeq","setct-CapTokenSeq",NID_setct_CapTokenSeq,4,
+	&(lvalues[3948]),0},
+{"setct-PInitResData","setct-PInitResData",NID_setct_PInitResData,4,
+	&(lvalues[3952]),0},
+{"setct-PI-TBS","setct-PI-TBS",NID_setct_PI_TBS,4,&(lvalues[3956]),0},
+{"setct-PResData","setct-PResData",NID_setct_PResData,4,
+	&(lvalues[3960]),0},
+{"setct-AuthReqTBS","setct-AuthReqTBS",NID_setct_AuthReqTBS,4,
+	&(lvalues[3964]),0},
+{"setct-AuthResTBS","setct-AuthResTBS",NID_setct_AuthResTBS,4,
+	&(lvalues[3968]),0},
+{"setct-AuthResTBSX","setct-AuthResTBSX",NID_setct_AuthResTBSX,4,
+	&(lvalues[3972]),0},
+{"setct-AuthTokenTBS","setct-AuthTokenTBS",NID_setct_AuthTokenTBS,4,
+	&(lvalues[3976]),0},
+{"setct-CapTokenData","setct-CapTokenData",NID_setct_CapTokenData,4,
+	&(lvalues[3980]),0},
+{"setct-CapTokenTBS","setct-CapTokenTBS",NID_setct_CapTokenTBS,4,
+	&(lvalues[3984]),0},
+{"setct-AcqCardCodeMsg","setct-AcqCardCodeMsg",
+	NID_setct_AcqCardCodeMsg,4,&(lvalues[3988]),0},
+{"setct-AuthRevReqTBS","setct-AuthRevReqTBS",NID_setct_AuthRevReqTBS,
+	4,&(lvalues[3992]),0},
+{"setct-AuthRevResData","setct-AuthRevResData",
+	NID_setct_AuthRevResData,4,&(lvalues[3996]),0},
+{"setct-AuthRevResTBS","setct-AuthRevResTBS",NID_setct_AuthRevResTBS,
+	4,&(lvalues[4000]),0},
+{"setct-CapReqTBS","setct-CapReqTBS",NID_setct_CapReqTBS,4,
+	&(lvalues[4004]),0},
+{"setct-CapReqTBSX","setct-CapReqTBSX",NID_setct_CapReqTBSX,4,
+	&(lvalues[4008]),0},
+{"setct-CapResData","setct-CapResData",NID_setct_CapResData,4,
+	&(lvalues[4012]),0},
+{"setct-CapRevReqTBS","setct-CapRevReqTBS",NID_setct_CapRevReqTBS,4,
+	&(lvalues[4016]),0},
+{"setct-CapRevReqTBSX","setct-CapRevReqTBSX",NID_setct_CapRevReqTBSX,
+	4,&(lvalues[4020]),0},
+{"setct-CapRevResData","setct-CapRevResData",NID_setct_CapRevResData,
+	4,&(lvalues[4024]),0},
+{"setct-CredReqTBS","setct-CredReqTBS",NID_setct_CredReqTBS,4,
+	&(lvalues[4028]),0},
+{"setct-CredReqTBSX","setct-CredReqTBSX",NID_setct_CredReqTBSX,4,
+	&(lvalues[4032]),0},
+{"setct-CredResData","setct-CredResData",NID_setct_CredResData,4,
+	&(lvalues[4036]),0},
+{"setct-CredRevReqTBS","setct-CredRevReqTBS",NID_setct_CredRevReqTBS,
+	4,&(lvalues[4040]),0},
+{"setct-CredRevReqTBSX","setct-CredRevReqTBSX",
+	NID_setct_CredRevReqTBSX,4,&(lvalues[4044]),0},
+{"setct-CredRevResData","setct-CredRevResData",
+	NID_setct_CredRevResData,4,&(lvalues[4048]),0},
+{"setct-PCertReqData","setct-PCertReqData",NID_setct_PCertReqData,4,
+	&(lvalues[4052]),0},
+{"setct-PCertResTBS","setct-PCertResTBS",NID_setct_PCertResTBS,4,
+	&(lvalues[4056]),0},
+{"setct-BatchAdminReqData","setct-BatchAdminReqData",
+	NID_setct_BatchAdminReqData,4,&(lvalues[4060]),0},
+{"setct-BatchAdminResData","setct-BatchAdminResData",
+	NID_setct_BatchAdminResData,4,&(lvalues[4064]),0},
+{"setct-CardCInitResTBS","setct-CardCInitResTBS",
+	NID_setct_CardCInitResTBS,4,&(lvalues[4068]),0},
+{"setct-MeAqCInitResTBS","setct-MeAqCInitResTBS",
+	NID_setct_MeAqCInitResTBS,4,&(lvalues[4072]),0},
+{"setct-RegFormResTBS","setct-RegFormResTBS",NID_setct_RegFormResTBS,
+	4,&(lvalues[4076]),0},
+{"setct-CertReqData","setct-CertReqData",NID_setct_CertReqData,4,
+	&(lvalues[4080]),0},
+{"setct-CertReqTBS","setct-CertReqTBS",NID_setct_CertReqTBS,4,
+	&(lvalues[4084]),0},
+{"setct-CertResData","setct-CertResData",NID_setct_CertResData,4,
+	&(lvalues[4088]),0},
+{"setct-CertInqReqTBS","setct-CertInqReqTBS",NID_setct_CertInqReqTBS,
+	4,&(lvalues[4092]),0},
+{"setct-ErrorTBS","setct-ErrorTBS",NID_setct_ErrorTBS,4,
+	&(lvalues[4096]),0},
+{"setct-PIDualSignedTBE","setct-PIDualSignedTBE",
+	NID_setct_PIDualSignedTBE,4,&(lvalues[4100]),0},
+{"setct-PIUnsignedTBE","setct-PIUnsignedTBE",NID_setct_PIUnsignedTBE,
+	4,&(lvalues[4104]),0},
+{"setct-AuthReqTBE","setct-AuthReqTBE",NID_setct_AuthReqTBE,4,
+	&(lvalues[4108]),0},
+{"setct-AuthResTBE","setct-AuthResTBE",NID_setct_AuthResTBE,4,
+	&(lvalues[4112]),0},
+{"setct-AuthResTBEX","setct-AuthResTBEX",NID_setct_AuthResTBEX,4,
+	&(lvalues[4116]),0},
+{"setct-AuthTokenTBE","setct-AuthTokenTBE",NID_setct_AuthTokenTBE,4,
+	&(lvalues[4120]),0},
+{"setct-CapTokenTBE","setct-CapTokenTBE",NID_setct_CapTokenTBE,4,
+	&(lvalues[4124]),0},
+{"setct-CapTokenTBEX","setct-CapTokenTBEX",NID_setct_CapTokenTBEX,4,
+	&(lvalues[4128]),0},
+{"setct-AcqCardCodeMsgTBE","setct-AcqCardCodeMsgTBE",
+	NID_setct_AcqCardCodeMsgTBE,4,&(lvalues[4132]),0},
+{"setct-AuthRevReqTBE","setct-AuthRevReqTBE",NID_setct_AuthRevReqTBE,
+	4,&(lvalues[4136]),0},
+{"setct-AuthRevResTBE","setct-AuthRevResTBE",NID_setct_AuthRevResTBE,
+	4,&(lvalues[4140]),0},
+{"setct-AuthRevResTBEB","setct-AuthRevResTBEB",
+	NID_setct_AuthRevResTBEB,4,&(lvalues[4144]),0},
+{"setct-CapReqTBE","setct-CapReqTBE",NID_setct_CapReqTBE,4,
+	&(lvalues[4148]),0},
+{"setct-CapReqTBEX","setct-CapReqTBEX",NID_setct_CapReqTBEX,4,
+	&(lvalues[4152]),0},
+{"setct-CapResTBE","setct-CapResTBE",NID_setct_CapResTBE,4,
+	&(lvalues[4156]),0},
+{"setct-CapRevReqTBE","setct-CapRevReqTBE",NID_setct_CapRevReqTBE,4,
+	&(lvalues[4160]),0},
+{"setct-CapRevReqTBEX","setct-CapRevReqTBEX",NID_setct_CapRevReqTBEX,
+	4,&(lvalues[4164]),0},
+{"setct-CapRevResTBE","setct-CapRevResTBE",NID_setct_CapRevResTBE,4,
+	&(lvalues[4168]),0},
+{"setct-CredReqTBE","setct-CredReqTBE",NID_setct_CredReqTBE,4,
+	&(lvalues[4172]),0},
+{"setct-CredReqTBEX","setct-CredReqTBEX",NID_setct_CredReqTBEX,4,
+	&(lvalues[4176]),0},
+{"setct-CredResTBE","setct-CredResTBE",NID_setct_CredResTBE,4,
+	&(lvalues[4180]),0},
+{"setct-CredRevReqTBE","setct-CredRevReqTBE",NID_setct_CredRevReqTBE,
+	4,&(lvalues[4184]),0},
+{"setct-CredRevReqTBEX","setct-CredRevReqTBEX",
+	NID_setct_CredRevReqTBEX,4,&(lvalues[4188]),0},
+{"setct-CredRevResTBE","setct-CredRevResTBE",NID_setct_CredRevResTBE,
+	4,&(lvalues[4192]),0},
+{"setct-BatchAdminReqTBE","setct-BatchAdminReqTBE",
+	NID_setct_BatchAdminReqTBE,4,&(lvalues[4196]),0},
+{"setct-BatchAdminResTBE","setct-BatchAdminResTBE",
+	NID_setct_BatchAdminResTBE,4,&(lvalues[4200]),0},
+{"setct-RegFormReqTBE","setct-RegFormReqTBE",NID_setct_RegFormReqTBE,
+	4,&(lvalues[4204]),0},
+{"setct-CertReqTBE","setct-CertReqTBE",NID_setct_CertReqTBE,4,
+	&(lvalues[4208]),0},
+{"setct-CertReqTBEX","setct-CertReqTBEX",NID_setct_CertReqTBEX,4,
+	&(lvalues[4212]),0},
+{"setct-CertResTBE","setct-CertResTBE",NID_setct_CertResTBE,4,
+	&(lvalues[4216]),0},
+{"setct-CRLNotificationTBS","setct-CRLNotificationTBS",
+	NID_setct_CRLNotificationTBS,4,&(lvalues[4220]),0},
+{"setct-CRLNotificationResTBS","setct-CRLNotificationResTBS",
+	NID_setct_CRLNotificationResTBS,4,&(lvalues[4224]),0},
+{"setct-BCIDistributionTBS","setct-BCIDistributionTBS",
+	NID_setct_BCIDistributionTBS,4,&(lvalues[4228]),0},
+{"setext-genCrypt","generic cryptogram",NID_setext_genCrypt,4,
+	&(lvalues[4232]),0},
+{"setext-miAuth","merchant initiated auth",NID_setext_miAuth,4,
+	&(lvalues[4236]),0},
+{"setext-pinSecure","setext-pinSecure",NID_setext_pinSecure,4,
+	&(lvalues[4240]),0},
+{"setext-pinAny","setext-pinAny",NID_setext_pinAny,4,&(lvalues[4244]),0},
+{"setext-track2","setext-track2",NID_setext_track2,4,&(lvalues[4248]),0},
+{"setext-cv","additional verification",NID_setext_cv,4,
+	&(lvalues[4252]),0},
+{"set-policy-root","set-policy-root",NID_set_policy_root,4,
+	&(lvalues[4256]),0},
+{"setCext-hashedRoot","setCext-hashedRoot",NID_setCext_hashedRoot,4,
+	&(lvalues[4260]),0},
+{"setCext-certType","setCext-certType",NID_setCext_certType,4,
+	&(lvalues[4264]),0},
+{"setCext-merchData","setCext-merchData",NID_setCext_merchData,4,
+	&(lvalues[4268]),0},
+{"setCext-cCertRequired","setCext-cCertRequired",
+	NID_setCext_cCertRequired,4,&(lvalues[4272]),0},
+{"setCext-tunneling","setCext-tunneling",NID_setCext_tunneling,4,
+	&(lvalues[4276]),0},
+{"setCext-setExt","setCext-setExt",NID_setCext_setExt,4,
+	&(lvalues[4280]),0},
+{"setCext-setQualf","setCext-setQualf",NID_setCext_setQualf,4,
+	&(lvalues[4284]),0},
+{"setCext-PGWYcapabilities","setCext-PGWYcapabilities",
+	NID_setCext_PGWYcapabilities,4,&(lvalues[4288]),0},
+{"setCext-TokenIdentifier","setCext-TokenIdentifier",
+	NID_setCext_TokenIdentifier,4,&(lvalues[4292]),0},
+{"setCext-Track2Data","setCext-Track2Data",NID_setCext_Track2Data,4,
+	&(lvalues[4296]),0},
+{"setCext-TokenType","setCext-TokenType",NID_setCext_TokenType,4,
+	&(lvalues[4300]),0},
+{"setCext-IssuerCapabilities","setCext-IssuerCapabilities",
+	NID_setCext_IssuerCapabilities,4,&(lvalues[4304]),0},
+{"setAttr-Cert","setAttr-Cert",NID_setAttr_Cert,4,&(lvalues[4308]),0},
+{"setAttr-PGWYcap","payment gateway capabilities",NID_setAttr_PGWYcap,
+	4,&(lvalues[4312]),0},
+{"setAttr-TokenType","setAttr-TokenType",NID_setAttr_TokenType,4,
+	&(lvalues[4316]),0},
+{"setAttr-IssCap","issuer capabilities",NID_setAttr_IssCap,4,
+	&(lvalues[4320]),0},
+{"set-rootKeyThumb","set-rootKeyThumb",NID_set_rootKeyThumb,5,
+	&(lvalues[4324]),0},
+{"set-addPolicy","set-addPolicy",NID_set_addPolicy,5,&(lvalues[4329]),0},
+{"setAttr-Token-EMV","setAttr-Token-EMV",NID_setAttr_Token_EMV,5,
+	&(lvalues[4334]),0},
+{"setAttr-Token-B0Prime","setAttr-Token-B0Prime",
+	NID_setAttr_Token_B0Prime,5,&(lvalues[4339]),0},
+{"setAttr-IssCap-CVM","setAttr-IssCap-CVM",NID_setAttr_IssCap_CVM,5,
+	&(lvalues[4344]),0},
+{"setAttr-IssCap-T2","setAttr-IssCap-T2",NID_setAttr_IssCap_T2,5,
+	&(lvalues[4349]),0},
+{"setAttr-IssCap-Sig","setAttr-IssCap-Sig",NID_setAttr_IssCap_Sig,5,
+	&(lvalues[4354]),0},
+{"setAttr-GenCryptgrm","generate cryptogram",NID_setAttr_GenCryptgrm,
+	6,&(lvalues[4359]),0},
+{"setAttr-T2Enc","encrypted track 2",NID_setAttr_T2Enc,6,
+	&(lvalues[4365]),0},
+{"setAttr-T2cleartxt","cleartext track 2",NID_setAttr_T2cleartxt,6,
+	&(lvalues[4371]),0},
+{"setAttr-TokICCsig","ICC or token signature",NID_setAttr_TokICCsig,6,
+	&(lvalues[4377]),0},
+{"setAttr-SecDevSig","secure device signature",NID_setAttr_SecDevSig,
+	6,&(lvalues[4383]),0},
+{"set-brand-IATA-ATA","set-brand-IATA-ATA",NID_set_brand_IATA_ATA,4,
+	&(lvalues[4389]),0},
+{"set-brand-Diners","set-brand-Diners",NID_set_brand_Diners,4,
+	&(lvalues[4393]),0},
+{"set-brand-AmericanExpress","set-brand-AmericanExpress",
+	NID_set_brand_AmericanExpress,4,&(lvalues[4397]),0},
+{"set-brand-JCB","set-brand-JCB",NID_set_brand_JCB,4,&(lvalues[4401]),0},
+{"set-brand-Visa","set-brand-Visa",NID_set_brand_Visa,4,
+	&(lvalues[4405]),0},
+{"set-brand-MasterCard","set-brand-MasterCard",
+	NID_set_brand_MasterCard,4,&(lvalues[4409]),0},
+{"set-brand-Novus","set-brand-Novus",NID_set_brand_Novus,5,
+	&(lvalues[4413]),0},
+{"DES-CDMF","des-cdmf",NID_des_cdmf,8,&(lvalues[4418]),0},
+{"rsaOAEPEncryptionSET","rsaOAEPEncryptionSET",
+	NID_rsaOAEPEncryptionSET,9,&(lvalues[4426]),0},
+{"ITU-T","itu-t",NID_itu_t,0,NULL,0},
+{"JOINT-ISO-ITU-T","joint-iso-itu-t",NID_joint_iso_itu_t,0,NULL,0},
+{"international-organizations","International Organizations",
+	NID_international_organizations,1,&(lvalues[4435]),0},
+{"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login,
+	10,&(lvalues[4436]),0},
+{"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10,
+	&(lvalues[4446]),0},
+{"AES-128-CFB1","aes-128-cfb1",NID_aes_128_cfb1,0,NULL,0},
+{"AES-192-CFB1","aes-192-cfb1",NID_aes_192_cfb1,0,NULL,0},
+{"AES-256-CFB1","aes-256-cfb1",NID_aes_256_cfb1,0,NULL,0},
+{"AES-128-CFB8","aes-128-cfb8",NID_aes_128_cfb8,0,NULL,0},
+{"AES-192-CFB8","aes-192-cfb8",NID_aes_192_cfb8,0,NULL,0},
+{"AES-256-CFB8","aes-256-cfb8",NID_aes_256_cfb8,0,NULL,0},
+{"DES-CFB1","des-cfb1",NID_des_cfb1,0,NULL,0},
+{"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL,0},
+{"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL,0},
+{"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL,0},
+{"street","streetAddress",NID_streetAddress,3,&(lvalues[4456]),0},
+{"postalCode","postalCode",NID_postalCode,3,&(lvalues[4459]),0},
+{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4462]),0},
+{"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8,
+	&(lvalues[4469]),0},
+{"id-ppl-anyLanguage","Any language",NID_id_ppl_anyLanguage,8,
+	&(lvalues[4477]),0},
+{"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
+	&(lvalues[4485]),0},
+{"nameConstraints","X509v3 Name Constraints",NID_name_constraints,3,
+	&(lvalues[4493]),0},
+{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4496]),0},
+{"RSA-SHA256","sha256WithRSAEncryption",NID_sha256WithRSAEncryption,9,
+	&(lvalues[4504]),0},
+{"RSA-SHA384","sha384WithRSAEncryption",NID_sha384WithRSAEncryption,9,
+	&(lvalues[4513]),0},
+{"RSA-SHA512","sha512WithRSAEncryption",NID_sha512WithRSAEncryption,9,
+	&(lvalues[4522]),0},
+{"RSA-SHA224","sha224WithRSAEncryption",NID_sha224WithRSAEncryption,9,
+	&(lvalues[4531]),0},
+{"SHA256","sha256",NID_sha256,9,&(lvalues[4540]),0},
+{"SHA384","sha384",NID_sha384,9,&(lvalues[4549]),0},
+{"SHA512","sha512",NID_sha512,9,&(lvalues[4558]),0},
+{"SHA224","sha224",NID_sha224,9,&(lvalues[4567]),0},
+{"identified-organization","identified-organization",
+	NID_identified_organization,1,&(lvalues[4576]),0},
+{"certicom-arc","certicom-arc",NID_certicom_arc,3,&(lvalues[4577]),0},
+{"wap","wap",NID_wap,2,&(lvalues[4580]),0},
+{"wap-wsg","wap-wsg",NID_wap_wsg,3,&(lvalues[4582]),0},
+{"id-characteristic-two-basis","id-characteristic-two-basis",
+	NID_X9_62_id_characteristic_two_basis,8,&(lvalues[4585]),0},
+{"onBasis","onBasis",NID_X9_62_onBasis,9,&(lvalues[4593]),0},
+{"tpBasis","tpBasis",NID_X9_62_tpBasis,9,&(lvalues[4602]),0},
+{"ppBasis","ppBasis",NID_X9_62_ppBasis,9,&(lvalues[4611]),0},
+{"c2pnb163v1","c2pnb163v1",NID_X9_62_c2pnb163v1,8,&(lvalues[4620]),0},
+{"c2pnb163v2","c2pnb163v2",NID_X9_62_c2pnb163v2,8,&(lvalues[4628]),0},
+{"c2pnb163v3","c2pnb163v3",NID_X9_62_c2pnb163v3,8,&(lvalues[4636]),0},
+{"c2pnb176v1","c2pnb176v1",NID_X9_62_c2pnb176v1,8,&(lvalues[4644]),0},
+{"c2tnb191v1","c2tnb191v1",NID_X9_62_c2tnb191v1,8,&(lvalues[4652]),0},
+{"c2tnb191v2","c2tnb191v2",NID_X9_62_c2tnb191v2,8,&(lvalues[4660]),0},
+{"c2tnb191v3","c2tnb191v3",NID_X9_62_c2tnb191v3,8,&(lvalues[4668]),0},
+{"c2onb191v4","c2onb191v4",NID_X9_62_c2onb191v4,8,&(lvalues[4676]),0},
+{"c2onb191v5","c2onb191v5",NID_X9_62_c2onb191v5,8,&(lvalues[4684]),0},
+{"c2pnb208w1","c2pnb208w1",NID_X9_62_c2pnb208w1,8,&(lvalues[4692]),0},
+{"c2tnb239v1","c2tnb239v1",NID_X9_62_c2tnb239v1,8,&(lvalues[4700]),0},
+{"c2tnb239v2","c2tnb239v2",NID_X9_62_c2tnb239v2,8,&(lvalues[4708]),0},
+{"c2tnb239v3","c2tnb239v3",NID_X9_62_c2tnb239v3,8,&(lvalues[4716]),0},
+{"c2onb239v4","c2onb239v4",NID_X9_62_c2onb239v4,8,&(lvalues[4724]),0},
+{"c2onb239v5","c2onb239v5",NID_X9_62_c2onb239v5,8,&(lvalues[4732]),0},
+{"c2pnb272w1","c2pnb272w1",NID_X9_62_c2pnb272w1,8,&(lvalues[4740]),0},
+{"c2pnb304w1","c2pnb304w1",NID_X9_62_c2pnb304w1,8,&(lvalues[4748]),0},
+{"c2tnb359v1","c2tnb359v1",NID_X9_62_c2tnb359v1,8,&(lvalues[4756]),0},
+{"c2pnb368w1","c2pnb368w1",NID_X9_62_c2pnb368w1,8,&(lvalues[4764]),0},
+{"c2tnb431r1","c2tnb431r1",NID_X9_62_c2tnb431r1,8,&(lvalues[4772]),0},
+{"secp112r1","secp112r1",NID_secp112r1,5,&(lvalues[4780]),0},
+{"secp112r2","secp112r2",NID_secp112r2,5,&(lvalues[4785]),0},
+{"secp128r1","secp128r1",NID_secp128r1,5,&(lvalues[4790]),0},
+{"secp128r2","secp128r2",NID_secp128r2,5,&(lvalues[4795]),0},
+{"secp160k1","secp160k1",NID_secp160k1,5,&(lvalues[4800]),0},
+{"secp160r1","secp160r1",NID_secp160r1,5,&(lvalues[4805]),0},
+{"secp160r2","secp160r2",NID_secp160r2,5,&(lvalues[4810]),0},
+{"secp192k1","secp192k1",NID_secp192k1,5,&(lvalues[4815]),0},
+{"secp224k1","secp224k1",NID_secp224k1,5,&(lvalues[4820]),0},
+{"secp224r1","secp224r1",NID_secp224r1,5,&(lvalues[4825]),0},
+{"secp256k1","secp256k1",NID_secp256k1,5,&(lvalues[4830]),0},
+{"secp384r1","secp384r1",NID_secp384r1,5,&(lvalues[4835]),0},
+{"secp521r1","secp521r1",NID_secp521r1,5,&(lvalues[4840]),0},
+{"sect113r1","sect113r1",NID_sect113r1,5,&(lvalues[4845]),0},
+{"sect113r2","sect113r2",NID_sect113r2,5,&(lvalues[4850]),0},
+{"sect131r1","sect131r1",NID_sect131r1,5,&(lvalues[4855]),0},
+{"sect131r2","sect131r2",NID_sect131r2,5,&(lvalues[4860]),0},
+{"sect163k1","sect163k1",NID_sect163k1,5,&(lvalues[4865]),0},
+{"sect163r1","sect163r1",NID_sect163r1,5,&(lvalues[4870]),0},
+{"sect163r2","sect163r2",NID_sect163r2,5,&(lvalues[4875]),0},
+{"sect193r1","sect193r1",NID_sect193r1,5,&(lvalues[4880]),0},
+{"sect193r2","sect193r2",NID_sect193r2,5,&(lvalues[4885]),0},
+{"sect233k1","sect233k1",NID_sect233k1,5,&(lvalues[4890]),0},
+{"sect233r1","sect233r1",NID_sect233r1,5,&(lvalues[4895]),0},
+{"sect239k1","sect239k1",NID_sect239k1,5,&(lvalues[4900]),0},
+{"sect283k1","sect283k1",NID_sect283k1,5,&(lvalues[4905]),0},
+{"sect283r1","sect283r1",NID_sect283r1,5,&(lvalues[4910]),0},
+{"sect409k1","sect409k1",NID_sect409k1,5,&(lvalues[4915]),0},
+{"sect409r1","sect409r1",NID_sect409r1,5,&(lvalues[4920]),0},
+{"sect571k1","sect571k1",NID_sect571k1,5,&(lvalues[4925]),0},
+{"sect571r1","sect571r1",NID_sect571r1,5,&(lvalues[4930]),0},
+{"wap-wsg-idm-ecid-wtls1","wap-wsg-idm-ecid-wtls1",
+	NID_wap_wsg_idm_ecid_wtls1,5,&(lvalues[4935]),0},
+{"wap-wsg-idm-ecid-wtls3","wap-wsg-idm-ecid-wtls3",
+	NID_wap_wsg_idm_ecid_wtls3,5,&(lvalues[4940]),0},
+{"wap-wsg-idm-ecid-wtls4","wap-wsg-idm-ecid-wtls4",
+	NID_wap_wsg_idm_ecid_wtls4,5,&(lvalues[4945]),0},
+{"wap-wsg-idm-ecid-wtls5","wap-wsg-idm-ecid-wtls5",
+	NID_wap_wsg_idm_ecid_wtls5,5,&(lvalues[4950]),0},
+{"wap-wsg-idm-ecid-wtls6","wap-wsg-idm-ecid-wtls6",
+	NID_wap_wsg_idm_ecid_wtls6,5,&(lvalues[4955]),0},
+{"wap-wsg-idm-ecid-wtls7","wap-wsg-idm-ecid-wtls7",
+	NID_wap_wsg_idm_ecid_wtls7,5,&(lvalues[4960]),0},
+{"wap-wsg-idm-ecid-wtls8","wap-wsg-idm-ecid-wtls8",
+	NID_wap_wsg_idm_ecid_wtls8,5,&(lvalues[4965]),0},
+{"wap-wsg-idm-ecid-wtls9","wap-wsg-idm-ecid-wtls9",
+	NID_wap_wsg_idm_ecid_wtls9,5,&(lvalues[4970]),0},
+{"wap-wsg-idm-ecid-wtls10","wap-wsg-idm-ecid-wtls10",
+	NID_wap_wsg_idm_ecid_wtls10,5,&(lvalues[4975]),0},
+{"wap-wsg-idm-ecid-wtls11","wap-wsg-idm-ecid-wtls11",
+	NID_wap_wsg_idm_ecid_wtls11,5,&(lvalues[4980]),0},
+{"wap-wsg-idm-ecid-wtls12","wap-wsg-idm-ecid-wtls12",
+	NID_wap_wsg_idm_ecid_wtls12,5,&(lvalues[4985]),0},
+{"anyPolicy","X509v3 Any Policy",NID_any_policy,4,&(lvalues[4990]),0},
+{"policyMappings","X509v3 Policy Mappings",NID_policy_mappings,3,
+	&(lvalues[4994]),0},
+{"inhibitAnyPolicy","X509v3 Inhibit Any Policy",
+	NID_inhibit_any_policy,3,&(lvalues[4997]),0},
+{"Oakley-EC2N-3","ipsec3",NID_ipsec3,0,NULL,0},
+{"Oakley-EC2N-4","ipsec4",NID_ipsec4,0,NULL,0},
+{"CAMELLIA-128-CBC","camellia-128-cbc",NID_camellia_128_cbc,11,
+	&(lvalues[5000]),0},
+{"CAMELLIA-192-CBC","camellia-192-cbc",NID_camellia_192_cbc,11,
+	&(lvalues[5011]),0},
+{"CAMELLIA-256-CBC","camellia-256-cbc",NID_camellia_256_cbc,11,
+	&(lvalues[5022]),0},
+{"CAMELLIA-128-ECB","camellia-128-ecb",NID_camellia_128_ecb,8,
+	&(lvalues[5033]),0},
+{"CAMELLIA-192-ECB","camellia-192-ecb",NID_camellia_192_ecb,8,
+	&(lvalues[5041]),0},
+{"CAMELLIA-256-ECB","camellia-256-ecb",NID_camellia_256_ecb,8,
+	&(lvalues[5049]),0},
+{"CAMELLIA-128-CFB","camellia-128-cfb",NID_camellia_128_cfb128,8,
+	&(lvalues[5057]),0},
+{"CAMELLIA-192-CFB","camellia-192-cfb",NID_camellia_192_cfb128,8,
+	&(lvalues[5065]),0},
+{"CAMELLIA-256-CFB","camellia-256-cfb",NID_camellia_256_cfb128,8,
+	&(lvalues[5073]),0},
+{"CAMELLIA-128-CFB1","camellia-128-cfb1",NID_camellia_128_cfb1,0,NULL,0},
+{"CAMELLIA-192-CFB1","camellia-192-cfb1",NID_camellia_192_cfb1,0,NULL,0},
+{"CAMELLIA-256-CFB1","camellia-256-cfb1",NID_camellia_256_cfb1,0,NULL,0},
+{"CAMELLIA-128-CFB8","camellia-128-cfb8",NID_camellia_128_cfb8,0,NULL,0},
+{"CAMELLIA-192-CFB8","camellia-192-cfb8",NID_camellia_192_cfb8,0,NULL,0},
+{"CAMELLIA-256-CFB8","camellia-256-cfb8",NID_camellia_256_cfb8,0,NULL,0},
+{"CAMELLIA-128-OFB","camellia-128-ofb",NID_camellia_128_ofb128,8,
+	&(lvalues[5081]),0},
+{"CAMELLIA-192-OFB","camellia-192-ofb",NID_camellia_192_ofb128,8,
+	&(lvalues[5089]),0},
+{"CAMELLIA-256-OFB","camellia-256-ofb",NID_camellia_256_ofb128,8,
+	&(lvalues[5097]),0},
+{"subjectDirectoryAttributes","X509v3 Subject Directory Attributes",
+	NID_subject_directory_attributes,3,&(lvalues[5105]),0},
+{"issuingDistributionPoint","X509v3 Issuing Distrubution Point",
+	NID_issuing_distribution_point,3,&(lvalues[5108]),0},
+{"certificateIssuer","X509v3 Certificate Issuer",
+	NID_certificate_issuer,3,&(lvalues[5111]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"KISA","kisa",NID_kisa,6,&(lvalues[5114]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"SEED-ECB","seed-ecb",NID_seed_ecb,8,&(lvalues[5120]),0},
+{"SEED-CBC","seed-cbc",NID_seed_cbc,8,&(lvalues[5128]),0},
+{"SEED-OFB","seed-ofb",NID_seed_ofb128,8,&(lvalues[5136]),0},
+{"SEED-CFB","seed-cfb",NID_seed_cfb128,8,&(lvalues[5144]),0},
+{"HMAC-MD5","hmac-md5",NID_hmac_md5,8,&(lvalues[5152]),0},
+{"HMAC-SHA1","hmac-sha1",NID_hmac_sha1,8,&(lvalues[5160]),0},
+{"id-PasswordBasedMAC","password based MAC",NID_id_PasswordBasedMAC,9,
+	&(lvalues[5168]),0},
+{"id-DHBasedMac","Diffie-Hellman based MAC",NID_id_DHBasedMac,9,
+	&(lvalues[5177]),0},
+{"id-it-suppLangTags","id-it-suppLangTags",NID_id_it_suppLangTags,8,
+	&(lvalues[5186]),0},
+{"caRepository","CA Repository",NID_caRepository,8,&(lvalues[5194]),0},
+{"id-smime-ct-compressedData","id-smime-ct-compressedData",
+	NID_id_smime_ct_compressedData,11,&(lvalues[5202]),0},
+{"id-ct-asciiTextWithCRLF","id-ct-asciiTextWithCRLF",
+	NID_id_ct_asciiTextWithCRLF,11,&(lvalues[5213]),0},
+{"id-aes128-wrap","id-aes128-wrap",NID_id_aes128_wrap,9,
+	&(lvalues[5224]),0},
+{"id-aes192-wrap","id-aes192-wrap",NID_id_aes192_wrap,9,
+	&(lvalues[5233]),0},
+{"id-aes256-wrap","id-aes256-wrap",NID_id_aes256_wrap,9,
+	&(lvalues[5242]),0},
+{"ecdsa-with-Recommended","ecdsa-with-Recommended",
+	NID_ecdsa_with_Recommended,7,&(lvalues[5251]),0},
+{"ecdsa-with-Specified","ecdsa-with-Specified",
+	NID_ecdsa_with_Specified,7,&(lvalues[5258]),0},
+{"ecdsa-with-SHA224","ecdsa-with-SHA224",NID_ecdsa_with_SHA224,8,
+	&(lvalues[5265]),0},
+{"ecdsa-with-SHA256","ecdsa-with-SHA256",NID_ecdsa_with_SHA256,8,
+	&(lvalues[5273]),0},
+{"ecdsa-with-SHA384","ecdsa-with-SHA384",NID_ecdsa_with_SHA384,8,
+	&(lvalues[5281]),0},
+{"ecdsa-with-SHA512","ecdsa-with-SHA512",NID_ecdsa_with_SHA512,8,
+	&(lvalues[5289]),0},
+{"hmacWithMD5","hmacWithMD5",NID_hmacWithMD5,8,&(lvalues[5297]),0},
+{"hmacWithSHA224","hmacWithSHA224",NID_hmacWithSHA224,8,
+	&(lvalues[5305]),0},
+{"hmacWithSHA256","hmacWithSHA256",NID_hmacWithSHA256,8,
+	&(lvalues[5313]),0},
+{"hmacWithSHA384","hmacWithSHA384",NID_hmacWithSHA384,8,
+	&(lvalues[5321]),0},
+{"hmacWithSHA512","hmacWithSHA512",NID_hmacWithSHA512,8,
+	&(lvalues[5329]),0},
+{"dsa_with_SHA224","dsa_with_SHA224",NID_dsa_with_SHA224,9,
+	&(lvalues[5337]),0},
+{"dsa_with_SHA256","dsa_with_SHA256",NID_dsa_with_SHA256,9,
+	&(lvalues[5346]),0},
+{"whirlpool","whirlpool",NID_whirlpool,6,&(lvalues[5355]),0},
+{"cryptopro","cryptopro",NID_cryptopro,5,&(lvalues[5361]),0},
+{"cryptocom","cryptocom",NID_cryptocom,5,&(lvalues[5366]),0},
+{"id-GostR3411-94-with-GostR3410-2001",
+	"GOST R 34.11-94 with GOST R 34.10-2001",
+	NID_id_GostR3411_94_with_GostR3410_2001,6,&(lvalues[5371]),0},
+{"id-GostR3411-94-with-GostR3410-94",
+	"GOST R 34.11-94 with GOST R 34.10-94",
+	NID_id_GostR3411_94_with_GostR3410_94,6,&(lvalues[5377]),0},
+{"md_gost94","GOST R 34.11-94",NID_id_GostR3411_94,6,&(lvalues[5383]),0},
+{"id-HMACGostR3411-94","HMAC GOST 34.11-94",NID_id_HMACGostR3411_94,6,
+	&(lvalues[5389]),0},
+{"gost2001","GOST R 34.10-2001",NID_id_GostR3410_2001,6,
+	&(lvalues[5395]),0},
+{"gost94","GOST R 34.10-94",NID_id_GostR3410_94,6,&(lvalues[5401]),0},
+{"gost89","GOST 28147-89",NID_id_Gost28147_89,6,&(lvalues[5407]),0},
+{"gost89-cnt","gost89-cnt",NID_gost89_cnt,0,NULL,0},
+{"gost-mac","GOST 28147-89 MAC",NID_id_Gost28147_89_MAC,6,
+	&(lvalues[5413]),0},
+{"prf-gostr3411-94","GOST R 34.11-94 PRF",NID_id_GostR3411_94_prf,6,
+	&(lvalues[5419]),0},
+{"id-GostR3410-2001DH","GOST R 34.10-2001 DH",NID_id_GostR3410_2001DH,
+	6,&(lvalues[5425]),0},
+{"id-GostR3410-94DH","GOST R 34.10-94 DH",NID_id_GostR3410_94DH,6,
+	&(lvalues[5431]),0},
+{"id-Gost28147-89-CryptoPro-KeyMeshing",
+	"id-Gost28147-89-CryptoPro-KeyMeshing",
+	NID_id_Gost28147_89_CryptoPro_KeyMeshing,7,&(lvalues[5437]),0},
+{"id-Gost28147-89-None-KeyMeshing","id-Gost28147-89-None-KeyMeshing",
+	NID_id_Gost28147_89_None_KeyMeshing,7,&(lvalues[5444]),0},
+{"id-GostR3411-94-TestParamSet","id-GostR3411-94-TestParamSet",
+	NID_id_GostR3411_94_TestParamSet,7,&(lvalues[5451]),0},
+{"id-GostR3411-94-CryptoProParamSet",
+	"id-GostR3411-94-CryptoProParamSet",
+	NID_id_GostR3411_94_CryptoProParamSet,7,&(lvalues[5458]),0},
+{"id-Gost28147-89-TestParamSet","id-Gost28147-89-TestParamSet",
+	NID_id_Gost28147_89_TestParamSet,7,&(lvalues[5465]),0},
+{"id-Gost28147-89-CryptoPro-A-ParamSet",
+	"id-Gost28147-89-CryptoPro-A-ParamSet",
+	NID_id_Gost28147_89_CryptoPro_A_ParamSet,7,&(lvalues[5472]),0},
+{"id-Gost28147-89-CryptoPro-B-ParamSet",
+	"id-Gost28147-89-CryptoPro-B-ParamSet",
+	NID_id_Gost28147_89_CryptoPro_B_ParamSet,7,&(lvalues[5479]),0},
+{"id-Gost28147-89-CryptoPro-C-ParamSet",
+	"id-Gost28147-89-CryptoPro-C-ParamSet",
+	NID_id_Gost28147_89_CryptoPro_C_ParamSet,7,&(lvalues[5486]),0},
+{"id-Gost28147-89-CryptoPro-D-ParamSet",
+	"id-Gost28147-89-CryptoPro-D-ParamSet",
+	NID_id_Gost28147_89_CryptoPro_D_ParamSet,7,&(lvalues[5493]),0},
+{"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
+	"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
+	NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet,7,&(lvalues[5500]),
+	0},
+{"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
+	"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
+	NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet,7,&(lvalues[5507]),
+	0},
+{"id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
+	"id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
+	NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet,7,&(lvalues[5514]),0},
+{"id-GostR3410-94-TestParamSet","id-GostR3410-94-TestParamSet",
+	NID_id_GostR3410_94_TestParamSet,7,&(lvalues[5521]),0},
+{"id-GostR3410-94-CryptoPro-A-ParamSet",
+	"id-GostR3410-94-CryptoPro-A-ParamSet",
+	NID_id_GostR3410_94_CryptoPro_A_ParamSet,7,&(lvalues[5528]),0},
+{"id-GostR3410-94-CryptoPro-B-ParamSet",
+	"id-GostR3410-94-CryptoPro-B-ParamSet",
+	NID_id_GostR3410_94_CryptoPro_B_ParamSet,7,&(lvalues[5535]),0},
+{"id-GostR3410-94-CryptoPro-C-ParamSet",
+	"id-GostR3410-94-CryptoPro-C-ParamSet",
+	NID_id_GostR3410_94_CryptoPro_C_ParamSet,7,&(lvalues[5542]),0},
+{"id-GostR3410-94-CryptoPro-D-ParamSet",
+	"id-GostR3410-94-CryptoPro-D-ParamSet",
+	NID_id_GostR3410_94_CryptoPro_D_ParamSet,7,&(lvalues[5549]),0},
+{"id-GostR3410-94-CryptoPro-XchA-ParamSet",
+	"id-GostR3410-94-CryptoPro-XchA-ParamSet",
+	NID_id_GostR3410_94_CryptoPro_XchA_ParamSet,7,&(lvalues[5556]),0},
+{"id-GostR3410-94-CryptoPro-XchB-ParamSet",
+	"id-GostR3410-94-CryptoPro-XchB-ParamSet",
+	NID_id_GostR3410_94_CryptoPro_XchB_ParamSet,7,&(lvalues[5563]),0},
+{"id-GostR3410-94-CryptoPro-XchC-ParamSet",
+	"id-GostR3410-94-CryptoPro-XchC-ParamSet",
+	NID_id_GostR3410_94_CryptoPro_XchC_ParamSet,7,&(lvalues[5570]),0},
+{"id-GostR3410-2001-TestParamSet","id-GostR3410-2001-TestParamSet",
+	NID_id_GostR3410_2001_TestParamSet,7,&(lvalues[5577]),0},
+{"id-GostR3410-2001-CryptoPro-A-ParamSet",
+	"id-GostR3410-2001-CryptoPro-A-ParamSet",
+	NID_id_GostR3410_2001_CryptoPro_A_ParamSet,7,&(lvalues[5584]),0},
+{"id-GostR3410-2001-CryptoPro-B-ParamSet",
+	"id-GostR3410-2001-CryptoPro-B-ParamSet",
+	NID_id_GostR3410_2001_CryptoPro_B_ParamSet,7,&(lvalues[5591]),0},
+{"id-GostR3410-2001-CryptoPro-C-ParamSet",
+	"id-GostR3410-2001-CryptoPro-C-ParamSet",
+	NID_id_GostR3410_2001_CryptoPro_C_ParamSet,7,&(lvalues[5598]),0},
+{"id-GostR3410-2001-CryptoPro-XchA-ParamSet",
+	"id-GostR3410-2001-CryptoPro-XchA-ParamSet",
+	NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet,7,&(lvalues[5605]),0},
+	
+{"id-GostR3410-2001-CryptoPro-XchB-ParamSet",
+	"id-GostR3410-2001-CryptoPro-XchB-ParamSet",
+	NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet,7,&(lvalues[5612]),0},
+	
+{"id-GostR3410-94-a","id-GostR3410-94-a",NID_id_GostR3410_94_a,7,
+	&(lvalues[5619]),0},
+{"id-GostR3410-94-aBis","id-GostR3410-94-aBis",
+	NID_id_GostR3410_94_aBis,7,&(lvalues[5626]),0},
+{"id-GostR3410-94-b","id-GostR3410-94-b",NID_id_GostR3410_94_b,7,
+	&(lvalues[5633]),0},
+{"id-GostR3410-94-bBis","id-GostR3410-94-bBis",
+	NID_id_GostR3410_94_bBis,7,&(lvalues[5640]),0},
+{"id-Gost28147-89-cc","GOST 28147-89 Cryptocom ParamSet",
+	NID_id_Gost28147_89_cc,8,&(lvalues[5647]),0},
+{"gost94cc","GOST 34.10-94 Cryptocom",NID_id_GostR3410_94_cc,8,
+	&(lvalues[5655]),0},
+{"gost2001cc","GOST 34.10-2001 Cryptocom",NID_id_GostR3410_2001_cc,8,
+	&(lvalues[5663]),0},
+{"id-GostR3411-94-with-GostR3410-94-cc",
+	"GOST R 34.11-94 with GOST R 34.10-94 Cryptocom",
+	NID_id_GostR3411_94_with_GostR3410_94_cc,8,&(lvalues[5671]),0},
+{"id-GostR3411-94-with-GostR3410-2001-cc",
+	"GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom",
+	NID_id_GostR3411_94_with_GostR3410_2001_cc,8,&(lvalues[5679]),0},
+{"id-GostR3410-2001-ParamSet-cc",
+	"GOST R 3410-2001 Parameter Set Cryptocom",
+	NID_id_GostR3410_2001_ParamSet_cc,8,&(lvalues[5687]),0},
+{"HMAC","hmac",NID_hmac,0,NULL,0},
+{"LocalKeySet","Microsoft Local Key set",NID_LocalKeySet,9,
+	&(lvalues[5695]),0},
+{"freshestCRL","X509v3 Freshest CRL",NID_freshest_crl,3,
+	&(lvalues[5704]),0},
+{"id-on-permanentIdentifier","Permanent Identifier",
+	NID_id_on_permanentIdentifier,8,&(lvalues[5707]),0},
+{"searchGuide","searchGuide",NID_searchGuide,3,&(lvalues[5715]),0},
+{"businessCategory","businessCategory",NID_businessCategory,3,
+	&(lvalues[5718]),0},
+{"postalAddress","postalAddress",NID_postalAddress,3,&(lvalues[5721]),0},
+{"postOfficeBox","postOfficeBox",NID_postOfficeBox,3,&(lvalues[5724]),0},
+{"physicalDeliveryOfficeName","physicalDeliveryOfficeName",
+	NID_physicalDeliveryOfficeName,3,&(lvalues[5727]),0},
+{"telephoneNumber","telephoneNumber",NID_telephoneNumber,3,
+	&(lvalues[5730]),0},
+{"telexNumber","telexNumber",NID_telexNumber,3,&(lvalues[5733]),0},
+{"teletexTerminalIdentifier","teletexTerminalIdentifier",
+	NID_teletexTerminalIdentifier,3,&(lvalues[5736]),0},
+{"facsimileTelephoneNumber","facsimileTelephoneNumber",
+	NID_facsimileTelephoneNumber,3,&(lvalues[5739]),0},
+{"x121Address","x121Address",NID_x121Address,3,&(lvalues[5742]),0},
+{"internationaliSDNNumber","internationaliSDNNumber",
+	NID_internationaliSDNNumber,3,&(lvalues[5745]),0},
+{"registeredAddress","registeredAddress",NID_registeredAddress,3,
+	&(lvalues[5748]),0},
+{"destinationIndicator","destinationIndicator",
+	NID_destinationIndicator,3,&(lvalues[5751]),0},
+{"preferredDeliveryMethod","preferredDeliveryMethod",
+	NID_preferredDeliveryMethod,3,&(lvalues[5754]),0},
+{"presentationAddress","presentationAddress",NID_presentationAddress,
+	3,&(lvalues[5757]),0},
+{"supportedApplicationContext","supportedApplicationContext",
+	NID_supportedApplicationContext,3,&(lvalues[5760]),0},
+{"member","member",NID_member,3,&(lvalues[5763]),0},
+{"owner","owner",NID_owner,3,&(lvalues[5766]),0},
+{"roleOccupant","roleOccupant",NID_roleOccupant,3,&(lvalues[5769]),0},
+{"seeAlso","seeAlso",NID_seeAlso,3,&(lvalues[5772]),0},
+{"userPassword","userPassword",NID_userPassword,3,&(lvalues[5775]),0},
+{"userCertificate","userCertificate",NID_userCertificate,3,
+	&(lvalues[5778]),0},
+{"cACertificate","cACertificate",NID_cACertificate,3,&(lvalues[5781]),0},
+{"authorityRevocationList","authorityRevocationList",
+	NID_authorityRevocationList,3,&(lvalues[5784]),0},
+{"certificateRevocationList","certificateRevocationList",
+	NID_certificateRevocationList,3,&(lvalues[5787]),0},
+{"crossCertificatePair","crossCertificatePair",
+	NID_crossCertificatePair,3,&(lvalues[5790]),0},
+{"enhancedSearchGuide","enhancedSearchGuide",NID_enhancedSearchGuide,
+	3,&(lvalues[5793]),0},
+{"protocolInformation","protocolInformation",NID_protocolInformation,
+	3,&(lvalues[5796]),0},
+{"distinguishedName","distinguishedName",NID_distinguishedName,3,
+	&(lvalues[5799]),0},
+{"uniqueMember","uniqueMember",NID_uniqueMember,3,&(lvalues[5802]),0},
+{"houseIdentifier","houseIdentifier",NID_houseIdentifier,3,
+	&(lvalues[5805]),0},
+{"supportedAlgorithms","supportedAlgorithms",NID_supportedAlgorithms,
+	3,&(lvalues[5808]),0},
+{"deltaRevocationList","deltaRevocationList",NID_deltaRevocationList,
+	3,&(lvalues[5811]),0},
+{"dmdName","dmdName",NID_dmdName,3,&(lvalues[5814]),0},
+{"id-alg-PWRI-KEK","id-alg-PWRI-KEK",NID_id_alg_PWRI_KEK,11,
+	&(lvalues[5817]),0},
+{"CMAC","cmac",NID_cmac,0,NULL,0},
+{"id-aes128-GCM","aes-128-gcm",NID_aes_128_gcm,9,&(lvalues[5828]),0},
+{"id-aes128-CCM","aes-128-ccm",NID_aes_128_ccm,9,&(lvalues[5837]),0},
+{"id-aes128-wrap-pad","id-aes128-wrap-pad",NID_id_aes128_wrap_pad,9,
+	&(lvalues[5846]),0},
+{"id-aes192-GCM","aes-192-gcm",NID_aes_192_gcm,9,&(lvalues[5855]),0},
+{"id-aes192-CCM","aes-192-ccm",NID_aes_192_ccm,9,&(lvalues[5864]),0},
+{"id-aes192-wrap-pad","id-aes192-wrap-pad",NID_id_aes192_wrap_pad,9,
+	&(lvalues[5873]),0},
+{"id-aes256-GCM","aes-256-gcm",NID_aes_256_gcm,9,&(lvalues[5882]),0},
+{"id-aes256-CCM","aes-256-ccm",NID_aes_256_ccm,9,&(lvalues[5891]),0},
+{"id-aes256-wrap-pad","id-aes256-wrap-pad",NID_id_aes256_wrap_pad,9,
+	&(lvalues[5900]),0},
+{"AES-128-CTR","aes-128-ctr",NID_aes_128_ctr,0,NULL,0},
+{"AES-192-CTR","aes-192-ctr",NID_aes_192_ctr,0,NULL,0},
+{"AES-256-CTR","aes-256-ctr",NID_aes_256_ctr,0,NULL,0},
+{"id-camellia128-wrap","id-camellia128-wrap",NID_id_camellia128_wrap,
+	11,&(lvalues[5909]),0},
+{"id-camellia192-wrap","id-camellia192-wrap",NID_id_camellia192_wrap,
+	11,&(lvalues[5920]),0},
+{"id-camellia256-wrap","id-camellia256-wrap",NID_id_camellia256_wrap,
+	11,&(lvalues[5931]),0},
+{"anyExtendedKeyUsage","Any Extended Key Usage",
+	NID_anyExtendedKeyUsage,4,&(lvalues[5942]),0},
+{"MGF1","mgf1",NID_mgf1,9,&(lvalues[5946]),0},
+{"RSASSA-PSS","rsassaPss",NID_rsassaPss,9,&(lvalues[5955]),0},
+{"AES-128-XTS","aes-128-xts",NID_aes_128_xts,0,NULL,0},
+{"AES-256-XTS","aes-256-xts",NID_aes_256_xts,0,NULL,0},
+{"RC4-HMAC-MD5","rc4-hmac-md5",NID_rc4_hmac_md5,0,NULL,0},
+{"AES-128-CBC-HMAC-SHA1","aes-128-cbc-hmac-sha1",
+	NID_aes_128_cbc_hmac_sha1,0,NULL,0},
+{"AES-192-CBC-HMAC-SHA1","aes-192-cbc-hmac-sha1",
+	NID_aes_192_cbc_hmac_sha1,0,NULL,0},
+{"AES-256-CBC-HMAC-SHA1","aes-256-cbc-hmac-sha1",
+	NID_aes_256_cbc_hmac_sha1,0,NULL,0},
+{"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0},
+{"dhpublicnumber","X9.42 DH",NID_dhpublicnumber,7,&(lvalues[5973]),0},
+{"brainpoolP160r1","brainpoolP160r1",NID_brainpoolP160r1,9,
+	&(lvalues[5980]),0},
+{"brainpoolP160t1","brainpoolP160t1",NID_brainpoolP160t1,9,
+	&(lvalues[5989]),0},
+{"brainpoolP192r1","brainpoolP192r1",NID_brainpoolP192r1,9,
+	&(lvalues[5998]),0},
+{"brainpoolP192t1","brainpoolP192t1",NID_brainpoolP192t1,9,
+	&(lvalues[6007]),0},
+{"brainpoolP224r1","brainpoolP224r1",NID_brainpoolP224r1,9,
+	&(lvalues[6016]),0},
+{"brainpoolP224t1","brainpoolP224t1",NID_brainpoolP224t1,9,
+	&(lvalues[6025]),0},
+{"brainpoolP256r1","brainpoolP256r1",NID_brainpoolP256r1,9,
+	&(lvalues[6034]),0},
+{"brainpoolP256t1","brainpoolP256t1",NID_brainpoolP256t1,9,
+	&(lvalues[6043]),0},
+{"brainpoolP320r1","brainpoolP320r1",NID_brainpoolP320r1,9,
+	&(lvalues[6052]),0},
+{"brainpoolP320t1","brainpoolP320t1",NID_brainpoolP320t1,9,
+	&(lvalues[6061]),0},
+{"brainpoolP384r1","brainpoolP384r1",NID_brainpoolP384r1,9,
+	&(lvalues[6070]),0},
+{"brainpoolP384t1","brainpoolP384t1",NID_brainpoolP384t1,9,
+	&(lvalues[6079]),0},
+{"brainpoolP512r1","brainpoolP512r1",NID_brainpoolP512r1,9,
+	&(lvalues[6088]),0},
+{"brainpoolP512t1","brainpoolP512t1",NID_brainpoolP512t1,9,
+	&(lvalues[6097]),0},
+{"PSPECIFIED","pSpecified",NID_pSpecified,9,&(lvalues[6106]),0},
+{"dhSinglePass-stdDH-sha1kdf-scheme",
+	"dhSinglePass-stdDH-sha1kdf-scheme",
+	NID_dhSinglePass_stdDH_sha1kdf_scheme,9,&(lvalues[6115]),0},
+{"dhSinglePass-stdDH-sha224kdf-scheme",
+	"dhSinglePass-stdDH-sha224kdf-scheme",
+	NID_dhSinglePass_stdDH_sha224kdf_scheme,6,&(lvalues[6124]),0},
+{"dhSinglePass-stdDH-sha256kdf-scheme",
+	"dhSinglePass-stdDH-sha256kdf-scheme",
+	NID_dhSinglePass_stdDH_sha256kdf_scheme,6,&(lvalues[6130]),0},
+{"dhSinglePass-stdDH-sha384kdf-scheme",
+	"dhSinglePass-stdDH-sha384kdf-scheme",
+	NID_dhSinglePass_stdDH_sha384kdf_scheme,6,&(lvalues[6136]),0},
+{"dhSinglePass-stdDH-sha512kdf-scheme",
+	"dhSinglePass-stdDH-sha512kdf-scheme",
+	NID_dhSinglePass_stdDH_sha512kdf_scheme,6,&(lvalues[6142]),0},
+{"dhSinglePass-cofactorDH-sha1kdf-scheme",
+	"dhSinglePass-cofactorDH-sha1kdf-scheme",
+	NID_dhSinglePass_cofactorDH_sha1kdf_scheme,9,&(lvalues[6148]),0},
+{"dhSinglePass-cofactorDH-sha224kdf-scheme",
+	"dhSinglePass-cofactorDH-sha224kdf-scheme",
+	NID_dhSinglePass_cofactorDH_sha224kdf_scheme,6,&(lvalues[6157]),0},
+{"dhSinglePass-cofactorDH-sha256kdf-scheme",
+	"dhSinglePass-cofactorDH-sha256kdf-scheme",
+	NID_dhSinglePass_cofactorDH_sha256kdf_scheme,6,&(lvalues[6163]),0},
+{"dhSinglePass-cofactorDH-sha384kdf-scheme",
+	"dhSinglePass-cofactorDH-sha384kdf-scheme",
+	NID_dhSinglePass_cofactorDH_sha384kdf_scheme,6,&(lvalues[6169]),0},
+{"dhSinglePass-cofactorDH-sha512kdf-scheme",
+	"dhSinglePass-cofactorDH-sha512kdf-scheme",
+	NID_dhSinglePass_cofactorDH_sha512kdf_scheme,6,&(lvalues[6175]),0},
+{"dh-std-kdf","dh-std-kdf",NID_dh_std_kdf,0,NULL,0},
+{"dh-cofactor-kdf","dh-cofactor-kdf",NID_dh_cofactor_kdf,0,NULL,0},
+{"AES-128-CBC-HMAC-SHA256","aes-128-cbc-hmac-sha256",
+	NID_aes_128_cbc_hmac_sha256,0,NULL,0},
+{"AES-192-CBC-HMAC-SHA256","aes-192-cbc-hmac-sha256",
+	NID_aes_192_cbc_hmac_sha256,0,NULL,0},
+{"AES-256-CBC-HMAC-SHA256","aes-256-cbc-hmac-sha256",
+	NID_aes_256_cbc_hmac_sha256,0,NULL,0},
+{"ct_precert_scts","CT Precertificate SCTs",NID_ct_precert_scts,10,
+	&(lvalues[6181]),0},
+{"ct_precert_poison","CT Precertificate Poison",NID_ct_precert_poison,
+	10,&(lvalues[6191]),0},
+{"ct_precert_signer","CT Precertificate Signer",NID_ct_precert_signer,
+	10,&(lvalues[6201]),0},
+{"ct_cert_scts","CT Certificate SCTs",NID_ct_cert_scts,10,
+	&(lvalues[6211]),0},
+{"jurisdictionL","jurisdictionLocalityName",
+	NID_jurisdictionLocalityName,11,&(lvalues[6221]),0},
+{"jurisdictionST","jurisdictionStateOrProvinceName",
+	NID_jurisdictionStateOrProvinceName,11,&(lvalues[6232]),0},
+{"jurisdictionC","jurisdictionCountryName",
+	NID_jurisdictionCountryName,11,&(lvalues[6243]),0},
 };
 
-#define NUM_SN 1052
-static const unsigned int sn_objs[NUM_SN] = {
-     364,    /* "AD_DVCS" */
-     419,    /* "AES-128-CBC" */
-     916,    /* "AES-128-CBC-HMAC-SHA1" */
-     948,    /* "AES-128-CBC-HMAC-SHA256" */
-     421,    /* "AES-128-CFB" */
-     650,    /* "AES-128-CFB1" */
-     653,    /* "AES-128-CFB8" */
-     904,    /* "AES-128-CTR" */
-     418,    /* "AES-128-ECB" */
-     958,    /* "AES-128-OCB" */
-     420,    /* "AES-128-OFB" */
-     913,    /* "AES-128-XTS" */
-     423,    /* "AES-192-CBC" */
-     917,    /* "AES-192-CBC-HMAC-SHA1" */
-     949,    /* "AES-192-CBC-HMAC-SHA256" */
-     425,    /* "AES-192-CFB" */
-     651,    /* "AES-192-CFB1" */
-     654,    /* "AES-192-CFB8" */
-     905,    /* "AES-192-CTR" */
-     422,    /* "AES-192-ECB" */
-     959,    /* "AES-192-OCB" */
-     424,    /* "AES-192-OFB" */
-     427,    /* "AES-256-CBC" */
-     918,    /* "AES-256-CBC-HMAC-SHA1" */
-     950,    /* "AES-256-CBC-HMAC-SHA256" */
-     429,    /* "AES-256-CFB" */
-     652,    /* "AES-256-CFB1" */
-     655,    /* "AES-256-CFB8" */
-     906,    /* "AES-256-CTR" */
-     426,    /* "AES-256-ECB" */
-     960,    /* "AES-256-OCB" */
-     428,    /* "AES-256-OFB" */
-     914,    /* "AES-256-XTS" */
-    1049,    /* "AuthDSS" */
-    1047,    /* "AuthECDSA" */
-    1050,    /* "AuthGOST01" */
-    1051,    /* "AuthGOST12" */
-    1053,    /* "AuthNULL" */
-    1048,    /* "AuthPSK" */
-    1046,    /* "AuthRSA" */
-    1052,    /* "AuthSRP" */
-      91,    /* "BF-CBC" */
-      93,    /* "BF-CFB" */
-      92,    /* "BF-ECB" */
-      94,    /* "BF-OFB" */
-    1056,    /* "BLAKE2b512" */
-    1057,    /* "BLAKE2s256" */
-      14,    /* "C" */
-     751,    /* "CAMELLIA-128-CBC" */
-     962,    /* "CAMELLIA-128-CCM" */
-     757,    /* "CAMELLIA-128-CFB" */
-     760,    /* "CAMELLIA-128-CFB1" */
-     763,    /* "CAMELLIA-128-CFB8" */
-     964,    /* "CAMELLIA-128-CMAC" */
-     963,    /* "CAMELLIA-128-CTR" */
-     754,    /* "CAMELLIA-128-ECB" */
-     961,    /* "CAMELLIA-128-GCM" */
-     766,    /* "CAMELLIA-128-OFB" */
-     752,    /* "CAMELLIA-192-CBC" */
-     966,    /* "CAMELLIA-192-CCM" */
-     758,    /* "CAMELLIA-192-CFB" */
-     761,    /* "CAMELLIA-192-CFB1" */
-     764,    /* "CAMELLIA-192-CFB8" */
-     968,    /* "CAMELLIA-192-CMAC" */
-     967,    /* "CAMELLIA-192-CTR" */
-     755,    /* "CAMELLIA-192-ECB" */
-     965,    /* "CAMELLIA-192-GCM" */
-     767,    /* "CAMELLIA-192-OFB" */
-     753,    /* "CAMELLIA-256-CBC" */
-     970,    /* "CAMELLIA-256-CCM" */
-     759,    /* "CAMELLIA-256-CFB" */
-     762,    /* "CAMELLIA-256-CFB1" */
-     765,    /* "CAMELLIA-256-CFB8" */
-     972,    /* "CAMELLIA-256-CMAC" */
-     971,    /* "CAMELLIA-256-CTR" */
-     756,    /* "CAMELLIA-256-ECB" */
-     969,    /* "CAMELLIA-256-GCM" */
-     768,    /* "CAMELLIA-256-OFB" */
-     108,    /* "CAST5-CBC" */
-     110,    /* "CAST5-CFB" */
-     109,    /* "CAST5-ECB" */
-     111,    /* "CAST5-OFB" */
-     894,    /* "CMAC" */
-      13,    /* "CN" */
-     141,    /* "CRLReason" */
-     417,    /* "CSPName" */
-    1019,    /* "ChaCha20" */
-    1018,    /* "ChaCha20-Poly1305" */
-     367,    /* "CrlID" */
-     391,    /* "DC" */
-      31,    /* "DES-CBC" */
-     643,    /* "DES-CDMF" */
-      30,    /* "DES-CFB" */
-     656,    /* "DES-CFB1" */
-     657,    /* "DES-CFB8" */
-      29,    /* "DES-ECB" */
-      32,    /* "DES-EDE" */
-      43,    /* "DES-EDE-CBC" */
-      60,    /* "DES-EDE-CFB" */
-      62,    /* "DES-EDE-OFB" */
-      33,    /* "DES-EDE3" */
-      44,    /* "DES-EDE3-CBC" */
-      61,    /* "DES-EDE3-CFB" */
-     658,    /* "DES-EDE3-CFB1" */
-     659,    /* "DES-EDE3-CFB8" */
-      63,    /* "DES-EDE3-OFB" */
-      45,    /* "DES-OFB" */
-      80,    /* "DESX-CBC" */
-     380,    /* "DOD" */
-     116,    /* "DSA" */
-      66,    /* "DSA-SHA" */
-     113,    /* "DSA-SHA1" */
-      70,    /* "DSA-SHA1-old" */
-      67,    /* "DSA-old" */
-     297,    /* "DVCS" */
-      99,    /* "GN" */
-    1036,    /* "HKDF" */
-     855,    /* "HMAC" */
-     780,    /* "HMAC-MD5" */
-     781,    /* "HMAC-SHA1" */
-     381,    /* "IANA" */
-      34,    /* "IDEA-CBC" */
-      35,    /* "IDEA-CFB" */
-      36,    /* "IDEA-ECB" */
-      46,    /* "IDEA-OFB" */
-    1004,    /* "INN" */
-     181,    /* "ISO" */
-     183,    /* "ISO-US" */
-     645,    /* "ITU-T" */
-     646,    /* "JOINT-ISO-ITU-T" */
-     773,    /* "KISA" */
-    1039,    /* "KxDHE" */
-    1041,    /* "KxDHE-PSK" */
-    1038,    /* "KxECDHE" */
-    1040,    /* "KxECDHE-PSK" */
-    1045,    /* "KxGOST" */
-    1043,    /* "KxPSK" */
-    1037,    /* "KxRSA" */
-    1042,    /* "KxRSA_PSK" */
-    1044,    /* "KxSRP" */
-      15,    /* "L" */
-     856,    /* "LocalKeySet" */
-       3,    /* "MD2" */
-     257,    /* "MD4" */
-       4,    /* "MD5" */
-     114,    /* "MD5-SHA1" */
-      95,    /* "MDC2" */
-     911,    /* "MGF1" */
-     388,    /* "Mail" */
-     393,    /* "NULL" */
-     404,    /* "NULL" */
-      57,    /* "Netscape" */
-     366,    /* "Nonce" */
-      17,    /* "O" */
-     178,    /* "OCSP" */
-     180,    /* "OCSPSigning" */
-    1005,    /* "OGRN" */
-     379,    /* "ORG" */
-      18,    /* "OU" */
-     749,    /* "Oakley-EC2N-3" */
-     750,    /* "Oakley-EC2N-4" */
-       9,    /* "PBE-MD2-DES" */
-     168,    /* "PBE-MD2-RC2-64" */
-      10,    /* "PBE-MD5-DES" */
-     169,    /* "PBE-MD5-RC2-64" */
-     147,    /* "PBE-SHA1-2DES" */
-     146,    /* "PBE-SHA1-3DES" */
-     170,    /* "PBE-SHA1-DES" */
-     148,    /* "PBE-SHA1-RC2-128" */
-     149,    /* "PBE-SHA1-RC2-40" */
-      68,    /* "PBE-SHA1-RC2-64" */
-     144,    /* "PBE-SHA1-RC4-128" */
-     145,    /* "PBE-SHA1-RC4-40" */
-     161,    /* "PBES2" */
-      69,    /* "PBKDF2" */
-     162,    /* "PBMAC1" */
-     127,    /* "PKIX" */
-     935,    /* "PSPECIFIED" */
-      98,    /* "RC2-40-CBC" */
-     166,    /* "RC2-64-CBC" */
-      37,    /* "RC2-CBC" */
-      39,    /* "RC2-CFB" */
-      38,    /* "RC2-ECB" */
-      40,    /* "RC2-OFB" */
-       5,    /* "RC4" */
-      97,    /* "RC4-40" */
-     915,    /* "RC4-HMAC-MD5" */
-     120,    /* "RC5-CBC" */
-     122,    /* "RC5-CFB" */
-     121,    /* "RC5-ECB" */
-     123,    /* "RC5-OFB" */
-     117,    /* "RIPEMD160" */
-      19,    /* "RSA" */
-       7,    /* "RSA-MD2" */
-     396,    /* "RSA-MD4" */
-       8,    /* "RSA-MD5" */
-      96,    /* "RSA-MDC2" */
-     104,    /* "RSA-NP-MD5" */
-     119,    /* "RSA-RIPEMD160" */
-      42,    /* "RSA-SHA" */
-      65,    /* "RSA-SHA1" */
-     115,    /* "RSA-SHA1-2" */
-     671,    /* "RSA-SHA224" */
-     668,    /* "RSA-SHA256" */
-     669,    /* "RSA-SHA384" */
-     670,    /* "RSA-SHA512" */
-     919,    /* "RSAES-OAEP" */
-     912,    /* "RSASSA-PSS" */
-     777,    /* "SEED-CBC" */
-     779,    /* "SEED-CFB" */
-     776,    /* "SEED-ECB" */
-     778,    /* "SEED-OFB" */
-      41,    /* "SHA" */
-      64,    /* "SHA1" */
-     675,    /* "SHA224" */
-     672,    /* "SHA256" */
-     673,    /* "SHA384" */
-     674,    /* "SHA512" */
-     188,    /* "SMIME" */
-     167,    /* "SMIME-CAPS" */
-     100,    /* "SN" */
-    1006,    /* "SNILS" */
-      16,    /* "ST" */
-     143,    /* "SXNetID" */
-    1021,    /* "TLS1-PRF" */
-     458,    /* "UID" */
-       0,    /* "UNDEF" */
-    1034,    /* "X25519" */
-    1035,    /* "X448" */
-      11,    /* "X500" */
-     378,    /* "X500algorithms" */
-      12,    /* "X509" */
-     184,    /* "X9-57" */
-     185,    /* "X9cm" */
-     125,    /* "ZLIB" */
-     478,    /* "aRecord" */
-     289,    /* "aaControls" */
-     287,    /* "ac-auditEntity" */
-     397,    /* "ac-proxying" */
-     288,    /* "ac-targeting" */
-     368,    /* "acceptableResponses" */
-     446,    /* "account" */
-     363,    /* "ad_timestamping" */
-     376,    /* "algorithm" */
-     405,    /* "ansi-X9-62" */
-     910,    /* "anyExtendedKeyUsage" */
-     746,    /* "anyPolicy" */
-     370,    /* "archiveCutoff" */
-     484,    /* "associatedDomain" */
-     485,    /* "associatedName" */
-     501,    /* "audio" */
-     177,    /* "authorityInfoAccess" */
-      90,    /* "authorityKeyIdentifier" */
-     882,    /* "authorityRevocationList" */
-      87,    /* "basicConstraints" */
-     365,    /* "basicOCSPResponse" */
-     285,    /* "biometricInfo" */
-     921,    /* "brainpoolP160r1" */
-     922,    /* "brainpoolP160t1" */
-     923,    /* "brainpoolP192r1" */
-     924,    /* "brainpoolP192t1" */
-     925,    /* "brainpoolP224r1" */
-     926,    /* "brainpoolP224t1" */
-     927,    /* "brainpoolP256r1" */
-     928,    /* "brainpoolP256t1" */
-     929,    /* "brainpoolP320r1" */
-     930,    /* "brainpoolP320t1" */
-     931,    /* "brainpoolP384r1" */
-     932,    /* "brainpoolP384t1" */
-     933,    /* "brainpoolP512r1" */
-     934,    /* "brainpoolP512t1" */
-     494,    /* "buildingName" */
-     860,    /* "businessCategory" */
-     691,    /* "c2onb191v4" */
-     692,    /* "c2onb191v5" */
-     697,    /* "c2onb239v4" */
-     698,    /* "c2onb239v5" */
-     684,    /* "c2pnb163v1" */
-     685,    /* "c2pnb163v2" */
-     686,    /* "c2pnb163v3" */
-     687,    /* "c2pnb176v1" */
-     693,    /* "c2pnb208w1" */
-     699,    /* "c2pnb272w1" */
-     700,    /* "c2pnb304w1" */
-     702,    /* "c2pnb368w1" */
-     688,    /* "c2tnb191v1" */
-     689,    /* "c2tnb191v2" */
-     690,    /* "c2tnb191v3" */
-     694,    /* "c2tnb239v1" */
-     695,    /* "c2tnb239v2" */
-     696,    /* "c2tnb239v3" */
-     701,    /* "c2tnb359v1" */
-     703,    /* "c2tnb431r1" */
-     881,    /* "cACertificate" */
-     483,    /* "cNAMERecord" */
-     179,    /* "caIssuers" */
-     785,    /* "caRepository" */
-    1023,    /* "capwapAC" */
-    1024,    /* "capwapWTP" */
-     443,    /* "caseIgnoreIA5StringSyntax" */
-     152,    /* "certBag" */
-     677,    /* "certicom-arc" */
-     771,    /* "certificateIssuer" */
-      89,    /* "certificatePolicies" */
-     883,    /* "certificateRevocationList" */
-      54,    /* "challengePassword" */
-     407,    /* "characteristic-two-field" */
-     395,    /* "clearance" */
-     130,    /* "clientAuth" */
-     131,    /* "codeSigning" */
-      50,    /* "contentType" */
-      53,    /* "countersignature" */
-     153,    /* "crlBag" */
-     103,    /* "crlDistributionPoints" */
-      88,    /* "crlNumber" */
-     884,    /* "crossCertificatePair" */
-     806,    /* "cryptocom" */
-     805,    /* "cryptopro" */
-     954,    /* "ct_cert_scts" */
-     952,    /* "ct_precert_poison" */
-     951,    /* "ct_precert_scts" */
-     953,    /* "ct_precert_signer" */
-     500,    /* "dITRedirect" */
-     451,    /* "dNSDomain" */
-     495,    /* "dSAQuality" */
-     434,    /* "data" */
-     390,    /* "dcobject" */
-     140,    /* "deltaCRL" */
-     891,    /* "deltaRevocationList" */
-     107,    /* "description" */
-     871,    /* "destinationIndicator" */
-     947,    /* "dh-cofactor-kdf" */
-     946,    /* "dh-std-kdf" */
-      28,    /* "dhKeyAgreement" */
-     941,    /* "dhSinglePass-cofactorDH-sha1kdf-scheme" */
-     942,    /* "dhSinglePass-cofactorDH-sha224kdf-scheme" */
-     943,    /* "dhSinglePass-cofactorDH-sha256kdf-scheme" */
-     944,    /* "dhSinglePass-cofactorDH-sha384kdf-scheme" */
-     945,    /* "dhSinglePass-cofactorDH-sha512kdf-scheme" */
-     936,    /* "dhSinglePass-stdDH-sha1kdf-scheme" */
-     937,    /* "dhSinglePass-stdDH-sha224kdf-scheme" */
-     938,    /* "dhSinglePass-stdDH-sha256kdf-scheme" */
-     939,    /* "dhSinglePass-stdDH-sha384kdf-scheme" */
-     940,    /* "dhSinglePass-stdDH-sha512kdf-scheme" */
-     920,    /* "dhpublicnumber" */
-     382,    /* "directory" */
-     887,    /* "distinguishedName" */
-     892,    /* "dmdName" */
-     174,    /* "dnQualifier" */
-     447,    /* "document" */
-     471,    /* "documentAuthor" */
-     468,    /* "documentIdentifier" */
-     472,    /* "documentLocation" */
-     502,    /* "documentPublisher" */
-     449,    /* "documentSeries" */
-     469,    /* "documentTitle" */
-     470,    /* "documentVersion" */
-     392,    /* "domain" */
-     452,    /* "domainRelatedObject" */
-     802,    /* "dsa_with_SHA224" */
-     803,    /* "dsa_with_SHA256" */
-     791,    /* "ecdsa-with-Recommended" */
-     416,    /* "ecdsa-with-SHA1" */
-     793,    /* "ecdsa-with-SHA224" */
-     794,    /* "ecdsa-with-SHA256" */
-     795,    /* "ecdsa-with-SHA384" */
-     796,    /* "ecdsa-with-SHA512" */
-     792,    /* "ecdsa-with-Specified" */
-      48,    /* "emailAddress" */
-     132,    /* "emailProtection" */
-     885,    /* "enhancedSearchGuide" */
-     389,    /* "enterprises" */
-     384,    /* "experimental" */
-     172,    /* "extReq" */
-      56,    /* "extendedCertificateAttributes" */
-     126,    /* "extendedKeyUsage" */
-     372,    /* "extendedStatus" */
-     867,    /* "facsimileTelephoneNumber" */
-     462,    /* "favouriteDrink" */
-     857,    /* "freshestCRL" */
-     453,    /* "friendlyCountry" */
-     490,    /* "friendlyCountryName" */
-     156,    /* "friendlyName" */
-     509,    /* "generationQualifier" */
-     815,    /* "gost-mac" */
-     976,    /* "gost-mac-12" */
-     811,    /* "gost2001" */
-     851,    /* "gost2001cc" */
-     979,    /* "gost2012_256" */
-     980,    /* "gost2012_512" */
-     813,    /* "gost89" */
-    1009,    /* "gost89-cbc" */
-     814,    /* "gost89-cnt" */
-     975,    /* "gost89-cnt-12" */
-    1011,    /* "gost89-ctr" */
-    1010,    /* "gost89-ecb" */
-     812,    /* "gost94" */
-     850,    /* "gost94cc" */
-    1015,    /* "grasshopper-cbc" */
-    1016,    /* "grasshopper-cfb" */
-    1013,    /* "grasshopper-ctr" */
-    1012,    /* "grasshopper-ecb" */
-    1017,    /* "grasshopper-mac" */
-    1014,    /* "grasshopper-ofb" */
-     797,    /* "hmacWithMD5" */
-     163,    /* "hmacWithSHA1" */
-     798,    /* "hmacWithSHA224" */
-     799,    /* "hmacWithSHA256" */
-     800,    /* "hmacWithSHA384" */
-     801,    /* "hmacWithSHA512" */
-     432,    /* "holdInstructionCallIssuer" */
-     430,    /* "holdInstructionCode" */
-     431,    /* "holdInstructionNone" */
-     433,    /* "holdInstructionReject" */
-     486,    /* "homePostalAddress" */
-     473,    /* "homeTelephoneNumber" */
-     466,    /* "host" */
-     889,    /* "houseIdentifier" */
-     442,    /* "iA5StringSyntax" */
-     783,    /* "id-DHBasedMac" */
-     824,    /* "id-Gost28147-89-CryptoPro-A-ParamSet" */
-     825,    /* "id-Gost28147-89-CryptoPro-B-ParamSet" */
-     826,    /* "id-Gost28147-89-CryptoPro-C-ParamSet" */
-     827,    /* "id-Gost28147-89-CryptoPro-D-ParamSet" */
-     819,    /* "id-Gost28147-89-CryptoPro-KeyMeshing" */
-     829,    /* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
-     828,    /* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
-     830,    /* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
-     820,    /* "id-Gost28147-89-None-KeyMeshing" */
-     823,    /* "id-Gost28147-89-TestParamSet" */
-     849,    /* "id-Gost28147-89-cc" */
-     840,    /* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
-     841,    /* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
-     842,    /* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
-     843,    /* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
-     844,    /* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
-     854,    /* "id-GostR3410-2001-ParamSet-cc" */
-     839,    /* "id-GostR3410-2001-TestParamSet" */
-     817,    /* "id-GostR3410-2001DH" */
-     832,    /* "id-GostR3410-94-CryptoPro-A-ParamSet" */
-     833,    /* "id-GostR3410-94-CryptoPro-B-ParamSet" */
-     834,    /* "id-GostR3410-94-CryptoPro-C-ParamSet" */
-     835,    /* "id-GostR3410-94-CryptoPro-D-ParamSet" */
-     836,    /* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
-     837,    /* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
-     838,    /* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
-     831,    /* "id-GostR3410-94-TestParamSet" */
-     845,    /* "id-GostR3410-94-a" */
-     846,    /* "id-GostR3410-94-aBis" */
-     847,    /* "id-GostR3410-94-b" */
-     848,    /* "id-GostR3410-94-bBis" */
-     818,    /* "id-GostR3410-94DH" */
-     822,    /* "id-GostR3411-94-CryptoProParamSet" */
-     821,    /* "id-GostR3411-94-TestParamSet" */
-     807,    /* "id-GostR3411-94-with-GostR3410-2001" */
-     853,    /* "id-GostR3411-94-with-GostR3410-2001-cc" */
-     808,    /* "id-GostR3411-94-with-GostR3410-94" */
-     852,    /* "id-GostR3411-94-with-GostR3410-94-cc" */
-     810,    /* "id-HMACGostR3411-94" */
-     782,    /* "id-PasswordBasedMAC" */
-     266,    /* "id-aca" */
-     355,    /* "id-aca-accessIdentity" */
-     354,    /* "id-aca-authenticationInfo" */
-     356,    /* "id-aca-chargingIdentity" */
-     399,    /* "id-aca-encAttrs" */
-     357,    /* "id-aca-group" */
-     358,    /* "id-aca-role" */
-     176,    /* "id-ad" */
-     896,    /* "id-aes128-CCM" */
-     895,    /* "id-aes128-GCM" */
-     788,    /* "id-aes128-wrap" */
-     897,    /* "id-aes128-wrap-pad" */
-     899,    /* "id-aes192-CCM" */
-     898,    /* "id-aes192-GCM" */
-     789,    /* "id-aes192-wrap" */
-     900,    /* "id-aes192-wrap-pad" */
-     902,    /* "id-aes256-CCM" */
-     901,    /* "id-aes256-GCM" */
-     790,    /* "id-aes256-wrap" */
-     903,    /* "id-aes256-wrap-pad" */
-     262,    /* "id-alg" */
-     893,    /* "id-alg-PWRI-KEK" */
-     323,    /* "id-alg-des40" */
-     326,    /* "id-alg-dh-pop" */
-     325,    /* "id-alg-dh-sig-hmac-sha1" */
-     324,    /* "id-alg-noSignature" */
-     907,    /* "id-camellia128-wrap" */
-     908,    /* "id-camellia192-wrap" */
-     909,    /* "id-camellia256-wrap" */
-     268,    /* "id-cct" */
-     361,    /* "id-cct-PKIData" */
-     362,    /* "id-cct-PKIResponse" */
-     360,    /* "id-cct-crs" */
-      81,    /* "id-ce" */
-     680,    /* "id-characteristic-two-basis" */
-     263,    /* "id-cmc" */
-     334,    /* "id-cmc-addExtensions" */
-     346,    /* "id-cmc-confirmCertAcceptance" */
-     330,    /* "id-cmc-dataReturn" */
-     336,    /* "id-cmc-decryptedPOP" */
-     335,    /* "id-cmc-encryptedPOP" */
-     339,    /* "id-cmc-getCRL" */
-     338,    /* "id-cmc-getCert" */
-     328,    /* "id-cmc-identification" */
-     329,    /* "id-cmc-identityProof" */
-     337,    /* "id-cmc-lraPOPWitness" */
-     344,    /* "id-cmc-popLinkRandom" */
-     345,    /* "id-cmc-popLinkWitness" */
-     343,    /* "id-cmc-queryPending" */
-     333,    /* "id-cmc-recipientNonce" */
-     341,    /* "id-cmc-regInfo" */
-     342,    /* "id-cmc-responseInfo" */
-     340,    /* "id-cmc-revokeRequest" */
-     332,    /* "id-cmc-senderNonce" */
-     327,    /* "id-cmc-statusInfo" */
-     331,    /* "id-cmc-transactionId" */
-     787,    /* "id-ct-asciiTextWithCRLF" */
-    1060,    /* "id-ct-xml" */
-     408,    /* "id-ecPublicKey" */
-     508,    /* "id-hex-multipart-message" */
-     507,    /* "id-hex-partial-message" */
-     260,    /* "id-it" */
-     302,    /* "id-it-caKeyUpdateInfo" */
-     298,    /* "id-it-caProtEncCert" */
-     311,    /* "id-it-confirmWaitTime" */
-     303,    /* "id-it-currentCRL" */
-     300,    /* "id-it-encKeyPairTypes" */
-     310,    /* "id-it-implicitConfirm" */
-     308,    /* "id-it-keyPairParamRep" */
-     307,    /* "id-it-keyPairParamReq" */
-     312,    /* "id-it-origPKIMessage" */
-     301,    /* "id-it-preferredSymmAlg" */
-     309,    /* "id-it-revPassphrase" */
-     299,    /* "id-it-signKeyPairTypes" */
-     305,    /* "id-it-subscriptionRequest" */
-     306,    /* "id-it-subscriptionResponse" */
-     784,    /* "id-it-suppLangTags" */
-     304,    /* "id-it-unsupportedOIDs" */
-     128,    /* "id-kp" */
-     280,    /* "id-mod-attribute-cert" */
-     274,    /* "id-mod-cmc" */
-     277,    /* "id-mod-cmp" */
-     284,    /* "id-mod-cmp2000" */
-     273,    /* "id-mod-crmf" */
-     283,    /* "id-mod-dvcs" */
-     275,    /* "id-mod-kea-profile-88" */
-     276,    /* "id-mod-kea-profile-93" */
-     282,    /* "id-mod-ocsp" */
-     278,    /* "id-mod-qualified-cert-88" */
-     279,    /* "id-mod-qualified-cert-93" */
-     281,    /* "id-mod-timestamp-protocol" */
-     264,    /* "id-on" */
-     858,    /* "id-on-permanentIdentifier" */
-     347,    /* "id-on-personalData" */
-     265,    /* "id-pda" */
-     352,    /* "id-pda-countryOfCitizenship" */
-     353,    /* "id-pda-countryOfResidence" */
-     348,    /* "id-pda-dateOfBirth" */
-     351,    /* "id-pda-gender" */
-     349,    /* "id-pda-placeOfBirth" */
-     175,    /* "id-pe" */
-    1031,    /* "id-pkinit" */
-     261,    /* "id-pkip" */
-     258,    /* "id-pkix-mod" */
-     269,    /* "id-pkix1-explicit-88" */
-     271,    /* "id-pkix1-explicit-93" */
-     270,    /* "id-pkix1-implicit-88" */
-     272,    /* "id-pkix1-implicit-93" */
-     662,    /* "id-ppl" */
-     664,    /* "id-ppl-anyLanguage" */
-     667,    /* "id-ppl-independent" */
-     665,    /* "id-ppl-inheritAll" */
-     267,    /* "id-qcs" */
-     359,    /* "id-qcs-pkixQCSyntax-v1" */
-     259,    /* "id-qt" */
-     164,    /* "id-qt-cps" */
-     165,    /* "id-qt-unotice" */
-     313,    /* "id-regCtrl" */
-     316,    /* "id-regCtrl-authenticator" */
-     319,    /* "id-regCtrl-oldCertID" */
-     318,    /* "id-regCtrl-pkiArchiveOptions" */
-     317,    /* "id-regCtrl-pkiPublicationInfo" */
-     320,    /* "id-regCtrl-protocolEncrKey" */
-     315,    /* "id-regCtrl-regToken" */
-     314,    /* "id-regInfo" */
-     322,    /* "id-regInfo-certReq" */
-     321,    /* "id-regInfo-utf8Pairs" */
-     973,    /* "id-scrypt" */
-     512,    /* "id-set" */
-     191,    /* "id-smime-aa" */
-     215,    /* "id-smime-aa-contentHint" */
-     218,    /* "id-smime-aa-contentIdentifier" */
-     221,    /* "id-smime-aa-contentReference" */
-     240,    /* "id-smime-aa-dvcs-dvc" */
-     217,    /* "id-smime-aa-encapContentType" */
-     222,    /* "id-smime-aa-encrypKeyPref" */
-     220,    /* "id-smime-aa-equivalentLabels" */
-     232,    /* "id-smime-aa-ets-CertificateRefs" */
-     233,    /* "id-smime-aa-ets-RevocationRefs" */
-     238,    /* "id-smime-aa-ets-archiveTimeStamp" */
-     237,    /* "id-smime-aa-ets-certCRLTimestamp" */
-     234,    /* "id-smime-aa-ets-certValues" */
-     227,    /* "id-smime-aa-ets-commitmentType" */
-     231,    /* "id-smime-aa-ets-contentTimestamp" */
-     236,    /* "id-smime-aa-ets-escTimeStamp" */
-     230,    /* "id-smime-aa-ets-otherSigCert" */
-     235,    /* "id-smime-aa-ets-revocationValues" */
-     226,    /* "id-smime-aa-ets-sigPolicyId" */
-     229,    /* "id-smime-aa-ets-signerAttr" */
-     228,    /* "id-smime-aa-ets-signerLocation" */
-     219,    /* "id-smime-aa-macValue" */
-     214,    /* "id-smime-aa-mlExpandHistory" */
-     216,    /* "id-smime-aa-msgSigDigest" */
-     212,    /* "id-smime-aa-receiptRequest" */
-     213,    /* "id-smime-aa-securityLabel" */
-     239,    /* "id-smime-aa-signatureType" */
-     223,    /* "id-smime-aa-signingCertificate" */
-     224,    /* "id-smime-aa-smimeEncryptCerts" */
-     225,    /* "id-smime-aa-timeStampToken" */
-     192,    /* "id-smime-alg" */
-     243,    /* "id-smime-alg-3DESwrap" */
-     246,    /* "id-smime-alg-CMS3DESwrap" */
-     247,    /* "id-smime-alg-CMSRC2wrap" */
-     245,    /* "id-smime-alg-ESDH" */
-     241,    /* "id-smime-alg-ESDHwith3DES" */
-     242,    /* "id-smime-alg-ESDHwithRC2" */
-     244,    /* "id-smime-alg-RC2wrap" */
-     193,    /* "id-smime-cd" */
-     248,    /* "id-smime-cd-ldap" */
-     190,    /* "id-smime-ct" */
-     210,    /* "id-smime-ct-DVCSRequestData" */
-     211,    /* "id-smime-ct-DVCSResponseData" */
-     208,    /* "id-smime-ct-TDTInfo" */
-     207,    /* "id-smime-ct-TSTInfo" */
-     205,    /* "id-smime-ct-authData" */
-    1059,    /* "id-smime-ct-authEnvelopedData" */
-     786,    /* "id-smime-ct-compressedData" */
-    1058,    /* "id-smime-ct-contentCollection" */
-     209,    /* "id-smime-ct-contentInfo" */
-     206,    /* "id-smime-ct-publishCert" */
-     204,    /* "id-smime-ct-receipt" */
-     195,    /* "id-smime-cti" */
-     255,    /* "id-smime-cti-ets-proofOfApproval" */
-     256,    /* "id-smime-cti-ets-proofOfCreation" */
-     253,    /* "id-smime-cti-ets-proofOfDelivery" */
-     251,    /* "id-smime-cti-ets-proofOfOrigin" */
-     252,    /* "id-smime-cti-ets-proofOfReceipt" */
-     254,    /* "id-smime-cti-ets-proofOfSender" */
-     189,    /* "id-smime-mod" */
-     196,    /* "id-smime-mod-cms" */
-     197,    /* "id-smime-mod-ess" */
-     202,    /* "id-smime-mod-ets-eSigPolicy-88" */
-     203,    /* "id-smime-mod-ets-eSigPolicy-97" */
-     200,    /* "id-smime-mod-ets-eSignature-88" */
-     201,    /* "id-smime-mod-ets-eSignature-97" */
-     199,    /* "id-smime-mod-msg-v3" */
-     198,    /* "id-smime-mod-oid" */
-     194,    /* "id-smime-spq" */
-     250,    /* "id-smime-spq-ets-sqt-unotice" */
-     249,    /* "id-smime-spq-ets-sqt-uri" */
-     974,    /* "id-tc26" */
-     991,    /* "id-tc26-agreement" */
-     992,    /* "id-tc26-agreement-gost-3410-2012-256" */
-     993,    /* "id-tc26-agreement-gost-3410-2012-512" */
-     977,    /* "id-tc26-algorithms" */
-     990,    /* "id-tc26-cipher" */
-    1001,    /* "id-tc26-cipher-constants" */
-     994,    /* "id-tc26-constants" */
-     981,    /* "id-tc26-digest" */
-    1000,    /* "id-tc26-digest-constants" */
-    1002,    /* "id-tc26-gost-28147-constants" */
-    1003,    /* "id-tc26-gost-28147-param-Z" */
-     996,    /* "id-tc26-gost-3410-2012-512-constants" */
-     998,    /* "id-tc26-gost-3410-2012-512-paramSetA" */
-     999,    /* "id-tc26-gost-3410-2012-512-paramSetB" */
-     997,    /* "id-tc26-gost-3410-2012-512-paramSetTest" */
-     988,    /* "id-tc26-hmac-gost-3411-2012-256" */
-     989,    /* "id-tc26-hmac-gost-3411-2012-512" */
-     987,    /* "id-tc26-mac" */
-     978,    /* "id-tc26-sign" */
-     995,    /* "id-tc26-sign-constants" */
-     984,    /* "id-tc26-signwithdigest" */
-     985,    /* "id-tc26-signwithdigest-gost3410-2012-256" */
-     986,    /* "id-tc26-signwithdigest-gost3410-2012-512" */
-     676,    /* "identified-organization" */
-     461,    /* "info" */
-     748,    /* "inhibitAnyPolicy" */
-     101,    /* "initials" */
-     647,    /* "international-organizations" */
-     869,    /* "internationaliSDNNumber" */
-     142,    /* "invalidityDate" */
-     294,    /* "ipsecEndSystem" */
-    1022,    /* "ipsecIKE" */
-     295,    /* "ipsecTunnel" */
-     296,    /* "ipsecUser" */
-      86,    /* "issuerAltName" */
-    1008,    /* "issuerSignTool" */
-     770,    /* "issuingDistributionPoint" */
-     492,    /* "janetMailbox" */
-     957,    /* "jurisdictionC" */
-     955,    /* "jurisdictionL" */
-     956,    /* "jurisdictionST" */
-     150,    /* "keyBag" */
-      83,    /* "keyUsage" */
-     477,    /* "lastModifiedBy" */
-     476,    /* "lastModifiedTime" */
-     157,    /* "localKeyID" */
-     480,    /* "mXRecord" */
-     460,    /* "mail" */
-     493,    /* "mailPreferenceOption" */
-     467,    /* "manager" */
-     982,    /* "md_gost12_256" */
-     983,    /* "md_gost12_512" */
-     809,    /* "md_gost94" */
-     875,    /* "member" */
-     182,    /* "member-body" */
-      51,    /* "messageDigest" */
-     383,    /* "mgmt" */
-     504,    /* "mime-mhs" */
-     506,    /* "mime-mhs-bodies" */
-     505,    /* "mime-mhs-headings" */
-     488,    /* "mobileTelephoneNumber" */
-     136,    /* "msCTLSign" */
-     135,    /* "msCodeCom" */
-     134,    /* "msCodeInd" */
-     138,    /* "msEFS" */
-     171,    /* "msExtReq" */
-     137,    /* "msSGC" */
-     648,    /* "msSmartcardLogin" */
-     649,    /* "msUPN" */
-     481,    /* "nSRecord" */
-     173,    /* "name" */
-     666,    /* "nameConstraints" */
-     369,    /* "noCheck" */
-     403,    /* "noRevAvail" */
-      72,    /* "nsBaseUrl" */
-      76,    /* "nsCaPolicyUrl" */
-      74,    /* "nsCaRevocationUrl" */
-      58,    /* "nsCertExt" */
-      79,    /* "nsCertSequence" */
-      71,    /* "nsCertType" */
-      78,    /* "nsComment" */
-      59,    /* "nsDataType" */
-      75,    /* "nsRenewalUrl" */
-      73,    /* "nsRevocationUrl" */
-     139,    /* "nsSGC" */
-      77,    /* "nsSslServerName" */
-     681,    /* "onBasis" */
-     491,    /* "organizationalStatus" */
-     475,    /* "otherMailbox" */
-     876,    /* "owner" */
-     489,    /* "pagerTelephoneNumber" */
-     374,    /* "path" */
-     112,    /* "pbeWithMD5AndCast5CBC" */
-     499,    /* "personalSignature" */
-     487,    /* "personalTitle" */
-     464,    /* "photo" */
-     863,    /* "physicalDeliveryOfficeName" */
-     437,    /* "pilot" */
-     439,    /* "pilotAttributeSyntax" */
-     438,    /* "pilotAttributeType" */
-     479,    /* "pilotAttributeType27" */
-     456,    /* "pilotDSA" */
-     441,    /* "pilotGroups" */
-     444,    /* "pilotObject" */
-     440,    /* "pilotObjectClass" */
-     455,    /* "pilotOrganization" */
-     445,    /* "pilotPerson" */
-    1032,    /* "pkInitClientAuth" */
-    1033,    /* "pkInitKDC" */
-       2,    /* "pkcs" */
-     186,    /* "pkcs1" */
-      27,    /* "pkcs3" */
-     187,    /* "pkcs5" */
-      20,    /* "pkcs7" */
-      21,    /* "pkcs7-data" */
-      25,    /* "pkcs7-digestData" */
-      26,    /* "pkcs7-encryptedData" */
-      23,    /* "pkcs7-envelopedData" */
-      24,    /* "pkcs7-signedAndEnvelopedData" */
-      22,    /* "pkcs7-signedData" */
-     151,    /* "pkcs8ShroudedKeyBag" */
-      47,    /* "pkcs9" */
-     401,    /* "policyConstraints" */
-     747,    /* "policyMappings" */
-     862,    /* "postOfficeBox" */
-     861,    /* "postalAddress" */
-     661,    /* "postalCode" */
-     683,    /* "ppBasis" */
-     872,    /* "preferredDeliveryMethod" */
-     873,    /* "presentationAddress" */
-     816,    /* "prf-gostr3411-94" */
-     406,    /* "prime-field" */
-     409,    /* "prime192v1" */
-     410,    /* "prime192v2" */
-     411,    /* "prime192v3" */
-     412,    /* "prime239v1" */
-     413,    /* "prime239v2" */
-     414,    /* "prime239v3" */
-     415,    /* "prime256v1" */
-     385,    /* "private" */
-      84,    /* "privateKeyUsagePeriod" */
-     886,    /* "protocolInformation" */
-     663,    /* "proxyCertInfo" */
-     510,    /* "pseudonym" */
-     435,    /* "pss" */
-     286,    /* "qcStatements" */
-     457,    /* "qualityLabelledData" */
-     450,    /* "rFC822localPart" */
-     870,    /* "registeredAddress" */
-     400,    /* "role" */
-     877,    /* "roleOccupant" */
-     448,    /* "room" */
-     463,    /* "roomNumber" */
-       6,    /* "rsaEncryption" */
-     644,    /* "rsaOAEPEncryptionSET" */
-     377,    /* "rsaSignature" */
-       1,    /* "rsadsi" */
-     482,    /* "sOARecord" */
-     155,    /* "safeContentsBag" */
-     291,    /* "sbgp-autonomousSysNum" */
-     290,    /* "sbgp-ipAddrBlock" */
-     292,    /* "sbgp-routerIdentifier" */
-     159,    /* "sdsiCertificate" */
-     859,    /* "searchGuide" */
-     704,    /* "secp112r1" */
-     705,    /* "secp112r2" */
-     706,    /* "secp128r1" */
-     707,    /* "secp128r2" */
-     708,    /* "secp160k1" */
-     709,    /* "secp160r1" */
-     710,    /* "secp160r2" */
-     711,    /* "secp192k1" */
-     712,    /* "secp224k1" */
-     713,    /* "secp224r1" */
-     714,    /* "secp256k1" */
-     715,    /* "secp384r1" */
-     716,    /* "secp521r1" */
-     154,    /* "secretBag" */
-     474,    /* "secretary" */
-     717,    /* "sect113r1" */
-     718,    /* "sect113r2" */
-     719,    /* "sect131r1" */
-     720,    /* "sect131r2" */
-     721,    /* "sect163k1" */
-     722,    /* "sect163r1" */
-     723,    /* "sect163r2" */
-     724,    /* "sect193r1" */
-     725,    /* "sect193r2" */
-     726,    /* "sect233k1" */
-     727,    /* "sect233r1" */
-     728,    /* "sect239k1" */
-     729,    /* "sect283k1" */
-     730,    /* "sect283r1" */
-     731,    /* "sect409k1" */
-     732,    /* "sect409r1" */
-     733,    /* "sect571k1" */
-     734,    /* "sect571r1" */
-    1025,    /* "secureShellClient" */
-    1026,    /* "secureShellServer" */
-     386,    /* "security" */
-     878,    /* "seeAlso" */
-     394,    /* "selected-attribute-types" */
-    1029,    /* "sendOwner" */
-    1030,    /* "sendProxiedOwner" */
-    1028,    /* "sendProxiedRouter" */
-    1027,    /* "sendRouter" */
-     105,    /* "serialNumber" */
-     129,    /* "serverAuth" */
-     371,    /* "serviceLocator" */
-     625,    /* "set-addPolicy" */
-     515,    /* "set-attr" */
-     518,    /* "set-brand" */
-     638,    /* "set-brand-AmericanExpress" */
-     637,    /* "set-brand-Diners" */
-     636,    /* "set-brand-IATA-ATA" */
-     639,    /* "set-brand-JCB" */
-     641,    /* "set-brand-MasterCard" */
-     642,    /* "set-brand-Novus" */
-     640,    /* "set-brand-Visa" */
-     517,    /* "set-certExt" */
-     513,    /* "set-ctype" */
-     514,    /* "set-msgExt" */
-     516,    /* "set-policy" */
-     607,    /* "set-policy-root" */
-     624,    /* "set-rootKeyThumb" */
-     620,    /* "setAttr-Cert" */
-     631,    /* "setAttr-GenCryptgrm" */
-     623,    /* "setAttr-IssCap" */
-     628,    /* "setAttr-IssCap-CVM" */
-     630,    /* "setAttr-IssCap-Sig" */
-     629,    /* "setAttr-IssCap-T2" */
-     621,    /* "setAttr-PGWYcap" */
-     635,    /* "setAttr-SecDevSig" */
-     632,    /* "setAttr-T2Enc" */
-     633,    /* "setAttr-T2cleartxt" */
-     634,    /* "setAttr-TokICCsig" */
-     627,    /* "setAttr-Token-B0Prime" */
-     626,    /* "setAttr-Token-EMV" */
-     622,    /* "setAttr-TokenType" */
-     619,    /* "setCext-IssuerCapabilities" */
-     615,    /* "setCext-PGWYcapabilities" */
-     616,    /* "setCext-TokenIdentifier" */
-     618,    /* "setCext-TokenType" */
-     617,    /* "setCext-Track2Data" */
-     611,    /* "setCext-cCertRequired" */
-     609,    /* "setCext-certType" */
-     608,    /* "setCext-hashedRoot" */
-     610,    /* "setCext-merchData" */
-     613,    /* "setCext-setExt" */
-     614,    /* "setCext-setQualf" */
-     612,    /* "setCext-tunneling" */
-     540,    /* "setct-AcqCardCodeMsg" */
-     576,    /* "setct-AcqCardCodeMsgTBE" */
-     570,    /* "setct-AuthReqTBE" */
-     534,    /* "setct-AuthReqTBS" */
-     527,    /* "setct-AuthResBaggage" */
-     571,    /* "setct-AuthResTBE" */
-     572,    /* "setct-AuthResTBEX" */
-     535,    /* "setct-AuthResTBS" */
-     536,    /* "setct-AuthResTBSX" */
-     528,    /* "setct-AuthRevReqBaggage" */
-     577,    /* "setct-AuthRevReqTBE" */
-     541,    /* "setct-AuthRevReqTBS" */
-     529,    /* "setct-AuthRevResBaggage" */
-     542,    /* "setct-AuthRevResData" */
-     578,    /* "setct-AuthRevResTBE" */
-     579,    /* "setct-AuthRevResTBEB" */
-     543,    /* "setct-AuthRevResTBS" */
-     573,    /* "setct-AuthTokenTBE" */
-     537,    /* "setct-AuthTokenTBS" */
-     600,    /* "setct-BCIDistributionTBS" */
-     558,    /* "setct-BatchAdminReqData" */
-     592,    /* "setct-BatchAdminReqTBE" */
-     559,    /* "setct-BatchAdminResData" */
-     593,    /* "setct-BatchAdminResTBE" */
-     599,    /* "setct-CRLNotificationResTBS" */
-     598,    /* "setct-CRLNotificationTBS" */
-     580,    /* "setct-CapReqTBE" */
-     581,    /* "setct-CapReqTBEX" */
-     544,    /* "setct-CapReqTBS" */
-     545,    /* "setct-CapReqTBSX" */
-     546,    /* "setct-CapResData" */
-     582,    /* "setct-CapResTBE" */
-     583,    /* "setct-CapRevReqTBE" */
-     584,    /* "setct-CapRevReqTBEX" */
-     547,    /* "setct-CapRevReqTBS" */
-     548,    /* "setct-CapRevReqTBSX" */
-     549,    /* "setct-CapRevResData" */
-     585,    /* "setct-CapRevResTBE" */
-     538,    /* "setct-CapTokenData" */
-     530,    /* "setct-CapTokenSeq" */
-     574,    /* "setct-CapTokenTBE" */
-     575,    /* "setct-CapTokenTBEX" */
-     539,    /* "setct-CapTokenTBS" */
-     560,    /* "setct-CardCInitResTBS" */
-     566,    /* "setct-CertInqReqTBS" */
-     563,    /* "setct-CertReqData" */
-     595,    /* "setct-CertReqTBE" */
-     596,    /* "setct-CertReqTBEX" */
-     564,    /* "setct-CertReqTBS" */
-     565,    /* "setct-CertResData" */
-     597,    /* "setct-CertResTBE" */
-     586,    /* "setct-CredReqTBE" */
-     587,    /* "setct-CredReqTBEX" */
-     550,    /* "setct-CredReqTBS" */
-     551,    /* "setct-CredReqTBSX" */
-     552,    /* "setct-CredResData" */
-     588,    /* "setct-CredResTBE" */
-     589,    /* "setct-CredRevReqTBE" */
-     590,    /* "setct-CredRevReqTBEX" */
-     553,    /* "setct-CredRevReqTBS" */
-     554,    /* "setct-CredRevReqTBSX" */
-     555,    /* "setct-CredRevResData" */
-     591,    /* "setct-CredRevResTBE" */
-     567,    /* "setct-ErrorTBS" */
-     526,    /* "setct-HODInput" */
-     561,    /* "setct-MeAqCInitResTBS" */
-     522,    /* "setct-OIData" */
-     519,    /* "setct-PANData" */
-     521,    /* "setct-PANOnly" */
-     520,    /* "setct-PANToken" */
-     556,    /* "setct-PCertReqData" */
-     557,    /* "setct-PCertResTBS" */
-     523,    /* "setct-PI" */
-     532,    /* "setct-PI-TBS" */
-     524,    /* "setct-PIData" */
-     525,    /* "setct-PIDataUnsigned" */
-     568,    /* "setct-PIDualSignedTBE" */
-     569,    /* "setct-PIUnsignedTBE" */
-     531,    /* "setct-PInitResData" */
-     533,    /* "setct-PResData" */
-     594,    /* "setct-RegFormReqTBE" */
-     562,    /* "setct-RegFormResTBS" */
-     606,    /* "setext-cv" */
-     601,    /* "setext-genCrypt" */
-     602,    /* "setext-miAuth" */
-     604,    /* "setext-pinAny" */
-     603,    /* "setext-pinSecure" */
-     605,    /* "setext-track2" */
-      52,    /* "signingTime" */
-     454,    /* "simpleSecurityObject" */
-     496,    /* "singleLevelQuality" */
-     387,    /* "snmpv2" */
-     660,    /* "street" */
-      85,    /* "subjectAltName" */
-     769,    /* "subjectDirectoryAttributes" */
-     398,    /* "subjectInfoAccess" */
-      82,    /* "subjectKeyIdentifier" */
-    1007,    /* "subjectSignTool" */
-     498,    /* "subtreeMaximumQuality" */
-     497,    /* "subtreeMinimumQuality" */
-     890,    /* "supportedAlgorithms" */
-     874,    /* "supportedApplicationContext" */
-     402,    /* "targetInformation" */
-     864,    /* "telephoneNumber" */
-     866,    /* "teletexTerminalIdentifier" */
-     865,    /* "telexNumber" */
-     459,    /* "textEncodedORAddress" */
-     293,    /* "textNotice" */
-     133,    /* "timeStamping" */
-     106,    /* "title" */
-    1020,    /* "tlsfeature" */
-     682,    /* "tpBasis" */
-     375,    /* "trustRoot" */
-     436,    /* "ucl" */
-     102,    /* "uid" */
-     888,    /* "uniqueMember" */
-      55,    /* "unstructuredAddress" */
-      49,    /* "unstructuredName" */
-     880,    /* "userCertificate" */
-     465,    /* "userClass" */
-     879,    /* "userPassword" */
-     373,    /* "valid" */
-     678,    /* "wap" */
-     679,    /* "wap-wsg" */
-     735,    /* "wap-wsg-idm-ecid-wtls1" */
-     743,    /* "wap-wsg-idm-ecid-wtls10" */
-     744,    /* "wap-wsg-idm-ecid-wtls11" */
-     745,    /* "wap-wsg-idm-ecid-wtls12" */
-     736,    /* "wap-wsg-idm-ecid-wtls3" */
-     737,    /* "wap-wsg-idm-ecid-wtls4" */
-     738,    /* "wap-wsg-idm-ecid-wtls5" */
-     739,    /* "wap-wsg-idm-ecid-wtls6" */
-     740,    /* "wap-wsg-idm-ecid-wtls7" */
-     741,    /* "wap-wsg-idm-ecid-wtls8" */
-     742,    /* "wap-wsg-idm-ecid-wtls9" */
-     804,    /* "whirlpool" */
-     868,    /* "x121Address" */
-     503,    /* "x500UniqueIdentifier" */
-     158,    /* "x509Certificate" */
-     160,    /* "x509Crl" */
+static const unsigned int sn_objs[NUM_SN]={
+364,	/* "AD_DVCS" */
+419,	/* "AES-128-CBC" */
+916,	/* "AES-128-CBC-HMAC-SHA1" */
+948,	/* "AES-128-CBC-HMAC-SHA256" */
+421,	/* "AES-128-CFB" */
+650,	/* "AES-128-CFB1" */
+653,	/* "AES-128-CFB8" */
+904,	/* "AES-128-CTR" */
+418,	/* "AES-128-ECB" */
+420,	/* "AES-128-OFB" */
+913,	/* "AES-128-XTS" */
+423,	/* "AES-192-CBC" */
+917,	/* "AES-192-CBC-HMAC-SHA1" */
+949,	/* "AES-192-CBC-HMAC-SHA256" */
+425,	/* "AES-192-CFB" */
+651,	/* "AES-192-CFB1" */
+654,	/* "AES-192-CFB8" */
+905,	/* "AES-192-CTR" */
+422,	/* "AES-192-ECB" */
+424,	/* "AES-192-OFB" */
+427,	/* "AES-256-CBC" */
+918,	/* "AES-256-CBC-HMAC-SHA1" */
+950,	/* "AES-256-CBC-HMAC-SHA256" */
+429,	/* "AES-256-CFB" */
+652,	/* "AES-256-CFB1" */
+655,	/* "AES-256-CFB8" */
+906,	/* "AES-256-CTR" */
+426,	/* "AES-256-ECB" */
+428,	/* "AES-256-OFB" */
+914,	/* "AES-256-XTS" */
+91,	/* "BF-CBC" */
+93,	/* "BF-CFB" */
+92,	/* "BF-ECB" */
+94,	/* "BF-OFB" */
+14,	/* "C" */
+751,	/* "CAMELLIA-128-CBC" */
+757,	/* "CAMELLIA-128-CFB" */
+760,	/* "CAMELLIA-128-CFB1" */
+763,	/* "CAMELLIA-128-CFB8" */
+754,	/* "CAMELLIA-128-ECB" */
+766,	/* "CAMELLIA-128-OFB" */
+752,	/* "CAMELLIA-192-CBC" */
+758,	/* "CAMELLIA-192-CFB" */
+761,	/* "CAMELLIA-192-CFB1" */
+764,	/* "CAMELLIA-192-CFB8" */
+755,	/* "CAMELLIA-192-ECB" */
+767,	/* "CAMELLIA-192-OFB" */
+753,	/* "CAMELLIA-256-CBC" */
+759,	/* "CAMELLIA-256-CFB" */
+762,	/* "CAMELLIA-256-CFB1" */
+765,	/* "CAMELLIA-256-CFB8" */
+756,	/* "CAMELLIA-256-ECB" */
+768,	/* "CAMELLIA-256-OFB" */
+108,	/* "CAST5-CBC" */
+110,	/* "CAST5-CFB" */
+109,	/* "CAST5-ECB" */
+111,	/* "CAST5-OFB" */
+894,	/* "CMAC" */
+13,	/* "CN" */
+141,	/* "CRLReason" */
+417,	/* "CSPName" */
+367,	/* "CrlID" */
+391,	/* "DC" */
+31,	/* "DES-CBC" */
+643,	/* "DES-CDMF" */
+30,	/* "DES-CFB" */
+656,	/* "DES-CFB1" */
+657,	/* "DES-CFB8" */
+29,	/* "DES-ECB" */
+32,	/* "DES-EDE" */
+43,	/* "DES-EDE-CBC" */
+60,	/* "DES-EDE-CFB" */
+62,	/* "DES-EDE-OFB" */
+33,	/* "DES-EDE3" */
+44,	/* "DES-EDE3-CBC" */
+61,	/* "DES-EDE3-CFB" */
+658,	/* "DES-EDE3-CFB1" */
+659,	/* "DES-EDE3-CFB8" */
+63,	/* "DES-EDE3-OFB" */
+45,	/* "DES-OFB" */
+80,	/* "DESX-CBC" */
+380,	/* "DOD" */
+116,	/* "DSA" */
+66,	/* "DSA-SHA" */
+113,	/* "DSA-SHA1" */
+70,	/* "DSA-SHA1-old" */
+67,	/* "DSA-old" */
+297,	/* "DVCS" */
+99,	/* "GN" */
+855,	/* "HMAC" */
+780,	/* "HMAC-MD5" */
+781,	/* "HMAC-SHA1" */
+381,	/* "IANA" */
+34,	/* "IDEA-CBC" */
+35,	/* "IDEA-CFB" */
+36,	/* "IDEA-ECB" */
+46,	/* "IDEA-OFB" */
+181,	/* "ISO" */
+183,	/* "ISO-US" */
+645,	/* "ITU-T" */
+646,	/* "JOINT-ISO-ITU-T" */
+773,	/* "KISA" */
+15,	/* "L" */
+856,	/* "LocalKeySet" */
+ 3,	/* "MD2" */
+257,	/* "MD4" */
+ 4,	/* "MD5" */
+114,	/* "MD5-SHA1" */
+95,	/* "MDC2" */
+911,	/* "MGF1" */
+388,	/* "Mail" */
+393,	/* "NULL" */
+404,	/* "NULL" */
+57,	/* "Netscape" */
+366,	/* "Nonce" */
+17,	/* "O" */
+178,	/* "OCSP" */
+180,	/* "OCSPSigning" */
+379,	/* "ORG" */
+18,	/* "OU" */
+749,	/* "Oakley-EC2N-3" */
+750,	/* "Oakley-EC2N-4" */
+ 9,	/* "PBE-MD2-DES" */
+168,	/* "PBE-MD2-RC2-64" */
+10,	/* "PBE-MD5-DES" */
+169,	/* "PBE-MD5-RC2-64" */
+147,	/* "PBE-SHA1-2DES" */
+146,	/* "PBE-SHA1-3DES" */
+170,	/* "PBE-SHA1-DES" */
+148,	/* "PBE-SHA1-RC2-128" */
+149,	/* "PBE-SHA1-RC2-40" */
+68,	/* "PBE-SHA1-RC2-64" */
+144,	/* "PBE-SHA1-RC4-128" */
+145,	/* "PBE-SHA1-RC4-40" */
+161,	/* "PBES2" */
+69,	/* "PBKDF2" */
+162,	/* "PBMAC1" */
+127,	/* "PKIX" */
+935,	/* "PSPECIFIED" */
+98,	/* "RC2-40-CBC" */
+166,	/* "RC2-64-CBC" */
+37,	/* "RC2-CBC" */
+39,	/* "RC2-CFB" */
+38,	/* "RC2-ECB" */
+40,	/* "RC2-OFB" */
+ 5,	/* "RC4" */
+97,	/* "RC4-40" */
+915,	/* "RC4-HMAC-MD5" */
+120,	/* "RC5-CBC" */
+122,	/* "RC5-CFB" */
+121,	/* "RC5-ECB" */
+123,	/* "RC5-OFB" */
+117,	/* "RIPEMD160" */
+124,	/* "RLE" */
+19,	/* "RSA" */
+ 7,	/* "RSA-MD2" */
+396,	/* "RSA-MD4" */
+ 8,	/* "RSA-MD5" */
+96,	/* "RSA-MDC2" */
+104,	/* "RSA-NP-MD5" */
+119,	/* "RSA-RIPEMD160" */
+42,	/* "RSA-SHA" */
+65,	/* "RSA-SHA1" */
+115,	/* "RSA-SHA1-2" */
+671,	/* "RSA-SHA224" */
+668,	/* "RSA-SHA256" */
+669,	/* "RSA-SHA384" */
+670,	/* "RSA-SHA512" */
+919,	/* "RSAES-OAEP" */
+912,	/* "RSASSA-PSS" */
+777,	/* "SEED-CBC" */
+779,	/* "SEED-CFB" */
+776,	/* "SEED-ECB" */
+778,	/* "SEED-OFB" */
+41,	/* "SHA" */
+64,	/* "SHA1" */
+675,	/* "SHA224" */
+672,	/* "SHA256" */
+673,	/* "SHA384" */
+674,	/* "SHA512" */
+188,	/* "SMIME" */
+167,	/* "SMIME-CAPS" */
+100,	/* "SN" */
+16,	/* "ST" */
+143,	/* "SXNetID" */
+458,	/* "UID" */
+ 0,	/* "UNDEF" */
+11,	/* "X500" */
+378,	/* "X500algorithms" */
+12,	/* "X509" */
+184,	/* "X9-57" */
+185,	/* "X9cm" */
+125,	/* "ZLIB" */
+478,	/* "aRecord" */
+289,	/* "aaControls" */
+287,	/* "ac-auditEntity" */
+397,	/* "ac-proxying" */
+288,	/* "ac-targeting" */
+368,	/* "acceptableResponses" */
+446,	/* "account" */
+363,	/* "ad_timestamping" */
+376,	/* "algorithm" */
+405,	/* "ansi-X9-62" */
+910,	/* "anyExtendedKeyUsage" */
+746,	/* "anyPolicy" */
+370,	/* "archiveCutoff" */
+484,	/* "associatedDomain" */
+485,	/* "associatedName" */
+501,	/* "audio" */
+177,	/* "authorityInfoAccess" */
+90,	/* "authorityKeyIdentifier" */
+882,	/* "authorityRevocationList" */
+87,	/* "basicConstraints" */
+365,	/* "basicOCSPResponse" */
+285,	/* "biometricInfo" */
+921,	/* "brainpoolP160r1" */
+922,	/* "brainpoolP160t1" */
+923,	/* "brainpoolP192r1" */
+924,	/* "brainpoolP192t1" */
+925,	/* "brainpoolP224r1" */
+926,	/* "brainpoolP224t1" */
+927,	/* "brainpoolP256r1" */
+928,	/* "brainpoolP256t1" */
+929,	/* "brainpoolP320r1" */
+930,	/* "brainpoolP320t1" */
+931,	/* "brainpoolP384r1" */
+932,	/* "brainpoolP384t1" */
+933,	/* "brainpoolP512r1" */
+934,	/* "brainpoolP512t1" */
+494,	/* "buildingName" */
+860,	/* "businessCategory" */
+691,	/* "c2onb191v4" */
+692,	/* "c2onb191v5" */
+697,	/* "c2onb239v4" */
+698,	/* "c2onb239v5" */
+684,	/* "c2pnb163v1" */
+685,	/* "c2pnb163v2" */
+686,	/* "c2pnb163v3" */
+687,	/* "c2pnb176v1" */
+693,	/* "c2pnb208w1" */
+699,	/* "c2pnb272w1" */
+700,	/* "c2pnb304w1" */
+702,	/* "c2pnb368w1" */
+688,	/* "c2tnb191v1" */
+689,	/* "c2tnb191v2" */
+690,	/* "c2tnb191v3" */
+694,	/* "c2tnb239v1" */
+695,	/* "c2tnb239v2" */
+696,	/* "c2tnb239v3" */
+701,	/* "c2tnb359v1" */
+703,	/* "c2tnb431r1" */
+881,	/* "cACertificate" */
+483,	/* "cNAMERecord" */
+179,	/* "caIssuers" */
+785,	/* "caRepository" */
+443,	/* "caseIgnoreIA5StringSyntax" */
+152,	/* "certBag" */
+677,	/* "certicom-arc" */
+771,	/* "certificateIssuer" */
+89,	/* "certificatePolicies" */
+883,	/* "certificateRevocationList" */
+54,	/* "challengePassword" */
+407,	/* "characteristic-two-field" */
+395,	/* "clearance" */
+130,	/* "clientAuth" */
+131,	/* "codeSigning" */
+50,	/* "contentType" */
+53,	/* "countersignature" */
+153,	/* "crlBag" */
+103,	/* "crlDistributionPoints" */
+88,	/* "crlNumber" */
+884,	/* "crossCertificatePair" */
+806,	/* "cryptocom" */
+805,	/* "cryptopro" */
+954,	/* "ct_cert_scts" */
+952,	/* "ct_precert_poison" */
+951,	/* "ct_precert_scts" */
+953,	/* "ct_precert_signer" */
+500,	/* "dITRedirect" */
+451,	/* "dNSDomain" */
+495,	/* "dSAQuality" */
+434,	/* "data" */
+390,	/* "dcobject" */
+140,	/* "deltaCRL" */
+891,	/* "deltaRevocationList" */
+107,	/* "description" */
+871,	/* "destinationIndicator" */
+947,	/* "dh-cofactor-kdf" */
+946,	/* "dh-std-kdf" */
+28,	/* "dhKeyAgreement" */
+941,	/* "dhSinglePass-cofactorDH-sha1kdf-scheme" */
+942,	/* "dhSinglePass-cofactorDH-sha224kdf-scheme" */
+943,	/* "dhSinglePass-cofactorDH-sha256kdf-scheme" */
+944,	/* "dhSinglePass-cofactorDH-sha384kdf-scheme" */
+945,	/* "dhSinglePass-cofactorDH-sha512kdf-scheme" */
+936,	/* "dhSinglePass-stdDH-sha1kdf-scheme" */
+937,	/* "dhSinglePass-stdDH-sha224kdf-scheme" */
+938,	/* "dhSinglePass-stdDH-sha256kdf-scheme" */
+939,	/* "dhSinglePass-stdDH-sha384kdf-scheme" */
+940,	/* "dhSinglePass-stdDH-sha512kdf-scheme" */
+920,	/* "dhpublicnumber" */
+382,	/* "directory" */
+887,	/* "distinguishedName" */
+892,	/* "dmdName" */
+174,	/* "dnQualifier" */
+447,	/* "document" */
+471,	/* "documentAuthor" */
+468,	/* "documentIdentifier" */
+472,	/* "documentLocation" */
+502,	/* "documentPublisher" */
+449,	/* "documentSeries" */
+469,	/* "documentTitle" */
+470,	/* "documentVersion" */
+392,	/* "domain" */
+452,	/* "domainRelatedObject" */
+802,	/* "dsa_with_SHA224" */
+803,	/* "dsa_with_SHA256" */
+791,	/* "ecdsa-with-Recommended" */
+416,	/* "ecdsa-with-SHA1" */
+793,	/* "ecdsa-with-SHA224" */
+794,	/* "ecdsa-with-SHA256" */
+795,	/* "ecdsa-with-SHA384" */
+796,	/* "ecdsa-with-SHA512" */
+792,	/* "ecdsa-with-Specified" */
+48,	/* "emailAddress" */
+132,	/* "emailProtection" */
+885,	/* "enhancedSearchGuide" */
+389,	/* "enterprises" */
+384,	/* "experimental" */
+172,	/* "extReq" */
+56,	/* "extendedCertificateAttributes" */
+126,	/* "extendedKeyUsage" */
+372,	/* "extendedStatus" */
+867,	/* "facsimileTelephoneNumber" */
+462,	/* "favouriteDrink" */
+857,	/* "freshestCRL" */
+453,	/* "friendlyCountry" */
+490,	/* "friendlyCountryName" */
+156,	/* "friendlyName" */
+509,	/* "generationQualifier" */
+815,	/* "gost-mac" */
+811,	/* "gost2001" */
+851,	/* "gost2001cc" */
+813,	/* "gost89" */
+814,	/* "gost89-cnt" */
+812,	/* "gost94" */
+850,	/* "gost94cc" */
+797,	/* "hmacWithMD5" */
+163,	/* "hmacWithSHA1" */
+798,	/* "hmacWithSHA224" */
+799,	/* "hmacWithSHA256" */
+800,	/* "hmacWithSHA384" */
+801,	/* "hmacWithSHA512" */
+432,	/* "holdInstructionCallIssuer" */
+430,	/* "holdInstructionCode" */
+431,	/* "holdInstructionNone" */
+433,	/* "holdInstructionReject" */
+486,	/* "homePostalAddress" */
+473,	/* "homeTelephoneNumber" */
+466,	/* "host" */
+889,	/* "houseIdentifier" */
+442,	/* "iA5StringSyntax" */
+783,	/* "id-DHBasedMac" */
+824,	/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
+825,	/* "id-Gost28147-89-CryptoPro-B-ParamSet" */
+826,	/* "id-Gost28147-89-CryptoPro-C-ParamSet" */
+827,	/* "id-Gost28147-89-CryptoPro-D-ParamSet" */
+819,	/* "id-Gost28147-89-CryptoPro-KeyMeshing" */
+829,	/* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
+828,	/* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
+830,	/* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
+820,	/* "id-Gost28147-89-None-KeyMeshing" */
+823,	/* "id-Gost28147-89-TestParamSet" */
+849,	/* "id-Gost28147-89-cc" */
+840,	/* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
+841,	/* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
+842,	/* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
+843,	/* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
+844,	/* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
+854,	/* "id-GostR3410-2001-ParamSet-cc" */
+839,	/* "id-GostR3410-2001-TestParamSet" */
+817,	/* "id-GostR3410-2001DH" */
+832,	/* "id-GostR3410-94-CryptoPro-A-ParamSet" */
+833,	/* "id-GostR3410-94-CryptoPro-B-ParamSet" */
+834,	/* "id-GostR3410-94-CryptoPro-C-ParamSet" */
+835,	/* "id-GostR3410-94-CryptoPro-D-ParamSet" */
+836,	/* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
+837,	/* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
+838,	/* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
+831,	/* "id-GostR3410-94-TestParamSet" */
+845,	/* "id-GostR3410-94-a" */
+846,	/* "id-GostR3410-94-aBis" */
+847,	/* "id-GostR3410-94-b" */
+848,	/* "id-GostR3410-94-bBis" */
+818,	/* "id-GostR3410-94DH" */
+822,	/* "id-GostR3411-94-CryptoProParamSet" */
+821,	/* "id-GostR3411-94-TestParamSet" */
+807,	/* "id-GostR3411-94-with-GostR3410-2001" */
+853,	/* "id-GostR3411-94-with-GostR3410-2001-cc" */
+808,	/* "id-GostR3411-94-with-GostR3410-94" */
+852,	/* "id-GostR3411-94-with-GostR3410-94-cc" */
+810,	/* "id-HMACGostR3411-94" */
+782,	/* "id-PasswordBasedMAC" */
+266,	/* "id-aca" */
+355,	/* "id-aca-accessIdentity" */
+354,	/* "id-aca-authenticationInfo" */
+356,	/* "id-aca-chargingIdentity" */
+399,	/* "id-aca-encAttrs" */
+357,	/* "id-aca-group" */
+358,	/* "id-aca-role" */
+176,	/* "id-ad" */
+896,	/* "id-aes128-CCM" */
+895,	/* "id-aes128-GCM" */
+788,	/* "id-aes128-wrap" */
+897,	/* "id-aes128-wrap-pad" */
+899,	/* "id-aes192-CCM" */
+898,	/* "id-aes192-GCM" */
+789,	/* "id-aes192-wrap" */
+900,	/* "id-aes192-wrap-pad" */
+902,	/* "id-aes256-CCM" */
+901,	/* "id-aes256-GCM" */
+790,	/* "id-aes256-wrap" */
+903,	/* "id-aes256-wrap-pad" */
+262,	/* "id-alg" */
+893,	/* "id-alg-PWRI-KEK" */
+323,	/* "id-alg-des40" */
+326,	/* "id-alg-dh-pop" */
+325,	/* "id-alg-dh-sig-hmac-sha1" */
+324,	/* "id-alg-noSignature" */
+907,	/* "id-camellia128-wrap" */
+908,	/* "id-camellia192-wrap" */
+909,	/* "id-camellia256-wrap" */
+268,	/* "id-cct" */
+361,	/* "id-cct-PKIData" */
+362,	/* "id-cct-PKIResponse" */
+360,	/* "id-cct-crs" */
+81,	/* "id-ce" */
+680,	/* "id-characteristic-two-basis" */
+263,	/* "id-cmc" */
+334,	/* "id-cmc-addExtensions" */
+346,	/* "id-cmc-confirmCertAcceptance" */
+330,	/* "id-cmc-dataReturn" */
+336,	/* "id-cmc-decryptedPOP" */
+335,	/* "id-cmc-encryptedPOP" */
+339,	/* "id-cmc-getCRL" */
+338,	/* "id-cmc-getCert" */
+328,	/* "id-cmc-identification" */
+329,	/* "id-cmc-identityProof" */
+337,	/* "id-cmc-lraPOPWitness" */
+344,	/* "id-cmc-popLinkRandom" */
+345,	/* "id-cmc-popLinkWitness" */
+343,	/* "id-cmc-queryPending" */
+333,	/* "id-cmc-recipientNonce" */
+341,	/* "id-cmc-regInfo" */
+342,	/* "id-cmc-responseInfo" */
+340,	/* "id-cmc-revokeRequest" */
+332,	/* "id-cmc-senderNonce" */
+327,	/* "id-cmc-statusInfo" */
+331,	/* "id-cmc-transactionId" */
+787,	/* "id-ct-asciiTextWithCRLF" */
+408,	/* "id-ecPublicKey" */
+508,	/* "id-hex-multipart-message" */
+507,	/* "id-hex-partial-message" */
+260,	/* "id-it" */
+302,	/* "id-it-caKeyUpdateInfo" */
+298,	/* "id-it-caProtEncCert" */
+311,	/* "id-it-confirmWaitTime" */
+303,	/* "id-it-currentCRL" */
+300,	/* "id-it-encKeyPairTypes" */
+310,	/* "id-it-implicitConfirm" */
+308,	/* "id-it-keyPairParamRep" */
+307,	/* "id-it-keyPairParamReq" */
+312,	/* "id-it-origPKIMessage" */
+301,	/* "id-it-preferredSymmAlg" */
+309,	/* "id-it-revPassphrase" */
+299,	/* "id-it-signKeyPairTypes" */
+305,	/* "id-it-subscriptionRequest" */
+306,	/* "id-it-subscriptionResponse" */
+784,	/* "id-it-suppLangTags" */
+304,	/* "id-it-unsupportedOIDs" */
+128,	/* "id-kp" */
+280,	/* "id-mod-attribute-cert" */
+274,	/* "id-mod-cmc" */
+277,	/* "id-mod-cmp" */
+284,	/* "id-mod-cmp2000" */
+273,	/* "id-mod-crmf" */
+283,	/* "id-mod-dvcs" */
+275,	/* "id-mod-kea-profile-88" */
+276,	/* "id-mod-kea-profile-93" */
+282,	/* "id-mod-ocsp" */
+278,	/* "id-mod-qualified-cert-88" */
+279,	/* "id-mod-qualified-cert-93" */
+281,	/* "id-mod-timestamp-protocol" */
+264,	/* "id-on" */
+858,	/* "id-on-permanentIdentifier" */
+347,	/* "id-on-personalData" */
+265,	/* "id-pda" */
+352,	/* "id-pda-countryOfCitizenship" */
+353,	/* "id-pda-countryOfResidence" */
+348,	/* "id-pda-dateOfBirth" */
+351,	/* "id-pda-gender" */
+349,	/* "id-pda-placeOfBirth" */
+175,	/* "id-pe" */
+261,	/* "id-pkip" */
+258,	/* "id-pkix-mod" */
+269,	/* "id-pkix1-explicit-88" */
+271,	/* "id-pkix1-explicit-93" */
+270,	/* "id-pkix1-implicit-88" */
+272,	/* "id-pkix1-implicit-93" */
+662,	/* "id-ppl" */
+664,	/* "id-ppl-anyLanguage" */
+667,	/* "id-ppl-independent" */
+665,	/* "id-ppl-inheritAll" */
+267,	/* "id-qcs" */
+359,	/* "id-qcs-pkixQCSyntax-v1" */
+259,	/* "id-qt" */
+164,	/* "id-qt-cps" */
+165,	/* "id-qt-unotice" */
+313,	/* "id-regCtrl" */
+316,	/* "id-regCtrl-authenticator" */
+319,	/* "id-regCtrl-oldCertID" */
+318,	/* "id-regCtrl-pkiArchiveOptions" */
+317,	/* "id-regCtrl-pkiPublicationInfo" */
+320,	/* "id-regCtrl-protocolEncrKey" */
+315,	/* "id-regCtrl-regToken" */
+314,	/* "id-regInfo" */
+322,	/* "id-regInfo-certReq" */
+321,	/* "id-regInfo-utf8Pairs" */
+512,	/* "id-set" */
+191,	/* "id-smime-aa" */
+215,	/* "id-smime-aa-contentHint" */
+218,	/* "id-smime-aa-contentIdentifier" */
+221,	/* "id-smime-aa-contentReference" */
+240,	/* "id-smime-aa-dvcs-dvc" */
+217,	/* "id-smime-aa-encapContentType" */
+222,	/* "id-smime-aa-encrypKeyPref" */
+220,	/* "id-smime-aa-equivalentLabels" */
+232,	/* "id-smime-aa-ets-CertificateRefs" */
+233,	/* "id-smime-aa-ets-RevocationRefs" */
+238,	/* "id-smime-aa-ets-archiveTimeStamp" */
+237,	/* "id-smime-aa-ets-certCRLTimestamp" */
+234,	/* "id-smime-aa-ets-certValues" */
+227,	/* "id-smime-aa-ets-commitmentType" */
+231,	/* "id-smime-aa-ets-contentTimestamp" */
+236,	/* "id-smime-aa-ets-escTimeStamp" */
+230,	/* "id-smime-aa-ets-otherSigCert" */
+235,	/* "id-smime-aa-ets-revocationValues" */
+226,	/* "id-smime-aa-ets-sigPolicyId" */
+229,	/* "id-smime-aa-ets-signerAttr" */
+228,	/* "id-smime-aa-ets-signerLocation" */
+219,	/* "id-smime-aa-macValue" */
+214,	/* "id-smime-aa-mlExpandHistory" */
+216,	/* "id-smime-aa-msgSigDigest" */
+212,	/* "id-smime-aa-receiptRequest" */
+213,	/* "id-smime-aa-securityLabel" */
+239,	/* "id-smime-aa-signatureType" */
+223,	/* "id-smime-aa-signingCertificate" */
+224,	/* "id-smime-aa-smimeEncryptCerts" */
+225,	/* "id-smime-aa-timeStampToken" */
+192,	/* "id-smime-alg" */
+243,	/* "id-smime-alg-3DESwrap" */
+246,	/* "id-smime-alg-CMS3DESwrap" */
+247,	/* "id-smime-alg-CMSRC2wrap" */
+245,	/* "id-smime-alg-ESDH" */
+241,	/* "id-smime-alg-ESDHwith3DES" */
+242,	/* "id-smime-alg-ESDHwithRC2" */
+244,	/* "id-smime-alg-RC2wrap" */
+193,	/* "id-smime-cd" */
+248,	/* "id-smime-cd-ldap" */
+190,	/* "id-smime-ct" */
+210,	/* "id-smime-ct-DVCSRequestData" */
+211,	/* "id-smime-ct-DVCSResponseData" */
+208,	/* "id-smime-ct-TDTInfo" */
+207,	/* "id-smime-ct-TSTInfo" */
+205,	/* "id-smime-ct-authData" */
+786,	/* "id-smime-ct-compressedData" */
+209,	/* "id-smime-ct-contentInfo" */
+206,	/* "id-smime-ct-publishCert" */
+204,	/* "id-smime-ct-receipt" */
+195,	/* "id-smime-cti" */
+255,	/* "id-smime-cti-ets-proofOfApproval" */
+256,	/* "id-smime-cti-ets-proofOfCreation" */
+253,	/* "id-smime-cti-ets-proofOfDelivery" */
+251,	/* "id-smime-cti-ets-proofOfOrigin" */
+252,	/* "id-smime-cti-ets-proofOfReceipt" */
+254,	/* "id-smime-cti-ets-proofOfSender" */
+189,	/* "id-smime-mod" */
+196,	/* "id-smime-mod-cms" */
+197,	/* "id-smime-mod-ess" */
+202,	/* "id-smime-mod-ets-eSigPolicy-88" */
+203,	/* "id-smime-mod-ets-eSigPolicy-97" */
+200,	/* "id-smime-mod-ets-eSignature-88" */
+201,	/* "id-smime-mod-ets-eSignature-97" */
+199,	/* "id-smime-mod-msg-v3" */
+198,	/* "id-smime-mod-oid" */
+194,	/* "id-smime-spq" */
+250,	/* "id-smime-spq-ets-sqt-unotice" */
+249,	/* "id-smime-spq-ets-sqt-uri" */
+676,	/* "identified-organization" */
+461,	/* "info" */
+748,	/* "inhibitAnyPolicy" */
+101,	/* "initials" */
+647,	/* "international-organizations" */
+869,	/* "internationaliSDNNumber" */
+142,	/* "invalidityDate" */
+294,	/* "ipsecEndSystem" */
+295,	/* "ipsecTunnel" */
+296,	/* "ipsecUser" */
+86,	/* "issuerAltName" */
+770,	/* "issuingDistributionPoint" */
+492,	/* "janetMailbox" */
+957,	/* "jurisdictionC" */
+955,	/* "jurisdictionL" */
+956,	/* "jurisdictionST" */
+150,	/* "keyBag" */
+83,	/* "keyUsage" */
+477,	/* "lastModifiedBy" */
+476,	/* "lastModifiedTime" */
+157,	/* "localKeyID" */
+480,	/* "mXRecord" */
+460,	/* "mail" */
+493,	/* "mailPreferenceOption" */
+467,	/* "manager" */
+809,	/* "md_gost94" */
+875,	/* "member" */
+182,	/* "member-body" */
+51,	/* "messageDigest" */
+383,	/* "mgmt" */
+504,	/* "mime-mhs" */
+506,	/* "mime-mhs-bodies" */
+505,	/* "mime-mhs-headings" */
+488,	/* "mobileTelephoneNumber" */
+136,	/* "msCTLSign" */
+135,	/* "msCodeCom" */
+134,	/* "msCodeInd" */
+138,	/* "msEFS" */
+171,	/* "msExtReq" */
+137,	/* "msSGC" */
+648,	/* "msSmartcardLogin" */
+649,	/* "msUPN" */
+481,	/* "nSRecord" */
+173,	/* "name" */
+666,	/* "nameConstraints" */
+369,	/* "noCheck" */
+403,	/* "noRevAvail" */
+72,	/* "nsBaseUrl" */
+76,	/* "nsCaPolicyUrl" */
+74,	/* "nsCaRevocationUrl" */
+58,	/* "nsCertExt" */
+79,	/* "nsCertSequence" */
+71,	/* "nsCertType" */
+78,	/* "nsComment" */
+59,	/* "nsDataType" */
+75,	/* "nsRenewalUrl" */
+73,	/* "nsRevocationUrl" */
+139,	/* "nsSGC" */
+77,	/* "nsSslServerName" */
+681,	/* "onBasis" */
+491,	/* "organizationalStatus" */
+475,	/* "otherMailbox" */
+876,	/* "owner" */
+489,	/* "pagerTelephoneNumber" */
+374,	/* "path" */
+112,	/* "pbeWithMD5AndCast5CBC" */
+499,	/* "personalSignature" */
+487,	/* "personalTitle" */
+464,	/* "photo" */
+863,	/* "physicalDeliveryOfficeName" */
+437,	/* "pilot" */
+439,	/* "pilotAttributeSyntax" */
+438,	/* "pilotAttributeType" */
+479,	/* "pilotAttributeType27" */
+456,	/* "pilotDSA" */
+441,	/* "pilotGroups" */
+444,	/* "pilotObject" */
+440,	/* "pilotObjectClass" */
+455,	/* "pilotOrganization" */
+445,	/* "pilotPerson" */
+ 2,	/* "pkcs" */
+186,	/* "pkcs1" */
+27,	/* "pkcs3" */
+187,	/* "pkcs5" */
+20,	/* "pkcs7" */
+21,	/* "pkcs7-data" */
+25,	/* "pkcs7-digestData" */
+26,	/* "pkcs7-encryptedData" */
+23,	/* "pkcs7-envelopedData" */
+24,	/* "pkcs7-signedAndEnvelopedData" */
+22,	/* "pkcs7-signedData" */
+151,	/* "pkcs8ShroudedKeyBag" */
+47,	/* "pkcs9" */
+401,	/* "policyConstraints" */
+747,	/* "policyMappings" */
+862,	/* "postOfficeBox" */
+861,	/* "postalAddress" */
+661,	/* "postalCode" */
+683,	/* "ppBasis" */
+872,	/* "preferredDeliveryMethod" */
+873,	/* "presentationAddress" */
+816,	/* "prf-gostr3411-94" */
+406,	/* "prime-field" */
+409,	/* "prime192v1" */
+410,	/* "prime192v2" */
+411,	/* "prime192v3" */
+412,	/* "prime239v1" */
+413,	/* "prime239v2" */
+414,	/* "prime239v3" */
+415,	/* "prime256v1" */
+385,	/* "private" */
+84,	/* "privateKeyUsagePeriod" */
+886,	/* "protocolInformation" */
+663,	/* "proxyCertInfo" */
+510,	/* "pseudonym" */
+435,	/* "pss" */
+286,	/* "qcStatements" */
+457,	/* "qualityLabelledData" */
+450,	/* "rFC822localPart" */
+870,	/* "registeredAddress" */
+400,	/* "role" */
+877,	/* "roleOccupant" */
+448,	/* "room" */
+463,	/* "roomNumber" */
+ 6,	/* "rsaEncryption" */
+644,	/* "rsaOAEPEncryptionSET" */
+377,	/* "rsaSignature" */
+ 1,	/* "rsadsi" */
+482,	/* "sOARecord" */
+155,	/* "safeContentsBag" */
+291,	/* "sbgp-autonomousSysNum" */
+290,	/* "sbgp-ipAddrBlock" */
+292,	/* "sbgp-routerIdentifier" */
+159,	/* "sdsiCertificate" */
+859,	/* "searchGuide" */
+704,	/* "secp112r1" */
+705,	/* "secp112r2" */
+706,	/* "secp128r1" */
+707,	/* "secp128r2" */
+708,	/* "secp160k1" */
+709,	/* "secp160r1" */
+710,	/* "secp160r2" */
+711,	/* "secp192k1" */
+712,	/* "secp224k1" */
+713,	/* "secp224r1" */
+714,	/* "secp256k1" */
+715,	/* "secp384r1" */
+716,	/* "secp521r1" */
+154,	/* "secretBag" */
+474,	/* "secretary" */
+717,	/* "sect113r1" */
+718,	/* "sect113r2" */
+719,	/* "sect131r1" */
+720,	/* "sect131r2" */
+721,	/* "sect163k1" */
+722,	/* "sect163r1" */
+723,	/* "sect163r2" */
+724,	/* "sect193r1" */
+725,	/* "sect193r2" */
+726,	/* "sect233k1" */
+727,	/* "sect233r1" */
+728,	/* "sect239k1" */
+729,	/* "sect283k1" */
+730,	/* "sect283r1" */
+731,	/* "sect409k1" */
+732,	/* "sect409r1" */
+733,	/* "sect571k1" */
+734,	/* "sect571r1" */
+386,	/* "security" */
+878,	/* "seeAlso" */
+394,	/* "selected-attribute-types" */
+105,	/* "serialNumber" */
+129,	/* "serverAuth" */
+371,	/* "serviceLocator" */
+625,	/* "set-addPolicy" */
+515,	/* "set-attr" */
+518,	/* "set-brand" */
+638,	/* "set-brand-AmericanExpress" */
+637,	/* "set-brand-Diners" */
+636,	/* "set-brand-IATA-ATA" */
+639,	/* "set-brand-JCB" */
+641,	/* "set-brand-MasterCard" */
+642,	/* "set-brand-Novus" */
+640,	/* "set-brand-Visa" */
+517,	/* "set-certExt" */
+513,	/* "set-ctype" */
+514,	/* "set-msgExt" */
+516,	/* "set-policy" */
+607,	/* "set-policy-root" */
+624,	/* "set-rootKeyThumb" */
+620,	/* "setAttr-Cert" */
+631,	/* "setAttr-GenCryptgrm" */
+623,	/* "setAttr-IssCap" */
+628,	/* "setAttr-IssCap-CVM" */
+630,	/* "setAttr-IssCap-Sig" */
+629,	/* "setAttr-IssCap-T2" */
+621,	/* "setAttr-PGWYcap" */
+635,	/* "setAttr-SecDevSig" */
+632,	/* "setAttr-T2Enc" */
+633,	/* "setAttr-T2cleartxt" */
+634,	/* "setAttr-TokICCsig" */
+627,	/* "setAttr-Token-B0Prime" */
+626,	/* "setAttr-Token-EMV" */
+622,	/* "setAttr-TokenType" */
+619,	/* "setCext-IssuerCapabilities" */
+615,	/* "setCext-PGWYcapabilities" */
+616,	/* "setCext-TokenIdentifier" */
+618,	/* "setCext-TokenType" */
+617,	/* "setCext-Track2Data" */
+611,	/* "setCext-cCertRequired" */
+609,	/* "setCext-certType" */
+608,	/* "setCext-hashedRoot" */
+610,	/* "setCext-merchData" */
+613,	/* "setCext-setExt" */
+614,	/* "setCext-setQualf" */
+612,	/* "setCext-tunneling" */
+540,	/* "setct-AcqCardCodeMsg" */
+576,	/* "setct-AcqCardCodeMsgTBE" */
+570,	/* "setct-AuthReqTBE" */
+534,	/* "setct-AuthReqTBS" */
+527,	/* "setct-AuthResBaggage" */
+571,	/* "setct-AuthResTBE" */
+572,	/* "setct-AuthResTBEX" */
+535,	/* "setct-AuthResTBS" */
+536,	/* "setct-AuthResTBSX" */
+528,	/* "setct-AuthRevReqBaggage" */
+577,	/* "setct-AuthRevReqTBE" */
+541,	/* "setct-AuthRevReqTBS" */
+529,	/* "setct-AuthRevResBaggage" */
+542,	/* "setct-AuthRevResData" */
+578,	/* "setct-AuthRevResTBE" */
+579,	/* "setct-AuthRevResTBEB" */
+543,	/* "setct-AuthRevResTBS" */
+573,	/* "setct-AuthTokenTBE" */
+537,	/* "setct-AuthTokenTBS" */
+600,	/* "setct-BCIDistributionTBS" */
+558,	/* "setct-BatchAdminReqData" */
+592,	/* "setct-BatchAdminReqTBE" */
+559,	/* "setct-BatchAdminResData" */
+593,	/* "setct-BatchAdminResTBE" */
+599,	/* "setct-CRLNotificationResTBS" */
+598,	/* "setct-CRLNotificationTBS" */
+580,	/* "setct-CapReqTBE" */
+581,	/* "setct-CapReqTBEX" */
+544,	/* "setct-CapReqTBS" */
+545,	/* "setct-CapReqTBSX" */
+546,	/* "setct-CapResData" */
+582,	/* "setct-CapResTBE" */
+583,	/* "setct-CapRevReqTBE" */
+584,	/* "setct-CapRevReqTBEX" */
+547,	/* "setct-CapRevReqTBS" */
+548,	/* "setct-CapRevReqTBSX" */
+549,	/* "setct-CapRevResData" */
+585,	/* "setct-CapRevResTBE" */
+538,	/* "setct-CapTokenData" */
+530,	/* "setct-CapTokenSeq" */
+574,	/* "setct-CapTokenTBE" */
+575,	/* "setct-CapTokenTBEX" */
+539,	/* "setct-CapTokenTBS" */
+560,	/* "setct-CardCInitResTBS" */
+566,	/* "setct-CertInqReqTBS" */
+563,	/* "setct-CertReqData" */
+595,	/* "setct-CertReqTBE" */
+596,	/* "setct-CertReqTBEX" */
+564,	/* "setct-CertReqTBS" */
+565,	/* "setct-CertResData" */
+597,	/* "setct-CertResTBE" */
+586,	/* "setct-CredReqTBE" */
+587,	/* "setct-CredReqTBEX" */
+550,	/* "setct-CredReqTBS" */
+551,	/* "setct-CredReqTBSX" */
+552,	/* "setct-CredResData" */
+588,	/* "setct-CredResTBE" */
+589,	/* "setct-CredRevReqTBE" */
+590,	/* "setct-CredRevReqTBEX" */
+553,	/* "setct-CredRevReqTBS" */
+554,	/* "setct-CredRevReqTBSX" */
+555,	/* "setct-CredRevResData" */
+591,	/* "setct-CredRevResTBE" */
+567,	/* "setct-ErrorTBS" */
+526,	/* "setct-HODInput" */
+561,	/* "setct-MeAqCInitResTBS" */
+522,	/* "setct-OIData" */
+519,	/* "setct-PANData" */
+521,	/* "setct-PANOnly" */
+520,	/* "setct-PANToken" */
+556,	/* "setct-PCertReqData" */
+557,	/* "setct-PCertResTBS" */
+523,	/* "setct-PI" */
+532,	/* "setct-PI-TBS" */
+524,	/* "setct-PIData" */
+525,	/* "setct-PIDataUnsigned" */
+568,	/* "setct-PIDualSignedTBE" */
+569,	/* "setct-PIUnsignedTBE" */
+531,	/* "setct-PInitResData" */
+533,	/* "setct-PResData" */
+594,	/* "setct-RegFormReqTBE" */
+562,	/* "setct-RegFormResTBS" */
+606,	/* "setext-cv" */
+601,	/* "setext-genCrypt" */
+602,	/* "setext-miAuth" */
+604,	/* "setext-pinAny" */
+603,	/* "setext-pinSecure" */
+605,	/* "setext-track2" */
+52,	/* "signingTime" */
+454,	/* "simpleSecurityObject" */
+496,	/* "singleLevelQuality" */
+387,	/* "snmpv2" */
+660,	/* "street" */
+85,	/* "subjectAltName" */
+769,	/* "subjectDirectoryAttributes" */
+398,	/* "subjectInfoAccess" */
+82,	/* "subjectKeyIdentifier" */
+498,	/* "subtreeMaximumQuality" */
+497,	/* "subtreeMinimumQuality" */
+890,	/* "supportedAlgorithms" */
+874,	/* "supportedApplicationContext" */
+402,	/* "targetInformation" */
+864,	/* "telephoneNumber" */
+866,	/* "teletexTerminalIdentifier" */
+865,	/* "telexNumber" */
+459,	/* "textEncodedORAddress" */
+293,	/* "textNotice" */
+133,	/* "timeStamping" */
+106,	/* "title" */
+682,	/* "tpBasis" */
+375,	/* "trustRoot" */
+436,	/* "ucl" */
+888,	/* "uniqueMember" */
+55,	/* "unstructuredAddress" */
+49,	/* "unstructuredName" */
+880,	/* "userCertificate" */
+465,	/* "userClass" */
+879,	/* "userPassword" */
+373,	/* "valid" */
+678,	/* "wap" */
+679,	/* "wap-wsg" */
+735,	/* "wap-wsg-idm-ecid-wtls1" */
+743,	/* "wap-wsg-idm-ecid-wtls10" */
+744,	/* "wap-wsg-idm-ecid-wtls11" */
+745,	/* "wap-wsg-idm-ecid-wtls12" */
+736,	/* "wap-wsg-idm-ecid-wtls3" */
+737,	/* "wap-wsg-idm-ecid-wtls4" */
+738,	/* "wap-wsg-idm-ecid-wtls5" */
+739,	/* "wap-wsg-idm-ecid-wtls6" */
+740,	/* "wap-wsg-idm-ecid-wtls7" */
+741,	/* "wap-wsg-idm-ecid-wtls8" */
+742,	/* "wap-wsg-idm-ecid-wtls9" */
+804,	/* "whirlpool" */
+868,	/* "x121Address" */
+503,	/* "x500UniqueIdentifier" */
+158,	/* "x509Certificate" */
+160,	/* "x509Crl" */
 };
 
-#define NUM_LN 1052
-static const unsigned int ln_objs[NUM_LN] = {
-     363,    /* "AD Time Stamping" */
-     405,    /* "ANSI X9.62" */
-     368,    /* "Acceptable OCSP Responses" */
-     910,    /* "Any Extended Key Usage" */
-     664,    /* "Any language" */
-     177,    /* "Authority Information Access" */
-     365,    /* "Basic OCSP Response" */
-     285,    /* "Biometric Info" */
-     179,    /* "CA Issuers" */
-     785,    /* "CA Repository" */
-     954,    /* "CT Certificate SCTs" */
-     952,    /* "CT Precertificate Poison" */
-     951,    /* "CT Precertificate SCTs" */
-     953,    /* "CT Precertificate Signer" */
-     131,    /* "Code Signing" */
-    1024,    /* "Ctrl/Provision WAP Termination" */
-    1023,    /* "Ctrl/provision WAP Access" */
-     783,    /* "Diffie-Hellman based MAC" */
-     382,    /* "Directory" */
-     392,    /* "Domain" */
-     132,    /* "E-mail Protection" */
-     389,    /* "Enterprises" */
-     384,    /* "Experimental" */
-     372,    /* "Extended OCSP Status" */
-     172,    /* "Extension Request" */
-     813,    /* "GOST 28147-89" */
-     849,    /* "GOST 28147-89 Cryptocom ParamSet" */
-     815,    /* "GOST 28147-89 MAC" */
-    1003,    /* "GOST 28147-89 TC26 parameter set" */
-     851,    /* "GOST 34.10-2001 Cryptocom" */
-     850,    /* "GOST 34.10-94 Cryptocom" */
-     811,    /* "GOST R 34.10-2001" */
-     817,    /* "GOST R 34.10-2001 DH" */
-     998,    /* "GOST R 34.10-2012 (512 bit) ParamSet A" */
-     999,    /* "GOST R 34.10-2012 (512 bit) ParamSet B" */
-     997,    /* "GOST R 34.10-2012 (512 bit) testing parameter set" */
-     979,    /* "GOST R 34.10-2012 with 256 bit modulus" */
-     980,    /* "GOST R 34.10-2012 with 512 bit modulus" */
-     985,    /* "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)" */
-     986,    /* "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)" */
-     812,    /* "GOST R 34.10-94" */
-     818,    /* "GOST R 34.10-94 DH" */
-     982,    /* "GOST R 34.11-2012 with 256 bit hash" */
-     983,    /* "GOST R 34.11-2012 with 512 bit hash" */
-     809,    /* "GOST R 34.11-94" */
-     816,    /* "GOST R 34.11-94 PRF" */
-     807,    /* "GOST R 34.11-94 with GOST R 34.10-2001" */
-     853,    /* "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom" */
-     808,    /* "GOST R 34.11-94 with GOST R 34.10-94" */
-     852,    /* "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom" */
-     854,    /* "GOST R 3410-2001 Parameter Set Cryptocom" */
-     988,    /* "HMAC GOST 34.11-2012 256 bit" */
-     989,    /* "HMAC GOST 34.11-2012 512 bit" */
-     810,    /* "HMAC GOST 34.11-94" */
-     432,    /* "Hold Instruction Call Issuer" */
-     430,    /* "Hold Instruction Code" */
-     431,    /* "Hold Instruction None" */
-     433,    /* "Hold Instruction Reject" */
-     634,    /* "ICC or token signature" */
-    1004,    /* "INN" */
-     294,    /* "IPSec End System" */
-     295,    /* "IPSec Tunnel" */
-     296,    /* "IPSec User" */
-     182,    /* "ISO Member Body" */
-     183,    /* "ISO US Member Body" */
-     667,    /* "Independent" */
-     665,    /* "Inherit all" */
-     647,    /* "International Organizations" */
-     142,    /* "Invalidity Date" */
-     504,    /* "MIME MHS" */
-     388,    /* "Mail" */
-     383,    /* "Management" */
-     417,    /* "Microsoft CSP Name" */
-     135,    /* "Microsoft Commercial Code Signing" */
-     138,    /* "Microsoft Encrypted File System" */
-     171,    /* "Microsoft Extension Request" */
-     134,    /* "Microsoft Individual Code Signing" */
-     856,    /* "Microsoft Local Key set" */
-     137,    /* "Microsoft Server Gated Crypto" */
-     648,    /* "Microsoft Smartcardlogin" */
-     136,    /* "Microsoft Trust List Signing" */
-     649,    /* "Microsoft Universal Principal Name" */
-     393,    /* "NULL" */
-     404,    /* "NULL" */
-      72,    /* "Netscape Base Url" */
-      76,    /* "Netscape CA Policy Url" */
-      74,    /* "Netscape CA Revocation Url" */
-      71,    /* "Netscape Cert Type" */
-      58,    /* "Netscape Certificate Extension" */
-      79,    /* "Netscape Certificate Sequence" */
-      78,    /* "Netscape Comment" */
-      57,    /* "Netscape Communications Corp." */
-      59,    /* "Netscape Data Type" */
-      75,    /* "Netscape Renewal Url" */
-      73,    /* "Netscape Revocation Url" */
-      77,    /* "Netscape SSL Server Name" */
-     139,    /* "Netscape Server Gated Crypto" */
-     178,    /* "OCSP" */
-     370,    /* "OCSP Archive Cutoff" */
-     367,    /* "OCSP CRL ID" */
-     369,    /* "OCSP No Check" */
-     366,    /* "OCSP Nonce" */
-     371,    /* "OCSP Service Locator" */
-     180,    /* "OCSP Signing" */
-    1005,    /* "OGRN" */
-     161,    /* "PBES2" */
-      69,    /* "PBKDF2" */
-     162,    /* "PBMAC1" */
-    1032,    /* "PKINIT Client Auth" */
-     127,    /* "PKIX" */
-     858,    /* "Permanent Identifier" */
-     164,    /* "Policy Qualifier CPS" */
-     165,    /* "Policy Qualifier User Notice" */
-     385,    /* "Private" */
-     663,    /* "Proxy Certificate Information" */
-       1,    /* "RSA Data Security, Inc." */
-       2,    /* "RSA Data Security, Inc. PKCS" */
-     188,    /* "S/MIME" */
-     167,    /* "S/MIME Capabilities" */
-    1006,    /* "SNILS" */
-     387,    /* "SNMPv2" */
-    1025,    /* "SSH Client" */
-    1026,    /* "SSH Server" */
-     512,    /* "Secure Electronic Transactions" */
-     386,    /* "Security" */
-     394,    /* "Selected Attribute Types" */
-    1029,    /* "Send Owner" */
-    1030,    /* "Send Proxied Owner" */
-    1028,    /* "Send Proxied Router" */
-    1027,    /* "Send Router" */
-    1033,    /* "Signing KDC Response" */
-    1008,    /* "Signing Tool of Issuer" */
-    1007,    /* "Signing Tool of Subject" */
-     143,    /* "Strong Extranet ID" */
-     398,    /* "Subject Information Access" */
-    1020,    /* "TLS Feature" */
-     130,    /* "TLS Web Client Authentication" */
-     129,    /* "TLS Web Server Authentication" */
-     133,    /* "Time Stamping" */
-     375,    /* "Trust Root" */
-    1034,    /* "X25519" */
-    1035,    /* "X448" */
-      12,    /* "X509" */
-     402,    /* "X509v3 AC Targeting" */
-     746,    /* "X509v3 Any Policy" */
-      90,    /* "X509v3 Authority Key Identifier" */
-      87,    /* "X509v3 Basic Constraints" */
-     103,    /* "X509v3 CRL Distribution Points" */
-      88,    /* "X509v3 CRL Number" */
-     141,    /* "X509v3 CRL Reason Code" */
-     771,    /* "X509v3 Certificate Issuer" */
-      89,    /* "X509v3 Certificate Policies" */
-     140,    /* "X509v3 Delta CRL Indicator" */
-     126,    /* "X509v3 Extended Key Usage" */
-     857,    /* "X509v3 Freshest CRL" */
-     748,    /* "X509v3 Inhibit Any Policy" */
-      86,    /* "X509v3 Issuer Alternative Name" */
-     770,    /* "X509v3 Issuing Distribution Point" */
-      83,    /* "X509v3 Key Usage" */
-     666,    /* "X509v3 Name Constraints" */
-     403,    /* "X509v3 No Revocation Available" */
-     401,    /* "X509v3 Policy Constraints" */
-     747,    /* "X509v3 Policy Mappings" */
-      84,    /* "X509v3 Private Key Usage Period" */
-      85,    /* "X509v3 Subject Alternative Name" */
-     769,    /* "X509v3 Subject Directory Attributes" */
-      82,    /* "X509v3 Subject Key Identifier" */
-     920,    /* "X9.42 DH" */
-     184,    /* "X9.57" */
-     185,    /* "X9.57 CM ?" */
-     478,    /* "aRecord" */
-     289,    /* "aaControls" */
-     287,    /* "ac-auditEntity" */
-     397,    /* "ac-proxying" */
-     288,    /* "ac-targeting" */
-     446,    /* "account" */
-     364,    /* "ad dvcs" */
-     606,    /* "additional verification" */
-     419,    /* "aes-128-cbc" */
-     916,    /* "aes-128-cbc-hmac-sha1" */
-     948,    /* "aes-128-cbc-hmac-sha256" */
-     896,    /* "aes-128-ccm" */
-     421,    /* "aes-128-cfb" */
-     650,    /* "aes-128-cfb1" */
-     653,    /* "aes-128-cfb8" */
-     904,    /* "aes-128-ctr" */
-     418,    /* "aes-128-ecb" */
-     895,    /* "aes-128-gcm" */
-     958,    /* "aes-128-ocb" */
-     420,    /* "aes-128-ofb" */
-     913,    /* "aes-128-xts" */
-     423,    /* "aes-192-cbc" */
-     917,    /* "aes-192-cbc-hmac-sha1" */
-     949,    /* "aes-192-cbc-hmac-sha256" */
-     899,    /* "aes-192-ccm" */
-     425,    /* "aes-192-cfb" */
-     651,    /* "aes-192-cfb1" */
-     654,    /* "aes-192-cfb8" */
-     905,    /* "aes-192-ctr" */
-     422,    /* "aes-192-ecb" */
-     898,    /* "aes-192-gcm" */
-     959,    /* "aes-192-ocb" */
-     424,    /* "aes-192-ofb" */
-     427,    /* "aes-256-cbc" */
-     918,    /* "aes-256-cbc-hmac-sha1" */
-     950,    /* "aes-256-cbc-hmac-sha256" */
-     902,    /* "aes-256-ccm" */
-     429,    /* "aes-256-cfb" */
-     652,    /* "aes-256-cfb1" */
-     655,    /* "aes-256-cfb8" */
-     906,    /* "aes-256-ctr" */
-     426,    /* "aes-256-ecb" */
-     901,    /* "aes-256-gcm" */
-     960,    /* "aes-256-ocb" */
-     428,    /* "aes-256-ofb" */
-     914,    /* "aes-256-xts" */
-     376,    /* "algorithm" */
-     484,    /* "associatedDomain" */
-     485,    /* "associatedName" */
-     501,    /* "audio" */
-    1049,    /* "auth-dss" */
-    1047,    /* "auth-ecdsa" */
-    1050,    /* "auth-gost01" */
-    1051,    /* "auth-gost12" */
-    1053,    /* "auth-null" */
-    1048,    /* "auth-psk" */
-    1046,    /* "auth-rsa" */
-    1052,    /* "auth-srp" */
-     882,    /* "authorityRevocationList" */
-      91,    /* "bf-cbc" */
-      93,    /* "bf-cfb" */
-      92,    /* "bf-ecb" */
-      94,    /* "bf-ofb" */
-    1056,    /* "blake2b512" */
-    1057,    /* "blake2s256" */
-     921,    /* "brainpoolP160r1" */
-     922,    /* "brainpoolP160t1" */
-     923,    /* "brainpoolP192r1" */
-     924,    /* "brainpoolP192t1" */
-     925,    /* "brainpoolP224r1" */
-     926,    /* "brainpoolP224t1" */
-     927,    /* "brainpoolP256r1" */
-     928,    /* "brainpoolP256t1" */
-     929,    /* "brainpoolP320r1" */
-     930,    /* "brainpoolP320t1" */
-     931,    /* "brainpoolP384r1" */
-     932,    /* "brainpoolP384t1" */
-     933,    /* "brainpoolP512r1" */
-     934,    /* "brainpoolP512t1" */
-     494,    /* "buildingName" */
-     860,    /* "businessCategory" */
-     691,    /* "c2onb191v4" */
-     692,    /* "c2onb191v5" */
-     697,    /* "c2onb239v4" */
-     698,    /* "c2onb239v5" */
-     684,    /* "c2pnb163v1" */
-     685,    /* "c2pnb163v2" */
-     686,    /* "c2pnb163v3" */
-     687,    /* "c2pnb176v1" */
-     693,    /* "c2pnb208w1" */
-     699,    /* "c2pnb272w1" */
-     700,    /* "c2pnb304w1" */
-     702,    /* "c2pnb368w1" */
-     688,    /* "c2tnb191v1" */
-     689,    /* "c2tnb191v2" */
-     690,    /* "c2tnb191v3" */
-     694,    /* "c2tnb239v1" */
-     695,    /* "c2tnb239v2" */
-     696,    /* "c2tnb239v3" */
-     701,    /* "c2tnb359v1" */
-     703,    /* "c2tnb431r1" */
-     881,    /* "cACertificate" */
-     483,    /* "cNAMERecord" */
-     751,    /* "camellia-128-cbc" */
-     962,    /* "camellia-128-ccm" */
-     757,    /* "camellia-128-cfb" */
-     760,    /* "camellia-128-cfb1" */
-     763,    /* "camellia-128-cfb8" */
-     964,    /* "camellia-128-cmac" */
-     963,    /* "camellia-128-ctr" */
-     754,    /* "camellia-128-ecb" */
-     961,    /* "camellia-128-gcm" */
-     766,    /* "camellia-128-ofb" */
-     752,    /* "camellia-192-cbc" */
-     966,    /* "camellia-192-ccm" */
-     758,    /* "camellia-192-cfb" */
-     761,    /* "camellia-192-cfb1" */
-     764,    /* "camellia-192-cfb8" */
-     968,    /* "camellia-192-cmac" */
-     967,    /* "camellia-192-ctr" */
-     755,    /* "camellia-192-ecb" */
-     965,    /* "camellia-192-gcm" */
-     767,    /* "camellia-192-ofb" */
-     753,    /* "camellia-256-cbc" */
-     970,    /* "camellia-256-ccm" */
-     759,    /* "camellia-256-cfb" */
-     762,    /* "camellia-256-cfb1" */
-     765,    /* "camellia-256-cfb8" */
-     972,    /* "camellia-256-cmac" */
-     971,    /* "camellia-256-ctr" */
-     756,    /* "camellia-256-ecb" */
-     969,    /* "camellia-256-gcm" */
-     768,    /* "camellia-256-ofb" */
-     443,    /* "caseIgnoreIA5StringSyntax" */
-     108,    /* "cast5-cbc" */
-     110,    /* "cast5-cfb" */
-     109,    /* "cast5-ecb" */
-     111,    /* "cast5-ofb" */
-     152,    /* "certBag" */
-     677,    /* "certicom-arc" */
-     517,    /* "certificate extensions" */
-     883,    /* "certificateRevocationList" */
-    1019,    /* "chacha20" */
-    1018,    /* "chacha20-poly1305" */
-      54,    /* "challengePassword" */
-     407,    /* "characteristic-two-field" */
-     395,    /* "clearance" */
-     633,    /* "cleartext track 2" */
-     894,    /* "cmac" */
-      13,    /* "commonName" */
-     513,    /* "content types" */
-      50,    /* "contentType" */
-      53,    /* "countersignature" */
-      14,    /* "countryName" */
-     153,    /* "crlBag" */
-     884,    /* "crossCertificatePair" */
-     806,    /* "cryptocom" */
-     805,    /* "cryptopro" */
-     500,    /* "dITRedirect" */
-     451,    /* "dNSDomain" */
-     495,    /* "dSAQuality" */
-     434,    /* "data" */
-     390,    /* "dcObject" */
-     891,    /* "deltaRevocationList" */
-      31,    /* "des-cbc" */
-     643,    /* "des-cdmf" */
-      30,    /* "des-cfb" */
-     656,    /* "des-cfb1" */
-     657,    /* "des-cfb8" */
-      29,    /* "des-ecb" */
-      32,    /* "des-ede" */
-      43,    /* "des-ede-cbc" */
-      60,    /* "des-ede-cfb" */
-      62,    /* "des-ede-ofb" */
-      33,    /* "des-ede3" */
-      44,    /* "des-ede3-cbc" */
-      61,    /* "des-ede3-cfb" */
-     658,    /* "des-ede3-cfb1" */
-     659,    /* "des-ede3-cfb8" */
-      63,    /* "des-ede3-ofb" */
-      45,    /* "des-ofb" */
-     107,    /* "description" */
-     871,    /* "destinationIndicator" */
-      80,    /* "desx-cbc" */
-     947,    /* "dh-cofactor-kdf" */
-     946,    /* "dh-std-kdf" */
-      28,    /* "dhKeyAgreement" */
-     941,    /* "dhSinglePass-cofactorDH-sha1kdf-scheme" */
-     942,    /* "dhSinglePass-cofactorDH-sha224kdf-scheme" */
-     943,    /* "dhSinglePass-cofactorDH-sha256kdf-scheme" */
-     944,    /* "dhSinglePass-cofactorDH-sha384kdf-scheme" */
-     945,    /* "dhSinglePass-cofactorDH-sha512kdf-scheme" */
-     936,    /* "dhSinglePass-stdDH-sha1kdf-scheme" */
-     937,    /* "dhSinglePass-stdDH-sha224kdf-scheme" */
-     938,    /* "dhSinglePass-stdDH-sha256kdf-scheme" */
-     939,    /* "dhSinglePass-stdDH-sha384kdf-scheme" */
-     940,    /* "dhSinglePass-stdDH-sha512kdf-scheme" */
-      11,    /* "directory services (X.500)" */
-     378,    /* "directory services - algorithms" */
-     887,    /* "distinguishedName" */
-     892,    /* "dmdName" */
-     174,    /* "dnQualifier" */
-     447,    /* "document" */
-     471,    /* "documentAuthor" */
-     468,    /* "documentIdentifier" */
-     472,    /* "documentLocation" */
-     502,    /* "documentPublisher" */
-     449,    /* "documentSeries" */
-     469,    /* "documentTitle" */
-     470,    /* "documentVersion" */
-     380,    /* "dod" */
-     391,    /* "domainComponent" */
-     452,    /* "domainRelatedObject" */
-     116,    /* "dsaEncryption" */
-      67,    /* "dsaEncryption-old" */
-      66,    /* "dsaWithSHA" */
-     113,    /* "dsaWithSHA1" */
-      70,    /* "dsaWithSHA1-old" */
-     802,    /* "dsa_with_SHA224" */
-     803,    /* "dsa_with_SHA256" */
-     297,    /* "dvcs" */
-     791,    /* "ecdsa-with-Recommended" */
-     416,    /* "ecdsa-with-SHA1" */
-     793,    /* "ecdsa-with-SHA224" */
-     794,    /* "ecdsa-with-SHA256" */
-     795,    /* "ecdsa-with-SHA384" */
-     796,    /* "ecdsa-with-SHA512" */
-     792,    /* "ecdsa-with-Specified" */
-      48,    /* "emailAddress" */
-     632,    /* "encrypted track 2" */
-     885,    /* "enhancedSearchGuide" */
-      56,    /* "extendedCertificateAttributes" */
-     867,    /* "facsimileTelephoneNumber" */
-     462,    /* "favouriteDrink" */
-     453,    /* "friendlyCountry" */
-     490,    /* "friendlyCountryName" */
-     156,    /* "friendlyName" */
-     631,    /* "generate cryptogram" */
-     509,    /* "generationQualifier" */
-     601,    /* "generic cryptogram" */
-      99,    /* "givenName" */
-     976,    /* "gost-mac-12" */
-    1009,    /* "gost89-cbc" */
-     814,    /* "gost89-cnt" */
-     975,    /* "gost89-cnt-12" */
-    1011,    /* "gost89-ctr" */
-    1010,    /* "gost89-ecb" */
-    1015,    /* "grasshopper-cbc" */
-    1016,    /* "grasshopper-cfb" */
-    1013,    /* "grasshopper-ctr" */
-    1012,    /* "grasshopper-ecb" */
-    1017,    /* "grasshopper-mac" */
-    1014,    /* "grasshopper-ofb" */
-    1036,    /* "hkdf" */
-     855,    /* "hmac" */
-     780,    /* "hmac-md5" */
-     781,    /* "hmac-sha1" */
-     797,    /* "hmacWithMD5" */
-     163,    /* "hmacWithSHA1" */
-     798,    /* "hmacWithSHA224" */
-     799,    /* "hmacWithSHA256" */
-     800,    /* "hmacWithSHA384" */
-     801,    /* "hmacWithSHA512" */
-     486,    /* "homePostalAddress" */
-     473,    /* "homeTelephoneNumber" */
-     466,    /* "host" */
-     889,    /* "houseIdentifier" */
-     442,    /* "iA5StringSyntax" */
-     381,    /* "iana" */
-     824,    /* "id-Gost28147-89-CryptoPro-A-ParamSet" */
-     825,    /* "id-Gost28147-89-CryptoPro-B-ParamSet" */
-     826,    /* "id-Gost28147-89-CryptoPro-C-ParamSet" */
-     827,    /* "id-Gost28147-89-CryptoPro-D-ParamSet" */
-     819,    /* "id-Gost28147-89-CryptoPro-KeyMeshing" */
-     829,    /* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
-     828,    /* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
-     830,    /* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
-     820,    /* "id-Gost28147-89-None-KeyMeshing" */
-     823,    /* "id-Gost28147-89-TestParamSet" */
-     840,    /* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
-     841,    /* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
-     842,    /* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
-     843,    /* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
-     844,    /* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
-     839,    /* "id-GostR3410-2001-TestParamSet" */
-     832,    /* "id-GostR3410-94-CryptoPro-A-ParamSet" */
-     833,    /* "id-GostR3410-94-CryptoPro-B-ParamSet" */
-     834,    /* "id-GostR3410-94-CryptoPro-C-ParamSet" */
-     835,    /* "id-GostR3410-94-CryptoPro-D-ParamSet" */
-     836,    /* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
-     837,    /* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
-     838,    /* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
-     831,    /* "id-GostR3410-94-TestParamSet" */
-     845,    /* "id-GostR3410-94-a" */
-     846,    /* "id-GostR3410-94-aBis" */
-     847,    /* "id-GostR3410-94-b" */
-     848,    /* "id-GostR3410-94-bBis" */
-     822,    /* "id-GostR3411-94-CryptoProParamSet" */
-     821,    /* "id-GostR3411-94-TestParamSet" */
-     266,    /* "id-aca" */
-     355,    /* "id-aca-accessIdentity" */
-     354,    /* "id-aca-authenticationInfo" */
-     356,    /* "id-aca-chargingIdentity" */
-     399,    /* "id-aca-encAttrs" */
-     357,    /* "id-aca-group" */
-     358,    /* "id-aca-role" */
-     176,    /* "id-ad" */
-     788,    /* "id-aes128-wrap" */
-     897,    /* "id-aes128-wrap-pad" */
-     789,    /* "id-aes192-wrap" */
-     900,    /* "id-aes192-wrap-pad" */
-     790,    /* "id-aes256-wrap" */
-     903,    /* "id-aes256-wrap-pad" */
-     262,    /* "id-alg" */
-     893,    /* "id-alg-PWRI-KEK" */
-     323,    /* "id-alg-des40" */
-     326,    /* "id-alg-dh-pop" */
-     325,    /* "id-alg-dh-sig-hmac-sha1" */
-     324,    /* "id-alg-noSignature" */
-     907,    /* "id-camellia128-wrap" */
-     908,    /* "id-camellia192-wrap" */
-     909,    /* "id-camellia256-wrap" */
-     268,    /* "id-cct" */
-     361,    /* "id-cct-PKIData" */
-     362,    /* "id-cct-PKIResponse" */
-     360,    /* "id-cct-crs" */
-      81,    /* "id-ce" */
-     680,    /* "id-characteristic-two-basis" */
-     263,    /* "id-cmc" */
-     334,    /* "id-cmc-addExtensions" */
-     346,    /* "id-cmc-confirmCertAcceptance" */
-     330,    /* "id-cmc-dataReturn" */
-     336,    /* "id-cmc-decryptedPOP" */
-     335,    /* "id-cmc-encryptedPOP" */
-     339,    /* "id-cmc-getCRL" */
-     338,    /* "id-cmc-getCert" */
-     328,    /* "id-cmc-identification" */
-     329,    /* "id-cmc-identityProof" */
-     337,    /* "id-cmc-lraPOPWitness" */
-     344,    /* "id-cmc-popLinkRandom" */
-     345,    /* "id-cmc-popLinkWitness" */
-     343,    /* "id-cmc-queryPending" */
-     333,    /* "id-cmc-recipientNonce" */
-     341,    /* "id-cmc-regInfo" */
-     342,    /* "id-cmc-responseInfo" */
-     340,    /* "id-cmc-revokeRequest" */
-     332,    /* "id-cmc-senderNonce" */
-     327,    /* "id-cmc-statusInfo" */
-     331,    /* "id-cmc-transactionId" */
-     787,    /* "id-ct-asciiTextWithCRLF" */
-    1060,    /* "id-ct-xml" */
-     408,    /* "id-ecPublicKey" */
-     508,    /* "id-hex-multipart-message" */
-     507,    /* "id-hex-partial-message" */
-     260,    /* "id-it" */
-     302,    /* "id-it-caKeyUpdateInfo" */
-     298,    /* "id-it-caProtEncCert" */
-     311,    /* "id-it-confirmWaitTime" */
-     303,    /* "id-it-currentCRL" */
-     300,    /* "id-it-encKeyPairTypes" */
-     310,    /* "id-it-implicitConfirm" */
-     308,    /* "id-it-keyPairParamRep" */
-     307,    /* "id-it-keyPairParamReq" */
-     312,    /* "id-it-origPKIMessage" */
-     301,    /* "id-it-preferredSymmAlg" */
-     309,    /* "id-it-revPassphrase" */
-     299,    /* "id-it-signKeyPairTypes" */
-     305,    /* "id-it-subscriptionRequest" */
-     306,    /* "id-it-subscriptionResponse" */
-     784,    /* "id-it-suppLangTags" */
-     304,    /* "id-it-unsupportedOIDs" */
-     128,    /* "id-kp" */
-     280,    /* "id-mod-attribute-cert" */
-     274,    /* "id-mod-cmc" */
-     277,    /* "id-mod-cmp" */
-     284,    /* "id-mod-cmp2000" */
-     273,    /* "id-mod-crmf" */
-     283,    /* "id-mod-dvcs" */
-     275,    /* "id-mod-kea-profile-88" */
-     276,    /* "id-mod-kea-profile-93" */
-     282,    /* "id-mod-ocsp" */
-     278,    /* "id-mod-qualified-cert-88" */
-     279,    /* "id-mod-qualified-cert-93" */
-     281,    /* "id-mod-timestamp-protocol" */
-     264,    /* "id-on" */
-     347,    /* "id-on-personalData" */
-     265,    /* "id-pda" */
-     352,    /* "id-pda-countryOfCitizenship" */
-     353,    /* "id-pda-countryOfResidence" */
-     348,    /* "id-pda-dateOfBirth" */
-     351,    /* "id-pda-gender" */
-     349,    /* "id-pda-placeOfBirth" */
-     175,    /* "id-pe" */
-    1031,    /* "id-pkinit" */
-     261,    /* "id-pkip" */
-     258,    /* "id-pkix-mod" */
-     269,    /* "id-pkix1-explicit-88" */
-     271,    /* "id-pkix1-explicit-93" */
-     270,    /* "id-pkix1-implicit-88" */
-     272,    /* "id-pkix1-implicit-93" */
-     662,    /* "id-ppl" */
-     267,    /* "id-qcs" */
-     359,    /* "id-qcs-pkixQCSyntax-v1" */
-     259,    /* "id-qt" */
-     313,    /* "id-regCtrl" */
-     316,    /* "id-regCtrl-authenticator" */
-     319,    /* "id-regCtrl-oldCertID" */
-     318,    /* "id-regCtrl-pkiArchiveOptions" */
-     317,    /* "id-regCtrl-pkiPublicationInfo" */
-     320,    /* "id-regCtrl-protocolEncrKey" */
-     315,    /* "id-regCtrl-regToken" */
-     314,    /* "id-regInfo" */
-     322,    /* "id-regInfo-certReq" */
-     321,    /* "id-regInfo-utf8Pairs" */
-     973,    /* "id-scrypt" */
-     191,    /* "id-smime-aa" */
-     215,    /* "id-smime-aa-contentHint" */
-     218,    /* "id-smime-aa-contentIdentifier" */
-     221,    /* "id-smime-aa-contentReference" */
-     240,    /* "id-smime-aa-dvcs-dvc" */
-     217,    /* "id-smime-aa-encapContentType" */
-     222,    /* "id-smime-aa-encrypKeyPref" */
-     220,    /* "id-smime-aa-equivalentLabels" */
-     232,    /* "id-smime-aa-ets-CertificateRefs" */
-     233,    /* "id-smime-aa-ets-RevocationRefs" */
-     238,    /* "id-smime-aa-ets-archiveTimeStamp" */
-     237,    /* "id-smime-aa-ets-certCRLTimestamp" */
-     234,    /* "id-smime-aa-ets-certValues" */
-     227,    /* "id-smime-aa-ets-commitmentType" */
-     231,    /* "id-smime-aa-ets-contentTimestamp" */
-     236,    /* "id-smime-aa-ets-escTimeStamp" */
-     230,    /* "id-smime-aa-ets-otherSigCert" */
-     235,    /* "id-smime-aa-ets-revocationValues" */
-     226,    /* "id-smime-aa-ets-sigPolicyId" */
-     229,    /* "id-smime-aa-ets-signerAttr" */
-     228,    /* "id-smime-aa-ets-signerLocation" */
-     219,    /* "id-smime-aa-macValue" */
-     214,    /* "id-smime-aa-mlExpandHistory" */
-     216,    /* "id-smime-aa-msgSigDigest" */
-     212,    /* "id-smime-aa-receiptRequest" */
-     213,    /* "id-smime-aa-securityLabel" */
-     239,    /* "id-smime-aa-signatureType" */
-     223,    /* "id-smime-aa-signingCertificate" */
-     224,    /* "id-smime-aa-smimeEncryptCerts" */
-     225,    /* "id-smime-aa-timeStampToken" */
-     192,    /* "id-smime-alg" */
-     243,    /* "id-smime-alg-3DESwrap" */
-     246,    /* "id-smime-alg-CMS3DESwrap" */
-     247,    /* "id-smime-alg-CMSRC2wrap" */
-     245,    /* "id-smime-alg-ESDH" */
-     241,    /* "id-smime-alg-ESDHwith3DES" */
-     242,    /* "id-smime-alg-ESDHwithRC2" */
-     244,    /* "id-smime-alg-RC2wrap" */
-     193,    /* "id-smime-cd" */
-     248,    /* "id-smime-cd-ldap" */
-     190,    /* "id-smime-ct" */
-     210,    /* "id-smime-ct-DVCSRequestData" */
-     211,    /* "id-smime-ct-DVCSResponseData" */
-     208,    /* "id-smime-ct-TDTInfo" */
-     207,    /* "id-smime-ct-TSTInfo" */
-     205,    /* "id-smime-ct-authData" */
-    1059,    /* "id-smime-ct-authEnvelopedData" */
-     786,    /* "id-smime-ct-compressedData" */
-    1058,    /* "id-smime-ct-contentCollection" */
-     209,    /* "id-smime-ct-contentInfo" */
-     206,    /* "id-smime-ct-publishCert" */
-     204,    /* "id-smime-ct-receipt" */
-     195,    /* "id-smime-cti" */
-     255,    /* "id-smime-cti-ets-proofOfApproval" */
-     256,    /* "id-smime-cti-ets-proofOfCreation" */
-     253,    /* "id-smime-cti-ets-proofOfDelivery" */
-     251,    /* "id-smime-cti-ets-proofOfOrigin" */
-     252,    /* "id-smime-cti-ets-proofOfReceipt" */
-     254,    /* "id-smime-cti-ets-proofOfSender" */
-     189,    /* "id-smime-mod" */
-     196,    /* "id-smime-mod-cms" */
-     197,    /* "id-smime-mod-ess" */
-     202,    /* "id-smime-mod-ets-eSigPolicy-88" */
-     203,    /* "id-smime-mod-ets-eSigPolicy-97" */
-     200,    /* "id-smime-mod-ets-eSignature-88" */
-     201,    /* "id-smime-mod-ets-eSignature-97" */
-     199,    /* "id-smime-mod-msg-v3" */
-     198,    /* "id-smime-mod-oid" */
-     194,    /* "id-smime-spq" */
-     250,    /* "id-smime-spq-ets-sqt-unotice" */
-     249,    /* "id-smime-spq-ets-sqt-uri" */
-     974,    /* "id-tc26" */
-     991,    /* "id-tc26-agreement" */
-     992,    /* "id-tc26-agreement-gost-3410-2012-256" */
-     993,    /* "id-tc26-agreement-gost-3410-2012-512" */
-     977,    /* "id-tc26-algorithms" */
-     990,    /* "id-tc26-cipher" */
-    1001,    /* "id-tc26-cipher-constants" */
-     994,    /* "id-tc26-constants" */
-     981,    /* "id-tc26-digest" */
-    1000,    /* "id-tc26-digest-constants" */
-    1002,    /* "id-tc26-gost-28147-constants" */
-     996,    /* "id-tc26-gost-3410-2012-512-constants" */
-     987,    /* "id-tc26-mac" */
-     978,    /* "id-tc26-sign" */
-     995,    /* "id-tc26-sign-constants" */
-     984,    /* "id-tc26-signwithdigest" */
-      34,    /* "idea-cbc" */
-      35,    /* "idea-cfb" */
-      36,    /* "idea-ecb" */
-      46,    /* "idea-ofb" */
-     676,    /* "identified-organization" */
-     461,    /* "info" */
-     101,    /* "initials" */
-     869,    /* "internationaliSDNNumber" */
-    1022,    /* "ipsec Internet Key Exchange" */
-     749,    /* "ipsec3" */
-     750,    /* "ipsec4" */
-     181,    /* "iso" */
-     623,    /* "issuer capabilities" */
-     645,    /* "itu-t" */
-     492,    /* "janetMailbox" */
-     646,    /* "joint-iso-itu-t" */
-     957,    /* "jurisdictionCountryName" */
-     955,    /* "jurisdictionLocalityName" */
-     956,    /* "jurisdictionStateOrProvinceName" */
-     150,    /* "keyBag" */
-     773,    /* "kisa" */
-    1039,    /* "kx-dhe" */
-    1041,    /* "kx-dhe-psk" */
-    1038,    /* "kx-ecdhe" */
-    1040,    /* "kx-ecdhe-psk" */
-    1045,    /* "kx-gost" */
-    1043,    /* "kx-psk" */
-    1037,    /* "kx-rsa" */
-    1042,    /* "kx-rsa-psk" */
-    1044,    /* "kx-srp" */
-     477,    /* "lastModifiedBy" */
-     476,    /* "lastModifiedTime" */
-     157,    /* "localKeyID" */
-      15,    /* "localityName" */
-     480,    /* "mXRecord" */
-     493,    /* "mailPreferenceOption" */
-     467,    /* "manager" */
-       3,    /* "md2" */
-       7,    /* "md2WithRSAEncryption" */
-     257,    /* "md4" */
-     396,    /* "md4WithRSAEncryption" */
-       4,    /* "md5" */
-     114,    /* "md5-sha1" */
-     104,    /* "md5WithRSA" */
-       8,    /* "md5WithRSAEncryption" */
-      95,    /* "mdc2" */
-      96,    /* "mdc2WithRSA" */
-     875,    /* "member" */
-     602,    /* "merchant initiated auth" */
-     514,    /* "message extensions" */
-      51,    /* "messageDigest" */
-     911,    /* "mgf1" */
-     506,    /* "mime-mhs-bodies" */
-     505,    /* "mime-mhs-headings" */
-     488,    /* "mobileTelephoneNumber" */
-     481,    /* "nSRecord" */
-     173,    /* "name" */
-     681,    /* "onBasis" */
-     379,    /* "org" */
-      17,    /* "organizationName" */
-     491,    /* "organizationalStatus" */
-      18,    /* "organizationalUnitName" */
-     475,    /* "otherMailbox" */
-     876,    /* "owner" */
-     935,    /* "pSpecified" */
-     489,    /* "pagerTelephoneNumber" */
-     782,    /* "password based MAC" */
-     374,    /* "path" */
-     621,    /* "payment gateway capabilities" */
-       9,    /* "pbeWithMD2AndDES-CBC" */
-     168,    /* "pbeWithMD2AndRC2-CBC" */
-     112,    /* "pbeWithMD5AndCast5CBC" */
-      10,    /* "pbeWithMD5AndDES-CBC" */
-     169,    /* "pbeWithMD5AndRC2-CBC" */
-     148,    /* "pbeWithSHA1And128BitRC2-CBC" */
-     144,    /* "pbeWithSHA1And128BitRC4" */
-     147,    /* "pbeWithSHA1And2-KeyTripleDES-CBC" */
-     146,    /* "pbeWithSHA1And3-KeyTripleDES-CBC" */
-     149,    /* "pbeWithSHA1And40BitRC2-CBC" */
-     145,    /* "pbeWithSHA1And40BitRC4" */
-     170,    /* "pbeWithSHA1AndDES-CBC" */
-      68,    /* "pbeWithSHA1AndRC2-CBC" */
-     499,    /* "personalSignature" */
-     487,    /* "personalTitle" */
-     464,    /* "photo" */
-     863,    /* "physicalDeliveryOfficeName" */
-     437,    /* "pilot" */
-     439,    /* "pilotAttributeSyntax" */
-     438,    /* "pilotAttributeType" */
-     479,    /* "pilotAttributeType27" */
-     456,    /* "pilotDSA" */
-     441,    /* "pilotGroups" */
-     444,    /* "pilotObject" */
-     440,    /* "pilotObjectClass" */
-     455,    /* "pilotOrganization" */
-     445,    /* "pilotPerson" */
-     186,    /* "pkcs1" */
-      27,    /* "pkcs3" */
-     187,    /* "pkcs5" */
-      20,    /* "pkcs7" */
-      21,    /* "pkcs7-data" */
-      25,    /* "pkcs7-digestData" */
-      26,    /* "pkcs7-encryptedData" */
-      23,    /* "pkcs7-envelopedData" */
-      24,    /* "pkcs7-signedAndEnvelopedData" */
-      22,    /* "pkcs7-signedData" */
-     151,    /* "pkcs8ShroudedKeyBag" */
-      47,    /* "pkcs9" */
-     862,    /* "postOfficeBox" */
-     861,    /* "postalAddress" */
-     661,    /* "postalCode" */
-     683,    /* "ppBasis" */
-     872,    /* "preferredDeliveryMethod" */
-     873,    /* "presentationAddress" */
-     406,    /* "prime-field" */
-     409,    /* "prime192v1" */
-     410,    /* "prime192v2" */
-     411,    /* "prime192v3" */
-     412,    /* "prime239v1" */
-     413,    /* "prime239v2" */
-     414,    /* "prime239v3" */
-     415,    /* "prime256v1" */
-     886,    /* "protocolInformation" */
-     510,    /* "pseudonym" */
-     435,    /* "pss" */
-     286,    /* "qcStatements" */
-     457,    /* "qualityLabelledData" */
-     450,    /* "rFC822localPart" */
-      98,    /* "rc2-40-cbc" */
-     166,    /* "rc2-64-cbc" */
-      37,    /* "rc2-cbc" */
-      39,    /* "rc2-cfb" */
-      38,    /* "rc2-ecb" */
-      40,    /* "rc2-ofb" */
-       5,    /* "rc4" */
-      97,    /* "rc4-40" */
-     915,    /* "rc4-hmac-md5" */
-     120,    /* "rc5-cbc" */
-     122,    /* "rc5-cfb" */
-     121,    /* "rc5-ecb" */
-     123,    /* "rc5-ofb" */
-     870,    /* "registeredAddress" */
-     460,    /* "rfc822Mailbox" */
-     117,    /* "ripemd160" */
-     119,    /* "ripemd160WithRSA" */
-     400,    /* "role" */
-     877,    /* "roleOccupant" */
-     448,    /* "room" */
-     463,    /* "roomNumber" */
-      19,    /* "rsa" */
-       6,    /* "rsaEncryption" */
-     644,    /* "rsaOAEPEncryptionSET" */
-     377,    /* "rsaSignature" */
-     919,    /* "rsaesOaep" */
-     912,    /* "rsassaPss" */
-     482,    /* "sOARecord" */
-     155,    /* "safeContentsBag" */
-     291,    /* "sbgp-autonomousSysNum" */
-     290,    /* "sbgp-ipAddrBlock" */
-     292,    /* "sbgp-routerIdentifier" */
-     159,    /* "sdsiCertificate" */
-     859,    /* "searchGuide" */
-     704,    /* "secp112r1" */
-     705,    /* "secp112r2" */
-     706,    /* "secp128r1" */
-     707,    /* "secp128r2" */
-     708,    /* "secp160k1" */
-     709,    /* "secp160r1" */
-     710,    /* "secp160r2" */
-     711,    /* "secp192k1" */
-     712,    /* "secp224k1" */
-     713,    /* "secp224r1" */
-     714,    /* "secp256k1" */
-     715,    /* "secp384r1" */
-     716,    /* "secp521r1" */
-     154,    /* "secretBag" */
-     474,    /* "secretary" */
-     717,    /* "sect113r1" */
-     718,    /* "sect113r2" */
-     719,    /* "sect131r1" */
-     720,    /* "sect131r2" */
-     721,    /* "sect163k1" */
-     722,    /* "sect163r1" */
-     723,    /* "sect163r2" */
-     724,    /* "sect193r1" */
-     725,    /* "sect193r2" */
-     726,    /* "sect233k1" */
-     727,    /* "sect233r1" */
-     728,    /* "sect239k1" */
-     729,    /* "sect283k1" */
-     730,    /* "sect283r1" */
-     731,    /* "sect409k1" */
-     732,    /* "sect409r1" */
-     733,    /* "sect571k1" */
-     734,    /* "sect571r1" */
-     635,    /* "secure device signature" */
-     878,    /* "seeAlso" */
-     777,    /* "seed-cbc" */
-     779,    /* "seed-cfb" */
-     776,    /* "seed-ecb" */
-     778,    /* "seed-ofb" */
-     105,    /* "serialNumber" */
-     625,    /* "set-addPolicy" */
-     515,    /* "set-attr" */
-     518,    /* "set-brand" */
-     638,    /* "set-brand-AmericanExpress" */
-     637,    /* "set-brand-Diners" */
-     636,    /* "set-brand-IATA-ATA" */
-     639,    /* "set-brand-JCB" */
-     641,    /* "set-brand-MasterCard" */
-     642,    /* "set-brand-Novus" */
-     640,    /* "set-brand-Visa" */
-     516,    /* "set-policy" */
-     607,    /* "set-policy-root" */
-     624,    /* "set-rootKeyThumb" */
-     620,    /* "setAttr-Cert" */
-     628,    /* "setAttr-IssCap-CVM" */
-     630,    /* "setAttr-IssCap-Sig" */
-     629,    /* "setAttr-IssCap-T2" */
-     627,    /* "setAttr-Token-B0Prime" */
-     626,    /* "setAttr-Token-EMV" */
-     622,    /* "setAttr-TokenType" */
-     619,    /* "setCext-IssuerCapabilities" */
-     615,    /* "setCext-PGWYcapabilities" */
-     616,    /* "setCext-TokenIdentifier" */
-     618,    /* "setCext-TokenType" */
-     617,    /* "setCext-Track2Data" */
-     611,    /* "setCext-cCertRequired" */
-     609,    /* "setCext-certType" */
-     608,    /* "setCext-hashedRoot" */
-     610,    /* "setCext-merchData" */
-     613,    /* "setCext-setExt" */
-     614,    /* "setCext-setQualf" */
-     612,    /* "setCext-tunneling" */
-     540,    /* "setct-AcqCardCodeMsg" */
-     576,    /* "setct-AcqCardCodeMsgTBE" */
-     570,    /* "setct-AuthReqTBE" */
-     534,    /* "setct-AuthReqTBS" */
-     527,    /* "setct-AuthResBaggage" */
-     571,    /* "setct-AuthResTBE" */
-     572,    /* "setct-AuthResTBEX" */
-     535,    /* "setct-AuthResTBS" */
-     536,    /* "setct-AuthResTBSX" */
-     528,    /* "setct-AuthRevReqBaggage" */
-     577,    /* "setct-AuthRevReqTBE" */
-     541,    /* "setct-AuthRevReqTBS" */
-     529,    /* "setct-AuthRevResBaggage" */
-     542,    /* "setct-AuthRevResData" */
-     578,    /* "setct-AuthRevResTBE" */
-     579,    /* "setct-AuthRevResTBEB" */
-     543,    /* "setct-AuthRevResTBS" */
-     573,    /* "setct-AuthTokenTBE" */
-     537,    /* "setct-AuthTokenTBS" */
-     600,    /* "setct-BCIDistributionTBS" */
-     558,    /* "setct-BatchAdminReqData" */
-     592,    /* "setct-BatchAdminReqTBE" */
-     559,    /* "setct-BatchAdminResData" */
-     593,    /* "setct-BatchAdminResTBE" */
-     599,    /* "setct-CRLNotificationResTBS" */
-     598,    /* "setct-CRLNotificationTBS" */
-     580,    /* "setct-CapReqTBE" */
-     581,    /* "setct-CapReqTBEX" */
-     544,    /* "setct-CapReqTBS" */
-     545,    /* "setct-CapReqTBSX" */
-     546,    /* "setct-CapResData" */
-     582,    /* "setct-CapResTBE" */
-     583,    /* "setct-CapRevReqTBE" */
-     584,    /* "setct-CapRevReqTBEX" */
-     547,    /* "setct-CapRevReqTBS" */
-     548,    /* "setct-CapRevReqTBSX" */
-     549,    /* "setct-CapRevResData" */
-     585,    /* "setct-CapRevResTBE" */
-     538,    /* "setct-CapTokenData" */
-     530,    /* "setct-CapTokenSeq" */
-     574,    /* "setct-CapTokenTBE" */
-     575,    /* "setct-CapTokenTBEX" */
-     539,    /* "setct-CapTokenTBS" */
-     560,    /* "setct-CardCInitResTBS" */
-     566,    /* "setct-CertInqReqTBS" */
-     563,    /* "setct-CertReqData" */
-     595,    /* "setct-CertReqTBE" */
-     596,    /* "setct-CertReqTBEX" */
-     564,    /* "setct-CertReqTBS" */
-     565,    /* "setct-CertResData" */
-     597,    /* "setct-CertResTBE" */
-     586,    /* "setct-CredReqTBE" */
-     587,    /* "setct-CredReqTBEX" */
-     550,    /* "setct-CredReqTBS" */
-     551,    /* "setct-CredReqTBSX" */
-     552,    /* "setct-CredResData" */
-     588,    /* "setct-CredResTBE" */
-     589,    /* "setct-CredRevReqTBE" */
-     590,    /* "setct-CredRevReqTBEX" */
-     553,    /* "setct-CredRevReqTBS" */
-     554,    /* "setct-CredRevReqTBSX" */
-     555,    /* "setct-CredRevResData" */
-     591,    /* "setct-CredRevResTBE" */
-     567,    /* "setct-ErrorTBS" */
-     526,    /* "setct-HODInput" */
-     561,    /* "setct-MeAqCInitResTBS" */
-     522,    /* "setct-OIData" */
-     519,    /* "setct-PANData" */
-     521,    /* "setct-PANOnly" */
-     520,    /* "setct-PANToken" */
-     556,    /* "setct-PCertReqData" */
-     557,    /* "setct-PCertResTBS" */
-     523,    /* "setct-PI" */
-     532,    /* "setct-PI-TBS" */
-     524,    /* "setct-PIData" */
-     525,    /* "setct-PIDataUnsigned" */
-     568,    /* "setct-PIDualSignedTBE" */
-     569,    /* "setct-PIUnsignedTBE" */
-     531,    /* "setct-PInitResData" */
-     533,    /* "setct-PResData" */
-     594,    /* "setct-RegFormReqTBE" */
-     562,    /* "setct-RegFormResTBS" */
-     604,    /* "setext-pinAny" */
-     603,    /* "setext-pinSecure" */
-     605,    /* "setext-track2" */
-      41,    /* "sha" */
-      64,    /* "sha1" */
-     115,    /* "sha1WithRSA" */
-      65,    /* "sha1WithRSAEncryption" */
-     675,    /* "sha224" */
-     671,    /* "sha224WithRSAEncryption" */
-     672,    /* "sha256" */
-     668,    /* "sha256WithRSAEncryption" */
-     673,    /* "sha384" */
-     669,    /* "sha384WithRSAEncryption" */
-     674,    /* "sha512" */
-     670,    /* "sha512WithRSAEncryption" */
-      42,    /* "shaWithRSAEncryption" */
-      52,    /* "signingTime" */
-     454,    /* "simpleSecurityObject" */
-     496,    /* "singleLevelQuality" */
-      16,    /* "stateOrProvinceName" */
-     660,    /* "streetAddress" */
-     498,    /* "subtreeMaximumQuality" */
-     497,    /* "subtreeMinimumQuality" */
-     890,    /* "supportedAlgorithms" */
-     874,    /* "supportedApplicationContext" */
-     100,    /* "surname" */
-     864,    /* "telephoneNumber" */
-     866,    /* "teletexTerminalIdentifier" */
-     865,    /* "telexNumber" */
-     459,    /* "textEncodedORAddress" */
-     293,    /* "textNotice" */
-     106,    /* "title" */
-    1021,    /* "tls1-prf" */
-     682,    /* "tpBasis" */
-     436,    /* "ucl" */
-       0,    /* "undefined" */
-     102,    /* "uniqueIdentifier" */
-     888,    /* "uniqueMember" */
-      55,    /* "unstructuredAddress" */
-      49,    /* "unstructuredName" */
-     880,    /* "userCertificate" */
-     465,    /* "userClass" */
-     458,    /* "userId" */
-     879,    /* "userPassword" */
-     373,    /* "valid" */
-     678,    /* "wap" */
-     679,    /* "wap-wsg" */
-     735,    /* "wap-wsg-idm-ecid-wtls1" */
-     743,    /* "wap-wsg-idm-ecid-wtls10" */
-     744,    /* "wap-wsg-idm-ecid-wtls11" */
-     745,    /* "wap-wsg-idm-ecid-wtls12" */
-     736,    /* "wap-wsg-idm-ecid-wtls3" */
-     737,    /* "wap-wsg-idm-ecid-wtls4" */
-     738,    /* "wap-wsg-idm-ecid-wtls5" */
-     739,    /* "wap-wsg-idm-ecid-wtls6" */
-     740,    /* "wap-wsg-idm-ecid-wtls7" */
-     741,    /* "wap-wsg-idm-ecid-wtls8" */
-     742,    /* "wap-wsg-idm-ecid-wtls9" */
-     804,    /* "whirlpool" */
-     868,    /* "x121Address" */
-     503,    /* "x500UniqueIdentifier" */
-     158,    /* "x509Certificate" */
-     160,    /* "x509Crl" */
-     125,    /* "zlib compression" */
+static const unsigned int ln_objs[NUM_LN]={
+363,	/* "AD Time Stamping" */
+405,	/* "ANSI X9.62" */
+368,	/* "Acceptable OCSP Responses" */
+910,	/* "Any Extended Key Usage" */
+664,	/* "Any language" */
+177,	/* "Authority Information Access" */
+365,	/* "Basic OCSP Response" */
+285,	/* "Biometric Info" */
+179,	/* "CA Issuers" */
+785,	/* "CA Repository" */
+954,	/* "CT Certificate SCTs" */
+952,	/* "CT Precertificate Poison" */
+951,	/* "CT Precertificate SCTs" */
+953,	/* "CT Precertificate Signer" */
+131,	/* "Code Signing" */
+783,	/* "Diffie-Hellman based MAC" */
+382,	/* "Directory" */
+392,	/* "Domain" */
+132,	/* "E-mail Protection" */
+389,	/* "Enterprises" */
+384,	/* "Experimental" */
+372,	/* "Extended OCSP Status" */
+172,	/* "Extension Request" */
+813,	/* "GOST 28147-89" */
+849,	/* "GOST 28147-89 Cryptocom ParamSet" */
+815,	/* "GOST 28147-89 MAC" */
+851,	/* "GOST 34.10-2001 Cryptocom" */
+850,	/* "GOST 34.10-94 Cryptocom" */
+811,	/* "GOST R 34.10-2001" */
+817,	/* "GOST R 34.10-2001 DH" */
+812,	/* "GOST R 34.10-94" */
+818,	/* "GOST R 34.10-94 DH" */
+809,	/* "GOST R 34.11-94" */
+816,	/* "GOST R 34.11-94 PRF" */
+807,	/* "GOST R 34.11-94 with GOST R 34.10-2001" */
+853,	/* "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom" */
+808,	/* "GOST R 34.11-94 with GOST R 34.10-94" */
+852,	/* "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom" */
+854,	/* "GOST R 3410-2001 Parameter Set Cryptocom" */
+810,	/* "HMAC GOST 34.11-94" */
+432,	/* "Hold Instruction Call Issuer" */
+430,	/* "Hold Instruction Code" */
+431,	/* "Hold Instruction None" */
+433,	/* "Hold Instruction Reject" */
+634,	/* "ICC or token signature" */
+294,	/* "IPSec End System" */
+295,	/* "IPSec Tunnel" */
+296,	/* "IPSec User" */
+182,	/* "ISO Member Body" */
+183,	/* "ISO US Member Body" */
+667,	/* "Independent" */
+665,	/* "Inherit all" */
+647,	/* "International Organizations" */
+142,	/* "Invalidity Date" */
+504,	/* "MIME MHS" */
+388,	/* "Mail" */
+383,	/* "Management" */
+417,	/* "Microsoft CSP Name" */
+135,	/* "Microsoft Commercial Code Signing" */
+138,	/* "Microsoft Encrypted File System" */
+171,	/* "Microsoft Extension Request" */
+134,	/* "Microsoft Individual Code Signing" */
+856,	/* "Microsoft Local Key set" */
+137,	/* "Microsoft Server Gated Crypto" */
+648,	/* "Microsoft Smartcardlogin" */
+136,	/* "Microsoft Trust List Signing" */
+649,	/* "Microsoft Universal Principal Name" */
+393,	/* "NULL" */
+404,	/* "NULL" */
+72,	/* "Netscape Base Url" */
+76,	/* "Netscape CA Policy Url" */
+74,	/* "Netscape CA Revocation Url" */
+71,	/* "Netscape Cert Type" */
+58,	/* "Netscape Certificate Extension" */
+79,	/* "Netscape Certificate Sequence" */
+78,	/* "Netscape Comment" */
+57,	/* "Netscape Communications Corp." */
+59,	/* "Netscape Data Type" */
+75,	/* "Netscape Renewal Url" */
+73,	/* "Netscape Revocation Url" */
+77,	/* "Netscape SSL Server Name" */
+139,	/* "Netscape Server Gated Crypto" */
+178,	/* "OCSP" */
+370,	/* "OCSP Archive Cutoff" */
+367,	/* "OCSP CRL ID" */
+369,	/* "OCSP No Check" */
+366,	/* "OCSP Nonce" */
+371,	/* "OCSP Service Locator" */
+180,	/* "OCSP Signing" */
+161,	/* "PBES2" */
+69,	/* "PBKDF2" */
+162,	/* "PBMAC1" */
+127,	/* "PKIX" */
+858,	/* "Permanent Identifier" */
+164,	/* "Policy Qualifier CPS" */
+165,	/* "Policy Qualifier User Notice" */
+385,	/* "Private" */
+663,	/* "Proxy Certificate Information" */
+ 1,	/* "RSA Data Security, Inc." */
+ 2,	/* "RSA Data Security, Inc. PKCS" */
+188,	/* "S/MIME" */
+167,	/* "S/MIME Capabilities" */
+387,	/* "SNMPv2" */
+512,	/* "Secure Electronic Transactions" */
+386,	/* "Security" */
+394,	/* "Selected Attribute Types" */
+143,	/* "Strong Extranet ID" */
+398,	/* "Subject Information Access" */
+130,	/* "TLS Web Client Authentication" */
+129,	/* "TLS Web Server Authentication" */
+133,	/* "Time Stamping" */
+375,	/* "Trust Root" */
+12,	/* "X509" */
+402,	/* "X509v3 AC Targeting" */
+746,	/* "X509v3 Any Policy" */
+90,	/* "X509v3 Authority Key Identifier" */
+87,	/* "X509v3 Basic Constraints" */
+103,	/* "X509v3 CRL Distribution Points" */
+88,	/* "X509v3 CRL Number" */
+141,	/* "X509v3 CRL Reason Code" */
+771,	/* "X509v3 Certificate Issuer" */
+89,	/* "X509v3 Certificate Policies" */
+140,	/* "X509v3 Delta CRL Indicator" */
+126,	/* "X509v3 Extended Key Usage" */
+857,	/* "X509v3 Freshest CRL" */
+748,	/* "X509v3 Inhibit Any Policy" */
+86,	/* "X509v3 Issuer Alternative Name" */
+770,	/* "X509v3 Issuing Distrubution Point" */
+83,	/* "X509v3 Key Usage" */
+666,	/* "X509v3 Name Constraints" */
+403,	/* "X509v3 No Revocation Available" */
+401,	/* "X509v3 Policy Constraints" */
+747,	/* "X509v3 Policy Mappings" */
+84,	/* "X509v3 Private Key Usage Period" */
+85,	/* "X509v3 Subject Alternative Name" */
+769,	/* "X509v3 Subject Directory Attributes" */
+82,	/* "X509v3 Subject Key Identifier" */
+920,	/* "X9.42 DH" */
+184,	/* "X9.57" */
+185,	/* "X9.57 CM ?" */
+478,	/* "aRecord" */
+289,	/* "aaControls" */
+287,	/* "ac-auditEntity" */
+397,	/* "ac-proxying" */
+288,	/* "ac-targeting" */
+446,	/* "account" */
+364,	/* "ad dvcs" */
+606,	/* "additional verification" */
+419,	/* "aes-128-cbc" */
+916,	/* "aes-128-cbc-hmac-sha1" */
+948,	/* "aes-128-cbc-hmac-sha256" */
+896,	/* "aes-128-ccm" */
+421,	/* "aes-128-cfb" */
+650,	/* "aes-128-cfb1" */
+653,	/* "aes-128-cfb8" */
+904,	/* "aes-128-ctr" */
+418,	/* "aes-128-ecb" */
+895,	/* "aes-128-gcm" */
+420,	/* "aes-128-ofb" */
+913,	/* "aes-128-xts" */
+423,	/* "aes-192-cbc" */
+917,	/* "aes-192-cbc-hmac-sha1" */
+949,	/* "aes-192-cbc-hmac-sha256" */
+899,	/* "aes-192-ccm" */
+425,	/* "aes-192-cfb" */
+651,	/* "aes-192-cfb1" */
+654,	/* "aes-192-cfb8" */
+905,	/* "aes-192-ctr" */
+422,	/* "aes-192-ecb" */
+898,	/* "aes-192-gcm" */
+424,	/* "aes-192-ofb" */
+427,	/* "aes-256-cbc" */
+918,	/* "aes-256-cbc-hmac-sha1" */
+950,	/* "aes-256-cbc-hmac-sha256" */
+902,	/* "aes-256-ccm" */
+429,	/* "aes-256-cfb" */
+652,	/* "aes-256-cfb1" */
+655,	/* "aes-256-cfb8" */
+906,	/* "aes-256-ctr" */
+426,	/* "aes-256-ecb" */
+901,	/* "aes-256-gcm" */
+428,	/* "aes-256-ofb" */
+914,	/* "aes-256-xts" */
+376,	/* "algorithm" */
+484,	/* "associatedDomain" */
+485,	/* "associatedName" */
+501,	/* "audio" */
+882,	/* "authorityRevocationList" */
+91,	/* "bf-cbc" */
+93,	/* "bf-cfb" */
+92,	/* "bf-ecb" */
+94,	/* "bf-ofb" */
+921,	/* "brainpoolP160r1" */
+922,	/* "brainpoolP160t1" */
+923,	/* "brainpoolP192r1" */
+924,	/* "brainpoolP192t1" */
+925,	/* "brainpoolP224r1" */
+926,	/* "brainpoolP224t1" */
+927,	/* "brainpoolP256r1" */
+928,	/* "brainpoolP256t1" */
+929,	/* "brainpoolP320r1" */
+930,	/* "brainpoolP320t1" */
+931,	/* "brainpoolP384r1" */
+932,	/* "brainpoolP384t1" */
+933,	/* "brainpoolP512r1" */
+934,	/* "brainpoolP512t1" */
+494,	/* "buildingName" */
+860,	/* "businessCategory" */
+691,	/* "c2onb191v4" */
+692,	/* "c2onb191v5" */
+697,	/* "c2onb239v4" */
+698,	/* "c2onb239v5" */
+684,	/* "c2pnb163v1" */
+685,	/* "c2pnb163v2" */
+686,	/* "c2pnb163v3" */
+687,	/* "c2pnb176v1" */
+693,	/* "c2pnb208w1" */
+699,	/* "c2pnb272w1" */
+700,	/* "c2pnb304w1" */
+702,	/* "c2pnb368w1" */
+688,	/* "c2tnb191v1" */
+689,	/* "c2tnb191v2" */
+690,	/* "c2tnb191v3" */
+694,	/* "c2tnb239v1" */
+695,	/* "c2tnb239v2" */
+696,	/* "c2tnb239v3" */
+701,	/* "c2tnb359v1" */
+703,	/* "c2tnb431r1" */
+881,	/* "cACertificate" */
+483,	/* "cNAMERecord" */
+751,	/* "camellia-128-cbc" */
+757,	/* "camellia-128-cfb" */
+760,	/* "camellia-128-cfb1" */
+763,	/* "camellia-128-cfb8" */
+754,	/* "camellia-128-ecb" */
+766,	/* "camellia-128-ofb" */
+752,	/* "camellia-192-cbc" */
+758,	/* "camellia-192-cfb" */
+761,	/* "camellia-192-cfb1" */
+764,	/* "camellia-192-cfb8" */
+755,	/* "camellia-192-ecb" */
+767,	/* "camellia-192-ofb" */
+753,	/* "camellia-256-cbc" */
+759,	/* "camellia-256-cfb" */
+762,	/* "camellia-256-cfb1" */
+765,	/* "camellia-256-cfb8" */
+756,	/* "camellia-256-ecb" */
+768,	/* "camellia-256-ofb" */
+443,	/* "caseIgnoreIA5StringSyntax" */
+108,	/* "cast5-cbc" */
+110,	/* "cast5-cfb" */
+109,	/* "cast5-ecb" */
+111,	/* "cast5-ofb" */
+152,	/* "certBag" */
+677,	/* "certicom-arc" */
+517,	/* "certificate extensions" */
+883,	/* "certificateRevocationList" */
+54,	/* "challengePassword" */
+407,	/* "characteristic-two-field" */
+395,	/* "clearance" */
+633,	/* "cleartext track 2" */
+894,	/* "cmac" */
+13,	/* "commonName" */
+513,	/* "content types" */
+50,	/* "contentType" */
+53,	/* "countersignature" */
+14,	/* "countryName" */
+153,	/* "crlBag" */
+884,	/* "crossCertificatePair" */
+806,	/* "cryptocom" */
+805,	/* "cryptopro" */
+500,	/* "dITRedirect" */
+451,	/* "dNSDomain" */
+495,	/* "dSAQuality" */
+434,	/* "data" */
+390,	/* "dcObject" */
+891,	/* "deltaRevocationList" */
+31,	/* "des-cbc" */
+643,	/* "des-cdmf" */
+30,	/* "des-cfb" */
+656,	/* "des-cfb1" */
+657,	/* "des-cfb8" */
+29,	/* "des-ecb" */
+32,	/* "des-ede" */
+43,	/* "des-ede-cbc" */
+60,	/* "des-ede-cfb" */
+62,	/* "des-ede-ofb" */
+33,	/* "des-ede3" */
+44,	/* "des-ede3-cbc" */
+61,	/* "des-ede3-cfb" */
+658,	/* "des-ede3-cfb1" */
+659,	/* "des-ede3-cfb8" */
+63,	/* "des-ede3-ofb" */
+45,	/* "des-ofb" */
+107,	/* "description" */
+871,	/* "destinationIndicator" */
+80,	/* "desx-cbc" */
+947,	/* "dh-cofactor-kdf" */
+946,	/* "dh-std-kdf" */
+28,	/* "dhKeyAgreement" */
+941,	/* "dhSinglePass-cofactorDH-sha1kdf-scheme" */
+942,	/* "dhSinglePass-cofactorDH-sha224kdf-scheme" */
+943,	/* "dhSinglePass-cofactorDH-sha256kdf-scheme" */
+944,	/* "dhSinglePass-cofactorDH-sha384kdf-scheme" */
+945,	/* "dhSinglePass-cofactorDH-sha512kdf-scheme" */
+936,	/* "dhSinglePass-stdDH-sha1kdf-scheme" */
+937,	/* "dhSinglePass-stdDH-sha224kdf-scheme" */
+938,	/* "dhSinglePass-stdDH-sha256kdf-scheme" */
+939,	/* "dhSinglePass-stdDH-sha384kdf-scheme" */
+940,	/* "dhSinglePass-stdDH-sha512kdf-scheme" */
+11,	/* "directory services (X.500)" */
+378,	/* "directory services - algorithms" */
+887,	/* "distinguishedName" */
+892,	/* "dmdName" */
+174,	/* "dnQualifier" */
+447,	/* "document" */
+471,	/* "documentAuthor" */
+468,	/* "documentIdentifier" */
+472,	/* "documentLocation" */
+502,	/* "documentPublisher" */
+449,	/* "documentSeries" */
+469,	/* "documentTitle" */
+470,	/* "documentVersion" */
+380,	/* "dod" */
+391,	/* "domainComponent" */
+452,	/* "domainRelatedObject" */
+116,	/* "dsaEncryption" */
+67,	/* "dsaEncryption-old" */
+66,	/* "dsaWithSHA" */
+113,	/* "dsaWithSHA1" */
+70,	/* "dsaWithSHA1-old" */
+802,	/* "dsa_with_SHA224" */
+803,	/* "dsa_with_SHA256" */
+297,	/* "dvcs" */
+791,	/* "ecdsa-with-Recommended" */
+416,	/* "ecdsa-with-SHA1" */
+793,	/* "ecdsa-with-SHA224" */
+794,	/* "ecdsa-with-SHA256" */
+795,	/* "ecdsa-with-SHA384" */
+796,	/* "ecdsa-with-SHA512" */
+792,	/* "ecdsa-with-Specified" */
+48,	/* "emailAddress" */
+632,	/* "encrypted track 2" */
+885,	/* "enhancedSearchGuide" */
+56,	/* "extendedCertificateAttributes" */
+867,	/* "facsimileTelephoneNumber" */
+462,	/* "favouriteDrink" */
+453,	/* "friendlyCountry" */
+490,	/* "friendlyCountryName" */
+156,	/* "friendlyName" */
+631,	/* "generate cryptogram" */
+509,	/* "generationQualifier" */
+601,	/* "generic cryptogram" */
+99,	/* "givenName" */
+814,	/* "gost89-cnt" */
+855,	/* "hmac" */
+780,	/* "hmac-md5" */
+781,	/* "hmac-sha1" */
+797,	/* "hmacWithMD5" */
+163,	/* "hmacWithSHA1" */
+798,	/* "hmacWithSHA224" */
+799,	/* "hmacWithSHA256" */
+800,	/* "hmacWithSHA384" */
+801,	/* "hmacWithSHA512" */
+486,	/* "homePostalAddress" */
+473,	/* "homeTelephoneNumber" */
+466,	/* "host" */
+889,	/* "houseIdentifier" */
+442,	/* "iA5StringSyntax" */
+381,	/* "iana" */
+824,	/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
+825,	/* "id-Gost28147-89-CryptoPro-B-ParamSet" */
+826,	/* "id-Gost28147-89-CryptoPro-C-ParamSet" */
+827,	/* "id-Gost28147-89-CryptoPro-D-ParamSet" */
+819,	/* "id-Gost28147-89-CryptoPro-KeyMeshing" */
+829,	/* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
+828,	/* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
+830,	/* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
+820,	/* "id-Gost28147-89-None-KeyMeshing" */
+823,	/* "id-Gost28147-89-TestParamSet" */
+840,	/* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
+841,	/* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
+842,	/* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
+843,	/* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
+844,	/* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
+839,	/* "id-GostR3410-2001-TestParamSet" */
+832,	/* "id-GostR3410-94-CryptoPro-A-ParamSet" */
+833,	/* "id-GostR3410-94-CryptoPro-B-ParamSet" */
+834,	/* "id-GostR3410-94-CryptoPro-C-ParamSet" */
+835,	/* "id-GostR3410-94-CryptoPro-D-ParamSet" */
+836,	/* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
+837,	/* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
+838,	/* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
+831,	/* "id-GostR3410-94-TestParamSet" */
+845,	/* "id-GostR3410-94-a" */
+846,	/* "id-GostR3410-94-aBis" */
+847,	/* "id-GostR3410-94-b" */
+848,	/* "id-GostR3410-94-bBis" */
+822,	/* "id-GostR3411-94-CryptoProParamSet" */
+821,	/* "id-GostR3411-94-TestParamSet" */
+266,	/* "id-aca" */
+355,	/* "id-aca-accessIdentity" */
+354,	/* "id-aca-authenticationInfo" */
+356,	/* "id-aca-chargingIdentity" */
+399,	/* "id-aca-encAttrs" */
+357,	/* "id-aca-group" */
+358,	/* "id-aca-role" */
+176,	/* "id-ad" */
+788,	/* "id-aes128-wrap" */
+897,	/* "id-aes128-wrap-pad" */
+789,	/* "id-aes192-wrap" */
+900,	/* "id-aes192-wrap-pad" */
+790,	/* "id-aes256-wrap" */
+903,	/* "id-aes256-wrap-pad" */
+262,	/* "id-alg" */
+893,	/* "id-alg-PWRI-KEK" */
+323,	/* "id-alg-des40" */
+326,	/* "id-alg-dh-pop" */
+325,	/* "id-alg-dh-sig-hmac-sha1" */
+324,	/* "id-alg-noSignature" */
+907,	/* "id-camellia128-wrap" */
+908,	/* "id-camellia192-wrap" */
+909,	/* "id-camellia256-wrap" */
+268,	/* "id-cct" */
+361,	/* "id-cct-PKIData" */
+362,	/* "id-cct-PKIResponse" */
+360,	/* "id-cct-crs" */
+81,	/* "id-ce" */
+680,	/* "id-characteristic-two-basis" */
+263,	/* "id-cmc" */
+334,	/* "id-cmc-addExtensions" */
+346,	/* "id-cmc-confirmCertAcceptance" */
+330,	/* "id-cmc-dataReturn" */
+336,	/* "id-cmc-decryptedPOP" */
+335,	/* "id-cmc-encryptedPOP" */
+339,	/* "id-cmc-getCRL" */
+338,	/* "id-cmc-getCert" */
+328,	/* "id-cmc-identification" */
+329,	/* "id-cmc-identityProof" */
+337,	/* "id-cmc-lraPOPWitness" */
+344,	/* "id-cmc-popLinkRandom" */
+345,	/* "id-cmc-popLinkWitness" */
+343,	/* "id-cmc-queryPending" */
+333,	/* "id-cmc-recipientNonce" */
+341,	/* "id-cmc-regInfo" */
+342,	/* "id-cmc-responseInfo" */
+340,	/* "id-cmc-revokeRequest" */
+332,	/* "id-cmc-senderNonce" */
+327,	/* "id-cmc-statusInfo" */
+331,	/* "id-cmc-transactionId" */
+787,	/* "id-ct-asciiTextWithCRLF" */
+408,	/* "id-ecPublicKey" */
+508,	/* "id-hex-multipart-message" */
+507,	/* "id-hex-partial-message" */
+260,	/* "id-it" */
+302,	/* "id-it-caKeyUpdateInfo" */
+298,	/* "id-it-caProtEncCert" */
+311,	/* "id-it-confirmWaitTime" */
+303,	/* "id-it-currentCRL" */
+300,	/* "id-it-encKeyPairTypes" */
+310,	/* "id-it-implicitConfirm" */
+308,	/* "id-it-keyPairParamRep" */
+307,	/* "id-it-keyPairParamReq" */
+312,	/* "id-it-origPKIMessage" */
+301,	/* "id-it-preferredSymmAlg" */
+309,	/* "id-it-revPassphrase" */
+299,	/* "id-it-signKeyPairTypes" */
+305,	/* "id-it-subscriptionRequest" */
+306,	/* "id-it-subscriptionResponse" */
+784,	/* "id-it-suppLangTags" */
+304,	/* "id-it-unsupportedOIDs" */
+128,	/* "id-kp" */
+280,	/* "id-mod-attribute-cert" */
+274,	/* "id-mod-cmc" */
+277,	/* "id-mod-cmp" */
+284,	/* "id-mod-cmp2000" */
+273,	/* "id-mod-crmf" */
+283,	/* "id-mod-dvcs" */
+275,	/* "id-mod-kea-profile-88" */
+276,	/* "id-mod-kea-profile-93" */
+282,	/* "id-mod-ocsp" */
+278,	/* "id-mod-qualified-cert-88" */
+279,	/* "id-mod-qualified-cert-93" */
+281,	/* "id-mod-timestamp-protocol" */
+264,	/* "id-on" */
+347,	/* "id-on-personalData" */
+265,	/* "id-pda" */
+352,	/* "id-pda-countryOfCitizenship" */
+353,	/* "id-pda-countryOfResidence" */
+348,	/* "id-pda-dateOfBirth" */
+351,	/* "id-pda-gender" */
+349,	/* "id-pda-placeOfBirth" */
+175,	/* "id-pe" */
+261,	/* "id-pkip" */
+258,	/* "id-pkix-mod" */
+269,	/* "id-pkix1-explicit-88" */
+271,	/* "id-pkix1-explicit-93" */
+270,	/* "id-pkix1-implicit-88" */
+272,	/* "id-pkix1-implicit-93" */
+662,	/* "id-ppl" */
+267,	/* "id-qcs" */
+359,	/* "id-qcs-pkixQCSyntax-v1" */
+259,	/* "id-qt" */
+313,	/* "id-regCtrl" */
+316,	/* "id-regCtrl-authenticator" */
+319,	/* "id-regCtrl-oldCertID" */
+318,	/* "id-regCtrl-pkiArchiveOptions" */
+317,	/* "id-regCtrl-pkiPublicationInfo" */
+320,	/* "id-regCtrl-protocolEncrKey" */
+315,	/* "id-regCtrl-regToken" */
+314,	/* "id-regInfo" */
+322,	/* "id-regInfo-certReq" */
+321,	/* "id-regInfo-utf8Pairs" */
+191,	/* "id-smime-aa" */
+215,	/* "id-smime-aa-contentHint" */
+218,	/* "id-smime-aa-contentIdentifier" */
+221,	/* "id-smime-aa-contentReference" */
+240,	/* "id-smime-aa-dvcs-dvc" */
+217,	/* "id-smime-aa-encapContentType" */
+222,	/* "id-smime-aa-encrypKeyPref" */
+220,	/* "id-smime-aa-equivalentLabels" */
+232,	/* "id-smime-aa-ets-CertificateRefs" */
+233,	/* "id-smime-aa-ets-RevocationRefs" */
+238,	/* "id-smime-aa-ets-archiveTimeStamp" */
+237,	/* "id-smime-aa-ets-certCRLTimestamp" */
+234,	/* "id-smime-aa-ets-certValues" */
+227,	/* "id-smime-aa-ets-commitmentType" */
+231,	/* "id-smime-aa-ets-contentTimestamp" */
+236,	/* "id-smime-aa-ets-escTimeStamp" */
+230,	/* "id-smime-aa-ets-otherSigCert" */
+235,	/* "id-smime-aa-ets-revocationValues" */
+226,	/* "id-smime-aa-ets-sigPolicyId" */
+229,	/* "id-smime-aa-ets-signerAttr" */
+228,	/* "id-smime-aa-ets-signerLocation" */
+219,	/* "id-smime-aa-macValue" */
+214,	/* "id-smime-aa-mlExpandHistory" */
+216,	/* "id-smime-aa-msgSigDigest" */
+212,	/* "id-smime-aa-receiptRequest" */
+213,	/* "id-smime-aa-securityLabel" */
+239,	/* "id-smime-aa-signatureType" */
+223,	/* "id-smime-aa-signingCertificate" */
+224,	/* "id-smime-aa-smimeEncryptCerts" */
+225,	/* "id-smime-aa-timeStampToken" */
+192,	/* "id-smime-alg" */
+243,	/* "id-smime-alg-3DESwrap" */
+246,	/* "id-smime-alg-CMS3DESwrap" */
+247,	/* "id-smime-alg-CMSRC2wrap" */
+245,	/* "id-smime-alg-ESDH" */
+241,	/* "id-smime-alg-ESDHwith3DES" */
+242,	/* "id-smime-alg-ESDHwithRC2" */
+244,	/* "id-smime-alg-RC2wrap" */
+193,	/* "id-smime-cd" */
+248,	/* "id-smime-cd-ldap" */
+190,	/* "id-smime-ct" */
+210,	/* "id-smime-ct-DVCSRequestData" */
+211,	/* "id-smime-ct-DVCSResponseData" */
+208,	/* "id-smime-ct-TDTInfo" */
+207,	/* "id-smime-ct-TSTInfo" */
+205,	/* "id-smime-ct-authData" */
+786,	/* "id-smime-ct-compressedData" */
+209,	/* "id-smime-ct-contentInfo" */
+206,	/* "id-smime-ct-publishCert" */
+204,	/* "id-smime-ct-receipt" */
+195,	/* "id-smime-cti" */
+255,	/* "id-smime-cti-ets-proofOfApproval" */
+256,	/* "id-smime-cti-ets-proofOfCreation" */
+253,	/* "id-smime-cti-ets-proofOfDelivery" */
+251,	/* "id-smime-cti-ets-proofOfOrigin" */
+252,	/* "id-smime-cti-ets-proofOfReceipt" */
+254,	/* "id-smime-cti-ets-proofOfSender" */
+189,	/* "id-smime-mod" */
+196,	/* "id-smime-mod-cms" */
+197,	/* "id-smime-mod-ess" */
+202,	/* "id-smime-mod-ets-eSigPolicy-88" */
+203,	/* "id-smime-mod-ets-eSigPolicy-97" */
+200,	/* "id-smime-mod-ets-eSignature-88" */
+201,	/* "id-smime-mod-ets-eSignature-97" */
+199,	/* "id-smime-mod-msg-v3" */
+198,	/* "id-smime-mod-oid" */
+194,	/* "id-smime-spq" */
+250,	/* "id-smime-spq-ets-sqt-unotice" */
+249,	/* "id-smime-spq-ets-sqt-uri" */
+34,	/* "idea-cbc" */
+35,	/* "idea-cfb" */
+36,	/* "idea-ecb" */
+46,	/* "idea-ofb" */
+676,	/* "identified-organization" */
+461,	/* "info" */
+101,	/* "initials" */
+869,	/* "internationaliSDNNumber" */
+749,	/* "ipsec3" */
+750,	/* "ipsec4" */
+181,	/* "iso" */
+623,	/* "issuer capabilities" */
+645,	/* "itu-t" */
+492,	/* "janetMailbox" */
+646,	/* "joint-iso-itu-t" */
+957,	/* "jurisdictionCountryName" */
+955,	/* "jurisdictionLocalityName" */
+956,	/* "jurisdictionStateOrProvinceName" */
+150,	/* "keyBag" */
+773,	/* "kisa" */
+477,	/* "lastModifiedBy" */
+476,	/* "lastModifiedTime" */
+157,	/* "localKeyID" */
+15,	/* "localityName" */
+480,	/* "mXRecord" */
+493,	/* "mailPreferenceOption" */
+467,	/* "manager" */
+ 3,	/* "md2" */
+ 7,	/* "md2WithRSAEncryption" */
+257,	/* "md4" */
+396,	/* "md4WithRSAEncryption" */
+ 4,	/* "md5" */
+114,	/* "md5-sha1" */
+104,	/* "md5WithRSA" */
+ 8,	/* "md5WithRSAEncryption" */
+95,	/* "mdc2" */
+96,	/* "mdc2WithRSA" */
+875,	/* "member" */
+602,	/* "merchant initiated auth" */
+514,	/* "message extensions" */
+51,	/* "messageDigest" */
+911,	/* "mgf1" */
+506,	/* "mime-mhs-bodies" */
+505,	/* "mime-mhs-headings" */
+488,	/* "mobileTelephoneNumber" */
+481,	/* "nSRecord" */
+173,	/* "name" */
+681,	/* "onBasis" */
+379,	/* "org" */
+17,	/* "organizationName" */
+491,	/* "organizationalStatus" */
+18,	/* "organizationalUnitName" */
+475,	/* "otherMailbox" */
+876,	/* "owner" */
+935,	/* "pSpecified" */
+489,	/* "pagerTelephoneNumber" */
+782,	/* "password based MAC" */
+374,	/* "path" */
+621,	/* "payment gateway capabilities" */
+ 9,	/* "pbeWithMD2AndDES-CBC" */
+168,	/* "pbeWithMD2AndRC2-CBC" */
+112,	/* "pbeWithMD5AndCast5CBC" */
+10,	/* "pbeWithMD5AndDES-CBC" */
+169,	/* "pbeWithMD5AndRC2-CBC" */
+148,	/* "pbeWithSHA1And128BitRC2-CBC" */
+144,	/* "pbeWithSHA1And128BitRC4" */
+147,	/* "pbeWithSHA1And2-KeyTripleDES-CBC" */
+146,	/* "pbeWithSHA1And3-KeyTripleDES-CBC" */
+149,	/* "pbeWithSHA1And40BitRC2-CBC" */
+145,	/* "pbeWithSHA1And40BitRC4" */
+170,	/* "pbeWithSHA1AndDES-CBC" */
+68,	/* "pbeWithSHA1AndRC2-CBC" */
+499,	/* "personalSignature" */
+487,	/* "personalTitle" */
+464,	/* "photo" */
+863,	/* "physicalDeliveryOfficeName" */
+437,	/* "pilot" */
+439,	/* "pilotAttributeSyntax" */
+438,	/* "pilotAttributeType" */
+479,	/* "pilotAttributeType27" */
+456,	/* "pilotDSA" */
+441,	/* "pilotGroups" */
+444,	/* "pilotObject" */
+440,	/* "pilotObjectClass" */
+455,	/* "pilotOrganization" */
+445,	/* "pilotPerson" */
+186,	/* "pkcs1" */
+27,	/* "pkcs3" */
+187,	/* "pkcs5" */
+20,	/* "pkcs7" */
+21,	/* "pkcs7-data" */
+25,	/* "pkcs7-digestData" */
+26,	/* "pkcs7-encryptedData" */
+23,	/* "pkcs7-envelopedData" */
+24,	/* "pkcs7-signedAndEnvelopedData" */
+22,	/* "pkcs7-signedData" */
+151,	/* "pkcs8ShroudedKeyBag" */
+47,	/* "pkcs9" */
+862,	/* "postOfficeBox" */
+861,	/* "postalAddress" */
+661,	/* "postalCode" */
+683,	/* "ppBasis" */
+872,	/* "preferredDeliveryMethod" */
+873,	/* "presentationAddress" */
+406,	/* "prime-field" */
+409,	/* "prime192v1" */
+410,	/* "prime192v2" */
+411,	/* "prime192v3" */
+412,	/* "prime239v1" */
+413,	/* "prime239v2" */
+414,	/* "prime239v3" */
+415,	/* "prime256v1" */
+886,	/* "protocolInformation" */
+510,	/* "pseudonym" */
+435,	/* "pss" */
+286,	/* "qcStatements" */
+457,	/* "qualityLabelledData" */
+450,	/* "rFC822localPart" */
+98,	/* "rc2-40-cbc" */
+166,	/* "rc2-64-cbc" */
+37,	/* "rc2-cbc" */
+39,	/* "rc2-cfb" */
+38,	/* "rc2-ecb" */
+40,	/* "rc2-ofb" */
+ 5,	/* "rc4" */
+97,	/* "rc4-40" */
+915,	/* "rc4-hmac-md5" */
+120,	/* "rc5-cbc" */
+122,	/* "rc5-cfb" */
+121,	/* "rc5-ecb" */
+123,	/* "rc5-ofb" */
+870,	/* "registeredAddress" */
+460,	/* "rfc822Mailbox" */
+117,	/* "ripemd160" */
+119,	/* "ripemd160WithRSA" */
+400,	/* "role" */
+877,	/* "roleOccupant" */
+448,	/* "room" */
+463,	/* "roomNumber" */
+19,	/* "rsa" */
+ 6,	/* "rsaEncryption" */
+644,	/* "rsaOAEPEncryptionSET" */
+377,	/* "rsaSignature" */
+919,	/* "rsaesOaep" */
+912,	/* "rsassaPss" */
+124,	/* "run length compression" */
+482,	/* "sOARecord" */
+155,	/* "safeContentsBag" */
+291,	/* "sbgp-autonomousSysNum" */
+290,	/* "sbgp-ipAddrBlock" */
+292,	/* "sbgp-routerIdentifier" */
+159,	/* "sdsiCertificate" */
+859,	/* "searchGuide" */
+704,	/* "secp112r1" */
+705,	/* "secp112r2" */
+706,	/* "secp128r1" */
+707,	/* "secp128r2" */
+708,	/* "secp160k1" */
+709,	/* "secp160r1" */
+710,	/* "secp160r2" */
+711,	/* "secp192k1" */
+712,	/* "secp224k1" */
+713,	/* "secp224r1" */
+714,	/* "secp256k1" */
+715,	/* "secp384r1" */
+716,	/* "secp521r1" */
+154,	/* "secretBag" */
+474,	/* "secretary" */
+717,	/* "sect113r1" */
+718,	/* "sect113r2" */
+719,	/* "sect131r1" */
+720,	/* "sect131r2" */
+721,	/* "sect163k1" */
+722,	/* "sect163r1" */
+723,	/* "sect163r2" */
+724,	/* "sect193r1" */
+725,	/* "sect193r2" */
+726,	/* "sect233k1" */
+727,	/* "sect233r1" */
+728,	/* "sect239k1" */
+729,	/* "sect283k1" */
+730,	/* "sect283r1" */
+731,	/* "sect409k1" */
+732,	/* "sect409r1" */
+733,	/* "sect571k1" */
+734,	/* "sect571r1" */
+635,	/* "secure device signature" */
+878,	/* "seeAlso" */
+777,	/* "seed-cbc" */
+779,	/* "seed-cfb" */
+776,	/* "seed-ecb" */
+778,	/* "seed-ofb" */
+105,	/* "serialNumber" */
+625,	/* "set-addPolicy" */
+515,	/* "set-attr" */
+518,	/* "set-brand" */
+638,	/* "set-brand-AmericanExpress" */
+637,	/* "set-brand-Diners" */
+636,	/* "set-brand-IATA-ATA" */
+639,	/* "set-brand-JCB" */
+641,	/* "set-brand-MasterCard" */
+642,	/* "set-brand-Novus" */
+640,	/* "set-brand-Visa" */
+516,	/* "set-policy" */
+607,	/* "set-policy-root" */
+624,	/* "set-rootKeyThumb" */
+620,	/* "setAttr-Cert" */
+628,	/* "setAttr-IssCap-CVM" */
+630,	/* "setAttr-IssCap-Sig" */
+629,	/* "setAttr-IssCap-T2" */
+627,	/* "setAttr-Token-B0Prime" */
+626,	/* "setAttr-Token-EMV" */
+622,	/* "setAttr-TokenType" */
+619,	/* "setCext-IssuerCapabilities" */
+615,	/* "setCext-PGWYcapabilities" */
+616,	/* "setCext-TokenIdentifier" */
+618,	/* "setCext-TokenType" */
+617,	/* "setCext-Track2Data" */
+611,	/* "setCext-cCertRequired" */
+609,	/* "setCext-certType" */
+608,	/* "setCext-hashedRoot" */
+610,	/* "setCext-merchData" */
+613,	/* "setCext-setExt" */
+614,	/* "setCext-setQualf" */
+612,	/* "setCext-tunneling" */
+540,	/* "setct-AcqCardCodeMsg" */
+576,	/* "setct-AcqCardCodeMsgTBE" */
+570,	/* "setct-AuthReqTBE" */
+534,	/* "setct-AuthReqTBS" */
+527,	/* "setct-AuthResBaggage" */
+571,	/* "setct-AuthResTBE" */
+572,	/* "setct-AuthResTBEX" */
+535,	/* "setct-AuthResTBS" */
+536,	/* "setct-AuthResTBSX" */
+528,	/* "setct-AuthRevReqBaggage" */
+577,	/* "setct-AuthRevReqTBE" */
+541,	/* "setct-AuthRevReqTBS" */
+529,	/* "setct-AuthRevResBaggage" */
+542,	/* "setct-AuthRevResData" */
+578,	/* "setct-AuthRevResTBE" */
+579,	/* "setct-AuthRevResTBEB" */
+543,	/* "setct-AuthRevResTBS" */
+573,	/* "setct-AuthTokenTBE" */
+537,	/* "setct-AuthTokenTBS" */
+600,	/* "setct-BCIDistributionTBS" */
+558,	/* "setct-BatchAdminReqData" */
+592,	/* "setct-BatchAdminReqTBE" */
+559,	/* "setct-BatchAdminResData" */
+593,	/* "setct-BatchAdminResTBE" */
+599,	/* "setct-CRLNotificationResTBS" */
+598,	/* "setct-CRLNotificationTBS" */
+580,	/* "setct-CapReqTBE" */
+581,	/* "setct-CapReqTBEX" */
+544,	/* "setct-CapReqTBS" */
+545,	/* "setct-CapReqTBSX" */
+546,	/* "setct-CapResData" */
+582,	/* "setct-CapResTBE" */
+583,	/* "setct-CapRevReqTBE" */
+584,	/* "setct-CapRevReqTBEX" */
+547,	/* "setct-CapRevReqTBS" */
+548,	/* "setct-CapRevReqTBSX" */
+549,	/* "setct-CapRevResData" */
+585,	/* "setct-CapRevResTBE" */
+538,	/* "setct-CapTokenData" */
+530,	/* "setct-CapTokenSeq" */
+574,	/* "setct-CapTokenTBE" */
+575,	/* "setct-CapTokenTBEX" */
+539,	/* "setct-CapTokenTBS" */
+560,	/* "setct-CardCInitResTBS" */
+566,	/* "setct-CertInqReqTBS" */
+563,	/* "setct-CertReqData" */
+595,	/* "setct-CertReqTBE" */
+596,	/* "setct-CertReqTBEX" */
+564,	/* "setct-CertReqTBS" */
+565,	/* "setct-CertResData" */
+597,	/* "setct-CertResTBE" */
+586,	/* "setct-CredReqTBE" */
+587,	/* "setct-CredReqTBEX" */
+550,	/* "setct-CredReqTBS" */
+551,	/* "setct-CredReqTBSX" */
+552,	/* "setct-CredResData" */
+588,	/* "setct-CredResTBE" */
+589,	/* "setct-CredRevReqTBE" */
+590,	/* "setct-CredRevReqTBEX" */
+553,	/* "setct-CredRevReqTBS" */
+554,	/* "setct-CredRevReqTBSX" */
+555,	/* "setct-CredRevResData" */
+591,	/* "setct-CredRevResTBE" */
+567,	/* "setct-ErrorTBS" */
+526,	/* "setct-HODInput" */
+561,	/* "setct-MeAqCInitResTBS" */
+522,	/* "setct-OIData" */
+519,	/* "setct-PANData" */
+521,	/* "setct-PANOnly" */
+520,	/* "setct-PANToken" */
+556,	/* "setct-PCertReqData" */
+557,	/* "setct-PCertResTBS" */
+523,	/* "setct-PI" */
+532,	/* "setct-PI-TBS" */
+524,	/* "setct-PIData" */
+525,	/* "setct-PIDataUnsigned" */
+568,	/* "setct-PIDualSignedTBE" */
+569,	/* "setct-PIUnsignedTBE" */
+531,	/* "setct-PInitResData" */
+533,	/* "setct-PResData" */
+594,	/* "setct-RegFormReqTBE" */
+562,	/* "setct-RegFormResTBS" */
+604,	/* "setext-pinAny" */
+603,	/* "setext-pinSecure" */
+605,	/* "setext-track2" */
+41,	/* "sha" */
+64,	/* "sha1" */
+115,	/* "sha1WithRSA" */
+65,	/* "sha1WithRSAEncryption" */
+675,	/* "sha224" */
+671,	/* "sha224WithRSAEncryption" */
+672,	/* "sha256" */
+668,	/* "sha256WithRSAEncryption" */
+673,	/* "sha384" */
+669,	/* "sha384WithRSAEncryption" */
+674,	/* "sha512" */
+670,	/* "sha512WithRSAEncryption" */
+42,	/* "shaWithRSAEncryption" */
+52,	/* "signingTime" */
+454,	/* "simpleSecurityObject" */
+496,	/* "singleLevelQuality" */
+16,	/* "stateOrProvinceName" */
+660,	/* "streetAddress" */
+498,	/* "subtreeMaximumQuality" */
+497,	/* "subtreeMinimumQuality" */
+890,	/* "supportedAlgorithms" */
+874,	/* "supportedApplicationContext" */
+100,	/* "surname" */
+864,	/* "telephoneNumber" */
+866,	/* "teletexTerminalIdentifier" */
+865,	/* "telexNumber" */
+459,	/* "textEncodedORAddress" */
+293,	/* "textNotice" */
+106,	/* "title" */
+682,	/* "tpBasis" */
+436,	/* "ucl" */
+ 0,	/* "undefined" */
+888,	/* "uniqueMember" */
+55,	/* "unstructuredAddress" */
+49,	/* "unstructuredName" */
+880,	/* "userCertificate" */
+465,	/* "userClass" */
+458,	/* "userId" */
+879,	/* "userPassword" */
+373,	/* "valid" */
+678,	/* "wap" */
+679,	/* "wap-wsg" */
+735,	/* "wap-wsg-idm-ecid-wtls1" */
+743,	/* "wap-wsg-idm-ecid-wtls10" */
+744,	/* "wap-wsg-idm-ecid-wtls11" */
+745,	/* "wap-wsg-idm-ecid-wtls12" */
+736,	/* "wap-wsg-idm-ecid-wtls3" */
+737,	/* "wap-wsg-idm-ecid-wtls4" */
+738,	/* "wap-wsg-idm-ecid-wtls5" */
+739,	/* "wap-wsg-idm-ecid-wtls6" */
+740,	/* "wap-wsg-idm-ecid-wtls7" */
+741,	/* "wap-wsg-idm-ecid-wtls8" */
+742,	/* "wap-wsg-idm-ecid-wtls9" */
+804,	/* "whirlpool" */
+868,	/* "x121Address" */
+503,	/* "x500UniqueIdentifier" */
+158,	/* "x509Certificate" */
+160,	/* "x509Crl" */
+125,	/* "zlib compression" */
 };
 
-#define NUM_OBJ 956
-static const unsigned int obj_objs[NUM_OBJ] = {
-       0,    /* OBJ_undef                        0 */
-     181,    /* OBJ_iso                          1 */
-     393,    /* OBJ_joint_iso_ccitt              OBJ_joint_iso_itu_t */
-     404,    /* OBJ_ccitt                        OBJ_itu_t */
-     645,    /* OBJ_itu_t                        0 */
-     646,    /* OBJ_joint_iso_itu_t              2 */
-     434,    /* OBJ_data                         0 9 */
-     182,    /* OBJ_member_body                  1 2 */
-     379,    /* OBJ_org                          1 3 */
-     676,    /* OBJ_identified_organization      1 3 */
-      11,    /* OBJ_X500                         2 5 */
-     647,    /* OBJ_international_organizations  2 23 */
-     380,    /* OBJ_dod                          1 3 6 */
-      12,    /* OBJ_X509                         2 5 4 */
-     378,    /* OBJ_X500algorithms               2 5 8 */
-      81,    /* OBJ_id_ce                        2 5 29 */
-     512,    /* OBJ_id_set                       2 23 42 */
-     678,    /* OBJ_wap                          2 23 43 */
-     435,    /* OBJ_pss                          0 9 2342 */
-     183,    /* OBJ_ISO_US                       1 2 840 */
-     381,    /* OBJ_iana                         1 3 6 1 */
-    1034,    /* OBJ_X25519                       1 3 101 110 */
-    1035,    /* OBJ_X448                         1 3 101 111 */
-     677,    /* OBJ_certicom_arc                 1 3 132 */
-     394,    /* OBJ_selected_attribute_types     2 5 1 5 */
-      13,    /* OBJ_commonName                   2 5 4 3 */
-     100,    /* OBJ_surname                      2 5 4 4 */
-     105,    /* OBJ_serialNumber                 2 5 4 5 */
-      14,    /* OBJ_countryName                  2 5 4 6 */
-      15,    /* OBJ_localityName                 2 5 4 7 */
-      16,    /* OBJ_stateOrProvinceName          2 5 4 8 */
-     660,    /* OBJ_streetAddress                2 5 4 9 */
-      17,    /* OBJ_organizationName             2 5 4 10 */
-      18,    /* OBJ_organizationalUnitName       2 5 4 11 */
-     106,    /* OBJ_title                        2 5 4 12 */
-     107,    /* OBJ_description                  2 5 4 13 */
-     859,    /* OBJ_searchGuide                  2 5 4 14 */
-     860,    /* OBJ_businessCategory             2 5 4 15 */
-     861,    /* OBJ_postalAddress                2 5 4 16 */
-     661,    /* OBJ_postalCode                   2 5 4 17 */
-     862,    /* OBJ_postOfficeBox                2 5 4 18 */
-     863,    /* OBJ_physicalDeliveryOfficeName   2 5 4 19 */
-     864,    /* OBJ_telephoneNumber              2 5 4 20 */
-     865,    /* OBJ_telexNumber                  2 5 4 21 */
-     866,    /* OBJ_teletexTerminalIdentifier    2 5 4 22 */
-     867,    /* OBJ_facsimileTelephoneNumber     2 5 4 23 */
-     868,    /* OBJ_x121Address                  2 5 4 24 */
-     869,    /* OBJ_internationaliSDNNumber      2 5 4 25 */
-     870,    /* OBJ_registeredAddress            2 5 4 26 */
-     871,    /* OBJ_destinationIndicator         2 5 4 27 */
-     872,    /* OBJ_preferredDeliveryMethod      2 5 4 28 */
-     873,    /* OBJ_presentationAddress          2 5 4 29 */
-     874,    /* OBJ_supportedApplicationContext  2 5 4 30 */
-     875,    /* OBJ_member                       2 5 4 31 */
-     876,    /* OBJ_owner                        2 5 4 32 */
-     877,    /* OBJ_roleOccupant                 2 5 4 33 */
-     878,    /* OBJ_seeAlso                      2 5 4 34 */
-     879,    /* OBJ_userPassword                 2 5 4 35 */
-     880,    /* OBJ_userCertificate              2 5 4 36 */
-     881,    /* OBJ_cACertificate                2 5 4 37 */
-     882,    /* OBJ_authorityRevocationList      2 5 4 38 */
-     883,    /* OBJ_certificateRevocationList    2 5 4 39 */
-     884,    /* OBJ_crossCertificatePair         2 5 4 40 */
-     173,    /* OBJ_name                         2 5 4 41 */
-      99,    /* OBJ_givenName                    2 5 4 42 */
-     101,    /* OBJ_initials                     2 5 4 43 */
-     509,    /* OBJ_generationQualifier          2 5 4 44 */
-     503,    /* OBJ_x500UniqueIdentifier         2 5 4 45 */
-     174,    /* OBJ_dnQualifier                  2 5 4 46 */
-     885,    /* OBJ_enhancedSearchGuide          2 5 4 47 */
-     886,    /* OBJ_protocolInformation          2 5 4 48 */
-     887,    /* OBJ_distinguishedName            2 5 4 49 */
-     888,    /* OBJ_uniqueMember                 2 5 4 50 */
-     889,    /* OBJ_houseIdentifier              2 5 4 51 */
-     890,    /* OBJ_supportedAlgorithms          2 5 4 52 */
-     891,    /* OBJ_deltaRevocationList          2 5 4 53 */
-     892,    /* OBJ_dmdName                      2 5 4 54 */
-     510,    /* OBJ_pseudonym                    2 5 4 65 */
-     400,    /* OBJ_role                         2 5 4 72 */
-     769,    /* OBJ_subject_directory_attributes 2 5 29 9 */
-      82,    /* OBJ_subject_key_identifier       2 5 29 14 */
-      83,    /* OBJ_key_usage                    2 5 29 15 */
-      84,    /* OBJ_private_key_usage_period     2 5 29 16 */
-      85,    /* OBJ_subject_alt_name             2 5 29 17 */
-      86,    /* OBJ_issuer_alt_name              2 5 29 18 */
-      87,    /* OBJ_basic_constraints            2 5 29 19 */
-      88,    /* OBJ_crl_number                   2 5 29 20 */
-     141,    /* OBJ_crl_reason                   2 5 29 21 */
-     430,    /* OBJ_hold_instruction_code        2 5 29 23 */
-     142,    /* OBJ_invalidity_date              2 5 29 24 */
-     140,    /* OBJ_delta_crl                    2 5 29 27 */
-     770,    /* OBJ_issuing_distribution_point   2 5 29 28 */
-     771,    /* OBJ_certificate_issuer           2 5 29 29 */
-     666,    /* OBJ_name_constraints             2 5 29 30 */
-     103,    /* OBJ_crl_distribution_points      2 5 29 31 */
-      89,    /* OBJ_certificate_policies         2 5 29 32 */
-     747,    /* OBJ_policy_mappings              2 5 29 33 */
-      90,    /* OBJ_authority_key_identifier     2 5 29 35 */
-     401,    /* OBJ_policy_constraints           2 5 29 36 */
-     126,    /* OBJ_ext_key_usage                2 5 29 37 */
-     857,    /* OBJ_freshest_crl                 2 5 29 46 */
-     748,    /* OBJ_inhibit_any_policy           2 5 29 54 */
-     402,    /* OBJ_target_information           2 5 29 55 */
-     403,    /* OBJ_no_rev_avail                 2 5 29 56 */
-     513,    /* OBJ_set_ctype                    2 23 42 0 */
-     514,    /* OBJ_set_msgExt                   2 23 42 1 */
-     515,    /* OBJ_set_attr                     2 23 42 3 */
-     516,    /* OBJ_set_policy                   2 23 42 5 */
-     517,    /* OBJ_set_certExt                  2 23 42 7 */
-     518,    /* OBJ_set_brand                    2 23 42 8 */
-     679,    /* OBJ_wap_wsg                      2 23 43 1 */
-     382,    /* OBJ_Directory                    1 3 6 1 1 */
-     383,    /* OBJ_Management                   1 3 6 1 2 */
-     384,    /* OBJ_Experimental                 1 3 6 1 3 */
-     385,    /* OBJ_Private                      1 3 6 1 4 */
-     386,    /* OBJ_Security                     1 3 6 1 5 */
-     387,    /* OBJ_SNMPv2                       1 3 6 1 6 */
-     388,    /* OBJ_Mail                         1 3 6 1 7 */
-     376,    /* OBJ_algorithm                    1 3 14 3 2 */
-     395,    /* OBJ_clearance                    2 5 1 5 55 */
-      19,    /* OBJ_rsa                          2 5 8 1 1 */
-      96,    /* OBJ_mdc2WithRSA                  2 5 8 3 100 */
-      95,    /* OBJ_mdc2                         2 5 8 3 101 */
-     746,    /* OBJ_any_policy                   2 5 29 32 0 */
-     910,    /* OBJ_anyExtendedKeyUsage          2 5 29 37 0 */
-     519,    /* OBJ_setct_PANData                2 23 42 0 0 */
-     520,    /* OBJ_setct_PANToken               2 23 42 0 1 */
-     521,    /* OBJ_setct_PANOnly                2 23 42 0 2 */
-     522,    /* OBJ_setct_OIData                 2 23 42 0 3 */
-     523,    /* OBJ_setct_PI                     2 23 42 0 4 */
-     524,    /* OBJ_setct_PIData                 2 23 42 0 5 */
-     525,    /* OBJ_setct_PIDataUnsigned         2 23 42 0 6 */
-     526,    /* OBJ_setct_HODInput               2 23 42 0 7 */
-     527,    /* OBJ_setct_AuthResBaggage         2 23 42 0 8 */
-     528,    /* OBJ_setct_AuthRevReqBaggage      2 23 42 0 9 */
-     529,    /* OBJ_setct_AuthRevResBaggage      2 23 42 0 10 */
-     530,    /* OBJ_setct_CapTokenSeq            2 23 42 0 11 */
-     531,    /* OBJ_setct_PInitResData           2 23 42 0 12 */
-     532,    /* OBJ_setct_PI_TBS                 2 23 42 0 13 */
-     533,    /* OBJ_setct_PResData               2 23 42 0 14 */
-     534,    /* OBJ_setct_AuthReqTBS             2 23 42 0 16 */
-     535,    /* OBJ_setct_AuthResTBS             2 23 42 0 17 */
-     536,    /* OBJ_setct_AuthResTBSX            2 23 42 0 18 */
-     537,    /* OBJ_setct_AuthTokenTBS           2 23 42 0 19 */
-     538,    /* OBJ_setct_CapTokenData           2 23 42 0 20 */
-     539,    /* OBJ_setct_CapTokenTBS            2 23 42 0 21 */
-     540,    /* OBJ_setct_AcqCardCodeMsg         2 23 42 0 22 */
-     541,    /* OBJ_setct_AuthRevReqTBS          2 23 42 0 23 */
-     542,    /* OBJ_setct_AuthRevResData         2 23 42 0 24 */
-     543,    /* OBJ_setct_AuthRevResTBS          2 23 42 0 25 */
-     544,    /* OBJ_setct_CapReqTBS              2 23 42 0 26 */
-     545,    /* OBJ_setct_CapReqTBSX             2 23 42 0 27 */
-     546,    /* OBJ_setct_CapResData             2 23 42 0 28 */
-     547,    /* OBJ_setct_CapRevReqTBS           2 23 42 0 29 */
-     548,    /* OBJ_setct_CapRevReqTBSX          2 23 42 0 30 */
-     549,    /* OBJ_setct_CapRevResData          2 23 42 0 31 */
-     550,    /* OBJ_setct_CredReqTBS             2 23 42 0 32 */
-     551,    /* OBJ_setct_CredReqTBSX            2 23 42 0 33 */
-     552,    /* OBJ_setct_CredResData            2 23 42 0 34 */
-     553,    /* OBJ_setct_CredRevReqTBS          2 23 42 0 35 */
-     554,    /* OBJ_setct_CredRevReqTBSX         2 23 42 0 36 */
-     555,    /* OBJ_setct_CredRevResData         2 23 42 0 37 */
-     556,    /* OBJ_setct_PCertReqData           2 23 42 0 38 */
-     557,    /* OBJ_setct_PCertResTBS            2 23 42 0 39 */
-     558,    /* OBJ_setct_BatchAdminReqData      2 23 42 0 40 */
-     559,    /* OBJ_setct_BatchAdminResData      2 23 42 0 41 */
-     560,    /* OBJ_setct_CardCInitResTBS        2 23 42 0 42 */
-     561,    /* OBJ_setct_MeAqCInitResTBS        2 23 42 0 43 */
-     562,    /* OBJ_setct_RegFormResTBS          2 23 42 0 44 */
-     563,    /* OBJ_setct_CertReqData            2 23 42 0 45 */
-     564,    /* OBJ_setct_CertReqTBS             2 23 42 0 46 */
-     565,    /* OBJ_setct_CertResData            2 23 42 0 47 */
-     566,    /* OBJ_setct_CertInqReqTBS          2 23 42 0 48 */
-     567,    /* OBJ_setct_ErrorTBS               2 23 42 0 49 */
-     568,    /* OBJ_setct_PIDualSignedTBE        2 23 42 0 50 */
-     569,    /* OBJ_setct_PIUnsignedTBE          2 23 42 0 51 */
-     570,    /* OBJ_setct_AuthReqTBE             2 23 42 0 52 */
-     571,    /* OBJ_setct_AuthResTBE             2 23 42 0 53 */
-     572,    /* OBJ_setct_AuthResTBEX            2 23 42 0 54 */
-     573,    /* OBJ_setct_AuthTokenTBE           2 23 42 0 55 */
-     574,    /* OBJ_setct_CapTokenTBE            2 23 42 0 56 */
-     575,    /* OBJ_setct_CapTokenTBEX           2 23 42 0 57 */
-     576,    /* OBJ_setct_AcqCardCodeMsgTBE      2 23 42 0 58 */
-     577,    /* OBJ_setct_AuthRevReqTBE          2 23 42 0 59 */
-     578,    /* OBJ_setct_AuthRevResTBE          2 23 42 0 60 */
-     579,    /* OBJ_setct_AuthRevResTBEB         2 23 42 0 61 */
-     580,    /* OBJ_setct_CapReqTBE              2 23 42 0 62 */
-     581,    /* OBJ_setct_CapReqTBEX             2 23 42 0 63 */
-     582,    /* OBJ_setct_CapResTBE              2 23 42 0 64 */
-     583,    /* OBJ_setct_CapRevReqTBE           2 23 42 0 65 */
-     584,    /* OBJ_setct_CapRevReqTBEX          2 23 42 0 66 */
-     585,    /* OBJ_setct_CapRevResTBE           2 23 42 0 67 */
-     586,    /* OBJ_setct_CredReqTBE             2 23 42 0 68 */
-     587,    /* OBJ_setct_CredReqTBEX            2 23 42 0 69 */
-     588,    /* OBJ_setct_CredResTBE             2 23 42 0 70 */
-     589,    /* OBJ_setct_CredRevReqTBE          2 23 42 0 71 */
-     590,    /* OBJ_setct_CredRevReqTBEX         2 23 42 0 72 */
-     591,    /* OBJ_setct_CredRevResTBE          2 23 42 0 73 */
-     592,    /* OBJ_setct_BatchAdminReqTBE       2 23 42 0 74 */
-     593,    /* OBJ_setct_BatchAdminResTBE       2 23 42 0 75 */
-     594,    /* OBJ_setct_RegFormReqTBE          2 23 42 0 76 */
-     595,    /* OBJ_setct_CertReqTBE             2 23 42 0 77 */
-     596,    /* OBJ_setct_CertReqTBEX            2 23 42 0 78 */
-     597,    /* OBJ_setct_CertResTBE             2 23 42 0 79 */
-     598,    /* OBJ_setct_CRLNotificationTBS     2 23 42 0 80 */
-     599,    /* OBJ_setct_CRLNotificationResTBS  2 23 42 0 81 */
-     600,    /* OBJ_setct_BCIDistributionTBS     2 23 42 0 82 */
-     601,    /* OBJ_setext_genCrypt              2 23 42 1 1 */
-     602,    /* OBJ_setext_miAuth                2 23 42 1 3 */
-     603,    /* OBJ_setext_pinSecure             2 23 42 1 4 */
-     604,    /* OBJ_setext_pinAny                2 23 42 1 5 */
-     605,    /* OBJ_setext_track2                2 23 42 1 7 */
-     606,    /* OBJ_setext_cv                    2 23 42 1 8 */
-     620,    /* OBJ_setAttr_Cert                 2 23 42 3 0 */
-     621,    /* OBJ_setAttr_PGWYcap              2 23 42 3 1 */
-     622,    /* OBJ_setAttr_TokenType            2 23 42 3 2 */
-     623,    /* OBJ_setAttr_IssCap               2 23 42 3 3 */
-     607,    /* OBJ_set_policy_root              2 23 42 5 0 */
-     608,    /* OBJ_setCext_hashedRoot           2 23 42 7 0 */
-     609,    /* OBJ_setCext_certType             2 23 42 7 1 */
-     610,    /* OBJ_setCext_merchData            2 23 42 7 2 */
-     611,    /* OBJ_setCext_cCertRequired        2 23 42 7 3 */
-     612,    /* OBJ_setCext_tunneling            2 23 42 7 4 */
-     613,    /* OBJ_setCext_setExt               2 23 42 7 5 */
-     614,    /* OBJ_setCext_setQualf             2 23 42 7 6 */
-     615,    /* OBJ_setCext_PGWYcapabilities     2 23 42 7 7 */
-     616,    /* OBJ_setCext_TokenIdentifier      2 23 42 7 8 */
-     617,    /* OBJ_setCext_Track2Data           2 23 42 7 9 */
-     618,    /* OBJ_setCext_TokenType            2 23 42 7 10 */
-     619,    /* OBJ_setCext_IssuerCapabilities   2 23 42 7 11 */
-     636,    /* OBJ_set_brand_IATA_ATA           2 23 42 8 1 */
-     640,    /* OBJ_set_brand_Visa               2 23 42 8 4 */
-     641,    /* OBJ_set_brand_MasterCard         2 23 42 8 5 */
-     637,    /* OBJ_set_brand_Diners             2 23 42 8 30 */
-     638,    /* OBJ_set_brand_AmericanExpress    2 23 42 8 34 */
-     639,    /* OBJ_set_brand_JCB                2 23 42 8 35 */
-     805,    /* OBJ_cryptopro                    1 2 643 2 2 */
-     806,    /* OBJ_cryptocom                    1 2 643 2 9 */
-     974,    /* OBJ_id_tc26                      1 2 643 7 1 */
-    1005,    /* OBJ_OGRN                         1 2 643 100 1 */
-    1006,    /* OBJ_SNILS                        1 2 643 100 3 */
-    1007,    /* OBJ_subjectSignTool              1 2 643 100 111 */
-    1008,    /* OBJ_issuerSignTool               1 2 643 100 112 */
-     184,    /* OBJ_X9_57                        1 2 840 10040 */
-     405,    /* OBJ_ansi_X9_62                   1 2 840 10045 */
-     389,    /* OBJ_Enterprises                  1 3 6 1 4 1 */
-     504,    /* OBJ_mime_mhs                     1 3 6 1 7 1 */
-     104,    /* OBJ_md5WithRSA                   1 3 14 3 2 3 */
-      29,    /* OBJ_des_ecb                      1 3 14 3 2 6 */
-      31,    /* OBJ_des_cbc                      1 3 14 3 2 7 */
-      45,    /* OBJ_des_ofb64                    1 3 14 3 2 8 */
-      30,    /* OBJ_des_cfb64                    1 3 14 3 2 9 */
-     377,    /* OBJ_rsaSignature                 1 3 14 3 2 11 */
-      67,    /* OBJ_dsa_2                        1 3 14 3 2 12 */
-      66,    /* OBJ_dsaWithSHA                   1 3 14 3 2 13 */
-      42,    /* OBJ_shaWithRSAEncryption         1 3 14 3 2 15 */
-      32,    /* OBJ_des_ede_ecb                  1 3 14 3 2 17 */
-      41,    /* OBJ_sha                          1 3 14 3 2 18 */
-      64,    /* OBJ_sha1                         1 3 14 3 2 26 */
-      70,    /* OBJ_dsaWithSHA1_2                1 3 14 3 2 27 */
-     115,    /* OBJ_sha1WithRSA                  1 3 14 3 2 29 */
-     117,    /* OBJ_ripemd160                    1 3 36 3 2 1 */
-     143,    /* OBJ_sxnet                        1 3 101 1 4 1 */
-     721,    /* OBJ_sect163k1                    1 3 132 0 1 */
-     722,    /* OBJ_sect163r1                    1 3 132 0 2 */
-     728,    /* OBJ_sect239k1                    1 3 132 0 3 */
-     717,    /* OBJ_sect113r1                    1 3 132 0 4 */
-     718,    /* OBJ_sect113r2                    1 3 132 0 5 */
-     704,    /* OBJ_secp112r1                    1 3 132 0 6 */
-     705,    /* OBJ_secp112r2                    1 3 132 0 7 */
-     709,    /* OBJ_secp160r1                    1 3 132 0 8 */
-     708,    /* OBJ_secp160k1                    1 3 132 0 9 */
-     714,    /* OBJ_secp256k1                    1 3 132 0 10 */
-     723,    /* OBJ_sect163r2                    1 3 132 0 15 */
-     729,    /* OBJ_sect283k1                    1 3 132 0 16 */
-     730,    /* OBJ_sect283r1                    1 3 132 0 17 */
-     719,    /* OBJ_sect131r1                    1 3 132 0 22 */
-     720,    /* OBJ_sect131r2                    1 3 132 0 23 */
-     724,    /* OBJ_sect193r1                    1 3 132 0 24 */
-     725,    /* OBJ_sect193r2                    1 3 132 0 25 */
-     726,    /* OBJ_sect233k1                    1 3 132 0 26 */
-     727,    /* OBJ_sect233r1                    1 3 132 0 27 */
-     706,    /* OBJ_secp128r1                    1 3 132 0 28 */
-     707,    /* OBJ_secp128r2                    1 3 132 0 29 */
-     710,    /* OBJ_secp160r2                    1 3 132 0 30 */
-     711,    /* OBJ_secp192k1                    1 3 132 0 31 */
-     712,    /* OBJ_secp224k1                    1 3 132 0 32 */
-     713,    /* OBJ_secp224r1                    1 3 132 0 33 */
-     715,    /* OBJ_secp384r1                    1 3 132 0 34 */
-     716,    /* OBJ_secp521r1                    1 3 132 0 35 */
-     731,    /* OBJ_sect409k1                    1 3 132 0 36 */
-     732,    /* OBJ_sect409r1                    1 3 132 0 37 */
-     733,    /* OBJ_sect571k1                    1 3 132 0 38 */
-     734,    /* OBJ_sect571r1                    1 3 132 0 39 */
-     624,    /* OBJ_set_rootKeyThumb             2 23 42 3 0 0 */
-     625,    /* OBJ_set_addPolicy                2 23 42 3 0 1 */
-     626,    /* OBJ_setAttr_Token_EMV            2 23 42 3 2 1 */
-     627,    /* OBJ_setAttr_Token_B0Prime        2 23 42 3 2 2 */
-     628,    /* OBJ_setAttr_IssCap_CVM           2 23 42 3 3 3 */
-     629,    /* OBJ_setAttr_IssCap_T2            2 23 42 3 3 4 */
-     630,    /* OBJ_setAttr_IssCap_Sig           2 23 42 3 3 5 */
-     642,    /* OBJ_set_brand_Novus              2 23 42 8 6011 */
-     735,    /* OBJ_wap_wsg_idm_ecid_wtls1       2 23 43 1 4 1 */
-     736,    /* OBJ_wap_wsg_idm_ecid_wtls3       2 23 43 1 4 3 */
-     737,    /* OBJ_wap_wsg_idm_ecid_wtls4       2 23 43 1 4 4 */
-     738,    /* OBJ_wap_wsg_idm_ecid_wtls5       2 23 43 1 4 5 */
-     739,    /* OBJ_wap_wsg_idm_ecid_wtls6       2 23 43 1 4 6 */
-     740,    /* OBJ_wap_wsg_idm_ecid_wtls7       2 23 43 1 4 7 */
-     741,    /* OBJ_wap_wsg_idm_ecid_wtls8       2 23 43 1 4 8 */
-     742,    /* OBJ_wap_wsg_idm_ecid_wtls9       2 23 43 1 4 9 */
-     743,    /* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 1 4 10 */
-     744,    /* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 1 4 11 */
-     745,    /* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 1 4 12 */
-     804,    /* OBJ_whirlpool                    1 0 10118 3 0 55 */
-     773,    /* OBJ_kisa                         1 2 410 200004 */
-     807,    /* OBJ_id_GostR3411_94_with_GostR3410_2001 1 2 643 2 2 3 */
-     808,    /* OBJ_id_GostR3411_94_with_GostR3410_94 1 2 643 2 2 4 */
-     809,    /* OBJ_id_GostR3411_94              1 2 643 2 2 9 */
-     810,    /* OBJ_id_HMACGostR3411_94          1 2 643 2 2 10 */
-     811,    /* OBJ_id_GostR3410_2001            1 2 643 2 2 19 */
-     812,    /* OBJ_id_GostR3410_94              1 2 643 2 2 20 */
-     813,    /* OBJ_id_Gost28147_89              1 2 643 2 2 21 */
-     815,    /* OBJ_id_Gost28147_89_MAC          1 2 643 2 2 22 */
-     816,    /* OBJ_id_GostR3411_94_prf          1 2 643 2 2 23 */
-     817,    /* OBJ_id_GostR3410_2001DH          1 2 643 2 2 98 */
-     818,    /* OBJ_id_GostR3410_94DH            1 2 643 2 2 99 */
-     977,    /* OBJ_id_tc26_algorithms           1 2 643 7 1 1 */
-     994,    /* OBJ_id_tc26_constants            1 2 643 7 1 2 */
-       1,    /* OBJ_rsadsi                       1 2 840 113549 */
-     185,    /* OBJ_X9cm                         1 2 840 10040 4 */
-    1031,    /* OBJ_id_pkinit                    1 3 6 1 5 2 3 */
-     127,    /* OBJ_id_pkix                      1 3 6 1 5 5 7 */
-     505,    /* OBJ_mime_mhs_headings            1 3 6 1 7 1 1 */
-     506,    /* OBJ_mime_mhs_bodies              1 3 6 1 7 1 2 */
-     119,    /* OBJ_ripemd160WithRSA             1 3 36 3 3 1 2 */
-     937,    /* OBJ_dhSinglePass_stdDH_sha224kdf_scheme 1 3 132 1 11 0 */
-     938,    /* OBJ_dhSinglePass_stdDH_sha256kdf_scheme 1 3 132 1 11 1 */
-     939,    /* OBJ_dhSinglePass_stdDH_sha384kdf_scheme 1 3 132 1 11 2 */
-     940,    /* OBJ_dhSinglePass_stdDH_sha512kdf_scheme 1 3 132 1 11 3 */
-     942,    /* OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme 1 3 132 1 14 0 */
-     943,    /* OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme 1 3 132 1 14 1 */
-     944,    /* OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme 1 3 132 1 14 2 */
-     945,    /* OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme 1 3 132 1 14 3 */
-     631,    /* OBJ_setAttr_GenCryptgrm          2 23 42 3 3 3 1 */
-     632,    /* OBJ_setAttr_T2Enc                2 23 42 3 3 4 1 */
-     633,    /* OBJ_setAttr_T2cleartxt           2 23 42 3 3 4 2 */
-     634,    /* OBJ_setAttr_TokICCsig            2 23 42 3 3 5 1 */
-     635,    /* OBJ_setAttr_SecDevSig            2 23 42 3 3 5 2 */
-     436,    /* OBJ_ucl                          0 9 2342 19200300 */
-     820,    /* OBJ_id_Gost28147_89_None_KeyMeshing 1 2 643 2 2 14 0 */
-     819,    /* OBJ_id_Gost28147_89_CryptoPro_KeyMeshing 1 2 643 2 2 14 1 */
-     845,    /* OBJ_id_GostR3410_94_a            1 2 643 2 2 20 1 */
-     846,    /* OBJ_id_GostR3410_94_aBis         1 2 643 2 2 20 2 */
-     847,    /* OBJ_id_GostR3410_94_b            1 2 643 2 2 20 3 */
-     848,    /* OBJ_id_GostR3410_94_bBis         1 2 643 2 2 20 4 */
-     821,    /* OBJ_id_GostR3411_94_TestParamSet 1 2 643 2 2 30 0 */
-     822,    /* OBJ_id_GostR3411_94_CryptoProParamSet 1 2 643 2 2 30 1 */
-     823,    /* OBJ_id_Gost28147_89_TestParamSet 1 2 643 2 2 31 0 */
-     824,    /* OBJ_id_Gost28147_89_CryptoPro_A_ParamSet 1 2 643 2 2 31 1 */
-     825,    /* OBJ_id_Gost28147_89_CryptoPro_B_ParamSet 1 2 643 2 2 31 2 */
-     826,    /* OBJ_id_Gost28147_89_CryptoPro_C_ParamSet 1 2 643 2 2 31 3 */
-     827,    /* OBJ_id_Gost28147_89_CryptoPro_D_ParamSet 1 2 643 2 2 31 4 */
-     828,    /* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet 1 2 643 2 2 31 5 */
-     829,    /* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet 1 2 643 2 2 31 6 */
-     830,    /* OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet 1 2 643 2 2 31 7 */
-     831,    /* OBJ_id_GostR3410_94_TestParamSet 1 2 643 2 2 32 0 */
-     832,    /* OBJ_id_GostR3410_94_CryptoPro_A_ParamSet 1 2 643 2 2 32 2 */
-     833,    /* OBJ_id_GostR3410_94_CryptoPro_B_ParamSet 1 2 643 2 2 32 3 */
-     834,    /* OBJ_id_GostR3410_94_CryptoPro_C_ParamSet 1 2 643 2 2 32 4 */
-     835,    /* OBJ_id_GostR3410_94_CryptoPro_D_ParamSet 1 2 643 2 2 32 5 */
-     836,    /* OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet 1 2 643 2 2 33 1 */
-     837,    /* OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet 1 2 643 2 2 33 2 */
-     838,    /* OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet 1 2 643 2 2 33 3 */
-     839,    /* OBJ_id_GostR3410_2001_TestParamSet 1 2 643 2 2 35 0 */
-     840,    /* OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet 1 2 643 2 2 35 1 */
-     841,    /* OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet 1 2 643 2 2 35 2 */
-     842,    /* OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet 1 2 643 2 2 35 3 */
-     843,    /* OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet 1 2 643 2 2 36 0 */
-     844,    /* OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet 1 2 643 2 2 36 1 */
-     978,    /* OBJ_id_tc26_sign                 1 2 643 7 1 1 1 */
-     981,    /* OBJ_id_tc26_digest               1 2 643 7 1 1 2 */
-     984,    /* OBJ_id_tc26_signwithdigest       1 2 643 7 1 1 3 */
-     987,    /* OBJ_id_tc26_mac                  1 2 643 7 1 1 4 */
-     990,    /* OBJ_id_tc26_cipher               1 2 643 7 1 1 5 */
-     991,    /* OBJ_id_tc26_agreement            1 2 643 7 1 1 6 */
-     995,    /* OBJ_id_tc26_sign_constants       1 2 643 7 1 2 1 */
-    1000,    /* OBJ_id_tc26_digest_constants     1 2 643 7 1 2 2 */
-    1001,    /* OBJ_id_tc26_cipher_constants     1 2 643 7 1 2 5 */
-       2,    /* OBJ_pkcs                         1 2 840 113549 1 */
-     431,    /* OBJ_hold_instruction_none        1 2 840 10040 2 1 */
-     432,    /* OBJ_hold_instruction_call_issuer 1 2 840 10040 2 2 */
-     433,    /* OBJ_hold_instruction_reject      1 2 840 10040 2 3 */
-     116,    /* OBJ_dsa                          1 2 840 10040 4 1 */
-     113,    /* OBJ_dsaWithSHA1                  1 2 840 10040 4 3 */
-     406,    /* OBJ_X9_62_prime_field            1 2 840 10045 1 1 */
-     407,    /* OBJ_X9_62_characteristic_two_field 1 2 840 10045 1 2 */
-     408,    /* OBJ_X9_62_id_ecPublicKey         1 2 840 10045 2 1 */
-     416,    /* OBJ_ecdsa_with_SHA1              1 2 840 10045 4 1 */
-     791,    /* OBJ_ecdsa_with_Recommended       1 2 840 10045 4 2 */
-     792,    /* OBJ_ecdsa_with_Specified         1 2 840 10045 4 3 */
-     920,    /* OBJ_dhpublicnumber               1 2 840 10046 2 1 */
-    1032,    /* OBJ_pkInitClientAuth             1 3 6 1 5 2 3 4 */
-    1033,    /* OBJ_pkInitKDC                    1 3 6 1 5 2 3 5 */
-     258,    /* OBJ_id_pkix_mod                  1 3 6 1 5 5 7 0 */
-     175,    /* OBJ_id_pe                        1 3 6 1 5 5 7 1 */
-     259,    /* OBJ_id_qt                        1 3 6 1 5 5 7 2 */
-     128,    /* OBJ_id_kp                        1 3 6 1 5 5 7 3 */
-     260,    /* OBJ_id_it                        1 3 6 1 5 5 7 4 */
-     261,    /* OBJ_id_pkip                      1 3 6 1 5 5 7 5 */
-     262,    /* OBJ_id_alg                       1 3 6 1 5 5 7 6 */
-     263,    /* OBJ_id_cmc                       1 3 6 1 5 5 7 7 */
-     264,    /* OBJ_id_on                        1 3 6 1 5 5 7 8 */
-     265,    /* OBJ_id_pda                       1 3 6 1 5 5 7 9 */
-     266,    /* OBJ_id_aca                       1 3 6 1 5 5 7 10 */
-     267,    /* OBJ_id_qcs                       1 3 6 1 5 5 7 11 */
-     268,    /* OBJ_id_cct                       1 3 6 1 5 5 7 12 */
-     662,    /* OBJ_id_ppl                       1 3 6 1 5 5 7 21 */
-     176,    /* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
-     507,    /* OBJ_id_hex_partial_message       1 3 6 1 7 1 1 1 */
-     508,    /* OBJ_id_hex_multipart_message     1 3 6 1 7 1 1 2 */
-      57,    /* OBJ_netscape                     2 16 840 1 113730 */
-     754,    /* OBJ_camellia_128_ecb             0 3 4401 5 3 1 9 1 */
-     766,    /* OBJ_camellia_128_ofb128          0 3 4401 5 3 1 9 3 */
-     757,    /* OBJ_camellia_128_cfb128          0 3 4401 5 3 1 9 4 */
-     961,    /* OBJ_camellia_128_gcm             0 3 4401 5 3 1 9 6 */
-     962,    /* OBJ_camellia_128_ccm             0 3 4401 5 3 1 9 7 */
-     963,    /* OBJ_camellia_128_ctr             0 3 4401 5 3 1 9 9 */
-     964,    /* OBJ_camellia_128_cmac            0 3 4401 5 3 1 9 10 */
-     755,    /* OBJ_camellia_192_ecb             0 3 4401 5 3 1 9 21 */
-     767,    /* OBJ_camellia_192_ofb128          0 3 4401 5 3 1 9 23 */
-     758,    /* OBJ_camellia_192_cfb128          0 3 4401 5 3 1 9 24 */
-     965,    /* OBJ_camellia_192_gcm             0 3 4401 5 3 1 9 26 */
-     966,    /* OBJ_camellia_192_ccm             0 3 4401 5 3 1 9 27 */
-     967,    /* OBJ_camellia_192_ctr             0 3 4401 5 3 1 9 29 */
-     968,    /* OBJ_camellia_192_cmac            0 3 4401 5 3 1 9 30 */
-     756,    /* OBJ_camellia_256_ecb             0 3 4401 5 3 1 9 41 */
-     768,    /* OBJ_camellia_256_ofb128          0 3 4401 5 3 1 9 43 */
-     759,    /* OBJ_camellia_256_cfb128          0 3 4401 5 3 1 9 44 */
-     969,    /* OBJ_camellia_256_gcm             0 3 4401 5 3 1 9 46 */
-     970,    /* OBJ_camellia_256_ccm             0 3 4401 5 3 1 9 47 */
-     971,    /* OBJ_camellia_256_ctr             0 3 4401 5 3 1 9 49 */
-     972,    /* OBJ_camellia_256_cmac            0 3 4401 5 3 1 9 50 */
-     437,    /* OBJ_pilot                        0 9 2342 19200300 100 */
-     776,    /* OBJ_seed_ecb                     1 2 410 200004 1 3 */
-     777,    /* OBJ_seed_cbc                     1 2 410 200004 1 4 */
-     779,    /* OBJ_seed_cfb128                  1 2 410 200004 1 5 */
-     778,    /* OBJ_seed_ofb128                  1 2 410 200004 1 6 */
-     852,    /* OBJ_id_GostR3411_94_with_GostR3410_94_cc 1 2 643 2 9 1 3 3 */
-     853,    /* OBJ_id_GostR3411_94_with_GostR3410_2001_cc 1 2 643 2 9 1 3 4 */
-     850,    /* OBJ_id_GostR3410_94_cc           1 2 643 2 9 1 5 3 */
-     851,    /* OBJ_id_GostR3410_2001_cc         1 2 643 2 9 1 5 4 */
-     849,    /* OBJ_id_Gost28147_89_cc           1 2 643 2 9 1 6 1 */
-     854,    /* OBJ_id_GostR3410_2001_ParamSet_cc 1 2 643 2 9 1 8 1 */
-    1004,    /* OBJ_INN                          1 2 643 3 131 1 1 */
-     979,    /* OBJ_id_GostR3410_2012_256        1 2 643 7 1 1 1 1 */
-     980,    /* OBJ_id_GostR3410_2012_512        1 2 643 7 1 1 1 2 */
-     982,    /* OBJ_id_GostR3411_2012_256        1 2 643 7 1 1 2 2 */
-     983,    /* OBJ_id_GostR3411_2012_512        1 2 643 7 1 1 2 3 */
-     985,    /* OBJ_id_tc26_signwithdigest_gost3410_2012_256 1 2 643 7 1 1 3 2 */
-     986,    /* OBJ_id_tc26_signwithdigest_gost3410_2012_512 1 2 643 7 1 1 3 3 */
-     988,    /* OBJ_id_tc26_hmac_gost_3411_2012_256 1 2 643 7 1 1 4 1 */
-     989,    /* OBJ_id_tc26_hmac_gost_3411_2012_512 1 2 643 7 1 1 4 2 */
-     992,    /* OBJ_id_tc26_agreement_gost_3410_2012_256 1 2 643 7 1 1 6 1 */
-     993,    /* OBJ_id_tc26_agreement_gost_3410_2012_512 1 2 643 7 1 1 6 2 */
-     996,    /* OBJ_id_tc26_gost_3410_2012_512_constants 1 2 643 7 1 2 1 2 */
-    1002,    /* OBJ_id_tc26_gost_28147_constants 1 2 643 7 1 2 5 1 */
-     186,    /* OBJ_pkcs1                        1 2 840 113549 1 1 */
-      27,    /* OBJ_pkcs3                        1 2 840 113549 1 3 */
-     187,    /* OBJ_pkcs5                        1 2 840 113549 1 5 */
-      20,    /* OBJ_pkcs7                        1 2 840 113549 1 7 */
-      47,    /* OBJ_pkcs9                        1 2 840 113549 1 9 */
-       3,    /* OBJ_md2                          1 2 840 113549 2 2 */
-     257,    /* OBJ_md4                          1 2 840 113549 2 4 */
-       4,    /* OBJ_md5                          1 2 840 113549 2 5 */
-     797,    /* OBJ_hmacWithMD5                  1 2 840 113549 2 6 */
-     163,    /* OBJ_hmacWithSHA1                 1 2 840 113549 2 7 */
-     798,    /* OBJ_hmacWithSHA224               1 2 840 113549 2 8 */
-     799,    /* OBJ_hmacWithSHA256               1 2 840 113549 2 9 */
-     800,    /* OBJ_hmacWithSHA384               1 2 840 113549 2 10 */
-     801,    /* OBJ_hmacWithSHA512               1 2 840 113549 2 11 */
-      37,    /* OBJ_rc2_cbc                      1 2 840 113549 3 2 */
-       5,    /* OBJ_rc4                          1 2 840 113549 3 4 */
-      44,    /* OBJ_des_ede3_cbc                 1 2 840 113549 3 7 */
-     120,    /* OBJ_rc5_cbc                      1 2 840 113549 3 8 */
-     643,    /* OBJ_des_cdmf                     1 2 840 113549 3 10 */
-     680,    /* OBJ_X9_62_id_characteristic_two_basis 1 2 840 10045 1 2 3 */
-     684,    /* OBJ_X9_62_c2pnb163v1             1 2 840 10045 3 0 1 */
-     685,    /* OBJ_X9_62_c2pnb163v2             1 2 840 10045 3 0 2 */
-     686,    /* OBJ_X9_62_c2pnb163v3             1 2 840 10045 3 0 3 */
-     687,    /* OBJ_X9_62_c2pnb176v1             1 2 840 10045 3 0 4 */
-     688,    /* OBJ_X9_62_c2tnb191v1             1 2 840 10045 3 0 5 */
-     689,    /* OBJ_X9_62_c2tnb191v2             1 2 840 10045 3 0 6 */
-     690,    /* OBJ_X9_62_c2tnb191v3             1 2 840 10045 3 0 7 */
-     691,    /* OBJ_X9_62_c2onb191v4             1 2 840 10045 3 0 8 */
-     692,    /* OBJ_X9_62_c2onb191v5             1 2 840 10045 3 0 9 */
-     693,    /* OBJ_X9_62_c2pnb208w1             1 2 840 10045 3 0 10 */
-     694,    /* OBJ_X9_62_c2tnb239v1             1 2 840 10045 3 0 11 */
-     695,    /* OBJ_X9_62_c2tnb239v2             1 2 840 10045 3 0 12 */
-     696,    /* OBJ_X9_62_c2tnb239v3             1 2 840 10045 3 0 13 */
-     697,    /* OBJ_X9_62_c2onb239v4             1 2 840 10045 3 0 14 */
-     698,    /* OBJ_X9_62_c2onb239v5             1 2 840 10045 3 0 15 */
-     699,    /* OBJ_X9_62_c2pnb272w1             1 2 840 10045 3 0 16 */
-     700,    /* OBJ_X9_62_c2pnb304w1             1 2 840 10045 3 0 17 */
-     701,    /* OBJ_X9_62_c2tnb359v1             1 2 840 10045 3 0 18 */
-     702,    /* OBJ_X9_62_c2pnb368w1             1 2 840 10045 3 0 19 */
-     703,    /* OBJ_X9_62_c2tnb431r1             1 2 840 10045 3 0 20 */
-     409,    /* OBJ_X9_62_prime192v1             1 2 840 10045 3 1 1 */
-     410,    /* OBJ_X9_62_prime192v2             1 2 840 10045 3 1 2 */
-     411,    /* OBJ_X9_62_prime192v3             1 2 840 10045 3 1 3 */
-     412,    /* OBJ_X9_62_prime239v1             1 2 840 10045 3 1 4 */
-     413,    /* OBJ_X9_62_prime239v2             1 2 840 10045 3 1 5 */
-     414,    /* OBJ_X9_62_prime239v3             1 2 840 10045 3 1 6 */
-     415,    /* OBJ_X9_62_prime256v1             1 2 840 10045 3 1 7 */
-     793,    /* OBJ_ecdsa_with_SHA224            1 2 840 10045 4 3 1 */
-     794,    /* OBJ_ecdsa_with_SHA256            1 2 840 10045 4 3 2 */
-     795,    /* OBJ_ecdsa_with_SHA384            1 2 840 10045 4 3 3 */
-     796,    /* OBJ_ecdsa_with_SHA512            1 2 840 10045 4 3 4 */
-     269,    /* OBJ_id_pkix1_explicit_88         1 3 6 1 5 5 7 0 1 */
-     270,    /* OBJ_id_pkix1_implicit_88         1 3 6 1 5 5 7 0 2 */
-     271,    /* OBJ_id_pkix1_explicit_93         1 3 6 1 5 5 7 0 3 */
-     272,    /* OBJ_id_pkix1_implicit_93         1 3 6 1 5 5 7 0 4 */
-     273,    /* OBJ_id_mod_crmf                  1 3 6 1 5 5 7 0 5 */
-     274,    /* OBJ_id_mod_cmc                   1 3 6 1 5 5 7 0 6 */
-     275,    /* OBJ_id_mod_kea_profile_88        1 3 6 1 5 5 7 0 7 */
-     276,    /* OBJ_id_mod_kea_profile_93        1 3 6 1 5 5 7 0 8 */
-     277,    /* OBJ_id_mod_cmp                   1 3 6 1 5 5 7 0 9 */
-     278,    /* OBJ_id_mod_qualified_cert_88     1 3 6 1 5 5 7 0 10 */
-     279,    /* OBJ_id_mod_qualified_cert_93     1 3 6 1 5 5 7 0 11 */
-     280,    /* OBJ_id_mod_attribute_cert        1 3 6 1 5 5 7 0 12 */
-     281,    /* OBJ_id_mod_timestamp_protocol    1 3 6 1 5 5 7 0 13 */
-     282,    /* OBJ_id_mod_ocsp                  1 3 6 1 5 5 7 0 14 */
-     283,    /* OBJ_id_mod_dvcs                  1 3 6 1 5 5 7 0 15 */
-     284,    /* OBJ_id_mod_cmp2000               1 3 6 1 5 5 7 0 16 */
-     177,    /* OBJ_info_access                  1 3 6 1 5 5 7 1 1 */
-     285,    /* OBJ_biometricInfo                1 3 6 1 5 5 7 1 2 */
-     286,    /* OBJ_qcStatements                 1 3 6 1 5 5 7 1 3 */
-     287,    /* OBJ_ac_auditEntity               1 3 6 1 5 5 7 1 4 */
-     288,    /* OBJ_ac_targeting                 1 3 6 1 5 5 7 1 5 */
-     289,    /* OBJ_aaControls                   1 3 6 1 5 5 7 1 6 */
-     290,    /* OBJ_sbgp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
-     291,    /* OBJ_sbgp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
-     292,    /* OBJ_sbgp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
-     397,    /* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
-     398,    /* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
-     663,    /* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */
-    1020,    /* OBJ_tlsfeature                   1 3 6 1 5 5 7 1 24 */
-     164,    /* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
-     165,    /* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
-     293,    /* OBJ_textNotice                   1 3 6 1 5 5 7 2 3 */
-     129,    /* OBJ_server_auth                  1 3 6 1 5 5 7 3 1 */
-     130,    /* OBJ_client_auth                  1 3 6 1 5 5 7 3 2 */
-     131,    /* OBJ_code_sign                    1 3 6 1 5 5 7 3 3 */
-     132,    /* OBJ_email_protect                1 3 6 1 5 5 7 3 4 */
-     294,    /* OBJ_ipsecEndSystem               1 3 6 1 5 5 7 3 5 */
-     295,    /* OBJ_ipsecTunnel                  1 3 6 1 5 5 7 3 6 */
-     296,    /* OBJ_ipsecUser                    1 3 6 1 5 5 7 3 7 */
-     133,    /* OBJ_time_stamp                   1 3 6 1 5 5 7 3 8 */
-     180,    /* OBJ_OCSP_sign                    1 3 6 1 5 5 7 3 9 */
-     297,    /* OBJ_dvcs                         1 3 6 1 5 5 7 3 10 */
-    1022,    /* OBJ_ipsec_IKE                    1 3 6 1 5 5 7 3 17 */
-    1023,    /* OBJ_capwapAC                     1 3 6 1 5 5 7 3 18 */
-    1024,    /* OBJ_capwapWTP                    1 3 6 1 5 5 7 3 19 */
-    1025,    /* OBJ_sshClient                    1 3 6 1 5 5 7 3 21 */
-    1026,    /* OBJ_sshServer                    1 3 6 1 5 5 7 3 22 */
-    1027,    /* OBJ_sendRouter                   1 3 6 1 5 5 7 3 23 */
-    1028,    /* OBJ_sendProxiedRouter            1 3 6 1 5 5 7 3 24 */
-    1029,    /* OBJ_sendOwner                    1 3 6 1 5 5 7 3 25 */
-    1030,    /* OBJ_sendProxiedOwner             1 3 6 1 5 5 7 3 26 */
-     298,    /* OBJ_id_it_caProtEncCert          1 3 6 1 5 5 7 4 1 */
-     299,    /* OBJ_id_it_signKeyPairTypes       1 3 6 1 5 5 7 4 2 */
-     300,    /* OBJ_id_it_encKeyPairTypes        1 3 6 1 5 5 7 4 3 */
-     301,    /* OBJ_id_it_preferredSymmAlg       1 3 6 1 5 5 7 4 4 */
-     302,    /* OBJ_id_it_caKeyUpdateInfo        1 3 6 1 5 5 7 4 5 */
-     303,    /* OBJ_id_it_currentCRL             1 3 6 1 5 5 7 4 6 */
-     304,    /* OBJ_id_it_unsupportedOIDs        1 3 6 1 5 5 7 4 7 */
-     305,    /* OBJ_id_it_subscriptionRequest    1 3 6 1 5 5 7 4 8 */
-     306,    /* OBJ_id_it_subscriptionResponse   1 3 6 1 5 5 7 4 9 */
-     307,    /* OBJ_id_it_keyPairParamReq        1 3 6 1 5 5 7 4 10 */
-     308,    /* OBJ_id_it_keyPairParamRep        1 3 6 1 5 5 7 4 11 */
-     309,    /* OBJ_id_it_revPassphrase          1 3 6 1 5 5 7 4 12 */
-     310,    /* OBJ_id_it_implicitConfirm        1 3 6 1 5 5 7 4 13 */
-     311,    /* OBJ_id_it_confirmWaitTime        1 3 6 1 5 5 7 4 14 */
-     312,    /* OBJ_id_it_origPKIMessage         1 3 6 1 5 5 7 4 15 */
-     784,    /* OBJ_id_it_suppLangTags           1 3 6 1 5 5 7 4 16 */
-     313,    /* OBJ_id_regCtrl                   1 3 6 1 5 5 7 5 1 */
-     314,    /* OBJ_id_regInfo                   1 3 6 1 5 5 7 5 2 */
-     323,    /* OBJ_id_alg_des40                 1 3 6 1 5 5 7 6 1 */
-     324,    /* OBJ_id_alg_noSignature           1 3 6 1 5 5 7 6 2 */
-     325,    /* OBJ_id_alg_dh_sig_hmac_sha1      1 3 6 1 5 5 7 6 3 */
-     326,    /* OBJ_id_alg_dh_pop                1 3 6 1 5 5 7 6 4 */
-     327,    /* OBJ_id_cmc_statusInfo            1 3 6 1 5 5 7 7 1 */
-     328,    /* OBJ_id_cmc_identification        1 3 6 1 5 5 7 7 2 */
-     329,    /* OBJ_id_cmc_identityProof         1 3 6 1 5 5 7 7 3 */
-     330,    /* OBJ_id_cmc_dataReturn            1 3 6 1 5 5 7 7 4 */
-     331,    /* OBJ_id_cmc_transactionId         1 3 6 1 5 5 7 7 5 */
-     332,    /* OBJ_id_cmc_senderNonce           1 3 6 1 5 5 7 7 6 */
-     333,    /* OBJ_id_cmc_recipientNonce        1 3 6 1 5 5 7 7 7 */
-     334,    /* OBJ_id_cmc_addExtensions         1 3 6 1 5 5 7 7 8 */
-     335,    /* OBJ_id_cmc_encryptedPOP          1 3 6 1 5 5 7 7 9 */
-     336,    /* OBJ_id_cmc_decryptedPOP          1 3 6 1 5 5 7 7 10 */
-     337,    /* OBJ_id_cmc_lraPOPWitness         1 3 6 1 5 5 7 7 11 */
-     338,    /* OBJ_id_cmc_getCert               1 3 6 1 5 5 7 7 15 */
-     339,    /* OBJ_id_cmc_getCRL                1 3 6 1 5 5 7 7 16 */
-     340,    /* OBJ_id_cmc_revokeRequest         1 3 6 1 5 5 7 7 17 */
-     341,    /* OBJ_id_cmc_regInfo               1 3 6 1 5 5 7 7 18 */
-     342,    /* OBJ_id_cmc_responseInfo          1 3 6 1 5 5 7 7 19 */
-     343,    /* OBJ_id_cmc_queryPending          1 3 6 1 5 5 7 7 21 */
-     344,    /* OBJ_id_cmc_popLinkRandom         1 3 6 1 5 5 7 7 22 */
-     345,    /* OBJ_id_cmc_popLinkWitness        1 3 6 1 5 5 7 7 23 */
-     346,    /* OBJ_id_cmc_confirmCertAcceptance 1 3 6 1 5 5 7 7 24 */
-     347,    /* OBJ_id_on_personalData           1 3 6 1 5 5 7 8 1 */
-     858,    /* OBJ_id_on_permanentIdentifier    1 3 6 1 5 5 7 8 3 */
-     348,    /* OBJ_id_pda_dateOfBirth           1 3 6 1 5 5 7 9 1 */
-     349,    /* OBJ_id_pda_placeOfBirth          1 3 6 1 5 5 7 9 2 */
-     351,    /* OBJ_id_pda_gender                1 3 6 1 5 5 7 9 3 */
-     352,    /* OBJ_id_pda_countryOfCitizenship  1 3 6 1 5 5 7 9 4 */
-     353,    /* OBJ_id_pda_countryOfResidence    1 3 6 1 5 5 7 9 5 */
-     354,    /* OBJ_id_aca_authenticationInfo    1 3 6 1 5 5 7 10 1 */
-     355,    /* OBJ_id_aca_accessIdentity        1 3 6 1 5 5 7 10 2 */
-     356,    /* OBJ_id_aca_chargingIdentity      1 3 6 1 5 5 7 10 3 */
-     357,    /* OBJ_id_aca_group                 1 3 6 1 5 5 7 10 4 */
-     358,    /* OBJ_id_aca_role                  1 3 6 1 5 5 7 10 5 */
-     399,    /* OBJ_id_aca_encAttrs              1 3 6 1 5 5 7 10 6 */
-     359,    /* OBJ_id_qcs_pkixQCSyntax_v1       1 3 6 1 5 5 7 11 1 */
-     360,    /* OBJ_id_cct_crs                   1 3 6 1 5 5 7 12 1 */
-     361,    /* OBJ_id_cct_PKIData               1 3 6 1 5 5 7 12 2 */
-     362,    /* OBJ_id_cct_PKIResponse           1 3 6 1 5 5 7 12 3 */
-     664,    /* OBJ_id_ppl_anyLanguage           1 3 6 1 5 5 7 21 0 */
-     665,    /* OBJ_id_ppl_inheritAll            1 3 6 1 5 5 7 21 1 */
-     667,    /* OBJ_Independent                  1 3 6 1 5 5 7 21 2 */
-     178,    /* OBJ_ad_OCSP                      1 3 6 1 5 5 7 48 1 */
-     179,    /* OBJ_ad_ca_issuers                1 3 6 1 5 5 7 48 2 */
-     363,    /* OBJ_ad_timeStamping              1 3 6 1 5 5 7 48 3 */
-     364,    /* OBJ_ad_dvcs                      1 3 6 1 5 5 7 48 4 */
-     785,    /* OBJ_caRepository                 1 3 6 1 5 5 7 48 5 */
-     780,    /* OBJ_hmac_md5                     1 3 6 1 5 5 8 1 1 */
-     781,    /* OBJ_hmac_sha1                    1 3 6 1 5 5 8 1 2 */
-      58,    /* OBJ_netscape_cert_extension      2 16 840 1 113730 1 */
-      59,    /* OBJ_netscape_data_type           2 16 840 1 113730 2 */
-     438,    /* OBJ_pilotAttributeType           0 9 2342 19200300 100 1 */
-     439,    /* OBJ_pilotAttributeSyntax         0 9 2342 19200300 100 3 */
-     440,    /* OBJ_pilotObjectClass             0 9 2342 19200300 100 4 */
-     441,    /* OBJ_pilotGroups                  0 9 2342 19200300 100 10 */
-     997,    /* OBJ_id_tc26_gost_3410_2012_512_paramSetTest 1 2 643 7 1 2 1 2 0 */
-     998,    /* OBJ_id_tc26_gost_3410_2012_512_paramSetA 1 2 643 7 1 2 1 2 1 */
-     999,    /* OBJ_id_tc26_gost_3410_2012_512_paramSetB 1 2 643 7 1 2 1 2 2 */
-    1003,    /* OBJ_id_tc26_gost_28147_param_Z   1 2 643 7 1 2 5 1 1 */
-     108,    /* OBJ_cast5_cbc                    1 2 840 113533 7 66 10 */
-     112,    /* OBJ_pbeWithMD5AndCast5_CBC       1 2 840 113533 7 66 12 */
-     782,    /* OBJ_id_PasswordBasedMAC          1 2 840 113533 7 66 13 */
-     783,    /* OBJ_id_DHBasedMac                1 2 840 113533 7 66 30 */
-       6,    /* OBJ_rsaEncryption                1 2 840 113549 1 1 1 */
-       7,    /* OBJ_md2WithRSAEncryption         1 2 840 113549 1 1 2 */
-     396,    /* OBJ_md4WithRSAEncryption         1 2 840 113549 1 1 3 */
-       8,    /* OBJ_md5WithRSAEncryption         1 2 840 113549 1 1 4 */
-      65,    /* OBJ_sha1WithRSAEncryption        1 2 840 113549 1 1 5 */
-     644,    /* OBJ_rsaOAEPEncryptionSET         1 2 840 113549 1 1 6 */
-     919,    /* OBJ_rsaesOaep                    1 2 840 113549 1 1 7 */
-     911,    /* OBJ_mgf1                         1 2 840 113549 1 1 8 */
-     935,    /* OBJ_pSpecified                   1 2 840 113549 1 1 9 */
-     912,    /* OBJ_rsassaPss                    1 2 840 113549 1 1 10 */
-     668,    /* OBJ_sha256WithRSAEncryption      1 2 840 113549 1 1 11 */
-     669,    /* OBJ_sha384WithRSAEncryption      1 2 840 113549 1 1 12 */
-     670,    /* OBJ_sha512WithRSAEncryption      1 2 840 113549 1 1 13 */
-     671,    /* OBJ_sha224WithRSAEncryption      1 2 840 113549 1 1 14 */
-      28,    /* OBJ_dhKeyAgreement               1 2 840 113549 1 3 1 */
-       9,    /* OBJ_pbeWithMD2AndDES_CBC         1 2 840 113549 1 5 1 */
-      10,    /* OBJ_pbeWithMD5AndDES_CBC         1 2 840 113549 1 5 3 */
-     168,    /* OBJ_pbeWithMD2AndRC2_CBC         1 2 840 113549 1 5 4 */
-     169,    /* OBJ_pbeWithMD5AndRC2_CBC         1 2 840 113549 1 5 6 */
-     170,    /* OBJ_pbeWithSHA1AndDES_CBC        1 2 840 113549 1 5 10 */
-      68,    /* OBJ_pbeWithSHA1AndRC2_CBC        1 2 840 113549 1 5 11 */
-      69,    /* OBJ_id_pbkdf2                    1 2 840 113549 1 5 12 */
-     161,    /* OBJ_pbes2                        1 2 840 113549 1 5 13 */
-     162,    /* OBJ_pbmac1                       1 2 840 113549 1 5 14 */
-      21,    /* OBJ_pkcs7_data                   1 2 840 113549 1 7 1 */
-      22,    /* OBJ_pkcs7_signed                 1 2 840 113549 1 7 2 */
-      23,    /* OBJ_pkcs7_enveloped              1 2 840 113549 1 7 3 */
-      24,    /* OBJ_pkcs7_signedAndEnveloped     1 2 840 113549 1 7 4 */
-      25,    /* OBJ_pkcs7_digest                 1 2 840 113549 1 7 5 */
-      26,    /* OBJ_pkcs7_encrypted              1 2 840 113549 1 7 6 */
-      48,    /* OBJ_pkcs9_emailAddress           1 2 840 113549 1 9 1 */
-      49,    /* OBJ_pkcs9_unstructuredName       1 2 840 113549 1 9 2 */
-      50,    /* OBJ_pkcs9_contentType            1 2 840 113549 1 9 3 */
-      51,    /* OBJ_pkcs9_messageDigest          1 2 840 113549 1 9 4 */
-      52,    /* OBJ_pkcs9_signingTime            1 2 840 113549 1 9 5 */
-      53,    /* OBJ_pkcs9_countersignature       1 2 840 113549 1 9 6 */
-      54,    /* OBJ_pkcs9_challengePassword      1 2 840 113549 1 9 7 */
-      55,    /* OBJ_pkcs9_unstructuredAddress    1 2 840 113549 1 9 8 */
-      56,    /* OBJ_pkcs9_extCertAttributes      1 2 840 113549 1 9 9 */
-     172,    /* OBJ_ext_req                      1 2 840 113549 1 9 14 */
-     167,    /* OBJ_SMIMECapabilities            1 2 840 113549 1 9 15 */
-     188,    /* OBJ_SMIME                        1 2 840 113549 1 9 16 */
-     156,    /* OBJ_friendlyName                 1 2 840 113549 1 9 20 */
-     157,    /* OBJ_localKeyID                   1 2 840 113549 1 9 21 */
-     681,    /* OBJ_X9_62_onBasis                1 2 840 10045 1 2 3 1 */
-     682,    /* OBJ_X9_62_tpBasis                1 2 840 10045 1 2 3 2 */
-     683,    /* OBJ_X9_62_ppBasis                1 2 840 10045 1 2 3 3 */
-     417,    /* OBJ_ms_csp_name                  1 3 6 1 4 1 311 17 1 */
-     856,    /* OBJ_LocalKeySet                  1 3 6 1 4 1 311 17 2 */
-     390,    /* OBJ_dcObject                     1 3 6 1 4 1 1466 344 */
-      91,    /* OBJ_bf_cbc                       1 3 6 1 4 1 3029 1 2 */
-     973,    /* OBJ_id_scrypt                    1 3 6 1 4 1 11591 4 11 */
-     315,    /* OBJ_id_regCtrl_regToken          1 3 6 1 5 5 7 5 1 1 */
-     316,    /* OBJ_id_regCtrl_authenticator     1 3 6 1 5 5 7 5 1 2 */
-     317,    /* OBJ_id_regCtrl_pkiPublicationInfo 1 3 6 1 5 5 7 5 1 3 */
-     318,    /* OBJ_id_regCtrl_pkiArchiveOptions 1 3 6 1 5 5 7 5 1 4 */
-     319,    /* OBJ_id_regCtrl_oldCertID         1 3 6 1 5 5 7 5 1 5 */
-     320,    /* OBJ_id_regCtrl_protocolEncrKey   1 3 6 1 5 5 7 5 1 6 */
-     321,    /* OBJ_id_regInfo_utf8Pairs         1 3 6 1 5 5 7 5 2 1 */
-     322,    /* OBJ_id_regInfo_certReq           1 3 6 1 5 5 7 5 2 2 */
-     365,    /* OBJ_id_pkix_OCSP_basic           1 3 6 1 5 5 7 48 1 1 */
-     366,    /* OBJ_id_pkix_OCSP_Nonce           1 3 6 1 5 5 7 48 1 2 */
-     367,    /* OBJ_id_pkix_OCSP_CrlID           1 3 6 1 5 5 7 48 1 3 */
-     368,    /* OBJ_id_pkix_OCSP_acceptableResponses 1 3 6 1 5 5 7 48 1 4 */
-     369,    /* OBJ_id_pkix_OCSP_noCheck         1 3 6 1 5 5 7 48 1 5 */
-     370,    /* OBJ_id_pkix_OCSP_archiveCutoff   1 3 6 1 5 5 7 48 1 6 */
-     371,    /* OBJ_id_pkix_OCSP_serviceLocator  1 3 6 1 5 5 7 48 1 7 */
-     372,    /* OBJ_id_pkix_OCSP_extendedStatus  1 3 6 1 5 5 7 48 1 8 */
-     373,    /* OBJ_id_pkix_OCSP_valid           1 3 6 1 5 5 7 48 1 9 */
-     374,    /* OBJ_id_pkix_OCSP_path            1 3 6 1 5 5 7 48 1 10 */
-     375,    /* OBJ_id_pkix_OCSP_trustRoot       1 3 6 1 5 5 7 48 1 11 */
-     921,    /* OBJ_brainpoolP160r1              1 3 36 3 3 2 8 1 1 1 */
-     922,    /* OBJ_brainpoolP160t1              1 3 36 3 3 2 8 1 1 2 */
-     923,    /* OBJ_brainpoolP192r1              1 3 36 3 3 2 8 1 1 3 */
-     924,    /* OBJ_brainpoolP192t1              1 3 36 3 3 2 8 1 1 4 */
-     925,    /* OBJ_brainpoolP224r1              1 3 36 3 3 2 8 1 1 5 */
-     926,    /* OBJ_brainpoolP224t1              1 3 36 3 3 2 8 1 1 6 */
-     927,    /* OBJ_brainpoolP256r1              1 3 36 3 3 2 8 1 1 7 */
-     928,    /* OBJ_brainpoolP256t1              1 3 36 3 3 2 8 1 1 8 */
-     929,    /* OBJ_brainpoolP320r1              1 3 36 3 3 2 8 1 1 9 */
-     930,    /* OBJ_brainpoolP320t1              1 3 36 3 3 2 8 1 1 10 */
-     931,    /* OBJ_brainpoolP384r1              1 3 36 3 3 2 8 1 1 11 */
-     932,    /* OBJ_brainpoolP384t1              1 3 36 3 3 2 8 1 1 12 */
-     933,    /* OBJ_brainpoolP512r1              1 3 36 3 3 2 8 1 1 13 */
-     934,    /* OBJ_brainpoolP512t1              1 3 36 3 3 2 8 1 1 14 */
-     936,    /* OBJ_dhSinglePass_stdDH_sha1kdf_scheme 1 3 133 16 840 63 0 2 */
-     941,    /* OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme 1 3 133 16 840 63 0 3 */
-     418,    /* OBJ_aes_128_ecb                  2 16 840 1 101 3 4 1 1 */
-     419,    /* OBJ_aes_128_cbc                  2 16 840 1 101 3 4 1 2 */
-     420,    /* OBJ_aes_128_ofb128               2 16 840 1 101 3 4 1 3 */
-     421,    /* OBJ_aes_128_cfb128               2 16 840 1 101 3 4 1 4 */
-     788,    /* OBJ_id_aes128_wrap               2 16 840 1 101 3 4 1 5 */
-     895,    /* OBJ_aes_128_gcm                  2 16 840 1 101 3 4 1 6 */
-     896,    /* OBJ_aes_128_ccm                  2 16 840 1 101 3 4 1 7 */
-     897,    /* OBJ_id_aes128_wrap_pad           2 16 840 1 101 3 4 1 8 */
-     422,    /* OBJ_aes_192_ecb                  2 16 840 1 101 3 4 1 21 */
-     423,    /* OBJ_aes_192_cbc                  2 16 840 1 101 3 4 1 22 */
-     424,    /* OBJ_aes_192_ofb128               2 16 840 1 101 3 4 1 23 */
-     425,    /* OBJ_aes_192_cfb128               2 16 840 1 101 3 4 1 24 */
-     789,    /* OBJ_id_aes192_wrap               2 16 840 1 101 3 4 1 25 */
-     898,    /* OBJ_aes_192_gcm                  2 16 840 1 101 3 4 1 26 */
-     899,    /* OBJ_aes_192_ccm                  2 16 840 1 101 3 4 1 27 */
-     900,    /* OBJ_id_aes192_wrap_pad           2 16 840 1 101 3 4 1 28 */
-     426,    /* OBJ_aes_256_ecb                  2 16 840 1 101 3 4 1 41 */
-     427,    /* OBJ_aes_256_cbc                  2 16 840 1 101 3 4 1 42 */
-     428,    /* OBJ_aes_256_ofb128               2 16 840 1 101 3 4 1 43 */
-     429,    /* OBJ_aes_256_cfb128               2 16 840 1 101 3 4 1 44 */
-     790,    /* OBJ_id_aes256_wrap               2 16 840 1 101 3 4 1 45 */
-     901,    /* OBJ_aes_256_gcm                  2 16 840 1 101 3 4 1 46 */
-     902,    /* OBJ_aes_256_ccm                  2 16 840 1 101 3 4 1 47 */
-     903,    /* OBJ_id_aes256_wrap_pad           2 16 840 1 101 3 4 1 48 */
-     672,    /* OBJ_sha256                       2 16 840 1 101 3 4 2 1 */
-     673,    /* OBJ_sha384                       2 16 840 1 101 3 4 2 2 */
-     674,    /* OBJ_sha512                       2 16 840 1 101 3 4 2 3 */
-     675,    /* OBJ_sha224                       2 16 840 1 101 3 4 2 4 */
-     802,    /* OBJ_dsa_with_SHA224              2 16 840 1 101 3 4 3 1 */
-     803,    /* OBJ_dsa_with_SHA256              2 16 840 1 101 3 4 3 2 */
-      71,    /* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
-      72,    /* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
-      73,    /* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
-      74,    /* OBJ_netscape_ca_revocation_url   2 16 840 1 113730 1 4 */
-      75,    /* OBJ_netscape_renewal_url         2 16 840 1 113730 1 7 */
-      76,    /* OBJ_netscape_ca_policy_url       2 16 840 1 113730 1 8 */
-      77,    /* OBJ_netscape_ssl_server_name     2 16 840 1 113730 1 12 */
-      78,    /* OBJ_netscape_comment             2 16 840 1 113730 1 13 */
-      79,    /* OBJ_netscape_cert_sequence       2 16 840 1 113730 2 5 */
-     139,    /* OBJ_ns_sgc                       2 16 840 1 113730 4 1 */
-     458,    /* OBJ_userId                       0 9 2342 19200300 100 1 1 */
-     459,    /* OBJ_textEncodedORAddress         0 9 2342 19200300 100 1 2 */
-     460,    /* OBJ_rfc822Mailbox                0 9 2342 19200300 100 1 3 */
-     461,    /* OBJ_info                         0 9 2342 19200300 100 1 4 */
-     462,    /* OBJ_favouriteDrink               0 9 2342 19200300 100 1 5 */
-     463,    /* OBJ_roomNumber                   0 9 2342 19200300 100 1 6 */
-     464,    /* OBJ_photo                        0 9 2342 19200300 100 1 7 */
-     465,    /* OBJ_userClass                    0 9 2342 19200300 100 1 8 */
-     466,    /* OBJ_host                         0 9 2342 19200300 100 1 9 */
-     467,    /* OBJ_manager                      0 9 2342 19200300 100 1 10 */
-     468,    /* OBJ_documentIdentifier           0 9 2342 19200300 100 1 11 */
-     469,    /* OBJ_documentTitle                0 9 2342 19200300 100 1 12 */
-     470,    /* OBJ_documentVersion              0 9 2342 19200300 100 1 13 */
-     471,    /* OBJ_documentAuthor               0 9 2342 19200300 100 1 14 */
-     472,    /* OBJ_documentLocation             0 9 2342 19200300 100 1 15 */
-     473,    /* OBJ_homeTelephoneNumber          0 9 2342 19200300 100 1 20 */
-     474,    /* OBJ_secretary                    0 9 2342 19200300 100 1 21 */
-     475,    /* OBJ_otherMailbox                 0 9 2342 19200300 100 1 22 */
-     476,    /* OBJ_lastModifiedTime             0 9 2342 19200300 100 1 23 */
-     477,    /* OBJ_lastModifiedBy               0 9 2342 19200300 100 1 24 */
-     391,    /* OBJ_domainComponent              0 9 2342 19200300 100 1 25 */
-     478,    /* OBJ_aRecord                      0 9 2342 19200300 100 1 26 */
-     479,    /* OBJ_pilotAttributeType27         0 9 2342 19200300 100 1 27 */
-     480,    /* OBJ_mXRecord                     0 9 2342 19200300 100 1 28 */
-     481,    /* OBJ_nSRecord                     0 9 2342 19200300 100 1 29 */
-     482,    /* OBJ_sOARecord                    0 9 2342 19200300 100 1 30 */
-     483,    /* OBJ_cNAMERecord                  0 9 2342 19200300 100 1 31 */
-     484,    /* OBJ_associatedDomain             0 9 2342 19200300 100 1 37 */
-     485,    /* OBJ_associatedName               0 9 2342 19200300 100 1 38 */
-     486,    /* OBJ_homePostalAddress            0 9 2342 19200300 100 1 39 */
-     487,    /* OBJ_personalTitle                0 9 2342 19200300 100 1 40 */
-     488,    /* OBJ_mobileTelephoneNumber        0 9 2342 19200300 100 1 41 */
-     489,    /* OBJ_pagerTelephoneNumber         0 9 2342 19200300 100 1 42 */
-     490,    /* OBJ_friendlyCountryName          0 9 2342 19200300 100 1 43 */
-     102,    /* OBJ_uniqueIdentifier             0 9 2342 19200300 100 1 44 */
-     491,    /* OBJ_organizationalStatus         0 9 2342 19200300 100 1 45 */
-     492,    /* OBJ_janetMailbox                 0 9 2342 19200300 100 1 46 */
-     493,    /* OBJ_mailPreferenceOption         0 9 2342 19200300 100 1 47 */
-     494,    /* OBJ_buildingName                 0 9 2342 19200300 100 1 48 */
-     495,    /* OBJ_dSAQuality                   0 9 2342 19200300 100 1 49 */
-     496,    /* OBJ_singleLevelQuality           0 9 2342 19200300 100 1 50 */
-     497,    /* OBJ_subtreeMinimumQuality        0 9 2342 19200300 100 1 51 */
-     498,    /* OBJ_subtreeMaximumQuality        0 9 2342 19200300 100 1 52 */
-     499,    /* OBJ_personalSignature            0 9 2342 19200300 100 1 53 */
-     500,    /* OBJ_dITRedirect                  0 9 2342 19200300 100 1 54 */
-     501,    /* OBJ_audio                        0 9 2342 19200300 100 1 55 */
-     502,    /* OBJ_documentPublisher            0 9 2342 19200300 100 1 56 */
-     442,    /* OBJ_iA5StringSyntax              0 9 2342 19200300 100 3 4 */
-     443,    /* OBJ_caseIgnoreIA5StringSyntax    0 9 2342 19200300 100 3 5 */
-     444,    /* OBJ_pilotObject                  0 9 2342 19200300 100 4 3 */
-     445,    /* OBJ_pilotPerson                  0 9 2342 19200300 100 4 4 */
-     446,    /* OBJ_account                      0 9 2342 19200300 100 4 5 */
-     447,    /* OBJ_document                     0 9 2342 19200300 100 4 6 */
-     448,    /* OBJ_room                         0 9 2342 19200300 100 4 7 */
-     449,    /* OBJ_documentSeries               0 9 2342 19200300 100 4 9 */
-     392,    /* OBJ_Domain                       0 9 2342 19200300 100 4 13 */
-     450,    /* OBJ_rFC822localPart              0 9 2342 19200300 100 4 14 */
-     451,    /* OBJ_dNSDomain                    0 9 2342 19200300 100 4 15 */
-     452,    /* OBJ_domainRelatedObject          0 9 2342 19200300 100 4 17 */
-     453,    /* OBJ_friendlyCountry              0 9 2342 19200300 100 4 18 */
-     454,    /* OBJ_simpleSecurityObject         0 9 2342 19200300 100 4 19 */
-     455,    /* OBJ_pilotOrganization            0 9 2342 19200300 100 4 20 */
-     456,    /* OBJ_pilotDSA                     0 9 2342 19200300 100 4 21 */
-     457,    /* OBJ_qualityLabelledData          0 9 2342 19200300 100 4 22 */
-     189,    /* OBJ_id_smime_mod                 1 2 840 113549 1 9 16 0 */
-     190,    /* OBJ_id_smime_ct                  1 2 840 113549 1 9 16 1 */
-     191,    /* OBJ_id_smime_aa                  1 2 840 113549 1 9 16 2 */
-     192,    /* OBJ_id_smime_alg                 1 2 840 113549 1 9 16 3 */
-     193,    /* OBJ_id_smime_cd                  1 2 840 113549 1 9 16 4 */
-     194,    /* OBJ_id_smime_spq                 1 2 840 113549 1 9 16 5 */
-     195,    /* OBJ_id_smime_cti                 1 2 840 113549 1 9 16 6 */
-     158,    /* OBJ_x509Certificate              1 2 840 113549 1 9 22 1 */
-     159,    /* OBJ_sdsiCertificate              1 2 840 113549 1 9 22 2 */
-     160,    /* OBJ_x509Crl                      1 2 840 113549 1 9 23 1 */
-     144,    /* OBJ_pbe_WithSHA1And128BitRC4     1 2 840 113549 1 12 1 1 */
-     145,    /* OBJ_pbe_WithSHA1And40BitRC4      1 2 840 113549 1 12 1 2 */
-     146,    /* OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC 1 2 840 113549 1 12 1 3 */
-     147,    /* OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC 1 2 840 113549 1 12 1 4 */
-     148,    /* OBJ_pbe_WithSHA1And128BitRC2_CBC 1 2 840 113549 1 12 1 5 */
-     149,    /* OBJ_pbe_WithSHA1And40BitRC2_CBC  1 2 840 113549 1 12 1 6 */
-     171,    /* OBJ_ms_ext_req                   1 3 6 1 4 1 311 2 1 14 */
-     134,    /* OBJ_ms_code_ind                  1 3 6 1 4 1 311 2 1 21 */
-     135,    /* OBJ_ms_code_com                  1 3 6 1 4 1 311 2 1 22 */
-     136,    /* OBJ_ms_ctl_sign                  1 3 6 1 4 1 311 10 3 1 */
-     137,    /* OBJ_ms_sgc                       1 3 6 1 4 1 311 10 3 3 */
-     138,    /* OBJ_ms_efs                       1 3 6 1 4 1 311 10 3 4 */
-     648,    /* OBJ_ms_smartcard_login           1 3 6 1 4 1 311 20 2 2 */
-     649,    /* OBJ_ms_upn                       1 3 6 1 4 1 311 20 2 3 */
-     951,    /* OBJ_ct_precert_scts              1 3 6 1 4 1 11129 2 4 2 */
-     952,    /* OBJ_ct_precert_poison            1 3 6 1 4 1 11129 2 4 3 */
-     953,    /* OBJ_ct_precert_signer            1 3 6 1 4 1 11129 2 4 4 */
-     954,    /* OBJ_ct_cert_scts                 1 3 6 1 4 1 11129 2 4 5 */
-     751,    /* OBJ_camellia_128_cbc             1 2 392 200011 61 1 1 1 2 */
-     752,    /* OBJ_camellia_192_cbc             1 2 392 200011 61 1 1 1 3 */
-     753,    /* OBJ_camellia_256_cbc             1 2 392 200011 61 1 1 1 4 */
-     907,    /* OBJ_id_camellia128_wrap          1 2 392 200011 61 1 1 3 2 */
-     908,    /* OBJ_id_camellia192_wrap          1 2 392 200011 61 1 1 3 3 */
-     909,    /* OBJ_id_camellia256_wrap          1 2 392 200011 61 1 1 3 4 */
-     196,    /* OBJ_id_smime_mod_cms             1 2 840 113549 1 9 16 0 1 */
-     197,    /* OBJ_id_smime_mod_ess             1 2 840 113549 1 9 16 0 2 */
-     198,    /* OBJ_id_smime_mod_oid             1 2 840 113549 1 9 16 0 3 */
-     199,    /* OBJ_id_smime_mod_msg_v3          1 2 840 113549 1 9 16 0 4 */
-     200,    /* OBJ_id_smime_mod_ets_eSignature_88 1 2 840 113549 1 9 16 0 5 */
-     201,    /* OBJ_id_smime_mod_ets_eSignature_97 1 2 840 113549 1 9 16 0 6 */
-     202,    /* OBJ_id_smime_mod_ets_eSigPolicy_88 1 2 840 113549 1 9 16 0 7 */
-     203,    /* OBJ_id_smime_mod_ets_eSigPolicy_97 1 2 840 113549 1 9 16 0 8 */
-     204,    /* OBJ_id_smime_ct_receipt          1 2 840 113549 1 9 16 1 1 */
-     205,    /* OBJ_id_smime_ct_authData         1 2 840 113549 1 9 16 1 2 */
-     206,    /* OBJ_id_smime_ct_publishCert      1 2 840 113549 1 9 16 1 3 */
-     207,    /* OBJ_id_smime_ct_TSTInfo          1 2 840 113549 1 9 16 1 4 */
-     208,    /* OBJ_id_smime_ct_TDTInfo          1 2 840 113549 1 9 16 1 5 */
-     209,    /* OBJ_id_smime_ct_contentInfo      1 2 840 113549 1 9 16 1 6 */
-     210,    /* OBJ_id_smime_ct_DVCSRequestData  1 2 840 113549 1 9 16 1 7 */
-     211,    /* OBJ_id_smime_ct_DVCSResponseData 1 2 840 113549 1 9 16 1 8 */
-     786,    /* OBJ_id_smime_ct_compressedData   1 2 840 113549 1 9 16 1 9 */
-    1058,    /* OBJ_id_smime_ct_contentCollection 1 2 840 113549 1 9 16 1 19 */
-    1059,    /* OBJ_id_smime_ct_authEnvelopedData 1 2 840 113549 1 9 16 1 23 */
-     787,    /* OBJ_id_ct_asciiTextWithCRLF      1 2 840 113549 1 9 16 1 27 */
-    1060,    /* OBJ_id_ct_xml                    1 2 840 113549 1 9 16 1 28 */
-     212,    /* OBJ_id_smime_aa_receiptRequest   1 2 840 113549 1 9 16 2 1 */
-     213,    /* OBJ_id_smime_aa_securityLabel    1 2 840 113549 1 9 16 2 2 */
-     214,    /* OBJ_id_smime_aa_mlExpandHistory  1 2 840 113549 1 9 16 2 3 */
-     215,    /* OBJ_id_smime_aa_contentHint      1 2 840 113549 1 9 16 2 4 */
-     216,    /* OBJ_id_smime_aa_msgSigDigest     1 2 840 113549 1 9 16 2 5 */
-     217,    /* OBJ_id_smime_aa_encapContentType 1 2 840 113549 1 9 16 2 6 */
-     218,    /* OBJ_id_smime_aa_contentIdentifier 1 2 840 113549 1 9 16 2 7 */
-     219,    /* OBJ_id_smime_aa_macValue         1 2 840 113549 1 9 16 2 8 */
-     220,    /* OBJ_id_smime_aa_equivalentLabels 1 2 840 113549 1 9 16 2 9 */
-     221,    /* OBJ_id_smime_aa_contentReference 1 2 840 113549 1 9 16 2 10 */
-     222,    /* OBJ_id_smime_aa_encrypKeyPref    1 2 840 113549 1 9 16 2 11 */
-     223,    /* OBJ_id_smime_aa_signingCertificate 1 2 840 113549 1 9 16 2 12 */
-     224,    /* OBJ_id_smime_aa_smimeEncryptCerts 1 2 840 113549 1 9 16 2 13 */
-     225,    /* OBJ_id_smime_aa_timeStampToken   1 2 840 113549 1 9 16 2 14 */
-     226,    /* OBJ_id_smime_aa_ets_sigPolicyId  1 2 840 113549 1 9 16 2 15 */
-     227,    /* OBJ_id_smime_aa_ets_commitmentType 1 2 840 113549 1 9 16 2 16 */
-     228,    /* OBJ_id_smime_aa_ets_signerLocation 1 2 840 113549 1 9 16 2 17 */
-     229,    /* OBJ_id_smime_aa_ets_signerAttr   1 2 840 113549 1 9 16 2 18 */
-     230,    /* OBJ_id_smime_aa_ets_otherSigCert 1 2 840 113549 1 9 16 2 19 */
-     231,    /* OBJ_id_smime_aa_ets_contentTimestamp 1 2 840 113549 1 9 16 2 20 */
-     232,    /* OBJ_id_smime_aa_ets_CertificateRefs 1 2 840 113549 1 9 16 2 21 */
-     233,    /* OBJ_id_smime_aa_ets_RevocationRefs 1 2 840 113549 1 9 16 2 22 */
-     234,    /* OBJ_id_smime_aa_ets_certValues   1 2 840 113549 1 9 16 2 23 */
-     235,    /* OBJ_id_smime_aa_ets_revocationValues 1 2 840 113549 1 9 16 2 24 */
-     236,    /* OBJ_id_smime_aa_ets_escTimeStamp 1 2 840 113549 1 9 16 2 25 */
-     237,    /* OBJ_id_smime_aa_ets_certCRLTimestamp 1 2 840 113549 1 9 16 2 26 */
-     238,    /* OBJ_id_smime_aa_ets_archiveTimeStamp 1 2 840 113549 1 9 16 2 27 */
-     239,    /* OBJ_id_smime_aa_signatureType    1 2 840 113549 1 9 16 2 28 */
-     240,    /* OBJ_id_smime_aa_dvcs_dvc         1 2 840 113549 1 9 16 2 29 */
-     241,    /* OBJ_id_smime_alg_ESDHwith3DES    1 2 840 113549 1 9 16 3 1 */
-     242,    /* OBJ_id_smime_alg_ESDHwithRC2     1 2 840 113549 1 9 16 3 2 */
-     243,    /* OBJ_id_smime_alg_3DESwrap        1 2 840 113549 1 9 16 3 3 */
-     244,    /* OBJ_id_smime_alg_RC2wrap         1 2 840 113549 1 9 16 3 4 */
-     245,    /* OBJ_id_smime_alg_ESDH            1 2 840 113549 1 9 16 3 5 */
-     246,    /* OBJ_id_smime_alg_CMS3DESwrap     1 2 840 113549 1 9 16 3 6 */
-     247,    /* OBJ_id_smime_alg_CMSRC2wrap      1 2 840 113549 1 9 16 3 7 */
-     125,    /* OBJ_zlib_compression             1 2 840 113549 1 9 16 3 8 */
-     893,    /* OBJ_id_alg_PWRI_KEK              1 2 840 113549 1 9 16 3 9 */
-     248,    /* OBJ_id_smime_cd_ldap             1 2 840 113549 1 9 16 4 1 */
-     249,    /* OBJ_id_smime_spq_ets_sqt_uri     1 2 840 113549 1 9 16 5 1 */
-     250,    /* OBJ_id_smime_spq_ets_sqt_unotice 1 2 840 113549 1 9 16 5 2 */
-     251,    /* OBJ_id_smime_cti_ets_proofOfOrigin 1 2 840 113549 1 9 16 6 1 */
-     252,    /* OBJ_id_smime_cti_ets_proofOfReceipt 1 2 840 113549 1 9 16 6 2 */
-     253,    /* OBJ_id_smime_cti_ets_proofOfDelivery 1 2 840 113549 1 9 16 6 3 */
-     254,    /* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */
-     255,    /* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */
-     256,    /* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */
-     150,    /* OBJ_keyBag                       1 2 840 113549 1 12 10 1 1 */
-     151,    /* OBJ_pkcs8ShroudedKeyBag          1 2 840 113549 1 12 10 1 2 */
-     152,    /* OBJ_certBag                      1 2 840 113549 1 12 10 1 3 */
-     153,    /* OBJ_crlBag                       1 2 840 113549 1 12 10 1 4 */
-     154,    /* OBJ_secretBag                    1 2 840 113549 1 12 10 1 5 */
-     155,    /* OBJ_safeContentsBag              1 2 840 113549 1 12 10 1 6 */
-      34,    /* OBJ_idea_cbc                     1 3 6 1 4 1 188 7 1 1 2 */
-     955,    /* OBJ_jurisdictionLocalityName     1 3 6 1 4 1 311 60 2 1 1 */
-     956,    /* OBJ_jurisdictionStateOrProvinceName 1 3 6 1 4 1 311 60 2 1 2 */
-     957,    /* OBJ_jurisdictionCountryName      1 3 6 1 4 1 311 60 2 1 3 */
-    1056,    /* OBJ_blake2b512                   1 3 6 1 4 1 1722 12 2 1 16 */
-    1057,    /* OBJ_blake2s256                   1 3 6 1 4 1 1722 12 2 2 8 */
+static const unsigned int obj_objs[NUM_OBJ]={
+ 0,	/* OBJ_undef                        0 */
+181,	/* OBJ_iso                          1 */
+393,	/* OBJ_joint_iso_ccitt              OBJ_joint_iso_itu_t */
+404,	/* OBJ_ccitt                        OBJ_itu_t */
+645,	/* OBJ_itu_t                        0 */
+646,	/* OBJ_joint_iso_itu_t              2 */
+434,	/* OBJ_data                         0 9 */
+182,	/* OBJ_member_body                  1 2 */
+379,	/* OBJ_org                          1 3 */
+676,	/* OBJ_identified_organization      1 3 */
+11,	/* OBJ_X500                         2 5 */
+647,	/* OBJ_international_organizations  2 23 */
+380,	/* OBJ_dod                          1 3 6 */
+12,	/* OBJ_X509                         2 5 4 */
+378,	/* OBJ_X500algorithms               2 5 8 */
+81,	/* OBJ_id_ce                        2 5 29 */
+512,	/* OBJ_id_set                       2 23 42 */
+678,	/* OBJ_wap                          2 23 43 */
+435,	/* OBJ_pss                          0 9 2342 */
+183,	/* OBJ_ISO_US                       1 2 840 */
+381,	/* OBJ_iana                         1 3 6 1 */
+677,	/* OBJ_certicom_arc                 1 3 132 */
+394,	/* OBJ_selected_attribute_types     2 5 1 5 */
+13,	/* OBJ_commonName                   2 5 4 3 */
+100,	/* OBJ_surname                      2 5 4 4 */
+105,	/* OBJ_serialNumber                 2 5 4 5 */
+14,	/* OBJ_countryName                  2 5 4 6 */
+15,	/* OBJ_localityName                 2 5 4 7 */
+16,	/* OBJ_stateOrProvinceName          2 5 4 8 */
+660,	/* OBJ_streetAddress                2 5 4 9 */
+17,	/* OBJ_organizationName             2 5 4 10 */
+18,	/* OBJ_organizationalUnitName       2 5 4 11 */
+106,	/* OBJ_title                        2 5 4 12 */
+107,	/* OBJ_description                  2 5 4 13 */
+859,	/* OBJ_searchGuide                  2 5 4 14 */
+860,	/* OBJ_businessCategory             2 5 4 15 */
+861,	/* OBJ_postalAddress                2 5 4 16 */
+661,	/* OBJ_postalCode                   2 5 4 17 */
+862,	/* OBJ_postOfficeBox                2 5 4 18 */
+863,	/* OBJ_physicalDeliveryOfficeName   2 5 4 19 */
+864,	/* OBJ_telephoneNumber              2 5 4 20 */
+865,	/* OBJ_telexNumber                  2 5 4 21 */
+866,	/* OBJ_teletexTerminalIdentifier    2 5 4 22 */
+867,	/* OBJ_facsimileTelephoneNumber     2 5 4 23 */
+868,	/* OBJ_x121Address                  2 5 4 24 */
+869,	/* OBJ_internationaliSDNNumber      2 5 4 25 */
+870,	/* OBJ_registeredAddress            2 5 4 26 */
+871,	/* OBJ_destinationIndicator         2 5 4 27 */
+872,	/* OBJ_preferredDeliveryMethod      2 5 4 28 */
+873,	/* OBJ_presentationAddress          2 5 4 29 */
+874,	/* OBJ_supportedApplicationContext  2 5 4 30 */
+875,	/* OBJ_member                       2 5 4 31 */
+876,	/* OBJ_owner                        2 5 4 32 */
+877,	/* OBJ_roleOccupant                 2 5 4 33 */
+878,	/* OBJ_seeAlso                      2 5 4 34 */
+879,	/* OBJ_userPassword                 2 5 4 35 */
+880,	/* OBJ_userCertificate              2 5 4 36 */
+881,	/* OBJ_cACertificate                2 5 4 37 */
+882,	/* OBJ_authorityRevocationList      2 5 4 38 */
+883,	/* OBJ_certificateRevocationList    2 5 4 39 */
+884,	/* OBJ_crossCertificatePair         2 5 4 40 */
+173,	/* OBJ_name                         2 5 4 41 */
+99,	/* OBJ_givenName                    2 5 4 42 */
+101,	/* OBJ_initials                     2 5 4 43 */
+509,	/* OBJ_generationQualifier          2 5 4 44 */
+503,	/* OBJ_x500UniqueIdentifier         2 5 4 45 */
+174,	/* OBJ_dnQualifier                  2 5 4 46 */
+885,	/* OBJ_enhancedSearchGuide          2 5 4 47 */
+886,	/* OBJ_protocolInformation          2 5 4 48 */
+887,	/* OBJ_distinguishedName            2 5 4 49 */
+888,	/* OBJ_uniqueMember                 2 5 4 50 */
+889,	/* OBJ_houseIdentifier              2 5 4 51 */
+890,	/* OBJ_supportedAlgorithms          2 5 4 52 */
+891,	/* OBJ_deltaRevocationList          2 5 4 53 */
+892,	/* OBJ_dmdName                      2 5 4 54 */
+510,	/* OBJ_pseudonym                    2 5 4 65 */
+400,	/* OBJ_role                         2 5 4 72 */
+769,	/* OBJ_subject_directory_attributes 2 5 29 9 */
+82,	/* OBJ_subject_key_identifier       2 5 29 14 */
+83,	/* OBJ_key_usage                    2 5 29 15 */
+84,	/* OBJ_private_key_usage_period     2 5 29 16 */
+85,	/* OBJ_subject_alt_name             2 5 29 17 */
+86,	/* OBJ_issuer_alt_name              2 5 29 18 */
+87,	/* OBJ_basic_constraints            2 5 29 19 */
+88,	/* OBJ_crl_number                   2 5 29 20 */
+141,	/* OBJ_crl_reason                   2 5 29 21 */
+430,	/* OBJ_hold_instruction_code        2 5 29 23 */
+142,	/* OBJ_invalidity_date              2 5 29 24 */
+140,	/* OBJ_delta_crl                    2 5 29 27 */
+770,	/* OBJ_issuing_distribution_point   2 5 29 28 */
+771,	/* OBJ_certificate_issuer           2 5 29 29 */
+666,	/* OBJ_name_constraints             2 5 29 30 */
+103,	/* OBJ_crl_distribution_points      2 5 29 31 */
+89,	/* OBJ_certificate_policies         2 5 29 32 */
+747,	/* OBJ_policy_mappings              2 5 29 33 */
+90,	/* OBJ_authority_key_identifier     2 5 29 35 */
+401,	/* OBJ_policy_constraints           2 5 29 36 */
+126,	/* OBJ_ext_key_usage                2 5 29 37 */
+857,	/* OBJ_freshest_crl                 2 5 29 46 */
+748,	/* OBJ_inhibit_any_policy           2 5 29 54 */
+402,	/* OBJ_target_information           2 5 29 55 */
+403,	/* OBJ_no_rev_avail                 2 5 29 56 */
+513,	/* OBJ_set_ctype                    2 23 42 0 */
+514,	/* OBJ_set_msgExt                   2 23 42 1 */
+515,	/* OBJ_set_attr                     2 23 42 3 */
+516,	/* OBJ_set_policy                   2 23 42 5 */
+517,	/* OBJ_set_certExt                  2 23 42 7 */
+518,	/* OBJ_set_brand                    2 23 42 8 */
+679,	/* OBJ_wap_wsg                      2 23 43 1 */
+382,	/* OBJ_Directory                    1 3 6 1 1 */
+383,	/* OBJ_Management                   1 3 6 1 2 */
+384,	/* OBJ_Experimental                 1 3 6 1 3 */
+385,	/* OBJ_Private                      1 3 6 1 4 */
+386,	/* OBJ_Security                     1 3 6 1 5 */
+387,	/* OBJ_SNMPv2                       1 3 6 1 6 */
+388,	/* OBJ_Mail                         1 3 6 1 7 */
+376,	/* OBJ_algorithm                    1 3 14 3 2 */
+395,	/* OBJ_clearance                    2 5 1 5 55 */
+19,	/* OBJ_rsa                          2 5 8 1 1 */
+96,	/* OBJ_mdc2WithRSA                  2 5 8 3 100 */
+95,	/* OBJ_mdc2                         2 5 8 3 101 */
+746,	/* OBJ_any_policy                   2 5 29 32 0 */
+910,	/* OBJ_anyExtendedKeyUsage          2 5 29 37 0 */
+519,	/* OBJ_setct_PANData                2 23 42 0 0 */
+520,	/* OBJ_setct_PANToken               2 23 42 0 1 */
+521,	/* OBJ_setct_PANOnly                2 23 42 0 2 */
+522,	/* OBJ_setct_OIData                 2 23 42 0 3 */
+523,	/* OBJ_setct_PI                     2 23 42 0 4 */
+524,	/* OBJ_setct_PIData                 2 23 42 0 5 */
+525,	/* OBJ_setct_PIDataUnsigned         2 23 42 0 6 */
+526,	/* OBJ_setct_HODInput               2 23 42 0 7 */
+527,	/* OBJ_setct_AuthResBaggage         2 23 42 0 8 */
+528,	/* OBJ_setct_AuthRevReqBaggage      2 23 42 0 9 */
+529,	/* OBJ_setct_AuthRevResBaggage      2 23 42 0 10 */
+530,	/* OBJ_setct_CapTokenSeq            2 23 42 0 11 */
+531,	/* OBJ_setct_PInitResData           2 23 42 0 12 */
+532,	/* OBJ_setct_PI_TBS                 2 23 42 0 13 */
+533,	/* OBJ_setct_PResData               2 23 42 0 14 */
+534,	/* OBJ_setct_AuthReqTBS             2 23 42 0 16 */
+535,	/* OBJ_setct_AuthResTBS             2 23 42 0 17 */
+536,	/* OBJ_setct_AuthResTBSX            2 23 42 0 18 */
+537,	/* OBJ_setct_AuthTokenTBS           2 23 42 0 19 */
+538,	/* OBJ_setct_CapTokenData           2 23 42 0 20 */
+539,	/* OBJ_setct_CapTokenTBS            2 23 42 0 21 */
+540,	/* OBJ_setct_AcqCardCodeMsg         2 23 42 0 22 */
+541,	/* OBJ_setct_AuthRevReqTBS          2 23 42 0 23 */
+542,	/* OBJ_setct_AuthRevResData         2 23 42 0 24 */
+543,	/* OBJ_setct_AuthRevResTBS          2 23 42 0 25 */
+544,	/* OBJ_setct_CapReqTBS              2 23 42 0 26 */
+545,	/* OBJ_setct_CapReqTBSX             2 23 42 0 27 */
+546,	/* OBJ_setct_CapResData             2 23 42 0 28 */
+547,	/* OBJ_setct_CapRevReqTBS           2 23 42 0 29 */
+548,	/* OBJ_setct_CapRevReqTBSX          2 23 42 0 30 */
+549,	/* OBJ_setct_CapRevResData          2 23 42 0 31 */
+550,	/* OBJ_setct_CredReqTBS             2 23 42 0 32 */
+551,	/* OBJ_setct_CredReqTBSX            2 23 42 0 33 */
+552,	/* OBJ_setct_CredResData            2 23 42 0 34 */
+553,	/* OBJ_setct_CredRevReqTBS          2 23 42 0 35 */
+554,	/* OBJ_setct_CredRevReqTBSX         2 23 42 0 36 */
+555,	/* OBJ_setct_CredRevResData         2 23 42 0 37 */
+556,	/* OBJ_setct_PCertReqData           2 23 42 0 38 */
+557,	/* OBJ_setct_PCertResTBS            2 23 42 0 39 */
+558,	/* OBJ_setct_BatchAdminReqData      2 23 42 0 40 */
+559,	/* OBJ_setct_BatchAdminResData      2 23 42 0 41 */
+560,	/* OBJ_setct_CardCInitResTBS        2 23 42 0 42 */
+561,	/* OBJ_setct_MeAqCInitResTBS        2 23 42 0 43 */
+562,	/* OBJ_setct_RegFormResTBS          2 23 42 0 44 */
+563,	/* OBJ_setct_CertReqData            2 23 42 0 45 */
+564,	/* OBJ_setct_CertReqTBS             2 23 42 0 46 */
+565,	/* OBJ_setct_CertResData            2 23 42 0 47 */
+566,	/* OBJ_setct_CertInqReqTBS          2 23 42 0 48 */
+567,	/* OBJ_setct_ErrorTBS               2 23 42 0 49 */
+568,	/* OBJ_setct_PIDualSignedTBE        2 23 42 0 50 */
+569,	/* OBJ_setct_PIUnsignedTBE          2 23 42 0 51 */
+570,	/* OBJ_setct_AuthReqTBE             2 23 42 0 52 */
+571,	/* OBJ_setct_AuthResTBE             2 23 42 0 53 */
+572,	/* OBJ_setct_AuthResTBEX            2 23 42 0 54 */
+573,	/* OBJ_setct_AuthTokenTBE           2 23 42 0 55 */
+574,	/* OBJ_setct_CapTokenTBE            2 23 42 0 56 */
+575,	/* OBJ_setct_CapTokenTBEX           2 23 42 0 57 */
+576,	/* OBJ_setct_AcqCardCodeMsgTBE      2 23 42 0 58 */
+577,	/* OBJ_setct_AuthRevReqTBE          2 23 42 0 59 */
+578,	/* OBJ_setct_AuthRevResTBE          2 23 42 0 60 */
+579,	/* OBJ_setct_AuthRevResTBEB         2 23 42 0 61 */
+580,	/* OBJ_setct_CapReqTBE              2 23 42 0 62 */
+581,	/* OBJ_setct_CapReqTBEX             2 23 42 0 63 */
+582,	/* OBJ_setct_CapResTBE              2 23 42 0 64 */
+583,	/* OBJ_setct_CapRevReqTBE           2 23 42 0 65 */
+584,	/* OBJ_setct_CapRevReqTBEX          2 23 42 0 66 */
+585,	/* OBJ_setct_CapRevResTBE           2 23 42 0 67 */
+586,	/* OBJ_setct_CredReqTBE             2 23 42 0 68 */
+587,	/* OBJ_setct_CredReqTBEX            2 23 42 0 69 */
+588,	/* OBJ_setct_CredResTBE             2 23 42 0 70 */
+589,	/* OBJ_setct_CredRevReqTBE          2 23 42 0 71 */
+590,	/* OBJ_setct_CredRevReqTBEX         2 23 42 0 72 */
+591,	/* OBJ_setct_CredRevResTBE          2 23 42 0 73 */
+592,	/* OBJ_setct_BatchAdminReqTBE       2 23 42 0 74 */
+593,	/* OBJ_setct_BatchAdminResTBE       2 23 42 0 75 */
+594,	/* OBJ_setct_RegFormReqTBE          2 23 42 0 76 */
+595,	/* OBJ_setct_CertReqTBE             2 23 42 0 77 */
+596,	/* OBJ_setct_CertReqTBEX            2 23 42 0 78 */
+597,	/* OBJ_setct_CertResTBE             2 23 42 0 79 */
+598,	/* OBJ_setct_CRLNotificationTBS     2 23 42 0 80 */
+599,	/* OBJ_setct_CRLNotificationResTBS  2 23 42 0 81 */
+600,	/* OBJ_setct_BCIDistributionTBS     2 23 42 0 82 */
+601,	/* OBJ_setext_genCrypt              2 23 42 1 1 */
+602,	/* OBJ_setext_miAuth                2 23 42 1 3 */
+603,	/* OBJ_setext_pinSecure             2 23 42 1 4 */
+604,	/* OBJ_setext_pinAny                2 23 42 1 5 */
+605,	/* OBJ_setext_track2                2 23 42 1 7 */
+606,	/* OBJ_setext_cv                    2 23 42 1 8 */
+620,	/* OBJ_setAttr_Cert                 2 23 42 3 0 */
+621,	/* OBJ_setAttr_PGWYcap              2 23 42 3 1 */
+622,	/* OBJ_setAttr_TokenType            2 23 42 3 2 */
+623,	/* OBJ_setAttr_IssCap               2 23 42 3 3 */
+607,	/* OBJ_set_policy_root              2 23 42 5 0 */
+608,	/* OBJ_setCext_hashedRoot           2 23 42 7 0 */
+609,	/* OBJ_setCext_certType             2 23 42 7 1 */
+610,	/* OBJ_setCext_merchData            2 23 42 7 2 */
+611,	/* OBJ_setCext_cCertRequired        2 23 42 7 3 */
+612,	/* OBJ_setCext_tunneling            2 23 42 7 4 */
+613,	/* OBJ_setCext_setExt               2 23 42 7 5 */
+614,	/* OBJ_setCext_setQualf             2 23 42 7 6 */
+615,	/* OBJ_setCext_PGWYcapabilities     2 23 42 7 7 */
+616,	/* OBJ_setCext_TokenIdentifier      2 23 42 7 8 */
+617,	/* OBJ_setCext_Track2Data           2 23 42 7 9 */
+618,	/* OBJ_setCext_TokenType            2 23 42 7 10 */
+619,	/* OBJ_setCext_IssuerCapabilities   2 23 42 7 11 */
+636,	/* OBJ_set_brand_IATA_ATA           2 23 42 8 1 */
+640,	/* OBJ_set_brand_Visa               2 23 42 8 4 */
+641,	/* OBJ_set_brand_MasterCard         2 23 42 8 5 */
+637,	/* OBJ_set_brand_Diners             2 23 42 8 30 */
+638,	/* OBJ_set_brand_AmericanExpress    2 23 42 8 34 */
+639,	/* OBJ_set_brand_JCB                2 23 42 8 35 */
+805,	/* OBJ_cryptopro                    1 2 643 2 2 */
+806,	/* OBJ_cryptocom                    1 2 643 2 9 */
+184,	/* OBJ_X9_57                        1 2 840 10040 */
+405,	/* OBJ_ansi_X9_62                   1 2 840 10045 */
+389,	/* OBJ_Enterprises                  1 3 6 1 4 1 */
+504,	/* OBJ_mime_mhs                     1 3 6 1 7 1 */
+104,	/* OBJ_md5WithRSA                   1 3 14 3 2 3 */
+29,	/* OBJ_des_ecb                      1 3 14 3 2 6 */
+31,	/* OBJ_des_cbc                      1 3 14 3 2 7 */
+45,	/* OBJ_des_ofb64                    1 3 14 3 2 8 */
+30,	/* OBJ_des_cfb64                    1 3 14 3 2 9 */
+377,	/* OBJ_rsaSignature                 1 3 14 3 2 11 */
+67,	/* OBJ_dsa_2                        1 3 14 3 2 12 */
+66,	/* OBJ_dsaWithSHA                   1 3 14 3 2 13 */
+42,	/* OBJ_shaWithRSAEncryption         1 3 14 3 2 15 */
+32,	/* OBJ_des_ede_ecb                  1 3 14 3 2 17 */
+41,	/* OBJ_sha                          1 3 14 3 2 18 */
+64,	/* OBJ_sha1                         1 3 14 3 2 26 */
+70,	/* OBJ_dsaWithSHA1_2                1 3 14 3 2 27 */
+115,	/* OBJ_sha1WithRSA                  1 3 14 3 2 29 */
+117,	/* OBJ_ripemd160                    1 3 36 3 2 1 */
+143,	/* OBJ_sxnet                        1 3 101 1 4 1 */
+721,	/* OBJ_sect163k1                    1 3 132 0 1 */
+722,	/* OBJ_sect163r1                    1 3 132 0 2 */
+728,	/* OBJ_sect239k1                    1 3 132 0 3 */
+717,	/* OBJ_sect113r1                    1 3 132 0 4 */
+718,	/* OBJ_sect113r2                    1 3 132 0 5 */
+704,	/* OBJ_secp112r1                    1 3 132 0 6 */
+705,	/* OBJ_secp112r2                    1 3 132 0 7 */
+709,	/* OBJ_secp160r1                    1 3 132 0 8 */
+708,	/* OBJ_secp160k1                    1 3 132 0 9 */
+714,	/* OBJ_secp256k1                    1 3 132 0 10 */
+723,	/* OBJ_sect163r2                    1 3 132 0 15 */
+729,	/* OBJ_sect283k1                    1 3 132 0 16 */
+730,	/* OBJ_sect283r1                    1 3 132 0 17 */
+719,	/* OBJ_sect131r1                    1 3 132 0 22 */
+720,	/* OBJ_sect131r2                    1 3 132 0 23 */
+724,	/* OBJ_sect193r1                    1 3 132 0 24 */
+725,	/* OBJ_sect193r2                    1 3 132 0 25 */
+726,	/* OBJ_sect233k1                    1 3 132 0 26 */
+727,	/* OBJ_sect233r1                    1 3 132 0 27 */
+706,	/* OBJ_secp128r1                    1 3 132 0 28 */
+707,	/* OBJ_secp128r2                    1 3 132 0 29 */
+710,	/* OBJ_secp160r2                    1 3 132 0 30 */
+711,	/* OBJ_secp192k1                    1 3 132 0 31 */
+712,	/* OBJ_secp224k1                    1 3 132 0 32 */
+713,	/* OBJ_secp224r1                    1 3 132 0 33 */
+715,	/* OBJ_secp384r1                    1 3 132 0 34 */
+716,	/* OBJ_secp521r1                    1 3 132 0 35 */
+731,	/* OBJ_sect409k1                    1 3 132 0 36 */
+732,	/* OBJ_sect409r1                    1 3 132 0 37 */
+733,	/* OBJ_sect571k1                    1 3 132 0 38 */
+734,	/* OBJ_sect571r1                    1 3 132 0 39 */
+624,	/* OBJ_set_rootKeyThumb             2 23 42 3 0 0 */
+625,	/* OBJ_set_addPolicy                2 23 42 3 0 1 */
+626,	/* OBJ_setAttr_Token_EMV            2 23 42 3 2 1 */
+627,	/* OBJ_setAttr_Token_B0Prime        2 23 42 3 2 2 */
+628,	/* OBJ_setAttr_IssCap_CVM           2 23 42 3 3 3 */
+629,	/* OBJ_setAttr_IssCap_T2            2 23 42 3 3 4 */
+630,	/* OBJ_setAttr_IssCap_Sig           2 23 42 3 3 5 */
+642,	/* OBJ_set_brand_Novus              2 23 42 8 6011 */
+735,	/* OBJ_wap_wsg_idm_ecid_wtls1       2 23 43 1 4 1 */
+736,	/* OBJ_wap_wsg_idm_ecid_wtls3       2 23 43 1 4 3 */
+737,	/* OBJ_wap_wsg_idm_ecid_wtls4       2 23 43 1 4 4 */
+738,	/* OBJ_wap_wsg_idm_ecid_wtls5       2 23 43 1 4 5 */
+739,	/* OBJ_wap_wsg_idm_ecid_wtls6       2 23 43 1 4 6 */
+740,	/* OBJ_wap_wsg_idm_ecid_wtls7       2 23 43 1 4 7 */
+741,	/* OBJ_wap_wsg_idm_ecid_wtls8       2 23 43 1 4 8 */
+742,	/* OBJ_wap_wsg_idm_ecid_wtls9       2 23 43 1 4 9 */
+743,	/* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 1 4 10 */
+744,	/* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 1 4 11 */
+745,	/* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 1 4 12 */
+804,	/* OBJ_whirlpool                    1 0 10118 3 0 55 */
+124,	/* OBJ_rle_compression              1 1 1 1 666 1 */
+773,	/* OBJ_kisa                         1 2 410 200004 */
+807,	/* OBJ_id_GostR3411_94_with_GostR3410_2001 1 2 643 2 2 3 */
+808,	/* OBJ_id_GostR3411_94_with_GostR3410_94 1 2 643 2 2 4 */
+809,	/* OBJ_id_GostR3411_94              1 2 643 2 2 9 */
+810,	/* OBJ_id_HMACGostR3411_94          1 2 643 2 2 10 */
+811,	/* OBJ_id_GostR3410_2001            1 2 643 2 2 19 */
+812,	/* OBJ_id_GostR3410_94              1 2 643 2 2 20 */
+813,	/* OBJ_id_Gost28147_89              1 2 643 2 2 21 */
+815,	/* OBJ_id_Gost28147_89_MAC          1 2 643 2 2 22 */
+816,	/* OBJ_id_GostR3411_94_prf          1 2 643 2 2 23 */
+817,	/* OBJ_id_GostR3410_2001DH          1 2 643 2 2 98 */
+818,	/* OBJ_id_GostR3410_94DH            1 2 643 2 2 99 */
+ 1,	/* OBJ_rsadsi                       1 2 840 113549 */
+185,	/* OBJ_X9cm                         1 2 840 10040 4 */
+127,	/* OBJ_id_pkix                      1 3 6 1 5 5 7 */
+505,	/* OBJ_mime_mhs_headings            1 3 6 1 7 1 1 */
+506,	/* OBJ_mime_mhs_bodies              1 3 6 1 7 1 2 */
+119,	/* OBJ_ripemd160WithRSA             1 3 36 3 3 1 2 */
+937,	/* OBJ_dhSinglePass_stdDH_sha224kdf_scheme 1 3 132 1 11 0 */
+938,	/* OBJ_dhSinglePass_stdDH_sha256kdf_scheme 1 3 132 1 11 1 */
+939,	/* OBJ_dhSinglePass_stdDH_sha384kdf_scheme 1 3 132 1 11 2 */
+940,	/* OBJ_dhSinglePass_stdDH_sha512kdf_scheme 1 3 132 1 11 3 */
+942,	/* OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme 1 3 132 1 14 0 */
+943,	/* OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme 1 3 132 1 14 1 */
+944,	/* OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme 1 3 132 1 14 2 */
+945,	/* OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme 1 3 132 1 14 3 */
+631,	/* OBJ_setAttr_GenCryptgrm          2 23 42 3 3 3 1 */
+632,	/* OBJ_setAttr_T2Enc                2 23 42 3 3 4 1 */
+633,	/* OBJ_setAttr_T2cleartxt           2 23 42 3 3 4 2 */
+634,	/* OBJ_setAttr_TokICCsig            2 23 42 3 3 5 1 */
+635,	/* OBJ_setAttr_SecDevSig            2 23 42 3 3 5 2 */
+436,	/* OBJ_ucl                          0 9 2342 19200300 */
+820,	/* OBJ_id_Gost28147_89_None_KeyMeshing 1 2 643 2 2 14 0 */
+819,	/* OBJ_id_Gost28147_89_CryptoPro_KeyMeshing 1 2 643 2 2 14 1 */
+845,	/* OBJ_id_GostR3410_94_a            1 2 643 2 2 20 1 */
+846,	/* OBJ_id_GostR3410_94_aBis         1 2 643 2 2 20 2 */
+847,	/* OBJ_id_GostR3410_94_b            1 2 643 2 2 20 3 */
+848,	/* OBJ_id_GostR3410_94_bBis         1 2 643 2 2 20 4 */
+821,	/* OBJ_id_GostR3411_94_TestParamSet 1 2 643 2 2 30 0 */
+822,	/* OBJ_id_GostR3411_94_CryptoProParamSet 1 2 643 2 2 30 1 */
+823,	/* OBJ_id_Gost28147_89_TestParamSet 1 2 643 2 2 31 0 */
+824,	/* OBJ_id_Gost28147_89_CryptoPro_A_ParamSet 1 2 643 2 2 31 1 */
+825,	/* OBJ_id_Gost28147_89_CryptoPro_B_ParamSet 1 2 643 2 2 31 2 */
+826,	/* OBJ_id_Gost28147_89_CryptoPro_C_ParamSet 1 2 643 2 2 31 3 */
+827,	/* OBJ_id_Gost28147_89_CryptoPro_D_ParamSet 1 2 643 2 2 31 4 */
+828,	/* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet 1 2 643 2 2 31 5 */
+829,	/* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet 1 2 643 2 2 31 6 */
+830,	/* OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet 1 2 643 2 2 31 7 */
+831,	/* OBJ_id_GostR3410_94_TestParamSet 1 2 643 2 2 32 0 */
+832,	/* OBJ_id_GostR3410_94_CryptoPro_A_ParamSet 1 2 643 2 2 32 2 */
+833,	/* OBJ_id_GostR3410_94_CryptoPro_B_ParamSet 1 2 643 2 2 32 3 */
+834,	/* OBJ_id_GostR3410_94_CryptoPro_C_ParamSet 1 2 643 2 2 32 4 */
+835,	/* OBJ_id_GostR3410_94_CryptoPro_D_ParamSet 1 2 643 2 2 32 5 */
+836,	/* OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet 1 2 643 2 2 33 1 */
+837,	/* OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet 1 2 643 2 2 33 2 */
+838,	/* OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet 1 2 643 2 2 33 3 */
+839,	/* OBJ_id_GostR3410_2001_TestParamSet 1 2 643 2 2 35 0 */
+840,	/* OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet 1 2 643 2 2 35 1 */
+841,	/* OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet 1 2 643 2 2 35 2 */
+842,	/* OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet 1 2 643 2 2 35 3 */
+843,	/* OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet 1 2 643 2 2 36 0 */
+844,	/* OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet 1 2 643 2 2 36 1 */
+ 2,	/* OBJ_pkcs                         1 2 840 113549 1 */
+431,	/* OBJ_hold_instruction_none        1 2 840 10040 2 1 */
+432,	/* OBJ_hold_instruction_call_issuer 1 2 840 10040 2 2 */
+433,	/* OBJ_hold_instruction_reject      1 2 840 10040 2 3 */
+116,	/* OBJ_dsa                          1 2 840 10040 4 1 */
+113,	/* OBJ_dsaWithSHA1                  1 2 840 10040 4 3 */
+406,	/* OBJ_X9_62_prime_field            1 2 840 10045 1 1 */
+407,	/* OBJ_X9_62_characteristic_two_field 1 2 840 10045 1 2 */
+408,	/* OBJ_X9_62_id_ecPublicKey         1 2 840 10045 2 1 */
+416,	/* OBJ_ecdsa_with_SHA1              1 2 840 10045 4 1 */
+791,	/* OBJ_ecdsa_with_Recommended       1 2 840 10045 4 2 */
+792,	/* OBJ_ecdsa_with_Specified         1 2 840 10045 4 3 */
+920,	/* OBJ_dhpublicnumber               1 2 840 10046 2 1 */
+258,	/* OBJ_id_pkix_mod                  1 3 6 1 5 5 7 0 */
+175,	/* OBJ_id_pe                        1 3 6 1 5 5 7 1 */
+259,	/* OBJ_id_qt                        1 3 6 1 5 5 7 2 */
+128,	/* OBJ_id_kp                        1 3 6 1 5 5 7 3 */
+260,	/* OBJ_id_it                        1 3 6 1 5 5 7 4 */
+261,	/* OBJ_id_pkip                      1 3 6 1 5 5 7 5 */
+262,	/* OBJ_id_alg                       1 3 6 1 5 5 7 6 */
+263,	/* OBJ_id_cmc                       1 3 6 1 5 5 7 7 */
+264,	/* OBJ_id_on                        1 3 6 1 5 5 7 8 */
+265,	/* OBJ_id_pda                       1 3 6 1 5 5 7 9 */
+266,	/* OBJ_id_aca                       1 3 6 1 5 5 7 10 */
+267,	/* OBJ_id_qcs                       1 3 6 1 5 5 7 11 */
+268,	/* OBJ_id_cct                       1 3 6 1 5 5 7 12 */
+662,	/* OBJ_id_ppl                       1 3 6 1 5 5 7 21 */
+176,	/* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
+507,	/* OBJ_id_hex_partial_message       1 3 6 1 7 1 1 1 */
+508,	/* OBJ_id_hex_multipart_message     1 3 6 1 7 1 1 2 */
+57,	/* OBJ_netscape                     2 16 840 1 113730 */
+754,	/* OBJ_camellia_128_ecb             0 3 4401 5 3 1 9 1 */
+766,	/* OBJ_camellia_128_ofb128          0 3 4401 5 3 1 9 3 */
+757,	/* OBJ_camellia_128_cfb128          0 3 4401 5 3 1 9 4 */
+755,	/* OBJ_camellia_192_ecb             0 3 4401 5 3 1 9 21 */
+767,	/* OBJ_camellia_192_ofb128          0 3 4401 5 3 1 9 23 */
+758,	/* OBJ_camellia_192_cfb128          0 3 4401 5 3 1 9 24 */
+756,	/* OBJ_camellia_256_ecb             0 3 4401 5 3 1 9 41 */
+768,	/* OBJ_camellia_256_ofb128          0 3 4401 5 3 1 9 43 */
+759,	/* OBJ_camellia_256_cfb128          0 3 4401 5 3 1 9 44 */
+437,	/* OBJ_pilot                        0 9 2342 19200300 100 */
+776,	/* OBJ_seed_ecb                     1 2 410 200004 1 3 */
+777,	/* OBJ_seed_cbc                     1 2 410 200004 1 4 */
+779,	/* OBJ_seed_cfb128                  1 2 410 200004 1 5 */
+778,	/* OBJ_seed_ofb128                  1 2 410 200004 1 6 */
+852,	/* OBJ_id_GostR3411_94_with_GostR3410_94_cc 1 2 643 2 9 1 3 3 */
+853,	/* OBJ_id_GostR3411_94_with_GostR3410_2001_cc 1 2 643 2 9 1 3 4 */
+850,	/* OBJ_id_GostR3410_94_cc           1 2 643 2 9 1 5 3 */
+851,	/* OBJ_id_GostR3410_2001_cc         1 2 643 2 9 1 5 4 */
+849,	/* OBJ_id_Gost28147_89_cc           1 2 643 2 9 1 6 1 */
+854,	/* OBJ_id_GostR3410_2001_ParamSet_cc 1 2 643 2 9 1 8 1 */
+186,	/* OBJ_pkcs1                        1 2 840 113549 1 1 */
+27,	/* OBJ_pkcs3                        1 2 840 113549 1 3 */
+187,	/* OBJ_pkcs5                        1 2 840 113549 1 5 */
+20,	/* OBJ_pkcs7                        1 2 840 113549 1 7 */
+47,	/* OBJ_pkcs9                        1 2 840 113549 1 9 */
+ 3,	/* OBJ_md2                          1 2 840 113549 2 2 */
+257,	/* OBJ_md4                          1 2 840 113549 2 4 */
+ 4,	/* OBJ_md5                          1 2 840 113549 2 5 */
+797,	/* OBJ_hmacWithMD5                  1 2 840 113549 2 6 */
+163,	/* OBJ_hmacWithSHA1                 1 2 840 113549 2 7 */
+798,	/* OBJ_hmacWithSHA224               1 2 840 113549 2 8 */
+799,	/* OBJ_hmacWithSHA256               1 2 840 113549 2 9 */
+800,	/* OBJ_hmacWithSHA384               1 2 840 113549 2 10 */
+801,	/* OBJ_hmacWithSHA512               1 2 840 113549 2 11 */
+37,	/* OBJ_rc2_cbc                      1 2 840 113549 3 2 */
+ 5,	/* OBJ_rc4                          1 2 840 113549 3 4 */
+44,	/* OBJ_des_ede3_cbc                 1 2 840 113549 3 7 */
+120,	/* OBJ_rc5_cbc                      1 2 840 113549 3 8 */
+643,	/* OBJ_des_cdmf                     1 2 840 113549 3 10 */
+680,	/* OBJ_X9_62_id_characteristic_two_basis 1 2 840 10045 1 2 3 */
+684,	/* OBJ_X9_62_c2pnb163v1             1 2 840 10045 3 0 1 */
+685,	/* OBJ_X9_62_c2pnb163v2             1 2 840 10045 3 0 2 */
+686,	/* OBJ_X9_62_c2pnb163v3             1 2 840 10045 3 0 3 */
+687,	/* OBJ_X9_62_c2pnb176v1             1 2 840 10045 3 0 4 */
+688,	/* OBJ_X9_62_c2tnb191v1             1 2 840 10045 3 0 5 */
+689,	/* OBJ_X9_62_c2tnb191v2             1 2 840 10045 3 0 6 */
+690,	/* OBJ_X9_62_c2tnb191v3             1 2 840 10045 3 0 7 */
+691,	/* OBJ_X9_62_c2onb191v4             1 2 840 10045 3 0 8 */
+692,	/* OBJ_X9_62_c2onb191v5             1 2 840 10045 3 0 9 */
+693,	/* OBJ_X9_62_c2pnb208w1             1 2 840 10045 3 0 10 */
+694,	/* OBJ_X9_62_c2tnb239v1             1 2 840 10045 3 0 11 */
+695,	/* OBJ_X9_62_c2tnb239v2             1 2 840 10045 3 0 12 */
+696,	/* OBJ_X9_62_c2tnb239v3             1 2 840 10045 3 0 13 */
+697,	/* OBJ_X9_62_c2onb239v4             1 2 840 10045 3 0 14 */
+698,	/* OBJ_X9_62_c2onb239v5             1 2 840 10045 3 0 15 */
+699,	/* OBJ_X9_62_c2pnb272w1             1 2 840 10045 3 0 16 */
+700,	/* OBJ_X9_62_c2pnb304w1             1 2 840 10045 3 0 17 */
+701,	/* OBJ_X9_62_c2tnb359v1             1 2 840 10045 3 0 18 */
+702,	/* OBJ_X9_62_c2pnb368w1             1 2 840 10045 3 0 19 */
+703,	/* OBJ_X9_62_c2tnb431r1             1 2 840 10045 3 0 20 */
+409,	/* OBJ_X9_62_prime192v1             1 2 840 10045 3 1 1 */
+410,	/* OBJ_X9_62_prime192v2             1 2 840 10045 3 1 2 */
+411,	/* OBJ_X9_62_prime192v3             1 2 840 10045 3 1 3 */
+412,	/* OBJ_X9_62_prime239v1             1 2 840 10045 3 1 4 */
+413,	/* OBJ_X9_62_prime239v2             1 2 840 10045 3 1 5 */
+414,	/* OBJ_X9_62_prime239v3             1 2 840 10045 3 1 6 */
+415,	/* OBJ_X9_62_prime256v1             1 2 840 10045 3 1 7 */
+793,	/* OBJ_ecdsa_with_SHA224            1 2 840 10045 4 3 1 */
+794,	/* OBJ_ecdsa_with_SHA256            1 2 840 10045 4 3 2 */
+795,	/* OBJ_ecdsa_with_SHA384            1 2 840 10045 4 3 3 */
+796,	/* OBJ_ecdsa_with_SHA512            1 2 840 10045 4 3 4 */
+269,	/* OBJ_id_pkix1_explicit_88         1 3 6 1 5 5 7 0 1 */
+270,	/* OBJ_id_pkix1_implicit_88         1 3 6 1 5 5 7 0 2 */
+271,	/* OBJ_id_pkix1_explicit_93         1 3 6 1 5 5 7 0 3 */
+272,	/* OBJ_id_pkix1_implicit_93         1 3 6 1 5 5 7 0 4 */
+273,	/* OBJ_id_mod_crmf                  1 3 6 1 5 5 7 0 5 */
+274,	/* OBJ_id_mod_cmc                   1 3 6 1 5 5 7 0 6 */
+275,	/* OBJ_id_mod_kea_profile_88        1 3 6 1 5 5 7 0 7 */
+276,	/* OBJ_id_mod_kea_profile_93        1 3 6 1 5 5 7 0 8 */
+277,	/* OBJ_id_mod_cmp                   1 3 6 1 5 5 7 0 9 */
+278,	/* OBJ_id_mod_qualified_cert_88     1 3 6 1 5 5 7 0 10 */
+279,	/* OBJ_id_mod_qualified_cert_93     1 3 6 1 5 5 7 0 11 */
+280,	/* OBJ_id_mod_attribute_cert        1 3 6 1 5 5 7 0 12 */
+281,	/* OBJ_id_mod_timestamp_protocol    1 3 6 1 5 5 7 0 13 */
+282,	/* OBJ_id_mod_ocsp                  1 3 6 1 5 5 7 0 14 */
+283,	/* OBJ_id_mod_dvcs                  1 3 6 1 5 5 7 0 15 */
+284,	/* OBJ_id_mod_cmp2000               1 3 6 1 5 5 7 0 16 */
+177,	/* OBJ_info_access                  1 3 6 1 5 5 7 1 1 */
+285,	/* OBJ_biometricInfo                1 3 6 1 5 5 7 1 2 */
+286,	/* OBJ_qcStatements                 1 3 6 1 5 5 7 1 3 */
+287,	/* OBJ_ac_auditEntity               1 3 6 1 5 5 7 1 4 */
+288,	/* OBJ_ac_targeting                 1 3 6 1 5 5 7 1 5 */
+289,	/* OBJ_aaControls                   1 3 6 1 5 5 7 1 6 */
+290,	/* OBJ_sbgp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
+291,	/* OBJ_sbgp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
+292,	/* OBJ_sbgp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
+397,	/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
+398,	/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
+663,	/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */
+164,	/* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
+165,	/* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
+293,	/* OBJ_textNotice                   1 3 6 1 5 5 7 2 3 */
+129,	/* OBJ_server_auth                  1 3 6 1 5 5 7 3 1 */
+130,	/* OBJ_client_auth                  1 3 6 1 5 5 7 3 2 */
+131,	/* OBJ_code_sign                    1 3 6 1 5 5 7 3 3 */
+132,	/* OBJ_email_protect                1 3 6 1 5 5 7 3 4 */
+294,	/* OBJ_ipsecEndSystem               1 3 6 1 5 5 7 3 5 */
+295,	/* OBJ_ipsecTunnel                  1 3 6 1 5 5 7 3 6 */
+296,	/* OBJ_ipsecUser                    1 3 6 1 5 5 7 3 7 */
+133,	/* OBJ_time_stamp                   1 3 6 1 5 5 7 3 8 */
+180,	/* OBJ_OCSP_sign                    1 3 6 1 5 5 7 3 9 */
+297,	/* OBJ_dvcs                         1 3 6 1 5 5 7 3 10 */
+298,	/* OBJ_id_it_caProtEncCert          1 3 6 1 5 5 7 4 1 */
+299,	/* OBJ_id_it_signKeyPairTypes       1 3 6 1 5 5 7 4 2 */
+300,	/* OBJ_id_it_encKeyPairTypes        1 3 6 1 5 5 7 4 3 */
+301,	/* OBJ_id_it_preferredSymmAlg       1 3 6 1 5 5 7 4 4 */
+302,	/* OBJ_id_it_caKeyUpdateInfo        1 3 6 1 5 5 7 4 5 */
+303,	/* OBJ_id_it_currentCRL             1 3 6 1 5 5 7 4 6 */
+304,	/* OBJ_id_it_unsupportedOIDs        1 3 6 1 5 5 7 4 7 */
+305,	/* OBJ_id_it_subscriptionRequest    1 3 6 1 5 5 7 4 8 */
+306,	/* OBJ_id_it_subscriptionResponse   1 3 6 1 5 5 7 4 9 */
+307,	/* OBJ_id_it_keyPairParamReq        1 3 6 1 5 5 7 4 10 */
+308,	/* OBJ_id_it_keyPairParamRep        1 3 6 1 5 5 7 4 11 */
+309,	/* OBJ_id_it_revPassphrase          1 3 6 1 5 5 7 4 12 */
+310,	/* OBJ_id_it_implicitConfirm        1 3 6 1 5 5 7 4 13 */
+311,	/* OBJ_id_it_confirmWaitTime        1 3 6 1 5 5 7 4 14 */
+312,	/* OBJ_id_it_origPKIMessage         1 3 6 1 5 5 7 4 15 */
+784,	/* OBJ_id_it_suppLangTags           1 3 6 1 5 5 7 4 16 */
+313,	/* OBJ_id_regCtrl                   1 3 6 1 5 5 7 5 1 */
+314,	/* OBJ_id_regInfo                   1 3 6 1 5 5 7 5 2 */
+323,	/* OBJ_id_alg_des40                 1 3 6 1 5 5 7 6 1 */
+324,	/* OBJ_id_alg_noSignature           1 3 6 1 5 5 7 6 2 */
+325,	/* OBJ_id_alg_dh_sig_hmac_sha1      1 3 6 1 5 5 7 6 3 */
+326,	/* OBJ_id_alg_dh_pop                1 3 6 1 5 5 7 6 4 */
+327,	/* OBJ_id_cmc_statusInfo            1 3 6 1 5 5 7 7 1 */
+328,	/* OBJ_id_cmc_identification        1 3 6 1 5 5 7 7 2 */
+329,	/* OBJ_id_cmc_identityProof         1 3 6 1 5 5 7 7 3 */
+330,	/* OBJ_id_cmc_dataReturn            1 3 6 1 5 5 7 7 4 */
+331,	/* OBJ_id_cmc_transactionId         1 3 6 1 5 5 7 7 5 */
+332,	/* OBJ_id_cmc_senderNonce           1 3 6 1 5 5 7 7 6 */
+333,	/* OBJ_id_cmc_recipientNonce        1 3 6 1 5 5 7 7 7 */
+334,	/* OBJ_id_cmc_addExtensions         1 3 6 1 5 5 7 7 8 */
+335,	/* OBJ_id_cmc_encryptedPOP          1 3 6 1 5 5 7 7 9 */
+336,	/* OBJ_id_cmc_decryptedPOP          1 3 6 1 5 5 7 7 10 */
+337,	/* OBJ_id_cmc_lraPOPWitness         1 3 6 1 5 5 7 7 11 */
+338,	/* OBJ_id_cmc_getCert               1 3 6 1 5 5 7 7 15 */
+339,	/* OBJ_id_cmc_getCRL                1 3 6 1 5 5 7 7 16 */
+340,	/* OBJ_id_cmc_revokeRequest         1 3 6 1 5 5 7 7 17 */
+341,	/* OBJ_id_cmc_regInfo               1 3 6 1 5 5 7 7 18 */
+342,	/* OBJ_id_cmc_responseInfo          1 3 6 1 5 5 7 7 19 */
+343,	/* OBJ_id_cmc_queryPending          1 3 6 1 5 5 7 7 21 */
+344,	/* OBJ_id_cmc_popLinkRandom         1 3 6 1 5 5 7 7 22 */
+345,	/* OBJ_id_cmc_popLinkWitness        1 3 6 1 5 5 7 7 23 */
+346,	/* OBJ_id_cmc_confirmCertAcceptance 1 3 6 1 5 5 7 7 24 */
+347,	/* OBJ_id_on_personalData           1 3 6 1 5 5 7 8 1 */
+858,	/* OBJ_id_on_permanentIdentifier    1 3 6 1 5 5 7 8 3 */
+348,	/* OBJ_id_pda_dateOfBirth           1 3 6 1 5 5 7 9 1 */
+349,	/* OBJ_id_pda_placeOfBirth          1 3 6 1 5 5 7 9 2 */
+351,	/* OBJ_id_pda_gender                1 3 6 1 5 5 7 9 3 */
+352,	/* OBJ_id_pda_countryOfCitizenship  1 3 6 1 5 5 7 9 4 */
+353,	/* OBJ_id_pda_countryOfResidence    1 3 6 1 5 5 7 9 5 */
+354,	/* OBJ_id_aca_authenticationInfo    1 3 6 1 5 5 7 10 1 */
+355,	/* OBJ_id_aca_accessIdentity        1 3 6 1 5 5 7 10 2 */
+356,	/* OBJ_id_aca_chargingIdentity      1 3 6 1 5 5 7 10 3 */
+357,	/* OBJ_id_aca_group                 1 3 6 1 5 5 7 10 4 */
+358,	/* OBJ_id_aca_role                  1 3 6 1 5 5 7 10 5 */
+399,	/* OBJ_id_aca_encAttrs              1 3 6 1 5 5 7 10 6 */
+359,	/* OBJ_id_qcs_pkixQCSyntax_v1       1 3 6 1 5 5 7 11 1 */
+360,	/* OBJ_id_cct_crs                   1 3 6 1 5 5 7 12 1 */
+361,	/* OBJ_id_cct_PKIData               1 3 6 1 5 5 7 12 2 */
+362,	/* OBJ_id_cct_PKIResponse           1 3 6 1 5 5 7 12 3 */
+664,	/* OBJ_id_ppl_anyLanguage           1 3 6 1 5 5 7 21 0 */
+665,	/* OBJ_id_ppl_inheritAll            1 3 6 1 5 5 7 21 1 */
+667,	/* OBJ_Independent                  1 3 6 1 5 5 7 21 2 */
+178,	/* OBJ_ad_OCSP                      1 3 6 1 5 5 7 48 1 */
+179,	/* OBJ_ad_ca_issuers                1 3 6 1 5 5 7 48 2 */
+363,	/* OBJ_ad_timeStamping              1 3 6 1 5 5 7 48 3 */
+364,	/* OBJ_ad_dvcs                      1 3 6 1 5 5 7 48 4 */
+785,	/* OBJ_caRepository                 1 3 6 1 5 5 7 48 5 */
+780,	/* OBJ_hmac_md5                     1 3 6 1 5 5 8 1 1 */
+781,	/* OBJ_hmac_sha1                    1 3 6 1 5 5 8 1 2 */
+58,	/* OBJ_netscape_cert_extension      2 16 840 1 113730 1 */
+59,	/* OBJ_netscape_data_type           2 16 840 1 113730 2 */
+438,	/* OBJ_pilotAttributeType           0 9 2342 19200300 100 1 */
+439,	/* OBJ_pilotAttributeSyntax         0 9 2342 19200300 100 3 */
+440,	/* OBJ_pilotObjectClass             0 9 2342 19200300 100 4 */
+441,	/* OBJ_pilotGroups                  0 9 2342 19200300 100 10 */
+108,	/* OBJ_cast5_cbc                    1 2 840 113533 7 66 10 */
+112,	/* OBJ_pbeWithMD5AndCast5_CBC       1 2 840 113533 7 66 12 */
+782,	/* OBJ_id_PasswordBasedMAC          1 2 840 113533 7 66 13 */
+783,	/* OBJ_id_DHBasedMac                1 2 840 113533 7 66 30 */
+ 6,	/* OBJ_rsaEncryption                1 2 840 113549 1 1 1 */
+ 7,	/* OBJ_md2WithRSAEncryption         1 2 840 113549 1 1 2 */
+396,	/* OBJ_md4WithRSAEncryption         1 2 840 113549 1 1 3 */
+ 8,	/* OBJ_md5WithRSAEncryption         1 2 840 113549 1 1 4 */
+65,	/* OBJ_sha1WithRSAEncryption        1 2 840 113549 1 1 5 */
+644,	/* OBJ_rsaOAEPEncryptionSET         1 2 840 113549 1 1 6 */
+919,	/* OBJ_rsaesOaep                    1 2 840 113549 1 1 7 */
+911,	/* OBJ_mgf1                         1 2 840 113549 1 1 8 */
+935,	/* OBJ_pSpecified                   1 2 840 113549 1 1 9 */
+912,	/* OBJ_rsassaPss                    1 2 840 113549 1 1 10 */
+668,	/* OBJ_sha256WithRSAEncryption      1 2 840 113549 1 1 11 */
+669,	/* OBJ_sha384WithRSAEncryption      1 2 840 113549 1 1 12 */
+670,	/* OBJ_sha512WithRSAEncryption      1 2 840 113549 1 1 13 */
+671,	/* OBJ_sha224WithRSAEncryption      1 2 840 113549 1 1 14 */
+28,	/* OBJ_dhKeyAgreement               1 2 840 113549 1 3 1 */
+ 9,	/* OBJ_pbeWithMD2AndDES_CBC         1 2 840 113549 1 5 1 */
+10,	/* OBJ_pbeWithMD5AndDES_CBC         1 2 840 113549 1 5 3 */
+168,	/* OBJ_pbeWithMD2AndRC2_CBC         1 2 840 113549 1 5 4 */
+169,	/* OBJ_pbeWithMD5AndRC2_CBC         1 2 840 113549 1 5 6 */
+170,	/* OBJ_pbeWithSHA1AndDES_CBC        1 2 840 113549 1 5 10 */
+68,	/* OBJ_pbeWithSHA1AndRC2_CBC        1 2 840 113549 1 5 11 */
+69,	/* OBJ_id_pbkdf2                    1 2 840 113549 1 5 12 */
+161,	/* OBJ_pbes2                        1 2 840 113549 1 5 13 */
+162,	/* OBJ_pbmac1                       1 2 840 113549 1 5 14 */
+21,	/* OBJ_pkcs7_data                   1 2 840 113549 1 7 1 */
+22,	/* OBJ_pkcs7_signed                 1 2 840 113549 1 7 2 */
+23,	/* OBJ_pkcs7_enveloped              1 2 840 113549 1 7 3 */
+24,	/* OBJ_pkcs7_signedAndEnveloped     1 2 840 113549 1 7 4 */
+25,	/* OBJ_pkcs7_digest                 1 2 840 113549 1 7 5 */
+26,	/* OBJ_pkcs7_encrypted              1 2 840 113549 1 7 6 */
+48,	/* OBJ_pkcs9_emailAddress           1 2 840 113549 1 9 1 */
+49,	/* OBJ_pkcs9_unstructuredName       1 2 840 113549 1 9 2 */
+50,	/* OBJ_pkcs9_contentType            1 2 840 113549 1 9 3 */
+51,	/* OBJ_pkcs9_messageDigest          1 2 840 113549 1 9 4 */
+52,	/* OBJ_pkcs9_signingTime            1 2 840 113549 1 9 5 */
+53,	/* OBJ_pkcs9_countersignature       1 2 840 113549 1 9 6 */
+54,	/* OBJ_pkcs9_challengePassword      1 2 840 113549 1 9 7 */
+55,	/* OBJ_pkcs9_unstructuredAddress    1 2 840 113549 1 9 8 */
+56,	/* OBJ_pkcs9_extCertAttributes      1 2 840 113549 1 9 9 */
+172,	/* OBJ_ext_req                      1 2 840 113549 1 9 14 */
+167,	/* OBJ_SMIMECapabilities            1 2 840 113549 1 9 15 */
+188,	/* OBJ_SMIME                        1 2 840 113549 1 9 16 */
+156,	/* OBJ_friendlyName                 1 2 840 113549 1 9 20 */
+157,	/* OBJ_localKeyID                   1 2 840 113549 1 9 21 */
+681,	/* OBJ_X9_62_onBasis                1 2 840 10045 1 2 3 1 */
+682,	/* OBJ_X9_62_tpBasis                1 2 840 10045 1 2 3 2 */
+683,	/* OBJ_X9_62_ppBasis                1 2 840 10045 1 2 3 3 */
+417,	/* OBJ_ms_csp_name                  1 3 6 1 4 1 311 17 1 */
+856,	/* OBJ_LocalKeySet                  1 3 6 1 4 1 311 17 2 */
+390,	/* OBJ_dcObject                     1 3 6 1 4 1 1466 344 */
+91,	/* OBJ_bf_cbc                       1 3 6 1 4 1 3029 1 2 */
+315,	/* OBJ_id_regCtrl_regToken          1 3 6 1 5 5 7 5 1 1 */
+316,	/* OBJ_id_regCtrl_authenticator     1 3 6 1 5 5 7 5 1 2 */
+317,	/* OBJ_id_regCtrl_pkiPublicationInfo 1 3 6 1 5 5 7 5 1 3 */
+318,	/* OBJ_id_regCtrl_pkiArchiveOptions 1 3 6 1 5 5 7 5 1 4 */
+319,	/* OBJ_id_regCtrl_oldCertID         1 3 6 1 5 5 7 5 1 5 */
+320,	/* OBJ_id_regCtrl_protocolEncrKey   1 3 6 1 5 5 7 5 1 6 */
+321,	/* OBJ_id_regInfo_utf8Pairs         1 3 6 1 5 5 7 5 2 1 */
+322,	/* OBJ_id_regInfo_certReq           1 3 6 1 5 5 7 5 2 2 */
+365,	/* OBJ_id_pkix_OCSP_basic           1 3 6 1 5 5 7 48 1 1 */
+366,	/* OBJ_id_pkix_OCSP_Nonce           1 3 6 1 5 5 7 48 1 2 */
+367,	/* OBJ_id_pkix_OCSP_CrlID           1 3 6 1 5 5 7 48 1 3 */
+368,	/* OBJ_id_pkix_OCSP_acceptableResponses 1 3 6 1 5 5 7 48 1 4 */
+369,	/* OBJ_id_pkix_OCSP_noCheck         1 3 6 1 5 5 7 48 1 5 */
+370,	/* OBJ_id_pkix_OCSP_archiveCutoff   1 3 6 1 5 5 7 48 1 6 */
+371,	/* OBJ_id_pkix_OCSP_serviceLocator  1 3 6 1 5 5 7 48 1 7 */
+372,	/* OBJ_id_pkix_OCSP_extendedStatus  1 3 6 1 5 5 7 48 1 8 */
+373,	/* OBJ_id_pkix_OCSP_valid           1 3 6 1 5 5 7 48 1 9 */
+374,	/* OBJ_id_pkix_OCSP_path            1 3 6 1 5 5 7 48 1 10 */
+375,	/* OBJ_id_pkix_OCSP_trustRoot       1 3 6 1 5 5 7 48 1 11 */
+921,	/* OBJ_brainpoolP160r1              1 3 36 3 3 2 8 1 1 1 */
+922,	/* OBJ_brainpoolP160t1              1 3 36 3 3 2 8 1 1 2 */
+923,	/* OBJ_brainpoolP192r1              1 3 36 3 3 2 8 1 1 3 */
+924,	/* OBJ_brainpoolP192t1              1 3 36 3 3 2 8 1 1 4 */
+925,	/* OBJ_brainpoolP224r1              1 3 36 3 3 2 8 1 1 5 */
+926,	/* OBJ_brainpoolP224t1              1 3 36 3 3 2 8 1 1 6 */
+927,	/* OBJ_brainpoolP256r1              1 3 36 3 3 2 8 1 1 7 */
+928,	/* OBJ_brainpoolP256t1              1 3 36 3 3 2 8 1 1 8 */
+929,	/* OBJ_brainpoolP320r1              1 3 36 3 3 2 8 1 1 9 */
+930,	/* OBJ_brainpoolP320t1              1 3 36 3 3 2 8 1 1 10 */
+931,	/* OBJ_brainpoolP384r1              1 3 36 3 3 2 8 1 1 11 */
+932,	/* OBJ_brainpoolP384t1              1 3 36 3 3 2 8 1 1 12 */
+933,	/* OBJ_brainpoolP512r1              1 3 36 3 3 2 8 1 1 13 */
+934,	/* OBJ_brainpoolP512t1              1 3 36 3 3 2 8 1 1 14 */
+936,	/* OBJ_dhSinglePass_stdDH_sha1kdf_scheme 1 3 133 16 840 63 0 2 */
+941,	/* OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme 1 3 133 16 840 63 0 3 */
+418,	/* OBJ_aes_128_ecb                  2 16 840 1 101 3 4 1 1 */
+419,	/* OBJ_aes_128_cbc                  2 16 840 1 101 3 4 1 2 */
+420,	/* OBJ_aes_128_ofb128               2 16 840 1 101 3 4 1 3 */
+421,	/* OBJ_aes_128_cfb128               2 16 840 1 101 3 4 1 4 */
+788,	/* OBJ_id_aes128_wrap               2 16 840 1 101 3 4 1 5 */
+895,	/* OBJ_aes_128_gcm                  2 16 840 1 101 3 4 1 6 */
+896,	/* OBJ_aes_128_ccm                  2 16 840 1 101 3 4 1 7 */
+897,	/* OBJ_id_aes128_wrap_pad           2 16 840 1 101 3 4 1 8 */
+422,	/* OBJ_aes_192_ecb                  2 16 840 1 101 3 4 1 21 */
+423,	/* OBJ_aes_192_cbc                  2 16 840 1 101 3 4 1 22 */
+424,	/* OBJ_aes_192_ofb128               2 16 840 1 101 3 4 1 23 */
+425,	/* OBJ_aes_192_cfb128               2 16 840 1 101 3 4 1 24 */
+789,	/* OBJ_id_aes192_wrap               2 16 840 1 101 3 4 1 25 */
+898,	/* OBJ_aes_192_gcm                  2 16 840 1 101 3 4 1 26 */
+899,	/* OBJ_aes_192_ccm                  2 16 840 1 101 3 4 1 27 */
+900,	/* OBJ_id_aes192_wrap_pad           2 16 840 1 101 3 4 1 28 */
+426,	/* OBJ_aes_256_ecb                  2 16 840 1 101 3 4 1 41 */
+427,	/* OBJ_aes_256_cbc                  2 16 840 1 101 3 4 1 42 */
+428,	/* OBJ_aes_256_ofb128               2 16 840 1 101 3 4 1 43 */
+429,	/* OBJ_aes_256_cfb128               2 16 840 1 101 3 4 1 44 */
+790,	/* OBJ_id_aes256_wrap               2 16 840 1 101 3 4 1 45 */
+901,	/* OBJ_aes_256_gcm                  2 16 840 1 101 3 4 1 46 */
+902,	/* OBJ_aes_256_ccm                  2 16 840 1 101 3 4 1 47 */
+903,	/* OBJ_id_aes256_wrap_pad           2 16 840 1 101 3 4 1 48 */
+672,	/* OBJ_sha256                       2 16 840 1 101 3 4 2 1 */
+673,	/* OBJ_sha384                       2 16 840 1 101 3 4 2 2 */
+674,	/* OBJ_sha512                       2 16 840 1 101 3 4 2 3 */
+675,	/* OBJ_sha224                       2 16 840 1 101 3 4 2 4 */
+802,	/* OBJ_dsa_with_SHA224              2 16 840 1 101 3 4 3 1 */
+803,	/* OBJ_dsa_with_SHA256              2 16 840 1 101 3 4 3 2 */
+71,	/* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
+72,	/* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
+73,	/* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
+74,	/* OBJ_netscape_ca_revocation_url   2 16 840 1 113730 1 4 */
+75,	/* OBJ_netscape_renewal_url         2 16 840 1 113730 1 7 */
+76,	/* OBJ_netscape_ca_policy_url       2 16 840 1 113730 1 8 */
+77,	/* OBJ_netscape_ssl_server_name     2 16 840 1 113730 1 12 */
+78,	/* OBJ_netscape_comment             2 16 840 1 113730 1 13 */
+79,	/* OBJ_netscape_cert_sequence       2 16 840 1 113730 2 5 */
+139,	/* OBJ_ns_sgc                       2 16 840 1 113730 4 1 */
+458,	/* OBJ_userId                       0 9 2342 19200300 100 1 1 */
+459,	/* OBJ_textEncodedORAddress         0 9 2342 19200300 100 1 2 */
+460,	/* OBJ_rfc822Mailbox                0 9 2342 19200300 100 1 3 */
+461,	/* OBJ_info                         0 9 2342 19200300 100 1 4 */
+462,	/* OBJ_favouriteDrink               0 9 2342 19200300 100 1 5 */
+463,	/* OBJ_roomNumber                   0 9 2342 19200300 100 1 6 */
+464,	/* OBJ_photo                        0 9 2342 19200300 100 1 7 */
+465,	/* OBJ_userClass                    0 9 2342 19200300 100 1 8 */
+466,	/* OBJ_host                         0 9 2342 19200300 100 1 9 */
+467,	/* OBJ_manager                      0 9 2342 19200300 100 1 10 */
+468,	/* OBJ_documentIdentifier           0 9 2342 19200300 100 1 11 */
+469,	/* OBJ_documentTitle                0 9 2342 19200300 100 1 12 */
+470,	/* OBJ_documentVersion              0 9 2342 19200300 100 1 13 */
+471,	/* OBJ_documentAuthor               0 9 2342 19200300 100 1 14 */
+472,	/* OBJ_documentLocation             0 9 2342 19200300 100 1 15 */
+473,	/* OBJ_homeTelephoneNumber          0 9 2342 19200300 100 1 20 */
+474,	/* OBJ_secretary                    0 9 2342 19200300 100 1 21 */
+475,	/* OBJ_otherMailbox                 0 9 2342 19200300 100 1 22 */
+476,	/* OBJ_lastModifiedTime             0 9 2342 19200300 100 1 23 */
+477,	/* OBJ_lastModifiedBy               0 9 2342 19200300 100 1 24 */
+391,	/* OBJ_domainComponent              0 9 2342 19200300 100 1 25 */
+478,	/* OBJ_aRecord                      0 9 2342 19200300 100 1 26 */
+479,	/* OBJ_pilotAttributeType27         0 9 2342 19200300 100 1 27 */
+480,	/* OBJ_mXRecord                     0 9 2342 19200300 100 1 28 */
+481,	/* OBJ_nSRecord                     0 9 2342 19200300 100 1 29 */
+482,	/* OBJ_sOARecord                    0 9 2342 19200300 100 1 30 */
+483,	/* OBJ_cNAMERecord                  0 9 2342 19200300 100 1 31 */
+484,	/* OBJ_associatedDomain             0 9 2342 19200300 100 1 37 */
+485,	/* OBJ_associatedName               0 9 2342 19200300 100 1 38 */
+486,	/* OBJ_homePostalAddress            0 9 2342 19200300 100 1 39 */
+487,	/* OBJ_personalTitle                0 9 2342 19200300 100 1 40 */
+488,	/* OBJ_mobileTelephoneNumber        0 9 2342 19200300 100 1 41 */
+489,	/* OBJ_pagerTelephoneNumber         0 9 2342 19200300 100 1 42 */
+490,	/* OBJ_friendlyCountryName          0 9 2342 19200300 100 1 43 */
+491,	/* OBJ_organizationalStatus         0 9 2342 19200300 100 1 45 */
+492,	/* OBJ_janetMailbox                 0 9 2342 19200300 100 1 46 */
+493,	/* OBJ_mailPreferenceOption         0 9 2342 19200300 100 1 47 */
+494,	/* OBJ_buildingName                 0 9 2342 19200300 100 1 48 */
+495,	/* OBJ_dSAQuality                   0 9 2342 19200300 100 1 49 */
+496,	/* OBJ_singleLevelQuality           0 9 2342 19200300 100 1 50 */
+497,	/* OBJ_subtreeMinimumQuality        0 9 2342 19200300 100 1 51 */
+498,	/* OBJ_subtreeMaximumQuality        0 9 2342 19200300 100 1 52 */
+499,	/* OBJ_personalSignature            0 9 2342 19200300 100 1 53 */
+500,	/* OBJ_dITRedirect                  0 9 2342 19200300 100 1 54 */
+501,	/* OBJ_audio                        0 9 2342 19200300 100 1 55 */
+502,	/* OBJ_documentPublisher            0 9 2342 19200300 100 1 56 */
+442,	/* OBJ_iA5StringSyntax              0 9 2342 19200300 100 3 4 */
+443,	/* OBJ_caseIgnoreIA5StringSyntax    0 9 2342 19200300 100 3 5 */
+444,	/* OBJ_pilotObject                  0 9 2342 19200300 100 4 3 */
+445,	/* OBJ_pilotPerson                  0 9 2342 19200300 100 4 4 */
+446,	/* OBJ_account                      0 9 2342 19200300 100 4 5 */
+447,	/* OBJ_document                     0 9 2342 19200300 100 4 6 */
+448,	/* OBJ_room                         0 9 2342 19200300 100 4 7 */
+449,	/* OBJ_documentSeries               0 9 2342 19200300 100 4 9 */
+392,	/* OBJ_Domain                       0 9 2342 19200300 100 4 13 */
+450,	/* OBJ_rFC822localPart              0 9 2342 19200300 100 4 14 */
+451,	/* OBJ_dNSDomain                    0 9 2342 19200300 100 4 15 */
+452,	/* OBJ_domainRelatedObject          0 9 2342 19200300 100 4 17 */
+453,	/* OBJ_friendlyCountry              0 9 2342 19200300 100 4 18 */
+454,	/* OBJ_simpleSecurityObject         0 9 2342 19200300 100 4 19 */
+455,	/* OBJ_pilotOrganization            0 9 2342 19200300 100 4 20 */
+456,	/* OBJ_pilotDSA                     0 9 2342 19200300 100 4 21 */
+457,	/* OBJ_qualityLabelledData          0 9 2342 19200300 100 4 22 */
+189,	/* OBJ_id_smime_mod                 1 2 840 113549 1 9 16 0 */
+190,	/* OBJ_id_smime_ct                  1 2 840 113549 1 9 16 1 */
+191,	/* OBJ_id_smime_aa                  1 2 840 113549 1 9 16 2 */
+192,	/* OBJ_id_smime_alg                 1 2 840 113549 1 9 16 3 */
+193,	/* OBJ_id_smime_cd                  1 2 840 113549 1 9 16 4 */
+194,	/* OBJ_id_smime_spq                 1 2 840 113549 1 9 16 5 */
+195,	/* OBJ_id_smime_cti                 1 2 840 113549 1 9 16 6 */
+158,	/* OBJ_x509Certificate              1 2 840 113549 1 9 22 1 */
+159,	/* OBJ_sdsiCertificate              1 2 840 113549 1 9 22 2 */
+160,	/* OBJ_x509Crl                      1 2 840 113549 1 9 23 1 */
+144,	/* OBJ_pbe_WithSHA1And128BitRC4     1 2 840 113549 1 12 1 1 */
+145,	/* OBJ_pbe_WithSHA1And40BitRC4      1 2 840 113549 1 12 1 2 */
+146,	/* OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC 1 2 840 113549 1 12 1 3 */
+147,	/* OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC 1 2 840 113549 1 12 1 4 */
+148,	/* OBJ_pbe_WithSHA1And128BitRC2_CBC 1 2 840 113549 1 12 1 5 */
+149,	/* OBJ_pbe_WithSHA1And40BitRC2_CBC  1 2 840 113549 1 12 1 6 */
+171,	/* OBJ_ms_ext_req                   1 3 6 1 4 1 311 2 1 14 */
+134,	/* OBJ_ms_code_ind                  1 3 6 1 4 1 311 2 1 21 */
+135,	/* OBJ_ms_code_com                  1 3 6 1 4 1 311 2 1 22 */
+136,	/* OBJ_ms_ctl_sign                  1 3 6 1 4 1 311 10 3 1 */
+137,	/* OBJ_ms_sgc                       1 3 6 1 4 1 311 10 3 3 */
+138,	/* OBJ_ms_efs                       1 3 6 1 4 1 311 10 3 4 */
+648,	/* OBJ_ms_smartcard_login           1 3 6 1 4 1 311 20 2 2 */
+649,	/* OBJ_ms_upn                       1 3 6 1 4 1 311 20 2 3 */
+951,	/* OBJ_ct_precert_scts              1 3 6 1 4 1 11129 2 4 2 */
+952,	/* OBJ_ct_precert_poison            1 3 6 1 4 1 11129 2 4 3 */
+953,	/* OBJ_ct_precert_signer            1 3 6 1 4 1 11129 2 4 4 */
+954,	/* OBJ_ct_cert_scts                 1 3 6 1 4 1 11129 2 4 5 */
+751,	/* OBJ_camellia_128_cbc             1 2 392 200011 61 1 1 1 2 */
+752,	/* OBJ_camellia_192_cbc             1 2 392 200011 61 1 1 1 3 */
+753,	/* OBJ_camellia_256_cbc             1 2 392 200011 61 1 1 1 4 */
+907,	/* OBJ_id_camellia128_wrap          1 2 392 200011 61 1 1 3 2 */
+908,	/* OBJ_id_camellia192_wrap          1 2 392 200011 61 1 1 3 3 */
+909,	/* OBJ_id_camellia256_wrap          1 2 392 200011 61 1 1 3 4 */
+196,	/* OBJ_id_smime_mod_cms             1 2 840 113549 1 9 16 0 1 */
+197,	/* OBJ_id_smime_mod_ess             1 2 840 113549 1 9 16 0 2 */
+198,	/* OBJ_id_smime_mod_oid             1 2 840 113549 1 9 16 0 3 */
+199,	/* OBJ_id_smime_mod_msg_v3          1 2 840 113549 1 9 16 0 4 */
+200,	/* OBJ_id_smime_mod_ets_eSignature_88 1 2 840 113549 1 9 16 0 5 */
+201,	/* OBJ_id_smime_mod_ets_eSignature_97 1 2 840 113549 1 9 16 0 6 */
+202,	/* OBJ_id_smime_mod_ets_eSigPolicy_88 1 2 840 113549 1 9 16 0 7 */
+203,	/* OBJ_id_smime_mod_ets_eSigPolicy_97 1 2 840 113549 1 9 16 0 8 */
+204,	/* OBJ_id_smime_ct_receipt          1 2 840 113549 1 9 16 1 1 */
+205,	/* OBJ_id_smime_ct_authData         1 2 840 113549 1 9 16 1 2 */
+206,	/* OBJ_id_smime_ct_publishCert      1 2 840 113549 1 9 16 1 3 */
+207,	/* OBJ_id_smime_ct_TSTInfo          1 2 840 113549 1 9 16 1 4 */
+208,	/* OBJ_id_smime_ct_TDTInfo          1 2 840 113549 1 9 16 1 5 */
+209,	/* OBJ_id_smime_ct_contentInfo      1 2 840 113549 1 9 16 1 6 */
+210,	/* OBJ_id_smime_ct_DVCSRequestData  1 2 840 113549 1 9 16 1 7 */
+211,	/* OBJ_id_smime_ct_DVCSResponseData 1 2 840 113549 1 9 16 1 8 */
+786,	/* OBJ_id_smime_ct_compressedData   1 2 840 113549 1 9 16 1 9 */
+787,	/* OBJ_id_ct_asciiTextWithCRLF      1 2 840 113549 1 9 16 1 27 */
+212,	/* OBJ_id_smime_aa_receiptRequest   1 2 840 113549 1 9 16 2 1 */
+213,	/* OBJ_id_smime_aa_securityLabel    1 2 840 113549 1 9 16 2 2 */
+214,	/* OBJ_id_smime_aa_mlExpandHistory  1 2 840 113549 1 9 16 2 3 */
+215,	/* OBJ_id_smime_aa_contentHint      1 2 840 113549 1 9 16 2 4 */
+216,	/* OBJ_id_smime_aa_msgSigDigest     1 2 840 113549 1 9 16 2 5 */
+217,	/* OBJ_id_smime_aa_encapContentType 1 2 840 113549 1 9 16 2 6 */
+218,	/* OBJ_id_smime_aa_contentIdentifier 1 2 840 113549 1 9 16 2 7 */
+219,	/* OBJ_id_smime_aa_macValue         1 2 840 113549 1 9 16 2 8 */
+220,	/* OBJ_id_smime_aa_equivalentLabels 1 2 840 113549 1 9 16 2 9 */
+221,	/* OBJ_id_smime_aa_contentReference 1 2 840 113549 1 9 16 2 10 */
+222,	/* OBJ_id_smime_aa_encrypKeyPref    1 2 840 113549 1 9 16 2 11 */
+223,	/* OBJ_id_smime_aa_signingCertificate 1 2 840 113549 1 9 16 2 12 */
+224,	/* OBJ_id_smime_aa_smimeEncryptCerts 1 2 840 113549 1 9 16 2 13 */
+225,	/* OBJ_id_smime_aa_timeStampToken   1 2 840 113549 1 9 16 2 14 */
+226,	/* OBJ_id_smime_aa_ets_sigPolicyId  1 2 840 113549 1 9 16 2 15 */
+227,	/* OBJ_id_smime_aa_ets_commitmentType 1 2 840 113549 1 9 16 2 16 */
+228,	/* OBJ_id_smime_aa_ets_signerLocation 1 2 840 113549 1 9 16 2 17 */
+229,	/* OBJ_id_smime_aa_ets_signerAttr   1 2 840 113549 1 9 16 2 18 */
+230,	/* OBJ_id_smime_aa_ets_otherSigCert 1 2 840 113549 1 9 16 2 19 */
+231,	/* OBJ_id_smime_aa_ets_contentTimestamp 1 2 840 113549 1 9 16 2 20 */
+232,	/* OBJ_id_smime_aa_ets_CertificateRefs 1 2 840 113549 1 9 16 2 21 */
+233,	/* OBJ_id_smime_aa_ets_RevocationRefs 1 2 840 113549 1 9 16 2 22 */
+234,	/* OBJ_id_smime_aa_ets_certValues   1 2 840 113549 1 9 16 2 23 */
+235,	/* OBJ_id_smime_aa_ets_revocationValues 1 2 840 113549 1 9 16 2 24 */
+236,	/* OBJ_id_smime_aa_ets_escTimeStamp 1 2 840 113549 1 9 16 2 25 */
+237,	/* OBJ_id_smime_aa_ets_certCRLTimestamp 1 2 840 113549 1 9 16 2 26 */
+238,	/* OBJ_id_smime_aa_ets_archiveTimeStamp 1 2 840 113549 1 9 16 2 27 */
+239,	/* OBJ_id_smime_aa_signatureType    1 2 840 113549 1 9 16 2 28 */
+240,	/* OBJ_id_smime_aa_dvcs_dvc         1 2 840 113549 1 9 16 2 29 */
+241,	/* OBJ_id_smime_alg_ESDHwith3DES    1 2 840 113549 1 9 16 3 1 */
+242,	/* OBJ_id_smime_alg_ESDHwithRC2     1 2 840 113549 1 9 16 3 2 */
+243,	/* OBJ_id_smime_alg_3DESwrap        1 2 840 113549 1 9 16 3 3 */
+244,	/* OBJ_id_smime_alg_RC2wrap         1 2 840 113549 1 9 16 3 4 */
+245,	/* OBJ_id_smime_alg_ESDH            1 2 840 113549 1 9 16 3 5 */
+246,	/* OBJ_id_smime_alg_CMS3DESwrap     1 2 840 113549 1 9 16 3 6 */
+247,	/* OBJ_id_smime_alg_CMSRC2wrap      1 2 840 113549 1 9 16 3 7 */
+125,	/* OBJ_zlib_compression             1 2 840 113549 1 9 16 3 8 */
+893,	/* OBJ_id_alg_PWRI_KEK              1 2 840 113549 1 9 16 3 9 */
+248,	/* OBJ_id_smime_cd_ldap             1 2 840 113549 1 9 16 4 1 */
+249,	/* OBJ_id_smime_spq_ets_sqt_uri     1 2 840 113549 1 9 16 5 1 */
+250,	/* OBJ_id_smime_spq_ets_sqt_unotice 1 2 840 113549 1 9 16 5 2 */
+251,	/* OBJ_id_smime_cti_ets_proofOfOrigin 1 2 840 113549 1 9 16 6 1 */
+252,	/* OBJ_id_smime_cti_ets_proofOfReceipt 1 2 840 113549 1 9 16 6 2 */
+253,	/* OBJ_id_smime_cti_ets_proofOfDelivery 1 2 840 113549 1 9 16 6 3 */
+254,	/* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */
+255,	/* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */
+256,	/* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */
+150,	/* OBJ_keyBag                       1 2 840 113549 1 12 10 1 1 */
+151,	/* OBJ_pkcs8ShroudedKeyBag          1 2 840 113549 1 12 10 1 2 */
+152,	/* OBJ_certBag                      1 2 840 113549 1 12 10 1 3 */
+153,	/* OBJ_crlBag                       1 2 840 113549 1 12 10 1 4 */
+154,	/* OBJ_secretBag                    1 2 840 113549 1 12 10 1 5 */
+155,	/* OBJ_safeContentsBag              1 2 840 113549 1 12 10 1 6 */
+34,	/* OBJ_idea_cbc                     1 3 6 1 4 1 188 7 1 1 2 */
+955,	/* OBJ_jurisdictionLocalityName     1 3 6 1 4 1 311 60 2 1 1 */
+956,	/* OBJ_jurisdictionStateOrProvinceName 1 3 6 1 4 1 311 60 2 1 2 */
+957,	/* OBJ_jurisdictionCountryName      1 3 6 1 4 1 311 60 2 1 3 */
 };
+
diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_err.c b/Cryptlib/OpenSSL/crypto/objects/obj_err.c
index 4677b673..238aaa59 100644
--- a/Cryptlib/OpenSSL/crypto/objects/obj_err.c
+++ b/Cryptlib/OpenSSL/crypto/objects/obj_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/objects/obj_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -30,14 +81,14 @@ static ERR_STRING_DATA OBJ_str_functs[] = {
 };
 
 static ERR_STRING_DATA OBJ_str_reasons[] = {
-    {ERR_REASON(OBJ_R_OID_EXISTS), "oid exists"},
+    {ERR_REASON(OBJ_R_MALLOC_FAILURE), "malloc failure"},
     {ERR_REASON(OBJ_R_UNKNOWN_NID), "unknown nid"},
     {0, NULL}
 };
 
 #endif
 
-int ERR_load_OBJ_strings(void)
+void ERR_load_OBJ_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -46,5 +97,4 @@ int ERR_load_OBJ_strings(void)
         ERR_load_strings(0, OBJ_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_lcl.h b/Cryptlib/OpenSSL/crypto/objects/obj_lcl.h
deleted file mode 100644
index a417f7c4..00000000
--- a/Cryptlib/OpenSSL/crypto/objects/obj_lcl.h
+++ /dev/null
@@ -1,14 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-typedef struct name_funcs_st NAME_FUNCS;
-DEFINE_STACK_OF(NAME_FUNCS)
-DEFINE_LHASH_OF(OBJ_NAME);
-typedef struct added_obj_st ADDED_OBJ;
-DEFINE_LHASH_OF(ADDED_OBJ);
diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_lib.c b/Cryptlib/OpenSSL/crypto/objects/obj_lib.c
index 33075e64..8851baff 100644
--- a/Cryptlib/OpenSSL/crypto/objects/obj_lib.c
+++ b/Cryptlib/OpenSSL/crypto/objects/obj_lib.c
@@ -1,58 +1,127 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/objects/obj_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
-#include "internal/asn1_int.h"
 
 ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o)
 {
     ASN1_OBJECT *r;
+    int i;
+    char *ln = NULL, *sn = NULL;
+    unsigned char *data = NULL;
 
     if (o == NULL)
-        return NULL;
-    /* If object isn't dynamic it's an internal OID which is never freed */
+        return (NULL);
     if (!(o->flags & ASN1_OBJECT_FLAG_DYNAMIC))
-        return ((ASN1_OBJECT *)o);
+        return ((ASN1_OBJECT *)o); /* XXX: ugh! Why? What kind of duplication
+                                    * is this??? */
 
     r = ASN1_OBJECT_new();
     if (r == NULL) {
         OBJerr(OBJ_F_OBJ_DUP, ERR_R_ASN1_LIB);
         return (NULL);
     }
-
-    /* Set dynamic flags so everything gets freed up on error */
-
-    r->flags = o->flags | (ASN1_OBJECT_FLAG_DYNAMIC |
-                           ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
-                           ASN1_OBJECT_FLAG_DYNAMIC_DATA);
-
-    if (o->length > 0 && (r->data = OPENSSL_memdup(o->data, o->length)) == NULL)
+    data = OPENSSL_malloc(o->length);
+    if (data == NULL)
         goto err;
-
+    if (o->data != NULL)
+        memcpy(data, o->data, o->length);
+    /* once data attached to object it remains const */
+    r->data = data;
     r->length = o->length;
     r->nid = o->nid;
+    r->ln = r->sn = NULL;
+    if (o->ln != NULL) {
+        i = strlen(o->ln) + 1;
+        ln = OPENSSL_malloc(i);
+        if (ln == NULL)
+            goto err;
+        memcpy(ln, o->ln, i);
+        r->ln = ln;
+    }
 
-    if (o->ln != NULL && (r->ln = OPENSSL_strdup(o->ln)) == NULL)
-        goto err;
-
-    if (o->sn != NULL && (r->sn = OPENSSL_strdup(o->sn)) == NULL)
-        goto err;
-
-    return r;
+    if (o->sn != NULL) {
+        i = strlen(o->sn) + 1;
+        sn = OPENSSL_malloc(i);
+        if (sn == NULL)
+            goto err;
+        memcpy(sn, o->sn, i);
+        r->sn = sn;
+    }
+    r->flags = o->flags | (ASN1_OBJECT_FLAG_DYNAMIC |
+                           ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
+                           ASN1_OBJECT_FLAG_DYNAMIC_DATA);
+    return (r);
  err:
-    ASN1_OBJECT_free(r);
     OBJerr(OBJ_F_OBJ_DUP, ERR_R_MALLOC_FAILURE);
-    return NULL;
+    if (ln != NULL)
+        OPENSSL_free(ln);
+    if (sn != NULL)
+        OPENSSL_free(sn);
+    if (data != NULL)
+        OPENSSL_free(data);
+    if (r != NULL)
+        OPENSSL_free(r);
+    return (NULL);
 }
 
 int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b)
diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_xref.c b/Cryptlib/OpenSSL/crypto/objects/obj_xref.c
index 627f5bca..97b305d2 100644
--- a/Cryptlib/OpenSSL/crypto/objects/obj_xref.c
+++ b/Cryptlib/OpenSSL/crypto/objects/obj_xref.c
@@ -1,17 +1,67 @@
+/* crypto/objects/obj_xref.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/objects.h>
 #include "obj_xref.h"
-#include "e_os.h"
 
-static STACK_OF(nid_triple) *sig_app, *sigx_app;
+DECLARE_STACK_OF(nid_triple)
+STACK_OF(nid_triple) *sig_app, *sigx_app;
 
 static int sig_cmp(const nid_triple *a, const nid_triple *b)
 {
@@ -52,7 +102,8 @@ int OBJ_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid)
     }
 #ifndef OBJ_XREF_TEST2
     if (rv == NULL) {
-        rv = OBJ_bsearch_sig(&tmp, sigoid_srt, OSSL_NELEM(sigoid_srt));
+        rv = OBJ_bsearch_sig(&tmp, sigoid_srt,
+                             sizeof(sigoid_srt) / sizeof(nid_triple));
     }
 #endif
     if (rv == NULL)
@@ -82,7 +133,9 @@ int OBJ_find_sigid_by_algs(int *psignid, int dig_nid, int pkey_nid)
     }
 #ifndef OBJ_XREF_TEST2
     if (rv == NULL) {
-        rv = OBJ_bsearch_sigx(&t, sigoid_srt_xref, OSSL_NELEM(sigoid_srt_xref));
+        rv = OBJ_bsearch_sigx(&t, sigoid_srt_xref,
+                              sizeof(sigoid_srt_xref) / sizeof(nid_triple *)
+            );
     }
 #endif
     if (rv == NULL)
@@ -95,16 +148,16 @@ int OBJ_find_sigid_by_algs(int *psignid, int dig_nid, int pkey_nid)
 int OBJ_add_sigid(int signid, int dig_id, int pkey_id)
 {
     nid_triple *ntr;
-    if (sig_app == NULL)
+    if (!sig_app)
         sig_app = sk_nid_triple_new(sig_sk_cmp);
-    if (sig_app == NULL)
+    if (!sig_app)
         return 0;
-    if (sigx_app == NULL)
+    if (!sigx_app)
         sigx_app = sk_nid_triple_new(sigx_cmp);
-    if (sigx_app == NULL)
+    if (!sigx_app)
         return 0;
-    ntr = OPENSSL_malloc(sizeof(*ntr));
-    if (ntr == NULL)
+    ntr = OPENSSL_malloc(sizeof(int) * 3);
+    if (!ntr)
         return 0;
     ntr->sign_id = signid;
     ntr->hash_id = dig_id;
@@ -131,10 +184,14 @@ static void sid_free(nid_triple *tt)
 
 void OBJ_sigid_free(void)
 {
-    sk_nid_triple_pop_free(sig_app, sid_free);
-    sig_app = NULL;
-    sk_nid_triple_free(sigx_app);
-    sigx_app = NULL;
+    if (sig_app) {
+        sk_nid_triple_pop_free(sig_app, sid_free);
+        sig_app = NULL;
+    }
+    if (sigx_app) {
+        sk_nid_triple_free(sigx_app);
+        sigx_app = NULL;
+    }
 }
 
 #ifdef OBJ_XREF_TEST
@@ -145,12 +202,12 @@ main()
 
     int i, rv;
 # ifdef OBJ_XREF_TEST2
-    for (i = 0; i < OSSL_NELEM(sigoid_srt); i++) {
+    for (i = 0; i < sizeof(sigoid_srt) / sizeof(nid_triple); i++) {
         OBJ_add_sigid(sigoid_srt[i][0], sigoid_srt[i][1], sigoid_srt[i][2]);
     }
 # endif
 
-    for (i = 0; i < OSSL_NELEM(sigoid_srt); i++) {
+    for (i = 0; i < sizeof(sigoid_srt) / sizeof(nid_triple); i++) {
         n1 = sigoid_srt[i][0];
         rv = OBJ_find_sigid_algs(n1, &n2, &n3);
         printf("Forward: %d, %s %s %s\n", rv,
diff --git a/Cryptlib/OpenSSL/crypto/objects/obj_xref.h b/Cryptlib/OpenSSL/crypto/objects/obj_xref.h
index d09aa71f..e453e99f 100644
--- a/Cryptlib/OpenSSL/crypto/objects/obj_xref.h
+++ b/Cryptlib/OpenSSL/crypto/objects/obj_xref.h
@@ -1,15 +1,4 @@
-/*
- * WARNING: do not edit!
- * Generated by objxref.pl
- *
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
+/* AUTOGENERATED BY objxref.pl, DO NOT EDIT */
 
 typedef struct {
     int sign_id;
@@ -17,8 +6,6 @@ typedef struct {
     int pkey_id;
 } nid_triple;
 
-DEFINE_STACK_OF(nid_triple)
-
 static const nid_triple sigoid_srt[] = {
     {NID_md2WithRSAEncryption, NID_md2, NID_rsaEncryption},
     {NID_md5WithRSAEncryption, NID_md5, NID_rsaEncryption},
@@ -69,10 +56,6 @@ static const nid_triple sigoid_srt[] = {
      NID_dh_cofactor_kdf},
     {NID_dhSinglePass_cofactorDH_sha512kdf_scheme, NID_sha512,
      NID_dh_cofactor_kdf},
-    {NID_id_tc26_signwithdigest_gost3410_2012_256, NID_id_GostR3411_2012_256,
-     NID_id_GostR3410_2012_256},
-    {NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_GostR3411_2012_512,
-     NID_id_GostR3410_2012_512},
 };
 
 static const nid_triple *const sigoid_srt_xref[] = {
@@ -113,6 +96,4 @@ static const nid_triple *const sigoid_srt_xref[] = {
     &sigoid_srt[26],
     &sigoid_srt[27],
     &sigoid_srt[28],
-    &sigoid_srt[40],
-    &sigoid_srt[41],
 };
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c
index 1e0b8279..e2e52e77 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_asn.c
@@ -1,19 +1,67 @@
+/* ocsp_asn.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
 
 ASN1_SEQUENCE(OCSP_SIGNATURE) = {
-        ASN1_EMBED(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
         ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
         ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)
 } ASN1_SEQUENCE_END(OCSP_SIGNATURE)
@@ -21,10 +69,10 @@ ASN1_SEQUENCE(OCSP_SIGNATURE) = {
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
 
 ASN1_SEQUENCE(OCSP_CERTID) = {
-        ASN1_EMBED(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
-        ASN1_EMBED(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
-        ASN1_EMBED(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
-        ASN1_EMBED(OCSP_CERTID, serialNumber, ASN1_INTEGER)
+        ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
 } ASN1_SEQUENCE_END(OCSP_CERTID)
 
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
@@ -46,7 +94,7 @@ ASN1_SEQUENCE(OCSP_REQINFO) = {
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
 
 ASN1_SEQUENCE(OCSP_REQUEST) = {
-        ASN1_EMBED(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
+        ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
         ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
 } ASN1_SEQUENCE_END(OCSP_REQUEST)
 
@@ -102,7 +150,7 @@ IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
 
 ASN1_SEQUENCE(OCSP_RESPDATA) = {
            ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
-           ASN1_EMBED(OCSP_RESPDATA, responderId, OCSP_RESPID),
+           ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
            ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
            ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
            ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
@@ -111,8 +159,8 @@ ASN1_SEQUENCE(OCSP_RESPDATA) = {
 IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
 
 ASN1_SEQUENCE(OCSP_BASICRESP) = {
-           ASN1_EMBED(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
-           ASN1_EMBED(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
+           ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
+           ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
            ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
            ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
 } ASN1_SEQUENCE_END(OCSP_BASICRESP)
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
index a42b80fa..fca7db0b 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_cl.c
@@ -1,21 +1,78 @@
+/* ocsp_cl.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was transfered to Richard Levitte from CertCo by Kathy
+ * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
+ * patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
 #include <openssl/objects.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 #include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
 
 /*
  * Utility functions related to sending OCSP requests and extracting relevant
@@ -31,11 +88,12 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
 {
     OCSP_ONEREQ *one = NULL;
 
-    if ((one = OCSP_ONEREQ_new()) == NULL)
-        return NULL;
-    OCSP_CERTID_free(one->reqCert);
+    if (!(one = OCSP_ONEREQ_new()))
+        goto err;
+    if (one->reqCert)
+        OCSP_CERTID_free(one->reqCert);
     one->reqCert = cid;
-    if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
+    if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one)) {
         one->reqCert = NULL; /* do not free on error */
         goto err;
     }
@@ -50,7 +108,6 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
 int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
 {
     GENERAL_NAME *gen;
-
     gen = GENERAL_NAME_new();
     if (gen == NULL)
         return 0;
@@ -59,8 +116,9 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
         return 0;
     }
     gen->type = GEN_DIRNAME;
-    GENERAL_NAME_free(req->tbsRequest.requestorName);
-    req->tbsRequest.requestorName = gen;
+    if (req->tbsRequest->requestorName)
+        GENERAL_NAME_free(req->tbsRequest->requestorName);
+    req->tbsRequest->requestorName = gen;
     return 1;
 }
 
@@ -69,25 +127,24 @@ int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
 int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
 {
     OCSP_SIGNATURE *sig;
-    if (req->optionalSignature == NULL)
+    if (!req->optionalSignature)
         req->optionalSignature = OCSP_SIGNATURE_new();
     sig = req->optionalSignature;
-    if (sig == NULL)
+    if (!sig)
         return 0;
-    if (cert == NULL)
+    if (!cert)
         return 1;
-    if (sig->certs == NULL
-        && (sig->certs = sk_X509_new_null()) == NULL)
+    if (!sig->certs && !(sig->certs = sk_X509_new_null()))
         return 0;
 
     if (!sk_X509_push(sig->certs, cert))
         return 0;
-    X509_up_ref(cert);
+    CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
     return 1;
 }
 
 /*
- * Sign an OCSP request set the requestorName to the subject name of an
+ * Sign an OCSP request set the requestorName to the subjec name of an
  * optional signers certificate and include one or more optional certificates
  * in the request. Behaves like PKCS7_sign().
  */
@@ -99,12 +156,13 @@ int OCSP_request_sign(OCSP_REQUEST *req,
                       STACK_OF(X509) *certs, unsigned long flags)
 {
     int i;
+    OCSP_SIGNATURE *sig;
     X509 *x;
 
     if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
         goto err;
 
-    if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
+    if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
         goto err;
     if (key) {
         if (!X509_check_private_key(signer, key)) {
@@ -161,20 +219,15 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
     return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
 }
 
-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
-{
-    return bs->signature;
-}
-
 /*
- * Return number of OCSP_SINGLERESP responses present in a basic response.
+ * Return number of OCSP_SINGLERESP reponses present in a basic response.
  */
 
 int OCSP_resp_count(OCSP_BASICRESP *bs)
 {
     if (!bs)
         return -1;
-    return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
+    return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
 }
 
 /* Extract an OCSP_SINGLERESP response with a given index */
@@ -183,35 +236,7 @@ OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
 {
     if (!bs)
         return NULL;
-    return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
-}
-
-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs)
-{
-    return bs->tbsResponseData.producedAt;
-}
-
-const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs)
-{
-    return bs->certs;
-}
-
-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
-                      const ASN1_OCTET_STRING **pid,
-                      const X509_NAME **pname)
-
-{
-    const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
-    if (rid->type == V_OCSP_RESPID_NAME) {
-        *pname = rid->value.byName;
-        *pid = NULL;
-    } else if (rid->type == V_OCSP_RESPID_KEY) {
-        *pid = rid->value.byKey;
-        *pname = NULL;
-    } else {
-        return 0;
-    }
-    return 1;
+    return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
 }
 
 /* Look single response matching a given certificate ID */
@@ -227,7 +252,7 @@ int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
         last = 0;
     else
         last++;
-    sresp = bs->tbsResponseData.responses;
+    sresp = bs->tbsResponseData->responses;
     for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
         single = sk_OCSP_SINGLERESP_value(sresp, i);
         if (!OCSP_id_cmp(id, single->certId))
@@ -297,7 +322,7 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
 
 /*
  * Check validity of thisUpdate and nextUpdate fields. It is possible that
- * the request will take a few seconds to process and/or the time won't be
+ * the request will take a few seconds to process and/or the time wont be
  * totally accurate. Therefore to avoid rejecting otherwise valid time we
  * allow the times to be within 'nsec' of the current time. Also to avoid
  * accepting very old responses without a nextUpdate field an optional maxage
@@ -358,8 +383,3 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
 
     return ret;
 }
-
-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
-{
-    return single->certId;
-}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
index a2d96e9c..722043c0 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/ocsp/ocsp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,25 +70,30 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
 
 static ERR_STRING_DATA OCSP_str_functs[] = {
-    {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "d2i_ocsp_nonce"},
+    {ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"},
+    {ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"},
     {ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"},
     {ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"},
     {ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"},
     {ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"},
-    {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "ocsp_check_delegated"},
-    {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "ocsp_check_ids"},
-    {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "ocsp_check_issuer"},
+    {ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
+    {ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"},
+    {ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"},
     {ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"},
-    {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "ocsp_match_issuerid"},
+    {ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"},
     {ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"},
     {ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"},
     {ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
     {ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
-    {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "parse_http_line1"},
+    {ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
+    {ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"},
+    {ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
+    {ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
     {0, NULL}
 };
 
 static ERR_STRING_DATA OCSP_str_reasons[] = {
+    {ERR_REASON(OCSP_R_BAD_DATA), "bad data"},
     {ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
     {ERR_REASON(OCSP_R_DIGEST_ERR), "digest err"},
     {ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),
@@ -51,18 +107,21 @@ static ERR_STRING_DATA OCSP_str_reasons[] = {
      "nextupdate before thisupdate"},
     {ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE), "not basic response"},
     {ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN), "no certificates in chain"},
+    {ERR_REASON(OCSP_R_NO_CONTENT), "no content"},
+    {ERR_REASON(OCSP_R_NO_PUBLIC_KEY), "no public key"},
     {ERR_REASON(OCSP_R_NO_RESPONSE_DATA), "no response data"},
     {ERR_REASON(OCSP_R_NO_REVOKED_TIME), "no revoked time"},
-    {ERR_REASON(OCSP_R_NO_SIGNER_KEY), "no signer key"},
     {ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),
      "private key does not match certificate"},
     {ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED), "request not signed"},
     {ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),
      "response contains no revocation data"},
     {ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED), "root ca not trusted"},
+    {ERR_REASON(OCSP_R_SERVER_READ_ERROR), "server read error"},
     {ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR), "server response error"},
     {ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),
      "server response parse error"},
+    {ERR_REASON(OCSP_R_SERVER_WRITE_ERROR), "server write error"},
     {ERR_REASON(OCSP_R_SIGNATURE_FAILURE), "signature failure"},
     {ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),
      "signer certificate not found"},
@@ -78,7 +137,7 @@ static ERR_STRING_DATA OCSP_str_reasons[] = {
 
 #endif
 
-int ERR_load_OCSP_strings(void)
+void ERR_load_OCSP_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -87,5 +146,4 @@ int ERR_load_OCSP_strings(void)
         ERR_load_strings(0, OCSP_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
index b829b2e4..55af31b5 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ext.c
@@ -1,18 +1,74 @@
+/* ocsp_ext.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was transfered to Richard Levitte from CertCo by Kathy
+ * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
+ * patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
@@ -22,53 +78,53 @@
 
 int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
 {
-    return (X509v3_get_ext_count(x->tbsRequest.requestExtensions));
+    return (X509v3_get_ext_count(x->tbsRequest->requestExtensions));
 }
 
 int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
 {
     return (X509v3_get_ext_by_NID
-            (x->tbsRequest.requestExtensions, nid, lastpos));
+            (x->tbsRequest->requestExtensions, nid, lastpos));
 }
 
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
                                 int lastpos)
 {
     return (X509v3_get_ext_by_OBJ
-            (x->tbsRequest.requestExtensions, obj, lastpos));
+            (x->tbsRequest->requestExtensions, obj, lastpos));
 }
 
 int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
 {
     return (X509v3_get_ext_by_critical
-            (x->tbsRequest.requestExtensions, crit, lastpos));
+            (x->tbsRequest->requestExtensions, crit, lastpos));
 }
 
 X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
 {
-    return (X509v3_get_ext(x->tbsRequest.requestExtensions, loc));
+    return (X509v3_get_ext(x->tbsRequest->requestExtensions, loc));
 }
 
 X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
 {
-    return (X509v3_delete_ext(x->tbsRequest.requestExtensions, loc));
+    return (X509v3_delete_ext(x->tbsRequest->requestExtensions, loc));
 }
 
 void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
 {
-    return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
+    return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
 }
 
 int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
                               unsigned long flags)
 {
-    return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
+    return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
                            crit, flags);
 }
 
 int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
 {
-    return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
+    return (X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, loc) !=
             NULL);
 }
 
@@ -84,8 +140,7 @@ int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
     return (X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos));
 }
 
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj,
-                               int lastpos)
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
 {
     return (X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos));
 }
@@ -127,56 +182,56 @@ int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
 
 int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
 {
-    return (X509v3_get_ext_count(x->tbsResponseData.responseExtensions));
+    return (X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
 }
 
 int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
 {
     return (X509v3_get_ext_by_NID
-            (x->tbsResponseData.responseExtensions, nid, lastpos));
+            (x->tbsResponseData->responseExtensions, nid, lastpos));
 }
 
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
                                   int lastpos)
 {
     return (X509v3_get_ext_by_OBJ
-            (x->tbsResponseData.responseExtensions, obj, lastpos));
+            (x->tbsResponseData->responseExtensions, obj, lastpos));
 }
 
 int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
                                        int lastpos)
 {
     return (X509v3_get_ext_by_critical
-            (x->tbsResponseData.responseExtensions, crit, lastpos));
+            (x->tbsResponseData->responseExtensions, crit, lastpos));
 }
 
 X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
 {
-    return (X509v3_get_ext(x->tbsResponseData.responseExtensions, loc));
+    return (X509v3_get_ext(x->tbsResponseData->responseExtensions, loc));
 }
 
 X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
 {
-    return (X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc));
+    return (X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc));
 }
 
 void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
                                   int *idx)
 {
-    return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
+    return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit,
                           idx);
 }
 
 int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
                                 int crit, unsigned long flags)
 {
-    return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
+    return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
                            value, crit, flags);
 }
 
 int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
 {
-    return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
+    return (X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex, loc)
             != NULL);
 }
 
@@ -192,7 +247,7 @@ int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
     return (X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos));
 }
 
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj,
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
                                    int lastpos)
 {
     return (X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos));
@@ -232,11 +287,54 @@ int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
 }
 
 /* also CRL Entry Extensions */
+#if 0
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
+                                void *data, STACK_OF(ASN1_OBJECT) *sk)
+{
+    int i;
+    unsigned char *p, *b = NULL;
+
+    if (data) {
+        if ((i = i2d(data, NULL)) <= 0)
+            goto err;
+        if (!(b = p = OPENSSL_malloc((unsigned int)i)))
+            goto err;
+        if (i2d(data, &p) <= 0)
+            goto err;
+    } else if (sk) {
+        if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk, NULL,
+                                             (I2D_OF(ASN1_OBJECT)) i2d,
+                                             V_ASN1_SEQUENCE,
+                                             V_ASN1_UNIVERSAL,
+                                             IS_SEQUENCE)) <= 0)
+             goto err;
+        if (!(b = p = OPENSSL_malloc((unsigned int)i)))
+            goto err;
+        if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk, &p, (I2D_OF(ASN1_OBJECT)) i2d,
+                                        V_ASN1_SEQUENCE,
+                                        V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0)
+             goto err;
+    } else {
+        OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
+        goto err;
+    }
+    if (!s && !(s = ASN1_STRING_new()))
+        goto err;
+    if (!(ASN1_STRING_set(s, b, i)))
+        goto err;
+    OPENSSL_free(b);
+    return s;
+ err:
+    if (b)
+        OPENSSL_free(b);
+    return NULL;
+}
+#endif
 
 /* Nonce handling functions */
 
 /*
- * Add a nonce to an extension stack. A nonce can be specified or if NULL a
+ * Add a nonce to an extension stack. A nonce can be specificed or if NULL a
  * random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
  * OCTET STRING containing the nonce, previous versions used the raw nonce.
  */
@@ -256,9 +354,6 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
      * relies on library internals.
      */
     os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
-    if (os.length < 0)
-        return 0;
-
     os.data = OPENSSL_malloc(os.length);
     if (os.data == NULL)
         goto err;
@@ -273,7 +368,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
         goto err;
     ret = 1;
  err:
-    OPENSSL_free(os.data);
+    if (os.data)
+        OPENSSL_free(os.data);
     return ret;
 }
 
@@ -281,14 +377,14 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
 
 int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
 {
-    return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
+    return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
 }
 
 /* Same as above but for a response */
 
 int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
 {
-    return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
+    return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
                            len);
 }
 
@@ -334,8 +430,7 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
      */
     req_ext = OCSP_REQUEST_get_ext(req, req_idx);
     resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
-    if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
-                              X509_EXTENSION_get_data(resp_ext)))
+    if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
         return 0;
     return 1;
 }
@@ -357,34 +452,35 @@ int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
     return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
 }
 
-X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim)
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
 {
     X509_EXTENSION *x = NULL;
     OCSP_CRLID *cid = NULL;
 
-    if ((cid = OCSP_CRLID_new()) == NULL)
+    if (!(cid = OCSP_CRLID_new()))
         goto err;
     if (url) {
-        if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
+        if (!(cid->crlUrl = ASN1_IA5STRING_new()))
             goto err;
         if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
             goto err;
     }
     if (n) {
-        if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
+        if (!(cid->crlNum = ASN1_INTEGER_new()))
             goto err;
         if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
             goto err;
     }
     if (tim) {
-        if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
+        if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
             goto err;
         if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
             goto err;
     }
     x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
  err:
-    OCSP_CRLID_free(cid);
+    if (cid)
+        OCSP_CRLID_free(cid);
     return x;
 }
 
@@ -396,7 +492,7 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids)
     ASN1_OBJECT *o = NULL;
     X509_EXTENSION *x = NULL;
 
-    if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
+    if (!(sk = sk_ASN1_OBJECT_new_null()))
         goto err;
     while (oids && *oids) {
         if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
@@ -405,7 +501,8 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids)
     }
     x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
  err:
-    sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+    if (sk)
+        sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
     return x;
 }
 
@@ -415,13 +512,14 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
     X509_EXTENSION *x = NULL;
     ASN1_GENERALIZEDTIME *gt = NULL;
 
-    if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
+    if (!(gt = ASN1_GENERALIZEDTIME_new()))
         goto err;
     if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
         goto err;
     x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
  err:
-    ASN1_GENERALIZEDTIME_free(gt);
+    if (gt)
+        ASN1_GENERALIZEDTIME_free(gt);
     return x;
 }
 
@@ -430,43 +528,39 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
  * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This method
  * forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
  */
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls)
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls)
 {
     X509_EXTENSION *x = NULL;
     ASN1_IA5STRING *ia5 = NULL;
     OCSP_SERVICELOC *sloc = NULL;
     ACCESS_DESCRIPTION *ad = NULL;
 
-    if ((sloc = OCSP_SERVICELOC_new()) == NULL)
+    if (!(sloc = OCSP_SERVICELOC_new()))
         goto err;
-    if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
+    if (!(sloc->issuer = X509_NAME_dup(issuer)))
         goto err;
-    if (urls && *urls
-        && (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
+    if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
         goto err;
     while (urls && *urls) {
-        if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
+        if (!(ad = ACCESS_DESCRIPTION_new()))
             goto err;
-        if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
+        if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
             goto err;
-        if ((ad->location = GENERAL_NAME_new()) == NULL)
+        if (!(ad->location = GENERAL_NAME_new()))
             goto err;
-        if ((ia5 = ASN1_IA5STRING_new()) == NULL)
+        if (!(ia5 = ASN1_IA5STRING_new()))
             goto err;
         if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1))
             goto err;
         ad->location->type = GEN_URI;
         ad->location->d.ia5 = ia5;
-        ia5 = NULL;
         if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
             goto err;
-        ad = NULL;
         urls++;
     }
     x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
  err:
-    ASN1_IA5STRING_free(ia5);
-    ACCESS_DESCRIPTION_free(ad);
-    OCSP_SERVICELOC_free(sloc);
+    if (sloc)
+        OCSP_SERVICELOC_free(sloc);
     return x;
 }
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
index 680edfa5..88b26b38 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_ht.c
@@ -1,10 +1,60 @@
+/* ocsp_ht.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
@@ -16,6 +66,9 @@
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/buffer.h>
+#ifdef OPENSSL_SYS_SUNOS
+# define strtoul (unsigned long)strtol
+#endif                          /* OPENSSL_SYS_SUNOS */
 
 /* Stateful OCSP request code, supporting non-blocking I/O */
 
@@ -63,20 +116,21 @@ static int parse_http_line1(char *line);
 
 OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
 {
-    OCSP_REQ_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx));
-
-    if (rctx == NULL)
+    OCSP_REQ_CTX *rctx;
+    rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
+    if (!rctx)
         return NULL;
     rctx->state = OHS_ERROR;
     rctx->max_resp_len = OCSP_MAX_RESP_LENGTH;
     rctx->mem = BIO_new(BIO_s_mem());
     rctx->io = io;
+    rctx->asn1_len = 0;
     if (maxline > 0)
         rctx->iobuflen = maxline;
     else
         rctx->iobuflen = OCSP_MAX_LINE_LEN;
     rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
-    if (rctx->iobuf == NULL || rctx->mem == NULL) {
+    if (!rctx->iobuf || !rctx->mem) {
         OCSP_REQ_CTX_free(rctx);
         return NULL;
     }
@@ -85,10 +139,10 @@ OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline)
 
 void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
 {
-    if (!rctx)
-        return;
-    BIO_free(rctx->mem);
-    OPENSSL_free(rctx->iobuf);
+    if (rctx->mem)
+        BIO_free(rctx->mem);
+    if (rctx->iobuf)
+        OPENSSL_free(rctx->iobuf);
     OPENSSL_free(rctx);
 }
 
@@ -182,7 +236,7 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
 
     OCSP_REQ_CTX *rctx = NULL;
     rctx = OCSP_REQ_CTX_new(io, maxline);
-    if (rctx == NULL)
+    if (!rctx)
         return NULL;
 
     if (!OCSP_REQ_CTX_http(rctx, "POST", path))
@@ -457,6 +511,8 @@ int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx)
         rctx->state = OHS_DONE;
         return 1;
 
+        break;
+
     case OHS_DONE:
         return 1;
 
@@ -483,7 +539,7 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
 
     ctx = OCSP_sendreq_new(b, path, req, -1);
 
-    if (ctx == NULL)
+    if (!ctx)
         return NULL;
 
     do {
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h
deleted file mode 100644
index f93a268e..00000000
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lcl.h
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*-  CertID ::= SEQUENCE {
- *       hashAlgorithm            AlgorithmIdentifier,
- *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
- *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
- *       serialNumber       CertificateSerialNumber }
- */
-struct ocsp_cert_id_st {
-    X509_ALGOR hashAlgorithm;
-    ASN1_OCTET_STRING issuerNameHash;
-    ASN1_OCTET_STRING issuerKeyHash;
-    ASN1_INTEGER serialNumber;
-};
-
-/*-  Request ::=     SEQUENCE {
- *       reqCert                    CertID,
- *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_one_request_st {
-    OCSP_CERTID *reqCert;
-    STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-};
-
-/*-  TBSRequest      ::=     SEQUENCE {
- *       version             [0] EXPLICIT Version DEFAULT v1,
- *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
- *       requestList             SEQUENCE OF Request,
- *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_req_info_st {
-    ASN1_INTEGER *version;
-    GENERAL_NAME *requestorName;
-    STACK_OF(OCSP_ONEREQ) *requestList;
-    STACK_OF(X509_EXTENSION) *requestExtensions;
-};
-
-/*-  Signature       ::=     SEQUENCE {
- *       signatureAlgorithm   AlgorithmIdentifier,
- *       signature            BIT STRING,
- *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-struct ocsp_signature_st {
-    X509_ALGOR signatureAlgorithm;
-    ASN1_BIT_STRING *signature;
-    STACK_OF(X509) *certs;
-};
-
-/*-  OCSPRequest     ::=     SEQUENCE {
- *       tbsRequest                  TBSRequest,
- *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
- */
-struct ocsp_request_st {
-    OCSP_REQINFO tbsRequest;
-    OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-};
-
-/*-  OCSPResponseStatus ::= ENUMERATED {
- *       successful            (0),      --Response has valid confirmations
- *       malformedRequest      (1),      --Illegal confirmation request
- *       internalError         (2),      --Internal error in issuer
- *       tryLater              (3),      --Try again later
- *                                       --(4) is not used
- *       sigRequired           (5),      --Must sign the request
- *       unauthorized          (6)       --Request unauthorized
- *   }
- */
-
-/*-  ResponseBytes ::=       SEQUENCE {
- *       responseType   OBJECT IDENTIFIER,
- *       response       OCTET STRING }
- */
-struct ocsp_resp_bytes_st {
-    ASN1_OBJECT *responseType;
-    ASN1_OCTET_STRING *response;
-};
-
-/*-  OCSPResponse ::= SEQUENCE {
- *      responseStatus         OCSPResponseStatus,
- *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-struct ocsp_response_st {
-    ASN1_ENUMERATED *responseStatus;
-    OCSP_RESPBYTES *responseBytes;
-};
-
-/*-  ResponderID ::= CHOICE {
- *      byName   [1] Name,
- *      byKey    [2] KeyHash }
- */
-struct ocsp_responder_id_st {
-    int type;
-    union {
-        X509_NAME *byName;
-        ASN1_OCTET_STRING *byKey;
-    } value;
-};
-
-/*-  KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- *                            --(excluding the tag and length fields)
- */
-
-/*-  RevokedInfo ::= SEQUENCE {
- *       revocationTime              GeneralizedTime,
- *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
- */
-struct ocsp_revoked_info_st {
-    ASN1_GENERALIZEDTIME *revocationTime;
-    ASN1_ENUMERATED *revocationReason;
-};
-
-/*-  CertStatus ::= CHOICE {
- *       good                [0]     IMPLICIT NULL,
- *       revoked             [1]     IMPLICIT RevokedInfo,
- *       unknown             [2]     IMPLICIT UnknownInfo }
- */
-struct ocsp_cert_status_st {
-    int type;
-    union {
-        ASN1_NULL *good;
-        OCSP_REVOKEDINFO *revoked;
-        ASN1_NULL *unknown;
-    } value;
-};
-
-/*-  SingleResponse ::= SEQUENCE {
- *      certID                       CertID,
- *      certStatus                   CertStatus,
- *      thisUpdate                   GeneralizedTime,
- *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
- *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_single_response_st {
-    OCSP_CERTID *certId;
-    OCSP_CERTSTATUS *certStatus;
-    ASN1_GENERALIZEDTIME *thisUpdate;
-    ASN1_GENERALIZEDTIME *nextUpdate;
-    STACK_OF(X509_EXTENSION) *singleExtensions;
-};
-
-/*-  ResponseData ::= SEQUENCE {
- *      version              [0] EXPLICIT Version DEFAULT v1,
- *      responderID              ResponderID,
- *      producedAt               GeneralizedTime,
- *      responses                SEQUENCE OF SingleResponse,
- *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
- */
-struct ocsp_response_data_st {
-    ASN1_INTEGER *version;
-    OCSP_RESPID responderId;
-    ASN1_GENERALIZEDTIME *producedAt;
-    STACK_OF(OCSP_SINGLERESP) *responses;
-    STACK_OF(X509_EXTENSION) *responseExtensions;
-};
-
-/*-  BasicOCSPResponse       ::= SEQUENCE {
- *      tbsResponseData      ResponseData,
- *      signatureAlgorithm   AlgorithmIdentifier,
- *      signature            BIT STRING,
- *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-  /*
-   * Note 1: The value for "signature" is specified in the OCSP rfc2560 as
-   * follows: "The value for the signature SHALL be computed on the hash of
-   * the DER encoding ResponseData." This means that you must hash the
-   * DER-encoded tbsResponseData, and then run it through a crypto-signing
-   * function, which will (at least w/RSA) do a hash-'n'-private-encrypt
-   * operation.  This seems a bit odd, but that's the spec.  Also note that
-   * the data structures do not leave anywhere to independently specify the
-   * algorithm used for the initial hash. So, we look at the
-   * signature-specification algorithm, and try to do something intelligent.
-   * -- Kathy Weinhold, CertCo
-   */
-  /*
-   * Note 2: It seems that the mentioned passage from RFC 2560 (section
-   * 4.2.1) is open for interpretation.  I've done tests against another
-   * responder, and found that it doesn't do the double hashing that the RFC
-   * seems to say one should.  Therefore, all relevant functions take a flag
-   * saying which variant should be used.  -- Richard Levitte, OpenSSL team
-   * and CeloCom
-   */
-struct ocsp_basic_response_st {
-    OCSP_RESPDATA tbsResponseData;
-    X509_ALGOR signatureAlgorithm;
-    ASN1_BIT_STRING *signature;
-    STACK_OF(X509) *certs;
-};
-
-/*-
- * CrlID ::= SEQUENCE {
- *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
- *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
- *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
- */
-struct ocsp_crl_id_st {
-    ASN1_IA5STRING *crlUrl;
-    ASN1_INTEGER *crlNum;
-    ASN1_GENERALIZEDTIME *crlTime;
-};
-
-/*-
- * ServiceLocator ::= SEQUENCE {
- *      issuer    Name,
- *      locator   AuthorityInfoAccessSyntax OPTIONAL }
- */
-struct ocsp_service_locator_st {
-    X509_NAME *issuer;
-    STACK_OF(ACCESS_DESCRIPTION) *locator;
-};
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
index 8edd70ac..ff781e56 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_lib.c
@@ -1,35 +1,93 @@
+/* ocsp_lib.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was transfered to Richard Levitte from CertCo by Kathy
+ * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a
+ * patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
 #include <openssl/objects.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 #include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
 #include <openssl/asn1t.h>
 
 /* Convert a certificate and its issuer to an OCSP_CERTID */
 
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
-                             const X509 *issuer)
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
 {
     X509_NAME *iname;
-    const ASN1_INTEGER *serial;
+    ASN1_INTEGER *serial;
     ASN1_BIT_STRING *ikey;
+#ifndef OPENSSL_NO_SHA1
     if (!dgst)
         dgst = EVP_sha1();
+#endif
     if (subject) {
         iname = X509_get_issuer_name(subject);
-        serial = X509_get0_serialNumber(subject);
+        serial = X509_get_serialNumber(subject);
     } else {
         iname = X509_get_subject_name(issuer);
         serial = NULL;
@@ -39,9 +97,9 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
 }
 
 OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
-                              const X509_NAME *issuerName,
-                              const ASN1_BIT_STRING *issuerKey,
-                              const ASN1_INTEGER *serialNumber)
+                              X509_NAME *issuerName,
+                              ASN1_BIT_STRING *issuerKey,
+                              ASN1_INTEGER *serialNumber)
 {
     int nid;
     unsigned int i;
@@ -49,16 +107,17 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
     OCSP_CERTID *cid = NULL;
     unsigned char md[EVP_MAX_MD_SIZE];
 
-    if ((cid = OCSP_CERTID_new()) == NULL)
+    if (!(cid = OCSP_CERTID_new()))
         goto err;
 
-    alg = &cid->hashAlgorithm;
-    ASN1_OBJECT_free(alg->algorithm);
+    alg = cid->hashAlgorithm;
+    if (alg->algorithm != NULL)
+        ASN1_OBJECT_free(alg->algorithm);
     if ((nid = EVP_MD_type(dgst)) == NID_undef) {
         OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID);
         goto err;
     }
-    if ((alg->algorithm = OBJ_nid2obj(nid)) == NULL)
+    if (!(alg->algorithm = OBJ_nid2obj(nid)))
         goto err;
     if ((alg->parameter = ASN1_TYPE_new()) == NULL)
         goto err;
@@ -66,38 +125,40 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
 
     if (!X509_NAME_digest(issuerName, dgst, md, &i))
         goto digerr;
-    if (!(ASN1_OCTET_STRING_set(&cid->issuerNameHash, md, i)))
+    if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
         goto err;
 
     /* Calculate the issuerKey hash, excluding tag and length */
     if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
         goto err;
 
-    if (!(ASN1_OCTET_STRING_set(&cid->issuerKeyHash, md, i)))
+    if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
         goto err;
 
     if (serialNumber) {
-        if (ASN1_STRING_copy(&cid->serialNumber, serialNumber) == 0)
+        ASN1_INTEGER_free(cid->serialNumber);
+        if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
             goto err;
     }
     return cid;
  digerr:
     OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR);
  err:
-    OCSP_CERTID_free(cid);
+    if (cid)
+        OCSP_CERTID_free(cid);
     return NULL;
 }
 
 int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
 {
     int ret;
-    ret = OBJ_cmp(a->hashAlgorithm.algorithm, b->hashAlgorithm.algorithm);
+    ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
     if (ret)
         return ret;
-    ret = ASN1_OCTET_STRING_cmp(&a->issuerNameHash, &b->issuerNameHash);
+    ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
     if (ret)
         return ret;
-    return ASN1_OCTET_STRING_cmp(&a->issuerKeyHash, &b->issuerKeyHash);
+    return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
 }
 
 int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
@@ -106,7 +167,7 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
     ret = OCSP_id_issuer_cmp(a, b);
     if (ret)
         return ret;
-    return ASN1_INTEGER_cmp(&a->serialNumber, &b->serialNumber);
+    return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
 }
 
 /*
@@ -126,7 +187,7 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
     *ppath = NULL;
 
     /* dup the buffer since we are going to mess with it */
-    buf = OPENSSL_strdup(url);
+    buf = BUF_strdup(url);
     if (!buf)
         goto mem_err;
 
@@ -138,10 +199,10 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
 
     *(p++) = '\0';
 
-    if (strcmp(buf, "http") == 0) {
+    if (!strcmp(buf, "http")) {
         *pssl = 0;
         port = "80";
-    } else if (strcmp(buf, "https") == 0) {
+    } else if (!strcmp(buf, "https")) {
         *pssl = 1;
         port = "443";
     } else
@@ -160,9 +221,9 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
     p = strchr(p, '/');
 
     if (!p)
-        *ppath = OPENSSL_strdup("/");
+        *ppath = BUF_strdup("/");
     else {
-        *ppath = OPENSSL_strdup(p);
+        *ppath = BUF_strdup(p);
         /* Set start of path to 0 so hostname is valid */
         *p = '\0';
     }
@@ -187,11 +248,11 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
         port = p + 1;
     }
 
-    *pport = OPENSSL_strdup(port);
+    *pport = BUF_strdup(port);
     if (!*pport)
         goto mem_err;
 
-    *phost = OPENSSL_strdup(host);
+    *phost = BUF_strdup(host);
 
     if (!*phost)
         goto mem_err;
@@ -208,13 +269,20 @@ int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
     OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
 
  err:
-    OPENSSL_free(buf);
-    OPENSSL_free(*ppath);
-    *ppath = NULL;
-    OPENSSL_free(*pport);
-    *pport = NULL;
-    OPENSSL_free(*phost);
-    *phost = NULL;
+    if (buf)
+        OPENSSL_free(buf);
+    if (*ppath) {
+        OPENSSL_free(*ppath);
+        *ppath = NULL;
+    }
+    if (*pport) {
+        OPENSSL_free(*pport);
+        *pport = NULL;
+    }
+    if (*phost) {
+        OPENSSL_free(*phost);
+        *phost = NULL;
+    }
     return 0;
 
 }
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
index 5605812e..47d5f83e 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_prn.c
@@ -1,17 +1,72 @@
+/* ocsp_prn.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project.
+ */
+
+/*
+ * History: This file was originally part of ocsp.c and was transfered to
+ * Richard Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be
+ * included in OpenSSL or released as a patch kit.
+ */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
-#include "internal/cryptlib.h"
 #include <openssl/pem.h>
 
 static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent)
@@ -19,13 +74,13 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent)
     BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
     indent += 2;
     BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
-    i2a_ASN1_OBJECT(bp, a->hashAlgorithm.algorithm);
+    i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
     BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
-    i2a_ASN1_STRING(bp, &a->issuerNameHash, 0);
+    i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
     BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
-    i2a_ASN1_STRING(bp, &a->issuerKeyHash, 0);
+    i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
     BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
-    i2a_ASN1_INTEGER(bp, &a->serialNumber);
+    i2a_ASN1_INTEGER(bp, a->serialNumber);
     BIO_printf(bp, "\n");
     return 1;
 }
@@ -35,17 +90,15 @@ typedef struct {
     const char *m;
 } OCSP_TBLSTR;
 
-static const char *do_table2string(long s, const OCSP_TBLSTR *ts, size_t len)
+static const char *table2string(long s, const OCSP_TBLSTR *ts, int len)
 {
-    size_t i;
-    for (i = 0; i < len; i++, ts++)
-        if (ts->t == s)
-            return ts->m;
+    const OCSP_TBLSTR *p;
+    for (p = ts; p < ts + len; p++)
+        if (p->t == s)
+            return p->m;
     return "(UNKNOWN)";
 }
 
-#define table2string(s, tbl) do_table2string(s, tbl, OSSL_NELEM(tbl))
-
 const char *OCSP_response_status_str(long s)
 {
     static const OCSP_TBLSTR rstat_tbl[] = {
@@ -56,7 +109,7 @@ const char *OCSP_response_status_str(long s)
         {OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired"},
         {OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized"}
     };
-    return table2string(s, rstat_tbl);
+    return table2string(s, rstat_tbl, 6);
 }
 
 const char *OCSP_cert_status_str(long s)
@@ -66,7 +119,7 @@ const char *OCSP_cert_status_str(long s)
         {V_OCSP_CERTSTATUS_REVOKED, "revoked"},
         {V_OCSP_CERTSTATUS_UNKNOWN, "unknown"}
     };
-    return table2string(s, cstat_tbl);
+    return table2string(s, cstat_tbl, 3);
 }
 
 const char *OCSP_crl_reason_str(long s)
@@ -81,7 +134,7 @@ const char *OCSP_crl_reason_str(long s)
         {OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold"},
         {OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL"}
     };
-    return table2string(s, reason_tbl);
+    return table2string(s, reason_tbl, 8);
 }
 
 int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags)
@@ -90,7 +143,7 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags)
     long l;
     OCSP_CERTID *cid = NULL;
     OCSP_ONEREQ *one = NULL;
-    OCSP_REQINFO *inf = &o->tbsRequest;
+    OCSP_REQINFO *inf = o->tbsRequest;
     OCSP_SIGNATURE *sig = o->optionalSignature;
 
     if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0)
@@ -118,7 +171,7 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *o, unsigned long flags)
                                  inf->requestExtensions, flags, 4))
         goto err;
     if (sig) {
-        X509_signature_print(bp, &sig->signatureAlgorithm, sig->signature);
+        X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
         for (i = 0; i < sk_X509_num(sig->certs); i++) {
             X509_print(bp, sk_X509_value(sig->certs, i));
             PEM_write_bio_X509(bp, sk_X509_value(sig->certs, i));
@@ -161,20 +214,20 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags)
 
     if ((br = OCSP_response_get1_basic(o)) == NULL)
         goto err;
-    rd = &br->tbsResponseData;
+    rd = br->tbsResponseData;
     l = ASN1_INTEGER_get(rd->version);
     if (BIO_printf(bp, "\n    Version: %lu (0x%lx)\n", l + 1, l) <= 0)
         goto err;
     if (BIO_puts(bp, "    Responder Id: ") <= 0)
         goto err;
 
-    rid = &rd->responderId;
+    rid = rd->responderId;
     switch (rid->type) {
     case V_OCSP_RESPID_NAME:
         X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
         break;
     case V_OCSP_RESPID_KEY:
-        i2a_ASN1_STRING(bp, rid->value.byKey, 0);
+        i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
         break;
     }
 
@@ -231,7 +284,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags)
     if (!X509V3_extensions_print(bp, "Response Extensions",
                                  rd->responseExtensions, flags, 4))
         goto err;
-    if (X509_signature_print(bp, &br->signatureAlgorithm, br->signature) <= 0)
+    if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
         goto err;
 
     for (i = 0; i < sk_X509_num(br->certs); i++) {
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c
index 46a4bf78..2ec2c636 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_srv.c
@@ -1,20 +1,70 @@
+/* ocsp_srv.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include <cryptlib.h>
 #include <openssl/objects.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 #include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
 
 /*
  * Utility functions related to sending OCSP responses and extracting
@@ -23,12 +73,12 @@
 
 int OCSP_request_onereq_count(OCSP_REQUEST *req)
 {
-    return sk_OCSP_ONEREQ_num(req->tbsRequest.requestList);
+    return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
 }
 
 OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
 {
-    return sk_OCSP_ONEREQ_value(req->tbsRequest.requestList, i);
+    return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
 }
 
 OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
@@ -43,13 +93,13 @@ int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
     if (!cid)
         return 0;
     if (pmd)
-        *pmd = cid->hashAlgorithm.algorithm;
+        *pmd = cid->hashAlgorithm->algorithm;
     if (piNameHash)
-        *piNameHash = &cid->issuerNameHash;
+        *piNameHash = cid->issuerNameHash;
     if (pikeyHash)
-        *pikeyHash = &cid->issuerKeyHash;
+        *pikeyHash = cid->issuerKeyHash;
     if (pserial)
-        *pserial = &cid->serialNumber;
+        *pserial = cid->serialNumber;
     return 1;
 }
 
@@ -65,13 +115,13 @@ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
 {
     OCSP_RESPONSE *rsp = NULL;
 
-    if ((rsp = OCSP_RESPONSE_new()) == NULL)
+    if (!(rsp = OCSP_RESPONSE_new()))
         goto err;
     if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
         goto err;
     if (!bs)
         return rsp;
-    if ((rsp->responseBytes = OCSP_RESPBYTES_new()) == NULL)
+    if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
         goto err;
     rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
     if (!ASN1_item_pack
@@ -79,7 +129,8 @@ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
          goto err;
     return rsp;
  err:
-    OCSP_RESPONSE_free(rsp);
+    if (rsp)
+        OCSP_RESPONSE_free(rsp);
     return NULL;
 }
 
@@ -94,12 +145,11 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
     OCSP_CERTSTATUS *cs;
     OCSP_REVOKEDINFO *ri;
 
-    if (rsp->tbsResponseData.responses == NULL
-        && (rsp->tbsResponseData.responses
-                = sk_OCSP_SINGLERESP_new_null()) == NULL)
+    if (!rsp->tbsResponseData->responses &&
+        !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
         goto err;
 
-    if ((single = OCSP_SINGLERESP_new()) == NULL)
+    if (!(single = OCSP_SINGLERESP_new()))
         goto err;
 
     if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
@@ -110,7 +160,7 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
 
     OCSP_CERTID_free(single->certId);
 
-    if ((single->certId = OCSP_CERTID_dup(cid)) == NULL)
+    if (!(single->certId = OCSP_CERTID_dup(cid)))
         goto err;
 
     cs = single->certStatus;
@@ -120,12 +170,12 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
             OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, OCSP_R_NO_REVOKED_TIME);
             goto err;
         }
-        if ((cs->value.revoked = ri = OCSP_REVOKEDINFO_new()) == NULL)
+        if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
             goto err;
         if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
             goto err;
         if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
-            if ((ri->revocationReason = ASN1_ENUMERATED_new()) == NULL)
+            if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
                 goto err;
             if (!(ASN1_ENUMERATED_set(ri->revocationReason, reason)))
                 goto err;
@@ -133,20 +183,18 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
         break;
 
     case V_OCSP_CERTSTATUS_GOOD:
-        if ((cs->value.good = ASN1_NULL_new()) == NULL)
-            goto err;
+        cs->value.good = ASN1_NULL_new();
         break;
 
     case V_OCSP_CERTSTATUS_UNKNOWN:
-        if ((cs->value.unknown = ASN1_NULL_new()) == NULL)
-            goto err;
+        cs->value.unknown = ASN1_NULL_new();
         break;
 
     default:
         goto err;
 
     }
-    if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData.responses, single)))
+    if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
         goto err;
     return single;
  err:
@@ -158,13 +206,12 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
 
 int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
 {
-    if (resp->certs == NULL
-        && (resp->certs = sk_X509_new_null()) == NULL)
+    if (!resp->certs && !(resp->certs = sk_X509_new_null()))
         return 0;
 
     if (!sk_X509_push(resp->certs, cert))
         return 0;
-    X509_up_ref(cert);
+    CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
     return 1;
 }
 
@@ -191,16 +238,23 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
         }
     }
 
-    rid = &brsp->tbsResponseData.responderId;
+    rid = brsp->tbsResponseData->responderId;
     if (flags & OCSP_RESPID_KEY) {
-        if (!OCSP_RESPID_set_by_key(rid, signer))
+        unsigned char md[SHA_DIGEST_LENGTH];
+        X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+        if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
             goto err;
-    } else if (!OCSP_RESPID_set_by_name(rid, signer)) {
-        goto err;
+        if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+            goto err;
+        rid->type = V_OCSP_RESPID_KEY;
+    } else {
+        if (!X509_NAME_set(&rid->value.byName, X509_get_subject_name(signer)))
+            goto err;
+        rid->type = V_OCSP_RESPID_NAME;
     }
 
     if (!(flags & OCSP_NOTIME) &&
-        !X509_gmtime_adj(brsp->tbsResponseData.producedAt, 0))
+        !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
         goto err;
 
     /*
@@ -215,63 +269,3 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
  err:
     return 0;
 }
-
-int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert)
-{
-    if (!X509_NAME_set(&respid->value.byName, X509_get_subject_name(cert)))
-        return 0;
-
-    respid->type = V_OCSP_RESPID_NAME;
-
-    return 1;
-}
-
-int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
-{
-    ASN1_OCTET_STRING *byKey = NULL;
-    unsigned char md[SHA_DIGEST_LENGTH];
-
-    /* RFC2560 requires SHA1 */
-    if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
-        return 0;
-
-    byKey = ASN1_OCTET_STRING_new();
-    if (byKey == NULL)
-        return 0;
-
-    if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) {
-        ASN1_OCTET_STRING_free(byKey);
-        return 0;
-    }
-
-    respid->type = V_OCSP_RESPID_KEY;
-    respid->value.byKey = byKey;
-
-    return 1;
-}
-
-int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
-{
-    if (respid->type == V_OCSP_RESPID_KEY) {
-        unsigned char md[SHA_DIGEST_LENGTH];
-
-        if (respid->value.byKey == NULL)
-            return 0;
-
-        /* RFC2560 requires SHA1 */
-        if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
-            return 0;
-
-        return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH)
-            && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md,
-                       SHA_DIGEST_LENGTH) == 0);
-    } else if(respid->type == V_OCSP_RESPID_NAME) {
-        if (respid->value.byName == NULL)
-            return 0;
-
-        return X509_NAME_cmp(respid->value.byName,
-                             X509_get_subject_name(cert)) == 0;
-    }
-
-    return 0;
-}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
index e2cfa6dd..d4a257c3 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
+++ b/Cryptlib/OpenSSL/crypto/ocsp/ocsp_vfy.c
@@ -1,29 +1,80 @@
+/* ocsp_vfy.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/ocsp.h>
-#include "ocsp_lcl.h"
 #include <openssl/err.h>
 #include <string.h>
 
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-                            STACK_OF(X509) *certs, unsigned long flags);
+                            STACK_OF(X509) *certs, X509_STORE *st,
+                            unsigned long flags);
 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+                             unsigned long flags);
 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
                           OCSP_CERTID **ret);
 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                                STACK_OF(OCSP_SINGLERESP) *sresp);
-static int ocsp_check_delegated(X509 *x);
+static int ocsp_check_delegated(X509 *x, int flags);
 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
                                 X509_NAME *nm, STACK_OF(X509) *certs,
-                                unsigned long flags);
+                                X509_STORE *st, unsigned long flags);
 
 /* Verify a basic response message */
 
@@ -33,30 +84,24 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
     X509 *signer, *x;
     STACK_OF(X509) *chain = NULL;
     STACK_OF(X509) *untrusted = NULL;
-    X509_STORE_CTX *ctx = NULL;
-    int i, ret = ocsp_find_signer(&signer, bs, certs, flags);
-
+    X509_STORE_CTX ctx;
+    int i, ret = 0;
+    ret = ocsp_find_signer(&signer, bs, certs, st, flags);
     if (!ret) {
         OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
                 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
         goto end;
     }
-    ctx = X509_STORE_CTX_new();
-    if (ctx == NULL) {
-        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
-        goto f_err;
-    }
     if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
         flags |= OCSP_NOVERIFY;
     if (!(flags & OCSP_NOSIGS)) {
         EVP_PKEY *skey;
-        skey = X509_get0_pubkey(signer);
-        if (skey == NULL) {
-            OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY);
-            goto err;
+        skey = X509_get_pubkey(signer);
+        if (skey) {
+            ret = OCSP_BASICRESP_verify(bs, skey, 0);
+            EVP_PKEY_free(skey);
         }
-        ret = OCSP_BASICRESP_verify(bs, skey, 0);
-        if (ret <= 0) {
+        if (!skey || ret <= 0) {
             OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
             goto end;
         }
@@ -70,23 +115,25 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
             for (i = 0; i < sk_X509_num(certs); i++) {
                 if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
                     OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
-                    goto f_err;
+                    goto end;
                 }
             }
         } else {
             untrusted = bs->certs;
         }
-        init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
+        init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
         if (!init_res) {
+            ret = -1;
             OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
-            goto f_err;
+            goto end;
         }
 
-        X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
-        ret = X509_verify_cert(ctx);
-        chain = X509_STORE_CTX_get1_chain(ctx);
+        X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+        ret = X509_verify_cert(&ctx);
+        chain = X509_STORE_CTX_get1_chain(&ctx);
+        X509_STORE_CTX_cleanup(&ctx);
         if (ret <= 0) {
-            i = X509_STORE_CTX_get_error(ctx);
+            i = X509_STORE_CTX_get_error(&ctx);
             OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
                     OCSP_R_CERTIFICATE_VERIFY_ERROR);
             ERR_add_error_data(2, "Verify error:",
@@ -101,7 +148,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
          * At this point we have a valid certificate chain need to verify it
          * against the OCSP issuer criteria.
          */
-        ret = ocsp_check_issuer(bs, chain);
+        ret = ocsp_check_issuer(bs, chain, flags);
 
         /* If fatal error or valid match then finish */
         if (ret != 0)
@@ -117,30 +164,25 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
         x = sk_X509_value(chain, sk_X509_num(chain) - 1);
         if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
             OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
-            goto err;
+            goto end;
         }
         ret = 1;
     }
+
  end:
-    X509_STORE_CTX_free(ctx);
-    sk_X509_pop_free(chain, X509_free);
+    if (chain)
+        sk_X509_pop_free(chain, X509_free);
     if (bs->certs && certs)
         sk_X509_free(untrusted);
     return ret;
-
- err:
-    ret = 0;
-    goto end;
- f_err:
-    ret = -1;
-    goto end;
 }
 
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-                            STACK_OF(X509) *certs, unsigned long flags)
+                            STACK_OF(X509) *certs, X509_STORE *st,
+                            unsigned long flags)
 {
     X509 *signer;
-    OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
+    OCSP_RESPID *rid = bs->tbsResponseData->responderId;
     if ((signer = ocsp_find_signer_sk(certs, rid))) {
         *psigner = signer;
         return 2;
@@ -182,13 +224,14 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
     return NULL;
 }
 
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+                             unsigned long flags)
 {
     STACK_OF(OCSP_SINGLERESP) *sresp;
     X509 *signer, *sca;
     OCSP_CERTID *caid = NULL;
     int i;
-    sresp = bs->tbsResponseData.responses;
+    sresp = bs->tbsResponseData->responses;
 
     if (sk_X509_num(chain) <= 0) {
         OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
@@ -211,7 +254,7 @@ static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
             return i;
         if (i) {
             /* We have a match, if extensions OK then success */
-            if (ocsp_check_delegated(signer))
+            if (ocsp_check_delegated(signer, flags))
                 return 1;
             return 0;
         }
@@ -248,9 +291,9 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
         tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
         /* Check to see if IDs match */
         if (OCSP_id_issuer_cmp(cid, tmpid)) {
-            /* If algorithm mismatch let caller deal with it */
-            if (OBJ_cmp(tmpid->hashAlgorithm.algorithm,
-                        cid->hashAlgorithm.algorithm))
+            /* If algoritm mismatch let caller deal with it */
+            if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
+                        cid->hashAlgorithm->algorithm))
                 return 2;
             /* Else mismatch */
             return 0;
@@ -271,8 +314,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
         X509_NAME *iname;
         int mdlen;
         unsigned char md[EVP_MAX_MD_SIZE];
-        if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm))
-                == NULL) {
+        if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
             OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
                     OCSP_R_UNKNOWN_MESSAGE_DIGEST);
             return -1;
@@ -281,16 +323,16 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
         mdlen = EVP_MD_size(dgst);
         if (mdlen < 0)
             return -1;
-        if ((cid->issuerNameHash.length != mdlen) ||
-            (cid->issuerKeyHash.length != mdlen))
+        if ((cid->issuerNameHash->length != mdlen) ||
+            (cid->issuerKeyHash->length != mdlen))
             return 0;
         iname = X509_get_subject_name(cert);
         if (!X509_NAME_digest(iname, dgst, md, NULL))
             return -1;
-        if (memcmp(md, cid->issuerNameHash.data, mdlen))
+        if (memcmp(md, cid->issuerNameHash->data, mdlen))
             return 0;
         X509_pubkey_digest(cert, dgst, md, NULL);
-        if (memcmp(md, cid->issuerKeyHash.data, mdlen))
+        if (memcmp(md, cid->issuerKeyHash->data, mdlen))
             return 0;
 
         return 1;
@@ -310,10 +352,10 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
 
 }
 
-static int ocsp_check_delegated(X509 *x)
+static int ocsp_check_delegated(X509 *x, int flags)
 {
-    if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
-        && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
+    X509_check_purpose(x, -1, 0);
+    if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
         return 1;
     OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
     return 0;
@@ -331,80 +373,68 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
     X509 *signer;
     X509_NAME *nm;
     GENERAL_NAME *gen;
-    int ret = 0;
-    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
-
-    if (ctx == NULL) {
-        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
+    int ret;
+    X509_STORE_CTX ctx;
     if (!req->optionalSignature) {
         OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
-        goto err;
+        return 0;
     }
-    gen = req->tbsRequest.requestorName;
+    gen = req->tbsRequest->requestorName;
     if (!gen || gen->type != GEN_DIRNAME) {
         OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
                 OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
-        goto err;
+        return 0;
     }
     nm = gen->d.directoryName;
-    ret = ocsp_req_find_signer(&signer, req, nm, certs, flags);
+    ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
     if (ret <= 0) {
         OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
                 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
-        goto err;
+        return 0;
     }
     if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
         flags |= OCSP_NOVERIFY;
     if (!(flags & OCSP_NOSIGS)) {
         EVP_PKEY *skey;
-        skey = X509_get0_pubkey(signer);
+        skey = X509_get_pubkey(signer);
         ret = OCSP_REQUEST_verify(req, skey);
+        EVP_PKEY_free(skey);
         if (ret <= 0) {
             OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
-            goto err;
+            return 0;
         }
     }
     if (!(flags & OCSP_NOVERIFY)) {
         int init_res;
         if (flags & OCSP_NOCHAIN)
-            init_res = X509_STORE_CTX_init(ctx, store, signer, NULL);
+            init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
         else
-            init_res = X509_STORE_CTX_init(ctx, store, signer,
+            init_res = X509_STORE_CTX_init(&ctx, store, signer,
                                            req->optionalSignature->certs);
         if (!init_res) {
             OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB);
-            goto err;
+            return 0;
         }
 
-        X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
-        X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST);
-        ret = X509_verify_cert(ctx);
+        X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+        X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+        ret = X509_verify_cert(&ctx);
+        X509_STORE_CTX_cleanup(&ctx);
         if (ret <= 0) {
-            ret = X509_STORE_CTX_get_error(ctx);
+            ret = X509_STORE_CTX_get_error(&ctx);
             OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
                     OCSP_R_CERTIFICATE_VERIFY_ERROR);
             ERR_add_error_data(2, "Verify error:",
                                X509_verify_cert_error_string(ret));
-            goto err;
+            return 0;
         }
     }
-    ret = 1;
-    goto end;
-
-err:
-    ret = 0;
-end:
-    X509_STORE_CTX_free(ctx);
-    return ret;
-
+    return 1;
 }
 
 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
                                 X509_NAME *nm, STACK_OF(X509) *certs,
-                                unsigned long flags)
+                                X509_STORE *st, unsigned long flags)
 {
     X509 *signer;
     if (!(flags & OCSP_NOINTERN)) {
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_all.c b/Cryptlib/OpenSSL/crypto/pem/pem_all.c
index 0e718131..0e5be63e 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_all.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_all.c
@@ -1,22 +1,130 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_all.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/dh.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
 
 #ifndef OPENSSL_NO_RSA
 static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
@@ -68,7 +176,7 @@ RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb,
     return pkey_get_rsa(pktmp, rsa);
 }
 
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 
 RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u)
 {
@@ -79,10 +187,57 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u)
 
 # endif
 
-IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA,
-                             RSAPrivateKey)
+# ifdef OPENSSL_FIPS
 
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                unsigned char *kstr, int klen,
+                                pem_password_cb *cb, void *u)
+{
+    if (FIPS_mode()) {
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+            return 0;
+        EVP_PKEY_set1_RSA(k, x);
 
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+    } else
+        return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
+                                  PEM_STRING_RSA, bp, x, enc, kstr, klen, cb,
+                                  u);
+}
+
+#  ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                            unsigned char *kstr, int klen,
+                            pem_password_cb *cb, void *u)
+{
+    if (FIPS_mode()) {
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+            return 0;
+
+        EVP_PKEY_set1_RSA(k, x);
+
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+    } else
+        return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
+                              PEM_STRING_RSA, fp, x, enc, kstr, klen, cb, u);
+}
+#  endif
+
+# else
+
+IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA,
+                             RSAPrivateKey)
+# endif
 IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC,
                        RSAPublicKey) IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA,
                                                       PEM_STRING_PUBLIC,
@@ -113,10 +268,57 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
     return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
 }
 
+# ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                unsigned char *kstr, int klen,
+                                pem_password_cb *cb, void *u)
+{
+    if (FIPS_mode()) {
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+            return 0;
+        EVP_PKEY_set1_DSA(k, x);
+
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+    } else
+        return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
+                                  PEM_STRING_DSA, bp, x, enc, kstr, klen, cb,
+                                  u);
+}
+
+#  ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                            unsigned char *kstr, int klen,
+                            pem_password_cb *cb, void *u)
+{
+    if (FIPS_mode()) {
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+            return 0;
+        EVP_PKEY_set1_DSA(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+    } else
+        return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
+                              PEM_STRING_DSA, fp, x, enc, kstr, klen, cb, u);
+}
+#  endif
+
+# else
+
 IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA,
                              DSAPrivateKey)
+# endif
     IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u)
 {
     EVP_PKEY *pktmp;
@@ -155,12 +357,56 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb,
 
 IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS,
                        ECPKParameters)
+# ifdef OPENSSL_FIPS
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
+                               unsigned char *kstr, int klen,
+                               pem_password_cb *cb, void *u)
+{
+    if (FIPS_mode()) {
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+            return 0;
+        EVP_PKEY_set1_EC_KEY(k, x);
+
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+    } else
+        return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
+                                  PEM_STRING_ECPRIVATEKEY,
+                                  bp, x, enc, kstr, klen, cb, u);
+}
 
+#  ifndef OPENSSL_NO_FP_API
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
+                           unsigned char *kstr, int klen,
+                           pem_password_cb *cb, void *u)
+{
+    if (FIPS_mode()) {
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+            return 0;
+        EVP_PKEY_set1_EC_KEY(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+    } else
+        return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
+                              PEM_STRING_ECPRIVATEKEY,
+                              fp, x, enc, kstr, klen, cb, u);
+}
+#  endif
 
-IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY,
+# else
+    IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY,
                        ECPrivateKey)
+# endif
 IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
                               void *u)
 {
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_err.c b/Cryptlib/OpenSSL/crypto/pem/pem_err.c
index f36d8932..4e5f8e93 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_err.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,41 +70,46 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_PEM,0,reason)
 
 static ERR_STRING_DATA PEM_str_functs[] = {
-    {ERR_FUNC(PEM_F_B2I_DSS), "b2i_dss"},
+    {ERR_FUNC(PEM_F_B2I_DSS), "B2I_DSS"},
     {ERR_FUNC(PEM_F_B2I_PVK_BIO), "b2i_PVK_bio"},
-    {ERR_FUNC(PEM_F_B2I_RSA), "b2i_rsa"},
-    {ERR_FUNC(PEM_F_CHECK_BITLEN_DSA), "check_bitlen_dsa"},
-    {ERR_FUNC(PEM_F_CHECK_BITLEN_RSA), "check_bitlen_rsa"},
+    {ERR_FUNC(PEM_F_B2I_RSA), "B2I_RSA"},
+    {ERR_FUNC(PEM_F_CHECK_BITLEN_DSA), "CHECK_BITLEN_DSA"},
+    {ERR_FUNC(PEM_F_CHECK_BITLEN_RSA), "CHECK_BITLEN_RSA"},
     {ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_BIO), "d2i_PKCS8PrivateKey_bio"},
     {ERR_FUNC(PEM_F_D2I_PKCS8PRIVATEKEY_FP), "d2i_PKCS8PrivateKey_fp"},
-    {ERR_FUNC(PEM_F_DO_B2I), "do_b2i"},
-    {ERR_FUNC(PEM_F_DO_B2I_BIO), "do_b2i_bio"},
-    {ERR_FUNC(PEM_F_DO_BLOB_HEADER), "do_blob_header"},
-    {ERR_FUNC(PEM_F_DO_PK8PKEY), "do_pk8pkey"},
-    {ERR_FUNC(PEM_F_DO_PK8PKEY_FP), "do_pk8pkey_fp"},
-    {ERR_FUNC(PEM_F_DO_PVK_BODY), "do_PVK_body"},
-    {ERR_FUNC(PEM_F_DO_PVK_HEADER), "do_PVK_header"},
-    {ERR_FUNC(PEM_F_I2B_PVK), "i2b_PVK"},
+    {ERR_FUNC(PEM_F_DO_B2I), "DO_B2I"},
+    {ERR_FUNC(PEM_F_DO_B2I_BIO), "DO_B2I_BIO"},
+    {ERR_FUNC(PEM_F_DO_BLOB_HEADER), "DO_BLOB_HEADER"},
+    {ERR_FUNC(PEM_F_DO_PK8PKEY), "DO_PK8PKEY"},
+    {ERR_FUNC(PEM_F_DO_PK8PKEY_FP), "DO_PK8PKEY_FP"},
+    {ERR_FUNC(PEM_F_DO_PVK_BODY), "DO_PVK_BODY"},
+    {ERR_FUNC(PEM_F_DO_PVK_HEADER), "DO_PVK_HEADER"},
+    {ERR_FUNC(PEM_F_I2B_PVK), "I2B_PVK"},
     {ERR_FUNC(PEM_F_I2B_PVK_BIO), "i2b_PVK_bio"},
-    {ERR_FUNC(PEM_F_LOAD_IV), "load_iv"},
+    {ERR_FUNC(PEM_F_LOAD_IV), "LOAD_IV"},
     {ERR_FUNC(PEM_F_PEM_ASN1_READ), "PEM_ASN1_read"},
     {ERR_FUNC(PEM_F_PEM_ASN1_READ_BIO), "PEM_ASN1_read_bio"},
     {ERR_FUNC(PEM_F_PEM_ASN1_WRITE), "PEM_ASN1_write"},
     {ERR_FUNC(PEM_F_PEM_ASN1_WRITE_BIO), "PEM_ASN1_write_bio"},
     {ERR_FUNC(PEM_F_PEM_DEF_CALLBACK), "PEM_def_callback"},
     {ERR_FUNC(PEM_F_PEM_DO_HEADER), "PEM_do_header"},
+    {ERR_FUNC(PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY),
+     "PEM_F_PEM_WRITE_PKCS8PRIVATEKEY"},
     {ERR_FUNC(PEM_F_PEM_GET_EVP_CIPHER_INFO), "PEM_get_EVP_CIPHER_INFO"},
+    {ERR_FUNC(PEM_F_PEM_PK8PKEY), "PEM_PK8PKEY"},
     {ERR_FUNC(PEM_F_PEM_READ), "PEM_read"},
     {ERR_FUNC(PEM_F_PEM_READ_BIO), "PEM_read_bio"},
-    {ERR_FUNC(PEM_F_PEM_READ_BIO_DHPARAMS), "PEM_read_bio_DHparams"},
+    {ERR_FUNC(PEM_F_PEM_READ_BIO_DHPARAMS), "PEM_READ_BIO_DHPARAMS"},
     {ERR_FUNC(PEM_F_PEM_READ_BIO_PARAMETERS), "PEM_read_bio_Parameters"},
-    {ERR_FUNC(PEM_F_PEM_READ_BIO_PRIVATEKEY), "PEM_read_bio_PrivateKey"},
-    {ERR_FUNC(PEM_F_PEM_READ_DHPARAMS), "PEM_read_DHparams"},
-    {ERR_FUNC(PEM_F_PEM_READ_PRIVATEKEY), "PEM_read_PrivateKey"},
+    {ERR_FUNC(PEM_F_PEM_READ_BIO_PRIVATEKEY), "PEM_READ_BIO_PRIVATEKEY"},
+    {ERR_FUNC(PEM_F_PEM_READ_DHPARAMS), "PEM_READ_DHPARAMS"},
+    {ERR_FUNC(PEM_F_PEM_READ_PRIVATEKEY), "PEM_READ_PRIVATEKEY"},
+    {ERR_FUNC(PEM_F_PEM_SEALFINAL), "PEM_SealFinal"},
+    {ERR_FUNC(PEM_F_PEM_SEALINIT), "PEM_SealInit"},
     {ERR_FUNC(PEM_F_PEM_SIGNFINAL), "PEM_SignFinal"},
     {ERR_FUNC(PEM_F_PEM_WRITE), "PEM_write"},
     {ERR_FUNC(PEM_F_PEM_WRITE_BIO), "PEM_write_bio"},
-    {ERR_FUNC(PEM_F_PEM_WRITE_PRIVATEKEY), "PEM_write_PrivateKey"},
+    {ERR_FUNC(PEM_F_PEM_WRITE_PRIVATEKEY), "PEM_WRITE_PRIVATEKEY"},
     {ERR_FUNC(PEM_F_PEM_X509_INFO_READ), "PEM_X509_INFO_read"},
     {ERR_FUNC(PEM_F_PEM_X509_INFO_READ_BIO), "PEM_X509_INFO_read_bio"},
     {ERR_FUNC(PEM_F_PEM_X509_INFO_WRITE_BIO), "PEM_X509_INFO_write_bio"},
@@ -81,18 +137,17 @@ static ERR_STRING_DATA PEM_str_reasons[] = {
     {ERR_REASON(PEM_R_KEYBLOB_HEADER_PARSE_ERROR),
      "keyblob header parse error"},
     {ERR_REASON(PEM_R_KEYBLOB_TOO_SHORT), "keyblob too short"},
-    {ERR_REASON(PEM_R_MISSING_DEK_IV), "missing dek iv"},
     {ERR_REASON(PEM_R_NOT_DEK_INFO), "not dek info"},
     {ERR_REASON(PEM_R_NOT_ENCRYPTED), "not encrypted"},
     {ERR_REASON(PEM_R_NOT_PROC_TYPE), "not proc type"},
     {ERR_REASON(PEM_R_NO_START_LINE), "no start line"},
     {ERR_REASON(PEM_R_PROBLEMS_GETTING_PASSWORD),
      "problems getting password"},
+    {ERR_REASON(PEM_R_PUBLIC_KEY_NO_RSA), "public key no rsa"},
     {ERR_REASON(PEM_R_PVK_DATA_TOO_SHORT), "pvk data too short"},
     {ERR_REASON(PEM_R_PVK_TOO_SHORT), "pvk too short"},
     {ERR_REASON(PEM_R_READ_KEY), "read key"},
     {ERR_REASON(PEM_R_SHORT_HEADER), "short header"},
-    {ERR_REASON(PEM_R_UNEXPECTED_DEK_IV), "unexpected dek iv"},
     {ERR_REASON(PEM_R_UNSUPPORTED_CIPHER), "unsupported cipher"},
     {ERR_REASON(PEM_R_UNSUPPORTED_ENCRYPTION), "unsupported encryption"},
     {ERR_REASON(PEM_R_UNSUPPORTED_KEY_COMPONENTS),
@@ -102,7 +157,7 @@ static ERR_STRING_DATA PEM_str_reasons[] = {
 
 #endif
 
-int ERR_load_PEM_strings(void)
+void ERR_load_PEM_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -111,5 +166,4 @@ int ERR_load_PEM_strings(void)
         ERR_load_strings(0, PEM_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_info.c b/Cryptlib/OpenSSL/crypto/pem/pem_info.c
index dd493c85..4d736a1d 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_info.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_info.c
@@ -1,23 +1,76 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_info.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
                                         pem_password_cb *cb, void *u)
 {
@@ -206,11 +259,14 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
         } else {
             /* unknown */
         }
-        OPENSSL_free(name);
+        if (name != NULL)
+            OPENSSL_free(name);
+        if (header != NULL)
+            OPENSSL_free(header);
+        if (data != NULL)
+            OPENSSL_free(data);
         name = NULL;
-        OPENSSL_free(header);
         header = NULL;
-        OPENSSL_free(data);
         data = NULL;
     }
 
@@ -226,7 +282,8 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
     }
     ok = 1;
  err:
-    X509_INFO_free(xi);
+    if (xi != NULL)
+        X509_INFO_free(xi);
     if (!ok) {
         for (i = 0; ((int)i) < sk_X509_INFO_num(ret); i++) {
             xi = sk_X509_INFO_value(ret, i);
@@ -237,9 +294,12 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
         ret = NULL;
     }
 
-    OPENSSL_free(name);
-    OPENSSL_free(header);
-    OPENSSL_free(data);
+    if (name != NULL)
+        OPENSSL_free(name);
+    if (header != NULL)
+        OPENSSL_free(header);
+    if (data != NULL)
+        OPENSSL_free(data);
     return (ret);
 }
 
@@ -248,6 +308,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                             unsigned char *kstr, int klen,
                             pem_password_cb *cb, void *u)
 {
+    EVP_CIPHER_CTX ctx;
     int i, ret = 0;
     unsigned char *data = NULL;
     const char *objstr = NULL;
@@ -292,13 +353,11 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
             }
 
             /* create the right magic header stuff */
-            OPENSSL_assert(strlen(objstr) + 23
-                           + 2 * EVP_CIPHER_iv_length(enc) + 13 <=
+            OPENSSL_assert(strlen(objstr) + 23 + 2 * enc->iv_len + 13 <=
                            sizeof buf);
             buf[0] = '\0';
             PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
-            PEM_dek_info(buf, objstr, EVP_CIPHER_iv_length(enc),
-                         (char *)iv);
+            PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
 
             /* use the normal code to write things out */
             i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
@@ -309,7 +368,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
 #ifndef OPENSSL_NO_RSA
             /* normal optionally encrypted stuff */
             if (PEM_write_bio_RSAPrivateKey(bp,
-                                            EVP_PKEY_get0_RSA(xi->x_pkey->dec_pkey),
+                                            xi->x_pkey->dec_pkey->pkey.rsa,
                                             enc, kstr, klen, cb, u) <= 0)
                 goto err;
 #endif
@@ -329,6 +388,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
     ret = 1;
 
  err:
+    OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
     OPENSSL_cleanse(buf, PEM_BUFSIZE);
     return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_lib.c b/Cryptlib/OpenSSL/crypto/pem/pem_lib.c
index 2792593c..56c77b1f 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_lib.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_lib.c
@@ -1,16 +1,64 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <ctype.h>
-#include <string.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
@@ -18,9 +66,15 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
-#include "internal/asn1_int.h"
-#include <openssl/des.h>
-#include <openssl/engine.h>
+#include "asn1_locl.h"
+#ifndef OPENSSL_NO_DES
+# include <openssl/des.h>
+#endif
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+
+const char PEM_version[] = "PEM" OPENSSL_VERSION_PTEXT;
 
 #define MIN_LENGTH      4
 
@@ -30,24 +84,22 @@ int pem_check_suffix(const char *pem_str, const char *suffix);
 
 int PEM_def_callback(char *buf, int num, int w, void *key)
 {
-#if defined(OPENSSL_NO_STDIO) || defined(OPENSSL_NO_UI)
-    int i;
+#if defined(OPENSSL_NO_FP_API) || defined(OPENSSL_NO_UI)
+    /*
+     * We should not ever call the default callback routine from windows.
+     */
+    PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return (-1);
 #else
     int i, j;
     const char *prompt;
-#endif
-
     if (key) {
         i = strlen(key);
         i = (i > num) ? num : i;
         memcpy(buf, key, i);
-        return i;
+        return (i);
     }
 
-#if defined(OPENSSL_NO_STDIO) || defined(OPENSSL_NO_UI)
-    PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-    return -1;
-#else
     prompt = EVP_get_pw_prompt();
     if (prompt == NULL)
         prompt = "Enter PEM pass phrase:";
@@ -63,7 +115,7 @@ int PEM_def_callback(char *buf, int num, int w, void *key)
         if (i != 0) {
             PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
             memset(buf, 0, (unsigned int)num);
-            return -1;
+            return (-1);
         }
         j = strlen(buf);
         if (min_len && j < min_len) {
@@ -73,7 +125,7 @@ int PEM_def_callback(char *buf, int num, int w, void *key)
         } else
             break;
     }
-    return j;
+    return (j);
 #endif
 }
 
@@ -90,9 +142,9 @@ void PEM_proc_type(char *buf, int type)
     else
         str = "BAD-TYPE";
 
-    OPENSSL_strlcat(buf, "Proc-Type: 4,", PEM_BUFSIZE);
-    OPENSSL_strlcat(buf, str, PEM_BUFSIZE);
-    OPENSSL_strlcat(buf, "\n", PEM_BUFSIZE);
+    BUF_strlcat(buf, "Proc-Type: 4,", PEM_BUFSIZE);
+    BUF_strlcat(buf, str, PEM_BUFSIZE);
+    BUF_strlcat(buf, "\n", PEM_BUFSIZE);
 }
 
 void PEM_dek_info(char *buf, const char *type, int len, char *str)
@@ -101,9 +153,9 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
     long i;
     int j;
 
-    OPENSSL_strlcat(buf, "DEK-Info: ", PEM_BUFSIZE);
-    OPENSSL_strlcat(buf, type, PEM_BUFSIZE);
-    OPENSSL_strlcat(buf, ",", PEM_BUFSIZE);
+    BUF_strlcat(buf, "DEK-Info: ", PEM_BUFSIZE);
+    BUF_strlcat(buf, type, PEM_BUFSIZE);
+    BUF_strlcat(buf, ",", PEM_BUFSIZE);
     j = strlen(buf);
     if (j + (len * 2) + 1 > PEM_BUFSIZE)
         return;
@@ -115,7 +167,7 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
     buf[j + i * 2 + 1] = '\0';
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
                     pem_password_cb *cb, void *u)
 {
@@ -136,22 +188,22 @@ void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
 static int check_pem(const char *nm, const char *name)
 {
     /* Normal matching nm and name */
-    if (strcmp(nm, name) == 0)
+    if (!strcmp(nm, name))
         return 1;
 
     /* Make PEM_STRING_EVP_PKEY match any private key */
 
-    if (strcmp(name, PEM_STRING_EVP_PKEY) == 0) {
+    if (!strcmp(name, PEM_STRING_EVP_PKEY)) {
         int slen;
         const EVP_PKEY_ASN1_METHOD *ameth;
-        if (strcmp(nm, PEM_STRING_PKCS8) == 0)
+        if (!strcmp(nm, PEM_STRING_PKCS8))
             return 1;
-        if (strcmp(nm, PEM_STRING_PKCS8INF) == 0)
+        if (!strcmp(nm, PEM_STRING_PKCS8INF))
             return 1;
         slen = pem_check_suffix(nm, "PRIVATE KEY");
         if (slen > 0) {
             /*
-             * NB: ENGINE implementations won't contain a deprecated old
+             * NB: ENGINE implementations wont contain a deprecated old
              * private key decode function so don't look for them.
              */
             ameth = EVP_PKEY_asn1_find_str(NULL, nm, slen);
@@ -161,7 +213,7 @@ static int check_pem(const char *nm, const char *name)
         return 0;
     }
 
-    if (strcmp(name, PEM_STRING_PARAMETERS) == 0) {
+    if (!strcmp(name, PEM_STRING_PARAMETERS)) {
         int slen;
         const EVP_PKEY_ASN1_METHOD *ameth;
         slen = pem_check_suffix(nm, "PARAMETERS");
@@ -175,7 +227,8 @@ static int check_pem(const char *nm, const char *name)
                 else
                     r = 0;
 #ifndef OPENSSL_NO_ENGINE
-                ENGINE_finish(e);
+                if (e)
+                    ENGINE_finish(e);
 #endif
                 return r;
             }
@@ -183,45 +236,41 @@ static int check_pem(const char *nm, const char *name)
         return 0;
     }
     /* If reading DH parameters handle X9.42 DH format too */
-    if (strcmp(nm, PEM_STRING_DHXPARAMS) == 0
-        && strcmp(name, PEM_STRING_DHPARAMS) == 0)
+    if (!strcmp(nm, PEM_STRING_DHXPARAMS) &&
+        !strcmp(name, PEM_STRING_DHPARAMS))
         return 1;
 
     /* Permit older strings */
 
-    if (strcmp(nm, PEM_STRING_X509_OLD) == 0
-        && strcmp(name, PEM_STRING_X509) == 0)
+    if (!strcmp(nm, PEM_STRING_X509_OLD) && !strcmp(name, PEM_STRING_X509))
         return 1;
 
-    if (strcmp(nm, PEM_STRING_X509_REQ_OLD) == 0
-        && strcmp(name, PEM_STRING_X509_REQ) == 0)
+    if (!strcmp(nm, PEM_STRING_X509_REQ_OLD) &&
+        !strcmp(name, PEM_STRING_X509_REQ))
         return 1;
 
     /* Allow normal certs to be read as trusted certs */
-    if (strcmp(nm, PEM_STRING_X509) == 0
-        && strcmp(name, PEM_STRING_X509_TRUSTED) == 0)
+    if (!strcmp(nm, PEM_STRING_X509) &&
+        !strcmp(name, PEM_STRING_X509_TRUSTED))
         return 1;
 
-    if (strcmp(nm, PEM_STRING_X509_OLD) == 0
-        && strcmp(name, PEM_STRING_X509_TRUSTED) == 0)
+    if (!strcmp(nm, PEM_STRING_X509_OLD) &&
+        !strcmp(name, PEM_STRING_X509_TRUSTED))
         return 1;
 
     /* Some CAs use PKCS#7 with CERTIFICATE headers */
-    if (strcmp(nm, PEM_STRING_X509) == 0
-        && strcmp(name, PEM_STRING_PKCS7) == 0)
+    if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_PKCS7))
         return 1;
 
-    if (strcmp(nm, PEM_STRING_PKCS7_SIGNED) == 0
-        && strcmp(name, PEM_STRING_PKCS7) == 0)
+    if (!strcmp(nm, PEM_STRING_PKCS7_SIGNED) &&
+        !strcmp(name, PEM_STRING_PKCS7))
         return 1;
 
 #ifndef OPENSSL_NO_CMS
-    if (strcmp(nm, PEM_STRING_X509) == 0
-        && strcmp(name, PEM_STRING_CMS) == 0)
+    if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_CMS))
         return 1;
     /* Allow CMS to be read from PKCS#7 headers */
-    if (strcmp(nm, PEM_STRING_PKCS7) == 0
-        && strcmp(name, PEM_STRING_CMS) == 0)
+    if (!strcmp(nm, PEM_STRING_PKCS7) && !strcmp(name, PEM_STRING_CMS))
         return 1;
 #endif
 
@@ -272,7 +321,7 @@ int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm,
     return ret;
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
                    void *x, const EVP_CIPHER *enc, unsigned char *kstr,
                    int klen, pem_password_cb *callback, void *u)
@@ -295,8 +344,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
                        void *x, const EVP_CIPHER *enc, unsigned char *kstr,
                        int klen, pem_password_cb *callback, void *u)
 {
-    EVP_CIPHER_CTX *ctx = NULL;
-    int dsize = 0, i = 0, j = 0, ret = 0;
+    EVP_CIPHER_CTX ctx;
+    int dsize = 0, i, j, ret = 0;
     unsigned char *p, *data = NULL;
     const char *objstr = NULL;
     char buf[PEM_BUFSIZE];
@@ -318,7 +367,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
     }
     /* dzise + 8 bytes are needed */
     /* actually it needs the cipher block size extra... */
-    data = OPENSSL_malloc((unsigned int)dsize + 20);
+    data = (unsigned char *)OPENSSL_malloc((unsigned int)dsize + 20);
     if (data == NULL) {
         PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -343,8 +392,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
             kstr = (unsigned char *)buf;
         }
         RAND_add(data, i, 0);   /* put in the RSA key. */
-        OPENSSL_assert(EVP_CIPHER_iv_length(enc) <= (int)sizeof(iv));
-        if (RAND_bytes(iv, EVP_CIPHER_iv_length(enc)) <= 0) /* Generate a salt */
+        OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
+        if (RAND_bytes(iv, enc->iv_len) <= 0) /* Generate a salt */
             goto err;
         /*
          * The 'iv' is used as the iv and as a salt.  It is NOT taken from
@@ -356,20 +405,21 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
         if (kstr == (unsigned char *)buf)
             OPENSSL_cleanse(buf, PEM_BUFSIZE);
 
-        OPENSSL_assert(strlen(objstr) + 23 + 2 * EVP_CIPHER_iv_length(enc) + 13
-                       <= sizeof buf);
+        OPENSSL_assert(strlen(objstr) + 23 + 2 * enc->iv_len + 13 <=
+                       sizeof buf);
 
         buf[0] = '\0';
         PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
-        PEM_dek_info(buf, objstr, EVP_CIPHER_iv_length(enc), (char *)iv);
+        PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
         /* k=strlen(buf); */
 
+        EVP_CIPHER_CTX_init(&ctx);
         ret = 1;
-        if ((ctx = EVP_CIPHER_CTX_new()) == NULL
-            || !EVP_EncryptInit_ex(ctx, enc, NULL, key, iv)
-            || !EVP_EncryptUpdate(ctx, data, &j, data, i)
-            || !EVP_EncryptFinal_ex(ctx, &(data[j]), &i))
+        if (!EVP_EncryptInit_ex(&ctx, enc, NULL, key, iv)
+            || !EVP_EncryptUpdate(&ctx, data, &j, data, i)
+            || !EVP_EncryptFinal_ex(&ctx, &(data[j]), &i))
             ret = 0;
+        EVP_CIPHER_CTX_cleanup(&ctx);
         if (ret == 0)
             goto err;
         i += j;
@@ -383,162 +433,127 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
  err:
     OPENSSL_cleanse(key, sizeof(key));
     OPENSSL_cleanse(iv, sizeof(iv));
-    EVP_CIPHER_CTX_free(ctx);
+    OPENSSL_cleanse((char *)&ctx, sizeof(ctx));
     OPENSSL_cleanse(buf, PEM_BUFSIZE);
-    OPENSSL_clear_free(data, (unsigned int)dsize);
+    if (data != NULL) {
+        OPENSSL_cleanse(data, (unsigned int)dsize);
+        OPENSSL_free(data);
+    }
     return (ret);
 }
 
 int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
                   pem_password_cb *callback, void *u)
 {
-    int ok;
-    int keylen;
-    long len = *plen;
-    int ilen = (int) len;       /* EVP_DecryptUpdate etc. take int lengths */
-    EVP_CIPHER_CTX *ctx;
+    int i = 0, j, o, klen;
+    long len;
+    EVP_CIPHER_CTX ctx;
     unsigned char key[EVP_MAX_KEY_LENGTH];
     char buf[PEM_BUFSIZE];
 
-#if LONG_MAX > INT_MAX
-    /* Check that we did not truncate the length */
-    if (len > INT_MAX) {
-        PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_HEADER_TOO_LONG);
-        return 0;
-    }
-#endif
+    len = *plen;
 
     if (cipher->cipher == NULL)
-        return 1;
+        return (1);
     if (callback == NULL)
-        keylen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u);
+        klen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u);
     else
-        keylen = callback(buf, PEM_BUFSIZE, 0, u);
-    if (keylen <= 0) {
+        klen = callback(buf, PEM_BUFSIZE, 0, u);
+    if (klen <= 0) {
         PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ);
-        return 0;
+        return (0);
     }
 #ifdef CHARSET_EBCDIC
     /* Convert the pass phrase from EBCDIC */
-    ebcdic2ascii(buf, buf, keylen);
+    ebcdic2ascii(buf, buf, klen);
 #endif
 
     if (!EVP_BytesToKey(cipher->cipher, EVP_md5(), &(cipher->iv[0]),
-                        (unsigned char *)buf, keylen, 1, key, NULL))
-        return 0;
-
-    ctx = EVP_CIPHER_CTX_new();
-    if (ctx == NULL)
+                        (unsigned char *)buf, klen, 1, key, NULL))
         return 0;
 
-    ok = EVP_DecryptInit_ex(ctx, cipher->cipher, NULL, key, &(cipher->iv[0]));
-    if (ok)
-        ok = EVP_DecryptUpdate(ctx, data, &ilen, data, ilen);
-    if (ok) {
-        /* Squirrel away the length of data decrypted so far. */
-        *plen = ilen;
-        ok = EVP_DecryptFinal_ex(ctx, &(data[ilen]), &ilen);
-    }
-    if (ok)
-        *plen += ilen;
-    else
-        PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_DECRYPT);
-
-    EVP_CIPHER_CTX_free(ctx);
+    j = (int)len;
+    EVP_CIPHER_CTX_init(&ctx);
+    o = EVP_DecryptInit_ex(&ctx, cipher->cipher, NULL, key, &(cipher->iv[0]));
+    if (o)
+        o = EVP_DecryptUpdate(&ctx, data, &i, data, j);
+    if (o)
+        o = EVP_DecryptFinal_ex(&ctx, &(data[i]), &j);
+    EVP_CIPHER_CTX_cleanup(&ctx);
     OPENSSL_cleanse((char *)buf, sizeof(buf));
     OPENSSL_cleanse((char *)key, sizeof(key));
-    return ok;
+    if (o)
+        j += i;
+    else {
+        PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_DECRYPT);
+        return (0);
+    }
+    *plen = j;
+    return (1);
 }
 
-/*
- * This implements a very limited PEM header parser that does not support the
- * full grammar of rfc1421.  In particular, folded headers are not supported,
- * nor is additional whitespace.
- *
- * A robust implementation would make use of a library that turns the headers
- * into a BIO from which one folded line is read at a time, and is then split
- * into a header label and content.  We would then parse the content of the
- * headers we care about.  This is overkill for just this limited use-case, but
- * presumably we also parse rfc822-style headers for S/MIME, so a common
- * abstraction might well be more generally useful.
- */
 int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
 {
-    static const char ProcType[] = "Proc-Type:";
-    static const char ENCRYPTED[] = "ENCRYPTED";
-    static const char DEKInfo[] = "DEK-Info:";
     const EVP_CIPHER *enc = NULL;
-    int ivlen;
-    char *dekinfostart, c;
+    char *p, c;
+    char **header_pp = &header;
 
     cipher->cipher = NULL;
     if ((header == NULL) || (*header == '\0') || (*header == '\n'))
-        return 1;
-
-    if (strncmp(header, ProcType, sizeof(ProcType)-1) != 0) {
+        return (1);
+    if (strncmp(header, "Proc-Type: ", 11) != 0) {
         PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_NOT_PROC_TYPE);
-        return 0;
+        return (0);
     }
-    header += sizeof(ProcType)-1;
-    header += strspn(header, " \t");
-
-    if (*header++ != '4' || *header++ != ',')
-        return 0;
-    header += strspn(header, " \t");
-
-    /* We expect "ENCRYPTED" followed by optional white-space + line break */
-    if (strncmp(header, ENCRYPTED, sizeof(ENCRYPTED)-1) != 0 ||
-        strspn(header+sizeof(ENCRYPTED)-1, " \t\r\n") == 0) {
+    header += 11;
+    if (*header != '4')
+        return (0);
+    header++;
+    if (*header != ',')
+        return (0);
+    header++;
+    if (strncmp(header, "ENCRYPTED", 9) != 0) {
         PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_NOT_ENCRYPTED);
-        return 0;
+        return (0);
     }
-    header += sizeof(ENCRYPTED)-1;
-    header += strspn(header, " \t\r");
-    if (*header++ != '\n') {
+    for (; (*header != '\n') && (*header != '\0'); header++) ;
+    if (*header == '\0') {
         PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_SHORT_HEADER);
-        return 0;
+        return (0);
     }
-
-    /*-
-     * https://tools.ietf.org/html/rfc1421#section-4.6.1.3
-     * We expect "DEK-Info: algo[,hex-parameters]"
-     */
-    if (strncmp(header, DEKInfo, sizeof(DEKInfo)-1) != 0) {
+    header++;
+    if (strncmp(header, "DEK-Info: ", 10) != 0) {
         PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_NOT_DEK_INFO);
-        return 0;
+        return (0);
     }
-    header += sizeof(DEKInfo)-1;
-    header += strspn(header, " \t");
+    header += 10;
 
-    /*
-     * DEK-INFO is a comma-separated combination of algorithm name and optional
-     * parameters.
-     */
-    dekinfostart = header;
-    header += strcspn(header, " \t,");
-    c = *header;
+    p = header;
+    for (;;) {
+        c = *header;
+#ifndef CHARSET_EBCDIC
+        if (!(((c >= 'A') && (c <= 'Z')) || (c == '-') ||
+              ((c >= '0') && (c <= '9'))))
+            break;
+#else
+        if (!(isupper(c) || (c == '-') || isdigit(c)))
+            break;
+#endif
+        header++;
+    }
     *header = '\0';
-    cipher->cipher = enc = EVP_get_cipherbyname(dekinfostart);
+    cipher->cipher = enc = EVP_get_cipherbyname(p);
     *header = c;
-    header += strspn(header, " \t");
+    header++;
 
     if (enc == NULL) {
         PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_UNSUPPORTED_ENCRYPTION);
-        return 0;
-    }
-    ivlen = EVP_CIPHER_iv_length(enc);
-    if (ivlen > 0 && *header++ != ',') {
-        PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_MISSING_DEK_IV);
-        return 0;
-    } else if (ivlen == 0 && *header == ',') {
-        PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_UNEXPECTED_DEK_IV);
-        return 0;
+        return (0);
     }
+    if (!load_iv(header_pp, &(cipher->iv[0]), enc->iv_len))
+        return (0);
 
-    if (!load_iv(&header, cipher->iv, EVP_CIPHER_iv_length(enc)))
-        return 0;
-
-    return 1;
+    return (1);
 }
 
 static int load_iv(char **fromp, unsigned char *to, int num)
@@ -551,8 +566,13 @@ static int load_iv(char **fromp, unsigned char *to, int num)
         to[i] = 0;
     num *= 2;
     for (i = 0; i < num; i++) {
-        v = OPENSSL_hexchar2int(*from);
-        if (v < 0) {
+        if ((*from >= '0') && (*from <= '9'))
+            v = *from - '0';
+        else if ((*from >= 'A') && (*from <= 'F'))
+            v = *from - 'A' + 10;
+        else if ((*from >= 'a') && (*from <= 'f'))
+            v = *from - 'a' + 10;
+        else {
             PEMerr(PEM_F_LOAD_IV, PEM_R_BAD_IV_CHARS);
             return (0);
         }
@@ -564,7 +584,7 @@ static int load_iv(char **fromp, unsigned char *to, int num)
     return (1);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int PEM_write(FILE *fp, const char *name, const char *header,
               const unsigned char *data, long len)
 {
@@ -587,15 +607,10 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
 {
     int nlen, n, i, j, outl;
     unsigned char *buf = NULL;
-    EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
+    EVP_ENCODE_CTX ctx;
     int reason = ERR_R_BUF_LIB;
 
-    if (ctx == NULL) {
-        reason = ERR_R_MALLOC_FAILURE;
-        goto err;
-    }
-
-    EVP_EncodeInit(ctx);
+    EVP_EncodeInit(&ctx);
     nlen = strlen(name);
 
     if ((BIO_write(bp, "-----BEGIN ", 11) != 11) ||
@@ -618,32 +633,34 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
     i = j = 0;
     while (len > 0) {
         n = (int)((len > (PEM_BUFSIZE * 5)) ? (PEM_BUFSIZE * 5) : len);
-        if (!EVP_EncodeUpdate(ctx, buf, &outl, &(data[j]), n))
-            goto err;
+        EVP_EncodeUpdate(&ctx, buf, &outl, &(data[j]), n);
         if ((outl) && (BIO_write(bp, (char *)buf, outl) != outl))
             goto err;
         i += outl;
         len -= n;
         j += n;
     }
-    EVP_EncodeFinal(ctx, buf, &outl);
+    EVP_EncodeFinal(&ctx, buf, &outl);
     if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl))
         goto err;
+    OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
+    OPENSSL_free(buf);
+    buf = NULL;
     if ((BIO_write(bp, "-----END ", 9) != 9) ||
         (BIO_write(bp, name, nlen) != nlen) ||
         (BIO_write(bp, "-----\n", 6) != 6))
         goto err;
-    OPENSSL_clear_free(buf, PEM_BUFSIZE * 8);
-    EVP_ENCODE_CTX_free(ctx);
     return (i + outl);
  err:
-    OPENSSL_clear_free(buf, PEM_BUFSIZE * 8);
-    EVP_ENCODE_CTX_free(ctx);
+    if (buf) {
+        OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
+        OPENSSL_free(buf);
+    }
     PEMerr(PEM_F_PEM_WRITE_BIO, reason);
     return (0);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int PEM_read(FILE *fp, char **name, char **header, unsigned char **data,
              long *len)
 {
@@ -664,23 +681,22 @@ int PEM_read(FILE *fp, char **name, char **header, unsigned char **data,
 int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
                  long *len)
 {
-    EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
+    EVP_ENCODE_CTX ctx;
     int end = 0, i, k, bl = 0, hl = 0, nohead = 0;
     char buf[256];
     BUF_MEM *nameB;
     BUF_MEM *headerB;
     BUF_MEM *dataB, *tmpB;
 
-    if (ctx == NULL) {
-        PEMerr(PEM_F_PEM_READ_BIO, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
-
     nameB = BUF_MEM_new();
     headerB = BUF_MEM_new();
     dataB = BUF_MEM_new();
     if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL)) {
-        goto err;
+        BUF_MEM_free(nameB);
+        BUF_MEM_free(headerB);
+        BUF_MEM_free(dataB);
+        PEMerr(PEM_F_PEM_READ_BIO, ERR_R_MALLOC_FAILURE);
+        return (0);
     }
 
     buf[254] = '\0';
@@ -800,15 +816,15 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
         goto err;
     }
 
-    EVP_DecodeInit(ctx);
-    i = EVP_DecodeUpdate(ctx,
+    EVP_DecodeInit(&ctx);
+    i = EVP_DecodeUpdate(&ctx,
                          (unsigned char *)dataB->data, &bl,
                          (unsigned char *)dataB->data, bl);
     if (i < 0) {
         PEMerr(PEM_F_PEM_READ_BIO, PEM_R_BAD_BASE64_DECODE);
         goto err;
     }
-    i = EVP_DecodeFinal(ctx, (unsigned char *)&(dataB->data[bl]), &k);
+    i = EVP_DecodeFinal(&ctx, (unsigned char *)&(dataB->data[bl]), &k);
     if (i < 0) {
         PEMerr(PEM_F_PEM_READ_BIO, PEM_R_BAD_BASE64_DECODE);
         goto err;
@@ -824,13 +840,11 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,
     OPENSSL_free(nameB);
     OPENSSL_free(headerB);
     OPENSSL_free(dataB);
-    EVP_ENCODE_CTX_free(ctx);
     return (1);
  err:
     BUF_MEM_free(nameB);
     BUF_MEM_free(headerB);
     BUF_MEM_free(dataB);
-    EVP_ENCODE_CTX_free(ctx);
     return (0);
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_oth.c b/Cryptlib/OpenSSL/crypto/pem/pem_oth.c
index cc7a8dbe..1dd3bd7a 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_oth.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_oth.c
@@ -1,17 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_oth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c b/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c
index 993c595a..9edca4de 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_pk8.c
@@ -1,17 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pkcs12.h>
 #include <openssl/pem.h>
@@ -19,12 +69,12 @@
 static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
                       int nid, const EVP_CIPHER *enc,
                       char *kstr, int klen, pem_password_cb *cb, void *u);
-
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
                          int nid, const EVP_CIPHER *enc,
                          char *kstr, int klen, pem_password_cb *cb, void *u);
 #endif
+
 /*
  * These functions write a private key in PKCS#8 format: it is a "drop in"
  * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
@@ -68,8 +118,7 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid,
     PKCS8_PRIV_KEY_INFO *p8inf;
     char buf[PEM_BUFSIZE];
     int ret;
-
-    if ((p8inf = EVP_PKEY2PKCS8(x)) == NULL) {
+    if (!(p8inf = EVP_PKEY2PKCS8(x))) {
         PEMerr(PEM_F_DO_PK8PKEY, PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
         return 0;
     }
@@ -138,13 +187,14 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
     if (!ret)
         return NULL;
     if (x) {
-        EVP_PKEY_free(*x);
+        if (*x)
+            EVP_PKEY_free(*x);
         *x = ret;
     }
     return ret;
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 
 int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                            char *kstr, int klen, pem_password_cb *cb, void *u)
@@ -179,8 +229,7 @@ static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid,
 {
     BIO *bp;
     int ret;
-
-    if ((bp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL) {
+    if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
         PEMerr(PEM_F_DO_PK8PKEY_FP, ERR_R_BUF_LIB);
         return (0);
     }
@@ -194,8 +243,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
 {
     BIO *bp;
     EVP_PKEY *ret;
-
-    if ((bp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL) {
+    if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
         PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP, ERR_R_BUF_LIB);
         return NULL;
     }
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c b/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c
index 63086227..04d6319a 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_pkey.c
@@ -1,24 +1,77 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/pkcs12.h>
 #include <openssl/pem.h>
-#include <openssl/engine.h>
-#include <openssl/dh.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+#ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+#endif
+#include "asn1_locl.h"
 
 int pem_check_suffix(const char *pem_str, const char *suffix);
 
@@ -43,7 +96,8 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
             goto p8err;
         ret = EVP_PKCS82PKEY(p8inf);
         if (x) {
-            EVP_PKEY_free((EVP_PKEY *)*x);
+            if (*x)
+                EVP_PKEY_free((EVP_PKEY *)*x);
             *x = ret;
         }
         PKCS8_PRIV_KEY_INFO_free(p8inf);
@@ -70,7 +124,8 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
             goto p8err;
         ret = EVP_PKCS82PKEY(p8inf);
         if (x) {
-            EVP_PKEY_free((EVP_PKEY *)*x);
+            if (*x)
+                EVP_PKEY_free((EVP_PKEY *)*x);
             *x = ret;
         }
         PKCS8_PRIV_KEY_INFO_free(p8inf);
@@ -86,7 +141,8 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
         PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, ERR_R_ASN1_LIB);
  err:
     OPENSSL_free(nm);
-    OPENSSL_clear_free(data, len);
+    OPENSSL_cleanse(data, len);
+    OPENSSL_free(data);
     return (ret);
 }
 
@@ -94,18 +150,11 @@ int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
                              unsigned char *kstr, int klen,
                              pem_password_cb *cb, void *u)
 {
-    if (x->ameth == NULL || x->ameth->priv_encode != NULL)
+    char pem_str[80];
+    if (!x->ameth || x->ameth->priv_encode)
         return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
                                              (char *)kstr, klen, cb, u);
-    return PEM_write_bio_PrivateKey_traditional(bp, x, enc, kstr, klen, cb, u);
-}
 
-int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x,
-                                         const EVP_CIPHER *enc,
-                                         unsigned char *kstr, int klen,
-                                         pem_password_cb *cb, void *u)
-{
-    char pem_str[80];
     BIO_snprintf(pem_str, 80, "%s PRIVATE KEY", x->ameth->pem_str);
     return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
                               pem_str, bp, x, enc, kstr, klen, cb, u);
@@ -127,7 +176,7 @@ EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x)
 
     if ((slen = pem_check_suffix(nm, "PARAMETERS")) > 0) {
         ret = EVP_PKEY_new();
-        if (ret == NULL)
+        if (!ret)
             goto err;
         if (!EVP_PKEY_set_type_str(ret, nm, slen)
             || !ret->ameth->param_decode
@@ -137,7 +186,8 @@ EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x)
             goto err;
         }
         if (x) {
-            EVP_PKEY_free((EVP_PKEY *)*x);
+            if (*x)
+                EVP_PKEY_free((EVP_PKEY *)*x);
             *x = ret;
         }
     }
@@ -160,7 +210,7 @@ int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x)
                               pem_str, bp, x, NULL, NULL, 0, 0, NULL);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
                               void *u)
 {
@@ -211,7 +261,7 @@ DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u)
         return NULL;
     p = data;
 
-    if (strcmp(nm, PEM_STRING_DHXPARAMS) == 0)
+    if (!strcmp(nm, PEM_STRING_DHXPARAMS))
         ret = d2i_DHxparams(x, &p, len);
     else
         ret = d2i_DHparams(x, &p, len);
@@ -223,7 +273,7 @@ DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u)
     return ret;
 }
 
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u)
 {
     BIO *b;
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_seal.c b/Cryptlib/OpenSSL/crypto/pem/pem_seal.c
new file mode 100644
index 00000000..a5c18125
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_seal.c
@@ -0,0 +1,191 @@
+/* crypto/pem/pem_seal.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/opensslconf.h> /* for OPENSSL_NO_RSA */
+#ifndef OPENSSL_NO_RSA
+# include <stdio.h>
+# include "cryptlib.h"
+# include <openssl/evp.h>
+# include <openssl/rand.h>
+# include <openssl/objects.h>
+# include <openssl/x509.h>
+# include <openssl/pem.h>
+# include <openssl/rsa.h>
+
+int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
+                 unsigned char **ek, int *ekl, unsigned char *iv,
+                 EVP_PKEY **pubk, int npubk)
+{
+    unsigned char key[EVP_MAX_KEY_LENGTH];
+    int ret = -1;
+    int i, j, max = 0;
+    char *s = NULL;
+
+    for (i = 0; i < npubk; i++) {
+        if (pubk[i]->type != EVP_PKEY_RSA) {
+            PEMerr(PEM_F_PEM_SEALINIT, PEM_R_PUBLIC_KEY_NO_RSA);
+            goto err;
+        }
+        j = RSA_size(pubk[i]->pkey.rsa);
+        if (j > max)
+            max = j;
+    }
+    s = (char *)OPENSSL_malloc(max * 2);
+    if (s == NULL) {
+        PEMerr(PEM_F_PEM_SEALINIT, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    EVP_EncodeInit(&ctx->encode);
+
+    EVP_MD_CTX_init(&ctx->md);
+    if (!EVP_SignInit(&ctx->md, md_type))
+        goto err;
+
+    EVP_CIPHER_CTX_init(&ctx->cipher);
+    ret = EVP_SealInit(&ctx->cipher, type, ek, ekl, iv, pubk, npubk);
+    if (ret <= 0)
+        goto err;
+
+    /* base64 encode the keys */
+    for (i = 0; i < npubk; i++) {
+        j = EVP_EncodeBlock((unsigned char *)s, ek[i],
+                            RSA_size(pubk[i]->pkey.rsa));
+        ekl[i] = j;
+        memcpy(ek[i], s, j + 1);
+    }
+
+    ret = npubk;
+ err:
+    if (s != NULL)
+        OPENSSL_free(s);
+    OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
+    return (ret);
+}
+
+void PEM_SealUpdate(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *out, int *outl,
+                    unsigned char *in, int inl)
+{
+    unsigned char buffer[1600];
+    int i, j;
+
+    *outl = 0;
+    EVP_SignUpdate(&ctx->md, in, inl);
+    for (;;) {
+        if (inl <= 0)
+            break;
+        if (inl > 1200)
+            i = 1200;
+        else
+            i = inl;
+        EVP_EncryptUpdate(&ctx->cipher, buffer, &j, in, i);
+        EVP_EncodeUpdate(&ctx->encode, out, &j, buffer, j);
+        *outl += j;
+        out += j;
+        in += i;
+        inl -= i;
+    }
+}
+
+int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl,
+                  unsigned char *out, int *outl, EVP_PKEY *priv)
+{
+    unsigned char *s = NULL;
+    int ret = 0, j;
+    unsigned int i;
+
+    if (priv->type != EVP_PKEY_RSA) {
+        PEMerr(PEM_F_PEM_SEALFINAL, PEM_R_PUBLIC_KEY_NO_RSA);
+        goto err;
+    }
+    i = RSA_size(priv->pkey.rsa);
+    if (i < 100)
+        i = 100;
+    s = (unsigned char *)OPENSSL_malloc(i * 2);
+    if (s == NULL) {
+        PEMerr(PEM_F_PEM_SEALFINAL, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (!EVP_EncryptFinal_ex(&ctx->cipher, s, (int *)&i))
+        goto err;
+    EVP_EncodeUpdate(&ctx->encode, out, &j, s, i);
+    *outl = j;
+    out += j;
+    EVP_EncodeFinal(&ctx->encode, out, &j);
+    *outl += j;
+
+    if (!EVP_SignFinal(&ctx->md, s, &i, priv))
+        goto err;
+    *sigl = EVP_EncodeBlock(sig, s, i);
+
+    ret = 1;
+ err:
+    EVP_MD_CTX_cleanup(&ctx->md);
+    EVP_CIPHER_CTX_cleanup(&ctx->cipher);
+    if (s != NULL)
+        OPENSSL_free(s);
+    return (ret);
+}
+#else                           /* !OPENSSL_NO_RSA */
+
+# if PEDANTIC
+static void *dummy = &dummy;
+# endif
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_sign.c b/Cryptlib/OpenSSL/crypto/pem/pem_sign.c
index 12ad9745..b5e5c29b 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_sign.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_sign.c
@@ -1,27 +1,77 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/rand.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-int PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
+void PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
 {
-    return EVP_DigestInit_ex(ctx, type, NULL);
+    EVP_DigestInit_ex(ctx, type, NULL);
 }
 
-int PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data, unsigned int count)
+void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data, unsigned int count)
 {
-    return EVP_DigestUpdate(ctx, data, count);
+    EVP_DigestUpdate(ctx, data, count);
 }
 
 int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
@@ -31,7 +81,7 @@ int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
     int i, ret = 0;
     unsigned int m_len;
 
-    m = OPENSSL_malloc(EVP_PKEY_size(pkey) + 2);
+    m = (unsigned char *)OPENSSL_malloc(EVP_PKEY_size(pkey) + 2);
     if (m == NULL) {
         PEMerr(PEM_F_PEM_SIGNFINAL, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -45,6 +95,7 @@ int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
     ret = 1;
  err:
     /* ctx has been zeroed by EVP_SignFinal() */
-    OPENSSL_free(m);
+    if (m != NULL)
+        OPENSSL_free(m);
     return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_x509.c b/Cryptlib/OpenSSL/crypto/pem/pem_x509.c
index 3a997564..3c20ff28 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_x509.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_x509.c
@@ -1,14 +1,64 @@
+/* pem_x509.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
diff --git a/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c b/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c
index 6d7e1db2..c5234301 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pem_xaux.c
@@ -1,14 +1,64 @@
+/* pem_xaux.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
@@ -16,3 +66,5 @@
 #include <openssl/pem.h>
 
 IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
+IMPLEMENT_PEM_rw(X509_CERT_PAIR, X509_CERT_PAIR, PEM_STRING_X509_PAIR,
+                 X509_CERT_PAIR)
diff --git a/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c b/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c
index 248704ec..1ce5a1e3 100644
--- a/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c
+++ b/Cryptlib/OpenSSL/crypto/pem/pvkfmt.c
@@ -1,10 +1,59 @@
 /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -12,7 +61,7 @@
  * and PRIVATEKEYBLOB).
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 #include <openssl/bn.h>
@@ -44,11 +93,23 @@ static unsigned int read_ledword(const unsigned char **in)
 
 static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
 {
-    *r = BN_lebin2bn(*in, nbyte, NULL);
-    if (*r == NULL)
+    const unsigned char *p;
+    unsigned char *tmpbuf, *q;
+    unsigned int i;
+    p = *in + nbyte - 1;
+    tmpbuf = OPENSSL_malloc(nbyte);
+    if (!tmpbuf)
+        return 0;
+    q = tmpbuf;
+    for (i = 0; i < nbyte; i++)
+        *q++ = *p--;
+    *r = BN_bin2bn(tmpbuf, nbyte, NULL);
+    OPENSSL_free(tmpbuf);
+    if (*r) {
+        *in += nbyte;
+        return 1;
+    } else
         return 0;
-    *in += nbyte;
-    return 1;
 }
 
 /* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
@@ -78,9 +139,9 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
 /* Maximum salt length */
 # define PVK_MAX_SALTLEN         10240
 
-static EVP_PKEY *b2i_rsa(const unsigned char **in,
+static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
                          unsigned int bitlen, int ispub);
-static EVP_PKEY *b2i_dss(const unsigned char **in,
+static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
                          unsigned int bitlen, int ispub);
 
 static int do_blob_header(const unsigned char **in, unsigned int length,
@@ -193,9 +254,9 @@ static EVP_PKEY *do_b2i(const unsigned char **in, unsigned int length,
         return NULL;
     }
     if (isdss)
-        return b2i_dss(&p, bitlen, ispub);
+        return b2i_dss(&p, length, bitlen, ispub);
     else
-        return b2i_rsa(&p, bitlen, ispub);
+        return b2i_rsa(&p, length, bitlen, ispub);
 }
 
 static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
@@ -219,7 +280,7 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
         return NULL;
     }
     buf = OPENSSL_malloc(length);
-    if (buf == NULL) {
+    if (!buf) {
         PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -230,16 +291,17 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
     }
 
     if (isdss)
-        ret = b2i_dss(&p, bitlen, ispub);
+        ret = b2i_dss(&p, length, bitlen, ispub);
     else
-        ret = b2i_rsa(&p, bitlen, ispub);
+        ret = b2i_rsa(&p, length, bitlen, ispub);
 
  err:
-    OPENSSL_free(buf);
+    if (buf)
+        OPENSSL_free(buf);
     return ret;
 }
 
-static EVP_PKEY *b2i_dss(const unsigned char **in,
+static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
                          unsigned int bitlen, int ispub)
 {
     const unsigned char *p = *in;
@@ -247,48 +309,35 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
     DSA *dsa = NULL;
     BN_CTX *ctx = NULL;
     unsigned int nbyte;
-    BIGNUM *pbn = NULL, *qbn = NULL, *gbn = NULL, *priv_key = NULL;
-    BIGNUM *pub_key = NULL;
-
     nbyte = (bitlen + 7) >> 3;
 
     dsa = DSA_new();
     ret = EVP_PKEY_new();
-    if (dsa == NULL || ret == NULL)
+    if (!dsa || !ret)
         goto memerr;
-    if (!read_lebn(&p, nbyte, &pbn))
+    if (!read_lebn(&p, nbyte, &dsa->p))
         goto memerr;
-
-    if (!read_lebn(&p, 20, &qbn))
+    if (!read_lebn(&p, 20, &dsa->q))
         goto memerr;
-
-    if (!read_lebn(&p, nbyte, &gbn))
+    if (!read_lebn(&p, nbyte, &dsa->g))
         goto memerr;
-
     if (ispub) {
-        if (!read_lebn(&p, nbyte, &pub_key))
+        if (!read_lebn(&p, nbyte, &dsa->pub_key))
             goto memerr;
     } else {
-        if (!read_lebn(&p, 20, &priv_key))
+        if (!read_lebn(&p, 20, &dsa->priv_key))
             goto memerr;
-
         /* Calculate public key */
-        pub_key = BN_new();
-        if (pub_key == NULL)
+        if (!(dsa->pub_key = BN_new()))
             goto memerr;
-        if ((ctx = BN_CTX_new()) == NULL)
+        if (!(ctx = BN_CTX_new()))
             goto memerr;
 
-        if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx))
-            goto memerr;
+        if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx))
 
+            goto memerr;
         BN_CTX_free(ctx);
     }
-    if (!DSA_set0_pqg(dsa, pbn, qbn, gbn))
-        goto memerr;
-    pbn = qbn = gbn = NULL;
-    if (!DSA_set0_key(dsa, pub_key, priv_key))
-        goto memerr;
 
     EVP_PKEY_set1_DSA(ret, dsa);
     DSA_free(dsa);
@@ -297,73 +346,60 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
 
  memerr:
     PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE);
-    DSA_free(dsa);
-    BN_free(pbn);
-    BN_free(qbn);
-    BN_free(gbn);
-    BN_free(pub_key);
-    BN_free(priv_key);
-    EVP_PKEY_free(ret);
-    BN_CTX_free(ctx);
+    if (dsa)
+        DSA_free(dsa);
+    if (ret)
+        EVP_PKEY_free(ret);
+    if (ctx)
+        BN_CTX_free(ctx);
     return NULL;
 }
 
-static EVP_PKEY *b2i_rsa(const unsigned char **in,
+static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
                          unsigned int bitlen, int ispub)
 {
-    const unsigned char *pin = *in;
+    const unsigned char *p = *in;
     EVP_PKEY *ret = NULL;
-    BIGNUM *e = NULL, *n = NULL, *d = NULL;
-    BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
     RSA *rsa = NULL;
     unsigned int nbyte, hnbyte;
     nbyte = (bitlen + 7) >> 3;
     hnbyte = (bitlen + 15) >> 4;
     rsa = RSA_new();
     ret = EVP_PKEY_new();
-    if (rsa == NULL || ret == NULL)
+    if (!rsa || !ret)
         goto memerr;
-    e = BN_new();
-    if (e == NULL)
+    rsa->e = BN_new();
+    if (!rsa->e)
         goto memerr;
-    if (!BN_set_word(e, read_ledword(&pin)))
+    if (!BN_set_word(rsa->e, read_ledword(&p)))
         goto memerr;
-    if (!read_lebn(&pin, nbyte, &n))
+    if (!read_lebn(&p, nbyte, &rsa->n))
         goto memerr;
     if (!ispub) {
-        if (!read_lebn(&pin, hnbyte, &p))
+        if (!read_lebn(&p, hnbyte, &rsa->p))
             goto memerr;
-        if (!read_lebn(&pin, hnbyte, &q))
+        if (!read_lebn(&p, hnbyte, &rsa->q))
             goto memerr;
-        if (!read_lebn(&pin, hnbyte, &dmp1))
+        if (!read_lebn(&p, hnbyte, &rsa->dmp1))
             goto memerr;
-        if (!read_lebn(&pin, hnbyte, &dmq1))
+        if (!read_lebn(&p, hnbyte, &rsa->dmq1))
             goto memerr;
-        if (!read_lebn(&pin, hnbyte, &iqmp))
+        if (!read_lebn(&p, hnbyte, &rsa->iqmp))
             goto memerr;
-        if (!read_lebn(&pin, nbyte, &d))
+        if (!read_lebn(&p, nbyte, &rsa->d))
             goto memerr;
-        RSA_set0_factors(rsa, p, q);
-        RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
     }
-    RSA_set0_key(rsa, n, e, d);
 
     EVP_PKEY_set1_RSA(ret, rsa);
     RSA_free(rsa);
-    *in = pin;
+    *in = p;
     return ret;
  memerr:
     PEMerr(PEM_F_B2I_RSA, ERR_R_MALLOC_FAILURE);
-    BN_free(e);
-    BN_free(n);
-    BN_free(p);
-    BN_free(q);
-    BN_free(dmp1);
-    BN_free(dmq1);
-    BN_free(iqmp);
-    BN_free(d);
-    RSA_free(rsa);
-    EVP_PKEY_free(ret);
+    if (rsa)
+        RSA_free(rsa);
+    if (ret)
+        EVP_PKEY_free(ret);
     return NULL;
 }
 
@@ -399,8 +435,26 @@ static void write_ledword(unsigned char **out, unsigned int dw)
 
 static void write_lebn(unsigned char **out, const BIGNUM *bn, int len)
 {
-    BN_bn2lebinpad(bn, *out, len);
-    *out += len;
+    int nb, i;
+    unsigned char *p = *out, *q, c;
+    nb = BN_num_bytes(bn);
+    BN_bn2bin(bn, p);
+    q = p + nb - 1;
+    /* In place byte order reversal */
+    for (i = 0; i < nb / 2; i++) {
+        c = *p;
+        *p++ = *q;
+        *q-- = c;
+    }
+    *out += nb;
+    /* Pad with zeroes if we have to */
+    if (len > 0) {
+        len -= nb;
+        if (len > 0) {
+            memset(*out, 0, len);
+            *out += len;
+        }
+    }
 }
 
 static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *magic);
@@ -414,12 +468,11 @@ static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
     unsigned char *p;
     unsigned int bitlen, magic = 0, keyalg;
     int outlen, noinc = 0;
-    int pktype = EVP_PKEY_id(pk);
-    if (pktype == EVP_PKEY_DSA) {
-        bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic);
+    if (pk->type == EVP_PKEY_DSA) {
+        bitlen = check_bitlen_dsa(pk->pkey.dsa, ispub, &magic);
         keyalg = MS_KEYALG_DSS_SIGN;
-    } else if (pktype == EVP_PKEY_RSA) {
-        bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic);
+    } else if (pk->type == EVP_PKEY_RSA) {
+        bitlen = check_bitlen_rsa(pk->pkey.rsa, ispub, &magic);
         keyalg = MS_KEYALG_RSA_KEYX;
     } else
         return -1;
@@ -433,7 +486,7 @@ static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
         p = *out;
     else {
         p = OPENSSL_malloc(outlen);
-        if (p == NULL)
+        if (!p)
             return -1;
         *out = p;
         noinc = 1;
@@ -449,9 +502,9 @@ static int do_i2b(unsigned char **out, EVP_PKEY *pk, int ispub)
     write_ledword(&p, magic);
     write_ledword(&p, bitlen);
     if (keyalg == MS_KEYALG_DSS_SIGN)
-        write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub);
+        write_dsa(&p, pk->pkey.dsa, ispub);
     else
-        write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub);
+        write_rsa(&p, pk->pkey.rsa, ispub);
     if (!noinc)
         *out += outlen;
     return outlen;
@@ -474,21 +527,16 @@ static int do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub)
 static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic)
 {
     int bitlen;
-    const BIGNUM *p = NULL, *q = NULL, *g = NULL;
-    const BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-    DSA_get0_pqg(dsa, &p, &q, &g);
-    DSA_get0_key(dsa, &pub_key, &priv_key);
-    bitlen = BN_num_bits(p);
-    if ((bitlen & 7) || (BN_num_bits(q) != 160)
-        || (BN_num_bits(g) > bitlen))
+    bitlen = BN_num_bits(dsa->p);
+    if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160)
+        || (BN_num_bits(dsa->g) > bitlen))
         goto badkey;
     if (ispub) {
-        if (BN_num_bits(pub_key) > bitlen)
+        if (BN_num_bits(dsa->pub_key) > bitlen)
             goto badkey;
         *pmagic = MS_DSS1MAGIC;
     } else {
-        if (BN_num_bits(priv_key) > 160)
+        if (BN_num_bits(dsa->priv_key) > 160)
             goto badkey;
         *pmagic = MS_DSS2MAGIC;
     }
@@ -502,35 +550,26 @@ static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic)
 static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic)
 {
     int nbyte, hnbyte, bitlen;
-    const BIGNUM *e;
-
-    RSA_get0_key(rsa, NULL, &e, NULL);
-    if (BN_num_bits(e) > 32)
+    if (BN_num_bits(rsa->e) > 32)
         goto badkey;
-    bitlen = RSA_bits(rsa);
-    nbyte = RSA_size(rsa);
-    hnbyte = (bitlen + 15) >> 4;
+    bitlen = BN_num_bits(rsa->n);
+    nbyte = BN_num_bytes(rsa->n);
+    hnbyte = (BN_num_bits(rsa->n) + 15) >> 4;
     if (ispub) {
         *pmagic = MS_RSA1MAGIC;
         return bitlen;
     } else {
-        const BIGNUM *d, *p, *q, *iqmp, *dmp1, *dmq1;
-
         *pmagic = MS_RSA2MAGIC;
-
         /*
          * For private key each component must fit within nbyte or hnbyte.
          */
-        RSA_get0_key(rsa, NULL, NULL, &d);
-        if (BN_num_bytes(d) > nbyte)
+        if (BN_num_bytes(rsa->d) > nbyte)
             goto badkey;
-        RSA_get0_factors(rsa, &p, &q);
-        RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
-        if ((BN_num_bytes(iqmp) > hnbyte)
-            || (BN_num_bytes(p) > hnbyte)
-            || (BN_num_bytes(q) > hnbyte)
-            || (BN_num_bytes(dmp1) > hnbyte)
-            || (BN_num_bytes(dmq1) > hnbyte))
+        if ((BN_num_bytes(rsa->iqmp) > hnbyte)
+            || (BN_num_bytes(rsa->p) > hnbyte)
+            || (BN_num_bytes(rsa->q) > hnbyte)
+            || (BN_num_bytes(rsa->dmp1) > hnbyte)
+            || (BN_num_bytes(rsa->dmq1) > hnbyte))
             goto badkey;
     }
     return bitlen;
@@ -542,41 +581,31 @@ static int check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic)
 static void write_rsa(unsigned char **out, RSA *rsa, int ispub)
 {
     int nbyte, hnbyte;
-    const BIGNUM *n, *d, *e, *p, *q, *iqmp, *dmp1, *dmq1;
-
-    nbyte = RSA_size(rsa);
-    hnbyte = (RSA_bits(rsa) + 15) >> 4;
-    RSA_get0_key(rsa, &n, &e, &d);
-    write_lebn(out, e, 4);
-    write_lebn(out, n, nbyte);
+    nbyte = BN_num_bytes(rsa->n);
+    hnbyte = (BN_num_bits(rsa->n) + 15) >> 4;
+    write_lebn(out, rsa->e, 4);
+    write_lebn(out, rsa->n, -1);
     if (ispub)
         return;
-    RSA_get0_factors(rsa, &p, &q);
-    RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
-    write_lebn(out, p, hnbyte);
-    write_lebn(out, q, hnbyte);
-    write_lebn(out, dmp1, hnbyte);
-    write_lebn(out, dmq1, hnbyte);
-    write_lebn(out, iqmp, hnbyte);
-    write_lebn(out, d, nbyte);
+    write_lebn(out, rsa->p, hnbyte);
+    write_lebn(out, rsa->q, hnbyte);
+    write_lebn(out, rsa->dmp1, hnbyte);
+    write_lebn(out, rsa->dmq1, hnbyte);
+    write_lebn(out, rsa->iqmp, hnbyte);
+    write_lebn(out, rsa->d, nbyte);
 }
 
 static void write_dsa(unsigned char **out, DSA *dsa, int ispub)
 {
     int nbyte;
-    const BIGNUM *p = NULL, *q = NULL, *g = NULL;
-    const BIGNUM *pub_key = NULL, *priv_key = NULL;
-
-    DSA_get0_pqg(dsa, &p, &q, &g);
-    DSA_get0_key(dsa, &pub_key, &priv_key);
-    nbyte = BN_num_bytes(p);
-    write_lebn(out, p, nbyte);
-    write_lebn(out, q, 20);
-    write_lebn(out, g, nbyte);
+    nbyte = BN_num_bytes(dsa->p);
+    write_lebn(out, dsa->p, nbyte);
+    write_lebn(out, dsa->q, 20);
+    write_lebn(out, dsa->g, nbyte);
     if (ispub)
-        write_lebn(out, pub_key, nbyte);
+        write_lebn(out, dsa->pub_key, nbyte);
     else
-        write_lebn(out, priv_key, 20);
+        write_lebn(out, dsa->priv_key, 20);
     /* Set "invalid" for seed structure values */
     memset(*out, 0xff, 24);
     *out += 24;
@@ -642,16 +671,16 @@ static int derive_pvk_key(unsigned char *key,
                           const unsigned char *salt, unsigned int saltlen,
                           const unsigned char *pass, int passlen)
 {
-    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+    EVP_MD_CTX mctx;
     int rv = 1;
-    if (mctx == NULL
-        || !EVP_DigestInit_ex(mctx, EVP_sha1(), NULL)
-        || !EVP_DigestUpdate(mctx, salt, saltlen)
-        || !EVP_DigestUpdate(mctx, pass, passlen)
-        || !EVP_DigestFinal_ex(mctx, key, NULL))
+    EVP_MD_CTX_init(&mctx);
+    if (!EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL)
+        || !EVP_DigestUpdate(&mctx, salt, saltlen)
+        || !EVP_DigestUpdate(&mctx, pass, passlen)
+        || !EVP_DigestFinal_ex(&mctx, key, NULL))
         rv = 0;
 
-    EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_cleanup(&mctx);
     return rv;
 }
 
@@ -663,8 +692,8 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
     const unsigned char *p = *in;
     unsigned int magic;
     unsigned char *enctmp = NULL, *q;
-
-    EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
+    EVP_CIPHER_CTX cctx;
+    EVP_CIPHER_CTX_init(&cctx);
     if (saltlen) {
         char psbuf[PEM_BUFSIZE];
         unsigned char keybuf[20];
@@ -678,7 +707,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
             goto err;
         }
         enctmp = OPENSSL_malloc(keylen + 8);
-        if (enctmp == NULL) {
+        if (!enctmp) {
             PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
             goto err;
         }
@@ -695,22 +724,22 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
         }
         inlen = keylen - 8;
         q = enctmp + 8;
-        if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
+        if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
             goto err;
-        if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
+        if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
             goto err;
-        if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
+        if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen))
             goto err;
         magic = read_ledword((const unsigned char **)&q);
         if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
             q = enctmp + 8;
             memset(keybuf + 5, 0, 11);
-            if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
+            if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
                 goto err;
             OPENSSL_cleanse(keybuf, 20);
-            if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
+            if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
                 goto err;
-            if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
+            if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen))
                 goto err;
             magic = read_ledword((const unsigned char **)&q);
             if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
@@ -724,8 +753,9 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
 
     ret = b2i_PrivateKey(&p, keylen);
  err:
-    EVP_CIPHER_CTX_free(cctx);
-    OPENSSL_free(enctmp);
+    EVP_CIPHER_CTX_cleanup(&cctx);
+    if (enctmp && saltlen)
+        OPENSSL_free(enctmp);
     return ret;
 }
 
@@ -746,7 +776,7 @@ EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
         return 0;
     buflen = (int)keylen + saltlen;
     buf = OPENSSL_malloc(buflen);
-    if (buf == NULL) {
+    if (!buf) {
         PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -758,7 +788,10 @@ EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
     ret = do_PVK_body(&p, saltlen, keylen, cb, u);
 
  err:
-    OPENSSL_clear_free(buf, buflen);
+    if (buf) {
+        OPENSSL_cleanse(buf, buflen);
+        OPENSSL_free(buf);
+    }
     return ret;
 }
 
@@ -766,33 +799,31 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel,
                    pem_password_cb *cb, void *u)
 {
     int outlen = 24, pklen;
-    unsigned char *p = NULL, *start = NULL, *salt = NULL;
-    EVP_CIPHER_CTX *cctx = NULL;
+    unsigned char *p, *salt = NULL;
+    EVP_CIPHER_CTX cctx;
+    EVP_CIPHER_CTX_init(&cctx);
     if (enclevel)
         outlen += PVK_SALTLEN;
     pklen = do_i2b(NULL, pk, 0);
     if (pklen < 0)
         return -1;
     outlen += pklen;
-    if (out == NULL)
+    if (!out)
         return outlen;
-    if (*out != NULL) {
+    if (*out)
         p = *out;
-    } else {
-        start = p = OPENSSL_malloc(outlen);
-        if (p == NULL) {
+    else {
+        p = OPENSSL_malloc(outlen);
+        if (!p) {
             PEMerr(PEM_F_I2B_PVK, ERR_R_MALLOC_FAILURE);
             return -1;
         }
+        *out = p;
     }
 
-    cctx = EVP_CIPHER_CTX_new();
-    if (cctx == NULL)
-        goto error;
-
     write_ledword(&p, MS_PVKMAGIC);
     write_ledword(&p, 0);
-    if (EVP_PKEY_id(pk) == EVP_PKEY_DSA)
+    if (pk->type == EVP_PKEY_DSA)
         write_ledword(&p, MS_KEYTYPE_SIGN);
     else
         write_ledword(&p, MS_KEYTYPE_KEYX);
@@ -806,7 +837,9 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel,
         p += PVK_SALTLEN;
     }
     do_i2b(&p, pk, 0);
-    if (enclevel != 0) {
+    if (enclevel == 0)
+        return outlen;
+    else {
         char psbuf[PEM_BUFSIZE];
         unsigned char keybuf[20];
         int enctmplen, inlen;
@@ -824,26 +857,19 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY *pk, int enclevel,
         if (enclevel == 1)
             memset(keybuf + 5, 0, 11);
         p = salt + PVK_SALTLEN + 8;
-        if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL))
+        if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
             goto error;
         OPENSSL_cleanse(keybuf, 20);
-        if (!EVP_DecryptUpdate(cctx, p, &enctmplen, p, pklen - 8))
+        if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8))
             goto error;
-        if (!EVP_DecryptFinal_ex(cctx, p + enctmplen, &enctmplen))
+        if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen))
             goto error;
     }
-
-    EVP_CIPHER_CTX_free(cctx);
-
-    if (*out == NULL)
-        *out = start;
-
+    EVP_CIPHER_CTX_cleanup(&cctx);
     return outlen;
 
  error:
-    EVP_CIPHER_CTX_free(cctx);
-    if (*out == NULL)
-        OPENSSL_free(start);
+    EVP_CIPHER_CTX_cleanup(&cctx);
     return -1;
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c
index 193ed809..d9f03a39 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_add.c
@@ -1,16 +1,65 @@
+/* p12_add.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
-#include "p12_lcl.h"
 
 /* Pack an object into an OCTET STRING and turn into a safebag */
 
@@ -19,8 +68,7 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
 {
     PKCS12_BAGS *bag;
     PKCS12_SAFEBAG *safebag;
-
-    if ((bag = PKCS12_BAGS_new()) == NULL) {
+    if (!(bag = PKCS12_BAGS_new())) {
         PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -29,7 +77,7 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
         PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    if ((safebag = PKCS12_SAFEBAG_new()) == NULL) {
+    if (!(safebag = PKCS12_SAFEBAG_new())) {
         PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -42,17 +90,64 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
     return NULL;
 }
 
+/* Turn PKCS8 object into a keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
+{
+    PKCS12_SAFEBAG *bag;
+    if (!(bag = PKCS12_SAFEBAG_new())) {
+        PKCS12err(PKCS12_F_PKCS12_MAKE_KEYBAG, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    bag->type = OBJ_nid2obj(NID_keyBag);
+    bag->value.keybag = p8;
+    return bag;
+}
+
+/* Turn PKCS8 object into a shrouded keybag */
+
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
+                                     int passlen, unsigned char *salt,
+                                     int saltlen, int iter,
+                                     PKCS8_PRIV_KEY_INFO *p8)
+{
+    PKCS12_SAFEBAG *bag;
+    const EVP_CIPHER *pbe_ciph;
+
+    /* Set up the safe bag */
+    if (!(bag = PKCS12_SAFEBAG_new())) {
+        PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+
+    bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+
+    pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+
+    if (pbe_ciph)
+        pbe_nid = -1;
+
+    if (!(bag->value.shkeybag =
+          PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
+                        p8))) {
+        PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+        PKCS12_SAFEBAG_free(bag);
+        return NULL;
+    }
+
+    return bag;
+}
+
 /* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
 PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
 {
     PKCS7 *p7;
-
-    if ((p7 = PKCS7_new()) == NULL) {
+    if (!(p7 = PKCS7_new())) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     p7->type = OBJ_nid2obj(NID_pkcs7_data);
-    if ((p7->d.data = ASN1_OCTET_STRING_new()) == NULL) {
+    if (!(p7->d.data = M_ASN1_OCTET_STRING_new())) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -88,8 +183,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
     PKCS7 *p7;
     X509_ALGOR *pbe;
     const EVP_CIPHER *pbe_ciph;
-
-    if ((p7 = PKCS7_new()) == NULL) {
+    if (!(p7 = PKCS7_new())) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -112,7 +206,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
     }
     X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
     p7->d.encrypted->enc_data->algorithm = pbe;
-    ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
+    M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
     if (!(p7->d.encrypted->enc_data->enc_data =
           PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass,
                                   passlen, bags, 1))) {
@@ -138,7 +232,7 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
                                    p7->d.encrypted->enc_data->enc_data, 1);
 }
 
-PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag,
+PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag,
                                          const char *pass, int passlen)
 {
     return PKCS8_decrypt(bag->value.shkeybag, pass, passlen);
@@ -152,7 +246,7 @@ int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes)
     return 0;
 }
 
-STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
+STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12)
 {
     if (!PKCS7_type_is_data(p12->authsafes)) {
         PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c
index f2bfe32e..370ddbd6 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_asn.c
@@ -1,17 +1,66 @@
+/* p12_asn.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pkcs12.h>
-#include "p12_lcl.h"
 
 /* PKCS#12 ASN1 module */
 
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c
index c324f505..fff3ba1e 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_attr.c
@@ -1,16 +1,65 @@
+/* p12_attr.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
-#include "p12_lcl.h"
 
 /* Add a local keyid to a safebag */
 
@@ -28,9 +77,13 @@ int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
 
 int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
 {
-    unsigned char us_val = (unsigned char)usage;
-    return PKCS8_pkey_add1_attr_by_NID(p8, NID_key_usage,
-                                       V_ASN1_BIT_STRING, &us_val, 1);
+    unsigned char us_val;
+    us_val = (unsigned char)usage;
+    if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage,
+                                V_ASN1_BIT_STRING, &us_val, 1))
+        return 1;
+    else
+        return 0;
 }
 
 /* Add a friendlyname to a safebag */
@@ -45,16 +98,6 @@ int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
         return 0;
 }
 
-int PKCS12_add_friendlyname_utf8(PKCS12_SAFEBAG *bag, const char *name,
-                                int namelen)
-{
-    if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
-                                MBSTRING_UTF8, (unsigned char *)name, namelen))
-        return 1;
-    else
-        return 0;
-}
-
 int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
                                 const unsigned char *name, int namelen)
 {
@@ -74,30 +117,31 @@ int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen)
         return 0;
 }
 
-ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
-                               int attr_nid)
+ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
 {
     X509_ATTRIBUTE *attrib;
     int i;
-    i = X509at_get_attr_by_NID(attrs, attr_nid, -1);
-    attrib = X509at_get_attr(attrs, i);
-    return X509_ATTRIBUTE_get0_type(attrib, 0);
+    if (!attrs)
+        return NULL;
+    for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
+        attrib = sk_X509_ATTRIBUTE_value(attrs, i);
+        if (OBJ_obj2nid(attrib->object) == attr_nid) {
+            if (sk_ASN1_TYPE_num(attrib->value.set))
+                return sk_ASN1_TYPE_value(attrib->value.set, 0);
+            else
+                return NULL;
+        }
+    }
+    return NULL;
 }
 
 char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
 {
-    const ASN1_TYPE *atype;
-
-    if ((atype = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)) == NULL)
+    ASN1_TYPE *atype;
+    if (!(atype = PKCS12_get_attr(bag, NID_friendlyName)))
         return NULL;
     if (atype->type != V_ASN1_BMPSTRING)
         return NULL;
-    return OPENSSL_uni2utf8(atype->value.bmpstring->data,
-                            atype->value.bmpstring->length);
-}
-
-const STACK_OF(X509_ATTRIBUTE) *
-PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag)
-{
-    return bag->attrib;
+    return OPENSSL_uni2asc(atype->value.bmpstring->data,
+                           atype->value.bmpstring->length);
 }
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c
index feef9d1f..9c2dcab0 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crpt.c
@@ -1,14 +1,64 @@
+/* p12_crpt.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
 /* PKCS#12 PBE algorithms now in static table */
@@ -24,22 +74,21 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
     PBEPARAM *pbe;
     int saltlen, iter, ret;
     unsigned char *salt;
+    const unsigned char *pbuf;
     unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
-    int (*pkcs12_key_gen)(const char *pass, int passlen,
-                          unsigned char *salt, int slen,
-                          int id, int iter, int n,
-                          unsigned char *out,
-                          const EVP_MD *md_type);
-
-    pkcs12_key_gen = PKCS12_key_gen_utf8;
 
     if (cipher == NULL)
         return 0;
 
     /* Extract useful info from parameter */
+    if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+        param->value.sequence == NULL) {
+        PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);
+        return 0;
+    }
 
-    pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), param);
-    if (pbe == NULL) {
+    pbuf = param->value.sequence->data;
+    if (!(pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length))) {
         PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR);
         return 0;
     }
@@ -50,14 +99,14 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         iter = ASN1_INTEGER_get(pbe->iter);
     salt = pbe->salt->data;
     saltlen = pbe->salt->length;
-    if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
-                           iter, EVP_CIPHER_key_length(cipher), key, md)) {
+    if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
+                        iter, EVP_CIPHER_key_length(cipher), key, md)) {
         PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_KEY_GEN_ERROR);
         PBEPARAM_free(pbe);
         return 0;
     }
-    if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_IV_ID,
-                           iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
+    if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
+                        iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
         PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_IV_GEN_ERROR);
         PBEPARAM_free(pbe);
         return 0;
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c
index 10cf8dd5..7d2aeefa 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_crt.c
@@ -1,16 +1,65 @@
+/* p12_crt.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
-#include "p12_lcl.h"
 
 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
                           PKCS12_SAFEBAG *bag);
@@ -28,7 +77,7 @@ static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
     return 1;
 }
 
-PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert,
+PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
                       STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
                       int mac_iter, int keytype)
 {
@@ -41,12 +90,18 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *
     unsigned int keyidlen = 0;
 
     /* Set defaults */
-    if (!nid_cert)
+    if (!nid_cert) {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode())
+            nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+        else
+#endif
 #ifdef OPENSSL_NO_RC2
-        nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+            nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 #else
-        nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+            nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
 #endif
+    }
     if (!nid_key)
         nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
     if (!iter)
@@ -124,9 +179,13 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *
     return p12;
 
  err:
-    PKCS12_free(p12);
-    sk_PKCS7_pop_free(safes, PKCS7_free);
-    sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
+
+    if (p12)
+        PKCS12_free(p12);
+    if (safes)
+        sk_PKCS7_pop_free(safes, PKCS7_free);
+    if (bags)
+        sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
     return NULL;
 
 }
@@ -140,7 +199,7 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
     int keyidlen = -1;
 
     /* Add user certificate */
-    if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL)
+    if (!(bag = PKCS12_x5092certbag(cert)))
         goto err;
 
     /*
@@ -163,30 +222,32 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
     return bag;
 
  err:
-    PKCS12_SAFEBAG_free(bag);
+
+    if (bag)
+        PKCS12_SAFEBAG_free(bag);
+
     return NULL;
 
 }
 
 PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
                                EVP_PKEY *key, int key_usage, int iter,
-                               int nid_key, const char *pass)
+                               int nid_key, char *pass)
 {
 
     PKCS12_SAFEBAG *bag = NULL;
     PKCS8_PRIV_KEY_INFO *p8 = NULL;
 
     /* Make a PKCS#8 structure */
-    if ((p8 = EVP_PKEY2PKCS8(key)) == NULL)
+    if (!(p8 = EVP_PKEY2PKCS8(key)))
         goto err;
     if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
         goto err;
     if (nid_key != -1) {
-        bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key, pass, -1, NULL, 0,
-                                                  iter, p8);
+        bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8);
         PKCS8_PRIV_KEY_INFO_free(p8);
     } else
-        bag = PKCS12_SAFEBAG_create0_p8inf(p8);
+        bag = PKCS12_MAKE_KEYBAG(p8);
 
     if (!bag)
         goto err;
@@ -197,13 +258,16 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
     return bag;
 
  err:
-    PKCS12_SAFEBAG_free(bag);
+
+    if (bag)
+        PKCS12_SAFEBAG_free(bag);
+
     return NULL;
 
 }
 
 int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
-                    int nid_safe, int iter, const char *pass)
+                    int nid_safe, int iter, char *pass)
 {
     PKCS7 *p7 = NULL;
     int free_safes = 0;
@@ -240,7 +304,10 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
         sk_PKCS7_free(*psafes);
         *psafes = NULL;
     }
-    PKCS7_free(p7);
+
+    if (p7)
+        PKCS7_free(p7);
+
     return 0;
 
 }
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c
index 3c860584..b40ea10c 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_decr.c
@@ -1,54 +1,99 @@
+/* p12_decr.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
 /* Define this to dump decrypted output to files called DERnnn */
 /*
- * #define OPENSSL_DEBUG_DECRYPT
+ * #define DEBUG_DECRYPT
  */
 
 /*
  * Encrypt/Decrypt a buffer based on password and algor, result in a
  * OPENSSL_malloc'ed buffer
  */
-unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
-                                const char *pass, int passlen,
-                                const unsigned char *in, int inlen,
+
+unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
+                                int passlen, unsigned char *in, int inlen,
                                 unsigned char **data, int *datalen, int en_de)
 {
-    unsigned char *out = NULL;
+    unsigned char *out;
     int outlen, i;
-    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
-
-    if (ctx == NULL) {
-        PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
+    EVP_CIPHER_CTX ctx;
 
+    EVP_CIPHER_CTX_init(&ctx);
     /* Decrypt data */
     if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
-                            algor->parameter, ctx, en_de)) {
+                            algor->parameter, &ctx, en_de)) {
         PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
                   PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
-        goto err;
+        return NULL;
     }
 
-    if ((out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(ctx)))
-            == NULL) {
+    if (!(out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
         PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
-    if (!EVP_CipherUpdate(ctx, out, &i, in, inlen)) {
+    if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen)) {
         OPENSSL_free(out);
         out = NULL;
         PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_EVP_LIB);
@@ -56,7 +101,7 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
     }
 
     outlen = i;
-    if (!EVP_CipherFinal_ex(ctx, out + i, &i)) {
+    if (!EVP_CipherFinal_ex(&ctx, out + i, &i)) {
         OPENSSL_free(out);
         out = NULL;
         PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
@@ -69,7 +114,7 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
     if (data)
         *data = out;
  err:
-    EVP_CIPHER_CTX_free(ctx);
+    EVP_CIPHER_CTX_cleanup(&ctx);
     return out;
 
 }
@@ -79,9 +124,9 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
  * after use.
  */
 
-void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
+void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
                               const char *pass, int passlen,
-                              const ASN1_OCTET_STRING *oct, int zbuf)
+                              ASN1_OCTET_STRING *oct, int zbuf)
 {
     unsigned char *out;
     const unsigned char *p;
@@ -95,7 +140,7 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
         return NULL;
     }
     p = out;
-#ifdef OPENSSL_DEBUG_DECRYPT
+#ifdef DEBUG_DECRYPT
     {
         FILE *op;
 
@@ -129,8 +174,7 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
     ASN1_OCTET_STRING *oct = NULL;
     unsigned char *in = NULL;
     int inlen;
-
-    if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
+    if (!(oct = M_ASN1_OCTET_STRING_new())) {
         PKCS12err(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -150,6 +194,9 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor,
     OPENSSL_free(in);
     return oct;
  err:
-    ASN1_OCTET_STRING_free(oct);
+    if (oct)
+        ASN1_OCTET_STRING_free(oct);
     return NULL;
 }
+
+IMPLEMENT_PKCS12_STACK_OF(PKCS7)
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c
index a78e183c..0322df94 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_init.c
@@ -1,24 +1,72 @@
+/* p12_init.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
-#include "p12_lcl.h"
 
 /* Initialise a PKCS12 structure to take data */
 
 PKCS12 *PKCS12_init(int mode)
 {
     PKCS12 *pkcs12;
-
-    if ((pkcs12 = PKCS12_new()) == NULL) {
+    if (!(pkcs12 = PKCS12_new())) {
         PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -26,7 +74,7 @@ PKCS12 *PKCS12_init(int mode)
     pkcs12->authsafes->type = OBJ_nid2obj(mode);
     switch (mode) {
     case NID_pkcs7_data:
-        if ((pkcs12->authsafes->d.data = ASN1_OCTET_STRING_new()) == NULL) {
+        if (!(pkcs12->authsafes->d.data = M_ASN1_OCTET_STRING_new())) {
             PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
             goto err;
         }
@@ -35,9 +83,10 @@ PKCS12 *PKCS12_init(int mode)
         PKCS12err(PKCS12_F_PKCS12_INIT, PKCS12_R_UNSUPPORTED_PKCS12_MODE);
         goto err;
     }
-    return pkcs12;
 
+    return pkcs12;
  err:
-    PKCS12_free(pkcs12);
+    if (pkcs12 != NULL)
+        PKCS12_free(pkcs12);
     return NULL;
 }
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c
index 9c13a451..99b8260c 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_key.c
@@ -1,22 +1,72 @@
+/* p12_key.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
 #include <openssl/bn.h>
 
 /* Uncomment out this line to get debugging info about key generation */
 /*
- * #define OPENSSL_DEBUG_KEYGEN
+ * #define DEBUG_KEYGEN
  */
-#ifdef OPENSSL_DEBUG_KEYGEN
+#ifdef DEBUG_KEYGEN
 # include <openssl/bio.h>
 extern BIO *bio_err;
 void h__dump(unsigned char *p, int len);
@@ -46,30 +96,10 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
                              id, iter, n, out, md_type);
     if (ret <= 0)
         return 0;
-    OPENSSL_clear_free(unipass, uniplen);
-    return ret;
-}
-
-int PKCS12_key_gen_utf8(const char *pass, int passlen, unsigned char *salt,
-                        int saltlen, int id, int iter, int n,
-                        unsigned char *out, const EVP_MD *md_type)
-{
-    int ret;
-    unsigned char *unipass;
-    int uniplen;
-
-    if (!pass) {
-        unipass = NULL;
-        uniplen = 0;
-    } else if (!OPENSSL_utf82uni(pass, passlen, &unipass, &uniplen)) {
-        PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UTF8, ERR_R_MALLOC_FAILURE);
-        return 0;
+    if (unipass) {
+        OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */
+        OPENSSL_free(unipass);
     }
-    ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen,
-                             id, iter, n, out, md_type);
-    if (ret <= 0)
-        return 0;
-    OPENSSL_clear_free(unipass, uniplen);
     return ret;
 }
 
@@ -77,22 +107,26 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
                        int saltlen, int id, int iter, int n,
                        unsigned char *out, const EVP_MD *md_type)
 {
-    unsigned char *B = NULL, *D = NULL, *I = NULL, *p = NULL, *Ai = NULL;
+    unsigned char *B, *D, *I, *p, *Ai;
     int Slen, Plen, Ilen, Ijlen;
     int i, j, u, v;
     int ret = 0;
-    BIGNUM *Ij = NULL, *Bpl1 = NULL; /* These hold Ij and B + 1 */
-    EVP_MD_CTX *ctx = NULL;
-#ifdef  OPENSSL_DEBUG_KEYGEN
+    BIGNUM *Ij, *Bpl1;          /* These hold Ij and B + 1 */
+    EVP_MD_CTX ctx;
+#ifdef  DEBUG_KEYGEN
     unsigned char *tmpout = out;
     int tmpn = n;
 #endif
 
-    ctx = EVP_MD_CTX_new();
-    if (ctx == NULL)
-        goto err;
+#if 0
+    if (!pass) {
+        PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI, ERR_R_PASSED_NULL_PARAMETER);
+        return 0;
+    }
+#endif
 
-#ifdef  OPENSSL_DEBUG_KEYGEN
+    EVP_MD_CTX_init(&ctx);
+#ifdef  DEBUG_KEYGEN
     fprintf(stderr, "KEYGEN DEBUG\n");
     fprintf(stderr, "ID %d, ITER %d\n", id, iter);
     fprintf(stderr, "Password (length %d):\n", passlen);
@@ -102,8 +136,8 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 #endif
     v = EVP_MD_block_size(md_type);
     u = EVP_MD_size(md_type);
-    if (u < 0 || v <= 0)
-        goto err;
+    if (u < 0)
+        return 0;
     D = OPENSSL_malloc(v);
     Ai = OPENSSL_malloc(u);
     B = OPENSSL_malloc(v + 1);
@@ -116,8 +150,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
     I = OPENSSL_malloc(Ilen);
     Ij = BN_new();
     Bpl1 = BN_new();
-    if (D == NULL || Ai == NULL || B == NULL || I == NULL || Ij == NULL
-            || Bpl1 == NULL)
+    if (!D || !Ai || !B || !I || !Ij || !Bpl1)
         goto err;
     for (i = 0; i < v; i++)
         D[i] = id;
@@ -127,20 +160,20 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
     for (i = 0; i < Plen; i++)
         *p++ = pass[i % passlen];
     for (;;) {
-        if (!EVP_DigestInit_ex(ctx, md_type, NULL)
-            || !EVP_DigestUpdate(ctx, D, v)
-            || !EVP_DigestUpdate(ctx, I, Ilen)
-            || !EVP_DigestFinal_ex(ctx, Ai, NULL))
+        if (!EVP_DigestInit_ex(&ctx, md_type, NULL)
+            || !EVP_DigestUpdate(&ctx, D, v)
+            || !EVP_DigestUpdate(&ctx, I, Ilen)
+            || !EVP_DigestFinal_ex(&ctx, Ai, NULL))
             goto err;
         for (j = 1; j < iter; j++) {
-            if (!EVP_DigestInit_ex(ctx, md_type, NULL)
-                || !EVP_DigestUpdate(ctx, Ai, u)
-                || !EVP_DigestFinal_ex(ctx, Ai, NULL))
+            if (!EVP_DigestInit_ex(&ctx, md_type, NULL)
+                || !EVP_DigestUpdate(&ctx, Ai, u)
+                || !EVP_DigestFinal_ex(&ctx, Ai, NULL))
                 goto err;
         }
         memcpy(out, Ai, min(n, u));
         if (u >= n) {
-#ifdef OPENSSL_DEBUG_KEYGEN
+#ifdef DEBUG_KEYGEN
             fprintf(stderr, "Output KEY (length %d)\n", tmpn);
             h__dump(tmpout, tmpn);
 #endif
@@ -191,11 +224,11 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
     OPENSSL_free(I);
     BN_free(Ij);
     BN_free(Bpl1);
-    EVP_MD_CTX_free(ctx);
+    EVP_MD_CTX_cleanup(&ctx);
     return ret;
 }
 
-#ifdef OPENSSL_DEBUG_KEYGEN
+#ifdef DEBUG_KEYGEN
 void h__dump(unsigned char *p, int len)
 {
     for (; len--; p++)
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c
index 62f5d1ec..9aa3c90c 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_kiss.c
@@ -1,14 +1,64 @@
+/* p12_kiss.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
 /* Simplified PKCS#12 routines */
@@ -16,7 +66,7 @@
 static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
                       EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
 
-static int parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
+static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
                       int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts);
 
 static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
@@ -26,7 +76,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
  * Parse and decrypt a PKCS#12 structure returning user key, user cert and
  * other (CA) certs. Note either ca should be NULL, *ca should be NULL, or it
  * should point to a valid STACK structure. pkey and cert can be passed
- * uninitialised.
+ * unitialised.
  */
 
 int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
@@ -102,21 +152,25 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
                 goto err;
             x = NULL;
         }
-        X509_free(x);
+        if (x)
+            X509_free(x);
     }
 
-    sk_X509_pop_free(ocerts, X509_free);
+    if (ocerts)
+        sk_X509_pop_free(ocerts, X509_free);
 
     return 1;
 
  err:
 
-    if (pkey)
+    if (pkey && *pkey)
         EVP_PKEY_free(*pkey);
-    if (cert)
+    if (cert && *cert)
         X509_free(*cert);
-    X509_free(x);
-    sk_X509_pop_free(ocerts, X509_free);
+    if (x)
+        X509_free(x);
+    if (ocerts)
+        sk_X509_pop_free(ocerts, X509_free);
     return 0;
 
 }
@@ -131,7 +185,7 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
     int i, bagnid;
     PKCS7 *p7;
 
-    if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
+    if (!(asafes = PKCS12_unpack_authsafes(p12)))
         return 0;
     for (i = 0; i < sk_PKCS7_num(asafes); i++) {
         p7 = sk_PKCS7_value(asafes, i);
@@ -157,7 +211,7 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
     return 1;
 }
 
-static int parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
+static int parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
                       int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
 {
     int i;
@@ -174,29 +228,28 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 {
     PKCS8_PRIV_KEY_INFO *p8;
     X509 *x509;
-    const ASN1_TYPE *attrib;
+    ASN1_TYPE *attrib;
     ASN1_BMPSTRING *fname = NULL;
     ASN1_OCTET_STRING *lkid = NULL;
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+    if ((attrib = PKCS12_get_attr(bag, NID_friendlyName)))
         fname = attrib->value.bmpstring;
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+    if ((attrib = PKCS12_get_attr(bag, NID_localKeyID)))
         lkid = attrib->value.octet_string;
 
-    switch (PKCS12_SAFEBAG_get_nid(bag)) {
+    switch (M_PKCS12_bag_type(bag)) {
     case NID_keyBag:
         if (!pkey || *pkey)
             return 1;
-        *pkey = EVP_PKCS82PKEY(PKCS12_SAFEBAG_get0_p8inf(bag));
-        if (*pkey == NULL)
+        if (!(*pkey = EVP_PKCS82PKEY(bag->value.keybag)))
             return 0;
         break;
 
     case NID_pkcs8ShroudedKeyBag:
         if (!pkey || *pkey)
             return 1;
-        if ((p8 = PKCS12_decrypt_skey(bag, pass, passlen)) == NULL)
+        if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
             return 0;
         *pkey = EVP_PKCS82PKEY(p8);
         PKCS8_PRIV_KEY_INFO_free(p8);
@@ -205,9 +258,9 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
         break;
 
     case NID_certBag:
-        if (PKCS12_SAFEBAG_get_bag_nid(bag) != NID_x509Certificate)
+        if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
             return 1;
-        if ((x509 = PKCS12_SAFEBAG_get1_cert(bag)) == NULL)
+        if (!(x509 = PKCS12_certbag2x509(bag)))
             return 0;
         if (lkid && !X509_keyid_set1(x509, lkid->data, lkid->length)) {
             X509_free(x509);
@@ -235,11 +288,12 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
         break;
 
     case NID_safeContentsBag:
-        return parse_bags(PKCS12_SAFEBAG_get0_safes(bag), pass, passlen, pkey,
-                          ocerts);
+        return parse_bags(bag->value.safes, pass, passlen, pkey, ocerts);
+        break;
 
     default:
         return 1;
+        break;
     }
     return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_lcl.h b/Cryptlib/OpenSSL/crypto/pkcs12/p12_lcl.h
deleted file mode 100644
index 0b52f1e1..00000000
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_lcl.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-struct PKCS12_MAC_DATA_st {
-    X509_SIG *dinfo;
-    ASN1_OCTET_STRING *salt;
-    ASN1_INTEGER *iter;         /* defaults to 1 */
-};
-
-struct PKCS12_st {
-    ASN1_INTEGER *version;
-    PKCS12_MAC_DATA *mac;
-    PKCS7 *authsafes;
-};
-
-struct PKCS12_SAFEBAG_st {
-    ASN1_OBJECT *type;
-    union {
-        struct pkcs12_bag_st *bag; /* secret, crl and certbag */
-        struct pkcs8_priv_key_info_st *keybag; /* keybag */
-        X509_SIG *shkeybag;     /* shrouded key bag */
-        STACK_OF(PKCS12_SAFEBAG) *safes;
-        ASN1_TYPE *other;
-    } value;
-    STACK_OF(X509_ATTRIBUTE) *attrib;
-};
-
-struct pkcs12_bag_st {
-    ASN1_OBJECT *type;
-    union {
-        ASN1_OCTET_STRING *x509cert;
-        ASN1_OCTET_STRING *x509crl;
-        ASN1_OCTET_STRING *octet;
-        ASN1_IA5STRING *sdsicert;
-        ASN1_TYPE *other;       /* Secret or other bag */
-    } value;
-};
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c
index d6b89192..cbf34da0 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_mutl.c
@@ -1,91 +1,79 @@
+/* p12_mutl.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
+#ifndef OPENSSL_NO_HMAC
 # include <stdio.h>
-# include "internal/cryptlib.h"
+# include "cryptlib.h"
 # include <openssl/crypto.h>
 # include <openssl/hmac.h>
 # include <openssl/rand.h>
 # include <openssl/pkcs12.h>
-# include "p12_lcl.h"
-
-int PKCS12_mac_present(const PKCS12 *p12)
-{
-    return p12->mac ? 1 : 0;
-}
-
-void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
-                     const X509_ALGOR **pmacalg,
-                     const ASN1_OCTET_STRING **psalt,
-                     const ASN1_INTEGER **piter,
-                     const PKCS12 *p12)
-{
-    if (p12->mac) {
-        X509_SIG_get0(p12->mac->dinfo, pmacalg, pmac);
-        if (psalt)
-            *psalt = p12->mac->salt;
-        if (piter)
-            *piter = p12->mac->iter;
-    } else {
-        if (pmac)
-            *pmac = NULL;
-        if (pmacalg)
-            *pmacalg = NULL;
-        if (psalt)
-            *psalt = NULL;
-        if (piter)
-            *piter = NULL;
-    }
-}
-
-# define TK26_MAC_KEY_LEN 32
-
-static int pkcs12_gen_gost_mac_key(const char *pass, int passlen,
-                                   const unsigned char *salt, int saltlen,
-                                   int iter, int keylen, unsigned char *key,
-                                   const EVP_MD *digest)
-{
-    unsigned char out[96];
-
-    if (keylen != TK26_MAC_KEY_LEN) {
-        return 0;
-    }
-
-    if (!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter,
-                           digest, sizeof(out), out)) {
-        return 0;
-    }
-    memcpy(key, out + sizeof(out) - TK26_MAC_KEY_LEN, TK26_MAC_KEY_LEN);
-    OPENSSL_cleanse(out, sizeof(out));
-    return 1;
-}
 
 /* Generate a MAC */
-static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
-                          unsigned char *mac, unsigned int *maclen,
-                          int (*pkcs12_key_gen)(const char *pass, int passlen,
-                                                unsigned char *salt, int slen,
-                                                int id, int iter, int n,
-                                                unsigned char *out,
-                                                const EVP_MD *md_type))
+int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+                   unsigned char *mac, unsigned int *maclen)
 {
     const EVP_MD *md_type;
-    HMAC_CTX *hmac = NULL;
+    HMAC_CTX hmac;
     unsigned char key[EVP_MAX_MD_SIZE], *salt;
     int saltlen, iter;
-    int md_size = 0;
-    int md_type_nid;
-    const X509_ALGOR *macalg;
-    const ASN1_OBJECT *macoid;
-
-    if (pkcs12_key_gen == NULL)
-        pkcs12_key_gen = PKCS12_key_gen_utf8;
+    int md_size;
 
     if (!PKCS7_type_is_data(p12->authsafes)) {
         PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA);
@@ -98,71 +86,46 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
         iter = 1;
     else
         iter = ASN1_INTEGER_get(p12->mac->iter);
-    X509_SIG_get0(p12->mac->dinfo, &macalg, NULL);
-    X509_ALGOR_get0(&macoid, NULL, NULL, macalg);
-    if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) {
+    if (!(md_type = EVP_get_digestbyobj(p12->mac->dinfo->algor->algorithm))) {
         PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
         return 0;
     }
     md_size = EVP_MD_size(md_type);
-    md_type_nid = EVP_MD_type(md_type);
     if (md_size < 0)
         return 0;
-    if ((md_type_nid == NID_id_GostR3411_94
-         || md_type_nid == NID_id_GostR3411_2012_256
-         || md_type_nid == NID_id_GostR3411_2012_512)
-        && !getenv("LEGACY_GOST_PKCS12")) {
-        md_size = TK26_MAC_KEY_LEN;
-        if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
-                                     md_size, key, md_type)) {
-            PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
-            return 0;
-        }
-    } else
-        if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID,
-                               iter, md_size, key, md_type)) {
+    if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter,
+                        md_size, key, md_type)) {
         PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_KEY_GEN_ERROR);
         return 0;
     }
-    hmac = HMAC_CTX_new();
-    if (!HMAC_Init_ex(hmac, key, md_size, md_type, NULL)
-        || !HMAC_Update(hmac, p12->authsafes->d.data->data,
+    HMAC_CTX_init(&hmac);
+    if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL)
+        || !HMAC_Update(&hmac, p12->authsafes->d.data->data,
                         p12->authsafes->d.data->length)
-        || !HMAC_Final(hmac, mac, maclen)) {
-        HMAC_CTX_free(hmac);
+        || !HMAC_Final(&hmac, mac, maclen)) {
+        HMAC_CTX_cleanup(&hmac);
         return 0;
     }
-    HMAC_CTX_free(hmac);
+    HMAC_CTX_cleanup(&hmac);
     return 1;
 }
 
-int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
-                   unsigned char *mac, unsigned int *maclen)
-{
-    return pkcs12_gen_mac(p12, pass, passlen, mac, maclen, NULL);
-}
-
 /* Verify the mac */
 int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
 {
     unsigned char mac[EVP_MAX_MD_SIZE];
     unsigned int maclen;
-    const ASN1_OCTET_STRING *macoct;
-
     if (p12->mac == NULL) {
         PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT);
         return 0;
     }
-    if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen,
-                        PKCS12_key_gen_utf8)) {
+    if (!PKCS12_gen_mac(p12, pass, passlen, mac, &maclen)) {
         PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR);
         return 0;
     }
-    X509_SIG_get0(p12->mac->dinfo, NULL, &macoct);
-    if ((maclen != (unsigned int)ASN1_STRING_length(macoct))
-        || CRYPTO_memcmp(mac, ASN1_STRING_get0_data(macoct), maclen) != 0)
+    if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
+        || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen))
         return 0;
-
     return 1;
 }
 
@@ -174,7 +137,6 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
 {
     unsigned char mac[EVP_MAX_MD_SIZE];
     unsigned int maclen;
-    ASN1_OCTET_STRING *macoct;
 
     if (!md_type)
         md_type = EVP_sha1();
@@ -182,16 +144,11 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
         PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_SETUP_ERROR);
         return 0;
     }
-    /*
-     * Note that output mac is forced to UTF-8...
-     */
-    if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen,
-                        PKCS12_key_gen_utf8)) {
+    if (!PKCS12_gen_mac(p12, pass, passlen, mac, &maclen)) {
         PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR);
         return 0;
     }
-    X509_SIG_getm(p12->mac->dinfo, NULL, &macoct);
-    if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) {
+    if (!(M_ASN1_OCTET_STRING_set(p12->mac->dinfo->digest, mac, maclen))) {
         PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR);
         return 0;
     }
@@ -202,12 +159,10 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
 int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
                      const EVP_MD *md_type)
 {
-    X509_ALGOR *macalg;
-
-    if ((p12->mac = PKCS12_MAC_DATA_new()) == NULL)
+    if (!(p12->mac = PKCS12_MAC_DATA_new()))
         return PKCS12_ERROR;
     if (iter > 1) {
-        if ((p12->mac->iter = ASN1_INTEGER_new()) == NULL) {
+        if (!(p12->mac->iter = M_ASN1_INTEGER_new())) {
             PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
             return 0;
         }
@@ -228,12 +183,13 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
             return 0;
     } else
         memcpy(p12->mac->salt->data, salt, saltlen);
-    X509_SIG_getm(p12->mac->dinfo, &macalg, NULL);
-    if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)),
-                         V_ASN1_NULL, NULL)) {
+    p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
+    if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
         PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
         return 0;
     }
+    p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
 
     return 1;
 }
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c
index 0ce75ed3..9e8ebb2a 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_npas.c
@@ -1,10 +1,60 @@
+/* p12_npas.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
@@ -13,7 +63,6 @@
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
-#include "p12_lcl.h"
 
 /* PKCS#12 password change routine */
 
@@ -22,8 +71,7 @@ static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass,
                         const char *newpass);
 static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
                         const char *newpass);
-static int alg_get(const X509_ALGOR *alg, int *pnid, int *piter,
-                   int *psaltlen);
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
 
 /*
  * Change the password on a PKCS#12 structure.
@@ -62,7 +110,7 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
     STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
     int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
     PKCS7 *p7, *p7new;
-    ASN1_OCTET_STRING *p12_data_tmp = NULL, *macoct = NULL;
+    ASN1_OCTET_STRING *p12_data_tmp = NULL;
     unsigned char mac[EVP_MAX_MD_SIZE];
     unsigned int maclen;
     int rv = 0;
@@ -107,11 +155,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
         goto err;
     if (!PKCS12_pack_authsafes(p12, newsafes))
         goto err;
-
     if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
         goto err;
-    X509_SIG_getm(p12->mac->dinfo, NULL, &macoct);
-    if (!ASN1_OCTET_STRING_set(macoct, mac, maclen))
+    if (!ASN1_OCTET_STRING_set(p12->mac->dinfo->digest, mac, maclen))
         goto err;
 
     rv = 1;
@@ -149,15 +195,13 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
     PKCS8_PRIV_KEY_INFO *p8;
     X509_SIG *p8new;
     int p8_nid, p8_saltlen, p8_iter;
-    const X509_ALGOR *shalg;
 
-    if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)
+    if (M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag)
         return 1;
 
-    if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL)
+    if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)))
         return 0;
-    X509_SIG_get0(bag->value.shkeybag, &shalg, NULL);
-    if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen))
+    if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen))
         return 0;
     p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
                           p8_iter, p8);
@@ -169,11 +213,13 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
     return 1;
 }
 
-static int alg_get(const X509_ALGOR *alg, int *pnid, int *piter,
-                   int *psaltlen)
+static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen)
 {
     PBEPARAM *pbe;
-    pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), alg->parameter);
+    const unsigned char *p;
+
+    p = alg->parameter->value.sequence->data;
+    pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
     if (!pbe)
         return 0;
     *pnid = OBJ_obj2nid(alg->algorithm);
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c
index d926a77d..3cc7a9f4 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8d.c
@@ -1,23 +1,70 @@
+/* p12_p8d.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
-PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass,
+PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass,
                                    int passlen)
 {
-    const X509_ALGOR *dalg;
-    const ASN1_OCTET_STRING *doct;
-    X509_SIG_get0(p8, &dalg, &doct);
-    return PKCS12_item_decrypt_d2i(dalg,
+    return PKCS12_item_decrypt_d2i(p8->algor,
                                    ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
-                                   passlen, doct, 1);
+                                   passlen, p8->digest, 1);
 }
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c
index 86a07e13..861a087f 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_p8e.c
@@ -1,16 +1,65 @@
+/* p12_p8e.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
-#include "internal/x509_int.h"
 
 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
                         const char *pass, int passlen,
@@ -20,6 +69,11 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
     X509_SIG *p8 = NULL;
     X509_ALGOR *pbe;
 
+    if (!(p8 = X509_SIG_new())) {
+        PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
     if (pbe_nid == -1)
         pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
     else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
@@ -30,40 +84,22 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
     }
     if (!pbe) {
         PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
-        return NULL;
-    }
-    p8 = PKCS8_set0_pbe(pass, passlen, p8inf, pbe);
-    if (p8 == NULL) {
-        X509_ALGOR_free(pbe);
-        return NULL;
+        goto err;
     }
-
-    return p8;
-}
-
-X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen,
-                         PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe)
-{
-    X509_SIG *p8;
-    ASN1_OCTET_STRING *enckey;
-
-    enckey =
+    X509_ALGOR_free(p8->algor);
+    p8->algor = pbe;
+    M_ASN1_OCTET_STRING_free(p8->digest);
+    p8->digest =
         PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO),
                                 pass, passlen, p8inf, 1);
-    if (!enckey) {
-        PKCS12err(PKCS12_F_PKCS8_SET0_PBE, PKCS12_R_ENCRYPT_ERROR);
-        return NULL;
-    }
-
-    p8 = OPENSSL_zalloc(sizeof(*p8));
-
-    if (p8 == NULL) {
-        PKCS12err(PKCS12_F_PKCS8_SET0_PBE, ERR_R_MALLOC_FAILURE);
-        ASN1_OCTET_STRING_free(enckey);
-        return NULL;
+    if (!p8->digest) {
+        PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
+        goto err;
     }
-    p8->algor = pbe;
-    p8->digest = enckey;
 
     return p8;
+
+ err:
+    X509_SIG_free(p8);
+    return NULL;
 }
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c
deleted file mode 100644
index 4a3d2599..00000000
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/pkcs12.h>
-#include "p12_lcl.h"
-
-#if OPENSSL_API_COMPAT < 0x10100000L
-ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
-{
-    return PKCS12_get_attr_gen(bag->attrib, attr_nid);
-}
-#endif
-
-const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
-                                          int attr_nid)
-{
-    return PKCS12_get_attr_gen(bag->attrib, attr_nid);
-}
-
-ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
-{
-    return PKCS12_get_attr_gen(PKCS8_pkey_get0_attrs(p8), attr_nid);
-}
-
-const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag)
-{
-    if (PKCS12_SAFEBAG_get_nid(bag) != NID_keyBag)
-        return NULL;
-    return bag->value.keybag;
-}
-
-const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag)
-{
-    if (OBJ_obj2nid(bag->type) != NID_pkcs8ShroudedKeyBag)
-        return NULL;
-    return bag->value.shkeybag;
-}
-
-const STACK_OF(PKCS12_SAFEBAG) *
-PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag)
-{
-    if (OBJ_obj2nid(bag->type) != NID_safeContentsBag)
-        return NULL;
-    return bag->value.safes;
-}
-
-const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag)
-{
-    return bag->type;
-}
-
-int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag)
-{
-    return OBJ_obj2nid(bag->type);
-}
-
-int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
-{
-    int btype = PKCS12_SAFEBAG_get_nid(bag);
-
-    if (btype != NID_certBag && btype != NID_crlBag && btype != NID_secretBag)
-        return -1;
-    return OBJ_obj2nid(bag->value.bag->type);
-}
-
-X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag)
-{
-    if (PKCS12_SAFEBAG_get_nid(bag) != NID_certBag)
-        return NULL;
-    if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate)
-        return NULL;
-    return ASN1_item_unpack(bag->value.bag->value.octet,
-                            ASN1_ITEM_rptr(X509));
-}
-
-X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag)
-{
-    if (PKCS12_SAFEBAG_get_nid(bag) != NID_crlBag)
-        return NULL;
-    if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl)
-        return NULL;
-    return ASN1_item_unpack(bag->value.bag->value.octet,
-                            ASN1_ITEM_rptr(X509_CRL));
-}
-
-PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509)
-{
-    return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509),
-                                    NID_x509Certificate, NID_certBag);
-}
-
-PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl)
-{
-    return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL),
-                                    NID_x509Crl, NID_crlBag);
-}
-
-/* Turn PKCS8 object into a keybag */
-
-PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8)
-{
-    PKCS12_SAFEBAG *bag = PKCS12_SAFEBAG_new();
-
-    if (bag == NULL) {
-        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    bag->type = OBJ_nid2obj(NID_keyBag);
-    bag->value.keybag = p8;
-    return bag;
-}
-
-/* Turn PKCS8 object into a shrouded keybag */
-
-PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8)
-{
-    PKCS12_SAFEBAG *bag = PKCS12_SAFEBAG_new();
-
-    /* Set up the safe bag */
-    if (bag == NULL) {
-        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
-    bag->value.shkeybag = p8;
-    return bag;
-}
-
-PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
-                                                    const char *pass,
-                                                    int passlen,
-                                                    unsigned char *salt,
-                                                    int saltlen, int iter,
-                                                    PKCS8_PRIV_KEY_INFO *p8inf)
-{
-    PKCS12_SAFEBAG *bag;
-    const EVP_CIPHER *pbe_ciph;
-    X509_SIG *p8;
-
-    pbe_ciph = EVP_get_cipherbynid(pbe_nid);
-
-    if (pbe_ciph)
-        pbe_nid = -1;
-
-    p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
-                       p8inf);
-
-    if (p8 == NULL) {
-        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    bag = PKCS12_SAFEBAG_create0_pkcs8(p8);
-
-    if (bag == NULL) {
-        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
-        X509_SIG_free(p8);
-        return NULL;
-    }
-
-    return bag;
-}
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c
index 07014786..e466f762 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_utl.c
@@ -1,14 +1,64 @@
+/* p12_utl.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
 /* Cheap and nasty Unicode stuff */
@@ -18,11 +68,10 @@ unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
 {
     int ulen, i;
     unsigned char *unitmp;
-
     if (asclen == -1)
         asclen = strlen(asc);
     ulen = asclen * 2 + 2;
-    if ((unitmp = OPENSSL_malloc(ulen)) == NULL)
+    if (!(unitmp = OPENSSL_malloc(ulen)))
         return NULL;
     for (i = 0; i < ulen - 2; i += 2) {
         unitmp[i] = 0;
@@ -38,10 +87,11 @@ unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
     return unitmp;
 }
 
-char *OPENSSL_uni2asc(const unsigned char *uni, int unilen)
+char *OPENSSL_uni2asc(unsigned char *uni, int unilen)
 {
     int asclen, i;
     char *asctmp;
+
     /* string must contain an even number of bytes */
     if (unilen & 1)
         return NULL;
@@ -50,7 +100,7 @@ char *OPENSSL_uni2asc(const unsigned char *uni, int unilen)
     if (!unilen || uni[unilen - 1])
         asclen++;
     uni++;
-    if ((asctmp = OPENSSL_malloc(asclen)) == NULL)
+    if (!(asctmp = OPENSSL_malloc(asclen)))
         return NULL;
     for (i = 0; i < unilen; i += 2)
         asctmp[i >> 1] = uni[i];
@@ -58,166 +108,12 @@ char *OPENSSL_uni2asc(const unsigned char *uni, int unilen)
     return asctmp;
 }
 
-/*
- * OPENSSL_{utf82uni|uni2utf8} perform conversion between UTF-8 and
- * PKCS#12 BMPString format, which is specified as big-endian UTF-16.
- * One should keep in mind that even though BMPString is passed as
- * unsigned char *, it's not the kind of string you can exercise e.g.
- * strlen on. Caller also has to keep in mind that its length is
- * expressed not in number of UTF-16 characters, but in number of
- * bytes the string occupies, and treat it, the length, accordingly.
- */
-unsigned char *OPENSSL_utf82uni(const char *asc, int asclen,
-                                unsigned char **uni, int *unilen)
-{
-    int ulen, i, j;
-    unsigned char *unitmp, *ret;
-    unsigned long utf32chr = 0;
-
-    if (asclen == -1)
-        asclen = strlen(asc);
-
-    for (ulen = 0, i = 0; i < asclen; i += j) {
-        j = UTF8_getc((const unsigned char *)asc+i, asclen-i, &utf32chr);
-
-        /*
-         * Following condition is somewhat opportunistic is sense that
-         * decoding failure is used as *indirect* indication that input
-         * string might in fact be extended ASCII/ANSI/ISO-8859-X. The
-         * fallback is taken in hope that it would allow to process
-         * files created with previous OpenSSL version, which used the
-         * naive OPENSSL_asc2uni all along. It might be worth noting
-         * that probability of false positive depends on language. In
-         * cases covered by ISO Latin 1 probability is very low, because
-         * any printable non-ASCII alphabet letter followed by another
-         * or any ASCII character will trigger failure and fallback.
-         * In other cases situation can be intensified by the fact that
-         * English letters are not part of alternative keyboard layout,
-         * but even then there should be plenty of pairs that trigger
-         * decoding failure...
-         */
-        if (j < 0)
-	    return OPENSSL_asc2uni(asc, asclen, uni, unilen);
-
-        if (utf32chr > 0x10FFFF)        /* UTF-16 cap */
-	    return NULL;
-
-        if (utf32chr >= 0x10000)        /* pair of UTF-16 characters */
-            ulen += 2*2;
-        else                            /* or just one */
-            ulen += 2;
-    }
-
-    ulen += 2;  /* for trailing UTF16 zero */
-
-    if ((ret = OPENSSL_malloc(ulen)) == NULL)
-        return NULL;
-
-    /* re-run the loop writing down UTF-16 characters in big-endian order */
-    for (unitmp = ret, i = 0; i < asclen; i += j) {
-        j = UTF8_getc((const unsigned char *)asc+i, asclen-i, &utf32chr);
-        if (utf32chr >= 0x10000) {      /* pair if UTF-16 characters */
-            unsigned int hi, lo;
-
-            utf32chr -= 0x10000;
-            hi = 0xD800 + (utf32chr>>10);
-            lo = 0xDC00 + (utf32chr&0x3ff);
-            *unitmp++ = (unsigned char)(hi>>8);
-            *unitmp++ = (unsigned char)(hi);
-            *unitmp++ = (unsigned char)(lo>>8);
-            *unitmp++ = (unsigned char)(lo);
-        } else {                        /* or just one */
-            *unitmp++ = (unsigned char)(utf32chr>>8);
-            *unitmp++ = (unsigned char)(utf32chr);
-        }
-    }
-    /* Make result double null terminated */
-    *unitmp++ = 0;
-    *unitmp++ = 0;
-    if (unilen)
-        *unilen = ulen;
-    if (uni)
-        *uni = ret;
-    return ret;
-}
-
-static int bmp_to_utf8(char *str, const unsigned char *utf16, int len)
-{
-    unsigned long utf32chr;
-
-    if (len == 0) return 0;
-
-    if (len < 2) return -1;
-
-    /* pull UTF-16 character in big-endian order */
-    utf32chr = (utf16[0]<<8) | utf16[1];
-
-    if (utf32chr >= 0xD800 && utf32chr < 0xE000) {   /* two chars */
-        unsigned int lo;
-
-        if (len < 4) return -1;
-
-        utf32chr -= 0xD800;
-        utf32chr <<= 10;
-        lo = (utf16[2]<<8) | utf16[3];
-        if (lo < 0xDC00 || lo >= 0xE000) return -1;
-        utf32chr |= lo-0xDC00;
-        utf32chr += 0x10000;
-    }
-
-    return UTF8_putc((unsigned char *)str, len > 4 ? 4 : len, utf32chr);
-}
-
-char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
-{
-    int asclen, i, j;
-    char *asctmp;
-
-    /* string must contain an even number of bytes */
-    if (unilen & 1)
-        return NULL;
-
-    for (asclen = 0, i = 0; i < unilen; ) {
-        j = bmp_to_utf8(NULL, uni+i, unilen-i);
-        /*
-         * falling back to OPENSSL_uni2asc makes lesser sense [than
-         * falling back to OPENSSL_asc2uni in OPENSSL_utf82uni above],
-         * it's done rather to maintain symmetry...
-         */
-        if (j < 0) return OPENSSL_uni2asc(uni, unilen);
-        if (j == 4) i += 4;
-        else        i += 2;
-        asclen += j;
-    }
-
-    /* If no terminating zero allow for one */
-    if (!unilen || (uni[unilen-2]||uni[unilen - 1]))
-        asclen++;
-
-    if ((asctmp = OPENSSL_malloc(asclen)) == NULL)
-        return NULL;
-
-    /* re-run the loop emitting UTF-8 string */
-    for (asclen = 0, i = 0; i < unilen; ) {
-        j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
-        if (j == 4) i += 4;
-        else        i += 2;
-        asclen += j;
-    }
-
-    /* If no terminating zero write one */
-    if (!unilen || (uni[unilen-2]||uni[unilen - 1]))
-        asctmp[asclen] = '\0';
-
-    return asctmp;
-}
-
 int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12)
 {
     return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12)
 {
     return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
@@ -229,9 +125,41 @@ PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
     return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
 {
     return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
 }
 #endif
+
+PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509)
+{
+    return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509),
+                                    NID_x509Certificate, NID_certBag);
+}
+
+PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl)
+{
+    return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL),
+                                    NID_x509Crl, NID_crlBag);
+}
+
+X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag)
+{
+    if (M_PKCS12_bag_type(bag) != NID_certBag)
+        return NULL;
+    if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
+        return NULL;
+    return ASN1_item_unpack(bag->value.bag->value.octet,
+                            ASN1_ITEM_rptr(X509));
+}
+
+X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag)
+{
+    if (M_PKCS12_bag_type(bag) != NID_crlBag)
+        return NULL;
+    if (M_PKCS12_cert_bag_type(bag) != NID_x509Crl)
+        return NULL;
+    return ASN1_item_unpack(bag->value.bag->value.octet,
+                            ASN1_ITEM_rptr(X509_CRL));
+}
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c b/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c
index f705084a..e58710b2 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/pk12err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pkcs12/pk12err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,6 +70,14 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason)
 
 static ERR_STRING_DATA PKCS12_str_functs[] = {
+    {ERR_FUNC(PKCS12_F_PARSE_BAG), "PARSE_BAG"},
+    {ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"},
+    {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"},
+    {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC),
+     "PKCS12_add_friendlyname_asc"},
+    {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI),
+     "PKCS12_add_friendlyname_uni"},
+    {ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"},
     {ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"},
     {ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"},
     {ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"},
@@ -27,26 +86,21 @@ static ERR_STRING_DATA PKCS12_str_functs[] = {
     {ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG), "PKCS12_item_pack_safebag"},
     {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"},
     {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"},
-    {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UTF8), "PKCS12_key_gen_utf8"},
+    {ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"},
+    {ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"},
     {ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"},
     {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"},
     {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"},
     {ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"},
     {ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"},
     {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"},
-    {ERR_FUNC(PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF),
-     "PKCS12_SAFEBAG_create0_p8inf"},
-    {ERR_FUNC(PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8),
-     "PKCS12_SAFEBAG_create0_pkcs8"},
-    {ERR_FUNC(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT),
-     "PKCS12_SAFEBAG_create_pkcs8_encrypt"},
     {ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"},
     {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"},
     {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"},
     {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"},
     {ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC), "PKCS12_verify_mac"},
+    {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"},
     {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), "PKCS8_encrypt"},
-    {ERR_FUNC(PKCS12_F_PKCS8_SET0_PBE), "PKCS8_set0_pbe"},
     {0, NULL}
 };
 
@@ -67,6 +121,7 @@ static ERR_STRING_DATA PKCS12_str_reasons[] = {
     {ERR_REASON(PKCS12_R_MAC_GENERATION_ERROR), "mac generation error"},
     {ERR_REASON(PKCS12_R_MAC_SETUP_ERROR), "mac setup error"},
     {ERR_REASON(PKCS12_R_MAC_STRING_SET_ERROR), "mac string set error"},
+    {ERR_REASON(PKCS12_R_MAC_VERIFY_ERROR), "mac verify error"},
     {ERR_REASON(PKCS12_R_MAC_VERIFY_FAILURE), "mac verify failure"},
     {ERR_REASON(PKCS12_R_PARSE_ERROR), "parse error"},
     {ERR_REASON(PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),
@@ -82,7 +137,7 @@ static ERR_STRING_DATA PKCS12_str_reasons[] = {
 
 #endif
 
-int ERR_load_PKCS12_strings(void)
+void ERR_load_PKCS12_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -91,5 +146,4 @@ int ERR_load_PKCS12_strings(void)
         ERR_load_strings(0, PKCS12_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/bio_pk7.c b/Cryptlib/OpenSSL/crypto/pkcs7/bio_pk7.c
index 29feaa35..fae1c564 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/bio_pk7.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/bio_pk7.c
@@ -1,17 +1,63 @@
+/* bio_pk7.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/asn1.h>
 #include <openssl/pkcs7.h>
 #include <openssl/bio.h>
 
-#if !defined(OPENSSL_SYS_VXWORKS)
+#if !defined(OPENSSL_SYSNAME_NETWARE) && !defined(OPENSSL_SYSNAME_VXWORKS)
 # include <memory.h>
 #endif
 #include <stdio.h>
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c
index 315e1b81..9c0a4398 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_asn1.c
@@ -1,14 +1,64 @@
+/* pk7_asn.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/pkcs7.h>
 #include <openssl/x509.h>
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c
index e90bf03c..88922efe 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_attr.c
@@ -1,10 +1,60 @@
+/* pk7_attr.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
@@ -21,8 +71,7 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si,
                               STACK_OF(X509_ALGOR) *cap)
 {
     ASN1_STRING *seq;
-
-    if ((seq = ASN1_STRING_new()) == NULL) {
+    if (!(seq = ASN1_STRING_new())) {
         PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -38,7 +87,7 @@ STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
     const unsigned char *p;
 
     cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
-    if (cap == NULL || (cap->type != V_ASN1_SEQUENCE))
+    if (!cap || (cap->type != V_ASN1_SEQUENCE))
         return NULL;
     p = cap->value.sequence->data;
     return (STACK_OF(X509_ALGOR) *)
@@ -49,38 +98,33 @@ STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
 /* Basic smime-capabilities OID and optional integer arg */
 int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
 {
-    ASN1_INTEGER *nbit = NULL;
     X509_ALGOR *alg;
 
-    if ((alg = X509_ALGOR_new()) == NULL) {
+    if (!(alg = X509_ALGOR_new())) {
         PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP, ERR_R_MALLOC_FAILURE);
         return 0;
     }
     ASN1_OBJECT_free(alg->algorithm);
     alg->algorithm = OBJ_nid2obj(nid);
     if (arg > 0) {
-        if ((alg->parameter = ASN1_TYPE_new()) == NULL) {
-            goto err;
+        ASN1_INTEGER *nbit;
+        if (!(alg->parameter = ASN1_TYPE_new())) {
+            PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP, ERR_R_MALLOC_FAILURE);
+            return 0;
         }
-        if ((nbit = ASN1_INTEGER_new()) == NULL) {
-            goto err;
+        if (!(nbit = ASN1_INTEGER_new())) {
+            PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP, ERR_R_MALLOC_FAILURE);
+            return 0;
         }
         if (!ASN1_INTEGER_set(nbit, arg)) {
-            goto err;
+            PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP, ERR_R_MALLOC_FAILURE);
+            return 0;
         }
         alg->parameter->value.integer = nbit;
         alg->parameter->type = V_ASN1_INTEGER;
-        nbit = NULL;
-    }
-    if (!sk_X509_ALGOR_push(sk, alg)) {
-        goto err;
     }
+    sk_X509_ALGOR_push(sk, alg);
     return 1;
-err:
-    PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP, ERR_R_MALLOC_FAILURE);
-    ASN1_INTEGER_free(nbit);
-    X509_ALGOR_free(alg);
-    return 0;
 }
 
 int PKCS7_add_attrib_content_type(PKCS7_SIGNER_INFO *si, ASN1_OBJECT *coid)
@@ -95,7 +139,7 @@ int PKCS7_add_attrib_content_type(PKCS7_SIGNER_INFO *si, ASN1_OBJECT *coid)
 
 int PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t)
 {
-    if (t == NULL && (t = X509_gmtime_adj(NULL, 0)) == NULL) {
+    if (!t && !(t = X509_gmtime_adj(NULL, 0))) {
         PKCS7err(PKCS7_F_PKCS7_ADD0_ATTRIB_SIGNING_TIME,
                  ERR_R_MALLOC_FAILURE);
         return 0;
@@ -109,7 +153,7 @@ int PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si,
 {
     ASN1_OCTET_STRING *os;
     os = ASN1_OCTET_STRING_new();
-    if (os == NULL)
+    if (!os)
         return 0;
     if (!ASN1_STRING_set(os, md, mdlen)
         || !PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_dgst.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_dgst.c
deleted file mode 100644
index 965fb37e..00000000
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_dgst.c
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/pkcs7.h>
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
index bc6bd30f..e6a44f40 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pkcs7/pk7_doit.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
@@ -79,7 +128,8 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
     return 1;
 
  err:
-    BIO_free(btmp);
+    if (btmp)
+        BIO_free(btmp);
     return 0;
 
 }
@@ -93,7 +143,7 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
     int ret = 0;
     size_t eklen;
 
-    pkey = X509_get0_pubkey(ri->cert);
+    pkey = X509_get_pubkey(ri->cert);
 
     if (!pkey)
         return 0;
@@ -130,8 +180,12 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
     ret = 1;
 
  err:
-    EVP_PKEY_CTX_free(pctx);
-    OPENSSL_free(ek);
+    if (pkey)
+        EVP_PKEY_free(pkey);
+    if (pctx)
+        EVP_PKEY_CTX_free(pctx);
+    if (ek)
+        OPENSSL_free(ek);
     return ret;
 
 }
@@ -178,13 +232,18 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
 
     ret = 1;
 
-    OPENSSL_clear_free(*pek, *peklen);
+    if (*pek) {
+        OPENSSL_cleanse(*pek, *peklen);
+        OPENSSL_free(*pek);
+    }
+
     *pek = ek;
     *peklen = eklen;
 
  err:
-    EVP_PKEY_CTX_free(pctx);
-    if (!ret)
+    if (pctx)
+        EVP_PKEY_CTX_free(pctx);
+    if (!ret && ek)
         OPENSSL_free(ek);
 
     return ret;
@@ -331,23 +390,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
         BIO_push(out, bio);
     else
         out = bio;
-    return out;
-
+    bio = NULL;
+    if (0) {
  err:
-    BIO_free_all(out);
-    BIO_free_all(btmp);
-    return NULL;
+        if (out != NULL)
+            BIO_free_all(out);
+        if (btmp != NULL)
+            BIO_free_all(btmp);
+        out = NULL;
+    }
+    return (out);
 }
 
 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
 {
     int ret;
     ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
-                        X509_get_issuer_name(pcert));
+                        pcert->cert_info->issuer);
     if (ret)
         return ret;
-    return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert),
-                            ri->issuer_and_serial->serial);
+    return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
+                              ri->issuer_and_serial->serial);
 }
 
 /* int */
@@ -459,6 +522,15 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
     }
 
     if (evp_cipher != NULL) {
+#if 0
+        unsigned char key[EVP_MAX_KEY_LENGTH];
+        unsigned char iv[EVP_MAX_IV_LENGTH];
+        unsigned char *p;
+        int keylen, ivlen;
+        int max;
+        X509_OBJECT ret;
+#endif
+
         if ((etmp = BIO_new(BIO_f_cipher())) == NULL) {
             PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
             goto err;
@@ -491,7 +563,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         /* If we haven't got a certificate try each ri in turn */
         if (pcert == NULL) {
             /*
-             * Always attempt to decrypt all rinfo even after success as a
+             * Always attempt to decrypt all rinfo even after sucess as a
              * defence against MMA timing attacks.
              */
             for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
@@ -517,7 +589,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         /* Generate random key as MMA defence */
         tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
         tkey = OPENSSL_malloc(tkeylen);
-        if (tkey == NULL)
+        if (!tkey)
             goto err;
         if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
             goto err;
@@ -535,7 +607,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
              */
             if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
                 /* Use random key as MMA defence */
-                OPENSSL_clear_free(ek, eklen);
+                OPENSSL_cleanse(ek, eklen);
+                OPENSSL_free(ek);
                 ek = tkey;
                 eklen = tkeylen;
                 tkey = NULL;
@@ -546,10 +619,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0)
             goto err;
 
-        OPENSSL_clear_free(ek, eklen);
-        ek = NULL;
-        OPENSSL_clear_free(tkey, tkeylen);
-        tkey = NULL;
+        if (ek) {
+            OPENSSL_cleanse(ek, eklen);
+            OPENSSL_free(ek);
+            ek = NULL;
+        }
+        if (tkey) {
+            OPENSSL_cleanse(tkey, tkeylen);
+            OPENSSL_free(tkey);
+            tkey = NULL;
+        }
 
         if (out == NULL)
             out = etmp;
@@ -557,10 +636,25 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
             BIO_push(out, etmp);
         etmp = NULL;
     }
+#if 1
     if (in_bio != NULL) {
         bio = in_bio;
     } else {
+# if 0
+        bio = BIO_new(BIO_s_mem());
+        if (bio == NULL)
+            goto err;
+        /*
+         * We need to set this so that when we have read all the data, the
+         * encrypt BIO, if present, will read EOF and encode the last few
+         * bytes
+         */
+        BIO_set_mem_eof_return(bio, 0);
+
         if (data_body->length > 0)
+            BIO_write(bio, (char *)data_body->data, data_body->length);
+# else
+        if (data_body != NULL && data_body->length > 0)
             bio = BIO_new_mem_buf(data_body->data, data_body->length);
         else {
             bio = BIO_new(BIO_s_mem());
@@ -570,19 +664,32 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
         }
         if (bio == NULL)
             goto err;
+# endif
     }
     BIO_push(out, bio);
     bio = NULL;
-    return out;
-
+#endif
+    if (0) {
  err:
-    OPENSSL_clear_free(ek, eklen);
-    OPENSSL_clear_free(tkey, tkeylen);
-    BIO_free_all(out);
-    BIO_free_all(btmp);
-    BIO_free_all(etmp);
-    BIO_free_all(bio);
-    return NULL;
+        if (ek) {
+            OPENSSL_cleanse(ek, eklen);
+            OPENSSL_free(ek);
+        }
+        if (tkey) {
+            OPENSSL_cleanse(tkey, tkeylen);
+            OPENSSL_free(tkey);
+        }
+        if (out != NULL)
+            BIO_free_all(out);
+        if (btmp != NULL)
+            BIO_free_all(btmp);
+        if (etmp != NULL)
+            BIO_free_all(etmp);
+        if (bio != NULL)
+            BIO_free_all(bio);
+        out = NULL;
+    }
+    return (out);
 }
 
 static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid)
@@ -642,7 +749,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
     int i, j;
     BIO *btmp;
     PKCS7_SIGNER_INFO *si;
-    EVP_MD_CTX *mdc, *ctx_tmp;
+    EVP_MD_CTX *mdc, ctx_tmp;
     STACK_OF(X509_ATTRIBUTE) *sk;
     STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
     ASN1_OCTET_STRING *os = NULL;
@@ -657,12 +764,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         return 0;
     }
 
-    ctx_tmp = EVP_MD_CTX_new();
-    if (ctx_tmp == NULL) {
-        PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
+    EVP_MD_CTX_init(&ctx_tmp);
     i = OBJ_obj2nid(p7->type);
     p7->state = PKCS7_S_HEADER;
 
@@ -674,9 +776,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         /* XXXXXXXXXXXXXXXX */
         si_sk = p7->d.signed_and_enveloped->signer_info;
         os = p7->d.signed_and_enveloped->enc_data->enc_data;
-        if (os == NULL) {
-            os = ASN1_OCTET_STRING_new();
-            if (os == NULL) {
+        if (!os) {
+            os = M_ASN1_OCTET_STRING_new();
+            if (!os) {
                 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
@@ -686,9 +788,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
     case NID_pkcs7_enveloped:
         /* XXXXXXXXXXXXXXXX */
         os = p7->d.enveloped->enc_data->enc_data;
-        if (os == NULL) {
-            os = ASN1_OCTET_STRING_new();
-            if (os == NULL) {
+        if (!os) {
+            os = M_ASN1_OCTET_STRING_new();
+            if (!os) {
                 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
@@ -700,7 +802,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         os = PKCS7_get_octet_string(p7->d.sign->contents);
         /* If detached data then the content is excluded */
         if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
-            ASN1_OCTET_STRING_free(os);
+            M_ASN1_OCTET_STRING_free(os);
             os = NULL;
             p7->d.sign->contents->d.data = NULL;
         }
@@ -710,7 +812,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         os = PKCS7_get_octet_string(p7->d.digest->contents);
         /* If detached data then the content is excluded */
         if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) {
-            ASN1_OCTET_STRING_free(os);
+            M_ASN1_OCTET_STRING_free(os);
             os = NULL;
             p7->d.digest->contents->d.data = NULL;
         }
@@ -739,7 +841,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
             /*
              * We now have the EVP_MD_CTX, lets do the signing.
              */
-            if (!EVP_MD_CTX_copy_ex(ctx_tmp, mdc))
+            if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc))
                 goto err;
 
             sk = si->auth_attr;
@@ -749,18 +851,17 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
              * sign the attributes
              */
             if (sk_X509_ATTRIBUTE_num(sk) > 0) {
-                if (!do_pkcs7_signed_attrib(si, ctx_tmp))
+                if (!do_pkcs7_signed_attrib(si, &ctx_tmp))
                     goto err;
             } else {
                 unsigned char *abuf = NULL;
                 unsigned int abuflen;
                 abuflen = EVP_PKEY_size(si->pkey);
                 abuf = OPENSSL_malloc(abuflen);
-                if (abuf == NULL)
+                if (!abuf)
                     goto err;
 
-                if (!EVP_SignFinal(ctx_tmp, abuf, &abuflen, si->pkey)) {
-                    OPENSSL_free(abuf);
+                if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, si->pkey)) {
                     PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_EVP_LIB);
                     goto err;
                 }
@@ -775,8 +876,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
             goto err;
         if (!EVP_DigestFinal_ex(mdc, md_data, &md_len))
             goto err;
-        if (!ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len))
-            goto err;
+        M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
     }
 
     if (!PKCS7_is_detached(p7)) {
@@ -806,13 +906,13 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
     }
     ret = 1;
  err:
-    EVP_MD_CTX_free(ctx_tmp);
+    EVP_MD_CTX_cleanup(&ctx_tmp);
     return (ret);
 }
 
 int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
 {
-    EVP_MD_CTX *mctx;
+    EVP_MD_CTX mctx;
     EVP_PKEY_CTX *pctx;
     unsigned char *abuf = NULL;
     int alen;
@@ -823,13 +923,8 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
     if (md == NULL)
         return 0;
 
-    mctx = EVP_MD_CTX_new();
-    if (mctx == NULL) {
-        PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
+    EVP_MD_CTX_init(&mctx);
+    if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0)
         goto err;
 
     if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
@@ -842,16 +937,16 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
                          ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
     if (!abuf)
         goto err;
-    if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0)
+    if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0)
         goto err;
     OPENSSL_free(abuf);
     abuf = NULL;
-    if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0)
+    if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
         goto err;
     abuf = OPENSSL_malloc(siglen);
-    if (abuf == NULL)
+    if (!abuf)
         goto err;
-    if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0)
+    if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0)
         goto err;
 
     if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
@@ -860,15 +955,16 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
         goto err;
     }
 
-    EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_cleanup(&mctx);
 
     ASN1_STRING_set0(si->enc_digest, abuf, siglen);
 
     return 1;
 
  err:
-    OPENSSL_free(abuf);
-    EVP_MD_CTX_free(mctx);
+    if (abuf)
+        OPENSSL_free(abuf);
+    EVP_MD_CTX_cleanup(&mctx);
     return 0;
 
 }
@@ -934,18 +1030,14 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
                           X509 *x509)
 {
     ASN1_OCTET_STRING *os;
-    EVP_MD_CTX *mdc_tmp, *mdc;
+    EVP_MD_CTX mdc_tmp, *mdc;
     int ret = 0, i;
     int md_type;
     STACK_OF(X509_ATTRIBUTE) *sk;
     BIO *btmp;
     EVP_PKEY *pkey;
 
-    mdc_tmp = EVP_MD_CTX_new();
-    if (mdc_tmp == NULL) {
-        PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
+    EVP_MD_CTX_init(&mdc_tmp);
 
     if (!PKCS7_type_is_signed(p7) && !PKCS7_type_is_signedAndEnveloped(p7)) {
         PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_WRONG_PKCS7_TYPE);
@@ -982,7 +1074,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
      * mdc is the digest ctx that we want, unless there are attributes, in
      * which case the digest is the signed attributes
      */
-    if (!EVP_MD_CTX_copy_ex(mdc_tmp, mdc))
+    if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc))
         goto err;
 
     sk = si->auth_attr;
@@ -992,7 +1084,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
         int alen;
         ASN1_OCTET_STRING *message_digest;
 
-        if (!EVP_DigestFinal_ex(mdc_tmp, md_dat, &md_len))
+        if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len))
             goto err;
         message_digest = PKCS7_digest_from_attributes(sk);
         if (!message_digest) {
@@ -1002,12 +1094,23 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
         }
         if ((message_digest->length != (int)md_len) ||
             (memcmp(message_digest->data, md_dat, md_len))) {
+#if 0
+            {
+                int ii;
+                for (ii = 0; ii < message_digest->length; ii++)
+                    printf("%02X", message_digest->data[ii]);
+                printf(" sent\n");
+                for (ii = 0; ii < md_len; ii++)
+                    printf("%02X", md_dat[ii]);
+                printf(" calc\n");
+            }
+#endif
             PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_DIGEST_FAILURE);
             ret = -1;
             goto err;
         }
 
-        if (!EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL))
+        if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), NULL))
             goto err;
 
         alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
@@ -1017,28 +1120,29 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
             ret = -1;
             goto err;
         }
-        if (!EVP_VerifyUpdate(mdc_tmp, abuf, alen))
+        if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
             goto err;
 
         OPENSSL_free(abuf);
     }
 
     os = si->enc_digest;
-    pkey = X509_get0_pubkey(x509);
+    pkey = X509_get_pubkey(x509);
     if (!pkey) {
         ret = -1;
         goto err;
     }
 
-    i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
+    i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey);
+    EVP_PKEY_free(pkey);
     if (i <= 0) {
         PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
         ret = -1;
         goto err;
-    }
-    ret = 1;
+    } else
+        ret = 1;
  err:
-    EVP_MD_CTX_free(mdc_tmp);
+    EVP_MD_CTX_cleanup(&mdc_tmp);
     return (ret);
 }
 
@@ -1074,17 +1178,29 @@ ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
 
 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
 {
-    int idx;
+    int i;
     X509_ATTRIBUTE *xa;
-    idx = X509at_get_attr_by_NID(sk, nid, -1);
-    xa = X509at_get_attr(sk, idx);
-    return X509_ATTRIBUTE_get0_type(xa, 0);
+    ASN1_OBJECT *o;
+
+    o = OBJ_nid2obj(nid);
+    if (!o || !sk)
+        return (NULL);
+    for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+        xa = sk_X509_ATTRIBUTE_value(sk, i);
+        if (OBJ_cmp(xa->object, o) == 0) {
+            if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
+                return (sk_ASN1_TYPE_value(xa->value.set, 0));
+            else
+                return (NULL);
+        }
+    }
+    return (NULL);
 }
 
 ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
 {
     ASN1_TYPE *astype;
-    if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+    if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest)))
         return NULL;
     return astype->value.octet_string;
 }
@@ -1094,7 +1210,8 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
 {
     int i;
 
-    sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free);
+    if (p7si->auth_attr != NULL)
+        sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free);
     p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk);
     if (p7si->auth_attr == NULL)
         return 0;
@@ -1113,7 +1230,8 @@ int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,
 {
     int i;
 
-    sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free);
+    if (p7si->unauth_attr != NULL)
+        sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free);
     p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk);
     if (p7si->unauth_attr == NULL)
         return 0;
@@ -1145,10 +1263,11 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
     X509_ATTRIBUTE *attr = NULL;
 
     if (*sk == NULL) {
-        if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
+        *sk = sk_X509_ATTRIBUTE_new_null();
+        if (*sk == NULL)
             return 0;
  new_attrib:
-        if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
+        if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value)))
             return 0;
         if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
             X509_ATTRIBUTE_free(attr);
@@ -1159,7 +1278,7 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
 
         for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
             attr = sk_X509_ATTRIBUTE_value(*sk, i);
-            if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) {
+            if (OBJ_obj2nid(attr->object) == nid) {
                 X509_ATTRIBUTE_free(attr);
                 attr = X509_ATTRIBUTE_create(nid, atrtype, value);
                 if (attr == NULL)
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_enc.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_enc.c
deleted file mode 100644
index 3c59f9c8..00000000
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_enc.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/pkcs7.h>
-
-PKCS7_in_bio(PKCS7 *p7, BIO *in);
-PKCS7_out_bio(PKCS7 *p7, BIO *out);
-
-PKCS7_add_signer(PKCS7 *p7, X509 *cert, EVP_PKEY *key);
-PKCS7_cipher(PKCS7 *p7, EVP_CIPHER *cipher);
-
-PKCS7_Init(PKCS7 *p7);
-PKCS7_Update(PKCS7 *p7);
-PKCS7_Finish(PKCS7 *p7);
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c
index 69c68cf5..0c5fcaa6 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_lib.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pkcs7/pk7_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
+#include "asn1_locl.h"
 
 long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
 {
@@ -73,7 +121,8 @@ int PKCS7_content_new(PKCS7 *p7, int type)
 
     return (1);
  err:
-    PKCS7_free(ret);
+    if (ret != NULL)
+        PKCS7_free(ret);
     return (0);
 }
 
@@ -84,11 +133,13 @@ int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
     i = OBJ_obj2nid(p7->type);
     switch (i) {
     case NID_pkcs7_signed:
-        PKCS7_free(p7->d.sign->contents);
+        if (p7->d.sign->contents != NULL)
+            PKCS7_free(p7->d.sign->contents);
         p7->d.sign->contents = p7_data;
         break;
     case NID_pkcs7_digest:
-        PKCS7_free(p7->d.digest->contents);
+        if (p7->d.digest->contents != NULL)
+            PKCS7_free(p7->d.digest->contents);
         p7->d.digest->contents = p7_data;
         break;
     case NID_pkcs7_data:
@@ -126,7 +177,7 @@ int PKCS7_set_type(PKCS7 *p7, int type)
         break;
     case NID_pkcs7_data:
         p7->type = obj;
-        if ((p7->d.data = ASN1_OCTET_STRING_new()) == NULL)
+        if ((p7->d.data = M_ASN1_OCTET_STRING_new()) == NULL)
             goto err;
         break;
     case NID_pkcs7_signedAndEnveloped:
@@ -217,8 +268,8 @@ int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
         }
     }
     if (!j) {                   /* we need to add another algorithm */
-        if ((alg = X509_ALGOR_new()) == NULL
-            || (alg->parameter = ASN1_TYPE_new()) == NULL) {
+        if (!(alg = X509_ALGOR_new())
+            || !(alg->parameter = ASN1_TYPE_new())) {
             X509_ALGOR_free(alg);
             PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER, ERR_R_MALLOC_FAILURE);
             return (0);
@@ -260,7 +311,7 @@ int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
         PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-    X509_up_ref(x509);
+    CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
     if (!sk_X509_push(*sk, x509)) {
         X509_free(x509);
         return 0;
@@ -293,7 +344,7 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
         return 0;
     }
 
-    X509_CRL_up_ref(crl);
+    CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
     if (!sk_X509_CRL_push(*sk, crl)) {
         X509_CRL_free(crl);
         return 0;
@@ -317,13 +368,13 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
      * because ASN1_INTEGER_set is used to set a 'long' we will do things the
      * ugly way.
      */
-    ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
+    M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
     if (!(p7i->issuer_and_serial->serial =
-          ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+          M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
         goto err;
 
     /* lets keep the pkey around for a while */
-    EVP_PKEY_up_ref(pkey);
+    CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
     p7i->pkey = pkey;
 
     /* Set the algorithms */
@@ -371,14 +422,15 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
         goto err;
     return (si);
  err:
-    PKCS7_SIGNER_INFO_free(si);
+    if (si)
+        PKCS7_SIGNER_INFO_free(si);
     return (NULL);
 }
 
 int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
 {
     if (PKCS7_type_is_digest(p7)) {
-        if ((p7->d.digest->md->parameter = ASN1_TYPE_new()) == NULL) {
+        if (!(p7->d.digest->md->parameter = ASN1_TYPE_new())) {
             PKCS7err(PKCS7_F_PKCS7_SET_DIGEST, ERR_R_MALLOC_FAILURE);
             return 0;
         }
@@ -432,7 +484,8 @@ PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
         goto err;
     return ri;
  err:
-    PKCS7_RECIP_INFO_free(ri);
+    if (ri)
+        PKCS7_RECIP_INFO_free(ri);
     return NULL;
 }
 
@@ -470,12 +523,12 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
                        X509_get_issuer_name(x509)))
         return 0;
 
-    ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
+    M_ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
     if (!(p7i->issuer_and_serial->serial =
-          ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
+          M_ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
         return 0;
 
-    pkey = X509_get0_pubkey(x509);
+    pkey = X509_get_pubkey(x509);
 
     if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
         PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
@@ -495,12 +548,16 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
         goto err;
     }
 
-    X509_up_ref(x509);
+    EVP_PKEY_free(pkey);
+
+    CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
     p7i->cert = x509;
 
     return 1;
 
  err:
+    if (pkey)
+        EVP_PKEY_free(pkey);
     return 0;
 }
 
@@ -557,7 +614,7 @@ int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7)
     case NID_pkcs7_signedAndEnveloped:
         os = p7->d.signed_and_enveloped->enc_data->enc_data;
         if (os == NULL) {
-            os = ASN1_OCTET_STRING_new();
+            os = M_ASN1_OCTET_STRING_new();
             p7->d.signed_and_enveloped->enc_data->enc_data = os;
         }
         break;
@@ -565,7 +622,7 @@ int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7)
     case NID_pkcs7_enveloped:
         os = p7->d.enveloped->enc_data->enc_data;
         if (os == NULL) {
-            os = ASN1_OCTET_STRING_new();
+            os = M_ASN1_OCTET_STRING_new();
             p7->d.enveloped->enc_data->enc_data = os;
         }
         break;
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c
index 97474cf5..62fb2997 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_mime.c
@@ -1,15 +1,62 @@
+/* pk7_mime.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
index 5e2107e9..b27b0f68 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
@@ -1,20 +1,69 @@
+/* pk7_smime.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /* Simple PKCS#7 processing functions */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-
 #define BUFFERSIZE 4096
 
 static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
@@ -25,7 +74,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
     PKCS7 *p7;
     int i;
 
-    if ((p7 = PKCS7_new()) == NULL) {
+    if (!(p7 = PKCS7_new())) {
         PKCS7err(PKCS7_F_PKCS7_SIGN, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -66,8 +115,7 @@ int PKCS7_final(PKCS7 *p7, BIO *data, int flags)
 {
     BIO *p7bio;
     int ret = 0;
-
-    if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) {
+    if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
         PKCS7err(PKCS7_F_PKCS7_FINAL, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -118,7 +166,7 @@ PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert,
         return NULL;
     }
 
-    if ((si = PKCS7_add_signature(p7, signcert, pkey, md)) == NULL) {
+    if (!(si = PKCS7_add_signature(p7, signcert, pkey, md))) {
         PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER,
                  PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
         return NULL;
@@ -134,13 +182,11 @@ PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert,
             goto err;
         /* Add SMIMECapabilities */
         if (!(flags & PKCS7_NOSMIMECAP)) {
-            if ((smcap = sk_X509_ALGOR_new_null()) == NULL) {
+            if (!(smcap = sk_X509_ALGOR_new_null())) {
                 PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
             if (!add_cipher_smcap(smcap, NID_aes_256_cbc, -1)
-                || !add_digest_smcap(smcap, NID_id_GostR3411_2012_256, -1)
-                || !add_digest_smcap(smcap, NID_id_GostR3411_2012_512, -1)
                 || !add_digest_smcap(smcap, NID_id_GostR3411_94, -1)
                 || !add_cipher_smcap(smcap, NID_id_Gost28147_89, -1)
                 || !add_cipher_smcap(smcap, NID_aes_192_cbc, -1)
@@ -164,7 +210,8 @@ PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert,
     }
     return si;
  err:
-    sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
+    if (smcap)
+        sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
     return NULL;
 }
 
@@ -208,7 +255,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     X509 *signer;
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
     PKCS7_SIGNER_INFO *si;
-    X509_STORE_CTX *cert_ctx = NULL;
+    X509_STORE_CTX cert_ctx;
     char *buf = NULL;
     int i, j = 0, k, ret = 0;
     BIO *p7bio = NULL;
@@ -229,20 +276,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
         return 0;
     }
+#if 0
+    /*
+     * NB: this test commented out because some versions of Netscape
+     * illegally include zero length content when signing data. Also
+     * Microsoft Authenticode includes a SpcIndirectDataContent data
+     * structure which describes the content to be protected by the
+     * signature, rather than directly embedding that content. So
+     * Authenticode implementations are also expected to use
+     * PKCS7_verify() with explicit external data, on non-detached
+     * PKCS#7 signatures.
+     *
+     * In OpenSSL 1.1 a new flag PKCS7_NO_DUAL_CONTENT has been
+     * introduced to disable this sanity check. For the 1.0.2 branch
+     * this change is not acceptable, so the check remains completely
+     * commented out (as it has been for a long time).
+     */
 
-    if (flags & PKCS7_NO_DUAL_CONTENT) {
-        /*
-         * This was originally "#if 0" because we thought that only old broken
-         * Netscape did this.  It turns out that Authenticode uses this kind
-         * of "extended" PKCS7 format, and things like UEFI secure boot and
-         * tools like osslsigncode need it.  In Authenticode the verification
-         * process is different, but the existing PKCs7 verification works.
-         */
-        if (!PKCS7_get_detached(p7) && indata) {
-            PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
-            return 0;
-        }
+    /* Check for data and content: two sets of data */
+    if (!PKCS7_get_detached(p7) && indata) {
+        PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
+        return 0;
     }
+#endif
 
     sinfos = PKCS7_get_signer_info(p7);
 
@@ -257,29 +313,26 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 
     /* Now verify the certificates */
 
-    cert_ctx = X509_STORE_CTX_new();
-    if (cert_ctx == NULL)
-        goto err;
     if (!(flags & PKCS7_NOVERIFY))
         for (k = 0; k < sk_X509_num(signers); k++) {
             signer = sk_X509_value(signers, k);
             if (!(flags & PKCS7_NOCHAIN)) {
-                if (!X509_STORE_CTX_init(cert_ctx, store, signer,
+                if (!X509_STORE_CTX_init(&cert_ctx, store, signer,
                                          p7->d.sign->cert)) {
                     PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
                     goto err;
                 }
-                X509_STORE_CTX_set_default(cert_ctx, "smime_sign");
-            } else if (!X509_STORE_CTX_init(cert_ctx, store, signer, NULL)) {
+                X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
+            } else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL)) {
                 PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
                 goto err;
             }
             if (!(flags & PKCS7_NOCRL))
-                X509_STORE_CTX_set0_crls(cert_ctx, p7->d.sign->crl);
-            i = X509_verify_cert(cert_ctx);
+                X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
+            i = X509_verify_cert(&cert_ctx);
             if (i <= 0)
-                j = X509_STORE_CTX_get_error(cert_ctx);
-            X509_STORE_CTX_cleanup(cert_ctx);
+                j = X509_STORE_CTX_get_error(&cert_ctx);
+            X509_STORE_CTX_cleanup(&cert_ctx);
             if (i <= 0) {
                 PKCS7err(PKCS7_F_PKCS7_VERIFY,
                          PKCS7_R_CERTIFICATE_VERIFY_ERROR);
@@ -309,11 +362,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     } else
         tmpin = indata;
 
-    if ((p7bio = PKCS7_dataInit(p7, tmpin)) == NULL)
+    if (!(p7bio = PKCS7_dataInit(p7, tmpin)))
         goto err;
 
     if (flags & PKCS7_TEXT) {
-        if ((tmpout = BIO_new(BIO_s_mem())) == NULL) {
+        if (!(tmpout = BIO_new(BIO_s_mem()))) {
             PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
             goto err;
         }
@@ -358,7 +411,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     ret = 1;
 
  err:
-    X509_STORE_CTX_free(cert_ctx);
     OPENSSL_free(buf);
     if (tmpin == indata) {
         if (indata)
@@ -398,7 +450,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs,
         return 0;
     }
 
-    if ((signers = sk_X509_new_null()) == NULL) {
+    if (!(signers = sk_X509_new_null())) {
         PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -441,7 +493,7 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
     BIO *p7bio = NULL;
     int i;
     X509 *x509;
-    if ((p7 = PKCS7_new()) == NULL) {
+    if (!(p7 = PKCS7_new())) {
         PKCS7err(PKCS7_F_PKCS7_ENCRYPT, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -478,7 +530,8 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
 int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
 {
     BIO *tmpmem;
-    int ret = 0, i;
+    int ret = 0; /* current openssl sets 'ret' to zero here */
+    int i;
     char *buf = NULL;
 
     if (!p7) {
@@ -497,7 +550,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
         return 0;
     }
 
-    if ((tmpmem = PKCS7_dataDecode(p7, pkey, NULL, cert)) == NULL) {
+    if (!(tmpmem = PKCS7_dataDecode(p7, pkey, NULL, cert))) {
         PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_DECRYPT_ERROR);
         return 0;
     }
@@ -505,12 +558,12 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
     if (flags & PKCS7_TEXT) {
         BIO *tmpbuf, *bread;
         /* Encrypt BIOs can't do BIO_gets() so add a buffer BIO */
-        if ((tmpbuf = BIO_new(BIO_f_buffer())) == NULL) {
+        if (!(tmpbuf = BIO_new(BIO_f_buffer()))) {
             PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
             BIO_free_all(tmpmem);
             return 0;
         }
-        if ((bread = BIO_push(tmpbuf, tmpmem)) == NULL) {
+        if (!(bread = BIO_push(tmpbuf, tmpmem))) {
             PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
             BIO_free_all(tmpbuf);
             BIO_free_all(tmpmem);
@@ -540,9 +593,11 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
             break;
         }
         if (BIO_write(data, buf, i) != i) {
+            ret = 0;
             break;
         }
     }
+
 err:
     OPENSSL_free(buf);
     BIO_free_all(tmpmem);
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c b/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c
index d5baa9b8..323513fe 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pkcs7err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pkcs7/pkcs7err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,7 +70,10 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason)
 
 static ERR_STRING_DATA PKCS7_str_functs[] = {
-    {ERR_FUNC(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB), "do_pkcs7_signed_attrib"},
+    {ERR_FUNC(PKCS7_F_B64_READ_PKCS7), "B64_READ_PKCS7"},
+    {ERR_FUNC(PKCS7_F_B64_WRITE_PKCS7), "B64_WRITE_PKCS7"},
+    {ERR_FUNC(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB), "DO_PKCS7_SIGNED_ATTRIB"},
+    {ERR_FUNC(PKCS7_F_I2D_PKCS7_BIO_STREAM), "i2d_PKCS7_bio_stream"},
     {ERR_FUNC(PKCS7_F_PKCS7_ADD0_ATTRIB_SIGNING_TIME),
      "PKCS7_add0_attrib_signing_time"},
     {ERR_FUNC(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP),
@@ -29,20 +83,21 @@ static ERR_STRING_DATA PKCS7_str_functs[] = {
     {ERR_FUNC(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO), "PKCS7_add_recipient_info"},
     {ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNATURE), "PKCS7_add_signature"},
     {ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNER), "PKCS7_add_signer"},
-    {ERR_FUNC(PKCS7_F_PKCS7_BIO_ADD_DIGEST), "PKCS7_bio_add_digest"},
+    {ERR_FUNC(PKCS7_F_PKCS7_BIO_ADD_DIGEST), "PKCS7_BIO_ADD_DIGEST"},
     {ERR_FUNC(PKCS7_F_PKCS7_COPY_EXISTING_DIGEST),
-     "pkcs7_copy_existing_digest"},
+     "PKCS7_COPY_EXISTING_DIGEST"},
     {ERR_FUNC(PKCS7_F_PKCS7_CTRL), "PKCS7_ctrl"},
     {ERR_FUNC(PKCS7_F_PKCS7_DATADECODE), "PKCS7_dataDecode"},
     {ERR_FUNC(PKCS7_F_PKCS7_DATAFINAL), "PKCS7_dataFinal"},
     {ERR_FUNC(PKCS7_F_PKCS7_DATAINIT), "PKCS7_dataInit"},
+    {ERR_FUNC(PKCS7_F_PKCS7_DATASIGN), "PKCS7_DATASIGN"},
     {ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY), "PKCS7_dataVerify"},
     {ERR_FUNC(PKCS7_F_PKCS7_DECRYPT), "PKCS7_decrypt"},
-    {ERR_FUNC(PKCS7_F_PKCS7_DECRYPT_RINFO), "pkcs7_decrypt_rinfo"},
-    {ERR_FUNC(PKCS7_F_PKCS7_ENCODE_RINFO), "pkcs7_encode_rinfo"},
+    {ERR_FUNC(PKCS7_F_PKCS7_DECRYPT_RINFO), "PKCS7_DECRYPT_RINFO"},
+    {ERR_FUNC(PKCS7_F_PKCS7_ENCODE_RINFO), "PKCS7_ENCODE_RINFO"},
     {ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT), "PKCS7_encrypt"},
     {ERR_FUNC(PKCS7_F_PKCS7_FINAL), "PKCS7_final"},
-    {ERR_FUNC(PKCS7_F_PKCS7_FIND_DIGEST), "PKCS7_find_digest"},
+    {ERR_FUNC(PKCS7_F_PKCS7_FIND_DIGEST), "PKCS7_FIND_DIGEST"},
     {ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS), "PKCS7_get0_signers"},
     {ERR_FUNC(PKCS7_F_PKCS7_RECIP_INFO_SET), "PKCS7_RECIP_INFO_set"},
     {ERR_FUNC(PKCS7_F_PKCS7_SET_CIPHER), "PKCS7_set_cipher"},
@@ -56,6 +111,8 @@ static ERR_STRING_DATA PKCS7_str_functs[] = {
     {ERR_FUNC(PKCS7_F_PKCS7_SIGN_ADD_SIGNER), "PKCS7_sign_add_signer"},
     {ERR_FUNC(PKCS7_F_PKCS7_SIMPLE_SMIMECAP), "PKCS7_simple_smimecap"},
     {ERR_FUNC(PKCS7_F_PKCS7_VERIFY), "PKCS7_verify"},
+    {ERR_FUNC(PKCS7_F_SMIME_READ_PKCS7), "SMIME_read_PKCS7"},
+    {ERR_FUNC(PKCS7_F_SMIME_TEXT), "SMIME_text"},
     {0, NULL}
 };
 
@@ -68,6 +125,9 @@ static ERR_STRING_DATA PKCS7_str_reasons[] = {
     {ERR_REASON(PKCS7_R_CONTENT_AND_DATA_PRESENT),
      "content and data present"},
     {ERR_REASON(PKCS7_R_CTRL_ERROR), "ctrl error"},
+    {ERR_REASON(PKCS7_R_DECODE_ERROR), "decode error"},
+    {ERR_REASON(PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH),
+     "decrypted key is wrong length"},
     {ERR_REASON(PKCS7_R_DECRYPT_ERROR), "decrypt error"},
     {ERR_REASON(PKCS7_R_DIGEST_FAILURE), "digest failure"},
     {ERR_REASON(PKCS7_R_ENCRYPTION_CTRL_FAILURE), "encryption ctrl failure"},
@@ -75,23 +135,39 @@ static ERR_STRING_DATA PKCS7_str_reasons[] = {
      "encryption not supported for this key type"},
     {ERR_REASON(PKCS7_R_ERROR_ADDING_RECIPIENT), "error adding recipient"},
     {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER), "error setting cipher"},
+    {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE), "invalid mime type"},
     {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER), "invalid null pointer"},
     {ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),
      "invalid signed data type"},
+    {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE), "mime no content type"},
+    {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR), "mime parse error"},
+    {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR), "mime sig parse error"},
+    {ERR_REASON(PKCS7_R_MISSING_CERIPEND_INFO), "missing ceripend info"},
     {ERR_REASON(PKCS7_R_NO_CONTENT), "no content"},
+    {ERR_REASON(PKCS7_R_NO_CONTENT_TYPE), "no content type"},
     {ERR_REASON(PKCS7_R_NO_DEFAULT_DIGEST), "no default digest"},
     {ERR_REASON(PKCS7_R_NO_MATCHING_DIGEST_TYPE_FOUND),
      "no matching digest type found"},
+    {ERR_REASON(PKCS7_R_NO_MULTIPART_BODY_FAILURE),
+     "no multipart body failure"},
+    {ERR_REASON(PKCS7_R_NO_MULTIPART_BOUNDARY), "no multipart boundary"},
     {ERR_REASON(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE),
      "no recipient matches certificate"},
+    {ERR_REASON(PKCS7_R_NO_RECIPIENT_MATCHES_KEY),
+     "no recipient matches key"},
     {ERR_REASON(PKCS7_R_NO_SIGNATURES_ON_DATA), "no signatures on data"},
     {ERR_REASON(PKCS7_R_NO_SIGNERS), "no signers"},
+    {ERR_REASON(PKCS7_R_NO_SIG_CONTENT_TYPE), "no sig content type"},
     {ERR_REASON(PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE),
      "operation not supported on this type"},
     {ERR_REASON(PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR),
      "pkcs7 add signature error"},
     {ERR_REASON(PKCS7_R_PKCS7_ADD_SIGNER_ERROR), "pkcs7 add signer error"},
+    {ERR_REASON(PKCS7_R_PKCS7_DATAFINAL), "pkcs7 datafinal"},
+    {ERR_REASON(PKCS7_R_PKCS7_DATAFINAL_ERROR), "pkcs7 datafinal error"},
     {ERR_REASON(PKCS7_R_PKCS7_DATASIGN), "pkcs7 datasign"},
+    {ERR_REASON(PKCS7_R_PKCS7_PARSE_ERROR), "pkcs7 parse error"},
+    {ERR_REASON(PKCS7_R_PKCS7_SIG_PARSE_ERROR), "pkcs7 sig parse error"},
     {ERR_REASON(PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),
      "private key does not match certificate"},
     {ERR_REASON(PKCS7_R_SIGNATURE_FAILURE), "signature failure"},
@@ -100,6 +176,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[] = {
     {ERR_REASON(PKCS7_R_SIGNING_CTRL_FAILURE), "signing ctrl failure"},
     {ERR_REASON(PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE),
      "signing not supported for this key type"},
+    {ERR_REASON(PKCS7_R_SIG_INVALID_MIME_TYPE), "sig invalid mime type"},
     {ERR_REASON(PKCS7_R_SMIME_TEXT_ERROR), "smime text error"},
     {ERR_REASON(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE),
      "unable to find certificate"},
@@ -118,7 +195,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[] = {
 
 #endif
 
-int ERR_load_PKCS7_strings(void)
+void ERR_load_PKCS7_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -127,5 +204,4 @@ int ERR_load_PKCS7_strings(void)
         ERR_load_strings(0, PKCS7_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/rand/md_rand.c b/Cryptlib/OpenSSL/crypto/rand/md_rand.c
index 85ce4e6f..bd76e23e 100644
--- a/Cryptlib/OpenSSL/crypto/rand/md_rand.c
+++ b/Cryptlib/OpenSSL/crypto/rand/md_rand.c
@@ -1,38 +1,134 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rand/md_rand.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#define OPENSSL_FIPSEVP
 
+#ifdef MD_RAND_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+
+#include <assert.h>
 #include <stdio.h>
 #include <string.h>
 
 #include "e_os.h"
 
-#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_DSPBIOS))
-# include <sys/time.h>
-#endif
-#if defined(OPENSSL_SYS_VXWORKS)
-# include <time.h>
-#endif
-
-#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
-#include <openssl/async.h>
 #include "rand_lcl.h"
 
 #include <openssl/err.h>
 
-#include <internal/thread_once.h>
-
-#ifdef OPENSSL_FIPS
-# include <openssl/fips.h>
-#endif
-
 #ifdef BN_DEBUG
 # define PREDICT
 #endif
@@ -48,59 +144,41 @@ static long md_count[2] = { 0, 0 };
 static double entropy = 0;
 static int initialized = 0;
 
-static CRYPTO_RWLOCK *rand_lock = NULL;
-static CRYPTO_RWLOCK *rand_tmp_lock = NULL;
-static CRYPTO_ONCE rand_lock_init = CRYPTO_ONCE_STATIC_INIT;
-
-/* May be set only when a thread holds rand_lock (to prevent double locking) */
-static unsigned int crypto_lock_rand = 0;
-/* access to locking_threadid is synchronized by rand_tmp_lock */
+static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
+                                           * holds CRYPTO_LOCK_RAND (to
+                                           * prevent double locking) */
+/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
 /* valid iff crypto_lock_rand is set */
-static CRYPTO_THREAD_ID locking_threadid;
+static CRYPTO_THREADID locking_threadid;
 
 #ifdef PREDICT
 int rand_predictable = 0;
 #endif
 
-static int rand_hw_seed(EVP_MD_CTX *ctx);
-
-static void rand_cleanup(void);
-static int rand_seed(const void *buf, int num);
-static int rand_add(const void *buf, int num, double add_entropy);
-static int rand_bytes(unsigned char *buf, int num, int pseudo);
-static int rand_nopseudo_bytes(unsigned char *buf, int num);
-#if OPENSSL_API_COMPAT < 0x10100000L
-static int rand_pseudo_bytes(unsigned char *buf, int num);
-#endif
-static int rand_status(void);
-
-static RAND_METHOD rand_meth = {
-    rand_seed,
-    rand_nopseudo_bytes,
-    rand_cleanup,
-    rand_add,
-#if OPENSSL_API_COMPAT < 0x10100000L
-    rand_pseudo_bytes,
-#else
-    NULL,
-#endif
-    rand_status
+const char RAND_version[] = "RAND" OPENSSL_VERSION_PTEXT;
+
+static void ssleay_rand_cleanup(void);
+static void ssleay_rand_seed(const void *buf, int num);
+static void ssleay_rand_add(const void *buf, int num, double add_entropy);
+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
+static int ssleay_rand_status(void);
+
+RAND_METHOD rand_ssleay_meth = {
+    ssleay_rand_seed,
+    ssleay_rand_nopseudo_bytes,
+    ssleay_rand_cleanup,
+    ssleay_rand_add,
+    ssleay_rand_pseudo_bytes,
+    ssleay_rand_status
 };
 
-DEFINE_RUN_ONCE_STATIC(do_rand_lock_init)
-{
-    OPENSSL_init_crypto(0, NULL);
-    rand_lock = CRYPTO_THREAD_lock_new();
-    rand_tmp_lock = CRYPTO_THREAD_lock_new();
-    return rand_lock != NULL && rand_tmp_lock != NULL;
-}
-
-RAND_METHOD *RAND_OpenSSL(void)
+RAND_METHOD *RAND_SSLeay(void)
 {
-    return (&rand_meth);
+    return (&rand_ssleay_meth);
 }
 
-static void rand_cleanup(void)
+static void ssleay_rand_cleanup(void)
 {
     OPENSSL_cleanse(state, sizeof(state));
     state_num = 0;
@@ -110,21 +188,18 @@ static void rand_cleanup(void)
     md_count[1] = 0;
     entropy = 0;
     initialized = 0;
-    CRYPTO_THREAD_lock_free(rand_lock);
-    CRYPTO_THREAD_lock_free(rand_tmp_lock);
 }
 
-static int rand_add(const void *buf, int num, double add)
+static void ssleay_rand_add(const void *buf, int num, double add)
 {
     int i, j, k, st_idx;
     long md_c[2];
     unsigned char local_md[MD_DIGEST_LENGTH];
-    EVP_MD_CTX *m;
+    EVP_MD_CTX m;
     int do_not_lock;
-    int rv = 0;
 
     if (!num)
-        return 1;
+        return;
 
     /*
      * (Based on the rand(3) manpage)
@@ -141,24 +216,18 @@ static int rand_add(const void *buf, int num, double add)
      * hash function.
      */
 
-    m = EVP_MD_CTX_new();
-    if (m == NULL)
-        goto err;
-
-    if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
-        goto err;
-
     /* check if we already have the lock */
     if (crypto_lock_rand) {
-        CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
-        CRYPTO_THREAD_read_lock(rand_tmp_lock);
-        do_not_lock = CRYPTO_THREAD_compare_id(locking_threadid, cur);
-        CRYPTO_THREAD_unlock(rand_tmp_lock);
+        CRYPTO_THREADID cur;
+        CRYPTO_THREADID_current(&cur);
+        CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
+        do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
+        CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
     } else
         do_not_lock = 0;
 
     if (!do_not_lock)
-        CRYPTO_THREAD_write_lock(rand_lock);
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
     st_idx = state_index;
 
     /*
@@ -190,28 +259,24 @@ static int rand_add(const void *buf, int num, double add)
     md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
 
     if (!do_not_lock)
-        CRYPTO_THREAD_unlock(rand_lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
+    EVP_MD_CTX_init(&m);
     for (i = 0; i < num; i += MD_DIGEST_LENGTH) {
         j = (num - i);
         j = (j > MD_DIGEST_LENGTH) ? MD_DIGEST_LENGTH : j;
 
-        if (!MD_Init(m))
-            goto err;
-        if (!MD_Update(m, local_md, MD_DIGEST_LENGTH))
-            goto err;
+        MD_Init(&m);
+        MD_Update(&m, local_md, MD_DIGEST_LENGTH);
         k = (st_idx + j) - STATE_SIZE;
         if (k > 0) {
-            if (!MD_Update(m, &(state[st_idx]), j - k))
-                goto err;
-            if (!MD_Update(m, &(state[0]), k))
-                goto err;
-        } else if (!MD_Update(m, &(state[st_idx]), j))
-            goto err;
+            MD_Update(&m, &(state[st_idx]), j - k);
+            MD_Update(&m, &(state[0]), k);
+        } else
+            MD_Update(&m, &(state[st_idx]), j);
 
         /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
-        if (!MD_Update(m, buf, j))
-            goto err;
+        MD_Update(&m, buf, j);
         /*
          * We know that line may cause programs such as purify and valgrind
          * to complain about use of uninitialized data.  The problem is not,
@@ -220,10 +285,8 @@ static int rand_add(const void *buf, int num, double add)
          * insecure keys.
          */
 
-        if (!MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c)))
-            goto err;
-        if (!MD_Final(m, local_md))
-            goto err;
+        MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c));
+        MD_Final(&m, local_md);
         md_c[1]++;
 
         buf = (const char *)buf + j;
@@ -232,7 +295,7 @@ static int rand_add(const void *buf, int num, double add)
             /*
              * Parallel threads may interfere with this, but always each byte
              * of the new state is the XOR of some previous value of its and
-             * local_md (intermediate values may be lost). Alway using locking
+             * local_md (itermediate values may be lost). Alway using locking
              * could hurt performance more than necessary given that
              * conflicts occur only when the total seeding is longer than the
              * random state.
@@ -242,9 +305,10 @@ static int rand_add(const void *buf, int num, double add)
                 st_idx = 0;
         }
     }
+    EVP_MD_CTX_cleanup(&m);
 
     if (!do_not_lock)
-        CRYPTO_THREAD_write_lock(rand_lock);
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
     /*
      * Don't just copy back local_md into md -- this could mean that other
      * thread's seeding remains without effect (except for the incremented
@@ -257,20 +321,19 @@ static int rand_add(const void *buf, int num, double add)
     if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
         entropy += add;
     if (!do_not_lock)
-        CRYPTO_THREAD_unlock(rand_lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
-    rv = 1;
- err:
-    EVP_MD_CTX_free(m);
-    return rv;
+#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
+    assert(md_c[1] == md_count[1]);
+#endif
 }
 
-static int rand_seed(const void *buf, int num)
+static void ssleay_rand_seed(const void *buf, int num)
 {
-    return rand_add(buf, num, (double)num);
+    ssleay_rand_add(buf, num, (double)num);
 }
 
-static int rand_bytes(unsigned char *buf, int num, int pseudo)
+int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
 {
     static volatile int stirred_pool = 0;
     int i, j, k;
@@ -278,32 +341,11 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
     int ok;
     long md_c[2];
     unsigned char local_md[MD_DIGEST_LENGTH];
-    EVP_MD_CTX *m;
+    EVP_MD_CTX m;
 #ifndef GETPID_IS_MEANINGLESS
     pid_t curr_pid = getpid();
 #endif
-    time_t curr_time = time(NULL);
     int do_stir_pool = 0;
-/* time value for various platforms */
-#ifdef OPENSSL_SYS_WIN32
-    FILETIME tv;
-# ifdef _WIN32_WCE
-    SYSTEMTIME t;
-    GetSystemTime(&t);
-    SystemTimeToFileTime(&t, &tv);
-# else
-    GetSystemTimeAsFileTime(&tv);
-# endif
-#elif defined(OPENSSL_SYS_VXWORKS)
-    struct timespec tv;
-    clock_gettime(CLOCK_REALTIME, &ts);
-#elif defined(OPENSSL_SYS_DSPBIOS)
-    unsigned long long tv, OPENSSL_rdtsc();
-    tv = OPENSSL_rdtsc();
-#else
-    struct timeval tv;
-    gettimeofday(&tv, NULL);
-#endif
 
 #ifdef PREDICT
     if (rand_predictable) {
@@ -318,10 +360,7 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
     if (num <= 0)
         return 1;
 
-    m = EVP_MD_CTX_new();
-    if (m == NULL)
-        goto err_mem;
-
+    EVP_MD_CTX_init(&m);
     /* round upwards to multiple of MD_DIGEST_LENGTH/2 */
     num_ceil =
         (1 + (num - 1) / (MD_DIGEST_LENGTH / 2)) * (MD_DIGEST_LENGTH / 2);
@@ -343,21 +382,13 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
      * are fed into the hash function and the results are kept in the
      * global 'md'.
      */
+    if (lock)
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
-    if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
-        goto err_mem;
-
-    CRYPTO_THREAD_write_lock(rand_lock);
-    /*
-     * We could end up in an async engine while holding this lock so ensure
-     * we don't pause and cause a deadlock
-     */
-    ASYNC_block_pause();
-
-    /* prevent rand_bytes() from trying to obtain the lock again */
-    CRYPTO_THREAD_write_lock(rand_tmp_lock);
-    locking_threadid = CRYPTO_THREAD_get_current_id();
-    CRYPTO_THREAD_unlock(rand_tmp_lock);
+    /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
+    CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
+    CRYPTO_THREADID_current(&locking_threadid);
+    CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
     crypto_lock_rand = 1;
 
     if (!initialized) {
@@ -391,7 +422,7 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
          * In the output function only half of 'md' remains secret, so we
          * better make sure that the required entropy gets 'evenly
          * distributed' through 'state', our randomness pool. The input
-         * function (rand_add) chains all of 'md', which makes it more
+         * function (ssleay_rand_add) chains all of 'md', which makes it more
          * suitable for this purpose.
          */
 
@@ -403,9 +434,9 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
 #define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */
             /*
              * Note that the seed does not matter, it's just that
-             * rand_add expects to have something to hash.
+             * ssleay_rand_add expects to have something to hash.
              */
-            rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
+            ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
             n -= MD_DIGEST_LENGTH;
         }
         if (ok)
@@ -431,46 +462,41 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
 
     /* before unlocking, we must clear 'crypto_lock_rand' */
     crypto_lock_rand = 0;
-    ASYNC_unblock_pause();
-    CRYPTO_THREAD_unlock(rand_lock);
+    if (lock)
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
     while (num > 0) {
         /* num_ceil -= MD_DIGEST_LENGTH/2 */
         j = (num >= MD_DIGEST_LENGTH / 2) ? MD_DIGEST_LENGTH / 2 : num;
         num -= j;
-        if (!MD_Init(m))
-            goto err;
+        MD_Init(&m);
 #ifndef GETPID_IS_MEANINGLESS
         if (curr_pid) {         /* just in the first iteration to save time */
-            if (!MD_Update(m, (unsigned char *)&curr_pid, sizeof curr_pid))
-                goto err;
+            MD_Update(&m, (unsigned char *)&curr_pid, sizeof curr_pid);
             curr_pid = 0;
         }
 #endif
-        if (curr_time) {        /* just in the first iteration to save time */
-            if (!MD_Update(m, (unsigned char *)&curr_time, sizeof curr_time))
-                goto err;
-            if (!MD_Update(m, (unsigned char *)&tv, sizeof tv))
-                goto err;
-            curr_time = 0;
-            if (!rand_hw_seed(m))
-                goto err;
-        }
-        if (!MD_Update(m, local_md, MD_DIGEST_LENGTH))
-            goto err;
-        if (!MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c)))
-            goto err;
+        MD_Update(&m, local_md, MD_DIGEST_LENGTH);
+        MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c));
+
+#ifndef PURIFY                  /* purify complains */
+        /*
+         * The following line uses the supplied buffer as a small source of
+         * entropy: since this buffer is often uninitialised it may cause
+         * programs such as purify or valgrind to complain. So for those
+         * builds it is not used: the removal of such a small source of
+         * entropy has negligible impact on security.
+         */
+        MD_Update(&m, buf, j);
+#endif
 
         k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num;
         if (k > 0) {
-            if (!MD_Update(m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k))
-                goto err;
-            if (!MD_Update(m, &(state[0]), k))
-                goto err;
-        } else if (!MD_Update(m, &(state[st_idx]), MD_DIGEST_LENGTH / 2))
-            goto err;
-        if (!MD_Final(m, local_md))
-            goto err;
+            MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2 - k);
+            MD_Update(&m, &(state[0]), k);
+        } else
+            MD_Update(&m, &(state[st_idx]), MD_DIGEST_LENGTH / 2);
+        MD_Final(&m, local_md);
 
         for (i = 0; i < MD_DIGEST_LENGTH / 2; i++) {
             /* may compete with other threads */
@@ -482,93 +508,69 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
         }
     }
 
-    if (!MD_Init(m)
-        || !MD_Update(m, (unsigned char *)&(md_c[0]), sizeof(md_c))
-        || !MD_Update(m, local_md, MD_DIGEST_LENGTH))
-        goto err;
-    CRYPTO_THREAD_write_lock(rand_lock);
-    /*
-     * Prevent deadlocks if we end up in an async engine
-     */
-    ASYNC_block_pause();
-    if (!MD_Update(m, md, MD_DIGEST_LENGTH) || !MD_Final(m, md)) {
-        CRYPTO_THREAD_unlock(rand_lock);
-        goto err;
-    }
-    ASYNC_unblock_pause();
-    CRYPTO_THREAD_unlock(rand_lock);
-
-    EVP_MD_CTX_free(m);
+    MD_Init(&m);
+    MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c));
+    MD_Update(&m, local_md, MD_DIGEST_LENGTH);
+    if (lock)
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+    MD_Update(&m, md, MD_DIGEST_LENGTH);
+    MD_Final(&m, md);
+    if (lock)
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+    EVP_MD_CTX_cleanup(&m);
     if (ok)
         return (1);
     else if (pseudo)
         return 0;
     else {
-        RANDerr(RAND_F_RAND_BYTES, RAND_R_PRNG_NOT_SEEDED);
+        RANDerr(RAND_F_SSLEAY_RAND_BYTES, RAND_R_PRNG_NOT_SEEDED);
         ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
-                           "https://www.openssl.org/docs/faq.html");
+                           "http://www.openssl.org/support/faq.html");
         return (0);
     }
- err:
-    RANDerr(RAND_F_RAND_BYTES, ERR_R_EVP_LIB);
-    EVP_MD_CTX_free(m);
-    return 0;
- err_mem:
-    RANDerr(RAND_F_RAND_BYTES, ERR_R_MALLOC_FAILURE);
-    EVP_MD_CTX_free(m);
-    return 0;
-
 }
 
-static int rand_nopseudo_bytes(unsigned char *buf, int num)
+static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
 {
-    return rand_bytes(buf, num, 0);
+    return ssleay_rand_bytes(buf, num, 0, 1);
 }
 
-#if OPENSSL_API_COMPAT < 0x10100000L
 /*
  * pseudo-random bytes that are guaranteed to be unique but not unpredictable
  */
-static int rand_pseudo_bytes(unsigned char *buf, int num)
+static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
 {
-    return rand_bytes(buf, num, 1);
+    return ssleay_rand_bytes(buf, num, 1, 1);
 }
-#endif
 
-static int rand_status(void)
+static int ssleay_rand_status(void)
 {
-    CRYPTO_THREAD_ID cur;
+    CRYPTO_THREADID cur;
     int ret;
     int do_not_lock;
 
-    if (!RUN_ONCE(&rand_lock_init, do_rand_lock_init))
-        return 0;
-
-    cur = CRYPTO_THREAD_get_current_id();
+    CRYPTO_THREADID_current(&cur);
     /*
      * check if we already have the lock (could happen if a RAND_poll()
      * implementation calls RAND_status())
      */
     if (crypto_lock_rand) {
-        CRYPTO_THREAD_read_lock(rand_tmp_lock);
-        do_not_lock = CRYPTO_THREAD_compare_id(locking_threadid, cur);
-        CRYPTO_THREAD_unlock(rand_tmp_lock);
+        CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
+        do_not_lock = !CRYPTO_THREADID_cmp(&locking_threadid, &cur);
+        CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
     } else
         do_not_lock = 0;
 
     if (!do_not_lock) {
-        CRYPTO_THREAD_write_lock(rand_lock);
-        /*
-         * Prevent deadlocks in case we end up in an async engine
-         */
-        ASYNC_block_pause();
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
         /*
-         * prevent rand_bytes() from trying to obtain the lock again
+         * prevent ssleay_rand_bytes() from trying to obtain the lock again
          */
-        CRYPTO_THREAD_write_lock(rand_tmp_lock);
-        locking_threadid = cur;
-        CRYPTO_THREAD_unlock(rand_tmp_lock);
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
+        CRYPTO_THREADID_cpy(&locking_threadid, &cur);
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
         crypto_lock_rand = 1;
     }
 
@@ -583,84 +585,8 @@ static int rand_status(void)
         /* before unlocking, we must clear 'crypto_lock_rand' */
         crypto_lock_rand = 0;
 
-        ASYNC_unblock_pause();
-        CRYPTO_THREAD_unlock(rand_lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
     }
 
     return ret;
 }
-
-/*
- * rand_hw_seed: get seed data from any available hardware RNG. only
- * currently supports rdrand.
- */
-
-/* Adapted from eng_rdrand.c */
-
-#if (defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
-     defined(__x86_64) || defined(__x86_64__) || \
-     defined(_M_AMD64) || defined (_M_X64)) && defined(OPENSSL_CPUID_OBJ) \
-     && !defined(OPENSSL_NO_RDRAND)
-
-# define RDRAND_CALLS    4
-
-size_t OPENSSL_ia32_rdrand(void);
-extern unsigned int OPENSSL_ia32cap_P[];
-
-static int rand_hw_seed(EVP_MD_CTX *ctx)
-{
-    int i;
-    if (!(OPENSSL_ia32cap_P[1] & (1 << (62 - 32))))
-        return 1;
-    for (i = 0; i < RDRAND_CALLS; i++) {
-        size_t rnd;
-        rnd = OPENSSL_ia32_rdrand();
-        if (rnd == 0)
-            return 1;
-        if (!MD_Update(ctx, (unsigned char *)&rnd, sizeof(size_t)))
-            return 0;
-    }
-    return 1;
-}
-
-/* XOR an existing buffer with random data */
-
-void rand_hw_xor(unsigned char *buf, size_t num)
-{
-    size_t rnd;
-    if (!(OPENSSL_ia32cap_P[1] & (1 << (62 - 32))))
-        return;
-    while (num >= sizeof(size_t)) {
-        rnd = OPENSSL_ia32_rdrand();
-        if (rnd == 0)
-            return;
-        *((size_t *)buf) ^= rnd;
-        buf += sizeof(size_t);
-        num -= sizeof(size_t);
-    }
-    if (num) {
-        rnd = OPENSSL_ia32_rdrand();
-        if (rnd == 0)
-            return;
-        while (num) {
-            *buf ^= rnd & 0xff;
-            rnd >>= 8;
-            buf++;
-            num--;
-        }
-    }
-}
-
-#else
-
-static int rand_hw_seed(EVP_MD_CTX *ctx)
-{
-    return 1;
-}
-
-void rand_hw_xor(unsigned char *buf, size_t num)
-{
-    return;
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_egd.c b/Cryptlib/OpenSSL/crypto/rand/rand_egd.c
deleted file mode 100644
index dd58b214..00000000
--- a/Cryptlib/OpenSSL/crypto/rand/rand_egd.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_EGD
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <openssl/crypto.h>
-# include <openssl/e_os2.h>
-# include <openssl/rand.h>
-
-/*-
- * Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
- *
- * This module supplies three routines:
- *
- * RAND_query_egd_bytes(path, buf, bytes)
- *   will actually query "bytes" bytes of entropy form the egd-socket located
- *   at path and will write them to buf (if supplied) or will directly feed
- *   it to RAND_seed() if buf==NULL.
- *   The number of bytes is not limited by the maximum chunk size of EGD,
- *   which is 255 bytes. If more than 255 bytes are wanted, several chunks
- *   of entropy bytes are requested. The connection is left open until the
- *   query is competed.
- *   RAND_query_egd_bytes() returns with
- *     -1  if an error occurred during connection or communication.
- *     num the number of bytes read from the EGD socket. This number is either
- *         the number of bytes requested or smaller, if the EGD pool is
- *         drained and the daemon signals that the pool is empty.
- *   This routine does not touch any RAND_status(). This is necessary, since
- *   PRNG functions may call it during initialization.
- *
- * RAND_egd_bytes(path, bytes) will query "bytes" bytes and have them
- *   used to seed the PRNG.
- *   RAND_egd_bytes() is a wrapper for RAND_query_egd_bytes() with buf=NULL.
- *   Unlike RAND_query_egd_bytes(), RAND_status() is used to test the
- *   seed status so that the return value can reflect the seed state:
- *     -1  if an error occurred during connection or communication _or_
- *         if the PRNG has still not received the required seeding.
- *     num the number of bytes read from the EGD socket. This number is either
- *         the number of bytes requested or smaller, if the EGD pool is
- *         drained and the daemon signals that the pool is empty.
- *
- * RAND_egd(path) will query 255 bytes and use the bytes retrieved to seed
- *   the PRNG.
- *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
- */
-
-# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI)
-int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
-{
-    return (-1);
-}
-
-int RAND_egd(const char *path)
-{
-    return (-1);
-}
-
-int RAND_egd_bytes(const char *path, int bytes)
-{
-    return (-1);
-}
-# else
-#  include <openssl/opensslconf.h>
-#  include OPENSSL_UNISTD
-#  include <stddef.h>
-#  include <sys/types.h>
-#  include <sys/socket.h>
-#  ifndef NO_SYS_UN_H
-#   ifdef OPENSSL_SYS_VXWORKS
-#    include <streams/un.h>
-#   else
-#    include <sys/un.h>
-#   endif
-#  else
-struct sockaddr_un {
-    short sun_family;           /* AF_UNIX */
-    char sun_path[108];         /* path name (gag) */
-};
-#  endif                         /* NO_SYS_UN_H */
-#  include <string.h>
-#  include <errno.h>
-
-int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
-{
-    int ret = 0;
-    struct sockaddr_un addr;
-    int len, num, numbytes;
-    int fd = -1;
-    int success;
-    unsigned char egdbuf[2], tempbuf[255], *retrievebuf;
-
-    memset(&addr, 0, sizeof(addr));
-    addr.sun_family = AF_UNIX;
-    if (strlen(path) >= sizeof(addr.sun_path))
-        return (-1);
-    OPENSSL_strlcpy(addr.sun_path, path, sizeof addr.sun_path);
-    len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
-    fd = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (fd == -1)
-        return (-1);
-    success = 0;
-    while (!success) {
-        if (connect(fd, (struct sockaddr *)&addr, len) == 0)
-            success = 1;
-        else {
-            switch (errno) {
-#  ifdef EINTR
-            case EINTR:
-#  endif
-#  ifdef EAGAIN
-            case EAGAIN:
-#  endif
-#  ifdef EINPROGRESS
-            case EINPROGRESS:
-#  endif
-#  ifdef EALREADY
-            case EALREADY:
-#  endif
-                /* No error, try again */
-                break;
-#  ifdef EISCONN
-            case EISCONN:
-                success = 1;
-                break;
-#  endif
-            default:
-                ret = -1;
-                goto err;       /* failure */
-            }
-        }
-    }
-
-    while (bytes > 0) {
-        egdbuf[0] = 1;
-        egdbuf[1] = bytes < 255 ? bytes : 255;
-        numbytes = 0;
-        while (numbytes != 2) {
-            num = write(fd, egdbuf + numbytes, 2 - numbytes);
-            if (num >= 0)
-                numbytes += num;
-            else {
-                switch (errno) {
-#  ifdef EINTR
-                case EINTR:
-#  endif
-#  ifdef EAGAIN
-                case EAGAIN:
-#  endif
-                    /* No error, try again */
-                    break;
-                default:
-                    ret = -1;
-                    goto err;   /* failure */
-                }
-            }
-        }
-        numbytes = 0;
-        while (numbytes != 1) {
-            num = read(fd, egdbuf, 1);
-            if (num == 0)
-                goto err;       /* descriptor closed */
-            else if (num > 0)
-                numbytes += num;
-            else {
-                switch (errno) {
-#  ifdef EINTR
-                case EINTR:
-#  endif
-#  ifdef EAGAIN
-                case EAGAIN:
-#  endif
-                    /* No error, try again */
-                    break;
-                default:
-                    ret = -1;
-                    goto err;   /* failure */
-                }
-            }
-        }
-        if (egdbuf[0] == 0)
-            goto err;
-        if (buf)
-            retrievebuf = buf + ret;
-        else
-            retrievebuf = tempbuf;
-        numbytes = 0;
-        while (numbytes != egdbuf[0]) {
-            num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes);
-            if (num == 0)
-                goto err;       /* descriptor closed */
-            else if (num > 0)
-                numbytes += num;
-            else {
-                switch (errno) {
-#  ifdef EINTR
-                case EINTR:
-#  endif
-#  ifdef EAGAIN
-                case EAGAIN:
-#  endif
-                    /* No error, try again */
-                    break;
-                default:
-                    ret = -1;
-                    goto err;   /* failure */
-                }
-            }
-        }
-        ret += egdbuf[0];
-        bytes -= egdbuf[0];
-        if (!buf)
-            RAND_seed(tempbuf, egdbuf[0]);
-    }
- err:
-    if (fd != -1)
-        close(fd);
-    return (ret);
-}
-
-int RAND_egd_bytes(const char *path, int bytes)
-{
-    int num, ret = -1;
-
-    num = RAND_query_egd_bytes(path, NULL, bytes);
-    if (num < 0)
-        goto err;
-    if (RAND_status() == 1)
-        ret = num;
- err:
-    return (ret);
-}
-
-int RAND_egd(const char *path)
-{
-    return (RAND_egd_bytes(path, 255));
-}
-
-# endif
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_err.c b/Cryptlib/OpenSSL/crypto/rand/rand_err.c
index 55431264..55d86ea8 100644
--- a/Cryptlib/OpenSSL/crypto/rand/rand_err.c
+++ b/Cryptlib/OpenSSL/crypto/rand/rand_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rand/rand_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,18 +70,25 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_RAND,0,reason)
 
 static ERR_STRING_DATA RAND_str_functs[] = {
-    {ERR_FUNC(RAND_F_RAND_BYTES), "RAND_bytes"},
+    {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"},
+    {ERR_FUNC(RAND_F_RAND_INIT_FIPS), "RAND_init_fips"},
+    {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"},
     {0, NULL}
 };
 
 static ERR_STRING_DATA RAND_str_reasons[] = {
+    {ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED), "dual ec drbg disabled"},
+    {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},
+    {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},
+    {ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),
+     "no fips random method set"},
     {ERR_REASON(RAND_R_PRNG_NOT_SEEDED), "PRNG not seeded"},
     {0, NULL}
 };
 
 #endif
 
-int ERR_load_RAND_strings(void)
+void ERR_load_RAND_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -39,5 +97,4 @@ int ERR_load_RAND_strings(void)
         ERR_load_strings(0, RAND_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_lcl.h b/Cryptlib/OpenSSL/crypto/rand/rand_lcl.h
index d98c90e2..f9fda3eb 100644
--- a/Cryptlib/OpenSSL/crypto/rand/rand_lcl.h
+++ b/Cryptlib/OpenSSL/crypto/rand/rand_lcl.h
@@ -1,10 +1,112 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rand/rand_lcl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #ifndef HEADER_RAND_LCL_H
@@ -13,7 +115,17 @@
 # define ENTROPY_NEEDED 32      /* require 256 bits = 32 bytes of randomness */
 
 # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-#  define USE_SHA1_RAND
+#  if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+#   define USE_SHA1_RAND
+#  elif !defined(OPENSSL_NO_MD5)
+#   define USE_MD5_RAND
+#  elif !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
+#   define USE_MDC2_RAND
+#  elif !defined(OPENSSL_NO_MD2)
+#   define USE_MD2_RAND
+#  else
+#   error No message digest algorithm available
+#  endif
 # endif
 
 # include <openssl/evp.h>
@@ -41,6 +153,6 @@
 #  define MD(a,b,c)               EVP_Digest(a,b,c,NULL,EVP_md2(), NULL)
 # endif
 
-void rand_hw_xor(unsigned char *buf, size_t num);
+int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock);
 
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_lib.c b/Cryptlib/OpenSSL/crypto/rand/rand_lib.c
index 23871267..88a78d35 100644
--- a/Cryptlib/OpenSSL/crypto/rand/rand_lib.c
+++ b/Cryptlib/OpenSSL/crypto/rand/rand_lib.c
@@ -1,23 +1,74 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rand/rand_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
-#include <openssl/opensslconf.h>
-#include "internal/rand.h"
+#include "cryptlib.h"
+#include <openssl/rand.h>
 
-#include <openssl/engine.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
 
 #ifdef OPENSSL_FIPS
 # include <openssl/fips.h>
 # include <openssl/fips_rand.h>
+# include "rand_lcl.h"
 #endif
 
 #ifndef OPENSSL_NO_ENGINE
@@ -29,8 +80,10 @@ static const RAND_METHOD *default_RAND_meth = NULL;
 int RAND_set_rand_method(const RAND_METHOD *meth)
 {
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(funct_ref);
-    funct_ref = NULL;
+    if (funct_ref) {
+        ENGINE_finish(funct_ref);
+        funct_ref = NULL;
+    }
 #endif
     default_RAND_meth = meth;
     return 1;
@@ -43,7 +96,7 @@ const RAND_METHOD *RAND_get_rand_method(void)
         ENGINE *e = ENGINE_get_default_RAND();
         if (e) {
             default_RAND_meth = ENGINE_get_RAND(e);
-            if (default_RAND_meth == NULL) {
+            if (!default_RAND_meth) {
                 ENGINE_finish(e);
                 e = NULL;
             }
@@ -52,7 +105,7 @@ const RAND_METHOD *RAND_get_rand_method(void)
             funct_ref = e;
         else
 #endif
-            default_RAND_meth = RAND_OpenSSL();
+            default_RAND_meth = RAND_SSLeay();
     }
     return default_RAND_meth;
 }
@@ -65,7 +118,7 @@ int RAND_set_rand_engine(ENGINE *engine)
         if (!ENGINE_init(engine))
             return 0;
         tmp_meth = ENGINE_get_RAND(engine);
-        if (tmp_meth == NULL) {
+        if (!tmp_meth) {
             ENGINE_finish(engine);
             return 0;
         }
@@ -77,7 +130,7 @@ int RAND_set_rand_engine(ENGINE *engine)
 }
 #endif
 
-void rand_cleanup_int(void)
+void RAND_cleanup(void)
 {
     const RAND_METHOD *meth = RAND_get_rand_method();
     if (meth && meth->cleanup)
@@ -107,7 +160,6 @@ int RAND_bytes(unsigned char *buf, int num)
     return (-1);
 }
 
-#if OPENSSL_API_COMPAT < 0x10100000L
 int RAND_pseudo_bytes(unsigned char *buf, int num)
 {
     const RAND_METHOD *meth = RAND_get_rand_method();
@@ -115,7 +167,6 @@ int RAND_pseudo_bytes(unsigned char *buf, int num)
         return meth->pseudorand(buf, num);
     return (-1);
 }
-#endif
 
 int RAND_status(void)
 {
@@ -124,3 +175,126 @@ int RAND_status(void)
         return meth->status();
     return 0;
 }
+
+#ifdef OPENSSL_FIPS
+
+/*
+ * FIPS DRBG initialisation code. This sets up the DRBG for use by the rest
+ * of OpenSSL.
+ */
+
+/*
+ * Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather
+ * entropy internally through RAND_poll().
+ */
+
+static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
+                               int entropy, size_t min_len, size_t max_len)
+{
+    /* Round up request to multiple of block size */
+    min_len = ((min_len + 19) / 20) * 20;
+    *pout = OPENSSL_malloc(min_len);
+    if (!*pout)
+        return 0;
+    if (ssleay_rand_bytes(*pout, min_len, 0, 0) <= 0) {
+        OPENSSL_free(*pout);
+        *pout = NULL;
+        return 0;
+    }
+    return min_len;
+}
+
+static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
+{
+    if (out) {
+        OPENSSL_cleanse(out, olen);
+        OPENSSL_free(out);
+    }
+}
+
+/*
+ * Set "additional input" when generating random data. This uses the current
+ * PID, a time value and a counter.
+ */
+
+static size_t drbg_get_adin(DRBG_CTX *ctx, unsigned char **pout)
+{
+    /* Use of static variables is OK as this happens under a lock */
+    static unsigned char buf[16];
+    static unsigned long counter;
+    FIPS_get_timevec(buf, &counter);
+    *pout = buf;
+    return sizeof(buf);
+}
+
+/*
+ * RAND_add() and RAND_seed() pass through to OpenSSL PRNG so it is
+ * correctly seeded by RAND_poll().
+ */
+
+static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen,
+                         double entropy)
+{
+    RAND_SSLeay()->add(in, inlen, entropy);
+    return 1;
+}
+
+static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
+{
+    RAND_SSLeay()->seed(in, inlen);
+    return 1;
+}
+
+# ifndef OPENSSL_DRBG_DEFAULT_TYPE
+#  define OPENSSL_DRBG_DEFAULT_TYPE       NID_aes_256_ctr
+# endif
+# ifndef OPENSSL_DRBG_DEFAULT_FLAGS
+#  define OPENSSL_DRBG_DEFAULT_FLAGS      DRBG_FLAG_CTR_USE_DF
+# endif
+
+static int fips_drbg_type = OPENSSL_DRBG_DEFAULT_TYPE;
+static int fips_drbg_flags = OPENSSL_DRBG_DEFAULT_FLAGS;
+
+void RAND_set_fips_drbg_type(int type, int flags)
+{
+    fips_drbg_type = type;
+    fips_drbg_flags = flags;
+}
+
+int RAND_init_fips(void)
+{
+    DRBG_CTX *dctx;
+    size_t plen;
+    unsigned char pers[32], *p;
+# ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
+    if (fips_drbg_type >> 16) {
+        RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
+        return 0;
+    }
+# endif
+
+    dctx = FIPS_get_default_drbg();
+    if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0) {
+        RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INITIALISING_DRBG);
+        return 0;
+    }
+
+    FIPS_drbg_set_callbacks(dctx,
+                            drbg_get_entropy, drbg_free_entropy, 20,
+                            drbg_get_entropy, drbg_free_entropy);
+    FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0,
+                                 drbg_rand_seed, drbg_rand_add);
+    /* Personalisation string: a string followed by date time vector */
+    strcpy((char *)pers, "OpenSSL DRBG2.0");
+    plen = drbg_get_adin(dctx, &p);
+    memcpy(pers + 16, p, plen);
+
+    if (FIPS_drbg_instantiate(dctx, pers, sizeof(pers)) <= 0) {
+        RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INSTANTIATING_DRBG);
+        return 0;
+    }
+    FIPS_rand_set_method(FIPS_drbg_method());
+    return 1;
+}
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_unix.c b/Cryptlib/OpenSSL/crypto/rand/rand_unix.c
index ecba2dc9..11ee152d 100644
--- a/Cryptlib/OpenSSL/crypto/rand/rand_unix.c
+++ b/Cryptlib/OpenSSL/crypto/rand/rand_unix.c
@@ -1,21 +1,122 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rand/rand_unix.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 #include <stdio.h>
 
 #define USE_SOCKETS
 #include "e_os.h"
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI))
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))
 
 # include <sys/types.h>
 # include <sys/time.h>
@@ -143,17 +244,17 @@ int RAND_poll(void)
 {
     unsigned long l;
     pid_t curr_pid = getpid();
-#  if defined(DEVRANDOM) || (!defined(OPENSS_NO_EGD) && defined(DEVRANDOM_EGD))
+#  if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
     unsigned char tmpbuf[ENTROPY_NEEDED];
     int n = 0;
 #  endif
 #  ifdef DEVRANDOM
     static const char *randomfiles[] = { DEVRANDOM };
-    struct stat randomstats[OSSL_NELEM(randomfiles)];
+    struct stat randomstats[sizeof(randomfiles) / sizeof(randomfiles[0])];
     int fd;
     unsigned int i;
 #  endif
-#  if !defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD)
+#  ifdef DEVRANDOM_EGD
     static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
     const char **egdsocket = NULL;
 #  endif
@@ -166,7 +267,8 @@ int RAND_poll(void)
      * out of random entries.
      */
 
-    for (i = 0; (i < OSSL_NELEM(randomfiles)) && (n < ENTROPY_NEEDED); i++) {
+    for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
+         (n < ENTROPY_NEEDED); i++) {
         if ((fd = open(randomfiles[i], O_RDONLY
 #   ifdef O_NONBLOCK
                        | O_NONBLOCK
@@ -205,7 +307,14 @@ int RAND_poll(void)
             do {
                 int try_read = 0;
 
-#   if defined(OPENSSL_SYS_LINUX)
+#   if defined(OPENSSL_SYS_BEOS_R5)
+                /*
+                 * select() is broken in BeOS R5, so we simply try to read
+                 * something and snooze if we couldn't
+                 */
+                try_read = 1;
+
+#   elif defined(OPENSSL_SYS_LINUX)
                 /* use poll() */
                 struct pollfd pset;
 
@@ -249,6 +358,10 @@ int RAND_poll(void)
                              ENTROPY_NEEDED - n);
                     if (r > 0)
                         n += r;
+#   if defined(OPENSSL_SYS_BEOS_R5)
+                    if (r == 0)
+                        snooze(t.tv_usec);
+#   endif
                 } else
                     r = -1;
 
@@ -270,7 +383,7 @@ int RAND_poll(void)
     }
 #  endif                        /* defined(DEVRANDOM) */
 
-#  if !defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD)
+#  ifdef DEVRANDOM_EGD
     /*
      * Use an EGD socket to read entropy from an EGD or PRNGD entropy
      * collecting daemon.
@@ -287,7 +400,7 @@ int RAND_poll(void)
     }
 #  endif                        /* defined(DEVRANDOM_EGD) */
 
-#  if defined(DEVRANDOM) || (!defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD))
+#  if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
     if (n > 0) {
         RAND_add(tmpbuf, sizeof tmpbuf, (double)n);
         OPENSSL_cleanse(tmpbuf, n);
@@ -303,7 +416,15 @@ int RAND_poll(void)
     l = time(NULL);
     RAND_add(&l, sizeof(l), 0.0);
 
-#  if defined(DEVRANDOM) || (!defined(OPENSSL_NO_EGD) && defined(DEVRANDOM_EGD))
+#  if defined(OPENSSL_SYS_BEOS)
+    {
+        system_info sysInfo;
+        get_system_info(&sysInfo);
+        RAND_add(&sysInfo, sizeof(sysInfo), 0);
+    }
+#  endif
+
+#  if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
     return 1;
 #  else
     return 0;
@@ -314,7 +435,9 @@ int RAND_poll(void)
 #endif                          /* !(defined(OPENSSL_SYS_WINDOWS) ||
                                  * defined(OPENSSL_SYS_WIN32) ||
                                  * defined(OPENSSL_SYS_VMS) ||
-                                 * defined(OPENSSL_SYS_VXWORKS) */
+                                 * defined(OPENSSL_SYS_OS2) ||
+                                 * defined(OPENSSL_SYS_VXWORKS) ||
+                                 * defined(OPENSSL_SYS_NETWARE)) */
 
 #if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
 int RAND_poll(void)
diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_vms.c b/Cryptlib/OpenSSL/crypto/rand/rand_vms.c
deleted file mode 100644
index 9c462dd3..00000000
--- a/Cryptlib/OpenSSL/crypto/rand/rand_vms.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Modified by VMS Software, Inc (2016)
- *    Eliminate looping through all processes (performance)
- *    Add additional randomizations using rand() function
- */
-
-#include <openssl/rand.h>
-#include "rand_lcl.h"
-
-#if defined(OPENSSL_SYS_VMS)
-# include <descrip.h>
-# include <jpidef.h>
-# include <ssdef.h>
-# include <starlet.h>
-# include <efndef>
-# ifdef __DECC
-#  pragma message disable DOLLARID
-# endif
-
-/*
- * Use 32-bit pointers almost everywhere.  Define the type to which to cast a
- * pointer passed to an external function.
- */
-# if __INITIAL_POINTER_SIZE == 64
-#  define PTR_T __void_ptr64
-#  pragma pointer_size save
-#  pragma pointer_size 32
-# else                          /* __INITIAL_POINTER_SIZE == 64 */
-#  define PTR_T void *
-# endif                         /* __INITIAL_POINTER_SIZE == 64 [else] */
-
-static struct items_data_st {
-    short length, code;         /* length is number of bytes */
-} items_data[] = {
-    {4, JPI$_BUFIO},
-    {4, JPI$_CPUTIM},
-    {4, JPI$_DIRIO},
-    {4, JPI$_IMAGECOUNT},
-    {8, JPI$_LAST_LOGIN_I},
-    {8, JPI$_LOGINTIM},
-    {4, JPI$_PAGEFLTS},
-    {4, JPI$_PID},
-    {4, JPI$_PPGCNT},
-    {4, JPI$_WSPEAK},
-    {4, JPI$_FINALEXC},
-    {0, 0}                      /* zero terminated */
-};
-
-int RAND_poll(void)
-{
-
-    /* determine the number of items in the JPI array */
-
-    struct items_data_st item_entry;
-    int item_entry_count = sizeof(items_data)/sizeof(item_entry);
-
-    /* Create the JPI itemlist array to hold item_data content */
-
-    struct {
-        short length, code;
-        int *buffer;
-        int *retlen;
-    } item[item_entry_count], *pitem; /* number of entries in items_data */
-
-    struct items_data_st *pitems_data;
-    int data_buffer[(item_entry_count*2)+4]; /* 8 bytes per entry max */
-    int iosb[2];
-    int sys_time[2];
-    int *ptr;
-    int i, j ;
-    int tmp_length   = 0;
-    int total_length = 0;
-
-    pitems_data = items_data;
-    pitem = item;
-
-
-    /* Setup itemlist for GETJPI */
-    while (pitems_data->length) {
-        pitem->length = pitems_data->length;
-        pitem->code   = pitems_data->code;
-        pitem->buffer = &data_buffer[total_length];
-        pitem->retlen = 0;
-        /* total_length is in longwords */
-        total_length += pitems_data->length/4;
-        pitems_data++;
-        pitem ++;
-    }
-    pitem->length = pitem->code = 0;
-
-    /* Fill data_buffer with various info bits from this process */
-    /* and twist that data to seed the SSL random number init    */
-
-    if (sys$getjpiw(EFN$C_ENF, NULL, NULL, item, &iosb, 0, 0) == SS$_NORMAL) {
-        for (i = 0; i < total_length; i++) {
-            sys$gettim((struct _generic_64 *)&sys_time[0]);
-            srand(sys_time[0] * data_buffer[0] * data_buffer[1] + i);
-
-            if (i == (total_length - 1)) { /* for JPI$_FINALEXC */
-                ptr = &data_buffer[i];
-                for (j = 0; j < 4; j++) {
-                    data_buffer[i + j] = ptr[j];
-                    /* OK to use rand() just to scramble the seed */
-                    data_buffer[i + j] ^= (sys_time[0] ^ rand());
-                    tmp_length++;
-                }
-            } else {
-                /* OK to use rand() just to scramble the seed */
-                data_buffer[i] ^= (sys_time[0] ^ rand());
-            }
-        }
-
-        total_length += (tmp_length - 1);
-
-        /* size of seed is total_length*4 bytes (64bytes) */
-        RAND_add((PTR_T) data_buffer, total_length*4, total_length * 2);
-    } else {
-        return 0;
-    }
-
-    return 1;
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/rand/rand_win.c b/Cryptlib/OpenSSL/crypto/rand/rand_win.c
deleted file mode 100644
index 1be0ed3c..00000000
--- a/Cryptlib/OpenSSL/crypto/rand/rand_win.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "internal/cryptlib.h"
-#include <openssl/rand.h>
-#include "rand_lcl.h"
-
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
-# include <windows.h>
-/* On Windows 7 or higher use BCrypt instead of the legacy CryptoAPI */
-# if defined(_MSC_VER) && defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0601
-#  define RAND_WINDOWS_USE_BCRYPT
-# endif
-
-# ifdef RAND_WINDOWS_USE_BCRYPT
-#  include <bcrypt.h>
-#  pragma comment(lib, "bcrypt.lib")
-#  ifndef STATUS_SUCCESS
-#   define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
-#  endif
-# else
-#  include <wincrypt.h>
-/*
- * Intel hardware RNG CSP -- available from
- * http://developer.intel.com/design/security/rng/redist_license.htm
- */
-#  define PROV_INTEL_SEC 22
-#  define INTEL_DEF_PROV L"Intel Hardware Cryptographic Service Provider"
-# endif
-
-static void readtimer(void);
-
-int RAND_poll(void)
-{
-    MEMORYSTATUS mst;
-# ifndef RAND_WINDOWS_USE_BCRYPT
-    HCRYPTPROV hProvider;
-# endif
-    DWORD w;
-    BYTE buf[64];
-
-# ifdef RAND_WINDOWS_USE_BCRYPT
-    if (BCryptGenRandom(NULL, buf, (ULONG)sizeof(buf), BCRYPT_USE_SYSTEM_PREFERRED_RNG) == STATUS_SUCCESS) {
-        RAND_add(buf, sizeof(buf), sizeof(buf));
-    }
-# else
-    /* poll the CryptoAPI PRNG */
-    /* The CryptoAPI returns sizeof(buf) bytes of randomness */
-    if (CryptAcquireContextW(&hProvider, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) {
-        if (CryptGenRandom(hProvider, (DWORD)sizeof(buf), buf) != 0) {
-            RAND_add(buf, sizeof(buf), sizeof(buf));
-        }
-        CryptReleaseContext(hProvider, 0);
-    }
-
-    /* poll the Pentium PRG with CryptoAPI */
-    if (CryptAcquireContextW(&hProvider, NULL, INTEL_DEF_PROV, PROV_INTEL_SEC, CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) {
-        if (CryptGenRandom(hProvider, (DWORD)sizeof(buf), buf) != 0) {
-            RAND_add(buf, sizeof(buf), sizeof(buf));
-        }
-        CryptReleaseContext(hProvider, 0);
-    }
-# endif
-
-    /* timer data */
-    readtimer();
-
-    /* memory usage statistics */
-    GlobalMemoryStatus(&mst);
-    RAND_add(&mst, sizeof(mst), 1);
-
-    /* process ID */
-    w = GetCurrentProcessId();
-    RAND_add(&w, sizeof(w), 1);
-
-    return (1);
-}
-
-#if OPENSSL_API_COMPAT < 0x10100000L
-int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam)
-{
-    RAND_poll();
-    return RAND_status();
-}
-
-void RAND_screen(void)
-{
-    RAND_poll();
-}
-#endif
-
-/* feed timing information to the PRNG */
-static void readtimer(void)
-{
-    DWORD w;
-    LARGE_INTEGER l;
-    static int have_perfc = 1;
-# if defined(_MSC_VER) && defined(_M_X86)
-    static int have_tsc = 1;
-    DWORD cyclecount;
-
-    if (have_tsc) {
-        __try {
-            __asm {
-            _emit 0x0f _emit 0x31 mov cyclecount, eax}
-            RAND_add(&cyclecount, sizeof(cyclecount), 1);
-        }
-        __except(EXCEPTION_EXECUTE_HANDLER) {
-            have_tsc = 0;
-        }
-    }
-# else
-#  define have_tsc 0
-# endif
-
-    if (have_perfc) {
-        if (QueryPerformanceCounter(&l) == 0)
-            have_perfc = 0;
-        else
-            RAND_add(&l, sizeof(l), 0);
-    }
-
-    if (!have_tsc && !have_perfc) {
-        w = GetTickCount();
-        RAND_add(&w, sizeof(w), 0);
-    }
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/rand/randfile.c b/Cryptlib/OpenSSL/crypto/rand/randfile.c
index 15fa9dce..728fd0a7 100644
--- a/Cryptlib/OpenSSL/crypto/rand/randfile.c
+++ b/Cryptlib/OpenSSL/crypto/rand/randfile.c
@@ -1,19 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rand/randfile.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
-
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
+#include "e_os.h"
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/buffer.h>
@@ -57,52 +105,23 @@
 # define chmod   _chmod
 # define open    _open
 # define fdopen  _fdopen
-# define fstat   _fstat
-# define fileno  _fileno
 #endif
 
 #undef BUFSIZE
 #define BUFSIZE 1024
 #define RAND_DATA 1024
 
-#ifdef OPENSSL_SYS_VMS
-/*
- * Misc hacks needed for specific cases.
- *
- * __FILE_ptr32 is a type provided by DEC C headers (types.h specifically)
- * to make sure the FILE* is a 32-bit pointer no matter what.  We know that
- * stdio function return this type (a study of stdio.h proves it).
- * Additionally, we create a similar char pointer type for the sake of
- * vms_setbuf below.
- */
-# if __INITIAL_POINTER_SIZE == 64
-#  pragma pointer_size save
-#  pragma pointer_size 32
-typedef char *char_ptr32;
-#  pragma pointer_size restore
-/*
- * On VMS, setbuf() will only take 32-bit pointers, and a compilation
- * with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here.
- * Since we know that the FILE* really is a 32-bit pointer expanded to
- * 64 bits, we also know it's safe to convert it back to a 32-bit pointer.
- * As for the buffer parameter, we only use NULL here, so that passes as
- * well...
- */
-#  define setbuf(fp,buf) (setbuf)((__FILE_ptr32)(fp), (char_ptr32)(buf))
-# endif
-
+#if (defined(OPENSSL_SYS_VMS) && (defined(__alpha) || defined(__ia64)))
 /*
  * This declaration is a nasty hack to get around vms' extension to fopen for
- * passing in sharing options being disabled by /STANDARD=ANSI89
+ * passing in sharing options being disabled by our /STANDARD=ANSI89
  */
-static __FILE_ptr32 (*const vms_fopen)(const char *, const char *, ...) =
-      (__FILE_ptr32 (*)(const char *, const char *, ...))fopen;
+static FILE *(*const vms_fopen)(const char *, const char *, ...) =
+    (FILE *(*)(const char *, const char *, ...))fopen;
 # define VMS_OPEN_ATTRS "shr=get,put,upd,del","ctx=bin,stm","rfm=stm","rat=none","mrs=0"
-
-# define openssl_fopen(fname,mode) vms_fopen((fname), (mode), VMS_OPEN_ATTRS)
 #endif
 
-#define RFILE ".rnd"
+/* #define RFILE ".rnd" - defined in ../../e_os.h */
 
 /*
  * Note that these functions are intended for seed files only. Entropy
@@ -116,24 +135,35 @@ int RAND_load_file(const char *file, long bytes)
      * if bytes == -1, read complete file.
      */
 
-    unsigned char buf[BUFSIZE];
+    MS_STATIC unsigned char buf[BUFSIZE];
 #ifndef OPENSSL_NO_POSIX_IO
     struct stat sb;
 #endif
     int i, ret = 0, n;
-    FILE *in = NULL;
+/*
+ * If setvbuf() is to be called, then the FILE pointer
+ * to it must be 32 bit.
+*/
+
+#if !defined OPENSSL_NO_SETVBUF_IONBF && defined(OPENSSL_SYS_VMS) && defined(__VMS_VER) && (__VMS_VER >= 70000000)
+    /* For 64-bit-->32 bit API Support*/
+#if __INITIAL_POINTER_SIZE == 64
+#pragma __required_pointer_size __save
+#pragma __required_pointer_size 32
+#endif
+    FILE *in; /* setvbuf() requires 32-bit pointers */
+#if __INITIAL_POINTER_SIZE == 64
+#pragma __required_pointer_size __restore
+#endif
+#else
+    FILE *in;
+#endif /* OPENSSL_SYS_VMS */
 
     if (file == NULL)
-        return 0;
-
-    if (bytes == 0)
-        return ret;
-
-    in = openssl_fopen(file, "rb");
-    if (in == NULL)
-        goto err;
+        return (0);
 
 #ifndef OPENSSL_NO_POSIX_IO
+# ifdef PURIFY
     /*
      * struct stat can have padding and unused fields that may not be
      * initialized in the call to stat(). We need to clear the entire
@@ -141,11 +171,22 @@ int RAND_load_file(const char *file, long bytes)
      * applications such as Valgrind.
      */
     memset(&sb, 0, sizeof(sb));
-    if (fstat(fileno(in), &sb) < 0)
-        goto err;
+# endif
+    if (stat(file, &sb) < 0)
+        return (0);
     RAND_add(&sb, sizeof(sb), 0.0);
+#endif
+    if (bytes == 0)
+        return (ret);
 
-# if defined(S_ISBLK) && defined(S_ISCHR)
+#ifdef OPENSSL_SYS_VMS
+    in = vms_fopen(file, "rb", VMS_OPEN_ATTRS);
+#else
+    in = fopen(file, "rb");
+#endif
+    if (in == NULL)
+        goto err;
+#if defined(S_ISBLK) && defined(S_ISCHR) && !defined(OPENSSL_NO_POSIX_IO)
     if (S_ISBLK(sb.st_mode) || S_ISCHR(sb.st_mode)) {
         /*
          * this file is a device. we don't want read an infinite number of
@@ -153,9 +194,10 @@ int RAND_load_file(const char *file, long bytes)
          * because we will waste system entropy.
          */
         bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */
-        setbuf(in, NULL); /* don't do buffered reads */
+# ifndef OPENSSL_NO_SETVBUF_IONBF
+        setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */
+# endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
     }
-# endif
 #endif
     for (;;) {
         if (bytes > 0)
@@ -165,8 +207,12 @@ int RAND_load_file(const char *file, long bytes)
         i = fread(buf, 1, n, in);
         if (i <= 0)
             break;
-
+#ifdef PURIFY
         RAND_add(buf, i, (double)i);
+#else
+        /* even if n != i, use the full array */
+        RAND_add(buf, n, (double)i);
+#endif
         ret += i;
         if (bytes > 0) {
             bytes -= n;
@@ -174,11 +220,10 @@ int RAND_load_file(const char *file, long bytes)
                 break;
         }
     }
+    fclose(in);
     OPENSSL_cleanse(buf, BUFSIZE);
  err:
-    if (in != NULL)
-        fclose(in);
-    return ret;
+    return (ret);
 }
 
 int RAND_write_file(const char *file)
@@ -190,15 +235,9 @@ int RAND_write_file(const char *file)
 #ifndef OPENSSL_NO_POSIX_IO
     struct stat sb;
 
-# if defined(S_ISBLK) && defined(S_ISCHR)
-# ifdef _WIN32
-    /*
-     * Check for |file| being a driver as "ASCII-safe" on Windows,
-     * because driver paths are always ASCII.
-     */
-# endif
     i = stat(file, &sb);
     if (i != -1) {
+# if defined(S_ISBLK) && defined(S_ISCHR)
         if (S_ISBLK(sb.st_mode) || S_ISCHR(sb.st_mode)) {
             /*
              * this file is a device. we don't write back to it. we
@@ -206,14 +245,13 @@ int RAND_write_file(const char *file)
              * device. Otherwise attempting to write to and chmod the device
              * causes problems.
              */
-            return 1;
+            return (1);
         }
-    }
 # endif
+    }
 #endif
 
-#if defined(O_CREAT) && !defined(OPENSSL_NO_POSIX_IO) && \
-    !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS)
+#if defined(O_CREAT) && !defined(OPENSSL_NO_POSIX_IO) && !defined(OPENSSL_SYS_VMS)
     {
 # ifndef O_BINARY
 #  define O_BINARY 0
@@ -228,7 +266,7 @@ int RAND_write_file(const char *file)
     }
 #endif
 
-#ifdef OPENSSL_SYS_VMS
+#if (defined(OPENSSL_SYS_VMS) && (defined(__alpha) || defined(__ia64)))
     /*
      * VMS NOTE: Prior versions of this routine created a _new_ version of
      * the rand file for each call into this routine, then deleted all
@@ -247,14 +285,17 @@ int RAND_write_file(const char *file)
      * rand file in a concurrent use situation.
      */
 
-    out = openssl_fopen(file, "rb+");
-#endif
+    out = vms_fopen(file, "rb+", VMS_OPEN_ATTRS);
     if (out == NULL)
-        out = openssl_fopen(file, "wb");
+        out = vms_fopen(file, "wb", VMS_OPEN_ATTRS);
+#else
+    if (out == NULL)
+        out = fopen(file, "wb");
+#endif
     if (out == NULL)
         goto err;
 
-#if !defined(NO_CHMOD) && !defined(OPENSSL_NO_POSIX_IO)
+#ifndef NO_CHMOD
     chmod(file, 0600);
 #endif
     n = RAND_DATA;
@@ -282,70 +323,31 @@ int RAND_write_file(const char *file)
 const char *RAND_file_name(char *buf, size_t size)
 {
     char *s = NULL;
-    int use_randfile = 1;
 #ifdef __OpenBSD__
     struct stat sb;
 #endif
 
-#if defined(_WIN32) && defined(CP_UTF8)
-    DWORD len;
-    WCHAR *var, *val;
-
-    if ((var = L"RANDFILE",
-         len = GetEnvironmentVariableW(var, NULL, 0)) == 0
-        && (var = L"HOME", use_randfile = 0,
-            len = GetEnvironmentVariableW(var, NULL, 0)) == 0
-        && (var = L"USERPROFILE",
-            len = GetEnvironmentVariableW(var, NULL, 0)) == 0) {
-        var = L"SYSTEMROOT",
-        len = GetEnvironmentVariableW(var, NULL, 0);
-    }
-
-    if (len != 0) {
-        int sz;
-
-        val = _alloca(len * sizeof(WCHAR));
-
-        if (GetEnvironmentVariableW(var, val, len) < len
-            && (sz = WideCharToMultiByte(CP_UTF8, 0, val, -1, NULL, 0,
-                                         NULL, NULL)) != 0) {
-            s = _alloca(sz);
-            if (WideCharToMultiByte(CP_UTF8, 0, val, -1, s, sz,
-                                    NULL, NULL) == 0)
-                s = NULL;
-        }
-    }
-#else
-    if (OPENSSL_issetugid() != 0) {
-        use_randfile = 0;
-    } else {
+    if (OPENSSL_issetugid() == 0)
         s = getenv("RANDFILE");
-        if (s == NULL || *s == '\0') {
-            use_randfile = 0;
+    if (s != NULL && *s && strlen(s) + 1 < size) {
+        if (BUF_strlcpy(buf, s, size) >= size)
+            return NULL;
+    } else {
+        if (OPENSSL_issetugid() == 0)
             s = getenv("HOME");
-        }
-    }
-#endif
 #ifdef DEFAULT_HOME
-    if (!use_randfile && s == NULL) {
-        s = DEFAULT_HOME;
-    }
+        if (s == NULL) {
+            s = DEFAULT_HOME;
+        }
 #endif
-    if (s != NULL && *s) {
-        size_t len = strlen(s);
-
-        if (use_randfile && len + 1 < size) {
-            if (OPENSSL_strlcpy(buf, s, size) >= size)
-                return NULL;
-        } else if (len + strlen(RFILE) + 2 < size) {
-            OPENSSL_strlcpy(buf, s, size);
+        if (s && *s && strlen(s) + strlen(RFILE) + 2 < size) {
+            BUF_strlcpy(buf, s, size);
 #ifndef OPENSSL_SYS_VMS
-            OPENSSL_strlcat(buf, "/", size);
+            BUF_strlcat(buf, "/", size);
 #endif
-            OPENSSL_strlcat(buf, RFILE, size);
-        }
-    } else {
-        buf[0] = '\0';      /* no file name */
+            BUF_strlcat(buf, RFILE, size);
+        } else
+            buf[0] = '\0';      /* no file name */
     }
 
 #ifdef __OpenBSD__
@@ -357,10 +359,14 @@ const char *RAND_file_name(char *buf, size_t size)
      * available.
      */
 
-    if (!buf[0] || stat(buf, &sb) == -1)
-        if (OPENSSL_strlcpy(buf, "/dev/arandom", size) >= size) {
-            return NULL;
+    if (!buf[0])
+        if (BUF_strlcpy(buf, "/dev/arandom", size) >= size) {
+            return (NULL);
+        }
+    if (stat(buf, &sb) == -1)
+        if (BUF_strlcpy(buf, "/dev/arandom", size) >= size) {
+            return (NULL);
         }
 #endif
-    return buf[0] ? buf : NULL;
+    return (buf);
 }
diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c
index be11bade..0f0a2487 100644
--- a/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c
+++ b/Cryptlib/OpenSSL/crypto/rc4/rc4_enc.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rc4/rc4_enc.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <openssl/rc4.h>
@@ -30,6 +79,197 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
     y = key->y;
     d = key->data;
 
+#if defined(RC4_CHUNK) && !defined(PEDANTIC)
+    /*-
+     * The original reason for implementing this(*) was the fact that
+     * pre-21164a Alpha CPUs don't have byte load/store instructions
+     * and e.g. a byte store has to be done with 64-bit load, shift,
+     * and, or and finally 64-bit store. Peaking data and operating
+     * at natural word size made it possible to reduce amount of
+     * instructions as well as to perform early read-ahead without
+     * suffering from RAW (read-after-write) hazard. This resulted
+     * in ~40%(**) performance improvement on 21064 box with gcc.
+     * But it's not only Alpha users who win here:-) Thanks to the
+     * early-n-wide read-ahead this implementation also exhibits
+     * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
+     * on sizeof(RC4_INT)).
+     *
+     * (*)  "this" means code which recognizes the case when input
+     *      and output pointers appear to be aligned at natural CPU
+     *      word boundary
+     * (**) i.e. according to 'apps/openssl speed rc4' benchmark,
+     *      crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
+     *
+     * Cavets.
+     *
+     * - RC4_CHUNK="unsigned long long" should be a #1 choice for
+     *   UltraSPARC. Unfortunately gcc generates very slow code
+     *   (2.5-3 times slower than one generated by Sun's WorkShop
+     *   C) and therefore gcc (at least 2.95 and earlier) should
+     *   always be told that RC4_CHUNK="unsigned long".
+     *
+     *                                      <appro@fy.chalmers.se>
+     */
+
+# define RC4_STEP       ( \
+                        x=(x+1) &0xff,  \
+                        tx=d[x],        \
+                        y=(tx+y)&0xff,  \
+                        ty=d[y],        \
+                        d[y]=tx,        \
+                        d[x]=ty,        \
+                        (RC4_CHUNK)d[(tx+ty)&0xff]\
+                        )
+
+    if ((((size_t)indata & (sizeof(RC4_CHUNK) - 1)) |
+         ((size_t)outdata & (sizeof(RC4_CHUNK) - 1))) == 0) {
+        RC4_CHUNK ichunk, otp;
+        const union {
+            long one;
+            char little;
+        } is_endian = {
+            1
+        };
+
+        /*-
+         * I reckon we can afford to implement both endian
+         * cases and to decide which way to take at run-time
+         * because the machine code appears to be very compact
+         * and redundant 1-2KB is perfectly tolerable (i.e.
+         * in case the compiler fails to eliminate it:-). By
+         * suggestion from Terrel Larson <terr@terralogic.net>
+         * who also stands for the is_endian union:-)
+         *
+         * Special notes.
+         *
+         * - is_endian is declared automatic as doing otherwise
+         *   (declaring static) prevents gcc from eliminating
+         *   the redundant code;
+         * - compilers (those I've tried) don't seem to have
+         *   problems eliminating either the operators guarded
+         *   by "if (sizeof(RC4_CHUNK)==8)" or the condition
+         *   expressions themselves so I've got 'em to replace
+         *   corresponding #ifdefs from the previous version;
+         * - I chose to let the redundant switch cases when
+         *   sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
+         *   before);
+         * - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
+         *   [LB]ESHFT guards against "shift is out of range"
+         *   warnings when sizeof(RC4_CHUNK)!=8
+         *
+         *                      <appro@fy.chalmers.se>
+         */
+        if (!is_endian.little) { /* BIG-ENDIAN CASE */
+# define BESHFT(c)      (((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
+            for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {
+                ichunk = *(RC4_CHUNK *) indata;
+                otp = RC4_STEP << BESHFT(0);
+                otp |= RC4_STEP << BESHFT(1);
+                otp |= RC4_STEP << BESHFT(2);
+                otp |= RC4_STEP << BESHFT(3);
+                if (sizeof(RC4_CHUNK) == 8) {
+                    otp |= RC4_STEP << BESHFT(4);
+                    otp |= RC4_STEP << BESHFT(5);
+                    otp |= RC4_STEP << BESHFT(6);
+                    otp |= RC4_STEP << BESHFT(7);
+                }
+                *(RC4_CHUNK *) outdata = otp ^ ichunk;
+                indata += sizeof(RC4_CHUNK);
+                outdata += sizeof(RC4_CHUNK);
+            }
+            if (len) {
+                RC4_CHUNK mask = (RC4_CHUNK) - 1, ochunk;
+
+                ichunk = *(RC4_CHUNK *) indata;
+                ochunk = *(RC4_CHUNK *) outdata;
+                otp = 0;
+                i = BESHFT(0);
+                mask <<= (sizeof(RC4_CHUNK) - len) << 3;
+                switch (len & (sizeof(RC4_CHUNK) - 1)) {
+                case 7:
+                    otp = RC4_STEP << i, i -= 8;
+                case 6:
+                    otp |= RC4_STEP << i, i -= 8;
+                case 5:
+                    otp |= RC4_STEP << i, i -= 8;
+                case 4:
+                    otp |= RC4_STEP << i, i -= 8;
+                case 3:
+                    otp |= RC4_STEP << i, i -= 8;
+                case 2:
+                    otp |= RC4_STEP << i, i -= 8;
+                case 1:
+                    otp |= RC4_STEP << i, i -= 8;
+                case 0:;       /*
+                                 * it's never the case,
+                                 * but it has to be here
+                                 * for ultrix?
+                                 */
+                }
+                ochunk &= ~mask;
+                ochunk |= (otp ^ ichunk) & mask;
+                *(RC4_CHUNK *) outdata = ochunk;
+            }
+            key->x = x;
+            key->y = y;
+            return;
+        } else {                /* LITTLE-ENDIAN CASE */
+# define LESHFT(c)      (((c)*8)&(sizeof(RC4_CHUNK)*8-1))
+            for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {
+                ichunk = *(RC4_CHUNK *) indata;
+                otp = RC4_STEP;
+                otp |= RC4_STEP << 8;
+                otp |= RC4_STEP << 16;
+                otp |= RC4_STEP << 24;
+                if (sizeof(RC4_CHUNK) == 8) {
+                    otp |= RC4_STEP << LESHFT(4);
+                    otp |= RC4_STEP << LESHFT(5);
+                    otp |= RC4_STEP << LESHFT(6);
+                    otp |= RC4_STEP << LESHFT(7);
+                }
+                *(RC4_CHUNK *) outdata = otp ^ ichunk;
+                indata += sizeof(RC4_CHUNK);
+                outdata += sizeof(RC4_CHUNK);
+            }
+            if (len) {
+                RC4_CHUNK mask = (RC4_CHUNK) - 1, ochunk;
+
+                ichunk = *(RC4_CHUNK *) indata;
+                ochunk = *(RC4_CHUNK *) outdata;
+                otp = 0;
+                i = 0;
+                mask >>= (sizeof(RC4_CHUNK) - len) << 3;
+                switch (len & (sizeof(RC4_CHUNK) - 1)) {
+                case 7:
+                    otp = RC4_STEP, i += 8;
+                case 6:
+                    otp |= RC4_STEP << i, i += 8;
+                case 5:
+                    otp |= RC4_STEP << i, i += 8;
+                case 4:
+                    otp |= RC4_STEP << i, i += 8;
+                case 3:
+                    otp |= RC4_STEP << i, i += 8;
+                case 2:
+                    otp |= RC4_STEP << i, i += 8;
+                case 1:
+                    otp |= RC4_STEP << i, i += 8;
+                case 0:;       /*
+                                 * it's never the case,
+                                 * but it has to be here
+                                 * for ultrix?
+                                 */
+                }
+                ochunk &= ~mask;
+                ochunk |= (otp ^ ichunk) & mask;
+                *(RC4_CHUNK *) outdata = ochunk;
+            }
+            key->x = x;
+            key->y = y;
+            return;
+        }
+    }
+#endif
 #define LOOP(in,out) \
                 x=((x+1)&0xff); \
                 tx=d[x]; \
@@ -38,19 +278,27 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
                 d[y]=tx; \
                 (out) = d[(tx+ty)&0xff]^ (in);
 
+#ifndef RC4_INDEX
+# define RC4_LOOP(a,b,i) LOOP(*((a)++),*((b)++))
+#else
+# define RC4_LOOP(a,b,i) LOOP(a[i],b[i])
+#endif
+
     i = len >> 3;
     if (i) {
         for (;;) {
-            LOOP(indata[0], outdata[0]);
-            LOOP(indata[1], outdata[1]);
-            LOOP(indata[2], outdata[2]);
-            LOOP(indata[3], outdata[3]);
-            LOOP(indata[4], outdata[4]);
-            LOOP(indata[5], outdata[5]);
-            LOOP(indata[6], outdata[6]);
-            LOOP(indata[7], outdata[7]);
+            RC4_LOOP(indata, outdata, 0);
+            RC4_LOOP(indata, outdata, 1);
+            RC4_LOOP(indata, outdata, 2);
+            RC4_LOOP(indata, outdata, 3);
+            RC4_LOOP(indata, outdata, 4);
+            RC4_LOOP(indata, outdata, 5);
+            RC4_LOOP(indata, outdata, 6);
+            RC4_LOOP(indata, outdata, 7);
+#ifdef RC4_INDEX
             indata += 8;
             outdata += 8;
+#endif
             if (--i == 0)
                 break;
         }
@@ -58,25 +306,25 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
     i = len & 0x07;
     if (i) {
         for (;;) {
-            LOOP(indata[0], outdata[0]);
+            RC4_LOOP(indata, outdata, 0);
             if (--i == 0)
                 break;
-            LOOP(indata[1], outdata[1]);
+            RC4_LOOP(indata, outdata, 1);
             if (--i == 0)
                 break;
-            LOOP(indata[2], outdata[2]);
+            RC4_LOOP(indata, outdata, 2);
             if (--i == 0)
                 break;
-            LOOP(indata[3], outdata[3]);
+            RC4_LOOP(indata, outdata, 3);
             if (--i == 0)
                 break;
-            LOOP(indata[4], outdata[4]);
+            RC4_LOOP(indata, outdata, 4);
             if (--i == 0)
                 break;
-            LOOP(indata[5], outdata[5]);
+            RC4_LOOP(indata, outdata, 5);
             if (--i == 0)
                 break;
-            LOOP(indata[6], outdata[6]);
+            RC4_LOOP(indata, outdata, 6);
             if (--i == 0)
                 break;
         }
diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_locl.h b/Cryptlib/OpenSSL/crypto/rc4/rc4_locl.h
index 4380addb..faf8742f 100644
--- a/Cryptlib/OpenSSL/crypto/rc4/rc4_locl.h
+++ b/Cryptlib/OpenSSL/crypto/rc4/rc4_locl.h
@@ -1,16 +1,5 @@
-/*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
 #ifndef HEADER_RC4_LOCL_H
 # define HEADER_RC4_LOCL_H
-
 # include <openssl/opensslconf.h>
-# include "internal/cryptlib.h"
-
+# include <cryptlib.h>
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c
index 16f81a4d..06890d16 100644
--- a/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c
+++ b/Cryptlib/OpenSSL/crypto/rc4/rc4_skey.c
@@ -1,22 +1,80 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rc4/rc4_skey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <openssl/rc4.h>
 #include "rc4_locl.h"
 #include <openssl/opensslv.h>
 
+const char RC4_version[] = "RC4" OPENSSL_VERSION_PTEXT;
+
 const char *RC4_options(void)
 {
+#ifdef RC4_INDEX
+    if (sizeof(RC4_INT) == 1)
+        return ("rc4(idx,char)");
+    else
+        return ("rc4(idx,int)");
+#else
     if (sizeof(RC4_INT) == 1)
-        return ("rc4(char)");
+        return ("rc4(ptr,char)");
     else
-        return ("rc4(int)");
+        return ("rc4(ptr,int)");
+#endif
 }
 
 /*-
@@ -28,7 +86,7 @@ const char *RC4_options(void)
  * Date: Wed, 14 Sep 1994 06:35:31 GMT
  */
 
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
 {
     register RC4_INT tmp;
     register int id1, id2;
diff --git a/Cryptlib/OpenSSL/crypto/rc4/rc4_utl.c b/Cryptlib/OpenSSL/crypto/rc4/rc4_utl.c
new file mode 100644
index 00000000..cbd4a24e
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/rc4/rc4_utl.c
@@ -0,0 +1,62 @@
+/* crypto/rc4/rc4_utl.c */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+#include <openssl/rc4.h>
+
+void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+{
+#ifdef OPENSSL_FIPS
+    fips_cipher_abort(RC4);
+#endif
+    private_RC4_set_key(key, len, data);
+}
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c
index 5694140a..ddead3d7 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_ameth.c
@@ -1,21 +1,72 @@
+/* crypto/rsa/rsa_ameth.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#include <openssl/rsa.h>
 #include <openssl/bn.h>
-#include <openssl/cms.h>
-#include "internal/asn1_int.h"
-#include "internal/evp_int.h"
-#include "rsa_locl.h"
+#ifndef OPENSSL_NO_CMS
+# include <openssl/cms.h>
+#endif
+#include "asn1_locl.h"
 
 #ifndef OPENSSL_NO_CMS
 static int rsa_cms_sign(CMS_SignerInfo *si);
@@ -44,10 +95,9 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
     const unsigned char *p;
     int pklen;
     RSA *rsa = NULL;
-
     if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey))
         return 0;
-    if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
+    if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) {
         RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
         return 0;
     }
@@ -67,8 +117,7 @@ static int old_rsa_priv_decode(EVP_PKEY *pkey,
                                const unsigned char **pder, int derlen)
 {
     RSA *rsa;
-
-    if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
+    if (!(rsa = d2i_RSAPrivateKey(NULL, pder, derlen))) {
         RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
         return 0;
     }
@@ -101,7 +150,7 @@ static int rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
     return 1;
 }
 
-static int rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
+static int rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 {
     const unsigned char *p;
     int pklen;
@@ -120,21 +169,45 @@ static int rsa_bits(const EVP_PKEY *pkey)
     return BN_num_bits(pkey->pkey.rsa->n);
 }
 
-static int rsa_security_bits(const EVP_PKEY *pkey)
+static void int_rsa_free(EVP_PKEY *pkey)
 {
-    return RSA_security_bits(pkey->pkey.rsa);
+    RSA_free(pkey->pkey.rsa);
 }
 
-static void int_rsa_free(EVP_PKEY *pkey)
+static void update_buflen(const BIGNUM *b, size_t *pbuflen)
 {
-    RSA_free(pkey->pkey.rsa);
+    size_t i;
+    if (!b)
+        return;
+    if (*pbuflen < (i = (size_t)BN_num_bytes(b)))
+        *pbuflen = i;
 }
 
 static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
 {
     char *str;
     const char *s;
+    unsigned char *m = NULL;
     int ret = 0, mod_len = 0;
+    size_t buf_len = 0;
+
+    update_buflen(x->n, &buf_len);
+    update_buflen(x->e, &buf_len);
+
+    if (priv) {
+        update_buflen(x->d, &buf_len);
+        update_buflen(x->p, &buf_len);
+        update_buflen(x->q, &buf_len);
+        update_buflen(x->dmp1, &buf_len);
+        update_buflen(x->dmq1, &buf_len);
+        update_buflen(x->iqmp, &buf_len);
+    }
+
+    m = (unsigned char *)OPENSSL_malloc(buf_len + 10);
+    if (m == NULL) {
+        RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
 
     if (x->n != NULL)
         mod_len = BN_num_bits(x->n);
@@ -143,36 +216,40 @@ static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv)
         goto err;
 
     if (priv && x->d) {
-        if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0)
+        if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len)
+            <= 0)
             goto err;
         str = "modulus:";
         s = "publicExponent:";
     } else {
-        if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0)
+        if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len)
+            <= 0)
             goto err;
         str = "Modulus:";
         s = "Exponent:";
     }
-    if (!ASN1_bn_print(bp, str, x->n, NULL, off))
+    if (!ASN1_bn_print(bp, str, x->n, m, off))
         goto err;
-    if (!ASN1_bn_print(bp, s, x->e, NULL, off))
+    if (!ASN1_bn_print(bp, s, x->e, m, off))
         goto err;
     if (priv) {
-        if (!ASN1_bn_print(bp, "privateExponent:", x->d, NULL, off))
+        if (!ASN1_bn_print(bp, "privateExponent:", x->d, m, off))
             goto err;
-        if (!ASN1_bn_print(bp, "prime1:", x->p, NULL, off))
+        if (!ASN1_bn_print(bp, "prime1:", x->p, m, off))
             goto err;
-        if (!ASN1_bn_print(bp, "prime2:", x->q, NULL, off))
+        if (!ASN1_bn_print(bp, "prime2:", x->q, m, off))
             goto err;
-        if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, NULL, off))
+        if (!ASN1_bn_print(bp, "exponent1:", x->dmp1, m, off))
             goto err;
-        if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, NULL, off))
+        if (!ASN1_bn_print(bp, "exponent2:", x->dmq1, m, off))
             goto err;
-        if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, NULL, off))
+        if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off))
             goto err;
     }
     ret = 1;
  err:
+    if (m != NULL)
+        OPENSSL_free(m);
     return (ret);
 }
 
@@ -191,23 +268,34 @@ static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
 /* Given an MGF1 Algorithm ID decode to an Algorithm Identifier */
 static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
 {
-    if (alg == NULL)
+    const unsigned char *p;
+    int plen;
+    if (alg == NULL || alg->parameter == NULL)
         return NULL;
     if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
         return NULL;
-    return ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(X509_ALGOR),
-                                     alg->parameter);
+    if (alg->parameter->type != V_ASN1_SEQUENCE)
+        return NULL;
+
+    p = alg->parameter->value.sequence->data;
+    plen = alg->parameter->value.sequence->length;
+    return d2i_X509_ALGOR(NULL, &p, plen);
 }
 
 static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
                                       X509_ALGOR **pmaskHash)
 {
+    const unsigned char *p;
+    int plen;
     RSA_PSS_PARAMS *pss;
 
     *pmaskHash = NULL;
 
-    pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_PSS_PARAMS),
-                                    alg->parameter);
+    if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
+        return NULL;
+    p = alg->parameter->value.sequence->data;
+    plen = alg->parameter->value.sequence->length;
+    pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen);
 
     if (!pss)
         return NULL;
@@ -299,8 +387,10 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
         X509_ALGOR *maskHash;
         pss = rsa_pss_decode(sigalg, &maskHash);
         rv = rsa_pss_param_print(bp, pss, maskHash, indent);
-        RSA_PSS_PARAMS_free(pss);
-        X509_ALGOR_free(maskHash);
+        if (pss)
+            RSA_PSS_PARAMS_free(pss);
+        if (maskHash)
+            X509_ALGOR_free(maskHash);
         if (!rv)
             return 0;
     } else if (!sig && BIO_puts(bp, "\n") <= 0)
@@ -366,7 +456,7 @@ static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md)
     if (EVP_MD_type(md) == NID_sha1)
         return 1;
     *palg = X509_ALGOR_new();
-    if (*palg == NULL)
+    if (!*palg)
         return 0;
     X509_ALGOR_set_md(*palg, md);
     return 1;
@@ -386,13 +476,15 @@ static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
     if (!ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp))
          goto err;
     *palg = X509_ALGOR_new();
-    if (*palg == NULL)
+    if (!*palg)
         goto err;
     X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
     stmp = NULL;
  err:
-    ASN1_STRING_free(stmp);
-    X509_ALGOR_free(algtmp);
+    if (stmp)
+        ASN1_STRING_free(stmp);
+    if (algtmp)
+        X509_ALGOR_free(algtmp);
     if (*palg)
         return 1;
     return 0;
@@ -459,11 +551,11 @@ static ASN1_STRING *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
             saltlen--;
     }
     pss = RSA_PSS_PARAMS_new();
-    if (pss == NULL)
+    if (!pss)
         goto err;
     if (saltlen != 20) {
         pss->saltLength = ASN1_INTEGER_new();
-        if (pss->saltLength == NULL)
+        if (!pss->saltLength)
             goto err;
         if (!ASN1_INTEGER_set(pss->saltLength, saltlen))
             goto err;
@@ -477,16 +569,18 @@ static ASN1_STRING *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
          goto err;
     rv = 1;
  err:
-    RSA_PSS_PARAMS_free(pss);
+    if (pss)
+        RSA_PSS_PARAMS_free(pss);
     if (rv)
         return os;
-    ASN1_STRING_free(os);
+    if (os)
+        ASN1_STRING_free(os);
     return NULL;
 }
 
 /*
  * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL
- * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are
+ * then the EVP_MD_CTX is setup and initalised. If it is NULL parameters are
  * passed to pkctx instead.
  */
 
@@ -568,7 +662,8 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
 
  err:
     RSA_PSS_PARAMS_free(pss);
-    X509_ALGOR_free(maskHash);
+    if (maskHash)
+        X509_ALGOR_free(maskHash);
     return rv;
 }
 
@@ -646,7 +741,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
                          ASN1_BIT_STRING *sig)
 {
     int pad_mode;
-    EVP_PKEY_CTX *pkctx = EVP_MD_CTX_pkey_ctx(ctx);
+    EVP_PKEY_CTX *pkctx = ctx->pctx;
     if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
         return 0;
     if (pad_mode == RSA_PKCS1_PADDING)
@@ -677,12 +772,17 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
 static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
                                         X509_ALGOR **pmaskHash)
 {
+    const unsigned char *p;
+    int plen;
     RSA_OAEP_PARAMS *pss;
 
     *pmaskHash = NULL;
 
-    pss = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS),
-                                    alg->parameter);
+    if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE)
+        return NULL;
+    p = alg->parameter->value.sequence->data;
+    plen = alg->parameter->value.sequence->length;
+    pss = d2i_RSA_OAEP_PARAMS(NULL, &p, plen);
 
     if (!pss)
         return NULL;
@@ -760,7 +860,8 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
 
  err:
     RSA_OAEP_PARAMS_free(oaep);
-    X509_ALGOR_free(maskHash);
+    if (maskHash)
+        X509_ALGOR_free(maskHash);
     return rv;
 }
 
@@ -793,19 +894,18 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
     if (labellen < 0)
         goto err;
     oaep = RSA_OAEP_PARAMS_new();
-    if (oaep == NULL)
+    if (!oaep)
         goto err;
     if (!rsa_md_to_algor(&oaep->hashFunc, md))
         goto err;
     if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
         goto err;
     if (labellen > 0) {
-        ASN1_OCTET_STRING *los;
+        ASN1_OCTET_STRING *los = ASN1_OCTET_STRING_new();
         oaep->pSourceFunc = X509_ALGOR_new();
-        if (oaep->pSourceFunc == NULL)
+        if (!oaep->pSourceFunc)
             goto err;
-        los = ASN1_OCTET_STRING_new();
-        if (los == NULL)
+        if (!los)
             goto err;
         if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
             ASN1_OCTET_STRING_free(los);
@@ -821,13 +921,15 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
     os = NULL;
     rv = 1;
  err:
-    RSA_OAEP_PARAMS_free(oaep);
-    ASN1_STRING_free(os);
+    if (oaep)
+        RSA_OAEP_PARAMS_free(oaep);
+    if (os)
+        ASN1_STRING_free(os);
     return rv;
 }
 #endif
 
-const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
+const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
     {
      EVP_PKEY_RSA,
      EVP_PKEY_RSA,
@@ -847,7 +949,6 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2] = {
 
      int_rsa_size,
      rsa_bits,
-     rsa_security_bits,
 
      0, 0, 0, 0, 0, 0,
 
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c
index 20f8ebfa..aff8b583 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_asn1.c
@@ -1,18 +1,68 @@
+/* rsa_asn1.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
+#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/asn1t.h>
-#include "rsa_locl.h"
 
 /* Override the default free and new methods */
 static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -20,7 +70,7 @@ static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 {
     if (operation == ASN1_OP_NEW_PRE) {
         *pval = (ASN1_VALUE *)RSA_new();
-        if (*pval != NULL)
+        if (*pval)
             return 2;
         return 0;
     } else if (operation == ASN1_OP_FREE_PRE) {
@@ -35,12 +85,12 @@ ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = {
         ASN1_SIMPLE(RSA, version, LONG),
         ASN1_SIMPLE(RSA, n, BIGNUM),
         ASN1_SIMPLE(RSA, e, BIGNUM),
-        ASN1_SIMPLE(RSA, d, CBIGNUM),
-        ASN1_SIMPLE(RSA, p, CBIGNUM),
-        ASN1_SIMPLE(RSA, q, CBIGNUM),
-        ASN1_SIMPLE(RSA, dmp1, CBIGNUM),
-        ASN1_SIMPLE(RSA, dmq1, CBIGNUM),
-        ASN1_SIMPLE(RSA, iqmp, CBIGNUM)
+        ASN1_SIMPLE(RSA, d, BIGNUM),
+        ASN1_SIMPLE(RSA, p, BIGNUM),
+        ASN1_SIMPLE(RSA, q, BIGNUM),
+        ASN1_SIMPLE(RSA, dmp1, BIGNUM),
+        ASN1_SIMPLE(RSA, dmq1, BIGNUM),
+        ASN1_SIMPLE(RSA, iqmp, BIGNUM)
 } ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey)
 
 
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c
index 00260fb1..475dfc56 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_chk.c
@@ -1,30 +1,65 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_chk.c  */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  */
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
-#include "rsa_locl.h"
+#include <openssl/rsa.h>
 
 int RSA_check_key(const RSA *key)
 {
-    return RSA_check_key_ex(key, NULL);
-}
-
-int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
-{
     BIGNUM *i, *j, *k, *l, *m;
     BN_CTX *ctx;
     int ret = 1;
 
-    if (key->p == NULL || key->q == NULL || key->n == NULL
-            || key->e == NULL || key->d == NULL) {
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_VALUE_MISSING);
+    if (!key->p || !key->q || !key->n || !key->e || !key->d) {
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
         return 0;
     }
 
@@ -37,29 +72,29 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
     if (i == NULL || j == NULL || k == NULL || l == NULL
             || m == NULL || ctx == NULL) {
         ret = -1;
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, ERR_R_MALLOC_FAILURE);
+        RSAerr(RSA_F_RSA_CHECK_KEY, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
     if (BN_is_one(key->e)) {
         ret = 0;
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE);
     }
     if (!BN_is_odd(key->e)) {
         ret = 0;
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_BAD_E_VALUE);
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_BAD_E_VALUE);
     }
 
     /* p prime? */
-    if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, cb) != 1) {
+    if (BN_is_prime_ex(key->p, BN_prime_checks, NULL, NULL) != 1) {
         ret = 0;
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_P_NOT_PRIME);
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_P_NOT_PRIME);
     }
 
     /* q prime? */
-    if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, cb) != 1) {
+    if (BN_is_prime_ex(key->q, BN_prime_checks, NULL, NULL) != 1) {
         ret = 0;
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_Q_NOT_PRIME);
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_Q_NOT_PRIME);
     }
 
     /* n = p*q? */
@@ -69,7 +104,7 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
     }
     if (BN_cmp(i, key->n) != 0) {
         ret = 0;
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_N_DOES_NOT_EQUAL_P_Q);
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_N_DOES_NOT_EQUAL_P_Q);
     }
 
     /* d*e = 1  mod lcm(p-1,q-1)? */
@@ -102,7 +137,7 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
 
     if (!BN_is_one(i)) {
         ret = 0;
-        RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_D_E_NOT_CONGRUENT_TO_1);
+        RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_D_E_NOT_CONGRUENT_TO_1);
     }
 
     if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
@@ -117,7 +152,7 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
         }
         if (BN_cmp(j, key->dmp1) != 0) {
             ret = 0;
-            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
+            RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMP1_NOT_CONGRUENT_TO_D);
         }
 
         /* dmq1 = d mod (q-1)? */
@@ -131,7 +166,7 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
         }
         if (BN_cmp(j, key->dmq1) != 0) {
             ret = 0;
-            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
+            RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_DMQ1_NOT_CONGRUENT_TO_D);
         }
 
         /* iqmp = q^-1 mod p? */
@@ -141,7 +176,7 @@ int RSA_check_key_ex(const RSA *key, BN_GENCB *cb)
         }
         if (BN_cmp(i, key->iqmp) != 0) {
             ret = 0;
-            RSAerr(RSA_F_RSA_CHECK_KEY_EX, RSA_R_IQMP_NOT_INVERSE_OF_Q);
+            RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_IQMP_NOT_INVERSE_OF_Q);
         }
     }
 
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_crpt.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_crpt.c
index 9cd733b2..5c416b53 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_crpt.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_crpt.c
@@ -1,24 +1,71 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
-#include "internal/bn_int.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
 #include <openssl/rand.h>
-#include "rsa_locl.h"
-
-int RSA_bits(const RSA *r)
-{
-    return (BN_num_bits(r->n));
-}
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
 
 int RSA_size(const RSA *r)
 {
@@ -28,24 +75,52 @@ int RSA_size(const RSA *r)
 int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
                        RSA *rsa, int padding)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+        RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+        return -1;
+    }
+#endif
     return (rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
 }
 
 int RSA_private_encrypt(int flen, const unsigned char *from,
                         unsigned char *to, RSA *rsa, int padding)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+        RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+        return -1;
+    }
+#endif
     return (rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
 }
 
 int RSA_private_decrypt(int flen, const unsigned char *from,
                         unsigned char *to, RSA *rsa, int padding)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+        RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+        return -1;
+    }
+#endif
     return (rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
 }
 
 int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
                        RSA *rsa, int padding)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+        RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+        return -1;
+    }
+#endif
     return (rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
 }
 
@@ -56,8 +131,10 @@ int RSA_flags(const RSA *r)
 
 void RSA_blinding_off(RSA *rsa)
 {
-    BN_BLINDING_free(rsa->blinding);
-    rsa->blinding = NULL;
+    if (rsa->blinding != NULL) {
+        BN_BLINDING_free(rsa->blinding);
+        rsa->blinding = NULL;
+    }
     rsa->flags &= ~RSA_FLAG_BLINDING;
     rsa->flags |= RSA_FLAG_NO_BLINDING;
 }
@@ -110,7 +187,8 @@ static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
 
 BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
 {
-    BIGNUM *e;
+    BIGNUM local_n;
+    BIGNUM *e, *n;
     BN_CTX *ctx;
     BN_BLINDING *ret = NULL;
 
@@ -136,42 +214,33 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
     } else
         e = rsa->e;
 
-    if ((RAND_status() == 0) && rsa->d != NULL
-        && bn_get_words(rsa->d) != NULL) {
+    if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) {
         /*
          * if PRNG is not properly seeded, resort to secret exponent as
          * unpredictable seed
          */
-        RAND_add(bn_get_words(rsa->d), bn_get_dmax(rsa->d) * sizeof(BN_ULONG),
-                 0.0);
+        RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
     }
 
-    {
-        BIGNUM *n = BN_new();
-
-        if (n == NULL) {
-            RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        /* Set BN_FLG_CONSTTIME flag */
+        n = &local_n;
         BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
+    } else
+        n = rsa->n;
 
-        ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
-                                       rsa->_method_mod_n);
-        /* We MUST free n before any further use of rsa->n */
-        BN_free(n);
-    }
+    ret = BN_BLINDING_create_param(NULL, e, n, ctx,
+                                   rsa->meth->bn_mod_exp, rsa->_method_mod_n);
     if (ret == NULL) {
         RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
         goto err;
     }
-
-    BN_BLINDING_set_current_thread(ret);
-
+    CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
  err:
     BN_CTX_end(ctx);
-    if (ctx != in_ctx)
+    if (in_ctx == NULL)
         BN_CTX_free(ctx);
-    if (e != rsa->e)
+    if (rsa->e == NULL)
         BN_free(e);
 
     return ret;
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c
index 21e05625..32f0c888 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_depr.c
@@ -1,10 +1,56 @@
-/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_depr.c */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 /*
@@ -12,27 +58,27 @@
  * "new" versions).
  */
 
-#include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
-NON_EMPTY_TRANSLATION_UNIT
+#include <stdio.h>
+#include <time.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
 
-#else
+#ifdef OPENSSL_NO_DEPRECATED
 
-# include <stdio.h>
-# include <time.h>
-# include "internal/cryptlib.h"
-# include <openssl/bn.h>
-# include <openssl/rsa.h>
+static void *dummy = &dummy;
+
+#else
 
 RSA *RSA_generate_key(int bits, unsigned long e_value,
                       void (*callback) (int, int, void *), void *cb_arg)
 {
+    BN_GENCB cb;
     int i;
-    BN_GENCB *cb = BN_GENCB_new();
     RSA *rsa = RSA_new();
     BIGNUM *e = BN_new();
 
-    if (cb == NULL || rsa == NULL || e == NULL)
+    if (!rsa || !e)
         goto err;
 
     /*
@@ -45,17 +91,17 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
                 goto err;
     }
 
-    BN_GENCB_set_old(cb, callback, cb_arg);
+    BN_GENCB_set_old(&cb, callback, cb_arg);
 
-    if (RSA_generate_key_ex(rsa, bits, e, cb)) {
+    if (RSA_generate_key_ex(rsa, bits, e, &cb)) {
         BN_free(e);
-        BN_GENCB_free(cb);
         return rsa;
     }
  err:
-    BN_free(e);
-    RSA_free(rsa);
-    BN_GENCB_free(cb);
+    if (e)
+        BN_free(e);
+    if (rsa)
+        RSA_free(rsa);
     return 0;
 }
 #endif
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_ossl.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c
index 78260664..b147fff8 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_ossl.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_eay.c
@@ -1,54 +1,158 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_eay.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
-#include "internal/bn_int.h"
-#include "rsa_locl.h"
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
 
 #ifndef RSA_NULL
 
-static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
+static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                                   unsigned char *to, RSA *rsa, int padding);
-static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
+static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                                    unsigned char *to, RSA *rsa, int padding);
-static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
+static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                                   unsigned char *to, RSA *rsa, int padding);
-static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                                    unsigned char *to, RSA *rsa, int padding);
-static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
                            BN_CTX *ctx);
-static int rsa_ossl_init(RSA *rsa);
-static int rsa_ossl_finish(RSA *rsa);
-static RSA_METHOD rsa_pkcs1_ossl_meth = {
-    "OpenSSL PKCS#1 RSA (from Eric Young)",
-    rsa_ossl_public_encrypt,
-    rsa_ossl_public_decrypt,     /* signature verification */
-    rsa_ossl_private_encrypt,    /* signing */
-    rsa_ossl_private_decrypt,
-    rsa_ossl_mod_exp,
+static int RSA_eay_init(RSA *rsa);
+static int RSA_eay_finish(RSA *rsa);
+static RSA_METHOD rsa_pkcs1_eay_meth = {
+    "Eric Young's PKCS#1 RSA",
+    RSA_eay_public_encrypt,
+    RSA_eay_public_decrypt,     /* signature verification */
+    RSA_eay_private_encrypt,    /* signing */
+    RSA_eay_private_decrypt,
+    RSA_eay_mod_exp,
     BN_mod_exp_mont,            /* XXX probably we should not use Montgomery
                                  * if e == 3 */
-    rsa_ossl_init,
-    rsa_ossl_finish,
-    RSA_FLAG_FIPS_METHOD,       /* flags */
+    RSA_eay_init,
+    RSA_eay_finish,
+    0,                          /* flags */
     NULL,
     0,                          /* rsa_sign */
     0,                          /* rsa_verify */
     NULL                        /* rsa_keygen */
 };
 
-const RSA_METHOD *RSA_PKCS1_OpenSSL(void)
+const RSA_METHOD *RSA_PKCS1_SSLeay(void)
 {
-    return &rsa_pkcs1_ossl_meth;
+    return (&rsa_pkcs1_eay_meth);
 }
 
-static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
+static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                                   unsigned char *to, RSA *rsa, int padding)
 {
     BIGNUM *f, *ret;
@@ -57,19 +161,19 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
     BN_CTX *ctx = NULL;
 
     if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
         return -1;
     }
 
     if (BN_ucmp(rsa->n, rsa->e) <= 0) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
         return -1;
     }
 
     /* for large moduli, enforce exponent limit */
     if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
         if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
-            RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
+            RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
             return -1;
         }
     }
@@ -81,8 +185,8 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
     ret = BN_CTX_get(ctx);
     num = BN_num_bytes(rsa->n);
     buf = OPENSSL_malloc(num);
-    if (f == NULL || ret == NULL || buf == NULL) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
+    if (!f || !ret || !buf) {
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
@@ -90,9 +194,11 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
     case RSA_PKCS1_PADDING:
         i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
         break;
+# ifndef OPENSSL_NO_SHA
     case RSA_PKCS1_OAEP_PADDING:
         i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
         break;
+# endif
     case RSA_SSLV23_PADDING:
         i = RSA_padding_add_SSLv23(buf, num, from, flen);
         break;
@@ -100,7 +206,7 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
         i = RSA_padding_add_none(buf, num, from, flen);
         break;
     default:
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         goto err;
     }
     if (i <= 0)
@@ -111,14 +217,14 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
 
     if (BN_ucmp(f, rsa->n) >= 0) {
         /* usually the padding functions would catch this */
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT,
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,
                RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
         goto err;
     }
 
     if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
         if (!BN_MONT_CTX_set_locked
-            (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
+            (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
             goto err;
 
     if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
@@ -136,28 +242,40 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
 
     r = num;
  err:
-    if (ctx != NULL)
+    if (ctx != NULL) {
         BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    OPENSSL_clear_free(buf, num);
+        BN_CTX_free(ctx);
+    }
+    if (buf != NULL) {
+        OPENSSL_cleanse(buf, num);
+        OPENSSL_free(buf);
+    }
     return (r);
 }
 
 static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
 {
     BN_BLINDING *ret;
+    int got_write_lock = 0;
+    CRYPTO_THREADID cur;
 
-    CRYPTO_THREAD_write_lock(rsa->lock);
+    CRYPTO_r_lock(CRYPTO_LOCK_RSA);
 
     if (rsa->blinding == NULL) {
-        rsa->blinding = RSA_setup_blinding(rsa, ctx);
+        CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
+        CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+        got_write_lock = 1;
+
+        if (rsa->blinding == NULL)
+            rsa->blinding = RSA_setup_blinding(rsa, ctx);
     }
 
     ret = rsa->blinding;
     if (ret == NULL)
         goto err;
 
-    if (BN_BLINDING_is_current_thread(ret)) {
+    CRYPTO_THREADID_current(&cur);
+    if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
         /* rsa->blinding is ours! */
 
         *local = 1;
@@ -172,13 +290,23 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
         *local = 0;
 
         if (rsa->mt_blinding == NULL) {
-            rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
+            if (!got_write_lock) {
+                CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
+                CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+                got_write_lock = 1;
+            }
+
+            if (rsa->mt_blinding == NULL)
+                rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
         }
         ret = rsa->mt_blinding;
     }
 
  err:
-    CRYPTO_THREAD_unlock(rsa->lock);
+    if (got_write_lock)
+        CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+    else
+        CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
     return ret;
 }
 
@@ -195,11 +323,9 @@ static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
          * Shared blinding: store the unblinding factor outside BN_BLINDING.
          */
         int ret;
-
-        BN_BLINDING_lock(b);
+        CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
         ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
-        BN_BLINDING_unlock(b);
-
+        CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
         return ret;
     }
 }
@@ -219,7 +345,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
 }
 
 /* signing */
-static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
+static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                                    unsigned char *to, RSA *rsa, int padding)
 {
     BIGNUM *f, *ret, *res;
@@ -242,8 +368,8 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
     ret = BN_CTX_get(ctx);
     num = BN_num_bytes(rsa->n);
     buf = OPENSSL_malloc(num);
-    if (f == NULL || ret == NULL || buf == NULL) {
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
+    if (!f || !ret || !buf) {
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
@@ -259,7 +385,7 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
         break;
     case RSA_SSLV23_PADDING:
     default:
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         goto err;
     }
     if (i <= 0)
@@ -270,7 +396,7 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
 
     if (BN_ucmp(f, rsa->n) >= 0) {
         /* usually the padding functions would catch this */
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT,
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
                RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
         goto err;
     }
@@ -278,14 +404,14 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
     if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
         blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
         if (blinding == NULL) {
-            RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
+            RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
             goto err;
         }
     }
 
     if (blinding != NULL) {
         if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
-            RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
+            RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
             goto err;
         }
         if (!rsa_blinding_convert(blinding, f, unblind, ctx))
@@ -299,27 +425,24 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
         if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
             goto err;
     } else {
-        BIGNUM *d = BN_new();
-        if (d == NULL) {
-            RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+        BIGNUM local_d;
+        BIGNUM *d = NULL;
+
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+            BN_init(&local_d);
+            d = &local_d;
+            BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+        } else
+            d = rsa->d;
 
         if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
             if (!BN_MONT_CTX_set_locked
-                (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
-                BN_free(d);
+                (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
                 goto err;
-            }
 
         if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
-                                   rsa->_method_mod_n)) {
-            BN_free(d);
+                                   rsa->_method_mod_n))
             goto err;
-        }
-        /* We MUST free d before any further use of rsa->d */
-        BN_free(d);
     }
 
     if (blinding)
@@ -346,14 +469,18 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
 
     r = num;
  err:
-    if (ctx != NULL)
+    if (ctx != NULL) {
         BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    OPENSSL_clear_free(buf, num);
+        BN_CTX_free(ctx);
+    }
+    if (buf != NULL) {
+        OPENSSL_cleanse(buf, num);
+        OPENSSL_free(buf);
+    }
     return (r);
 }
 
-static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                                    unsigned char *to, RSA *rsa, int padding)
 {
     BIGNUM *f, *ret;
@@ -377,8 +504,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
     ret = BN_CTX_get(ctx);
     num = BN_num_bytes(rsa->n);
     buf = OPENSSL_malloc(num);
-    if (f == NULL || ret == NULL || buf == NULL) {
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
+    if (!f || !ret || !buf) {
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
@@ -387,7 +514,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
      * top '0' bytes
      */
     if (flen > num) {
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
                RSA_R_DATA_GREATER_THAN_MOD_LEN);
         goto err;
     }
@@ -397,7 +524,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
         goto err;
 
     if (BN_ucmp(f, rsa->n) >= 0) {
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT,
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,
                RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
         goto err;
     }
@@ -405,14 +532,14 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
     if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
         blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
         if (blinding == NULL) {
-            RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
+            RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
             goto err;
         }
     }
 
     if (blinding != NULL) {
         if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL)) {
-            RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
+            RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
             goto err;
         }
         if (!rsa_blinding_convert(blinding, f, unblind, ctx))
@@ -427,26 +554,22 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
         if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
             goto err;
     } else {
-        BIGNUM *d = BN_new();
-        if (d == NULL) {
-            RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+        BIGNUM local_d;
+        BIGNUM *d = NULL;
+
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+            d = &local_d;
+            BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+        } else
+            d = rsa->d;
 
         if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
             if (!BN_MONT_CTX_set_locked
-                (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
-                BN_free(d);
+                (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
                 goto err;
-            }
         if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
-                                   rsa->_method_mod_n)) {
-            BN_free(d);
+                                   rsa->_method_mod_n))
             goto err;
-        }
-        /* We MUST free d before any further use of rsa->d */
-        BN_free(d);
     }
 
     if (blinding)
@@ -460,9 +583,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
     case RSA_PKCS1_PADDING:
         r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
         break;
+# ifndef OPENSSL_NO_SHA
     case RSA_PKCS1_OAEP_PADDING:
         r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
         break;
+# endif
     case RSA_SSLV23_PADDING:
         r = RSA_padding_check_SSLv23(to, num, buf, j, num);
         break;
@@ -470,22 +595,26 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
         r = RSA_padding_check_none(to, num, buf, j, num);
         break;
     default:
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         goto err;
     }
     if (r < 0)
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
 
  err:
-    if (ctx != NULL)
+    if (ctx != NULL) {
         BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    OPENSSL_clear_free(buf, num);
+        BN_CTX_free(ctx);
+    }
+    if (buf != NULL) {
+        OPENSSL_cleanse(buf, num);
+        OPENSSL_free(buf);
+    }
     return (r);
 }
 
 /* signature verification */
-static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
+static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                                   unsigned char *to, RSA *rsa, int padding)
 {
     BIGNUM *f, *ret;
@@ -495,19 +624,19 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
     BN_CTX *ctx = NULL;
 
     if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
         return -1;
     }
 
     if (BN_ucmp(rsa->n, rsa->e) <= 0) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
         return -1;
     }
 
     /* for large moduli, enforce exponent limit */
     if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) {
         if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) {
-            RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
+            RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
             return -1;
         }
     }
@@ -519,8 +648,8 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
     ret = BN_CTX_get(ctx);
     num = BN_num_bytes(rsa->n);
     buf = OPENSSL_malloc(num);
-    if (f == NULL || ret == NULL || buf == NULL) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
+    if (!f || !ret || !buf) {
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
@@ -529,7 +658,7 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
      * top '0' bytes
      */
     if (flen > num) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_DATA_GREATER_THAN_MOD_LEN);
         goto err;
     }
 
@@ -537,21 +666,21 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
         goto err;
 
     if (BN_ucmp(f, rsa->n) >= 0) {
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT,
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,
                RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
         goto err;
     }
 
     if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
         if (!BN_MONT_CTX_set_locked
-            (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
+            (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
             goto err;
 
     if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
                                rsa->_method_mod_n))
         goto err;
 
-    if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
+    if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
         if (!BN_sub(ret, rsa->n, ret))
             goto err;
 
@@ -569,124 +698,112 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
         r = RSA_padding_check_none(to, num, buf, i, num);
         break;
     default:
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         goto err;
     }
     if (r < 0)
-        RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
 
  err:
-    if (ctx != NULL)
+    if (ctx != NULL) {
         BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    OPENSSL_clear_free(buf, num);
+        BN_CTX_free(ctx);
+    }
+    if (buf != NULL) {
+        OPENSSL_cleanse(buf, num);
+        OPENSSL_free(buf);
+    }
     return (r);
 }
 
-static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 {
     BIGNUM *r1, *m1, *vrfy;
+    BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
+    BIGNUM *dmp1, *dmq1, *c, *pr1;
     int ret = 0;
 
     BN_CTX_start(ctx);
-
     r1 = BN_CTX_get(ctx);
     m1 = BN_CTX_get(ctx);
     vrfy = BN_CTX_get(ctx);
 
     {
-        BIGNUM *p = BN_new(), *q = BN_new();
+        BIGNUM local_p, local_q;
+        BIGNUM *p = NULL, *q = NULL;
 
         /*
-         * Make sure BN_mod_inverse in Montgomery initialization uses the
-         * BN_FLG_CONSTTIME flag
+         * Make sure BN_mod_inverse in Montgomery intialization uses the
+         * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
          */
-        if (p == NULL || q == NULL) {
-            BN_free(p);
-            BN_free(q);
-            goto err;
+        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+            BN_init(&local_p);
+            p = &local_p;
+            BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+
+            BN_init(&local_q);
+            q = &local_q;
+            BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
+        } else {
+            p = rsa->p;
+            q = rsa->q;
         }
-        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-        BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
 
         if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
             if (!BN_MONT_CTX_set_locked
-                (&rsa->_method_mod_p, rsa->lock, p, ctx)
-                || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
-                                           rsa->lock, q, ctx)) {
-                BN_free(p);
-                BN_free(q);
+                (&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
+                goto err;
+            if (!BN_MONT_CTX_set_locked
+                (&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
                 goto err;
-            }
         }
-        /*
-         * We MUST free p and q before any further use of rsa->p and rsa->q
-         */
-        BN_free(p);
-        BN_free(q);
     }
 
     if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
         if (!BN_MONT_CTX_set_locked
-            (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx))
+            (&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
             goto err;
 
     /* compute I mod q */
-    {
-        BIGNUM *c = BN_new();
-        if (c == NULL)
-            goto err;
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        c = &local_c;
         BN_with_flags(c, I, BN_FLG_CONSTTIME);
-
-        if (!BN_mod(r1, c, rsa->q, ctx)) {
-            BN_free(c);
+        if (!BN_mod(r1, c, rsa->q, ctx))
             goto err;
-        }
-
-        {
-            BIGNUM *dmq1 = BN_new();
-            if (dmq1 == NULL) {
-                BN_free(c);
-                goto err;
-            }
-            BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
-
-            /* compute r1^dmq1 mod q */
-            if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
-                rsa->_method_mod_q)) {
-                BN_free(c);
-                BN_free(dmq1);
-                goto err;
-            }
-            /* We MUST free dmq1 before any further use of rsa->dmq1 */
-            BN_free(dmq1);
-        }
-
-        /* compute I mod p */
-        if (!BN_mod(r1, c, rsa->p, ctx)) {
-            BN_free(c);
+    } else {
+        if (!BN_mod(r1, I, rsa->q, ctx))
             goto err;
-        }
-        /* We MUST free c before any further use of I */
-        BN_free(c);
     }
 
-    {
-        BIGNUM *dmp1 = BN_new();
-        if (dmp1 == NULL)
-            goto err;
-        BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+    /* compute r1^dmq1 mod q */
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        dmq1 = &local_dmq1;
+        BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+    } else
+        dmq1 = rsa->dmq1;
+    if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q))
+        goto err;
 
-        /* compute r1^dmp1 mod p */
-        if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
-                                   rsa->_method_mod_p)) {
-            BN_free(dmp1);
+    /* compute I mod p */
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        c = &local_c;
+        BN_with_flags(c, I, BN_FLG_CONSTTIME);
+        if (!BN_mod(r1, c, rsa->p, ctx))
+            goto err;
+    } else {
+        if (!BN_mod(r1, I, rsa->p, ctx))
             goto err;
-        }
-        /* We MUST free dmp1 before any further use of rsa->dmp1 */
-        BN_free(dmp1);
     }
 
+    /* compute r1^dmp1 mod p */
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        dmp1 = &local_dmp1;
+        BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+    } else
+        dmp1 = rsa->dmp1;
+    if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p))
+        goto err;
+
     if (!BN_sub(r0, r0, m1))
         goto err;
     /*
@@ -700,19 +817,14 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
     if (!BN_mul(r1, r0, rsa->iqmp, ctx))
         goto err;
 
-    {
-        BIGNUM *pr1 = BN_new();
-        if (pr1 == NULL)
-            goto err;
+    /* Turn BN_FLG_CONSTTIME flag on before division operation */
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        pr1 = &local_r1;
         BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
-
-        if (!BN_mod(r0, pr1, rsa->p, ctx)) {
-            BN_free(pr1);
-            goto err;
-        }
-        /* We MUST free pr1 before any further use of r1 */
-        BN_free(pr1);
-    }
+    } else
+        pr1 = r1;
+    if (!BN_mod(r0, pr1, rsa->p, ctx))
+        goto err;
 
     /*
      * If p < q it is occasionally possible for the correction of adding 'p'
@@ -753,18 +865,17 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
              * return that instead.
              */
 
-            BIGNUM *d = BN_new();
-            if (d == NULL)
-                goto err;
-            BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+            BIGNUM local_d;
+            BIGNUM *d = NULL;
 
+            if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+                d = &local_d;
+                BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+            } else
+                d = rsa->d;
             if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
-                                       rsa->_method_mod_n)) {
-                BN_free(d);
+                                       rsa->_method_mod_n))
                 goto err;
-            }
-            /* We MUST free d before any further use of rsa->d */
-            BN_free(d);
         }
     }
     ret = 1;
@@ -773,17 +884,20 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
     return (ret);
 }
 
-static int rsa_ossl_init(RSA *rsa)
+static int RSA_eay_init(RSA *rsa)
 {
     rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
     return (1);
 }
 
-static int rsa_ossl_finish(RSA *rsa)
+static int RSA_eay_finish(RSA *rsa)
 {
-    BN_MONT_CTX_free(rsa->_method_mod_n);
-    BN_MONT_CTX_free(rsa->_method_mod_p);
-    BN_MONT_CTX_free(rsa->_method_mod_q);
+    if (rsa->_method_mod_n != NULL)
+        BN_MONT_CTX_free(rsa->_method_mod_n);
+    if (rsa->_method_mod_p != NULL)
+        BN_MONT_CTX_free(rsa->_method_mod_p);
+    if (rsa->_method_mod_q != NULL)
+        BN_MONT_CTX_free(rsa->_method_mod_q);
     return (1);
 }
 
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c
index bf54095b..0bab05ef 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,35 +70,36 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
 
 static ERR_STRING_DATA RSA_str_functs[] = {
-    {ERR_FUNC(RSA_F_CHECK_PADDING_MD), "check_padding_md"},
-    {ERR_FUNC(RSA_F_ENCODE_PKCS1), "encode_pkcs1"},
-    {ERR_FUNC(RSA_F_INT_RSA_VERIFY), "int_rsa_verify"},
-    {ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "old_rsa_priv_decode"},
-    {ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "pkey_rsa_ctrl"},
-    {ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "pkey_rsa_ctrl_str"},
-    {ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "pkey_rsa_sign"},
-    {ERR_FUNC(RSA_F_PKEY_RSA_VERIFY), "pkey_rsa_verify"},
-    {ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "pkey_rsa_verifyrecover"},
-    {ERR_FUNC(RSA_F_RSA_ALGOR_TO_MD), "rsa_algor_to_md"},
-    {ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
+    {ERR_FUNC(RSA_F_CHECK_PADDING_MD), "CHECK_PADDING_MD"},
+    {ERR_FUNC(RSA_F_DO_RSA_PRINT), "DO_RSA_PRINT"},
+    {ERR_FUNC(RSA_F_INT_RSA_VERIFY), "INT_RSA_VERIFY"},
+    {ERR_FUNC(RSA_F_MEMORY_LOCK), "MEMORY_LOCK"},
+    {ERR_FUNC(RSA_F_OLD_RSA_PRIV_DECODE), "OLD_RSA_PRIV_DECODE"},
+    {ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
+    {ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
+    {ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
+    {ERR_FUNC(RSA_F_PKEY_RSA_VERIFY), "PKEY_RSA_VERIFY"},
+    {ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
+    {ERR_FUNC(RSA_F_RSA_ALGOR_TO_MD), "RSA_ALGOR_TO_MD"},
+    {ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
     {ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
-    {ERR_FUNC(RSA_F_RSA_CHECK_KEY_EX), "RSA_check_key_ex"},
-    {ERR_FUNC(RSA_F_RSA_CMS_DECRYPT), "rsa_cms_decrypt"},
-    {ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "rsa_item_verify"},
-    {ERR_FUNC(RSA_F_RSA_METH_DUP), "RSA_meth_dup"},
-    {ERR_FUNC(RSA_F_RSA_METH_NEW), "RSA_meth_new"},
-    {ERR_FUNC(RSA_F_RSA_METH_SET1_NAME), "RSA_meth_set1_name"},
-    {ERR_FUNC(RSA_F_RSA_MGF1_TO_MD), "rsa_mgf1_to_md"},
+    {ERR_FUNC(RSA_F_RSA_CMS_DECRYPT), "RSA_CMS_DECRYPT"},
+    {ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_DECRYPT), "RSA_EAY_PRIVATE_DECRYPT"},
+    {ERR_FUNC(RSA_F_RSA_EAY_PRIVATE_ENCRYPT), "RSA_EAY_PRIVATE_ENCRYPT"},
+    {ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
+    {ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
+    {ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
+    {ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
+    {ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "RSA_ITEM_VERIFY"},
+    {ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
+    {ERR_FUNC(RSA_F_RSA_MGF1_TO_MD), "RSA_MGF1_TO_MD"},
     {ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
     {ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
-    {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_null_private_decrypt"},
-    {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_null_private_encrypt"},
-    {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_null_public_decrypt"},
-    {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_null_public_encrypt"},
-    {ERR_FUNC(RSA_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"},
-    {ERR_FUNC(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"},
-    {ERR_FUNC(RSA_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"},
-    {ERR_FUNC(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"},
+    {ERR_FUNC(RSA_F_RSA_NULL_MOD_EXP), "RSA_NULL_MOD_EXP"},
+    {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_DECRYPT), "RSA_NULL_PRIVATE_DECRYPT"},
+    {ERR_FUNC(RSA_F_RSA_NULL_PRIVATE_ENCRYPT), "RSA_NULL_PRIVATE_ENCRYPT"},
+    {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_DECRYPT), "RSA_NULL_PUBLIC_DECRYPT"},
+    {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT), "RSA_NULL_PUBLIC_ENCRYPT"},
     {ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
     {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP),
      "RSA_padding_add_PKCS1_OAEP"},
@@ -75,9 +127,14 @@ static ERR_STRING_DATA RSA_str_functs[] = {
     {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
     {ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
     {ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
-    {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "rsa_priv_encode"},
-    {ERR_FUNC(RSA_F_RSA_PSS_TO_CTX), "rsa_pss_to_ctx"},
-    {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "rsa_pub_decode"},
+    {ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
+    {ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
+    {ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
+    {ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
+    {ERR_FUNC(RSA_F_RSA_PSS_TO_CTX), "RSA_PSS_TO_CTX"},
+    {ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
+    {ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
+    {ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
     {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
     {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
     {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),
@@ -85,6 +142,7 @@ static ERR_STRING_DATA RSA_str_functs[] = {
     {ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
     {ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING),
      "RSA_verify_ASN1_OCTET_STRING"},
+    {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
     {ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"},
     {0, NULL}
 };
@@ -119,6 +177,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
     {ERR_REASON(RSA_R_INVALID_DIGEST), "invalid digest"},
     {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH), "invalid digest length"},
     {ERR_REASON(RSA_R_INVALID_HEADER), "invalid header"},
+    {ERR_REASON(RSA_R_INVALID_KEYBITS), "invalid keybits"},
     {ERR_REASON(RSA_R_INVALID_LABEL), "invalid label"},
     {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"},
     {ERR_REASON(RSA_R_INVALID_MGF1_MD), "invalid mgf1 md"},
@@ -134,11 +193,14 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
     {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
     {ERR_REASON(RSA_R_LAST_OCTET_INVALID), "last octet invalid"},
     {ERR_REASON(RSA_R_MODULUS_TOO_LARGE), "modulus too large"},
+    {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD), "non fips rsa method"},
     {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
     {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),
      "null before block missing"},
     {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q), "n does not equal p q"},
     {ERR_REASON(RSA_R_OAEP_DECODING_ERROR), "oaep decoding error"},
+    {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),
+     "operation not allowed in fips mode"},
     {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
      "operation not supported for this keytype"},
     {ERR_REASON(RSA_R_PADDING_CHECK_FAILED), "padding check failed"},
@@ -156,6 +218,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
     {ERR_REASON(RSA_R_UNKNOWN_DIGEST), "unknown digest"},
     {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST), "unknown mask digest"},
     {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE), "unknown padding type"},
+    {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST), "unknown pss digest"},
     {ERR_REASON(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE),
      "unsupported encryption type"},
     {ERR_REASON(RSA_R_UNSUPPORTED_LABEL_SOURCE), "unsupported label source"},
@@ -172,7 +235,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = {
 
 #endif
 
-int ERR_load_RSA_strings(void)
+void ERR_load_RSA_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -181,5 +244,4 @@ int ERR_load_RSA_strings(void)
         ERR_load_strings(0, RSA_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
index 0d1d56bf..082c8da2 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_gen.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_gen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 /*
@@ -15,9 +64,14 @@
 
 #include <stdio.h>
 #include <time.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
-#include "rsa_locl.h"
+#include <openssl/rsa.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
+                                         BN_GENCB *cb);
+#endif
 
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
                               BN_GENCB *cb);
@@ -31,8 +85,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
  */
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 {
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+        RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+        return 0;
+    }
+#endif
     if (rsa->meth->rsa_keygen)
         return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
+#endif
     return rsa_builtin_keygen(rsa, bits, e_value, cb);
 }
 
@@ -40,6 +105,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
                               BN_GENCB *cb)
 {
     BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
+    BIGNUM local_r0, local_d, local_p;
+    BIGNUM *pr0, *d, *p;
     int bitsp, bitsq, ok = -1, n = 0;
     BN_CTX *ctx = NULL;
 
@@ -60,19 +127,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
     /* We need the RSA components non-NULL */
     if (!rsa->n && ((rsa->n = BN_new()) == NULL))
         goto err;
-    if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
+    if (!rsa->d && ((rsa->d = BN_new()) == NULL))
         goto err;
     if (!rsa->e && ((rsa->e = BN_new()) == NULL))
         goto err;
-    if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
+    if (!rsa->p && ((rsa->p = BN_new()) == NULL))
         goto err;
-    if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
+    if (!rsa->q && ((rsa->q = BN_new()) == NULL))
         goto err;
-    if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
+    if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
         goto err;
-    if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
+    if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
         goto err;
-    if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
+    if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
         goto err;
 
     if (BN_copy(rsa->e, e_value) == NULL)
@@ -137,53 +204,37 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
         goto err;               /* q-1 */
     if (!BN_mul(r0, r1, r2, ctx))
         goto err;               /* (p-1)(q-1) */
-    {
-        BIGNUM *pr0 = BN_new();
-
-        if (pr0 == NULL)
-            goto err;
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        pr0 = &local_r0;
         BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
-        if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
-            BN_free(pr0);
-            goto err;               /* d */
-        }
-        /* We MUST free pr0 before any further use of r0 */
-        BN_free(pr0);
-    }
-
-    {
-        BIGNUM *d = BN_new();
-
-        if (d == NULL)
-            goto err;
+    } else
+        pr0 = r0;
+    if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
+        goto err;               /* d */
+
+    /* set up d for correct BN_FLG_CONSTTIME flag */
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        d = &local_d;
         BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+    } else
+        d = rsa->d;
 
-        if (   /* calculate d mod (p-1) */
-               !BN_mod(rsa->dmp1, d, r1, ctx)
-               /* calculate d mod (q-1) */
-            || !BN_mod(rsa->dmq1, d, r2, ctx)) {
-            BN_free(d);
-            goto err;
-        }
-        /* We MUST free d before any further use of rsa->d */
-        BN_free(d);
-    }
+    /* calculate d mod (p-1) */
+    if (!BN_mod(rsa->dmp1, d, r1, ctx))
+        goto err;
 
-    {
-        BIGNUM *p = BN_new();
+    /* calculate d mod (q-1) */
+    if (!BN_mod(rsa->dmq1, d, r2, ctx))
+        goto err;
 
-        if (p == NULL)
-            goto err;
+    /* calculate inverse of q mod p */
+    if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        p = &local_p;
         BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
-        /* calculate inverse of q mod p */
-        if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
-            BN_free(p);
-            goto err;
-        }
-        /* We MUST free p before any further use of rsa->p */
-        BN_free(p);
-    }
+    } else
+        p = rsa->p;
+    if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+        goto err;
 
     ok = 1;
  err:
@@ -191,9 +242,10 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
         RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
         ok = 0;
     }
-    if (ctx != NULL)
+    if (ctx != NULL) {
         BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
+        BN_CTX_free(ctx);
+    }
 
     return ok;
 }
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c
index 48e9100a..6ea6b40d 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_lib.c
@@ -1,19 +1,77 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_lib.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
-#include "internal/bn_int.h"
-#include <openssl/engine.h>
-#include "rsa_locl.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
+const char RSA_version[] = "RSA" OPENSSL_VERSION_PTEXT;
 
 static const RSA_METHOD *default_RSA_meth = NULL;
 
@@ -32,10 +90,17 @@ void RSA_set_default_method(const RSA_METHOD *meth)
 const RSA_METHOD *RSA_get_default_method(void)
 {
     if (default_RSA_meth == NULL) {
-#ifdef RSA_NULL
-        default_RSA_meth = RSA_null_method();
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode())
+            return FIPS_rsa_pkcs1_ssleay();
+        else
+            return RSA_PKCS1_SSLeay();
 #else
-        default_RSA_meth = RSA_PKCS1_OpenSSL();
+# ifdef RSA_NULL
+        default_RSA_meth = RSA_null_method();
+# else
+        default_RSA_meth = RSA_PKCS1_SSLeay();
+# endif
 #endif
     }
 
@@ -58,8 +123,10 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
     if (mtmp->finish)
         mtmp->finish(rsa);
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(rsa->engine);
-    rsa->engine = NULL;
+    if (rsa->engine) {
+        ENGINE_finish(rsa->engine);
+        rsa->engine = NULL;
+    }
 #endif
     rsa->meth = meth;
     if (meth->init)
@@ -69,56 +136,74 @@ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
 
 RSA *RSA_new_method(ENGINE *engine)
 {
-    RSA *ret = OPENSSL_zalloc(sizeof(*ret));
+    RSA *ret;
 
+    ret = (RSA *)OPENSSL_malloc(sizeof(RSA));
     if (ret == NULL) {
         RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
-
-    ret->references = 1;
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(ret);
-        return NULL;
-    }
+    memset(ret,0,sizeof(RSA));
 
     ret->meth = RSA_get_default_method();
 #ifndef OPENSSL_NO_ENGINE
-    ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
     if (engine) {
         if (!ENGINE_init(engine)) {
             RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
-            goto err;
+            OPENSSL_free(ret);
+            return NULL;
         }
         ret->engine = engine;
     } else
         ret->engine = ENGINE_get_default_RSA();
     if (ret->engine) {
         ret->meth = ENGINE_get_RSA(ret->engine);
-        if (ret->meth == NULL) {
+        if (!ret->meth) {
             RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
-            goto err;
+            ENGINE_finish(ret->engine);
+            OPENSSL_free(ret);
+            return NULL;
         }
     }
 #endif
 
+    ret->pad = 0;
+    ret->version = 0;
+    ret->n = NULL;
+    ret->e = NULL;
+    ret->d = NULL;
+    ret->p = NULL;
+    ret->q = NULL;
+    ret->dmp1 = NULL;
+    ret->dmq1 = NULL;
+    ret->iqmp = NULL;
+    ret->references = 1;
+    ret->_method_mod_n = NULL;
+    ret->_method_mod_p = NULL;
+    ret->_method_mod_q = NULL;
+    ret->blinding = NULL;
+    ret->mt_blinding = NULL;
+    ret->bignum_data = NULL;
     ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
-        goto err;
+#ifndef OPENSSL_NO_ENGINE
+        if (ret->engine)
+            ENGINE_finish(ret->engine);
+#endif
+        OPENSSL_free(ret);
+        return (NULL);
     }
 
     if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
-        RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_INIT_FAIL);
-        goto err;
+#ifndef OPENSSL_NO_ENGINE
+        if (ret->engine)
+            ENGINE_finish(ret->engine);
+#endif
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
+        OPENSSL_free(ret);
+        ret = NULL;
     }
-
-    return ret;
-
-err:
-    RSA_free(ret);
-    return NULL;
+    return (ret);
 }
 
 void RSA_free(RSA *r)
@@ -128,48 +213,75 @@ void RSA_free(RSA *r)
     if (r == NULL)
         return;
 
-    CRYPTO_atomic_add(&r->references, -1, &i, r->lock);
-    REF_PRINT_COUNT("RSA", r);
+    i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_RSA);
+#ifdef REF_PRINT
+    REF_PRINT("RSA", r);
+#endif
     if (i > 0)
         return;
-    REF_ASSERT_ISNT(i < 0);
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "RSA_free, bad reference count\n");
+        abort();
+    }
+#endif
 
     if (r->meth->finish)
         r->meth->finish(r);
 #ifndef OPENSSL_NO_ENGINE
-    ENGINE_finish(r->engine);
+    if (r->engine)
+        ENGINE_finish(r->engine);
 #endif
 
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
 
-    CRYPTO_THREAD_lock_free(r->lock);
-
-    BN_clear_free(r->n);
-    BN_clear_free(r->e);
-    BN_clear_free(r->d);
-    BN_clear_free(r->p);
-    BN_clear_free(r->q);
-    BN_clear_free(r->dmp1);
-    BN_clear_free(r->dmq1);
-    BN_clear_free(r->iqmp);
-    BN_BLINDING_free(r->blinding);
-    BN_BLINDING_free(r->mt_blinding);
-    OPENSSL_free(r->bignum_data);
+    if (r->n != NULL)
+        BN_clear_free(r->n);
+    if (r->e != NULL)
+        BN_clear_free(r->e);
+    if (r->d != NULL)
+        BN_clear_free(r->d);
+    if (r->p != NULL)
+        BN_clear_free(r->p);
+    if (r->q != NULL)
+        BN_clear_free(r->q);
+    if (r->dmp1 != NULL)
+        BN_clear_free(r->dmp1);
+    if (r->dmq1 != NULL)
+        BN_clear_free(r->dmq1);
+    if (r->iqmp != NULL)
+        BN_clear_free(r->iqmp);
+    if (r->blinding != NULL)
+        BN_BLINDING_free(r->blinding);
+    if (r->mt_blinding != NULL)
+        BN_BLINDING_free(r->mt_blinding);
+    if (r->bignum_data != NULL)
+        OPENSSL_free_locked(r->bignum_data);
     OPENSSL_free(r);
 }
 
 int RSA_up_ref(RSA *r)
 {
-    int i;
-
-    if (CRYPTO_atomic_add(&r->references, 1, &i, r->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("RSA", r);
-    REF_ASSERT_ISNT(i < 2);
+    int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
+#ifdef REF_PRINT
+    REF_PRINT("RSA", r);
+#endif
+#ifdef REF_CHECK
+    if (i < 2) {
+        fprintf(stderr, "RSA_up_ref, bad reference count\n");
+        abort();
+    }
+#endif
     return ((i > 1) ? 1 : 0);
 }
 
+int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+{
+    return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
+                                   new_func, dup_func, free_func);
+}
+
 int RSA_set_ex_data(RSA *r, int idx, void *arg)
 {
     return (CRYPTO_set_ex_data(&r->ex_data, idx, arg));
@@ -180,131 +292,46 @@ void *RSA_get_ex_data(const RSA *r, int idx)
     return (CRYPTO_get_ex_data(&r->ex_data, idx));
 }
 
-int RSA_security_bits(const RSA *rsa)
-{
-    return BN_security_bits(BN_num_bits(rsa->n), -1);
-}
-
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-{
-    /* If the fields n and e in r are NULL, the corresponding input
-     * parameters MUST be non-NULL for n and e.  d may be
-     * left NULL (in case only the public key is used).
-     */
-    if ((r->n == NULL && n == NULL)
-        || (r->e == NULL && e == NULL))
-        return 0;
-
-    if (n != NULL) {
-        BN_free(r->n);
-        r->n = n;
-    }
-    if (e != NULL) {
-        BN_free(r->e);
-        r->e = e;
-    }
-    if (d != NULL) {
-        BN_free(r->d);
-        r->d = d;
-    }
-
-    return 1;
-}
-
-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
+int RSA_memory_lock(RSA *r)
 {
-    /* If the fields p and q in r are NULL, the corresponding input
-     * parameters MUST be non-NULL.
-     */
-    if ((r->p == NULL && p == NULL)
-        || (r->q == NULL && q == NULL))
-        return 0;
-
-    if (p != NULL) {
-        BN_free(r->p);
-        r->p = p;
-    }
-    if (q != NULL) {
-        BN_free(r->q);
-        r->q = q;
-    }
-
-    return 1;
-}
-
-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-{
-    /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
-     * parameters MUST be non-NULL.
-     */
-    if ((r->dmp1 == NULL && dmp1 == NULL)
-        || (r->dmq1 == NULL && dmq1 == NULL)
-        || (r->iqmp == NULL && iqmp == NULL))
-        return 0;
-
-    if (dmp1 != NULL) {
-        BN_free(r->dmp1);
-        r->dmp1 = dmp1;
+    int i, j, k, off;
+    char *p;
+    BIGNUM *bn, **t[6], *b;
+    BN_ULONG *ul;
+
+    if (r->d == NULL)
+        return (1);
+    t[0] = &r->d;
+    t[1] = &r->p;
+    t[2] = &r->q;
+    t[3] = &r->dmp1;
+    t[4] = &r->dmq1;
+    t[5] = &r->iqmp;
+    k = sizeof(BIGNUM) * 6;
+    off = k / sizeof(BN_ULONG) + 1;
+    j = 1;
+    for (i = 0; i < 6; i++)
+        j += (*t[i])->top;
+    if ((p = OPENSSL_malloc_locked((off + j) * sizeof(BN_ULONG))) == NULL) {
+        RSAerr(RSA_F_RSA_MEMORY_LOCK, ERR_R_MALLOC_FAILURE);
+        return (0);
     }
-    if (dmq1 != NULL) {
-        BN_free(r->dmq1);
-        r->dmq1 = dmq1;
+    bn = (BIGNUM *)p;
+    ul = (BN_ULONG *)&(p[off]);
+    for (i = 0; i < 6; i++) {
+        b = *(t[i]);
+        *(t[i]) = &(bn[i]);
+        memcpy((char *)&(bn[i]), (char *)b, sizeof(BIGNUM));
+        bn[i].flags = BN_FLG_STATIC_DATA;
+        bn[i].d = ul;
+        memcpy((char *)ul, b->d, sizeof(BN_ULONG) * b->top);
+        ul += b->top;
+        BN_clear_free(b);
     }
-    if (iqmp != NULL) {
-        BN_free(r->iqmp);
-        r->iqmp = iqmp;
-    }
-
-    return 1;
-}
-
-void RSA_get0_key(const RSA *r,
-                  const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-{
-    if (n != NULL)
-        *n = r->n;
-    if (e != NULL)
-        *e = r->e;
-    if (d != NULL)
-        *d = r->d;
-}
-
-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-{
-    if (p != NULL)
-        *p = r->p;
-    if (q != NULL)
-        *q = r->q;
-}
-
-void RSA_get0_crt_params(const RSA *r,
-                         const BIGNUM **dmp1, const BIGNUM **dmq1,
-                         const BIGNUM **iqmp)
-{
-    if (dmp1 != NULL)
-        *dmp1 = r->dmp1;
-    if (dmq1 != NULL)
-        *dmq1 = r->dmq1;
-    if (iqmp != NULL)
-        *iqmp = r->iqmp;
-}
 
-void RSA_clear_flags(RSA *r, int flags)
-{
-    r->flags &= ~flags;
-}
+    /* I should fix this so it can still be done */
+    r->flags &= ~(RSA_FLAG_CACHE_PRIVATE | RSA_FLAG_CACHE_PUBLIC);
 
-int RSA_test_flags(const RSA *r, int flags)
-{
-    return r->flags & flags;
-}
-
-void RSA_set_flags(RSA *r, int flags)
-{
-    r->flags |= flags;
-}
-
-ENGINE *RSA_get0_engine(const RSA *r)
-{
-    return r->engine;
+    r->bignum_data = p;
+    return (1);
 }
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_locl.h b/Cryptlib/OpenSSL/crypto/rsa/rsa_locl.h
index 5d16aa6f..3e88187d 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_locl.h
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_locl.h
@@ -1,95 +1,3 @@
-/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/rsa.h>
-
-struct rsa_st {
-    /*
-     * The first parameter is used to pickup errors where this is passed
-     * instead of aEVP_PKEY, it is set to 0
-     */
-    int pad;
-    long version;
-    const RSA_METHOD *meth;
-    /* functional reference if 'meth' is ENGINE-provided */
-    ENGINE *engine;
-    BIGNUM *n;
-    BIGNUM *e;
-    BIGNUM *d;
-    BIGNUM *p;
-    BIGNUM *q;
-    BIGNUM *dmp1;
-    BIGNUM *dmq1;
-    BIGNUM *iqmp;
-    /* be careful using this if the RSA structure is shared */
-    CRYPTO_EX_DATA ex_data;
-    int references;
-    int flags;
-    /* Used to cache montgomery values */
-    BN_MONT_CTX *_method_mod_n;
-    BN_MONT_CTX *_method_mod_p;
-    BN_MONT_CTX *_method_mod_q;
-    /*
-     * all BIGNUM values are actually in the following data, if it is not
-     * NULL
-     */
-    char *bignum_data;
-    BN_BLINDING *blinding;
-    BN_BLINDING *mt_blinding;
-    CRYPTO_RWLOCK *lock;
-};
-
-struct rsa_meth_st {
-    char *name;
-    int (*rsa_pub_enc) (int flen, const unsigned char *from,
-                        unsigned char *to, RSA *rsa, int padding);
-    int (*rsa_pub_dec) (int flen, const unsigned char *from,
-                        unsigned char *to, RSA *rsa, int padding);
-    int (*rsa_priv_enc) (int flen, const unsigned char *from,
-                         unsigned char *to, RSA *rsa, int padding);
-    int (*rsa_priv_dec) (int flen, const unsigned char *from,
-                         unsigned char *to, RSA *rsa, int padding);
-    /* Can be null */
-    int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
-    /* Can be null */
-    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-    /* called at new */
-    int (*init) (RSA *rsa);
-    /* called at free */
-    int (*finish) (RSA *rsa);
-    /* RSA_METHOD_FLAG_* things */
-    int flags;
-    /* may be needed! */
-    char *app_data;
-    /*
-     * New sign and verify functions: some libraries don't allow arbitrary
-     * data to be signed/verified: this allows them to be used. Note: for
-     * this to work the RSA_public_decrypt() and RSA_private_encrypt() should
-     * *NOT* be used RSA_sign(), RSA_verify() should be used instead.
-     */
-    int (*rsa_sign) (int type,
-                     const unsigned char *m, unsigned int m_length,
-                     unsigned char *sigret, unsigned int *siglen,
-                     const RSA *rsa);
-    int (*rsa_verify) (int dtype, const unsigned char *m,
-                       unsigned int m_length, const unsigned char *sigbuf,
-                       unsigned int siglen, const RSA *rsa);
-    /*
-     * If this callback is NULL, the builtin software RSA key-gen will be
-     * used. This is for behavioural compatibility whilst the code gets
-     * rewired, but one day it would be nice to assume there are no such
-     * things as "builtin software" implementations.
-     */
-    int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-};
-
 extern int int_rsa_verify(int dtype, const unsigned char *m,
                           unsigned int m_len, unsigned char *rm,
                           size_t *prm_len, const unsigned char *sigbuf,
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_meth.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_meth.c
deleted file mode 100644
index 9480abd7..00000000
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_meth.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include "rsa_locl.h"
-#include <openssl/err.h>
-
-RSA_METHOD *RSA_meth_new(const char *name, int flags)
-{
-    RSA_METHOD *meth = OPENSSL_zalloc(sizeof(*meth));
-
-    if (meth != NULL) {
-        meth->flags = flags;
-
-        meth->name = OPENSSL_strdup(name);
-        if (meth->name != NULL)
-            return meth;
-
-        OPENSSL_free(meth);
-    }
-
-    RSAerr(RSA_F_RSA_METH_NEW, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-void RSA_meth_free(RSA_METHOD *meth)
-{
-    if (meth != NULL) {
-        OPENSSL_free(meth->name);
-        OPENSSL_free(meth);
-    }
-}
-
-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth)
-{
-    RSA_METHOD *ret = OPENSSL_malloc(sizeof(*ret));
-
-    if (ret != NULL) {
-        memcpy(ret, meth, sizeof(*meth));
-
-        ret->name = OPENSSL_strdup(meth->name);
-        if (ret->name != NULL)
-            return ret;
-
-        OPENSSL_free(ret);
-    }
-
-    RSAerr(RSA_F_RSA_METH_DUP, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-const char *RSA_meth_get0_name(const RSA_METHOD *meth)
-{
-    return meth->name;
-}
-
-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
-{
-    char *tmpname = OPENSSL_strdup(name);
-
-    if (tmpname == NULL) {
-        RSAerr(RSA_F_RSA_METH_SET1_NAME, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
-    OPENSSL_free(meth->name);
-    meth->name = tmpname;
-
-    return 1;
-}
-
-int RSA_meth_get_flags(RSA_METHOD *meth)
-{
-    return meth->flags;
-}
-
-int RSA_meth_set_flags(RSA_METHOD *meth, int flags)
-{
-    meth->flags = flags;
-    return 1;
-}
-
-void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
-{
-    return meth->app_data;
-}
-
-int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
-{
-    meth->app_data = app_data;
-    return 1;
-}
-
-int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding)
-{
-    return meth->rsa_pub_enc;
-}
-
-int RSA_meth_set_pub_enc(RSA_METHOD *meth,
-                         int (*pub_enc) (int flen, const unsigned char *from,
-                                         unsigned char *to, RSA *rsa,
-                                         int padding))
-{
-    meth->rsa_pub_enc = pub_enc;
-    return 1;
-}
-
-int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding)
-{
-    return meth->rsa_pub_dec;
-}
-
-int RSA_meth_set_pub_dec(RSA_METHOD *meth,
-                         int (*pub_dec) (int flen, const unsigned char *from,
-                                         unsigned char *to, RSA *rsa,
-                                         int padding))
-{
-    meth->rsa_pub_dec = pub_dec;
-    return 1;
-}
-
-int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding)
-{
-    return meth->rsa_priv_enc;
-}
-
-int RSA_meth_set_priv_enc(RSA_METHOD *meth,
-                          int (*priv_enc) (int flen, const unsigned char *from,
-                                           unsigned char *to, RSA *rsa,
-                                           int padding))
-{
-    meth->rsa_priv_enc = priv_enc;
-    return 1;
-}
-
-int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding)
-{
-    return meth->rsa_priv_dec;
-}
-
-int RSA_meth_set_priv_dec(RSA_METHOD *meth,
-                          int (*priv_dec) (int flen, const unsigned char *from,
-                                           unsigned char *to, RSA *rsa,
-                                           int padding))
-{
-    meth->rsa_priv_dec = priv_dec;
-    return 1;
-}
-
-    /* Can be null */
-int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-    (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
-{
-    return meth->rsa_mod_exp;
-}
-
-int RSA_meth_set_mod_exp(RSA_METHOD *meth,
-                         int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
-                                         BN_CTX *ctx))
-{
-    meth->rsa_mod_exp = mod_exp;
-    return 1;
-}
-
-    /* Can be null */
-int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
-    (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
-{
-    return meth->bn_mod_exp;
-}
-
-int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth,
-                            int (*bn_mod_exp) (BIGNUM *r,
-                                               const BIGNUM *a,
-                                               const BIGNUM *p,
-                                               const BIGNUM *m,
-                                               BN_CTX *ctx,
-                                               BN_MONT_CTX *m_ctx))
-{
-    meth->bn_mod_exp = bn_mod_exp;
-    return 1;
-}
-
-    /* called at new */
-int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa)
-{
-    return meth->init;
-}
-
-int RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
-{
-    meth->init = init;
-    return 1;
-}
-
-    /* called at free */
-int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
-{
-    return meth->finish;
-}
-
-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
-{
-    meth->finish = finish;
-    return 1;
-}
-
-int (*RSA_meth_get_sign(const RSA_METHOD *meth))
-    (int type,
-     const unsigned char *m, unsigned int m_length,
-     unsigned char *sigret, unsigned int *siglen,
-     const RSA *rsa)
-{
-    return meth->rsa_sign;
-}
-
-int RSA_meth_set_sign(RSA_METHOD *meth,
-                      int (*sign) (int type, const unsigned char *m,
-                                   unsigned int m_length,
-                                   unsigned char *sigret, unsigned int *siglen,
-                                   const RSA *rsa))
-{
-    meth->rsa_sign = sign;
-    return 1;
-}
-
-int (*RSA_meth_get_verify(const RSA_METHOD *meth))
-    (int dtype, const unsigned char *m,
-     unsigned int m_length, const unsigned char *sigbuf,
-     unsigned int siglen, const RSA *rsa)
-{
-    return meth->rsa_verify;
-}
-
-int RSA_meth_set_verify(RSA_METHOD *meth,
-                        int (*verify) (int dtype, const unsigned char *m,
-                                       unsigned int m_length,
-                                       const unsigned char *sigbuf,
-                                       unsigned int siglen, const RSA *rsa))
-{
-    meth->rsa_verify = verify;
-    return 1;
-}
-
-int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
-    (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
-{
-    return meth->rsa_keygen;
-}
-
-int RSA_meth_set_keygen(RSA_METHOD *meth,
-                        int (*keygen) (RSA *rsa, int bits, BIGNUM *e,
-                                       BN_GENCB *cb))
-{
-    meth->rsa_keygen = keygen;
-    return 1;
-}
-
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c
index b78756d1..982b31f2 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_none.c
@@ -1,15 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_none.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/cryptlib.h"
+#include <stdio.h>
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#include <openssl/rand.h>
 
 int RSA_padding_add_none(unsigned char *to, int tlen,
                          const unsigned char *from, int flen)
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c
index d3394941..241b431a 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_null.c
@@ -1,16 +1,67 @@
+/* rsa_null.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
-#include "rsa_locl.h"
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
 
 /*
  * This is a dummy RSA implementation that just returns errors when called.
@@ -28,6 +79,9 @@ static int RSA_null_public_decrypt(int flen, const unsigned char *from,
                                    unsigned char *to, RSA *rsa, int padding);
 static int RSA_null_private_decrypt(int flen, const unsigned char *from,
                                     unsigned char *to, RSA *rsa, int padding);
+#if 0                           /* not currently used */
+static int RSA_null_mod_exp(const BIGNUM *r0, const BIGNUM *i, RSA *rsa);
+#endif
 static int RSA_null_init(RSA *rsa);
 static int RSA_null_finish(RSA *rsa);
 static RSA_METHOD rsa_null_meth = {
@@ -82,6 +136,14 @@ static int RSA_null_public_decrypt(int flen, const unsigned char *from,
     return -1;
 }
 
+#if 0                           /* not currently used */
+static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+{
+    ... err(RSA_F_RSA_NULL_MOD_EXP, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
+    return -1;
+}
+#endif
+
 static int RSA_null_init(RSA *rsa)
 {
     return (1);
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c
index 868104f1..19d28c6f 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_oaep.c
@@ -1,10 +1,7 @@
+/* crypto/rsa/rsa_oaep.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Written by Ulf Moeller. This software is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied.
  */
 
 /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
@@ -20,15 +17,16 @@
  * one-wayness.  For the RSA function, this is an equivalent notion.
  */
 
-#include "internal/constant_time_locl.h"
+#include "constant_time_locl.h"
 
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-#include "rsa_locl.h"
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+# include <stdio.h>
+# include "cryptlib.h"
+# include <openssl/bn.h>
+# include <openssl/rsa.h>
+# include <openssl/evp.h>
+# include <openssl/rand.h>
+# include <openssl/sha.h>
 
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
                                const unsigned char *from, int flen,
@@ -78,11 +76,11 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
     memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
     if (RAND_bytes(seed, mdlen) <= 0)
         return 0;
-#ifdef PKCS_TESTVECT
+# ifdef PKCS_TESTVECT
     memcpy(seed,
            "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
            20);
-#endif
+# endif
 
     dbmask = OPENSSL_malloc(emlen - mdlen);
     if (dbmask == NULL) {
@@ -239,8 +237,10 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
     RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
            RSA_R_OAEP_DECODING_ERROR);
  cleanup:
-    OPENSSL_free(db);
-    OPENSSL_free(em);
+    if (db != NULL)
+        OPENSSL_free(db);
+    if (em != NULL)
+        OPENSSL_free(em);
     return mlen;
 }
 
@@ -249,13 +249,12 @@ int PKCS1_MGF1(unsigned char *mask, long len,
 {
     long i, outlen = 0;
     unsigned char cnt[4];
-    EVP_MD_CTX *c = EVP_MD_CTX_new();
+    EVP_MD_CTX c;
     unsigned char md[EVP_MAX_MD_SIZE];
     int mdlen;
     int rv = -1;
 
-    if (c == NULL)
-        goto err;
+    EVP_MD_CTX_init(&c);
     mdlen = EVP_MD_size(dgst);
     if (mdlen < 0)
         goto err;
@@ -264,16 +263,16 @@ int PKCS1_MGF1(unsigned char *mask, long len,
         cnt[1] = (unsigned char)((i >> 16) & 255);
         cnt[2] = (unsigned char)((i >> 8)) & 255;
         cnt[3] = (unsigned char)(i & 255);
-        if (!EVP_DigestInit_ex(c, dgst, NULL)
-            || !EVP_DigestUpdate(c, seed, seedlen)
-            || !EVP_DigestUpdate(c, cnt, 4))
+        if (!EVP_DigestInit_ex(&c, dgst, NULL)
+            || !EVP_DigestUpdate(&c, seed, seedlen)
+            || !EVP_DigestUpdate(&c, cnt, 4))
             goto err;
         if (outlen + mdlen <= len) {
-            if (!EVP_DigestFinal_ex(c, mask + outlen, NULL))
+            if (!EVP_DigestFinal_ex(&c, mask + outlen, NULL))
                 goto err;
             outlen += mdlen;
         } else {
-            if (!EVP_DigestFinal_ex(c, md, NULL))
+            if (!EVP_DigestFinal_ex(&c, md, NULL))
                 goto err;
             memcpy(mask + outlen, md, len - outlen);
             outlen = len;
@@ -281,6 +280,8 @@ int PKCS1_MGF1(unsigned char *mask, long len,
     }
     rv = 0;
  err:
-    EVP_MD_CTX_free(c);
+    EVP_MD_CTX_cleanup(&c);
     return rv;
 }
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c
index efb16a02..efa1fd3e 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_pk1.c
@@ -1,16 +1,65 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_pk1.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
-#include "internal/constant_time_locl.h"
+#include "constant_time_locl.h"
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
@@ -49,28 +98,7 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
     const unsigned char *p;
 
     p = from;
-
-    /*
-     * The format is
-     * 00 || 01 || PS || 00 || D
-     * PS - padding string, at least 8 bytes of FF
-     * D  - data.
-     */
-
-    if (num < 11)
-        return -1;
-
-    /* Accept inputs with and without the leading 0-byte. */
-    if (num == flen) {
-        if ((*p++) != 0x00) {
-            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
-                   RSA_R_INVALID_PADDING);
-            return -1;
-        }
-        flen--;
-    }
-
-    if ((num != (flen + 1)) || (*(p++) != 0x01)) {
+    if ((num != (flen + 1)) || (*(p++) != 01)) {
         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
                RSA_R_BLOCK_TYPE_IS_NOT_01);
         return (-1);
@@ -175,15 +203,16 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
     if (num < 11)
         goto err;
 
-    em = OPENSSL_zalloc(num);
+    em = OPENSSL_malloc(num);
     if (em == NULL) {
         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
         return -1;
     }
+    memset(em, 0, num);
     /*
      * Always do this zero-padding copy (even when num == flen) to avoid
      * leaking that information. The copy still leaks some side-channel
-     * information, but it's impossible to have a fixed memory access
+     * information, but it's impossible to have a fixed  memory access
      * pattern since we can't read out of the bounds of |from|.
      *
      * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
@@ -237,7 +266,8 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
     memcpy(to, em + msg_index, mlen);
 
  err:
-    OPENSSL_free(em);
+    if (em != NULL)
+        OPENSSL_free(em);
     if (mlen == -1)
         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
                RSA_R_PKCS_DECODING_ERROR);
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_pmeth.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_pmeth.c
index db4fb0fb..ac583bf6 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_pmeth.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_pmeth.c
@@ -1,22 +1,77 @@
+/* crypto/rsa/rsa_pmeth.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/x509v3.h>
-#include <openssl/cms.h>
-#include "internal/evp_int.h"
+#ifndef OPENSSL_NO_CMS
+# include <openssl/cms.h>
+#endif
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+#include "evp_locl.h"
 #include "rsa_locl.h"
 
 /* RSA pkey context structure */
@@ -45,12 +100,21 @@ typedef struct {
 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
 {
     RSA_PKEY_CTX *rctx;
-    rctx = OPENSSL_zalloc(sizeof(*rctx));
-    if (rctx == NULL)
+    rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
+    if (!rctx)
         return 0;
     rctx->nbits = 1024;
+    rctx->pub_exp = NULL;
     rctx->pad_mode = RSA_PKCS1_PADDING;
+    rctx->md = NULL;
+    rctx->mgf1md = NULL;
+    rctx->tbuf = NULL;
+
     rctx->saltlen = -2;
+
+    rctx->oaep_label = NULL;
+    rctx->oaep_labellen = 0;
+
     ctx->data = rctx;
     ctx->keygen_info = rctx->gentmp;
     ctx->keygen_info_count = 2;
@@ -75,8 +139,9 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
     dctx->md = sctx->md;
     dctx->mgf1md = sctx->mgf1md;
     if (sctx->oaep_label) {
-        OPENSSL_free(dctx->oaep_label);
-        dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
+        if (dctx->oaep_label)
+            OPENSSL_free(dctx->oaep_label);
+        dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
         if (!dctx->oaep_label)
             return 0;
         dctx->oaep_labellen = sctx->oaep_labellen;
@@ -89,7 +154,7 @@ static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk)
     if (ctx->tbuf)
         return 1;
     ctx->tbuf = OPENSSL_malloc(EVP_PKEY_size(pk->pkey));
-    if (ctx->tbuf == NULL)
+    if (!ctx->tbuf)
         return 0;
     return 1;
 }
@@ -98,13 +163,50 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 {
     RSA_PKEY_CTX *rctx = ctx->data;
     if (rctx) {
-        BN_free(rctx->pub_exp);
-        OPENSSL_free(rctx->tbuf);
-        OPENSSL_free(rctx->oaep_label);
+        if (rctx->pub_exp)
+            BN_free(rctx->pub_exp);
+        if (rctx->tbuf)
+            OPENSSL_free(rctx->tbuf);
+        if (rctx->oaep_label)
+            OPENSSL_free(rctx->oaep_label);
         OPENSSL_free(rctx);
     }
 }
 
+#ifdef OPENSSL_FIPS
+/*
+ * FIP checker. Return value indicates status of context parameters: 1 :
+ * redirect to FIPS. 0 : don't redirect to FIPS. -1 : illegal operation in
+ * FIPS mode.
+ */
+
+static int pkey_fips_check_ctx(EVP_PKEY_CTX *ctx)
+{
+    RSA_PKEY_CTX *rctx = ctx->data;
+    RSA *rsa = ctx->pkey->pkey.rsa;
+    int rv = -1;
+    if (!FIPS_mode())
+        return 0;
+    if (rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+        rv = 0;
+    if (!(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && rv)
+        return -1;
+    if (rctx->md) {
+        const EVP_MD *fmd;
+        fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->md));
+        if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+            return rv;
+    }
+    if (rctx->mgf1md && !(rctx->mgf1md->flags & EVP_MD_FLAG_FIPS)) {
+        const EVP_MD *fmd;
+        fmd = FIPS_get_digestbynid(EVP_MD_type(rctx->mgf1md));
+        if (!fmd || !(fmd->flags & EVP_MD_FLAG_FIPS))
+            return rv;
+    }
+    return 1;
+}
+#endif
+
 static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
                          size_t *siglen, const unsigned char *tbs,
                          size_t tbslen)
@@ -113,17 +215,39 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
     RSA_PKEY_CTX *rctx = ctx->data;
     RSA *rsa = ctx->pkey->pkey.rsa;
 
+#ifdef OPENSSL_FIPS
+    ret = pkey_fips_check_ctx(ctx);
+    if (ret < 0) {
+        RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+        return -1;
+    }
+#endif
+
     if (rctx->md) {
         if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
             RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
             return -1;
         }
+#ifdef OPENSSL_FIPS
+        if (ret > 0) {
+            unsigned int slen;
+            ret = FIPS_rsa_sign_digest(rsa, tbs, tbslen, rctx->md,
+                                       rctx->pad_mode,
+                                       rctx->saltlen,
+                                       rctx->mgf1md, sig, &slen);
+            if (ret > 0)
+                *siglen = slen;
+            else
+                *siglen = 0;
+            return ret;
+        }
+#endif
 
         if (EVP_MD_type(rctx->md) == NID_mdc2) {
             unsigned int sltmp;
             if (rctx->pad_mode != RSA_PKCS1_PADDING)
                 return -1;
-            ret = RSA_sign_ASN1_OCTET_STRING(0,
+            ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
                                              tbs, tbslen, sig, &sltmp, rsa);
 
             if (ret <= 0)
@@ -225,7 +349,27 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
     RSA_PKEY_CTX *rctx = ctx->data;
     RSA *rsa = ctx->pkey->pkey.rsa;
     size_t rslen;
+#ifdef OPENSSL_FIPS
+    int rv;
+    rv = pkey_fips_check_ctx(ctx);
+    if (rv < 0) {
+        RSAerr(RSA_F_PKEY_RSA_VERIFY,
+               RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+        return -1;
+    }
+#endif
     if (rctx->md) {
+#ifdef OPENSSL_FIPS
+        if (rv > 0) {
+            return FIPS_rsa_verify_digest(rsa,
+                                          tbs, tbslen,
+                                          rctx->md,
+                                          rctx->pad_mode,
+                                          rctx->saltlen,
+                                          rctx->mgf1md, sig, siglen);
+
+        }
+#endif
         if (rctx->pad_mode == RSA_PKCS1_PADDING)
             return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
                               sig, siglen, rsa);
@@ -329,43 +473,20 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
 
 static int check_padding_md(const EVP_MD *md, int padding)
 {
-    int mdnid;
     if (!md)
         return 1;
 
-    mdnid = EVP_MD_type(md);
-
     if (padding == RSA_NO_PADDING) {
         RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_PADDING_MODE);
         return 0;
     }
 
     if (padding == RSA_X931_PADDING) {
-        if (RSA_X931_hash_id(mdnid) == -1) {
+        if (RSA_X931_hash_id(EVP_MD_type(md)) == -1) {
             RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_X931_DIGEST);
             return 0;
         }
-    } else {
-        switch(mdnid) {
-        /* List of all supported RSA digests */
-        case NID_sha1:
-        case NID_sha224:
-        case NID_sha256:
-        case NID_sha384:
-        case NID_sha512:
-        case NID_md5:
-        case NID_md5_sha1:
-        case NID_md2:
-        case NID_md4:
-        case NID_mdc2:
-        case NID_ripemd160:
-            return 1;
-
-        default:
-            RSAerr(RSA_F_CHECK_PADDING_MD, RSA_R_INVALID_DIGEST);
-            return 0;
-
-        }
+        return 1;
     }
 
     return 1;
@@ -420,8 +541,8 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return 1;
 
     case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
-        if (p1 < 512) {
-            RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_KEY_SIZE_TOO_SMALL);
+        if (p1 < 256) {
+            RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_KEYBITS);
             return -2;
         }
         rctx->nbits = p1;
@@ -479,7 +600,8 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
             RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
             return -2;
         }
-        OPENSSL_free(rctx->oaep_label);
+        if (rctx->oaep_label)
+            OPENSSL_free(rctx->oaep_label);
         if (p2 && p1 > 0) {
             rctx->oaep_label = p2;
             rctx->oaep_labellen = p1;
@@ -526,21 +648,21 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
         RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_VALUE_MISSING);
         return 0;
     }
-    if (strcmp(type, "rsa_padding_mode") == 0) {
+    if (!strcmp(type, "rsa_padding_mode")) {
         int pm;
-        if (strcmp(value, "pkcs1") == 0)
+        if (!strcmp(value, "pkcs1"))
             pm = RSA_PKCS1_PADDING;
-        else if (strcmp(value, "sslv23") == 0)
+        else if (!strcmp(value, "sslv23"))
             pm = RSA_SSLV23_PADDING;
-        else if (strcmp(value, "none") == 0)
+        else if (!strcmp(value, "none"))
             pm = RSA_NO_PADDING;
-        else if (strcmp(value, "oeap") == 0)
+        else if (!strcmp(value, "oeap"))
             pm = RSA_PKCS1_OAEP_PADDING;
-        else if (strcmp(value, "oaep") == 0)
+        else if (!strcmp(value, "oaep"))
             pm = RSA_PKCS1_OAEP_PADDING;
-        else if (strcmp(value, "x931") == 0)
+        else if (!strcmp(value, "x931"))
             pm = RSA_X931_PADDING;
-        else if (strcmp(value, "pss") == 0)
+        else if (!strcmp(value, "pss"))
             pm = RSA_PKCS1_PSS_PADDING;
         else {
             RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_UNKNOWN_PADDING_TYPE);
@@ -549,19 +671,19 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
         return EVP_PKEY_CTX_set_rsa_padding(ctx, pm);
     }
 
-    if (strcmp(type, "rsa_pss_saltlen") == 0) {
+    if (!strcmp(type, "rsa_pss_saltlen")) {
         int saltlen;
         saltlen = atoi(value);
         return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
     }
 
-    if (strcmp(type, "rsa_keygen_bits") == 0) {
+    if (!strcmp(type, "rsa_keygen_bits")) {
         int nbits;
         nbits = atoi(value);
         return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
     }
 
-    if (strcmp(type, "rsa_keygen_pubexp") == 0) {
+    if (!strcmp(type, "rsa_keygen_pubexp")) {
         int ret;
         BIGNUM *pubexp = NULL;
         if (!BN_asc2bn(&pubexp, value))
@@ -572,28 +694,28 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
         return ret;
     }
 
-    if (strcmp(type, "rsa_mgf1_md") == 0) {
+    if (!strcmp(type, "rsa_mgf1_md")) {
         const EVP_MD *md;
-        if ((md = EVP_get_digestbyname(value)) == NULL) {
+        if (!(md = EVP_get_digestbyname(value))) {
             RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST);
             return 0;
         }
         return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md);
     }
 
-    if (strcmp(type, "rsa_oaep_md") == 0) {
+    if (!strcmp(type, "rsa_oaep_md")) {
         const EVP_MD *md;
-        if ((md = EVP_get_digestbyname(value)) == NULL) {
+        if (!(md = EVP_get_digestbyname(value))) {
             RSAerr(RSA_F_PKEY_RSA_CTRL_STR, RSA_R_INVALID_DIGEST);
             return 0;
         }
         return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md);
     }
-    if (strcmp(type, "rsa_oaep_label") == 0) {
+    if (!strcmp(type, "rsa_oaep_label")) {
         unsigned char *lab;
         long lablen;
         int ret;
-        lab = OPENSSL_hexstr2buf(value, &lablen);
+        lab = string_to_hex(value, &lablen);
         if (!lab)
             return 0;
         ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
@@ -609,27 +731,22 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 {
     RSA *rsa = NULL;
     RSA_PKEY_CTX *rctx = ctx->data;
-    BN_GENCB *pcb;
+    BN_GENCB *pcb, cb;
     int ret;
-    if (rctx->pub_exp == NULL) {
+    if (!rctx->pub_exp) {
         rctx->pub_exp = BN_new();
-        if (rctx->pub_exp == NULL || !BN_set_word(rctx->pub_exp, RSA_F4))
+        if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
             return 0;
     }
     rsa = RSA_new();
-    if (rsa == NULL)
+    if (!rsa)
         return 0;
     if (ctx->pkey_gencb) {
-        pcb = BN_GENCB_new();
-        if (pcb == NULL) {
-            RSA_free(rsa);
-            return 0;
-        }
+        pcb = &cb;
         evp_pkey_set_cb_translate(pcb, ctx);
     } else
         pcb = NULL;
     ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
-    BN_GENCB_free(pcb);
     if (ret > 0)
         EVP_PKEY_assign_RSA(pkey, rsa);
     else
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_prn.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_prn.c
index 5e6c599e..076f871b 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_prn.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_prn.c
@@ -1,18 +1,68 @@
+/* crypto/rsa/rsa_prn.c */
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int RSA_print_fp(FILE *fp, const RSA *x, int off)
 {
     BIO *b;
@@ -34,7 +84,7 @@ int RSA_print(BIO *bp, const RSA *x, int off)
     EVP_PKEY *pk;
     int ret;
     pk = EVP_PKEY_new();
-    if (pk == NULL || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
+    if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x))
         return 0;
     ret = EVP_PKEY_print_private(bp, pk, off, NULL);
     EVP_PKEY_free(pk);
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c
index 0ec63b2e..41bc0844 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_pss.c
@@ -1,20 +1,69 @@
+/* rsa_pss.c */
 /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
-#include "rsa_locl.h"
 
 static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
 
@@ -38,12 +87,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
     int hLen, maskedDBLen, MSBits, emLen;
     const unsigned char *H;
     unsigned char *DB = NULL;
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX ctx;
     unsigned char H_[EVP_MAX_MD_SIZE];
-
-
-    if (ctx == NULL)
-        goto err;
+    EVP_MD_CTX_init(&ctx);
 
     if (mgf1Hash == NULL)
         mgf1Hash = Hash;
@@ -87,7 +133,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
     maskedDBLen = emLen - hLen - 1;
     H = EM + maskedDBLen;
     DB = OPENSSL_malloc(maskedDBLen);
-    if (DB == NULL) {
+    if (!DB) {
         RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -106,15 +152,15 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
         RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_SLEN_CHECK_FAILED);
         goto err;
     }
-    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
-        || !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
-        || !EVP_DigestUpdate(ctx, mHash, hLen))
+    if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
+        || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
+        || !EVP_DigestUpdate(&ctx, mHash, hLen))
         goto err;
     if (maskedDBLen - i) {
-        if (!EVP_DigestUpdate(ctx, DB + i, maskedDBLen - i))
+        if (!EVP_DigestUpdate(&ctx, DB + i, maskedDBLen - i))
             goto err;
     }
-    if (!EVP_DigestFinal_ex(ctx, H_, NULL))
+    if (!EVP_DigestFinal_ex(&ctx, H_, NULL))
         goto err;
     if (memcmp(H_, H, hLen)) {
         RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, RSA_R_BAD_SIGNATURE);
@@ -123,8 +169,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
         ret = 1;
 
  err:
-    OPENSSL_free(DB);
-    EVP_MD_CTX_free(ctx);
+    if (DB)
+        OPENSSL_free(DB);
+    EVP_MD_CTX_cleanup(&ctx);
 
     return ret;
 
@@ -146,7 +193,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
     int ret = 0;
     int hLen, maskedDBLen, MSBits, emLen;
     unsigned char *H, *salt = NULL, *p;
-    EVP_MD_CTX *ctx = NULL;
+    EVP_MD_CTX ctx;
 
     if (mgf1Hash == NULL)
         mgf1Hash = Hash;
@@ -184,7 +231,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
     }
     if (sLen > 0) {
         salt = OPENSSL_malloc(sLen);
-        if (salt == NULL) {
+        if (!salt) {
             RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1,
                    ERR_R_MALLOC_FAILURE);
             goto err;
@@ -194,17 +241,16 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
     }
     maskedDBLen = emLen - hLen - 1;
     H = EM + maskedDBLen;
-    ctx = EVP_MD_CTX_new();
-    if (ctx == NULL)
-        goto err;
-    if (!EVP_DigestInit_ex(ctx, Hash, NULL)
-        || !EVP_DigestUpdate(ctx, zeroes, sizeof zeroes)
-        || !EVP_DigestUpdate(ctx, mHash, hLen))
+    EVP_MD_CTX_init(&ctx);
+    if (!EVP_DigestInit_ex(&ctx, Hash, NULL)
+        || !EVP_DigestUpdate(&ctx, zeroes, sizeof zeroes)
+        || !EVP_DigestUpdate(&ctx, mHash, hLen))
         goto err;
-    if (sLen && !EVP_DigestUpdate(ctx, salt, sLen))
+    if (sLen && !EVP_DigestUpdate(&ctx, salt, sLen))
         goto err;
-    if (!EVP_DigestFinal_ex(ctx, H, NULL))
+    if (!EVP_DigestFinal_ex(&ctx, H, NULL))
         goto err;
+    EVP_MD_CTX_cleanup(&ctx);
 
     /* Generate dbMask in place then perform XOR on it */
     if (PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash))
@@ -232,8 +278,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
     ret = 1;
 
  err:
-    EVP_MD_CTX_free(ctx);
-    OPENSSL_free(salt);
+    if (salt)
+        OPENSSL_free(salt);
 
     return ret;
 
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c
index 9e5fff45..e4002360 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_saos.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_saos.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
@@ -34,7 +83,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
                RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
         return (0);
     }
-    s = OPENSSL_malloc((unsigned int)j + 1);
+    s = (unsigned char *)OPENSSL_malloc((unsigned int)j + 1);
     if (s == NULL) {
         RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
         return (0);
@@ -47,7 +96,8 @@ int RSA_sign_ASN1_OCTET_STRING(int type,
     else
         *siglen = i;
 
-    OPENSSL_clear_free(s, (unsigned int)j + 1);
+    OPENSSL_cleanse(s, (unsigned int)j + 1);
+    OPENSSL_free(s);
     return (ret);
 }
 
@@ -67,7 +117,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
         return (0);
     }
 
-    s = OPENSSL_malloc((unsigned int)siglen);
+    s = (unsigned char *)OPENSSL_malloc((unsigned int)siglen);
     if (s == NULL) {
         RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -88,7 +138,11 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype,
     } else
         ret = 1;
  err:
-    ASN1_OCTET_STRING_free(sig);
-    OPENSSL_clear_free(s, (unsigned int)siglen);
+    if (sig != NULL)
+        M_ASN1_OCTET_STRING_free(sig);
+    if (s != NULL) {
+        OPENSSL_cleanse(s, (unsigned int)siglen);
+        OPENSSL_free(s);
+    }
     return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c
index 952d24fb..82ca8324 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_sign.c
@@ -1,248 +1,301 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_sign.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include "rsa_locl.h"
 
 /* Size of an SSL signature: MD5+SHA1 */
 #define SSL_SIG_LENGTH  36
 
-/*
- * encode_pkcs1 encodes a DigestInfo prefix of hash |type| and digest |m|, as
- * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This
- * encodes the DigestInfo (T and tLen) but does not add the padding.
- *
- * On success, it returns one and sets |*out| to a newly allocated buffer
- * containing the result and |*out_len| to its length. The caller must free
- * |*out| with |OPENSSL_free|. Otherwise, it returns zero.
- */
-static int encode_pkcs1(unsigned char **out, int *out_len, int type,
-                        const unsigned char *m, unsigned int m_len)
+int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
+             unsigned char *sigret, unsigned int *siglen, RSA *rsa)
 {
     X509_SIG sig;
-    X509_ALGOR algor;
     ASN1_TYPE parameter;
+    int i, j, ret = 1;
+    unsigned char *p, *tmps = NULL;
+    const unsigned char *s = NULL;
+    X509_ALGOR algor;
     ASN1_OCTET_STRING digest;
-    uint8_t *der = NULL;
-    int len;
-
-    sig.algor = &algor;
-    sig.algor->algorithm = OBJ_nid2obj(type);
-    if (sig.algor->algorithm == NULL) {
-        RSAerr(RSA_F_ENCODE_PKCS1, RSA_R_UNKNOWN_ALGORITHM_TYPE);
-        return 0;
-    }
-    if (OBJ_length(sig.algor->algorithm) == 0) {
-        RSAerr(RSA_F_ENCODE_PKCS1,
-               RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+        RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
         return 0;
     }
-    parameter.type = V_ASN1_NULL;
-    parameter.value.ptr = NULL;
-    sig.algor->parameter = &parameter;
-
-    sig.digest = &digest;
-    sig.digest->data = (unsigned char *)m;
-    sig.digest->length = m_len;
-
-    len = i2d_X509_SIG(&sig, &der);
-    if (len < 0)
-        return 0;
-
-    *out = der;
-    *out_len = len;
-    return 1;
-}
-
-int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-             unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-{
-    int encrypt_len, encoded_len = 0, ret = 0;
-    unsigned char *tmps = NULL;
-    const unsigned char *encoded = NULL;
-
-    if (rsa->meth->rsa_sign) {
+#endif
+    if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
         return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
     }
-
-    /* Compute the encoded digest. */
+    /* Special case: SSL signature, just check the length */
     if (type == NID_md5_sha1) {
-        /*
-         * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and
-         * earlier. It has no DigestInfo wrapper but otherwise is
-         * RSASSA-PKCS1-v1_5.
-         */
         if (m_len != SSL_SIG_LENGTH) {
             RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH);
-            return 0;
+            return (0);
         }
-        encoded_len = SSL_SIG_LENGTH;
-        encoded = m;
+        i = SSL_SIG_LENGTH;
+        s = m;
     } else {
-        if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len))
-            goto err;
-        encoded = tmps;
-    }
+        sig.algor = &algor;
+        sig.algor->algorithm = OBJ_nid2obj(type);
+        if (sig.algor->algorithm == NULL) {
+            RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+            return (0);
+        }
+        if (sig.algor->algorithm->length == 0) {
+            RSAerr(RSA_F_RSA_SIGN,
+                   RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+            return (0);
+        }
+        parameter.type = V_ASN1_NULL;
+        parameter.value.ptr = NULL;
+        sig.algor->parameter = &parameter;
 
-    if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) {
+        sig.digest = &digest;
+        sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
+        sig.digest->length = m_len;
+
+        i = i2d_X509_SIG(&sig, NULL);
+    }
+    j = RSA_size(rsa);
+    if (i > (j - RSA_PKCS1_PADDING_SIZE)) {
         RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
-        goto err;
+        return (0);
     }
-    encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa,
-                                      RSA_PKCS1_PADDING);
-    if (encrypt_len <= 0)
-        goto err;
-
-    *siglen = encrypt_len;
-    ret = 1;
+    if (type != NID_md5_sha1) {
+        tmps = (unsigned char *)OPENSSL_malloc((unsigned int)j + 1);
+        if (tmps == NULL) {
+            RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE);
+            return (0);
+        }
+        p = tmps;
+        i2d_X509_SIG(&sig, &p);
+        s = tmps;
+    }
+    i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING);
+    if (i <= 0)
+        ret = 0;
+    else
+        *siglen = i;
 
-err:
-    OPENSSL_clear_free(tmps, (size_t)encoded_len);
-    return ret;
+    if (type != NID_md5_sha1) {
+        OPENSSL_cleanse(tmps, (unsigned int)j + 1);
+        OPENSSL_free(tmps);
+    }
+    return (ret);
 }
 
 /*
- * int_rsa_verify verifies an RSA signature in |sigbuf| using |rsa|. It may be
- * called in two modes. If |rm| is NULL, it verifies the signature for digest
- * |m|. Otherwise, it recovers the digest from the signature, writing the digest
- * to |rm| and the length to |*prm_len|. |type| is the NID of the digest
- * algorithm to use. It returns one on successful verification and zero
- * otherwise.
+ * Check DigestInfo structure does not contain extraneous data by reencoding
+ * using DER and checking encoding against original.
  */
-int int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
+static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo,
+                                int dinfolen)
+{
+    unsigned char *der = NULL;
+    int derlen;
+    int ret = 0;
+    derlen = i2d_X509_SIG(sig, &der);
+    if (derlen <= 0)
+        return 0;
+    if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
+        ret = 1;
+    OPENSSL_cleanse(der, derlen);
+    OPENSSL_free(der);
+    return ret;
+}
+
+int int_rsa_verify(int dtype, const unsigned char *m,
+                   unsigned int m_len,
                    unsigned char *rm, size_t *prm_len,
                    const unsigned char *sigbuf, size_t siglen, RSA *rsa)
 {
-    int decrypt_len, ret = 0, encoded_len = 0;
-    unsigned char *decrypt_buf = NULL, *encoded = NULL;
+    int i, ret = 0, sigtype;
+    unsigned char *s;
+    X509_SIG *sig = NULL;
 
-    if (siglen != (size_t)RSA_size(rsa)) {
-        RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+        RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
         return 0;
     }
+#endif
 
-    /* Recover the encoded digest. */
-    decrypt_buf = OPENSSL_malloc(siglen);
-    if (decrypt_buf == NULL) {
+    if (siglen != (unsigned int)RSA_size(rsa)) {
+        RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
+        return (0);
+    }
+
+    if ((dtype == NID_md5_sha1) && rm) {
+        i = RSA_public_decrypt((int)siglen,
+                               sigbuf, rm, rsa, RSA_PKCS1_PADDING);
+        if (i <= 0)
+            return 0;
+        *prm_len = i;
+        return 1;
+    }
+
+    s = (unsigned char *)OPENSSL_malloc((unsigned int)siglen);
+    if (s == NULL) {
         RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-
-    decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, rsa,
-                                     RSA_PKCS1_PADDING);
-    if (decrypt_len <= 0)
+    if ((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH)) {
+        RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
         goto err;
+    }
+    i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING);
 
-    if (type == NID_md5_sha1) {
-        /*
-         * NID_md5_sha1 corresponds to the MD5/SHA1 combination in TLS 1.1 and
-         * earlier. It has no DigestInfo wrapper but otherwise is
-         * RSASSA-PKCS1-v1_5.
-         */
-        if (decrypt_len != SSL_SIG_LENGTH) {
-            RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
-            goto err;
-        }
-
-        if (rm != NULL) {
-            memcpy(rm, decrypt_buf, SSL_SIG_LENGTH);
-            *prm_len = SSL_SIG_LENGTH;
-        } else {
-            if (m_len != SSL_SIG_LENGTH) {
-                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
-                goto err;
-            }
-
-            if (memcmp(decrypt_buf, m, SSL_SIG_LENGTH) != 0) {
-                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
-                goto err;
-            }
-        }
-    } else if (type == NID_mdc2 && decrypt_len == 2 + 16
-               && decrypt_buf[0] == 0x04 && decrypt_buf[1] == 0x10) {
-        /*
-         * Oddball MDC2 case: signature can be OCTET STRING. check for correct
-         * tag and length octets.
-         */
-        if (rm != NULL) {
-            memcpy(rm, decrypt_buf + 2, 16);
+    if (i <= 0)
+        goto err;
+    /*
+     * Oddball MDC2 case: signature can be OCTET STRING. check for correct
+     * tag and length octets.
+     */
+    if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) {
+        if (rm) {
+            memcpy(rm, s + 2, 16);
             *prm_len = 16;
+            ret = 1;
+        } else if (memcmp(m, s + 2, 16)) {
+            RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
         } else {
-            if (m_len != 16) {
-                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH);
-                goto err;
-            }
-
-            if (memcmp(m, decrypt_buf + 2, 16) != 0) {
-                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
-                goto err;
-            }
+            ret = 1;
         }
+    } else if (dtype == NID_md5_sha1) {
+        /* Special case: SSL signature */
+        if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
+            RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
+        else
+            ret = 1;
     } else {
-        /*
-         * If recovering the digest, extract a digest-sized output from the end
-         * of |decrypt_buf| for |encode_pkcs1|, then compare the decryption
-         * output as in a standard verification.
-         */
-        if (rm != NULL) {
-            const EVP_MD *md = EVP_get_digestbynid(type);
-            if (md == NULL) {
-                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_UNKNOWN_ALGORITHM_TYPE);
-                goto err;
-            }
-
-            m_len = EVP_MD_size(md);
-            if (m_len > (size_t)decrypt_len) {
-                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
-                goto err;
-            }
-            m = decrypt_buf + decrypt_len - m_len;
-        }
+        const unsigned char *p = s;
+        sig = d2i_X509_SIG(NULL, &p, (long)i);
 
-        /* Construct the encoded digest and ensure it matches. */
-        if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len))
+        if (sig == NULL)
             goto err;
 
-        if (encoded_len != decrypt_len
-            || memcmp(encoded, decrypt_buf, encoded_len) != 0) {
+        /* Excess data can be used to create forgeries */
+        if (p != s + i || !rsa_check_digestinfo(sig, s, i)) {
             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
             goto err;
         }
 
-        /* Output the recovered digest. */
-        if (rm != NULL) {
-            memcpy(rm, m, m_len);
-            *prm_len = m_len;
+        /*
+         * Parameters to the signature algorithm can also be used to create
+         * forgeries
+         */
+        if (sig->algor->parameter
+            && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) {
+            RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
+            goto err;
         }
-    }
 
-    ret = 1;
+        sigtype = OBJ_obj2nid(sig->algor->algorithm);
 
-err:
-    OPENSSL_clear_free(encoded, (size_t)encoded_len);
-    OPENSSL_clear_free(decrypt_buf, siglen);
-    return ret;
+#ifdef RSA_DEBUG
+        /* put a backward compatibility flag in EAY */
+        fprintf(stderr, "in(%s) expect(%s)\n", OBJ_nid2ln(sigtype),
+                OBJ_nid2ln(dtype));
+#endif
+        if (sigtype != dtype) {
+            RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
+            goto err;
+        }
+        if (rm) {
+            const EVP_MD *md;
+            md = EVP_get_digestbynid(dtype);
+            if (md && (EVP_MD_size(md) != sig->digest->length))
+                RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
+            else {
+                memcpy(rm, sig->digest->data, sig->digest->length);
+                *prm_len = sig->digest->length;
+                ret = 1;
+            }
+        } else if (((unsigned int)sig->digest->length != m_len) ||
+                   (memcmp(m, sig->digest->data, m_len) != 0)) {
+            RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
+        } else
+            ret = 1;
+    }
+ err:
+    if (sig != NULL)
+        X509_SIG_free(sig);
+    if (s != NULL) {
+        OPENSSL_cleanse(s, (unsigned int)siglen);
+        OPENSSL_free(s);
+    }
+    return (ret);
 }
 
-int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
+int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
 {
 
-    if (rsa->meth->rsa_verify) {
-        return rsa->meth->rsa_verify(type, m, m_len, sigbuf, siglen, rsa);
+    if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
+        return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
     }
 
-    return int_rsa_verify(type, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
+    return int_rsa_verify(dtype, m, m_len, NULL, NULL, sigbuf, siglen, rsa);
 }
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c
index 9ef6b80e..746e01f6 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_ssl.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/rsa/rsa_ssl.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c
index b9301f37..725ead04 100644
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c
+++ b/Cryptlib/OpenSSL/crypto/rsa/rsa_x931.c
@@ -1,16 +1,67 @@
+/* rsa_x931.c */
 /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2005.
+ */
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#include <openssl/rand.h>
 #include <openssl/objects.h>
 
 int RSA_padding_add_X931(unsigned char *to, int tlen,
diff --git a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c b/Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c
deleted file mode 100644
index 9dd993fb..00000000
--- a/Cryptlib/OpenSSL/crypto/rsa/rsa_x931g.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <openssl/err.h>
-#include <openssl/bn.h>
-#include "rsa_locl.h"
-
-/* X9.31 RSA key derivation and generation */
-
-int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
-                       BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
-                       const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
-                       const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb)
-{
-    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
-    BN_CTX *ctx = NULL, *ctx2 = NULL;
-    int ret = 0;
-
-    if (!rsa)
-        goto err;
-
-    ctx = BN_CTX_new();
-    if (ctx == NULL)
-        goto err;
-    BN_CTX_start(ctx);
-
-    r0 = BN_CTX_get(ctx);
-    r1 = BN_CTX_get(ctx);
-    r2 = BN_CTX_get(ctx);
-    r3 = BN_CTX_get(ctx);
-
-    if (r3 == NULL)
-        goto err;
-    if (!rsa->e) {
-        rsa->e = BN_dup(e);
-        if (!rsa->e)
-            goto err;
-    } else
-        e = rsa->e;
-
-    /*
-     * If not all parameters present only calculate what we can. This allows
-     * test programs to output selective parameters.
-     */
-
-    if (Xp && rsa->p == NULL) {
-        rsa->p = BN_new();
-        if (rsa->p == NULL)
-            goto err;
-
-        if (!BN_X931_derive_prime_ex(rsa->p, p1, p2,
-                                     Xp, Xp1, Xp2, e, ctx, cb))
-            goto err;
-    }
-
-    if (Xq && rsa->q == NULL) {
-        rsa->q = BN_new();
-        if (rsa->q == NULL)
-            goto err;
-        if (!BN_X931_derive_prime_ex(rsa->q, q1, q2,
-                                     Xq, Xq1, Xq2, e, ctx, cb))
-            goto err;
-    }
-
-    if (rsa->p == NULL || rsa->q == NULL) {
-        BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-        return 2;
-    }
-
-    /*
-     * Since both primes are set we can now calculate all remaining
-     * components.
-     */
-
-    /* calculate n */
-    rsa->n = BN_new();
-    if (rsa->n == NULL)
-        goto err;
-    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
-        goto err;
-
-    /* calculate d */
-    if (!BN_sub(r1, rsa->p, BN_value_one()))
-        goto err;               /* p-1 */
-    if (!BN_sub(r2, rsa->q, BN_value_one()))
-        goto err;               /* q-1 */
-    if (!BN_mul(r0, r1, r2, ctx))
-        goto err;               /* (p-1)(q-1) */
-
-    if (!BN_gcd(r3, r1, r2, ctx))
-        goto err;
-
-    if (!BN_div(r0, NULL, r0, r3, ctx))
-        goto err;               /* LCM((p-1)(q-1)) */
-
-    ctx2 = BN_CTX_new();
-    if (ctx2 == NULL)
-        goto err;
-
-    rsa->d = BN_mod_inverse(NULL, rsa->e, r0, ctx2); /* d */
-    if (rsa->d == NULL)
-        goto err;
-
-    /* calculate d mod (p-1) */
-    rsa->dmp1 = BN_new();
-    if (rsa->dmp1 == NULL)
-        goto err;
-    if (!BN_mod(rsa->dmp1, rsa->d, r1, ctx))
-        goto err;
-
-    /* calculate d mod (q-1) */
-    rsa->dmq1 = BN_new();
-    if (rsa->dmq1 == NULL)
-        goto err;
-    if (!BN_mod(rsa->dmq1, rsa->d, r2, ctx))
-        goto err;
-
-    /* calculate inverse of q mod p */
-    rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
-
-    ret = 1;
- err:
-    if (ctx)
-        BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    BN_CTX_free(ctx2);
-
-    return ret;
-
-}
-
-int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
-                             BN_GENCB *cb)
-{
-    int ok = 0;
-    BIGNUM *Xp = NULL, *Xq = NULL;
-    BN_CTX *ctx = NULL;
-
-    ctx = BN_CTX_new();
-    if (ctx == NULL)
-        goto error;
-
-    BN_CTX_start(ctx);
-    Xp = BN_CTX_get(ctx);
-    Xq = BN_CTX_get(ctx);
-    if (!BN_X931_generate_Xpq(Xp, Xq, bits, ctx))
-        goto error;
-
-    rsa->p = BN_new();
-    rsa->q = BN_new();
-    if (rsa->p == NULL || rsa->q == NULL)
-        goto error;
-
-    /* Generate two primes from Xp, Xq */
-
-    if (!BN_X931_generate_prime_ex(rsa->p, NULL, NULL, NULL, NULL, Xp,
-                                   e, ctx, cb))
-        goto error;
-
-    if (!BN_X931_generate_prime_ex(rsa->q, NULL, NULL, NULL, NULL, Xq,
-                                   e, ctx, cb))
-        goto error;
-
-    /*
-     * Since rsa->p and rsa->q are valid this call will just derive remaining
-     * RSA components.
-     */
-
-    if (!RSA_X931_derive_ex(rsa, NULL, NULL, NULL, NULL,
-                            NULL, NULL, NULL, NULL, NULL, NULL, e, cb))
-        goto error;
-
-    ok = 1;
-
- error:
-    if (ctx)
-        BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-
-    if (ok)
-        return 1;
-
-    return 0;
-
-}
diff --git a/Cryptlib/OpenSSL/crypto/sha/sha1_one.c b/Cryptlib/OpenSSL/crypto/sha/sha1_one.c
index 273ab08d..a6dd760a 100644
--- a/Cryptlib/OpenSSL/crypto/sha/sha1_one.c
+++ b/Cryptlib/OpenSSL/crypto/sha/sha1_one.c
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/sha/sha1_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
@@ -12,6 +61,7 @@
 #include <openssl/crypto.h>
 #include <openssl/sha.h>
 
+#ifndef OPENSSL_NO_SHA1
 unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
 {
     SHA_CTX c;
@@ -26,3 +76,4 @@ unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
     OPENSSL_cleanse(&c, sizeof(c));
     return (md);
 }
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c b/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c
index 819370e6..a67f1fe3 100644
--- a/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c
+++ b/Cryptlib/OpenSSL/crypto/sha/sha1dgst.c
@@ -1,17 +1,74 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/sha/sha1dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <openssl/crypto.h>
 #include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
+
+# undef  SHA_0
+# define SHA_1
 
 # include <openssl/opensslv.h>
 
+const char SHA1_version[] = "SHA1" OPENSSL_VERSION_PTEXT;
+
 /* The implementation is in ../md32_common.h */
 
 # include "sha_locl.h"
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/sha/sha256.c b/Cryptlib/OpenSSL/crypto/sha/sha256.c
index 5e7ba439..72a11593 100644
--- a/Cryptlib/OpenSSL/crypto/sha/sha256.c
+++ b/Cryptlib/OpenSSL/crypto/sha/sha256.c
@@ -1,22 +1,22 @@
-/*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+/* crypto/sha/sha256.c */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
+ * according to the OpenSSL license [found in ../../LICENSE].
+ * ====================================================================
  */
-
 #include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
 
-#include <stdlib.h>
-#include <string.h>
+# include <stdlib.h>
+# include <string.h>
 
-#include <openssl/crypto.h>
-#include <openssl/sha.h>
-#include <openssl/opensslv.h>
+# include <openssl/crypto.h>
+# include <openssl/sha.h>
+# include <openssl/opensslv.h>
 
-int SHA224_Init(SHA256_CTX *c)
+const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
+
+fips_md_init_ctx(SHA224, SHA256)
 {
     memset(c, 0, sizeof(*c));
     c->h[0] = 0xc1059ed8UL;
@@ -31,7 +31,7 @@ int SHA224_Init(SHA256_CTX *c)
     return 1;
 }
 
-int SHA256_Init(SHA256_CTX *c)
+fips_md_init(SHA256)
 {
     memset(c, 0, sizeof(*c));
     c->h[0] = 0x6a09e667UL;
@@ -84,21 +84,20 @@ int SHA224_Final(unsigned char *md, SHA256_CTX *c)
     return SHA256_Final(md, c);
 }
 
-#define DATA_ORDER_IS_BIG_ENDIAN
-
-#define HASH_LONG               SHA_LONG
-#define HASH_CTX                SHA256_CTX
-#define HASH_CBLOCK             SHA_CBLOCK
+# define DATA_ORDER_IS_BIG_ENDIAN
 
+# define HASH_LONG               SHA_LONG
+# define HASH_CTX                SHA256_CTX
+# define HASH_CBLOCK             SHA_CBLOCK
 /*
  * Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
  * default: case below covers for it. It's not clear however if it's
  * permitted to truncate to amount of bytes not divisible by 4. I bet not,
  * but if it is, then default: case shall be extended. For reference.
- * Idea behind separate cases for pre-defined lengths is to let the
+ * Idea behind separate cases for pre-defined lenghts is to let the
  * compiler decide if it's appropriate to unroll small loops.
  */
-#define HASH_MAKE_STRING(c,s)   do {    \
+# define HASH_MAKE_STRING(c,s)   do {    \
         unsigned long ll;               \
         unsigned int  nn;               \
         switch ((c)->md_len)            \
@@ -119,18 +118,18 @@ int SHA224_Final(unsigned char *md, SHA256_CTX *c)
         }                               \
         } while (0)
 
-#define HASH_UPDATE             SHA256_Update
-#define HASH_TRANSFORM          SHA256_Transform
-#define HASH_FINAL              SHA256_Final
-#define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
-#ifndef SHA256_ASM
+# define HASH_UPDATE             SHA256_Update
+# define HASH_TRANSFORM          SHA256_Transform
+# define HASH_FINAL              SHA256_Final
+# define HASH_BLOCK_DATA_ORDER   sha256_block_data_order
+# ifndef SHA256_ASM
 static
-#endif
+# endif
 void sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num);
 
-#include "internal/md32_common.h"
+# include "md32_common.h"
 
-#ifndef SHA256_ASM
+# ifndef SHA256_ASM
 static const SHA_LONG K256[64] = {
     0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
     0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
@@ -155,15 +154,15 @@ static const SHA_LONG K256[64] = {
  * is left one. This is why you might notice that rotation coefficients
  * differ from those observed in FIPS document by 32-N...
  */
-# define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
-# define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
-# define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
-# define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
+#  define Sigma0(x)       (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
+#  define Sigma1(x)       (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
+#  define sigma0(x)       (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
+#  define sigma1(x)       (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
 
-# define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
-# define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
+#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
 
-# ifdef OPENSSL_SMALL_FOOTPRINT
+#  ifdef OPENSSL_SMALL_FOOTPRINT
 
 static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
                                     size_t num)
@@ -185,7 +184,7 @@ static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
         h = ctx->h[7];
 
         for (i = 0; i < 16; i++) {
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[i] = l;
             T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i];
             T2 = Sigma0(a) + Maj(a, b, c);
@@ -230,14 +229,14 @@ static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
     }
 }
 
-# else
+#  else
 
-#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
+#   define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
         T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i];      \
         h = Sigma0(a) + Maj(a,b,c);                     \
         d += T1;        h += T1;                } while (0)
 
-#  define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
+#   define ROUND_16_63(i,a,b,c,d,e,f,g,h,X)        do {    \
         s0 = X[(i+1)&0x0f];     s0 = sigma0(s0);        \
         s1 = X[(i+14)&0x0f];    s1 = sigma1(s1);        \
         T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f];    \
@@ -309,52 +308,52 @@ static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
         } else {
             SHA_LONG l;
 
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[0] = l;
             ROUND_00_15(0, a, b, c, d, e, f, g, h);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[1] = l;
             ROUND_00_15(1, h, a, b, c, d, e, f, g);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[2] = l;
             ROUND_00_15(2, g, h, a, b, c, d, e, f);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[3] = l;
             ROUND_00_15(3, f, g, h, a, b, c, d, e);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[4] = l;
             ROUND_00_15(4, e, f, g, h, a, b, c, d);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[5] = l;
             ROUND_00_15(5, d, e, f, g, h, a, b, c);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[6] = l;
             ROUND_00_15(6, c, d, e, f, g, h, a, b);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[7] = l;
             ROUND_00_15(7, b, c, d, e, f, g, h, a);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[8] = l;
             ROUND_00_15(8, a, b, c, d, e, f, g, h);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[9] = l;
             ROUND_00_15(9, h, a, b, c, d, e, f, g);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[10] = l;
             ROUND_00_15(10, g, h, a, b, c, d, e, f);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[11] = l;
             ROUND_00_15(11, f, g, h, a, b, c, d, e);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[12] = l;
             ROUND_00_15(12, e, f, g, h, a, b, c, d);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[13] = l;
             ROUND_00_15(13, d, e, f, g, h, a, b, c);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[14] = l;
             ROUND_00_15(14, c, d, e, f, g, h, a, b);
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             T1 = X[15] = l;
             ROUND_00_15(15, b, c, d, e, f, g, h, a);
         }
@@ -382,5 +381,7 @@ static void sha256_block_data_order(SHA256_CTX *ctx, const void *in,
     }
 }
 
-# endif
-#endif                         /* SHA256_ASM */
+#  endif
+# endif                         /* SHA256_ASM */
+
+#endif                          /* OPENSSL_NO_SHA256 */
diff --git a/Cryptlib/OpenSSL/crypto/sha/sha512.c b/Cryptlib/OpenSSL/crypto/sha/sha512.c
index d24d1034..3bf66ae1 100644
--- a/Cryptlib/OpenSSL/crypto/sha/sha512.c
+++ b/Cryptlib/OpenSSL/crypto/sha/sha512.c
@@ -1,19 +1,17 @@
-/*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+/* crypto/sha/sha512.c */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
+ * according to the OpenSSL license [found in ../../LICENSE].
+ * ====================================================================
  */
-
 #include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
 /*-
  * IMPLEMENTATION NOTES.
  *
  * As you might have noticed 32-bit hash algorithms:
  *
- * - permit SHA_LONG to be wider than 32-bit
+ * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
  * - optimized versions implement two transform functions: one operating
  *   on [aligned] data in host byte order and one - on data in input
  *   stream byte order;
@@ -43,24 +41,26 @@
  * 16-bit platforms.
  *                                      <appro@fy.chalmers.se>
  */
-#include <stdlib.h>
-#include <string.h>
+# include <stdlib.h>
+# include <string.h>
 
-#include <openssl/crypto.h>
-#include <openssl/sha.h>
-#include <openssl/opensslv.h>
+# include <openssl/crypto.h>
+# include <openssl/sha.h>
+# include <openssl/opensslv.h>
 
-#include "internal/cryptlib.h"
+# include "cryptlib.h"
 
-#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
+const char SHA512_version[] = "SHA-512" OPENSSL_VERSION_PTEXT;
+
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
     defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
     defined(__s390__) || defined(__s390x__) || \
     defined(__aarch64__) || \
     defined(SHA512_ASM)
-# define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
-#endif
+#  define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+# endif
 
-int SHA384_Init(SHA512_CTX *c)
+fips_md_init_ctx(SHA384, SHA512)
 {
     c->h[0] = U64(0xcbbb9d5dc1059ed8);
     c->h[1] = U64(0x629a292a367cd507);
@@ -78,7 +78,7 @@ int SHA384_Init(SHA512_CTX *c)
     return 1;
 }
 
-int SHA512_Init(SHA512_CTX *c)
+fips_md_init(SHA512)
 {
     c->h[0] = U64(0x6a09e667f3bcc908);
     c->h[1] = U64(0xbb67ae8584caa73b);
@@ -96,9 +96,9 @@ int SHA512_Init(SHA512_CTX *c)
     return 1;
 }
 
-#ifndef SHA512_ASM
+# ifndef SHA512_ASM
 static
-#endif
+# endif
 void sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num);
 
 int SHA512_Final(unsigned char *md, SHA512_CTX *c)
@@ -108,17 +108,15 @@ int SHA512_Final(unsigned char *md, SHA512_CTX *c)
 
     p[n] = 0x80;                /* There always is a room for one */
     n++;
-    if (n > (sizeof(c->u) - 16)) {
-        memset(p + n, 0, sizeof(c->u) - n);
-        n = 0;
-        sha512_block_data_order(c, p, 1);
-    }
+    if (n > (sizeof(c->u) - 16))
+        memset(p + n, 0, sizeof(c->u) - n), n = 0,
+            sha512_block_data_order(c, p, 1);
 
     memset(p + n, 0, sizeof(c->u) - 16 - n);
-#ifdef  B_ENDIAN
+# ifdef  B_ENDIAN
     c->u.d[SHA_LBLOCK - 2] = c->Nh;
     c->u.d[SHA_LBLOCK - 1] = c->Nl;
-#else
+# else
     p[sizeof(c->u) - 1] = (unsigned char)(c->Nl);
     p[sizeof(c->u) - 2] = (unsigned char)(c->Nl >> 8);
     p[sizeof(c->u) - 3] = (unsigned char)(c->Nl >> 16);
@@ -135,7 +133,7 @@ int SHA512_Final(unsigned char *md, SHA512_CTX *c)
     p[sizeof(c->u) - 14] = (unsigned char)(c->Nh >> 40);
     p[sizeof(c->u) - 15] = (unsigned char)(c->Nh >> 48);
     p[sizeof(c->u) - 16] = (unsigned char)(c->Nh >> 56);
-#endif
+# endif
 
     sha512_block_data_order(c, p, 1);
 
@@ -215,14 +213,14 @@ int SHA512_Update(SHA512_CTX *c, const void *_data, size_t len)
     }
 
     if (len >= sizeof(c->u)) {
-#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+# ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
         if ((size_t)data % sizeof(c->u.d[0]) != 0)
             while (len >= sizeof(c->u))
                 memcpy(p, data, sizeof(c->u)),
                     sha512_block_data_order(c, p, 1),
                     len -= sizeof(c->u), data += sizeof(c->u);
         else
-#endif
+# endif
             sha512_block_data_order(c, data, len / sizeof(c->u)),
                 data += len, len %= sizeof(c->u), data -= len;
     }
@@ -240,10 +238,10 @@ int SHA384_Update(SHA512_CTX *c, const void *data, size_t len)
 
 void SHA512_Transform(SHA512_CTX *c, const unsigned char *data)
 {
-#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+# ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
     if ((size_t)data % sizeof(c->u.d[0]) != 0)
         memcpy(c->u.p, data, sizeof(c->u.p)), data = c->u.p;
-#endif
+# endif
     sha512_block_data_order(c, data, 1);
 }
 
@@ -275,7 +273,7 @@ unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
     return (md);
 }
 
-#ifndef SHA512_ASM
+# ifndef SHA512_ASM
 static const SHA_LONG64 K512[80] = {
     U64(0x428a2f98d728ae22), U64(0x7137449123ef65cd),
     U64(0xb5c0fbcfec4d3b2f), U64(0xe9b5dba58189dbbc),
@@ -319,23 +317,23 @@ static const SHA_LONG64 K512[80] = {
     U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817)
 };
 
-# ifndef PEDANTIC
-#  if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
-#   if defined(__x86_64) || defined(__x86_64__)
-#    define ROTR(a,n)    ({ SHA_LONG64 ret;              \
+#  ifndef PEDANTIC
+#   if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+#    if defined(__x86_64) || defined(__x86_64__)
+#     define ROTR(a,n)    ({ SHA_LONG64 ret;              \
                                 asm ("rorq %1,%0"       \
                                 : "=r"(ret)             \
                                 : "J"(n),"0"(a)         \
                                 : "cc"); ret;           })
-#    if !defined(B_ENDIAN)
-#     define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));  \
+#     if !defined(B_ENDIAN)
+#      define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x)));  \
                                 asm ("bswapq    %0"             \
                                 : "=r"(ret)                     \
                                 : "0"(ret)); ret;               })
-#    endif
-#   elif (defined(__i386) || defined(__i386__)) && !defined(B_ENDIAN)
-#    if defined(I386_ONLY)
-#     define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
+#     endif
+#    elif (defined(__i386) || defined(__i386__)) && !defined(B_ENDIAN)
+#     if defined(I386_ONLY)
+#      define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
                          unsigned int hi=p[0],lo=p[1];          \
                                 asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
                                     "roll $16,%%eax; roll $16,%%edx; "\
@@ -343,39 +341,39 @@ static const SHA_LONG64 K512[80] = {
                                 : "=a"(lo),"=d"(hi)             \
                                 : "0"(lo),"1"(hi) : "cc");      \
                                 ((SHA_LONG64)hi)<<32|lo;        })
-#    else
-#     define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
+#     else
+#      define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
                          unsigned int hi=p[0],lo=p[1];          \
                                 asm ("bswapl %0; bswapl %1;"    \
                                 : "=r"(lo),"=r"(hi)             \
                                 : "0"(lo),"1"(hi));             \
                                 ((SHA_LONG64)hi)<<32|lo;        })
-#    endif
-#   elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
-#    define ROTR(a,n)    ({ SHA_LONG64 ret;              \
+#     endif
+#    elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
+#     define ROTR(a,n)    ({ SHA_LONG64 ret;              \
                                 asm ("rotrdi %0,%1,%2"  \
                                 : "=r"(ret)             \
                                 : "r"(a),"K"(n)); ret;  })
-#   elif defined(__aarch64__)
-#    define ROTR(a,n)    ({ SHA_LONG64 ret;              \
+#    elif defined(__aarch64__)
+#     define ROTR(a,n)    ({ SHA_LONG64 ret;              \
                                 asm ("ror %0,%1,%2"     \
                                 : "=r"(ret)             \
                                 : "r"(a),"I"(n)); ret;  })
-#    if  defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
+#     if  defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
         __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
-#     define PULL64(x)   ({ SHA_LONG64 ret;                      \
+#      define PULL64(x)   ({ SHA_LONG64 ret;                      \
                                 asm ("rev       %0,%1"          \
                                 : "=r"(ret)                     \
                                 : "r"(*((const SHA_LONG64 *)(&(x))))); ret;             })
+#     endif
 #    endif
-#   endif
-#  elif defined(_MSC_VER)
-#   if defined(_WIN64)         /* applies to both IA-64 and AMD64 */
-#    pragma intrinsic(_rotr64)
-#    define ROTR(a,n)    _rotr64((a),n)
-#   endif
-#   if defined(_M_IX86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
-#    if defined(I386_ONLY)
+#   elif defined(_MSC_VER)
+#    if defined(_WIN64)         /* applies to both IA-64 and AMD64 */
+#     pragma intrinsic(_rotr64)
+#     define ROTR(a,n)    _rotr64((a),n)
+#    endif
+#    if defined(_M_IX86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+#     if defined(I386_ONLY)
 static SHA_LONG64 __fastcall __pull64be(const void *x)
 {
     _asm mov edx,[ecx + 0]
@@ -383,34 +381,34 @@ static SHA_LONG64 __fastcall __pull64be(const void *x)
 _asm xchg dh, dl
         _asm xchg ah, al
         _asm rol edx, 16 _asm rol eax, 16 _asm xchg dh, dl _asm xchg ah, al}
-#    else
+#     else
 static SHA_LONG64 __fastcall __pull64be(const void *x)
 {
     _asm mov edx,[ecx + 0]
     _asm mov eax,[ecx + 4]
 _asm bswap edx _asm bswap eax}
-#    endif
-#    define PULL64(x) __pull64be(&(x))
-#    if _MSC_VER<=1200
-#     pragma inline_depth(0)
+#     endif
+#     define PULL64(x) __pull64be(&(x))
+#     if _MSC_VER<=1200
+#      pragma inline_depth(0)
+#     endif
 #    endif
 #   endif
 #  endif
-# endif
-# ifndef PULL64
-#  define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
-#  define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
-# endif
-# ifndef ROTR
-#  define ROTR(x,s)       (((x)>>s) | (x)<<(64-s))
-# endif
-# define Sigma0(x)       (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
-# define Sigma1(x)       (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
-# define sigma0(x)       (ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
-# define sigma1(x)       (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
-# define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
-# define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-# if defined(__i386) || defined(__i386__) || defined(_M_IX86)
+#  ifndef PULL64
+#   define B(x,j)    (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
+#   define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
+#  endif
+#  ifndef ROTR
+#   define ROTR(x,s)       (((x)>>s) | (x)<<(64-s))
+#  endif
+#  define Sigma0(x)       (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
+#  define Sigma1(x)       (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
+#  define sigma0(x)       (ROTR((x),1)  ^ ROTR((x),8)  ^ ((x)>>7))
+#  define sigma1(x)       (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
+#  define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
+#  define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#  if defined(__i386) || defined(__i386__) || defined(_M_IX86)
 /*
  * This code should give better results on 32-bit CPU with less than
  * ~24 registers, both size and performance wise...
@@ -435,11 +433,11 @@ _asm bswap edx _asm bswap eax}
         F[7] = ctx->h[7];
 
         for (i = 0; i < 16; i++, F--) {
-#  ifdef B_ENDIAN
+#   ifdef B_ENDIAN
             T = W[i];
-#  else
+#   else
             T = PULL64(W[i]);
-#  endif
+#   endif
             F[0] = A;
             F[4] = E;
             F[8] = T;
@@ -474,7 +472,7 @@ _asm bswap edx _asm bswap eax}
     }
 }
 
-# elif defined(OPENSSL_SMALL_FOOTPRINT)
+#  elif defined(OPENSSL_SMALL_FOOTPRINT)
 static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
                                     size_t num)
 {
@@ -495,11 +493,11 @@ static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
         h = ctx->h[7];
 
         for (i = 0; i < 16; i++) {
-#  ifdef B_ENDIAN
+#   ifdef B_ENDIAN
             T1 = X[i] = W[i];
-#  else
+#   else
             T1 = X[i] = PULL64(W[i]);
-#  endif
+#   endif
             T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i];
             T2 = Sigma0(a) + Maj(a, b, c);
             h = g;
@@ -544,12 +542,12 @@ static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
     }
 }
 
-# else
-#  define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
+#  else
+#   define ROUND_00_15(i,a,b,c,d,e,f,g,h)          do {    \
         T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i];      \
         h = Sigma0(a) + Maj(a,b,c);                     \
         d += T1;        h += T1;                } while (0)
-#  define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X)      do {    \
+#   define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X)      do {    \
         s0 = X[(j+1)&0x0f];     s0 = sigma0(s0);        \
         s1 = X[(j+14)&0x0f];    s1 = sigma1(s1);        \
         T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f];    \
@@ -573,7 +571,7 @@ static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
         g = ctx->h[6];
         h = ctx->h[7];
 
-#  ifdef B_ENDIAN
+#   ifdef B_ENDIAN
         T1 = X[0] = W[0];
         ROUND_00_15(0, a, b, c, d, e, f, g, h);
         T1 = X[1] = W[1];
@@ -606,7 +604,7 @@ static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
         ROUND_00_15(14, c, d, e, f, g, h, a, b);
         T1 = X[15] = W[15];
         ROUND_00_15(15, b, c, d, e, f, g, h, a);
-#  else
+#   else
         T1 = X[0] = PULL64(W[0]);
         ROUND_00_15(0, a, b, c, d, e, f, g, h);
         T1 = X[1] = PULL64(W[1]);
@@ -639,7 +637,7 @@ static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
         ROUND_00_15(14, c, d, e, f, g, h, a, b);
         T1 = X[15] = PULL64(W[15]);
         ROUND_00_15(15, b, c, d, e, f, g, h, a);
-#  endif
+#   endif
 
         for (i = 16; i < 80; i += 16) {
             ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X);
@@ -673,6 +671,14 @@ static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
     }
 }
 
+#  endif
+
+# endif                         /* SHA512_ASM */
+
+#else                           /* !OPENSSL_NO_SHA512 */
+
+# if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX)
+static void *dummy = &dummy;
 # endif
 
-#endif                         /* SHA512_ASM */
+#endif                          /* !OPENSSL_NO_SHA512 */
diff --git a/Cryptlib/OpenSSL/crypto/sha/sha_dgst.c b/Cryptlib/OpenSSL/crypto/sha/sha_dgst.c
new file mode 100644
index 00000000..f77cf5e3
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/sha/sha_dgst.c
@@ -0,0 +1,74 @@
+/* crypto/sha/sha1dgst.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
+
+# undef  SHA_1
+# define SHA_0
+
+# include <openssl/opensslv.h>
+
+const char SHA_version[] = "SHA" OPENSSL_VERSION_PTEXT;
+
+/* The implementation is in ../md32_common.h */
+
+# include "sha_locl.h"
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/sha/sha_locl.h b/Cryptlib/OpenSSL/crypto/sha/sha_locl.h
index 918278a8..03bd411e 100644
--- a/Cryptlib/OpenSSL/crypto/sha/sha_locl.h
+++ b/Cryptlib/OpenSSL/crypto/sha/sha_locl.h
@@ -1,10 +1,59 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/sha/sha_locl.h */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdlib.h>
@@ -27,22 +76,45 @@
         ll=(c)->h4; (void)HOST_l2c(ll,(s));     \
         } while (0)
 
-#define HASH_UPDATE                     SHA1_Update
-#define HASH_TRANSFORM                  SHA1_Transform
-#define HASH_FINAL                      SHA1_Final
-#define HASH_INIT                       SHA1_Init
-#define HASH_BLOCK_DATA_ORDER           sha1_block_data_order
-#define Xupdate(a,ix,ia,ib,ic,id)       ( (a)=(ia^ib^ic^id),    \
+#if defined(SHA_0)
+
+# define HASH_UPDATE                    SHA_Update
+# define HASH_TRANSFORM                 SHA_Transform
+# define HASH_FINAL                     SHA_Final
+# define HASH_INIT                      SHA_Init
+# define HASH_BLOCK_DATA_ORDER          sha_block_data_order
+# define Xupdate(a,ix,ia,ib,ic,id)      (ix=(a)=(ia^ib^ic^id))
+
+static void sha_block_data_order(SHA_CTX *c, const void *p, size_t num);
+
+#elif defined(SHA_1)
+
+# define HASH_UPDATE                    SHA1_Update
+# define HASH_TRANSFORM                 SHA1_Transform
+# define HASH_FINAL                     SHA1_Final
+# define HASH_INIT                      SHA1_Init
+# define HASH_BLOCK_DATA_ORDER          sha1_block_data_order
+# if defined(__MWERKS__) && defined(__MC68K__)
+   /* Metrowerks for Motorola fails otherwise:-( <appro@fy.chalmers.se> */
+#  define Xupdate(a,ix,ia,ib,ic,id)     do { (a)=(ia^ib^ic^id);         \
+                                             ix=(a)=ROTATE((a),1);      \
+                                        } while (0)
+# else
+#  define Xupdate(a,ix,ia,ib,ic,id)     ( (a)=(ia^ib^ic^id),    \
                                           ix=(a)=ROTATE((a),1)  \
                                         )
+# endif
 
-#ifndef SHA1_ASM
-static void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
-#else
+# ifndef SHA1_ASM
+static
+# endif
 void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
+
+#else
+# error "Either SHA_0 or SHA_1 must be defined."
 #endif
 
-#include "internal/md32_common.h"
+#include "md32_common.h"
 
 #define INIT_DATA_h0 0x67452301UL
 #define INIT_DATA_h1 0xefcdab89UL
@@ -50,7 +122,11 @@ void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
 #define INIT_DATA_h3 0x10325476UL
 #define INIT_DATA_h4 0xc3d2e1f0UL
 
-int HASH_INIT(SHA_CTX *c)
+#ifdef SHA_0
+fips_md_init(SHA)
+#else
+fips_md_init_ctx(SHA1, SHA)
+#endif
 {
     memset(c, 0, sizeof(*c));
     c->h0 = INIT_DATA_h0;
@@ -115,7 +191,7 @@ int HASH_INIT(SHA_CTX *c)
 # ifndef MD32_XARRAY
   /*
    * Originally X was an array. As it's automatic it's natural
-   * to expect RISC compiler to accommodate at least part of it in
+   * to expect RISC compiler to accomodate at least part of it in
    * the register bank, isn't it? Unfortunately not all compilers
    * "find" this expectation reasonable:-( On order to make such
    * compilers generate better code I replace X[] with a bunch of
@@ -132,7 +208,7 @@ int HASH_INIT(SHA_CTX *c)
 #  define X(i)   XX[i]
 # endif
 
-# if !defined(SHA1_ASM)
+# if !defined(SHA_1) || !defined(SHA1_ASM)
 static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
 {
     const unsigned char *data = p;
@@ -366,7 +442,7 @@ static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
         E=D, D=C, C=ROTATE(B,30), B=A;  \
         A=ROTATE(A,5)+T+xa;         } while(0)
 
-# if !defined(SHA1_ASM)
+# if !defined(SHA_1) || !defined(SHA1_ASM)
 static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
 {
     const unsigned char *data = p;
@@ -382,7 +458,7 @@ static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num)
 
     for (;;) {
         for (i = 0; i < 16; i++) {
-            (void)HOST_c2l(data, l);
+            HOST_c2l(data, l);
             X[i] = l;
             BODY_00_15(X[i]);
         }
diff --git a/Cryptlib/OpenSSL/crypto/sha/sha_one.c b/Cryptlib/OpenSSL/crypto/sha/sha_one.c
new file mode 100644
index 00000000..0930b98a
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/sha/sha_one.c
@@ -0,0 +1,79 @@
+/* crypto/sha/sha_one.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/sha.h>
+#include <openssl/crypto.h>
+
+#ifndef OPENSSL_NO_SHA0
+unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md)
+{
+    SHA_CTX c;
+    static unsigned char m[SHA_DIGEST_LENGTH];
+
+    if (md == NULL)
+        md = m;
+    if (!SHA_Init(&c))
+        return NULL;
+    SHA_Update(&c, d, n);
+    SHA_Final(md, &c);
+    OPENSSL_cleanse(&c, sizeof(c));
+    return (md);
+}
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/stack/stack.c b/Cryptlib/OpenSSL/crypto/stack/stack.c
index 43ddf30a..fa50083e 100644
--- a/Cryptlib/OpenSSL/crypto/stack/stack.c
+++ b/Cryptlib/OpenSSL/crypto/stack/stack.c
@@ -1,34 +1,86 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/stack/stack.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
+/*-
+ * Code for stacks
+ * Author - Eric Young v 1.0
+ * 1.2 eay 12-Mar-97 -  Modified sk_find so that it _DOES_ return the
+ *                      lowest index for the searched item.
+ *
+ * 1.1 eay - Take from netdb and added to SSLeay
+ *
+ * 1.0 eay - First version 29/07/92
+ */
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include "internal/numbers.h"
+#include "cryptlib.h"
 #include <openssl/stack.h>
 #include <openssl/objects.h>
 
-struct stack_st {
-    int num;
-    const char **data;
-    int sorted;
-    size_t num_alloc;
-    OPENSSL_sk_compfunc comp;
-};
-
 #undef MIN_NODES
 #define MIN_NODES       4
 
+const char STACK_version[] = "Stack" OPENSSL_VERSION_PTEXT;
+
 #include <errno.h>
 
-OPENSSL_sk_compfunc OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk, OPENSSL_sk_compfunc c)
-{
-    OPENSSL_sk_compfunc old = sk->comp;
+int (*sk_set_cmp_func(_STACK *sk, int (*c) (const void *, const void *)))
+ (const void *, const void *) {
+    int (*old) (const void *, const void *) = sk->comp;
 
     if (sk->comp != c)
         sk->sorted = 0;
@@ -37,50 +89,51 @@ OPENSSL_sk_compfunc OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk, OPENSSL_sk_compfu
     return old;
 }
 
-OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk)
+_STACK *sk_dup(_STACK *sk)
 {
-    OPENSSL_STACK *ret;
+    _STACK *ret;
+    char **s;
 
-    if (sk->num < 0)
-        return NULL;
-
-    if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL)
-        return NULL;
-
-    /* direct structure assignment */
-    *ret = *sk;
-
-    if ((ret->data = OPENSSL_malloc(sizeof(*ret->data) * sk->num_alloc)) == NULL)
+    if ((ret = sk_new(sk->comp)) == NULL)
         goto err;
+    s = (char **)OPENSSL_realloc((char *)ret->data,
+                                 (unsigned int)sizeof(char *) *
+                                 sk->num_alloc);
+    if (s == NULL)
+        goto err;
+    ret->data = s;
+
+    ret->num = sk->num;
     memcpy(ret->data, sk->data, sizeof(char *) * sk->num);
-    return ret;
+    ret->sorted = sk->sorted;
+    ret->num_alloc = sk->num_alloc;
+    ret->comp = sk->comp;
+    return (ret);
  err:
-    OPENSSL_sk_free(ret);
-    return NULL;
+    if (ret)
+        sk_free(ret);
+    return (NULL);
 }
 
-OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk,
-                             OPENSSL_sk_copyfunc copy_func,
-                             OPENSSL_sk_freefunc free_func)
+_STACK *sk_deep_copy(_STACK *sk, void *(*copy_func) (void *),
+                     void (*free_func) (void *))
 {
-    OPENSSL_STACK *ret;
+    _STACK *ret;
     int i;
 
-    if (sk->num < 0)
-        return NULL;
-
-    if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL)
-        return NULL;
-
-    /* direct structure assignment */
-    *ret = *sk;
-
-    ret->num_alloc = sk->num > MIN_NODES ? (size_t)sk->num : MIN_NODES;
-    ret->data = OPENSSL_zalloc(sizeof(*ret->data) * ret->num_alloc);
+    if ((ret = OPENSSL_malloc(sizeof(_STACK))) == NULL)
+        return ret;
+    ret->comp = sk->comp;
+    ret->sorted = sk->sorted;
+    ret->num = sk->num;
+    ret->num_alloc = sk->num > MIN_NODES ? sk->num : MIN_NODES;
+    ret->data = OPENSSL_malloc(sizeof(char *) * ret->num_alloc);
     if (ret->data == NULL) {
         OPENSSL_free(ret);
         return NULL;
     }
+    for (i = 0; i < ret->num_alloc; i++)
+        ret->data[i] = NULL;
 
     for (i = 0; i < ret->num; ++i) {
         if (sk->data[i] == NULL)
@@ -88,103 +141,112 @@ OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk,
         if ((ret->data[i] = copy_func(sk->data[i])) == NULL) {
             while (--i >= 0)
                 if (ret->data[i] != NULL)
-                    free_func((void *)ret->data[i]);
-            OPENSSL_sk_free(ret);
+                    free_func(ret->data[i]);
+            sk_free(ret);
             return NULL;
         }
     }
     return ret;
 }
 
-OPENSSL_STACK *OPENSSL_sk_new_null(void)
+_STACK *sk_new_null(void)
 {
-    return OPENSSL_sk_new((OPENSSL_sk_compfunc)NULL);
+    return sk_new((int (*)(const void *, const void *))0);
 }
 
-OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_compfunc c)
+_STACK *sk_new(int (*c) (const void *, const void *))
 {
-    OPENSSL_STACK *ret;
+    _STACK *ret;
+    int i;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
+    if ((ret = OPENSSL_malloc(sizeof(_STACK))) == NULL)
         goto err;
-    if ((ret->data = OPENSSL_zalloc(sizeof(*ret->data) * MIN_NODES)) == NULL)
+    if ((ret->data = OPENSSL_malloc(sizeof(char *) * MIN_NODES)) == NULL)
         goto err;
+    for (i = 0; i < MIN_NODES; i++)
+        ret->data[i] = NULL;
     ret->comp = c;
     ret->num_alloc = MIN_NODES;
+    ret->num = 0;
+    ret->sorted = 0;
     return (ret);
-
  err:
-    OPENSSL_free(ret);
+    if (ret)
+        OPENSSL_free(ret);
     return (NULL);
 }
 
-int OPENSSL_sk_insert(OPENSSL_STACK *st, const void *data, int loc)
+int sk_insert(_STACK *st, void *data, int loc)
 {
-    if (st == NULL || st->num < 0 || st->num == INT_MAX) {
-        return 0;
-    }
-
-    if (st->num_alloc <= (size_t)(st->num + 1)) {
-        size_t doub_num_alloc = st->num_alloc * 2;
-        const char **tmpdata;
+    char **s;
 
-        /* Overflow checks */
-        if (doub_num_alloc < st->num_alloc)
-            return 0;
-
-        /* Avoid overflow due to multiplication by sizeof(char *) */
-        if (doub_num_alloc > SIZE_MAX / sizeof(char *))
-            return 0;
-
-        tmpdata = OPENSSL_realloc((char *)st->data,
-                                  sizeof(char *) * doub_num_alloc);
-        if (tmpdata == NULL)
-            return 0;
-
-        st->data = tmpdata;
-        st->num_alloc = doub_num_alloc;
+    if (st == NULL)
+        return 0;
+    if (st->num_alloc <= st->num + 1) {
+        s = OPENSSL_realloc((char *)st->data,
+                            (unsigned int)sizeof(char *) * st->num_alloc * 2);
+        if (s == NULL)
+            return (0);
+        st->data = s;
+        st->num_alloc *= 2;
     }
-    if ((loc >= st->num) || (loc < 0)) {
+    if ((loc >= (int)st->num) || (loc < 0))
         st->data[st->num] = data;
-    } else {
-        memmove(&st->data[loc + 1], &st->data[loc],
-                sizeof(st->data[0]) * (st->num - loc));
+    else {
+        int i;
+        char **f, **t;
+
+        f = st->data;
+        t = &(st->data[1]);
+        for (i = st->num; i >= loc; i--)
+            t[i] = f[i];
+
+#ifdef undef                    /* no memmove on sunos :-( */
+        memmove(&(st->data[loc + 1]),
+                &(st->data[loc]), sizeof(char *) * (st->num - loc));
+#endif
         st->data[loc] = data;
     }
     st->num++;
     st->sorted = 0;
-    return st->num;
+    return (st->num);
 }
 
-void *OPENSSL_sk_delete_ptr(OPENSSL_STACK *st, const void *p)
+void *sk_delete_ptr(_STACK *st, void *p)
 {
     int i;
 
     for (i = 0; i < st->num; i++)
         if (st->data[i] == p)
-            return OPENSSL_sk_delete(st, i);
-    return NULL;
+            return (sk_delete(st, i));
+    return (NULL);
 }
 
-void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc)
+void *sk_delete(_STACK *st, int loc)
 {
-    const char *ret;
+    char *ret;
+    int i, j;
 
-    if (st == NULL || loc < 0 || loc >= st->num)
+    if (!st || (loc < 0) || (loc >= st->num))
         return NULL;
 
     ret = st->data[loc];
-    if (loc != st->num - 1)
-         memmove(&st->data[loc], &st->data[loc + 1],
-                 sizeof(st->data[0]) * (st->num - loc - 1));
+    if (loc != st->num - 1) {
+        j = st->num - 1;
+        for (i = loc; i < j; i++)
+            st->data[i] = st->data[i + 1];
+        /*
+         * In theory memcpy is not safe for this memcpy( &(st->data[loc]),
+         * &(st->data[loc+1]), sizeof(char *)*(st->num-loc-1));
+         */
+    }
     st->num--;
-    return (void *)ret;
+    return (ret);
 }
 
-static int internal_find(OPENSSL_STACK *st, const void *data,
-                         int ret_val_options)
+static int internal_find(_STACK *st, void *data, int ret_val_options)
 {
-    const void *r;
+    const void *const *r;
     int i;
 
     if (st == NULL)
@@ -196,65 +258,65 @@ static int internal_find(OPENSSL_STACK *st, const void *data,
                 return (i);
         return (-1);
     }
-    OPENSSL_sk_sort(st);
+    sk_sort(st);
     if (data == NULL)
         return (-1);
     r = OBJ_bsearch_ex_(&data, st->data, st->num, sizeof(void *), st->comp,
                         ret_val_options);
     if (r == NULL)
         return (-1);
-    return (int)((const char **)r - st->data);
+    return (int)((char **)r - st->data);
 }
 
-int OPENSSL_sk_find(OPENSSL_STACK *st, const void *data)
+int sk_find(_STACK *st, void *data)
 {
     return internal_find(st, data, OBJ_BSEARCH_FIRST_VALUE_ON_MATCH);
 }
 
-int OPENSSL_sk_find_ex(OPENSSL_STACK *st, const void *data)
+int sk_find_ex(_STACK *st, void *data)
 {
     return internal_find(st, data, OBJ_BSEARCH_VALUE_ON_NOMATCH);
 }
 
-int OPENSSL_sk_push(OPENSSL_STACK *st, const void *data)
+int sk_push(_STACK *st, void *data)
 {
-    return (OPENSSL_sk_insert(st, data, st->num));
+    return (sk_insert(st, data, st->num));
 }
 
-int OPENSSL_sk_unshift(OPENSSL_STACK *st, const void *data)
+int sk_unshift(_STACK *st, void *data)
 {
-    return (OPENSSL_sk_insert(st, data, 0));
+    return (sk_insert(st, data, 0));
 }
 
-void *OPENSSL_sk_shift(OPENSSL_STACK *st)
+void *sk_shift(_STACK *st)
 {
     if (st == NULL)
         return (NULL);
     if (st->num <= 0)
         return (NULL);
-    return (OPENSSL_sk_delete(st, 0));
+    return (sk_delete(st, 0));
 }
 
-void *OPENSSL_sk_pop(OPENSSL_STACK *st)
+void *sk_pop(_STACK *st)
 {
     if (st == NULL)
         return (NULL);
     if (st->num <= 0)
         return (NULL);
-    return (OPENSSL_sk_delete(st, st->num - 1));
+    return (sk_delete(st, st->num - 1));
 }
 
-void OPENSSL_sk_zero(OPENSSL_STACK *st)
+void sk_zero(_STACK *st)
 {
     if (st == NULL)
         return;
     if (st->num <= 0)
         return;
-    memset(st->data, 0, sizeof(*st->data) * st->num);
+    memset((char *)st->data, 0, sizeof(*st->data) * st->num);
     st->num = 0;
 }
 
-void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func)
+void sk_pop_free(_STACK *st, void (*func) (void *))
 {
     int i;
 
@@ -262,51 +324,61 @@ void OPENSSL_sk_pop_free(OPENSSL_STACK *st, OPENSSL_sk_freefunc func)
         return;
     for (i = 0; i < st->num; i++)
         if (st->data[i] != NULL)
-            func((char *)st->data[i]);
-    OPENSSL_sk_free(st);
+            func(st->data[i]);
+    sk_free(st);
 }
 
-void OPENSSL_sk_free(OPENSSL_STACK *st)
+void sk_free(_STACK *st)
 {
     if (st == NULL)
         return;
-    OPENSSL_free(st->data);
+    if (st->data != NULL)
+        OPENSSL_free(st->data);
     OPENSSL_free(st);
 }
 
-int OPENSSL_sk_num(const OPENSSL_STACK *st)
+int sk_num(const _STACK *st)
 {
     if (st == NULL)
         return -1;
     return st->num;
 }
 
-void *OPENSSL_sk_value(const OPENSSL_STACK *st, int i)
+void *sk_value(const _STACK *st, int i)
 {
-    if (st == NULL || i < 0 || i >= st->num)
+    if (!st || (i < 0) || (i >= st->num))
         return NULL;
-    return (void *)st->data[i];
+    return st->data[i];
 }
 
-void *OPENSSL_sk_set(OPENSSL_STACK *st, int i, const void *data)
+void *sk_set(_STACK *st, int i, void *value)
 {
-    if (st == NULL || i < 0 || i >= st->num)
+    if (!st || (i < 0) || (i >= st->num))
         return NULL;
-    st->data[i] = data;
-    return (void *)st->data[i];
+    return (st->data[i] = value);
 }
 
-void OPENSSL_sk_sort(OPENSSL_STACK *st)
+void sk_sort(_STACK *st)
 {
     if (st && !st->sorted && st->comp != NULL) {
-        qsort(st->data, st->num, sizeof(char *), st->comp);
+        int (*comp_func) (const void *, const void *);
+
+        /*
+         * same comment as in sk_find ... previously st->comp was declared as
+         * a (void*,void*) callback type, but this made the population of the
+         * callback pointer illogical - our callbacks compare type** with
+         * type**, so we leave the casting until absolutely necessary (ie.
+         * "now").
+         */
+        comp_func = (int (*)(const void *, const void *))(st->comp);
+        qsort(st->data, st->num, sizeof(char *), comp_func);
         st->sorted = 1;
     }
 }
 
-int OPENSSL_sk_is_sorted(const OPENSSL_STACK *st)
+int sk_is_sorted(const _STACK *st)
 {
-    if (st == NULL)
+    if (!st)
         return 1;
     return st->sorted;
 }
diff --git a/Cryptlib/OpenSSL/crypto/threads_none.c b/Cryptlib/OpenSSL/crypto/threads_none.c
deleted file mode 100644
index 72bf25b0..00000000
--- a/Cryptlib/OpenSSL/crypto/threads_none.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/crypto.h>
-
-#if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG)
-
-CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
-{
-    CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(unsigned int));
-    if (lock == NULL)
-        return NULL;
-
-    *(unsigned int *)lock = 1;
-
-    return lock;
-}
-
-int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock)
-{
-    OPENSSL_assert(*(unsigned int *)lock == 1);
-    return 1;
-}
-
-int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock)
-{
-    OPENSSL_assert(*(unsigned int *)lock == 1);
-    return 1;
-}
-
-int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock)
-{
-    OPENSSL_assert(*(unsigned int *)lock == 1);
-    return 1;
-}
-
-void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock) {
-    if (lock == NULL)
-        return;
-
-    *(unsigned int *)lock = 0;
-    OPENSSL_free(lock);
-
-    return;
-}
-
-int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void))
-{
-    if (*once != 0)
-        return 1;
-
-    init();
-    *once = 1;
-
-    return 1;
-}
-
-#define OPENSSL_CRYPTO_THREAD_LOCAL_KEY_MAX 256
-
-static void *thread_local_storage[OPENSSL_CRYPTO_THREAD_LOCAL_KEY_MAX];
-
-int CRYPTO_THREAD_init_local(CRYPTO_THREAD_LOCAL *key, void (*cleanup)(void *))
-{
-    static unsigned int thread_local_key = 0;
-
-    if (thread_local_key >= OPENSSL_CRYPTO_THREAD_LOCAL_KEY_MAX)
-        return 0;
-
-    *key = thread_local_key++;
-
-    thread_local_storage[*key] = NULL;
-
-    return 1;
-}
-
-void *CRYPTO_THREAD_get_local(CRYPTO_THREAD_LOCAL *key)
-{
-    if (*key >= OPENSSL_CRYPTO_THREAD_LOCAL_KEY_MAX)
-        return NULL;
-
-    return thread_local_storage[*key];
-}
-
-int CRYPTO_THREAD_set_local(CRYPTO_THREAD_LOCAL *key, void *val)
-{
-    if (*key >= OPENSSL_CRYPTO_THREAD_LOCAL_KEY_MAX)
-        return 0;
-
-    thread_local_storage[*key] = val;
-
-    return 1;
-}
-
-int CRYPTO_THREAD_cleanup_local(CRYPTO_THREAD_LOCAL *key)
-{
-    *key = OPENSSL_CRYPTO_THREAD_LOCAL_KEY_MAX + 1;
-    return 1;
-}
-
-CRYPTO_THREAD_ID CRYPTO_THREAD_get_current_id(void)
-{
-    return 0;
-}
-
-int CRYPTO_THREAD_compare_id(CRYPTO_THREAD_ID a, CRYPTO_THREAD_ID b)
-{
-    return (a == b);
-}
-
-int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock)
-{
-    *val += amount;
-    *ret  = *val;
-
-    return 1;
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/threads_pthread.c b/Cryptlib/OpenSSL/crypto/threads_pthread.c
deleted file mode 100644
index 151013e4..00000000
--- a/Cryptlib/OpenSSL/crypto/threads_pthread.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/crypto.h>
-
-#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
-
-# ifdef PTHREAD_RWLOCK_INITIALIZER
-#  define USE_RWLOCK
-# endif
-
-CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
-{
-# ifdef USE_RWLOCK
-    CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t));
-    if (lock == NULL)
-        return NULL;
-
-    if (pthread_rwlock_init(lock, NULL) != 0) {
-        OPENSSL_free(lock);
-        return NULL;
-    }
-# else
-    pthread_mutexattr_t attr;
-    CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_mutex_t));
-    if (lock == NULL)
-        return NULL;
-
-    pthread_mutexattr_init(&attr);
-    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
-
-    if (pthread_mutex_init(lock, &attr) != 0) {
-        pthread_mutexattr_destroy(&attr);
-        OPENSSL_free(lock);
-        return NULL;
-    }
-
-    pthread_mutexattr_destroy(&attr);
-# endif
-
-    return lock;
-}
-
-int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock)
-{
-# ifdef USE_RWLOCK
-    if (pthread_rwlock_rdlock(lock) != 0)
-        return 0;
-# else
-    if (pthread_mutex_lock(lock) != 0)
-        return 0;
-# endif
-
-    return 1;
-}
-
-int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock)
-{
-# ifdef USE_RWLOCK
-    if (pthread_rwlock_wrlock(lock) != 0)
-        return 0;
-# else
-    if (pthread_mutex_lock(lock) != 0)
-        return 0;
-# endif
-
-    return 1;
-}
-
-int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock)
-{
-# ifdef USE_RWLOCK
-    if (pthread_rwlock_unlock(lock) != 0)
-        return 0;
-# else
-    if (pthread_mutex_unlock(lock) != 0)
-        return 0;
-# endif
-
-    return 1;
-}
-
-void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock)
-{
-    if (lock == NULL)
-        return;
-
-# ifdef USE_RWLOCK
-    pthread_rwlock_destroy(lock);
-# else
-    pthread_mutex_destroy(lock);
-# endif
-    OPENSSL_free(lock);
-
-    return;
-}
-
-int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void))
-{
-    if (pthread_once(once, init) != 0)
-        return 0;
-
-    return 1;
-}
-
-int CRYPTO_THREAD_init_local(CRYPTO_THREAD_LOCAL *key, void (*cleanup)(void *))
-{
-    if (pthread_key_create(key, cleanup) != 0)
-        return 0;
-
-    return 1;
-}
-
-void *CRYPTO_THREAD_get_local(CRYPTO_THREAD_LOCAL *key)
-{
-    return pthread_getspecific(*key);
-}
-
-int CRYPTO_THREAD_set_local(CRYPTO_THREAD_LOCAL *key, void *val)
-{
-    if (pthread_setspecific(*key, val) != 0)
-        return 0;
-
-    return 1;
-}
-
-int CRYPTO_THREAD_cleanup_local(CRYPTO_THREAD_LOCAL *key)
-{
-    if (pthread_key_delete(*key) != 0)
-        return 0;
-
-    return 1;
-}
-
-CRYPTO_THREAD_ID CRYPTO_THREAD_get_current_id(void)
-{
-    return pthread_self();
-}
-
-int CRYPTO_THREAD_compare_id(CRYPTO_THREAD_ID a, CRYPTO_THREAD_ID b)
-{
-    return pthread_equal(a, b);
-}
-
-int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock)
-{
-# if defined(__GNUC__) && defined(__ATOMIC_ACQ_REL)
-    if (__atomic_is_lock_free(sizeof(*val), val)) {
-        *ret = __atomic_add_fetch(val, amount, __ATOMIC_ACQ_REL);
-        return 1;
-    }
-# endif
-    if (!CRYPTO_THREAD_write_lock(lock))
-        return 0;
-
-    *val += amount;
-    *ret  = *val;
-
-    if (!CRYPTO_THREAD_unlock(lock))
-        return 0;
-
-    return 1;
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/threads_win.c b/Cryptlib/OpenSSL/crypto/threads_win.c
deleted file mode 100644
index 4e0de908..00000000
--- a/Cryptlib/OpenSSL/crypto/threads_win.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#if defined(_WIN32)
-# include <windows.h>
-#endif
-
-#include <openssl/crypto.h>
-
-#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && defined(OPENSSL_SYS_WINDOWS)
-
-CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
-{
-    CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(CRITICAL_SECTION));
-    if (lock == NULL)
-        return NULL;
-
-    /* 0x400 is the spin count value suggested in the documentation */
-    if (!InitializeCriticalSectionAndSpinCount(lock, 0x400)) {
-        OPENSSL_free(lock);
-        return NULL;
-    }
-
-    return lock;
-}
-
-int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock)
-{
-    EnterCriticalSection(lock);
-    return 1;
-}
-
-int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock)
-{
-    EnterCriticalSection(lock);
-    return 1;
-}
-
-int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock)
-{
-    LeaveCriticalSection(lock);
-    return 1;
-}
-
-void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock)
-{
-    if (lock == NULL)
-        return;
-
-    DeleteCriticalSection(lock);
-    OPENSSL_free(lock);
-
-    return;
-}
-
-#  define ONCE_UNINITED     0
-#  define ONCE_ININIT       1
-#  define ONCE_DONE         2
-
-/*
- * We don't use InitOnceExecuteOnce because that isn't available in WinXP which
- * we still have to support.
- */
-int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void))
-{
-    LONG volatile *lock = (LONG *)once;
-    LONG result;
-
-    if (*lock == ONCE_DONE)
-        return 1;
-
-    do {
-        result = InterlockedCompareExchange(lock, ONCE_ININIT, ONCE_UNINITED);
-        if (result == ONCE_UNINITED) {
-            init();
-            *lock = ONCE_DONE;
-            return 1;
-        }
-    } while (result == ONCE_ININIT);
-
-    return (*lock == ONCE_DONE);
-}
-
-int CRYPTO_THREAD_init_local(CRYPTO_THREAD_LOCAL *key, void (*cleanup)(void *))
-{
-    *key = TlsAlloc();
-    if (*key == TLS_OUT_OF_INDEXES)
-        return 0;
-
-    return 1;
-}
-
-void *CRYPTO_THREAD_get_local(CRYPTO_THREAD_LOCAL *key)
-{
-    return TlsGetValue(*key);
-}
-
-int CRYPTO_THREAD_set_local(CRYPTO_THREAD_LOCAL *key, void *val)
-{
-    if (TlsSetValue(*key, val) == 0)
-        return 0;
-
-    return 1;
-}
-
-int CRYPTO_THREAD_cleanup_local(CRYPTO_THREAD_LOCAL *key)
-{
-    if (TlsFree(*key) == 0)
-        return 0;
-
-    return 1;
-}
-
-CRYPTO_THREAD_ID CRYPTO_THREAD_get_current_id(void)
-{
-    return GetCurrentThreadId();
-}
-
-int CRYPTO_THREAD_compare_id(CRYPTO_THREAD_ID a, CRYPTO_THREAD_ID b)
-{
-    return (a == b);
-}
-
-int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock)
-{
-    *ret = InterlockedExchangeAdd(val, amount) + amount;
-    return 1;
-}
-
-#endif
diff --git a/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c b/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c
index 14322309..f9b42ac6 100644
--- a/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c
+++ b/Cryptlib/OpenSSL/crypto/txt_db/txt_db.c
@@ -1,25 +1,77 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/txt_db/txt_db.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/txt_db.h>
 
 #undef BUFSIZE
 #define BUFSIZE 512
 
+const char TXT_DB_version[] = "TXT_DB" OPENSSL_VERSION_PTEXT;
+
 TXT_DB *TXT_DB_read(BIO *in, int num)
 {
     TXT_DB *ret = NULL;
+    int er = 1;
     int esc = 0;
     long ln = 0;
     int i, add, n;
@@ -34,7 +86,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
     if (!BUF_MEM_grow(buf, size))
         goto err;
 
-    if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL)
+    if ((ret = OPENSSL_malloc(sizeof(TXT_DB))) == NULL)
         goto err;
     ret->num_fields = num;
     ret->index = NULL;
@@ -72,7 +124,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
             continue;
         else {
             buf->data[offset - 1] = '\0'; /* blat the '\n' */
-            if ((p = OPENSSL_malloc(add + offset)) == NULL)
+            if (!(p = OPENSSL_malloc(add + offset)))
                 goto err;
             offset = 0;
         }
@@ -104,24 +156,46 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
         }
         *(p++) = '\0';
         if ((n != num) || (*f != '\0')) {
-            ret->error = DB_ERROR_WRONG_NUM_FIELDS;
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16) /* temporary
+                                                               * fix :-( */
+            fprintf(stderr,
+                    "wrong number of fields on line %ld (looking for field %d, got %d, '%s' left)\n",
+                    ln, num, n, f);
+#endif
+            er = 2;
             goto err;
         }
         pp[n] = p;
-        if (!sk_OPENSSL_PSTRING_push(ret->data, pp))
+        if (!sk_OPENSSL_PSTRING_push(ret->data, pp)) {
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16) /* temporary
+                                                               * fix :-( */
+            fprintf(stderr, "failure in sk_push\n");
+#endif
+            er = 2;
             goto err;
+        }
     }
-    BUF_MEM_free(buf);
-    return ret;
+    er = 0;
  err:
     BUF_MEM_free(buf);
-    if (ret != NULL) {
-        sk_OPENSSL_PSTRING_free(ret->data);
-        OPENSSL_free(ret->index);
-        OPENSSL_free(ret->qual);
-        OPENSSL_free(ret);
-    }
-    return (NULL);
+    if (er) {
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
+        if (er == 1)
+            fprintf(stderr, "OPENSSL_malloc failure\n");
+#endif
+        if (ret != NULL) {
+            if (ret->data != NULL)
+                sk_OPENSSL_PSTRING_free(ret->data);
+            if (ret->index != NULL)
+                OPENSSL_free(ret->index);
+            if (ret->qual != NULL)
+                OPENSSL_free(ret->qual);
+            if (ret != NULL)
+                OPENSSL_free(ret);
+        }
+        return (NULL);
+    } else
+        return (ret);
 }
 
 OPENSSL_STRING *TXT_DB_get_by_index(TXT_DB *db, int idx,
@@ -145,7 +219,7 @@ OPENSSL_STRING *TXT_DB_get_by_index(TXT_DB *db, int idx,
 }
 
 int TXT_DB_create_index(TXT_DB *db, int field, int (*qual) (OPENSSL_STRING *),
-                        OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC cmp)
+                        LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp)
 {
     LHASH_OF(OPENSSL_STRING) *idx;
     OPENSSL_STRING *r;
@@ -156,7 +230,7 @@ int TXT_DB_create_index(TXT_DB *db, int field, int (*qual) (OPENSSL_STRING *),
         return (0);
     }
     /* FIXME: we lose type checking at this point */
-    if ((idx = (LHASH_OF(OPENSSL_STRING) *)OPENSSL_LH_new(hash, cmp)) == NULL) {
+    if ((idx = (LHASH_OF(OPENSSL_STRING) *)lh_new(hash, cmp)) == NULL) {
         db->error = DB_ERROR_MALLOC;
         return (0);
     }
@@ -173,7 +247,8 @@ int TXT_DB_create_index(TXT_DB *db, int field, int (*qual) (OPENSSL_STRING *),
             return (0);
         }
     }
-    lh_OPENSSL_STRING_free(db->index[field]);
+    if (db->index[field] != NULL)
+        lh_OPENSSL_STRING_free(db->index[field]);
     db->index[field] = idx;
     db->qual[field] = qual;
     return (1);
@@ -222,7 +297,8 @@ long TXT_DB_write(BIO *out, TXT_DB *db)
     }
     ret = tot;
  err:
-    BUF_MEM_free(buf);
+    if (buf != NULL)
+        BUF_MEM_free(buf);
     return (ret);
 }
 
@@ -272,10 +348,12 @@ void TXT_DB_free(TXT_DB *db)
 
     if (db->index != NULL) {
         for (i = db->num_fields - 1; i >= 0; i--)
-            lh_OPENSSL_STRING_free(db->index[i]);
+            if (db->index[i] != NULL)
+                lh_OPENSSL_STRING_free(db->index[i]);
         OPENSSL_free(db->index);
     }
-    OPENSSL_free(db->qual);
+    if (db->qual != NULL)
+        OPENSSL_free(db->qual);
     if (db->data != NULL) {
         for (i = sk_OPENSSL_PSTRING_num(db->data) - 1; i >= 0; i--) {
             /*
@@ -286,10 +364,12 @@ void TXT_DB_free(TXT_DB *db)
             max = p[db->num_fields]; /* last address */
             if (max == NULL) {  /* new row */
                 for (n = 0; n < db->num_fields; n++)
-                    OPENSSL_free(p[n]);
+                    if (p[n] != NULL)
+                        OPENSSL_free(p[n]);
             } else {
                 for (n = 0; n < db->num_fields; n++) {
-                    if (((p[n] < (char *)p) || (p[n] > max)))
+                    if (((p[n] < (char *)p) || (p[n] > max))
+                        && (p[n] != NULL))
                         OPENSSL_free(p[n]);
                 }
             }
diff --git a/Cryptlib/OpenSSL/crypto/uid.c b/Cryptlib/OpenSSL/crypto/uid.c
index 12df8a4e..90694c67 100644
--- a/Cryptlib/OpenSSL/crypto/uid.c
+++ b/Cryptlib/OpenSSL/crypto/uid.c
@@ -1,10 +1,56 @@
-/*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/uid.c */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/crypto.h>
@@ -19,7 +65,7 @@ int OPENSSL_issetugid(void)
     return issetugid();
 }
 
-#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)
+#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)
 
 int OPENSSL_issetugid(void)
 {
diff --git a/Cryptlib/OpenSSL/crypto/x509/by_dir.c b/Cryptlib/OpenSSL/crypto/x509/by_dir.c
deleted file mode 100644
index f3a1f054..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+++ /dev/null
@@ -1,388 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <time.h>
-#include <errno.h>
-
-#include "internal/cryptlib.h"
-
-#ifndef NO_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#ifndef OPENSSL_NO_POSIX_IO
-# include <sys/stat.h>
-#endif
-
-
-#include <openssl/lhash.h>
-#include <openssl/x509.h>
-#include "internal/x509_int.h"
-#include "x509_lcl.h"
-
-struct lookup_dir_hashes_st {
-    unsigned long hash;
-    int suffix;
-};
-
-struct lookup_dir_entry_st {
-    char *dir;
-    int dir_type;
-    STACK_OF(BY_DIR_HASH) *hashes;
-};
-
-typedef struct lookup_dir_st {
-    BUF_MEM *buffer;
-    STACK_OF(BY_DIR_ENTRY) *dirs;
-    CRYPTO_RWLOCK *lock;
-} BY_DIR;
-
-static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
-                    char **ret);
-static int new_dir(X509_LOOKUP *lu);
-static void free_dir(X509_LOOKUP *lu);
-static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
-static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
-                               X509_NAME *name, X509_OBJECT *ret);
-static X509_LOOKUP_METHOD x509_dir_lookup = {
-    "Load certs from files in a directory",
-    new_dir,                    /* new */
-    free_dir,                   /* free */
-    NULL,                       /* init */
-    NULL,                       /* shutdown */
-    dir_ctrl,                   /* ctrl */
-    get_cert_by_subject,        /* get_by_subject */
-    NULL,                       /* get_by_issuer_serial */
-    NULL,                       /* get_by_fingerprint */
-    NULL,                       /* get_by_alias */
-};
-
-X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
-{
-    return (&x509_dir_lookup);
-}
-
-static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
-                    char **retp)
-{
-    int ret = 0;
-    BY_DIR *ld;
-    char *dir = NULL;
-
-    ld = (BY_DIR *)ctx->method_data;
-
-    switch (cmd) {
-    case X509_L_ADD_DIR:
-        if (argl == X509_FILETYPE_DEFAULT) {
-            dir = (char *)getenv(X509_get_default_cert_dir_env());
-            if (dir)
-                ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
-            else
-                ret = add_cert_dir(ld, X509_get_default_cert_dir(),
-                                   X509_FILETYPE_PEM);
-            if (!ret) {
-                X509err(X509_F_DIR_CTRL, X509_R_LOADING_CERT_DIR);
-            }
-        } else
-            ret = add_cert_dir(ld, argp, (int)argl);
-        break;
-    }
-    return (ret);
-}
-
-static int new_dir(X509_LOOKUP *lu)
-{
-    BY_DIR *a;
-
-    if ((a = OPENSSL_malloc(sizeof(*a))) == NULL)
-        return 0;
-    if ((a->buffer = BUF_MEM_new()) == NULL) {
-        OPENSSL_free(a);
-        return 0;
-    }
-    a->dirs = NULL;
-    a->lock = CRYPTO_THREAD_lock_new();
-    if (a->lock == NULL) {
-        BUF_MEM_free(a->buffer);
-        OPENSSL_free(a);
-        return 0;
-    }
-    lu->method_data = (char *)a;
-    return 1;
-}
-
-static void by_dir_hash_free(BY_DIR_HASH *hash)
-{
-    OPENSSL_free(hash);
-}
-
-static int by_dir_hash_cmp(const BY_DIR_HASH *const *a,
-                           const BY_DIR_HASH *const *b)
-{
-    if ((*a)->hash > (*b)->hash)
-        return 1;
-    if ((*a)->hash < (*b)->hash)
-        return -1;
-    return 0;
-}
-
-static void by_dir_entry_free(BY_DIR_ENTRY *ent)
-{
-    OPENSSL_free(ent->dir);
-    sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);
-    OPENSSL_free(ent);
-}
-
-static void free_dir(X509_LOOKUP *lu)
-{
-    BY_DIR *a;
-
-    a = (BY_DIR *)lu->method_data;
-    sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
-    BUF_MEM_free(a->buffer);
-    CRYPTO_THREAD_lock_free(a->lock);
-    OPENSSL_free(a);
-}
-
-static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
-{
-    const char *s, *p;
-
-    if (dir == NULL || !*dir) {
-        X509err(X509_F_ADD_CERT_DIR, X509_R_INVALID_DIRECTORY);
-        return 0;
-    }
-
-    s = dir;
-    p = s;
-    do {
-        if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) {
-            BY_DIR_ENTRY *ent;
-            int j;
-            size_t len;
-            const char *ss = s;
-            s = p + 1;
-            len = p - ss;
-            if (len == 0)
-                continue;
-            for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {
-                ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
-                if (strlen(ent->dir) == len &&
-                    strncmp(ent->dir, ss, len) == 0)
-                    break;
-            }
-            if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
-                continue;
-            if (ctx->dirs == NULL) {
-                ctx->dirs = sk_BY_DIR_ENTRY_new_null();
-                if (!ctx->dirs) {
-                    X509err(X509_F_ADD_CERT_DIR, ERR_R_MALLOC_FAILURE);
-                    return 0;
-                }
-            }
-            ent = OPENSSL_malloc(sizeof(*ent));
-            if (ent == NULL)
-                return 0;
-            ent->dir_type = type;
-            ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);
-            ent->dir = OPENSSL_strndup(ss, len);
-            if (ent->dir == NULL || ent->hashes == NULL) {
-                by_dir_entry_free(ent);
-                return 0;
-            }
-            if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) {
-                by_dir_entry_free(ent);
-                return 0;
-            }
-        }
-    } while (*p++ != '\0');
-    return 1;
-}
-
-static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
-                               X509_NAME *name, X509_OBJECT *ret)
-{
-    BY_DIR *ctx;
-    union {
-        X509 st_x509;
-        X509_CRL crl;
-    } data;
-    int ok = 0;
-    int i, j, k;
-    unsigned long h;
-    BUF_MEM *b = NULL;
-    X509_OBJECT stmp, *tmp;
-    const char *postfix = "";
-
-    if (name == NULL)
-        return (0);
-
-    stmp.type = type;
-    if (type == X509_LU_X509) {
-        data.st_x509.cert_info.subject = name;
-        stmp.data.x509 = &data.st_x509;
-        postfix = "";
-    } else if (type == X509_LU_CRL) {
-        data.crl.crl.issuer = name;
-        stmp.data.crl = &data.crl;
-        postfix = "r";
-    } else {
-        X509err(X509_F_GET_CERT_BY_SUBJECT, X509_R_WRONG_LOOKUP_TYPE);
-        goto finish;
-    }
-
-    if ((b = BUF_MEM_new()) == NULL) {
-        X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_BUF_LIB);
-        goto finish;
-    }
-
-    ctx = (BY_DIR *)xl->method_data;
-
-    h = X509_NAME_hash(name);
-    for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) {
-        BY_DIR_ENTRY *ent;
-        int idx;
-        BY_DIR_HASH htmp, *hent;
-        ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
-        j = strlen(ent->dir) + 1 + 8 + 6 + 1 + 1;
-        if (!BUF_MEM_grow(b, j)) {
-            X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
-            goto finish;
-        }
-        if (type == X509_LU_CRL && ent->hashes) {
-            htmp.hash = h;
-            CRYPTO_THREAD_read_lock(ctx->lock);
-            idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
-            if (idx >= 0) {
-                hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
-                k = hent->suffix;
-            } else {
-                hent = NULL;
-                k = 0;
-            }
-            CRYPTO_THREAD_unlock(ctx->lock);
-        } else {
-            k = 0;
-            hent = NULL;
-        }
-        for (;;) {
-            char c = '/';
-#ifdef OPENSSL_SYS_VMS
-            c = ent->dir[strlen(ent->dir) - 1];
-            if (c != ':' && c != '>' && c != ']') {
-                /*
-                 * If no separator is present, we assume the directory
-                 * specifier is a logical name, and add a colon.  We really
-                 * should use better VMS routines for merging things like
-                 * this, but this will do for now... -- Richard Levitte
-                 */
-                c = ':';
-            } else {
-                c = '\0';
-            }
-#endif
-            if (c == '\0') {
-                /*
-                 * This is special.  When c == '\0', no directory separator
-                 * should be added.
-                 */
-                BIO_snprintf(b->data, b->max,
-                             "%s%08lx.%s%d", ent->dir, h, postfix, k);
-            } else {
-                BIO_snprintf(b->data, b->max,
-                             "%s%c%08lx.%s%d", ent->dir, c, h, postfix, k);
-            }
-#ifndef OPENSSL_NO_POSIX_IO
-# ifdef _WIN32
-#  define stat _stat
-# endif
-            {
-                struct stat st;
-                if (stat(b->data, &st) < 0)
-                    break;
-            }
-#endif
-            /* found one. */
-            if (type == X509_LU_X509) {
-                if ((X509_load_cert_file(xl, b->data, ent->dir_type)) == 0)
-                    break;
-            } else if (type == X509_LU_CRL) {
-                if ((X509_load_crl_file(xl, b->data, ent->dir_type)) == 0)
-                    break;
-            }
-            /* else case will caught higher up */
-            k++;
-        }
-
-        /*
-         * we have added it to the cache so now pull it out again
-         */
-        CRYPTO_THREAD_write_lock(ctx->lock);
-        j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
-        if (j != -1)
-            tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
-        else
-            tmp = NULL;
-        CRYPTO_THREAD_unlock(ctx->lock);
-
-        /* If a CRL, update the last file suffix added for this */
-
-        if (type == X509_LU_CRL) {
-            CRYPTO_THREAD_write_lock(ctx->lock);
-            /*
-             * Look for entry again in case another thread added an entry
-             * first.
-             */
-            if (!hent) {
-                htmp.hash = h;
-                idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
-                if (idx >= 0)
-                    hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
-            }
-            if (!hent) {
-                hent = OPENSSL_malloc(sizeof(*hent));
-                if (hent == NULL) {
-                    CRYPTO_THREAD_unlock(ctx->lock);
-                    X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
-                    ok = 0;
-                    goto finish;
-                }
-                hent->hash = h;
-                hent->suffix = k;
-                if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
-                    CRYPTO_THREAD_unlock(ctx->lock);
-                    OPENSSL_free(hent);
-                    ok = 0;
-                    goto finish;
-                }
-            } else if (hent->suffix < k) {
-                hent->suffix = k;
-            }
-
-            CRYPTO_THREAD_unlock(ctx->lock);
-
-        }
-
-        if (tmp != NULL) {
-            ok = 1;
-            ret->type = tmp->type;
-            memcpy(&ret->data, &tmp->data, sizeof(ret->data));
-            /*
-             * If we were going to up the reference count, we would need to
-             * do it on a perl 'type' basis
-             */
-        /*- CRYPTO_add(&tmp->data.x509->references,1,
-                    CRYPTO_LOCK_X509);*/
-            goto finish;
-        }
-    }
- finish:
-    BUF_MEM_free(b);
-    return (ok);
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/by_file.c b/Cryptlib/OpenSSL/crypto/x509/by_file.c
deleted file mode 100644
index 4376bed8..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/by_file.c
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include <time.h>
-#include <errno.h>
-
-#include "internal/cryptlib.h"
-#include <openssl/lhash.h>
-#include <openssl/buffer.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include "x509_lcl.h"
-
-static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
-                        long argl, char **ret);
-static X509_LOOKUP_METHOD x509_file_lookup = {
-    "Load file into cache",
-    NULL,                       /* new */
-    NULL,                       /* free */
-    NULL,                       /* init */
-    NULL,                       /* shutdown */
-    by_file_ctrl,               /* ctrl */
-    NULL,                       /* get_by_subject */
-    NULL,                       /* get_by_issuer_serial */
-    NULL,                       /* get_by_fingerprint */
-    NULL,                       /* get_by_alias */
-};
-
-X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
-{
-    return (&x509_file_lookup);
-}
-
-static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
-                        long argl, char **ret)
-{
-    int ok = 0;
-    char *file;
-
-    switch (cmd) {
-    case X509_L_FILE_LOAD:
-        if (argl == X509_FILETYPE_DEFAULT) {
-            file = (char *)getenv(X509_get_default_cert_file_env());
-            if (file)
-                ok = (X509_load_cert_crl_file(ctx, file,
-                                              X509_FILETYPE_PEM) != 0);
-
-            else
-                ok = (X509_load_cert_crl_file
-                      (ctx, X509_get_default_cert_file(),
-                       X509_FILETYPE_PEM) != 0);
-
-            if (!ok) {
-                X509err(X509_F_BY_FILE_CTRL, X509_R_LOADING_DEFAULTS);
-            }
-        } else {
-            if (argl == X509_FILETYPE_PEM)
-                ok = (X509_load_cert_crl_file(ctx, argp,
-                                              X509_FILETYPE_PEM) != 0);
-            else
-                ok = (X509_load_cert_file(ctx, argp, (int)argl) != 0);
-        }
-        break;
-    }
-    return (ok);
-}
-
-int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type)
-{
-    int ret = 0;
-    BIO *in = NULL;
-    int i, count = 0;
-    X509 *x = NULL;
-
-    if (file == NULL)
-        return (1);
-    in = BIO_new(BIO_s_file());
-
-    if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {
-        X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_SYS_LIB);
-        goto err;
-    }
-
-    if (type == X509_FILETYPE_PEM) {
-        for (;;) {
-            x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
-            if (x == NULL) {
-                if ((ERR_GET_REASON(ERR_peek_last_error()) ==
-                     PEM_R_NO_START_LINE) && (count > 0)) {
-                    ERR_clear_error();
-                    break;
-                } else {
-                    X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_PEM_LIB);
-                    goto err;
-                }
-            }
-            i = X509_STORE_add_cert(ctx->store_ctx, x);
-            if (!i)
-                goto err;
-            count++;
-            X509_free(x);
-            x = NULL;
-        }
-        ret = count;
-    } else if (type == X509_FILETYPE_ASN1) {
-        x = d2i_X509_bio(in, NULL);
-        if (x == NULL) {
-            X509err(X509_F_X509_LOAD_CERT_FILE, ERR_R_ASN1_LIB);
-            goto err;
-        }
-        i = X509_STORE_add_cert(ctx->store_ctx, x);
-        if (!i)
-            goto err;
-        ret = i;
-    } else {
-        X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
-        goto err;
-    }
- err:
-    X509_free(x);
-    BIO_free(in);
-    return (ret);
-}
-
-int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
-{
-    int ret = 0;
-    BIO *in = NULL;
-    int i, count = 0;
-    X509_CRL *x = NULL;
-
-    if (file == NULL)
-        return (1);
-    in = BIO_new(BIO_s_file());
-
-    if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {
-        X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_SYS_LIB);
-        goto err;
-    }
-
-    if (type == X509_FILETYPE_PEM) {
-        for (;;) {
-            x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
-            if (x == NULL) {
-                if ((ERR_GET_REASON(ERR_peek_last_error()) ==
-                     PEM_R_NO_START_LINE) && (count > 0)) {
-                    ERR_clear_error();
-                    break;
-                } else {
-                    X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_PEM_LIB);
-                    goto err;
-                }
-            }
-            i = X509_STORE_add_crl(ctx->store_ctx, x);
-            if (!i)
-                goto err;
-            count++;
-            X509_CRL_free(x);
-            x = NULL;
-        }
-        ret = count;
-    } else if (type == X509_FILETYPE_ASN1) {
-        x = d2i_X509_CRL_bio(in, NULL);
-        if (x == NULL) {
-            X509err(X509_F_X509_LOAD_CRL_FILE, ERR_R_ASN1_LIB);
-            goto err;
-        }
-        i = X509_STORE_add_crl(ctx->store_ctx, x);
-        if (!i)
-            goto err;
-        ret = i;
-    } else {
-        X509err(X509_F_X509_LOAD_CRL_FILE, X509_R_BAD_X509_FILETYPE);
-        goto err;
-    }
- err:
-    X509_CRL_free(x);
-    BIO_free(in);
-    return (ret);
-}
-
-int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
-{
-    STACK_OF(X509_INFO) *inf;
-    X509_INFO *itmp;
-    BIO *in;
-    int i, count = 0;
-    if (type != X509_FILETYPE_PEM)
-        return X509_load_cert_file(ctx, file, type);
-    in = BIO_new_file(file, "r");
-    if (!in) {
-        X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_SYS_LIB);
-        return 0;
-    }
-    inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
-    BIO_free(in);
-    if (!inf) {
-        X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB);
-        return 0;
-    }
-    for (i = 0; i < sk_X509_INFO_num(inf); i++) {
-        itmp = sk_X509_INFO_value(inf, i);
-        if (itmp->x509) {
-            X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
-            count++;
-        }
-        if (itmp->crl) {
-            X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
-            count++;
-        }
-    }
-    sk_X509_INFO_pop_free(inf, X509_INFO_free);
-    return count;
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/t_crl.c b/Cryptlib/OpenSSL/crypto/x509/t_crl.c
deleted file mode 100644
index f3ca6db8..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/t_crl.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/buffer.h>
-#include <openssl/bn.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#ifndef OPENSSL_NO_STDIO
-int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
-{
-    BIO *b;
-    int ret;
-
-    if ((b = BIO_new(BIO_s_file())) == NULL) {
-        X509err(X509_F_X509_CRL_PRINT_FP, ERR_R_BUF_LIB);
-        return (0);
-    }
-    BIO_set_fp(b, fp, BIO_NOCLOSE);
-    ret = X509_CRL_print(b, x);
-    BIO_free(b);
-    return (ret);
-}
-#endif
-
-int X509_CRL_print(BIO *out, X509_CRL *x)
-{
-    STACK_OF(X509_REVOKED) *rev;
-    X509_REVOKED *r;
-    const X509_ALGOR *sig_alg;
-    const ASN1_BIT_STRING *sig;
-    long l;
-    int i;
-    char *p;
-
-    BIO_printf(out, "Certificate Revocation List (CRL):\n");
-    l = X509_CRL_get_version(x);
-    if (l >= 0 && l <= 1)
-        BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", l + 1, (unsigned long)l);
-    else
-        BIO_printf(out, "%8sVersion unknown (%ld)\n", "", l);
-    X509_CRL_get0_signature(x, &sig, &sig_alg);
-    X509_signature_print(out, sig_alg, NULL);
-    p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0);
-    BIO_printf(out, "%8sIssuer: %s\n", "", p);
-    OPENSSL_free(p);
-    BIO_printf(out, "%8sLast Update: ", "");
-    ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x));
-    BIO_printf(out, "\n%8sNext Update: ", "");
-    if (X509_CRL_get0_nextUpdate(x))
-        ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x));
-    else
-        BIO_printf(out, "NONE");
-    BIO_printf(out, "\n");
-
-    X509V3_extensions_print(out, "CRL extensions",
-                            X509_CRL_get0_extensions(x), 0, 8);
-
-    rev = X509_CRL_get_REVOKED(x);
-
-    if (sk_X509_REVOKED_num(rev) > 0)
-        BIO_printf(out, "Revoked Certificates:\n");
-    else
-        BIO_printf(out, "No Revoked Certificates.\n");
-
-    for (i = 0; i < sk_X509_REVOKED_num(rev); i++) {
-        r = sk_X509_REVOKED_value(rev, i);
-        BIO_printf(out, "    Serial Number: ");
-        i2a_ASN1_INTEGER(out, X509_REVOKED_get0_serialNumber(r));
-        BIO_printf(out, "\n        Revocation Date: ");
-        ASN1_TIME_print(out, X509_REVOKED_get0_revocationDate(r));
-        BIO_printf(out, "\n");
-        X509V3_extensions_print(out, "CRL entry extensions",
-                                X509_REVOKED_get0_extensions(r), 0, 8);
-    }
-    X509_signature_print(out, sig_alg, sig);
-
-    return 1;
-
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/t_req.c b/Cryptlib/OpenSSL/crypto/x509/t_req.c
deleted file mode 100644
index 77ce8108..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/t_req.c
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/buffer.h>
-#include <openssl/bn.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-
-#ifndef OPENSSL_NO_STDIO
-int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
-{
-    BIO *b;
-    int ret;
-
-    if ((b = BIO_new(BIO_s_file())) == NULL) {
-        X509err(X509_F_X509_REQ_PRINT_FP, ERR_R_BUF_LIB);
-        return (0);
-    }
-    BIO_set_fp(b, fp, BIO_NOCLOSE);
-    ret = X509_REQ_print(b, x);
-    BIO_free(b);
-    return (ret);
-}
-#endif
-
-int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
-                      unsigned long cflag)
-{
-    long l;
-    int i;
-    EVP_PKEY *pkey;
-    STACK_OF(X509_EXTENSION) *exts;
-    char mlch = ' ';
-    int nmindent = 0;
-
-    if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
-        mlch = '\n';
-        nmindent = 12;
-    }
-
-    if (nmflags == X509_FLAG_COMPAT)
-        nmindent = 16;
-
-    if (!(cflag & X509_FLAG_NO_HEADER)) {
-        if (BIO_write(bp, "Certificate Request:\n", 21) <= 0)
-            goto err;
-        if (BIO_write(bp, "    Data:\n", 10) <= 0)
-            goto err;
-    }
-    if (!(cflag & X509_FLAG_NO_VERSION)) {
-        l = X509_REQ_get_version(x);
-        if (l >= 0 && l <= 2) {
-            if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0)
-                goto err;
-        } else {
-            if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0)
-                goto err;
-        }
-    }
-    if (!(cflag & X509_FLAG_NO_SUBJECT)) {
-        if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)
-            goto err;
-        if (X509_NAME_print_ex(bp, X509_REQ_get_subject_name(x),
-            nmindent, nmflags) < 0)
-            goto err;
-        if (BIO_write(bp, "\n", 1) <= 0)
-            goto err;
-    }
-    if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-        X509_PUBKEY *xpkey;
-        ASN1_OBJECT *koid;
-        if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
-            goto err;
-        if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
-            goto err;
-        xpkey = X509_REQ_get_X509_PUBKEY(x);
-        X509_PUBKEY_get0_param(&koid, NULL, NULL, NULL, xpkey);
-        if (i2a_ASN1_OBJECT(bp, koid) <= 0)
-            goto err;
-        if (BIO_puts(bp, "\n") <= 0)
-            goto err;
-
-        pkey = X509_REQ_get0_pubkey(x);
-        if (pkey == NULL) {
-            BIO_printf(bp, "%12sUnable to load Public Key\n", "");
-            ERR_print_errors(bp);
-        } else {
-            EVP_PKEY_print_public(bp, pkey, 16, NULL);
-        }
-    }
-
-    if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
-        /* may not be */
-        if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0)
-            goto err;
-
-        if (X509_REQ_get_attr_count(x) == 0) {
-            if (BIO_printf(bp, "%12sa0:00\n", "") <= 0)
-                goto err;
-        } else {
-            for (i = 0; i < X509_REQ_get_attr_count(x); i++) {
-                ASN1_TYPE *at;
-                X509_ATTRIBUTE *a;
-                ASN1_BIT_STRING *bs = NULL;
-                ASN1_OBJECT *aobj;
-                int j, type = 0, count = 1, ii = 0;
-
-                a = X509_REQ_get_attr(x, i);
-                aobj = X509_ATTRIBUTE_get0_object(a);
-                if (X509_REQ_extension_nid(OBJ_obj2nid(aobj)))
-                    continue;
-                if (BIO_printf(bp, "%12s", "") <= 0)
-                    goto err;
-                if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
-                    ii = 0;
-                    count = X509_ATTRIBUTE_count(a);
- get_next:
-                    at = X509_ATTRIBUTE_get0_type(a, ii);
-                    type = at->type;
-                    bs = at->value.asn1_string;
-                }
-                for (j = 25 - j; j > 0; j--)
-                    if (BIO_write(bp, " ", 1) != 1)
-                        goto err;
-                if (BIO_puts(bp, ":") <= 0)
-                    goto err;
-                if ((type == V_ASN1_PRINTABLESTRING) ||
-                    (type == V_ASN1_T61STRING) ||
-                    (type == V_ASN1_UTF8STRING) ||
-                    (type == V_ASN1_IA5STRING)) {
-                    if (BIO_write(bp, (char *)bs->data, bs->length)
-                        != bs->length)
-                        goto err;
-                    BIO_puts(bp, "\n");
-                } else {
-                    BIO_puts(bp, "unable to print attribute\n");
-                }
-                if (++ii < count)
-                    goto get_next;
-            }
-        }
-    }
-    if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
-        exts = X509_REQ_get_extensions(x);
-        if (exts) {
-            BIO_printf(bp, "%8sRequested Extensions:\n", "");
-            for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-                ASN1_OBJECT *obj;
-                X509_EXTENSION *ex;
-                int critical;
-                ex = sk_X509_EXTENSION_value(exts, i);
-                if (BIO_printf(bp, "%12s", "") <= 0)
-                    goto err;
-                obj = X509_EXTENSION_get_object(ex);
-                i2a_ASN1_OBJECT(bp, obj);
-                critical = X509_EXTENSION_get_critical(ex);
-                if (BIO_printf(bp, ": %s\n", critical ? "critical" : "") <= 0)
-                    goto err;
-                if (!X509V3_EXT_print(bp, ex, cflag, 16)) {
-                    BIO_printf(bp, "%16s", "");
-                    ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex));
-                }
-                if (BIO_write(bp, "\n", 1) <= 0)
-                    goto err;
-            }
-            sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
-        }
-    }
-
-    if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
-        const X509_ALGOR *sig_alg;
-        const ASN1_BIT_STRING *sig;
-        X509_REQ_get0_signature(x, &sig, &sig_alg);
-        if (!X509_signature_print(bp, sig_alg, sig))
-            goto err;
-    }
-
-    return (1);
- err:
-    X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB);
-    return (0);
-}
-
-int X509_REQ_print(BIO *bp, X509_REQ *x)
-{
-    return X509_REQ_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/t_x509.c b/Cryptlib/OpenSSL/crypto/x509/t_x509.c
deleted file mode 100644
index eb65d887..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/t_x509.c
+++ /dev/null
@@ -1,376 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/buffer.h>
-#include <openssl/bn.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include "internal/asn1_int.h"
-
-#ifndef OPENSSL_NO_STDIO
-int X509_print_fp(FILE *fp, X509 *x)
-{
-    return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
-}
-
-int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,
-                     unsigned long cflag)
-{
-    BIO *b;
-    int ret;
-
-    if ((b = BIO_new(BIO_s_file())) == NULL) {
-        X509err(X509_F_X509_PRINT_EX_FP, ERR_R_BUF_LIB);
-        return (0);
-    }
-    BIO_set_fp(b, fp, BIO_NOCLOSE);
-    ret = X509_print_ex(b, x, nmflag, cflag);
-    BIO_free(b);
-    return (ret);
-}
-#endif
-
-int X509_print(BIO *bp, X509 *x)
-{
-    return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
-}
-
-int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
-                  unsigned long cflag)
-{
-    long l;
-    int ret = 0, i;
-    char *m = NULL, mlch = ' ';
-    int nmindent = 0;
-    ASN1_INTEGER *bs;
-    EVP_PKEY *pkey = NULL;
-    const char *neg;
-
-    if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
-        mlch = '\n';
-        nmindent = 12;
-    }
-
-    if (nmflags == X509_FLAG_COMPAT)
-        nmindent = 16;
-
-    if (!(cflag & X509_FLAG_NO_HEADER)) {
-        if (BIO_write(bp, "Certificate:\n", 13) <= 0)
-            goto err;
-        if (BIO_write(bp, "    Data:\n", 10) <= 0)
-            goto err;
-    }
-    if (!(cflag & X509_FLAG_NO_VERSION)) {
-        l = X509_get_version(x);
-        if (l >= 0 && l <= 2) {
-            if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0)
-                goto err;
-        } else {
-            if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0)
-                goto err;
-        }
-    }
-    if (!(cflag & X509_FLAG_NO_SERIAL)) {
-
-        if (BIO_write(bp, "        Serial Number:", 22) <= 0)
-            goto err;
-
-        bs = X509_get_serialNumber(x);
-        if (bs->length <= (int)sizeof(long)) {
-                ERR_set_mark();
-                l = ASN1_INTEGER_get(bs);
-                ERR_pop_to_mark();
-        } else {
-            l = -1;
-        }
-        if (l != -1) {
-            unsigned long ul;
-            if (bs->type == V_ASN1_NEG_INTEGER) {
-                ul = 0 - (unsigned long)l;
-                neg = "-";
-            } else {
-                ul = l;
-                neg = "";
-            }
-            if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, ul, neg, ul) <= 0)
-                goto err;
-        } else {
-            neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
-            if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0)
-                goto err;
-
-            for (i = 0; i < bs->length; i++) {
-                if (BIO_printf(bp, "%02x%c", bs->data[i],
-                               ((i + 1 == bs->length) ? '\n' : ':')) <= 0)
-                    goto err;
-            }
-        }
-
-    }
-
-    if (!(cflag & X509_FLAG_NO_SIGNAME)) {
-        const X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x);
-        if (X509_signature_print(bp, tsig_alg, NULL) <= 0)
-            goto err;
-    }
-
-    if (!(cflag & X509_FLAG_NO_ISSUER)) {
-        if (BIO_printf(bp, "        Issuer:%c", mlch) <= 0)
-            goto err;
-        if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags)
-            < 0)
-            goto err;
-        if (BIO_write(bp, "\n", 1) <= 0)
-            goto err;
-    }
-    if (!(cflag & X509_FLAG_NO_VALIDITY)) {
-        if (BIO_write(bp, "        Validity\n", 17) <= 0)
-            goto err;
-        if (BIO_write(bp, "            Not Before: ", 24) <= 0)
-            goto err;
-        if (!ASN1_TIME_print(bp, X509_get0_notBefore(x)))
-            goto err;
-        if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
-            goto err;
-        if (!ASN1_TIME_print(bp, X509_get0_notAfter(x)))
-            goto err;
-        if (BIO_write(bp, "\n", 1) <= 0)
-            goto err;
-    }
-    if (!(cflag & X509_FLAG_NO_SUBJECT)) {
-        if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)
-            goto err;
-        if (X509_NAME_print_ex
-            (bp, X509_get_subject_name(x), nmindent, nmflags) < 0)
-            goto err;
-        if (BIO_write(bp, "\n", 1) <= 0)
-            goto err;
-    }
-    if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-        X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
-        ASN1_OBJECT *xpoid;
-        X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey);
-        if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
-            goto err;
-        if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
-            goto err;
-        if (i2a_ASN1_OBJECT(bp, xpoid) <= 0)
-            goto err;
-        if (BIO_puts(bp, "\n") <= 0)
-            goto err;
-
-        pkey = X509_get0_pubkey(x);
-        if (pkey == NULL) {
-            BIO_printf(bp, "%12sUnable to load Public Key\n", "");
-            ERR_print_errors(bp);
-        } else {
-            EVP_PKEY_print_public(bp, pkey, 16, NULL);
-        }
-    }
-
-    if (!(cflag & X509_FLAG_NO_IDS)) {
-        const ASN1_BIT_STRING *iuid, *suid;
-        X509_get0_uids(x, &iuid, &suid);
-        if (iuid != NULL) {
-            if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0)
-                goto err;
-            if (!X509_signature_dump(bp, iuid, 12))
-                goto err;
-        }
-        if (suid != NULL) {
-            if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0)
-                goto err;
-            if (!X509_signature_dump(bp, suid, 12))
-                goto err;
-        }
-    }
-
-    if (!(cflag & X509_FLAG_NO_EXTENSIONS))
-        X509V3_extensions_print(bp, "X509v3 extensions",
-                                X509_get0_extensions(x), cflag, 8);
-
-    if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
-        const X509_ALGOR *sig_alg;
-        const ASN1_BIT_STRING *sig;
-        X509_get0_signature(&sig, &sig_alg, x);
-        if (X509_signature_print(bp, sig_alg, sig) <= 0)
-            goto err;
-    }
-    if (!(cflag & X509_FLAG_NO_AUX)) {
-        if (!X509_aux_print(bp, x, 0))
-            goto err;
-    }
-    ret = 1;
- err:
-    OPENSSL_free(m);
-    return (ret);
-}
-
-int X509_ocspid_print(BIO *bp, X509 *x)
-{
-    unsigned char *der = NULL;
-    unsigned char *dertmp;
-    int derlen;
-    int i;
-    unsigned char SHA1md[SHA_DIGEST_LENGTH];
-    ASN1_BIT_STRING *keybstr;
-    X509_NAME *subj;
-
-    /*
-     * display the hash of the subject as it would appear in OCSP requests
-     */
-    if (BIO_printf(bp, "        Subject OCSP hash: ") <= 0)
-        goto err;
-    subj = X509_get_subject_name(x);
-    derlen = i2d_X509_NAME(subj, NULL);
-    if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL)
-        goto err;
-    i2d_X509_NAME(subj, &dertmp);
-
-    if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))
-        goto err;
-    for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
-        if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
-            goto err;
-    }
-    OPENSSL_free(der);
-    der = NULL;
-
-    /*
-     * display the hash of the public key as it would appear in OCSP requests
-     */
-    if (BIO_printf(bp, "\n        Public key OCSP hash: ") <= 0)
-        goto err;
-
-    keybstr = X509_get0_pubkey_bitstr(x);
-
-    if (keybstr == NULL)
-        goto err;
-
-    if (!EVP_Digest(ASN1_STRING_get0_data(keybstr),
-                    ASN1_STRING_length(keybstr), SHA1md, NULL, EVP_sha1(),
-                    NULL))
-        goto err;
-    for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
-        if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
-            goto err;
-    }
-    BIO_printf(bp, "\n");
-
-    return (1);
- err:
-    OPENSSL_free(der);
-    return (0);
-}
-
-int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
-{
-    const unsigned char *s;
-    int i, n;
-
-    n = sig->length;
-    s = sig->data;
-    for (i = 0; i < n; i++) {
-        if ((i % 18) == 0) {
-            if (BIO_write(bp, "\n", 1) <= 0)
-                return 0;
-            if (BIO_indent(bp, indent, indent) <= 0)
-                return 0;
-        }
-        if (BIO_printf(bp, "%02x%s", s[i], ((i + 1) == n) ? "" : ":") <= 0)
-            return 0;
-    }
-    if (BIO_write(bp, "\n", 1) != 1)
-        return 0;
-
-    return 1;
-}
-
-int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
-                         const ASN1_STRING *sig)
-{
-    int sig_nid;
-    if (BIO_puts(bp, "    Signature Algorithm: ") <= 0)
-        return 0;
-    if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0)
-        return 0;
-
-    sig_nid = OBJ_obj2nid(sigalg->algorithm);
-    if (sig_nid != NID_undef) {
-        int pkey_nid, dig_nid;
-        const EVP_PKEY_ASN1_METHOD *ameth;
-        if (OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) {
-            ameth = EVP_PKEY_asn1_find(NULL, pkey_nid);
-            if (ameth && ameth->sig_print)
-                return ameth->sig_print(bp, sigalg, sig, 9, 0);
-        }
-    }
-    if (sig)
-        return X509_signature_dump(bp, sig, 9);
-    else if (BIO_puts(bp, "\n") <= 0)
-        return 0;
-    return 1;
-}
-
-int X509_aux_print(BIO *out, X509 *x, int indent)
-{
-    char oidstr[80], first;
-    STACK_OF(ASN1_OBJECT) *trust, *reject;
-    const unsigned char *alias, *keyid;
-    int keyidlen;
-    int i;
-    if (X509_trusted(x) == 0)
-        return 1;
-    trust = X509_get0_trust_objects(x);
-    reject = X509_get0_reject_objects(x);
-    if (trust) {
-        first = 1;
-        BIO_printf(out, "%*sTrusted Uses:\n%*s", indent, "", indent + 2, "");
-        for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
-            if (!first)
-                BIO_puts(out, ", ");
-            else
-                first = 0;
-            OBJ_obj2txt(oidstr, sizeof oidstr,
-                        sk_ASN1_OBJECT_value(trust, i), 0);
-            BIO_puts(out, oidstr);
-        }
-        BIO_puts(out, "\n");
-    } else
-        BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
-    if (reject) {
-        first = 1;
-        BIO_printf(out, "%*sRejected Uses:\n%*s", indent, "", indent + 2, "");
-        for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
-            if (!first)
-                BIO_puts(out, ", ");
-            else
-                first = 0;
-            OBJ_obj2txt(oidstr, sizeof oidstr,
-                        sk_ASN1_OBJECT_value(reject, i), 0);
-            BIO_puts(out, oidstr);
-        }
-        BIO_puts(out, "\n");
-    } else
-        BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
-    alias = X509_alias_get0(x, NULL);
-    if (alias)
-        BIO_printf(out, "%*sAlias: %s\n", indent, "", alias);
-    keyid = X509_keyid_get0(x, &keyidlen);
-    if (keyid) {
-        BIO_printf(out, "%*sKey Id: ", indent, "");
-        for (i = 0; i < keyidlen; i++)
-            BIO_printf(out, "%s%02X", i ? ":" : "", keyid[i]);
-        BIO_write(out, "\n", 1);
-    }
-    return 1;
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/vpm_int.h b/Cryptlib/OpenSSL/crypto/x509/vpm_int.h
new file mode 100644
index 00000000..9c55defc
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/x509/vpm_int.h
@@ -0,0 +1,70 @@
+/* vpm_int.h */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2013.
+ */
+/* ====================================================================
+ * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* internal only structure to hold additional X509_VERIFY_PARAM data */
+
+struct X509_VERIFY_PARAM_ID_st {
+    STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */
+    unsigned int hostflags;     /* Flags to control matching features */
+    char *peername;             /* Matching hostname in peer certificate */
+    char *email;                /* If not NULL email address to match */
+    size_t emaillen;
+    unsigned char *ip;          /* If not NULL IP address to match */
+    size_t iplen;               /* Length of IP address */
+};
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_att.c b/Cryptlib/OpenSSL/crypto/x509/x509_att.c
index 15f0e4fc..25010753 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_att.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_att.c
@@ -1,21 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_att.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <openssl/stack.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include "x509_lcl.h"
 
 int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
 {
@@ -25,15 +73,16 @@ int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
 int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
                            int lastpos)
 {
-    const ASN1_OBJECT *obj = OBJ_nid2obj(nid);
+    ASN1_OBJECT *obj;
 
+    obj = OBJ_nid2obj(nid);
     if (obj == NULL)
         return (-2);
     return (X509at_get_attr_by_OBJ(x, obj, lastpos));
 }
 
 int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk,
-                           const ASN1_OBJECT *obj, int lastpos)
+                           ASN1_OBJECT *obj, int lastpos)
 {
     int n;
     X509_ATTRIBUTE *ex;
@@ -97,8 +146,10 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
  err:
     X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_MALLOC_FAILURE);
  err2:
-    X509_ATTRIBUTE_free(new_attr);
-    sk_X509_ATTRIBUTE_free(sk);
+    if (new_attr != NULL)
+        X509_ATTRIBUTE_free(new_attr);
+    if (sk != NULL)
+        sk_X509_ATTRIBUTE_free(sk);
     return (NULL);
 }
 
@@ -150,7 +201,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
 }
 
 void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
-                              const ASN1_OBJECT *obj, int lastpos, int type)
+                              ASN1_OBJECT *obj, int lastpos, int type)
 {
     int i;
     X509_ATTRIBUTE *at;
@@ -239,7 +290,7 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
         return (0);
     ASN1_OBJECT_free(attr->object);
     attr->object = OBJ_dup(obj);
-    return attr->object != NULL;
+    return (1);
 }
 
 int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
@@ -259,12 +310,15 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
         }
         atype = stmp->type;
     } else if (len != -1) {
-        if ((stmp = ASN1_STRING_type_new(attrtype)) == NULL)
+        if (!(stmp = ASN1_STRING_type_new(attrtype)))
             goto err;
         if (!ASN1_STRING_set(stmp, data, len))
             goto err;
         atype = attrtype;
     }
+    if (!(attr->value.set = sk_ASN1_TYPE_new_null()))
+        goto err;
+    attr->single = 0;
     /*
      * This is a bit naughty because the attribute should really have at
      * least one value but some types use and zero length SET and require
@@ -274,7 +328,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
         ASN1_STRING_free(stmp);
         return 1;
     }
-    if ((ttmp = ASN1_TYPE_new()) == NULL)
+    if (!(ttmp = ASN1_TYPE_new()))
         goto err;
     if ((len == -1) && !(attrtype & MBSTRING_FLAG)) {
         if (!ASN1_TYPE_set1(ttmp, attrtype, data))
@@ -283,7 +337,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
         ASN1_TYPE_set(ttmp, atype, stmp);
         stmp = NULL;
     }
-    if (!sk_ASN1_TYPE_push(attr->set, ttmp))
+    if (!sk_ASN1_TYPE_push(attr->value.set, ttmp))
         goto err;
     return 1;
  err:
@@ -293,11 +347,13 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
     return 0;
 }
 
-int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr)
+int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
 {
-    if (attr == NULL)
-        return 0;
-    return sk_ASN1_TYPE_num(attr->set);
+    if (!attr->single)
+        return sk_ASN1_TYPE_num(attr->value.set);
+    if (attr->value.single)
+        return 1;
+    return 0;
 }
 
 ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
@@ -324,6 +380,11 @@ void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
 ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
 {
     if (attr == NULL)
+        return (NULL);
+    if (idx >= X509_ATTRIBUTE_count(attr))
         return NULL;
-    return sk_ASN1_TYPE_value(attr->set, idx);
+    if (!attr->single)
+        return sk_ASN1_TYPE_value(attr->value.set, idx);
+    else
+        return attr->value.single;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c
index 01056356..49c71b91 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_cmp.c
@@ -1,29 +1,77 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_cmp.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
 
 int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
 {
     int i;
-    const X509_CINF *ai, *bi;
+    X509_CINF *ai, *bi;
 
-    ai = &a->cert_info;
-    bi = &b->cert_info;
-    i = ASN1_INTEGER_cmp(&ai->serialNumber, &bi->serialNumber);
+    ai = a->cert_info;
+    bi = b->cert_info;
+    i = M_ASN1_INTEGER_cmp(ai->serialNumber, bi->serialNumber);
     if (i)
         return (i);
     return (X509_NAME_cmp(ai->issuer, bi->issuer));
@@ -33,97 +81,94 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
 unsigned long X509_issuer_and_serial_hash(X509 *a)
 {
     unsigned long ret = 0;
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX ctx;
     unsigned char md[16];
     char *f;
 
-    if (ctx == NULL)
+    EVP_MD_CTX_init(&ctx);
+    f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
+    if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
         goto err;
-    f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
-    if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
-        goto err;
-    if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
+    if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))
         goto err;
     OPENSSL_free(f);
     if (!EVP_DigestUpdate
-        (ctx, (unsigned char *)a->cert_info.serialNumber.data,
-         (unsigned long)a->cert_info.serialNumber.length))
+        (&ctx, (unsigned char *)a->cert_info->serialNumber->data,
+         (unsigned long)a->cert_info->serialNumber->length))
         goto err;
-    if (!EVP_DigestFinal_ex(ctx, &(md[0]), NULL))
+    if (!EVP_DigestFinal_ex(&ctx, &(md[0]), NULL))
         goto err;
     ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
            ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
         ) & 0xffffffffL;
  err:
-    EVP_MD_CTX_free(ctx);
+    EVP_MD_CTX_cleanup(&ctx);
     return (ret);
 }
 #endif
 
 int X509_issuer_name_cmp(const X509 *a, const X509 *b)
 {
-    return (X509_NAME_cmp(a->cert_info.issuer, b->cert_info.issuer));
+    return (X509_NAME_cmp(a->cert_info->issuer, b->cert_info->issuer));
 }
 
 int X509_subject_name_cmp(const X509 *a, const X509 *b)
 {
-    return (X509_NAME_cmp(a->cert_info.subject, b->cert_info.subject));
+    return (X509_NAME_cmp(a->cert_info->subject, b->cert_info->subject));
 }
 
 int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
 {
-    return (X509_NAME_cmp(a->crl.issuer, b->crl.issuer));
+    return (X509_NAME_cmp(a->crl->issuer, b->crl->issuer));
 }
 
+#ifndef OPENSSL_NO_SHA
 int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
 {
     return memcmp(a->sha1_hash, b->sha1_hash, 20);
 }
+#endif
 
-X509_NAME *X509_get_issuer_name(const X509 *a)
+X509_NAME *X509_get_issuer_name(X509 *a)
 {
-    return (a->cert_info.issuer);
+    return (a->cert_info->issuer);
 }
 
 unsigned long X509_issuer_name_hash(X509 *x)
 {
-    return (X509_NAME_hash(x->cert_info.issuer));
+    return (X509_NAME_hash(x->cert_info->issuer));
 }
 
 #ifndef OPENSSL_NO_MD5
 unsigned long X509_issuer_name_hash_old(X509 *x)
 {
-    return (X509_NAME_hash_old(x->cert_info.issuer));
+    return (X509_NAME_hash_old(x->cert_info->issuer));
 }
 #endif
 
-X509_NAME *X509_get_subject_name(const X509 *a)
+X509_NAME *X509_get_subject_name(X509 *a)
 {
-    return (a->cert_info.subject);
+    return (a->cert_info->subject);
 }
 
 ASN1_INTEGER *X509_get_serialNumber(X509 *a)
 {
-    return &a->cert_info.serialNumber;
-}
-
-const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a)
-{
-    return &a->cert_info.serialNumber;
+    return (a->cert_info->serialNumber);
 }
 
 unsigned long X509_subject_name_hash(X509 *x)
 {
-    return (X509_NAME_hash(x->cert_info.subject));
+    return (X509_NAME_hash(x->cert_info->subject));
 }
 
 #ifndef OPENSSL_NO_MD5
 unsigned long X509_subject_name_hash_old(X509 *x)
 {
-    return (X509_NAME_hash_old(x->cert_info.subject));
+    return (X509_NAME_hash_old(x->cert_info->subject));
 }
 #endif
 
+#ifndef OPENSSL_NO_SHA
 /*
  * Compare two certificates: they must be identical for this to work. NB:
  * Although "cmp" operations are generally prototyped to take "const"
@@ -143,16 +188,16 @@ int X509_cmp(const X509 *a, const X509 *b)
     if (rv)
         return rv;
     /* Check for match against stored encoding too */
-    if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) {
-        if (a->cert_info.enc.len < b->cert_info.enc.len)
-            return -1;
-        if (a->cert_info.enc.len > b->cert_info.enc.len)
-            return 1;
-        return memcmp(a->cert_info.enc.enc, b->cert_info.enc.enc,
-                      a->cert_info.enc.len);
+    if (!a->cert_info->enc.modified && !b->cert_info->enc.modified) {
+        rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len);
+        if (rv)
+            return rv;
+        return memcmp(a->cert_info->enc.enc, b->cert_info->enc.enc,
+                      a->cert_info->enc.len);
     }
     return rv;
 }
+#endif
 
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
 {
@@ -206,23 +251,21 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 
 unsigned long X509_NAME_hash_old(X509_NAME *x)
 {
-    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
+    EVP_MD_CTX md_ctx;
     unsigned long ret = 0;
     unsigned char md[16];
 
-    if (md_ctx == NULL)
-        return ret;
-
     /* Make sure X509_NAME structure contains valid cached encoding */
     i2d_X509_NAME(x, NULL);
-    EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-    if (EVP_DigestInit_ex(md_ctx, EVP_md5(), NULL)
-        && EVP_DigestUpdate(md_ctx, x->bytes->data, x->bytes->length)
-        && EVP_DigestFinal_ex(md_ctx, md, NULL))
+    EVP_MD_CTX_init(&md_ctx);
+    EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+    if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
+        && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
+        && EVP_DigestFinal_ex(&md_ctx, md, NULL))
         ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
                ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
             ) & 0xffffffffL;
-    EVP_MD_CTX_free(md_ctx);
+    EVP_MD_CTX_cleanup(&md_ctx);
 
     return (ret);
 }
@@ -233,13 +276,15 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
                                      ASN1_INTEGER *serial)
 {
     int i;
+    X509_CINF cinf;
     X509 x, *x509 = NULL;
 
     if (!sk)
         return NULL;
 
-    x.cert_info.serialNumber = *serial;
-    x.cert_info.issuer = name;
+    x.cert_info = &cinf;
+    cinf.serialNumber = serial;
+    cinf.issuer = name;
 
     for (i = 0; i < sk_X509_num(sk); i++) {
         x509 = sk_X509_value(sk, i);
@@ -262,26 +307,26 @@ X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
     return (NULL);
 }
 
-EVP_PKEY *X509_get0_pubkey(const X509 *x)
+EVP_PKEY *X509_get_pubkey(X509 *x)
 {
-    if (x == NULL)
-        return NULL;
-    return X509_PUBKEY_get0(x->cert_info.key);
+    if ((x == NULL) || (x->cert_info == NULL))
+        return (NULL);
+    return (X509_PUBKEY_get(x->cert_info->key));
 }
 
-EVP_PKEY *X509_get_pubkey(X509 *x)
+ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
 {
-    if (x == NULL)
+    if (!x)
         return NULL;
-    return X509_PUBKEY_get(x->cert_info.key);
+    return x->cert_info->key->public_key;
 }
 
-int X509_check_private_key(const X509 *x, const EVP_PKEY *k)
+int X509_check_private_key(X509 *x, EVP_PKEY *k)
 {
-    const EVP_PKEY *xk;
+    EVP_PKEY *xk;
     int ret;
 
-    xk = X509_get0_pubkey(x);
+    xk = X509_get_pubkey(x);
 
     if (xk)
         ret = EVP_PKEY_cmp(xk, k);
@@ -300,6 +345,8 @@ int X509_check_private_key(const X509 *x, const EVP_PKEY *k)
     case -2:
         X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_UNKNOWN_KEY_TYPE);
     }
+    if (xk)
+        EVP_PKEY_free(xk);
     if (ret > 0)
         return 1;
     return 0;
@@ -317,8 +364,8 @@ static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
 {
     const EC_GROUP *grp = NULL;
     int curve_nid;
-    if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC)
-        grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey));
+    if (pkey && pkey->type == EVP_PKEY_EC)
+        grp = EC_KEY_get0_group(pkey->pkey.ec);
     if (!grp)
         return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
     curve_nid = EC_GROUP_get_curve_name(grp);
@@ -348,12 +395,11 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
                             unsigned long flags)
 {
     int rv, i, sign_nid;
-    EVP_PKEY *pk;
-    unsigned long tflags = flags;
-
+    EVP_PKEY *pk = NULL;
+    unsigned long tflags;
     if (!(flags & X509_V_FLAG_SUITEB_128_LOS))
         return X509_V_OK;
-
+    tflags = flags;
     /* If no EE certificate passed in must be first in chain */
     if (x == NULL) {
         x = sk_X509_value(chain, 0);
@@ -361,17 +407,6 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
     } else
         i = 0;
 
-    pk = X509_get0_pubkey(x);
-
-    /*
-     * With DANE-EE(3) success, or DANE-EE(3)/PKIX-EE(1) failure we don't build
-     * a chain all, just report trust success or failure, but must also report
-     * Suite-B errors if applicable.  This is indicated via a NULL chain
-     * pointer.  All we need to do is check the leaf key algorithm.
-     */
-    if (chain == NULL)
-        return check_suite_b(pk, -1, &tflags);
-
     if (X509_get_version(x) != 2) {
         rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
         /* Correct error depth */
@@ -379,6 +414,7 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
         goto end;
     }
 
+    pk = X509_get_pubkey(x);
     /* Check EE key only */
     rv = check_suite_b(pk, -1, &tflags);
     if (rv != X509_V_OK) {
@@ -393,7 +429,8 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
             rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
             goto end;
         }
-        pk = X509_get0_pubkey(x);
+        EVP_PKEY_free(pk);
+        pk = X509_get_pubkey(x);
         rv = check_suite_b(pk, sign_nid, &tflags);
         if (rv != X509_V_OK)
             goto end;
@@ -402,6 +439,8 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
     /* Final check: root CA signature */
     rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);
  end:
+    if (pk)
+        EVP_PKEY_free(pk);
     if (rv != X509_V_OK) {
         /* Invalid signature or LOS errors are for previous cert */
         if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
@@ -409,7 +448,7 @@ int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
             i--;
         /*
          * If we have LOS error and flags changed then we are signing P-384
-         * with P-256. Use more meaningful error.
+         * with P-256. Use more meaninggul error.
          */
         if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags)
             rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
@@ -424,7 +463,7 @@ int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
     int sign_nid;
     if (!(flags & X509_V_FLAG_SUITEB_128_LOS))
         return X509_V_OK;
-    sign_nid = OBJ_obj2nid(crl->crl.sig_alg.algorithm);
+    sign_nid = OBJ_obj2nid(crl->crl->sig_alg->algorithm);
     return check_suite_b(pk, sign_nid, &flags);
 }
 
@@ -453,7 +492,7 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain)
     ret = sk_X509_dup(chain);
     for (i = 0; i < sk_X509_num(ret); i++) {
         X509 *x = sk_X509_value(ret, i);
-        X509_up_ref(x);
+        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
     }
     return ret;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_d2.c b/Cryptlib/OpenSSL/crypto/x509/x509_d2.c
index cb03dbfa..50ca2a6d 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_d2.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_d2.c
@@ -1,17 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_d2.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 
+#ifndef OPENSSL_NO_STDIO
 int X509_STORE_set_default_paths(X509_STORE *ctx)
 {
     X509_LOOKUP *lookup;
@@ -55,3 +105,5 @@ int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
         return (0);
     return (1);
 }
+
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_def.c b/Cryptlib/OpenSSL/crypto/x509/x509_def.c
index d11358e3..25c55375 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_def.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_def.c
@@ -1,14 +1,63 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_def.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_err.c b/Cryptlib/OpenSSL/crypto/x509/x509_err.c
index 3f4b8ef0..a2a8e1b0 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_err.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -19,14 +70,12 @@
 # define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
 
 static ERR_STRING_DATA X509_str_functs[] = {
-    {ERR_FUNC(X509_F_ADD_CERT_DIR), "add_cert_dir"},
-    {ERR_FUNC(X509_F_BUILD_CHAIN), "build_chain"},
-    {ERR_FUNC(X509_F_BY_FILE_CTRL), "by_file_ctrl"},
-    {ERR_FUNC(X509_F_CHECK_NAME_CONSTRAINTS), "check_name_constraints"},
-    {ERR_FUNC(X509_F_CHECK_POLICY), "check_policy"},
-    {ERR_FUNC(X509_F_DANE_I2D), "dane_i2d"},
-    {ERR_FUNC(X509_F_DIR_CTRL), "dir_ctrl"},
-    {ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "get_cert_by_subject"},
+    {ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
+    {ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
+    {ERR_FUNC(X509_F_CHECK_NAME_CONSTRAINTS), "CHECK_NAME_CONSTRAINTS"},
+    {ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
+    {ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"},
+    {ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"},
     {ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_DECODE), "NETSCAPE_SPKI_b64_decode"},
     {ERR_FUNC(X509_F_NETSCAPE_SPKI_B64_ENCODE), "NETSCAPE_SPKI_b64_encode"},
     {ERR_FUNC(X509_F_X509AT_ADD1_ATTR), "X509at_add1_attr"},
@@ -60,10 +109,8 @@ static ERR_STRING_DATA X509_str_functs[] = {
      "X509_NAME_ENTRY_set_object"},
     {ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"},
     {ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"},
-    {ERR_FUNC(X509_F_X509_OBJECT_NEW), "X509_OBJECT_new"},
     {ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"},
-    {ERR_FUNC(X509_F_X509_PUBKEY_DECODE), "x509_pubkey_decode"},
-    {ERR_FUNC(X509_F_X509_PUBKEY_GET0), "X509_PUBKEY_get0"},
+    {ERR_FUNC(X509_F_X509_PUBKEY_GET), "X509_PUBKEY_get"},
     {ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"},
     {ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY),
      "X509_REQ_check_private_key"},
@@ -87,7 +134,6 @@ static ERR_STRING_DATA X509_str_functs[] = {
 
 static ERR_STRING_DATA X509_str_reasons[] = {
     {ERR_REASON(X509_R_AKID_MISMATCH), "akid mismatch"},
-    {ERR_REASON(X509_R_BAD_SELECTOR), "bad selector"},
     {ERR_REASON(X509_R_BAD_X509_FILETYPE), "bad x509 filetype"},
     {ERR_REASON(X509_R_BASE64_DECODE_ERROR), "base64 decode error"},
     {ERR_REASON(X509_R_CANT_CHECK_DH_KEY), "cant check dh key"},
@@ -95,6 +141,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
      "cert already in hash table"},
     {ERR_REASON(X509_R_CRL_ALREADY_DELTA), "crl already delta"},
     {ERR_REASON(X509_R_CRL_VERIFY_FAILURE), "crl verify failure"},
+    {ERR_REASON(X509_R_ERR_ASN1_LIB), "err asn1 lib"},
     {ERR_REASON(X509_R_IDP_MISMATCH), "idp mismatch"},
     {ERR_REASON(X509_R_INVALID_DIRECTORY), "invalid directory"},
     {ERR_REASON(X509_R_INVALID_FIELD_NAME), "invalid field name"},
@@ -129,7 +176,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
 
 #endif
 
-int ERR_load_X509_strings(void)
+void ERR_load_X509_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -138,5 +185,4 @@ int ERR_load_X509_strings(void)
         ERR_load_strings(0, X509_str_reasons);
     }
 #endif
-    return 1;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_ext.c b/Cryptlib/OpenSSL/crypto/x509/x509_ext.c
index 3bbb0a6b..fb4e311d 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_ext.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_ext.c
@@ -1,139 +1,186 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_ext.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <openssl/stack.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/x509v3.h>
 
-int X509_CRL_get_ext_count(const X509_CRL *x)
+int X509_CRL_get_ext_count(X509_CRL *x)
 {
-    return (X509v3_get_ext_count(x->crl.extensions));
+    return (X509v3_get_ext_count(x->crl->extensions));
 }
 
-int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos)
+int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
 {
-    return (X509v3_get_ext_by_NID(x->crl.extensions, nid, lastpos));
+    return (X509v3_get_ext_by_NID(x->crl->extensions, nid, lastpos));
 }
 
-int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj,
-                            int lastpos)
+int X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
 {
-    return (X509v3_get_ext_by_OBJ(x->crl.extensions, obj, lastpos));
+    return (X509v3_get_ext_by_OBJ(x->crl->extensions, obj, lastpos));
 }
 
-int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos)
+int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
 {
-    return (X509v3_get_ext_by_critical(x->crl.extensions, crit, lastpos));
+    return (X509v3_get_ext_by_critical(x->crl->extensions, crit, lastpos));
 }
 
-X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc)
+X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc)
 {
-    return (X509v3_get_ext(x->crl.extensions, loc));
+    return (X509v3_get_ext(x->crl->extensions, loc));
 }
 
 X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc)
 {
-    return (X509v3_delete_ext(x->crl.extensions, loc));
+    return (X509v3_delete_ext(x->crl->extensions, loc));
 }
 
-void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx)
+void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
 {
-    return X509V3_get_d2i(x->crl.extensions, nid, crit, idx);
+    return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
 }
 
 int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
                           unsigned long flags)
 {
-    return X509V3_add1_i2d(&x->crl.extensions, nid, value, crit, flags);
+    return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);
 }
 
 int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
 {
-    return (X509v3_add_ext(&(x->crl.extensions), ex, loc) != NULL);
+    return (X509v3_add_ext(&(x->crl->extensions), ex, loc) != NULL);
 }
 
-int X509_get_ext_count(const X509 *x)
+int X509_get_ext_count(X509 *x)
 {
-    return (X509v3_get_ext_count(x->cert_info.extensions));
+    return (X509v3_get_ext_count(x->cert_info->extensions));
 }
 
-int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos)
+int X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
 {
-    return (X509v3_get_ext_by_NID(x->cert_info.extensions, nid, lastpos));
+    return (X509v3_get_ext_by_NID(x->cert_info->extensions, nid, lastpos));
 }
 
-int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos)
+int X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
 {
-    return (X509v3_get_ext_by_OBJ(x->cert_info.extensions, obj, lastpos));
+    return (X509v3_get_ext_by_OBJ(x->cert_info->extensions, obj, lastpos));
 }
 
-int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos)
+int X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
 {
     return (X509v3_get_ext_by_critical
-            (x->cert_info.extensions, crit, lastpos));
+            (x->cert_info->extensions, crit, lastpos));
 }
 
-X509_EXTENSION *X509_get_ext(const X509 *x, int loc)
+X509_EXTENSION *X509_get_ext(X509 *x, int loc)
 {
-    return (X509v3_get_ext(x->cert_info.extensions, loc));
+    return (X509v3_get_ext(x->cert_info->extensions, loc));
 }
 
 X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
 {
-    return (X509v3_delete_ext(x->cert_info.extensions, loc));
+    return (X509v3_delete_ext(x->cert_info->extensions, loc));
 }
 
 int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
 {
-    return (X509v3_add_ext(&(x->cert_info.extensions), ex, loc) != NULL);
+    return (X509v3_add_ext(&(x->cert_info->extensions), ex, loc) != NULL);
 }
 
-void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx)
+void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
 {
-    return X509V3_get_d2i(x->cert_info.extensions, nid, crit, idx);
+    return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
 }
 
 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
                       unsigned long flags)
 {
-    return X509V3_add1_i2d(&x->cert_info.extensions, nid, value, crit,
+    return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit,
                            flags);
 }
 
-int X509_REVOKED_get_ext_count(const X509_REVOKED *x)
+int X509_REVOKED_get_ext_count(X509_REVOKED *x)
 {
     return (X509v3_get_ext_count(x->extensions));
 }
 
-int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos)
+int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos)
 {
     return (X509v3_get_ext_by_NID(x->extensions, nid, lastpos));
 }
 
-int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj,
+int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj,
                                 int lastpos)
 {
     return (X509v3_get_ext_by_OBJ(x->extensions, obj, lastpos));
 }
 
-int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpos)
+int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos)
 {
     return (X509v3_get_ext_by_critical(x->extensions, crit, lastpos));
 }
 
-X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc)
+X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc)
 {
     return (X509v3_get_ext(x->extensions, loc));
 }
@@ -148,7 +195,7 @@ int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc)
     return (X509v3_add_ext(&(x->extensions), ex, loc) != NULL);
 }
 
-void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, int *crit, int *idx)
+void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
 {
     return X509V3_get_d2i(x->extensions, nid, crit, idx);
 }
@@ -158,3 +205,7 @@ int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
 {
     return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);
 }
+
+IMPLEMENT_STACK_OF(X509_EXTENSION)
+
+IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lcl.h b/Cryptlib/OpenSSL/crypto/x509/x509_lcl.h
deleted file mode 100644
index 40bd102f..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/x509_lcl.h
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * This structure holds all parameters associated with a verify operation by
- * including an X509_VERIFY_PARAM structure in related structures the
- * parameters used can be customized
- */
-
-struct X509_VERIFY_PARAM_st {
-    char *name;
-    time_t check_time;          /* Time to use */
-    uint32_t inh_flags;         /* Inheritance flags */
-    unsigned long flags;        /* Various verify flags */
-    int purpose;                /* purpose to check untrusted certificates */
-    int trust;                  /* trust setting to check */
-    int depth;                  /* Verify depth */
-    int auth_level;             /* Security level for chain verification */
-    STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
-    /* Peer identity details */
-    STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */
-    unsigned int hostflags;     /* Flags to control matching features */
-    char *peername;             /* Matching hostname in peer certificate */
-    char *email;                /* If not NULL email address to match */
-    size_t emaillen;
-    unsigned char *ip;          /* If not NULL IP address to match */
-    size_t iplen;               /* Length of IP address */
-};
-
-/* No error callback if depth < 0 */
-int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth);
-
-/* a sequence of these are used */
-struct x509_attributes_st {
-    ASN1_OBJECT *object;
-    STACK_OF(ASN1_TYPE) *set;
-};
-
-struct X509_extension_st {
-    ASN1_OBJECT *object;
-    ASN1_BOOLEAN critical;
-    ASN1_OCTET_STRING value;
-};
-
-/*
- * Method to handle CRL access. In general a CRL could be very large (several
- * Mb) and can consume large amounts of resources if stored in memory by
- * multiple processes. This method allows general CRL operations to be
- * redirected to more efficient callbacks: for example a CRL entry database.
- */
-
-#define X509_CRL_METHOD_DYNAMIC         1
-
-struct x509_crl_method_st {
-    int flags;
-    int (*crl_init) (X509_CRL *crl);
-    int (*crl_free) (X509_CRL *crl);
-    int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret,
-                       ASN1_INTEGER *ser, X509_NAME *issuer);
-    int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk);
-};
-
-struct x509_lookup_method_st {
-    const char *name;
-    int (*new_item) (X509_LOOKUP *ctx);
-    void (*free) (X509_LOOKUP *ctx);
-    int (*init) (X509_LOOKUP *ctx);
-    int (*shutdown) (X509_LOOKUP *ctx);
-    int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
-                 char **ret);
-    int (*get_by_subject) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                           X509_NAME *name, X509_OBJECT *ret);
-    int (*get_by_issuer_serial) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                                 X509_NAME *name, ASN1_INTEGER *serial,
-                                 X509_OBJECT *ret);
-    int (*get_by_fingerprint) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                               const unsigned char *bytes, int len,
-                               X509_OBJECT *ret);
-    int (*get_by_alias) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                         const char *str, int len, X509_OBJECT *ret);
-};
-
-/* This is the functions plus an instance of the local variables. */
-struct x509_lookup_st {
-    int init;                   /* have we been started */
-    int skip;                   /* don't use us. */
-    X509_LOOKUP_METHOD *method; /* the functions */
-    char *method_data;          /* method data */
-    X509_STORE *store_ctx;      /* who owns us */
-};
-
-/*
- * This is used to hold everything.  It is used for all certificate
- * validation.  Once we have a certificate chain, the 'verify' function is
- * then called to actually check the cert chain.
- */
-struct x509_store_st {
-    /* The following is a cache of trusted certs */
-    int cache;                  /* if true, stash any hits */
-    STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
-    /* These are external lookup methods */
-    STACK_OF(X509_LOOKUP) *get_cert_methods;
-    X509_VERIFY_PARAM *param;
-    /* Callbacks for various operations */
-    /* called to verify a certificate */
-    int (*verify) (X509_STORE_CTX *ctx);
-    /* error callback */
-    int (*verify_cb) (int ok, X509_STORE_CTX *ctx);
-    /* get issuers cert from ctx */
-    int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
-    /* check issued */
-    int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
-    /* Check revocation status of chain */
-    int (*check_revocation) (X509_STORE_CTX *ctx);
-    /* retrieve CRL */
-    int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
-    /* Check CRL validity */
-    int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl);
-    /* Check certificate against CRL */
-    int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
-    /* Check policy status of the chain */
-    int (*check_policy) (X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
-    STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
-    int (*cleanup) (X509_STORE_CTX *ctx);
-    CRYPTO_EX_DATA ex_data;
-    int references;
-    CRYPTO_RWLOCK *lock;
-};
-
-typedef struct lookup_dir_hashes_st BY_DIR_HASH;
-typedef struct lookup_dir_entry_st BY_DIR_ENTRY;
-DEFINE_STACK_OF(BY_DIR_HASH)
-DEFINE_STACK_OF(BY_DIR_ENTRY)
-typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
-DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c
index 952cbfb3..50120a4d 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c
@@ -1,29 +1,80 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_lu.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/x509v3.h>
-#include "x509_lcl.h"
 
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
 {
     X509_LOOKUP *ret;
 
-    ret = OPENSSL_zalloc(sizeof(*ret));
+    ret = (X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP));
     if (ret == NULL)
         return NULL;
 
+    ret->init = 0;
+    ret->skip = 0;
     ret->method = method;
+    ret->method_data = NULL;
+    ret->store_ctx = NULL;
     if ((method->new_item != NULL) && !method->new_item(ret)) {
         OPENSSL_free(ret);
         return NULL;
@@ -40,16 +91,6 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
     OPENSSL_free(ctx);
 }
 
-int X509_STORE_lock(X509_STORE *s)
-{
-    return CRYPTO_THREAD_write_lock(s->lock);
-}
-
-int X509_STORE_unlock(X509_STORE *s)
-{
-    return CRYPTO_THREAD_unlock(s->lock);
-}
-
 int X509_LOOKUP_init(X509_LOOKUP *ctx)
 {
     if (ctx->method == NULL)
@@ -81,39 +122,38 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
         return 1;
 }
 
-int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                           X509_NAME *name, X509_OBJECT *ret)
+int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
+                           X509_OBJECT *ret)
 {
     if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
-        return 0;
+        return X509_LU_FAIL;
     if (ctx->skip)
         return 0;
     return ctx->method->get_by_subject(ctx, type, name, ret);
 }
 
-int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                                 X509_NAME *name, ASN1_INTEGER *serial,
-                                 X509_OBJECT *ret)
+int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
+                                 ASN1_INTEGER *serial, X509_OBJECT *ret)
 {
     if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL))
-        return 0;
+        return X509_LU_FAIL;
     return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret);
 }
 
-int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                               const unsigned char *bytes, int len,
+int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
+                               unsigned char *bytes, int len,
                                X509_OBJECT *ret)
 {
     if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
-        return 0;
+        return X509_LU_FAIL;
     return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret);
 }
 
-int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                         const char *str, int len, X509_OBJECT *ret)
+int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
+                         X509_OBJECT *ret)
 {
     if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
-        return 0;
+        return X509_LU_FAIL;
     return ctx->method->get_by_alias(ctx, type, str, len, ret);
 }
 
@@ -143,33 +183,35 @@ X509_STORE *X509_STORE_new(void)
 {
     X509_STORE *ret;
 
-    if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
+    if ((ret = (X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL)
         return NULL;
-    if ((ret->objs = sk_X509_OBJECT_new(x509_object_cmp)) == NULL)
-        goto err;
+    ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
     ret->cache = 1;
-    if ((ret->get_cert_methods = sk_X509_LOOKUP_new_null()) == NULL)
-        goto err;
+    ret->get_cert_methods = sk_X509_LOOKUP_new_null();
+    ret->verify = 0;
+    ret->verify_cb = 0;
 
     if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
-        goto err;
-
-    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
-        goto err;
+        return NULL;
 
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL)
-        goto err;
+    ret->get_issuer = 0;
+    ret->check_issued = 0;
+    ret->check_revocation = 0;
+    ret->get_crl = 0;
+    ret->check_crl = 0;
+    ret->cert_crl = 0;
+    ret->lookup_certs = 0;
+    ret->lookup_crls = 0;
+    ret->cleanup = 0;
+
+    if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) {
+        sk_X509_OBJECT_free(ret->objs);
+        OPENSSL_free(ret);
+        return NULL;
+    }
 
     ret->references = 1;
     return ret;
-
-err:
-    X509_VERIFY_PARAM_free(ret->param);
-    sk_X509_OBJECT_free(ret->objs);
-    sk_X509_LOOKUP_free(ret->get_cert_methods);
-    OPENSSL_free(ret);
-    return NULL;
 }
 
 static void cleanup(X509_OBJECT *a)
@@ -196,11 +238,18 @@ void X509_STORE_free(X509_STORE *vfy)
     if (vfy == NULL)
         return;
 
-    CRYPTO_atomic_add(&vfy->references, -1, &i, vfy->lock);
-    REF_PRINT_COUNT("X509_STORE", vfy);
+    i = CRYPTO_add(&vfy->references, -1, CRYPTO_LOCK_X509_STORE);
+#ifdef REF_PRINT
+    REF_PRINT("X509_STORE", vfy);
+#endif
     if (i > 0)
         return;
-    REF_ASSERT_ISNT(i < 0);
+#ifdef REF_CHECK
+    if (i < 0) {
+        fprintf(stderr, "X509_STORE_free, bad reference count\n");
+        abort();                /* ok */
+    }
+#endif
 
     sk = vfy->get_cert_methods;
     for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
@@ -212,23 +261,11 @@ void X509_STORE_free(X509_STORE *vfy)
     sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
-    X509_VERIFY_PARAM_free(vfy->param);
-    CRYPTO_THREAD_lock_free(vfy->lock);
+    if (vfy->param)
+        X509_VERIFY_PARAM_free(vfy->param);
     OPENSSL_free(vfy);
 }
 
-int X509_STORE_up_ref(X509_STORE *vfy)
-{
-    int i;
-
-    if (CRYPTO_atomic_add(&vfy->references, 1, &i, vfy->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("X509_STORE", a);
-    REF_ASSERT_ISNT(i < 2);
-    return ((i > 1) ? 1 : 0);
-}
-
 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
 {
     int i;
@@ -257,46 +294,39 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
     }
 }
 
-X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
-                                               X509_LOOKUP_TYPE type,
-                                               X509_NAME *name)
-{
-    X509_OBJECT *ret = X509_OBJECT_new();
-
-    if (ret == NULL)
-        return NULL;
-    if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) {
-        X509_OBJECT_free(ret);
-        return NULL;
-    }
-    return ret;
-}
-
-int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
-                                  X509_NAME *name, X509_OBJECT *ret)
+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+                              X509_OBJECT *ret)
 {
     X509_STORE *ctx = vs->ctx;
     X509_LOOKUP *lu;
     X509_OBJECT stmp, *tmp;
     int i, j;
 
-    CRYPTO_THREAD_write_lock(ctx->lock);
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
     tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
-    CRYPTO_THREAD_unlock(ctx->lock);
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
     if (tmp == NULL || type == X509_LU_CRL) {
-        for (i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
+        for (i = vs->current_method;
+             i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
             lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i);
             j = X509_LOOKUP_by_subject(lu, type, name, &stmp);
-            if (j) {
+            if (j < 0) {
+                vs->current_method = j;
+                return j;
+            } else if (j) {
                 tmp = &stmp;
                 break;
             }
         }
+        vs->current_method = 0;
         if (tmp == NULL)
             return 0;
     }
 
+/*- if (ret->data.ptr != NULL)
+            X509_OBJECT_free_contents(ret); */
+
     ret->type = tmp->type;
     ret->data.ptr = tmp->data.ptr;
 
@@ -308,34 +338,32 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
 {
     X509_OBJECT *obj;
-    int ret = 1, added = 1;
+    int ret = 1;
 
     if (x == NULL)
         return 0;
-    obj = X509_OBJECT_new();
-    if (obj == NULL)
+    obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
+    if (obj == NULL) {
+        X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE);
         return 0;
+    }
     obj->type = X509_LU_X509;
     obj->data.x509 = x;
-    X509_OBJECT_up_ref_count(obj);
 
-    CRYPTO_THREAD_write_lock(ctx->lock);
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+    X509_OBJECT_up_ref_count(obj);
 
     if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
+        X509_OBJECT_free_contents(obj);
+        OPENSSL_free(obj);
         X509err(X509_F_X509_STORE_ADD_CERT,
                 X509_R_CERT_ALREADY_IN_HASH_TABLE);
         ret = 0;
-    } else {
-        added = sk_X509_OBJECT_push(ctx->objs, obj);
-        ret = added != 0;
-    }
-
-    CRYPTO_THREAD_unlock(ctx->lock);
+    } else
+        sk_X509_OBJECT_push(ctx->objs, obj);
 
-    if (!ret)                   /* obj not pushed */
-        X509_OBJECT_free(obj);
-    if (!added)                 /* on push failure */
-        X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE);
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
     return ret;
 }
@@ -343,89 +371,50 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
 {
     X509_OBJECT *obj;
-    int ret = 1, added = 1;
+    int ret = 1;
 
     if (x == NULL)
         return 0;
-    obj = X509_OBJECT_new();
-    if (obj == NULL)
+    obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
+    if (obj == NULL) {
+        X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE);
         return 0;
+    }
     obj->type = X509_LU_CRL;
     obj->data.crl = x;
-    X509_OBJECT_up_ref_count(obj);
 
-    CRYPTO_THREAD_write_lock(ctx->lock);
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+    X509_OBJECT_up_ref_count(obj);
 
     if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
+        X509_OBJECT_free_contents(obj);
+        OPENSSL_free(obj);
         X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE);
         ret = 0;
-    } else {
-        added = sk_X509_OBJECT_push(ctx->objs, obj);
-        ret = added != 0;
-    }
+    } else
+        sk_X509_OBJECT_push(ctx->objs, obj);
 
-    CRYPTO_THREAD_unlock(ctx->lock);
-
-    if (!ret)                   /* obj not pushed */
-        X509_OBJECT_free(obj);
-    if (!added)                 /* on push failure */
-        X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE);
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
     return ret;
 }
 
-int X509_OBJECT_up_ref_count(X509_OBJECT *a)
+void X509_OBJECT_up_ref_count(X509_OBJECT *a)
 {
     switch (a->type) {
-    default:
-        break;
     case X509_LU_X509:
-        return X509_up_ref(a->data.x509);
+        CRYPTO_add(&a->data.x509->references, 1, CRYPTO_LOCK_X509);
+        break;
     case X509_LU_CRL:
-        return X509_CRL_up_ref(a->data.crl);
-    }
-    return 1;
-}
-
-X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
-{
-    if (a == NULL || a->type != X509_LU_X509)
-        return NULL;
-    return a->data.x509;
-}
-
-X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a)
-{
-    if (a == NULL || a->type != X509_LU_CRL)
-        return NULL;
-    return a->data.crl;
-}
-
-X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a)
-{
-    return a->type;
-}
-
-X509_OBJECT *X509_OBJECT_new()
-{
-    X509_OBJECT *ret = OPENSSL_zalloc(sizeof(*ret));
-
-    if (ret == NULL) {
-        X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        CRYPTO_add(&a->data.crl->references, 1, CRYPTO_LOCK_X509_CRL);
+        break;
     }
-    ret->type = X509_LU_NONE;
-    return ret;
 }
 
-
-void X509_OBJECT_free(X509_OBJECT *a)
+void X509_OBJECT_free_contents(X509_OBJECT *a)
 {
-    if (a == NULL)
-        return;
     switch (a->type) {
-    default:
-        break;
     case X509_LU_X509:
         X509_free(a->data.x509);
         break;
@@ -433,26 +422,29 @@ void X509_OBJECT_free(X509_OBJECT *a)
         X509_CRL_free(a->data.crl);
         break;
     }
-    OPENSSL_free(a);
 }
 
-static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
+static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
                                X509_NAME *name, int *pnmatch)
 {
     X509_OBJECT stmp;
     X509 x509_s;
+    X509_CINF cinf_s;
     X509_CRL crl_s;
+    X509_CRL_INFO crl_info_s;
     int idx;
 
     stmp.type = type;
     switch (type) {
     case X509_LU_X509:
         stmp.data.x509 = &x509_s;
-        x509_s.cert_info.subject = name;
+        x509_s.cert_info = &cinf_s;
+        cinf_s.subject = name;
         break;
     case X509_LU_CRL:
         stmp.data.crl = &crl_s;
-        crl_s.crl.issuer = name;
+        crl_s.crl = &crl_info_s;
+        crl_info_s.issuer = name;
         break;
     default:
         /* abort(); */
@@ -475,15 +467,14 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
     return idx;
 }
 
-int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
+int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
                                X509_NAME *name)
 {
     return x509_object_idx_cnt(h, type, name, NULL);
 }
 
 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
-                                             X509_LOOKUP_TYPE type,
-                                             X509_NAME *name)
+                                             int type, X509_NAME *name)
 {
     int idx;
     idx = X509_OBJECT_idx_by_subject(h, type, name);
@@ -492,78 +483,73 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
     return sk_X509_OBJECT_value(h, idx);
 }
 
-STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v)
-{
-    return v->objs;
-}
-
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
+STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
 {
     int i, idx, cnt;
-    STACK_OF(X509) *sk = NULL;
+    STACK_OF(X509) *sk;
     X509 *x;
     X509_OBJECT *obj;
-
-    CRYPTO_THREAD_write_lock(ctx->ctx->lock);
+    sk = sk_X509_new_null();
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
     idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
     if (idx < 0) {
         /*
          * Nothing found in cache: do lookup to possibly add new objects to
          * cache
          */
-        X509_OBJECT *xobj = X509_OBJECT_new();
-
-        CRYPTO_THREAD_unlock(ctx->ctx->lock);
-        if (xobj == NULL)
-            return NULL;
-        if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) {
-            X509_OBJECT_free(xobj);
+        X509_OBJECT xobj;
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+        if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
+            sk_X509_free(sk);
             return NULL;
         }
-        X509_OBJECT_free(xobj);
-        CRYPTO_THREAD_write_lock(ctx->ctx->lock);
+        X509_OBJECT_free_contents(&xobj);
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
         idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
         if (idx < 0) {
-            CRYPTO_THREAD_unlock(ctx->ctx->lock);
+            CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+            sk_X509_free(sk);
             return NULL;
         }
     }
-
-    sk = sk_X509_new_null();
     for (i = 0; i < cnt; i++, idx++) {
         obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
         x = obj->data.x509;
-        X509_up_ref(x);
+        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
         if (!sk_X509_push(sk, x)) {
-            CRYPTO_THREAD_unlock(ctx->ctx->lock);
+            CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
             X509_free(x);
             sk_X509_pop_free(sk, X509_free);
             return NULL;
         }
     }
-    CRYPTO_THREAD_unlock(ctx->ctx->lock);
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
     return sk;
+
 }
 
-STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
+STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
 {
     int i, idx, cnt;
-    STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
+    STACK_OF(X509_CRL) *sk;
     X509_CRL *x;
-    X509_OBJECT *obj, *xobj = X509_OBJECT_new();
-
-    /* Always do lookup to possibly add new CRLs to cache */
-    if (sk == NULL || xobj == NULL ||
-            !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) {
-        X509_OBJECT_free(xobj);
+    X509_OBJECT *obj, xobj;
+    sk = sk_X509_CRL_new_null();
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+
+    /*
+     * Always do lookup to possibly add new CRLs to cache
+     */
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+    if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
         sk_X509_CRL_free(sk);
         return NULL;
     }
-    X509_OBJECT_free(xobj);
-    CRYPTO_THREAD_write_lock(ctx->ctx->lock);
+    X509_OBJECT_free_contents(&xobj);
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
     idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
     if (idx < 0) {
-        CRYPTO_THREAD_unlock(ctx->ctx->lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
         sk_X509_CRL_free(sk);
         return NULL;
     }
@@ -571,15 +557,15 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
     for (i = 0; i < cnt; i++, idx++) {
         obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
         x = obj->data.crl;
-        X509_CRL_up_ref(x);
+        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
         if (!sk_X509_CRL_push(sk, x)) {
-            CRYPTO_THREAD_unlock(ctx->ctx->lock);
+            CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
             X509_CRL_free(x);
             sk_X509_CRL_pop_free(sk, X509_CRL_free);
             return NULL;
         }
     }
-    CRYPTO_THREAD_unlock(ctx->ctx->lock);
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
     return sk;
 }
 
@@ -625,32 +611,32 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 {
     X509_NAME *xn;
-    X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL;
+    X509_OBJECT obj, *pobj;
     int i, ok, idx, ret;
-
-    if (obj == NULL)
-        return -1;
-    *issuer = NULL;
     xn = X509_get_issuer_name(x);
-    ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj);
-    if (ok != 1) {
-        X509_OBJECT_free(obj);
+    ok = X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj);
+    if (ok != X509_LU_X509) {
+        if (ok == X509_LU_RETRY) {
+            X509_OBJECT_free_contents(&obj);
+            X509err(X509_F_X509_STORE_CTX_GET1_ISSUER, X509_R_SHOULD_RETRY);
+            return -1;
+        } else if (ok != X509_LU_FAIL) {
+            X509_OBJECT_free_contents(&obj);
+            /* not good :-(, break anyway */
+            return -1;
+        }
         return 0;
     }
     /* If certificate matches all OK */
-    if (ctx->check_issued(ctx, x, obj->data.x509)) {
-        if (x509_check_cert_time(ctx, obj->data.x509, -1)) {
-            *issuer = obj->data.x509;
-            X509_up_ref(*issuer);
-            X509_OBJECT_free(obj);
-            return 1;
-        }
+    if (ctx->check_issued(ctx, x, obj.data.x509)) {
+        *issuer = obj.data.x509;
+        return 1;
     }
-    X509_OBJECT_free(obj);
+    X509_OBJECT_free_contents(&obj);
 
     /* Else find index of first cert accepted by 'check_issued' */
     ret = 0;
-    CRYPTO_THREAD_write_lock(ctx->ctx->lock);
+    CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
     idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
     if (idx != -1) {            /* should be true as we've had at least one
                                  * match */
@@ -664,22 +650,13 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
                 break;
             if (ctx->check_issued(ctx, x, pobj->data.x509)) {
                 *issuer = pobj->data.x509;
+                X509_OBJECT_up_ref_count(pobj);
                 ret = 1;
-                /*
-                 * If times check, exit with match,
-                 * otherwise keep looking. Leave last
-                 * match in issuer so we return nearest
-                 * match if no certificate time is OK.
-                 */
-
-                if (x509_check_cert_time(ctx, *issuer, -1))
-                    break;
+                break;
             }
         }
     }
-    CRYPTO_THREAD_unlock(ctx->ctx->lock);
-    if (*issuer)
-        X509_up_ref(*issuer);
+    CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
     return ret;
 }
 
@@ -709,153 +686,25 @@ int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
     return X509_VERIFY_PARAM_set1(ctx->param, param);
 }
 
-X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx)
-{
-    return ctx->param;
-}
-
-void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify)
-{
-    ctx->verify = verify;
-}
-
-X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx)
-{
-    return ctx->verify;
-}
-
 void X509_STORE_set_verify_cb(X509_STORE *ctx,
-                              X509_STORE_CTX_verify_cb verify_cb)
+                              int (*verify_cb) (int, X509_STORE_CTX *))
 {
     ctx->verify_cb = verify_cb;
 }
 
-X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx)
-{
-    return ctx->verify_cb;
-}
-
-void X509_STORE_set_get_issuer(X509_STORE *ctx,
-                               X509_STORE_CTX_get_issuer_fn get_issuer)
-{
-    ctx->get_issuer = get_issuer;
-}
-
-X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx)
-{
-    return ctx->get_issuer;
-}
-
-void X509_STORE_set_check_issued(X509_STORE *ctx,
-                                 X509_STORE_CTX_check_issued_fn check_issued)
-{
-    ctx->check_issued = check_issued;
-}
-
-X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx)
-{
-    return ctx->check_issued;
-}
-
-void X509_STORE_set_check_revocation(X509_STORE *ctx,
-                                     X509_STORE_CTX_check_revocation_fn check_revocation)
-{
-    ctx->check_revocation = check_revocation;
-}
-
-X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx)
-{
-    return ctx->check_revocation;
-}
-
-void X509_STORE_set_get_crl(X509_STORE *ctx,
-                            X509_STORE_CTX_get_crl_fn get_crl)
-{
-    ctx->get_crl = get_crl;
-}
-
-X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx)
-{
-    return ctx->get_crl;
-}
-
-void X509_STORE_set_check_crl(X509_STORE *ctx,
-                              X509_STORE_CTX_check_crl_fn check_crl)
-{
-    ctx->check_crl = check_crl;
-}
-
-X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx)
-{
-    return ctx->check_crl;
-}
-
-void X509_STORE_set_cert_crl(X509_STORE *ctx,
-                             X509_STORE_CTX_cert_crl_fn cert_crl)
+void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
+                                   STACK_OF(X509_CRL) *(*cb) (X509_STORE_CTX
+                                                              *ctx,
+                                                              X509_NAME *nm))
 {
-    ctx->cert_crl = cert_crl;
-}
-
-X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx)
-{
-    return ctx->cert_crl;
-}
-
-void X509_STORE_set_check_policy(X509_STORE *ctx,
-                                 X509_STORE_CTX_check_policy_fn check_policy)
-{
-    ctx->check_policy = check_policy;
-}
-
-X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx)
-{
-    return ctx->check_policy;
-}
-
-void X509_STORE_set_lookup_certs(X509_STORE *ctx,
-                                 X509_STORE_CTX_lookup_certs_fn lookup_certs)
-{
-    ctx->lookup_certs = lookup_certs;
-}
-
-X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx)
-{
-    return ctx->lookup_certs;
-}
-
-void X509_STORE_set_lookup_crls(X509_STORE *ctx,
-                                X509_STORE_CTX_lookup_crls_fn lookup_crls)
-{
-    ctx->lookup_crls = lookup_crls;
-}
-
-X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx)
-{
-    return ctx->lookup_crls;
-}
-
-void X509_STORE_set_cleanup(X509_STORE *ctx,
-                            X509_STORE_CTX_cleanup_fn ctx_cleanup)
-{
-    ctx->cleanup = ctx_cleanup;
-}
-
-X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx)
-{
-    return ctx->cleanup;
-}
-
-int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data)
-{
-    return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
-}
-
-void *X509_STORE_get_ex_data(X509_STORE *ctx, int idx)
-{
-    return CRYPTO_get_ex_data(&ctx->ex_data, idx);
+    ctx->lookup_crls = cb;
 }
 
 X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)
 {
     return ctx->ctx;
 }
+
+IMPLEMENT_STACK_OF(X509_LOOKUP)
+
+IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c
index 55dc778b..0a839f3e 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_obj.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_obj.c
@@ -1,30 +1,78 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_obj.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/buffer.h>
-#include "internal/x509_int.h"
 
 /*
  * Limit to ensure we don't overflow: much greater than
- * anything encountered in practice.
+ * anything enountered in practice.
  */
 
 #define NAME_ONELINE_MAX    (1024 * 1024)
 
-char *X509_NAME_oneline(const X509_NAME *a, char *buf, int len)
+char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 {
-    const X509_NAME_ENTRY *ne;
+    X509_NAME_ENTRY *ne;
     int i;
     int n, lold, l, l1, l2, num, j, type;
     const char *s;
@@ -35,7 +83,7 @@ char *X509_NAME_oneline(const X509_NAME *a, char *buf, int len)
     int gs_doit[4];
     char tmp_buf[80];
 #ifdef CHARSET_EBCDIC
-    unsigned char ebcdic_buf[1024];
+    char ebcdic_buf[1024];
 #endif
 
     if (buf == NULL) {
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c b/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c
index 3d72787d..2879569e 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_r2x.c
@@ -1,19 +1,67 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_r2x.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 
@@ -23,6 +71,7 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
     X509_CINF *xi = NULL;
     X509_NAME *xn;
     EVP_PKEY *pubkey = NULL;
+    int res;
 
     if ((ret = X509_new()) == NULL) {
         X509err(X509_F_X509_REQ_TO_X509, ERR_R_MALLOC_FAILURE);
@@ -30,10 +79,10 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
     }
 
     /* duplicate the request */
-    xi = &ret->cert_info;
+    xi = ret->cert_info;
 
-    if (sk_X509_ATTRIBUTE_num(r->req_info.attributes) != 0) {
-        if ((xi->version = ASN1_INTEGER_new()) == NULL)
+    if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) {
+        if ((xi->version = M_ASN1_INTEGER_new()) == NULL)
             goto err;
         if (!ASN1_INTEGER_set(xi->version, 2))
             goto err;
@@ -47,21 +96,22 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
     if (X509_set_issuer_name(ret, xn) == 0)
         goto err;
 
-    if (X509_gmtime_adj(xi->validity.notBefore, 0) == NULL)
+    if (X509_gmtime_adj(xi->validity->notBefore, 0) == NULL)
         goto err;
-    if (X509_gmtime_adj(xi->validity.notAfter, (long)60 * 60 * 24 * days) ==
+    if (X509_gmtime_adj(xi->validity->notAfter, (long)60 * 60 * 24 * days) ==
         NULL)
         goto err;
 
-    pubkey = X509_REQ_get0_pubkey(r);
-    if (pubkey == NULL || !X509_set_pubkey(ret, pubkey))
-        goto err;
+    pubkey = X509_REQ_get_pubkey(r);
+    res = X509_set_pubkey(ret, pubkey);
+    EVP_PKEY_free(pubkey);
 
-    if (!X509_sign(ret, pkey, EVP_md5()))
+    if (!res || !X509_sign(ret, pkey, EVP_md5()))
         goto err;
-    return ret;
-
+    if (0) {
  err:
-    X509_free(ret);
-    return NULL;
+        X509_free(ret);
+        ret = NULL;
+    }
+    return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_req.c b/Cryptlib/OpenSSL/crypto/x509/x509_req.c
index 7b88dbcd..01795f4b 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_req.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_req.c
@@ -1,20 +1,68 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_req.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/pem.h>
@@ -32,10 +80,10 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
         goto err;
     }
 
-    ri = &ret->req_info;
+    ri = ret->req_info;
 
     ri->version->length = 1;
-    ri->version->data = OPENSSL_malloc(1);
+    ri->version->data = (unsigned char *)OPENSSL_malloc(1);
     if (ri->version->data == NULL)
         goto err;
     ri->version->data[0] = 0;   /* version == 0 */
@@ -43,10 +91,11 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
     if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
         goto err;
 
-    pktmp = X509_get0_pubkey(x);
+    pktmp = X509_get_pubkey(x);
     if (pktmp == NULL)
         goto err;
     i = X509_REQ_set_pubkey(ret, pktmp);
+    EVP_PKEY_free(pktmp);
     if (!i)
         goto err;
 
@@ -62,21 +111,9 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 
 EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
 {
-    if (req == NULL)
+    if ((req == NULL) || (req->req_info == NULL))
         return (NULL);
-    return (X509_PUBKEY_get(req->req_info.pubkey));
-}
-
-EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req)
-{
-    if (req == NULL)
-        return NULL;
-    return (X509_PUBKEY_get0(req->req_info.pubkey));
-}
-
-X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req)
-{
-    return req->req_info.pubkey;
+    return (X509_PUBKEY_get(req->req_info->pubkey));
 }
 
 int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
@@ -98,13 +135,13 @@ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k)
         break;
     case -2:
 #ifndef OPENSSL_NO_EC
-        if (EVP_PKEY_id(k) == EVP_PKEY_EC) {
+        if (k->type == EVP_PKEY_EC) {
             X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY, ERR_R_EC_LIB);
             break;
         }
 #endif
 #ifndef OPENSSL_NO_DH
-        if (EVP_PKEY_id(k) == EVP_PKEY_DH) {
+        if (k->type == EVP_PKEY_DH) {
             /* No idea */
             X509err(X509_F_X509_REQ_CHECK_PRIVATE_KEY,
                     X509_R_CANT_CHECK_DH_KEY);
@@ -157,14 +194,17 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
     int idx, *pnid;
     const unsigned char *p;
 
-    if ((req == NULL) || !ext_nids)
+    if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
         return (NULL);
     for (pnid = ext_nids; *pnid != NID_undef; pnid++) {
         idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
         if (idx == -1)
             continue;
         attr = X509_REQ_get_attr(req, idx);
-        ext = X509_ATTRIBUTE_get0_type(attr, 0);
+        if (attr->single)
+            ext = attr->value.single;
+        else if (sk_ASN1_TYPE_num(attr->value.set))
+            ext = sk_ASN1_TYPE_value(attr->value.set, 0);
         break;
     }
     if (!ext || (ext->type != V_ASN1_SEQUENCE))
@@ -183,17 +223,37 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
 int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
                                 int nid)
 {
-    int extlen;
-    int rv = 0;
-    unsigned char *ext = NULL;
+    ASN1_TYPE *at = NULL;
+    X509_ATTRIBUTE *attr = NULL;
+    if (!(at = ASN1_TYPE_new()) || !(at->value.sequence = ASN1_STRING_new()))
+        goto err;
+
+    at->type = V_ASN1_SEQUENCE;
     /* Generate encoding of extensions */
-    extlen = ASN1_item_i2d((ASN1_VALUE *)exts, &ext,
-                           ASN1_ITEM_rptr(X509_EXTENSIONS));
-    if (extlen <= 0)
-        return 0;
-    rv = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen);
-    OPENSSL_free(ext);
-    return rv;
+    at->value.sequence->length =
+        ASN1_item_i2d((ASN1_VALUE *)exts,
+                      &at->value.sequence->data,
+                      ASN1_ITEM_rptr(X509_EXTENSIONS));
+    if (!(attr = X509_ATTRIBUTE_new()))
+        goto err;
+    if (!(attr->value.set = sk_ASN1_TYPE_new_null()))
+        goto err;
+    if (!sk_ASN1_TYPE_push(attr->value.set, at))
+        goto err;
+    at = NULL;
+    attr->single = 0;
+    attr->object = OBJ_nid2obj(nid);
+    if (!req->req_info->attributes) {
+        if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
+            goto err;
+    }
+    if (!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr))
+        goto err;
+    return 1;
+ err:
+    X509_ATTRIBUTE_free(attr);
+    ASN1_TYPE_free(at);
+    return 0;
 }
 
 /* This is the normal usage: use the "official" OID */
@@ -206,33 +266,33 @@ int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
 
 int X509_REQ_get_attr_count(const X509_REQ *req)
 {
-    return X509at_get_attr_count(req->req_info.attributes);
+    return X509at_get_attr_count(req->req_info->attributes);
 }
 
 int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos)
 {
-    return X509at_get_attr_by_NID(req->req_info.attributes, nid, lastpos);
+    return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos);
 }
 
-int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
+int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj,
                              int lastpos)
 {
-    return X509at_get_attr_by_OBJ(req->req_info.attributes, obj, lastpos);
+    return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
 }
 
 X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
 {
-    return X509at_get_attr(req->req_info.attributes, loc);
+    return X509at_get_attr(req->req_info->attributes, loc);
 }
 
 X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
 {
-    return X509at_delete_attr(req->req_info.attributes, loc);
+    return X509at_delete_attr(req->req_info->attributes, loc);
 }
 
 int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
 {
-    if (X509at_add1_attr(&req->req_info.attributes, attr))
+    if (X509at_add1_attr(&req->req_info->attributes, attr))
         return 1;
     return 0;
 }
@@ -241,7 +301,7 @@ int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
                               const ASN1_OBJECT *obj, int type,
                               const unsigned char *bytes, int len)
 {
-    if (X509at_add1_attr_by_OBJ(&req->req_info.attributes, obj,
+    if (X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
                                 type, bytes, len))
         return 1;
     return 0;
@@ -251,7 +311,7 @@ int X509_REQ_add1_attr_by_NID(X509_REQ *req,
                               int nid, int type,
                               const unsigned char *bytes, int len)
 {
-    if (X509at_add1_attr_by_NID(&req->req_info.attributes, nid,
+    if (X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
                                 type, bytes, len))
         return 1;
     return 0;
@@ -261,38 +321,8 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
                               const char *attrname, int type,
                               const unsigned char *bytes, int len)
 {
-    if (X509at_add1_attr_by_txt(&req->req_info.attributes, attrname,
+    if (X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
                                 type, bytes, len))
         return 1;
     return 0;
 }
-
-long X509_REQ_get_version(const X509_REQ *req)
-{
-    return ASN1_INTEGER_get(req->req_info.version);
-}
-
-X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req)
-{
-    return req->req_info.subject;
-}
-
-void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
-                             const X509_ALGOR **palg)
-{
-    if (psig != NULL)
-        *psig = req->signature;
-    if (palg != NULL)
-        *palg = &req->sig_alg;
-}
-
-int X509_REQ_get_signature_nid(const X509_REQ *req)
-{
-    return OBJ_obj2nid(req->sig_alg.algorithm);
-}
-
-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
-{
-    req->req_info.enc.modified = 1;
-    return i2d_X509_REQ_INFO(&req->req_info, pp);
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_set.c b/Cryptlib/OpenSSL/crypto/x509/x509_set.c
index c0ea4188..5b802bd6 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_set.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_set.c
@@ -1,34 +1,82 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_set.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 
 int X509_set_version(X509 *x, long version)
 {
     if (x == NULL)
         return (0);
     if (version == 0) {
-        ASN1_INTEGER_free(x->cert_info.version);
-        x->cert_info.version = NULL;
+        M_ASN1_INTEGER_free(x->cert_info->version);
+        x->cert_info->version = NULL;
         return (1);
     }
-    if (x->cert_info.version == NULL) {
-        if ((x->cert_info.version = ASN1_INTEGER_new()) == NULL)
+    if (x->cert_info->version == NULL) {
+        if ((x->cert_info->version = M_ASN1_INTEGER_new()) == NULL)
             return (0);
     }
-    return (ASN1_INTEGER_set(x->cert_info.version, version));
+    return (ASN1_INTEGER_set(x->cert_info->version, version));
 }
 
 int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
@@ -36,124 +84,69 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
     ASN1_INTEGER *in;
 
     if (x == NULL)
-        return 0;
-    in = &x->cert_info.serialNumber;
-    if (in != serial)
-        return ASN1_STRING_copy(in, serial);
-    return 1;
+        return (0);
+    in = x->cert_info->serialNumber;
+    if (in != serial) {
+        in = M_ASN1_INTEGER_dup(serial);
+        if (in != NULL) {
+            M_ASN1_INTEGER_free(x->cert_info->serialNumber);
+            x->cert_info->serialNumber = in;
+        }
+    }
+    return (in != NULL);
 }
 
 int X509_set_issuer_name(X509 *x, X509_NAME *name)
 {
-    if (x == NULL)
+    if ((x == NULL) || (x->cert_info == NULL))
         return (0);
-    return (X509_NAME_set(&x->cert_info.issuer, name));
+    return (X509_NAME_set(&x->cert_info->issuer, name));
 }
 
 int X509_set_subject_name(X509 *x, X509_NAME *name)
 {
-    if (x == NULL)
+    if ((x == NULL) || (x->cert_info == NULL))
         return (0);
-    return (X509_NAME_set(&x->cert_info.subject, name));
+    return (X509_NAME_set(&x->cert_info->subject, name));
 }
 
-int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm)
+int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
 {
     ASN1_TIME *in;
-    in = *ptm;
+
+    if ((x == NULL) || (x->cert_info->validity == NULL))
+        return (0);
+    in = x->cert_info->validity->notBefore;
     if (in != tm) {
-        in = ASN1_STRING_dup(tm);
+        in = M_ASN1_TIME_dup(tm);
         if (in != NULL) {
-            ASN1_TIME_free(*ptm);
-            *ptm = in;
+            M_ASN1_TIME_free(x->cert_info->validity->notBefore);
+            x->cert_info->validity->notBefore = in;
         }
     }
     return (in != NULL);
 }
 
-int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm)
+int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
 {
-    if (x == NULL)
-        return 0;
-    return x509_set1_time(&x->cert_info.validity.notBefore, tm);
-}
+    ASN1_TIME *in;
 
-int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm)
-{
-    if (x == NULL)
-        return 0;
-    return x509_set1_time(&x->cert_info.validity.notAfter, tm);
+    if ((x == NULL) || (x->cert_info->validity == NULL))
+        return (0);
+    in = x->cert_info->validity->notAfter;
+    if (in != tm) {
+        in = M_ASN1_TIME_dup(tm);
+        if (in != NULL) {
+            M_ASN1_TIME_free(x->cert_info->validity->notAfter);
+            x->cert_info->validity->notAfter = in;
+        }
+    }
+    return (in != NULL);
 }
 
 int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
 {
-    if (x == NULL)
+    if ((x == NULL) || (x->cert_info == NULL))
         return (0);
-    return (X509_PUBKEY_set(&(x->cert_info.key), pkey));
-}
-
-int X509_up_ref(X509 *x)
-{
-    int i;
-
-    if (CRYPTO_atomic_add(&x->references, 1, &i, x->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("X509", x);
-    REF_ASSERT_ISNT(i < 2);
-    return ((i > 1) ? 1 : 0);
-}
-
-long X509_get_version(const X509 *x)
-{
-    return ASN1_INTEGER_get(x->cert_info.version);
-}
-
-const ASN1_TIME *X509_get0_notBefore(const X509 *x)
-{
-    return x->cert_info.validity.notBefore;
-}
-
-const ASN1_TIME *X509_get0_notAfter(const X509 *x)
-{
-    return x->cert_info.validity.notAfter;
-}
-
-ASN1_TIME *X509_getm_notBefore(const X509 *x)
-{
-    return x->cert_info.validity.notBefore;
-}
-
-ASN1_TIME *X509_getm_notAfter(const X509 *x)
-{
-    return x->cert_info.validity.notAfter;
-}
-
-int X509_get_signature_type(const X509 *x)
-{
-    return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg.algorithm));
-}
-
-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
-{
-    return x->cert_info.key;
-}
-
-const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x)
-{
-    return x->cert_info.extensions;
-}
-
-void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
-                    const ASN1_BIT_STRING **psuid)
-{
-    if (piuid != NULL)
-        *piuid = x->cert_info.issuerUID;
-    if (psuid != NULL)
-        *psuid = x->cert_info.subjectUID;
-}
-
-const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
-{
-    return &x->cert_info.signature;
+    return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_trs.c b/Cryptlib/OpenSSL/crypto/x509/x509_trs.c
index a9bb88d1..2fa33823 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_trs.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_trs.c
@@ -1,16 +1,65 @@
+/* x509_trs.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
 
 static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b);
 static void trtable_free(X509_TRUST *p);
@@ -45,7 +94,9 @@ static X509_TRUST trstandard[] = {
     {X509_TRUST_TSA, 0, trust_1oidany, "TSA server", NID_time_stamp, NULL}
 };
 
-#define X509_TRUST_COUNT        OSSL_NELEM(trstandard)
+#define X509_TRUST_COUNT        (sizeof(trstandard)/sizeof(X509_TRUST))
+
+IMPLEMENT_STACK_OF(X509_TRUST)
 
 static STACK_OF(X509_TRUST) *trtable = NULL;
 
@@ -66,15 +117,22 @@ int X509_check_trust(X509 *x, int id, int flags)
 {
     X509_TRUST *pt;
     int idx;
-
+    if (id == -1)
+        return 1;
     /* We get this as a default value */
-    if (id == X509_TRUST_DEFAULT)
-        return obj_trust(NID_anyExtendedKeyUsage, x,
-                         flags | X509_TRUST_DO_SS_COMPAT);
+    if (id == 0) {
+        int rv;
+        rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
+        if (rv != X509_TRUST_UNTRUSTED)
+            return rv;
+        return trust_compat(NULL, x, 0);
+    }
     idx = X509_TRUST_get_by_id(id);
     if (idx == -1)
         return default_trust(id, x, flags);
     pt = X509_TRUST_get0(idx);
+    if (!pt)
+        return default_trust(id, x, flags);
     return pt->check_trust(pt, x, flags);
 }
 
@@ -120,7 +178,7 @@ int X509_TRUST_set(int *t, int trust)
 }
 
 int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int),
-                   const char *name, int arg1, void *arg2)
+                   char *name, int arg1, void *arg2)
 {
     int idx;
     X509_TRUST *trtmp;
@@ -134,21 +192,23 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int),
     idx = X509_TRUST_get_by_id(id);
     /* Need a new entry */
     if (idx == -1) {
-        if ((trtmp = OPENSSL_malloc(sizeof(*trtmp))) == NULL) {
+        if (!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
             X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
             return 0;
         }
         trtmp->flags = X509_TRUST_DYNAMIC;
-    } else
-        trtmp = X509_TRUST_get0(idx);
+    } else if (!(trtmp = X509_TRUST_get0(idx))) {
+        X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
 
     /* OPENSSL_free existing name if dynamic */
     if (trtmp->flags & X509_TRUST_DYNAMIC_NAME)
         OPENSSL_free(trtmp->name);
     /* dup supplied name */
-    if ((trtmp->name = OPENSSL_strdup(name)) == NULL) {
+    if (!(trtmp->name = BUF_strdup(name))) {
         X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
-        goto err;
+        return 0;
     }
     /* Keep the dynamic flag of existing entry */
     trtmp->flags &= X509_TRUST_DYNAMIC;
@@ -162,23 +222,16 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int),
 
     /* If its a new entry manage the dynamic table */
     if (idx == -1) {
-        if (trtable == NULL
-            && (trtable = sk_X509_TRUST_new(tr_cmp)) == NULL) {
+        if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
             X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
-            goto err;;
+            return 0;
         }
         if (!sk_X509_TRUST_push(trtable, trtmp)) {
             X509err(X509_F_X509_TRUST_ADD, ERR_R_MALLOC_FAILURE);
-            goto err;
+            return 0;
         }
     }
     return 1;
- err:
-    if (idx == -1) {
-        OPENSSL_free(trtmp->name);
-        OPENSSL_free(trtmp);
-    }
-    return 0;
 }
 
 static void trtable_free(X509_TRUST *p)
@@ -194,53 +247,50 @@ static void trtable_free(X509_TRUST *p)
 
 void X509_TRUST_cleanup(void)
 {
+    unsigned int i;
+    for (i = 0; i < X509_TRUST_COUNT; i++)
+        trtable_free(trstandard + i);
     sk_X509_TRUST_pop_free(trtable, trtable_free);
     trtable = NULL;
 }
 
-int X509_TRUST_get_flags(const X509_TRUST *xp)
+int X509_TRUST_get_flags(X509_TRUST *xp)
 {
     return xp->flags;
 }
 
-char *X509_TRUST_get0_name(const X509_TRUST *xp)
+char *X509_TRUST_get0_name(X509_TRUST *xp)
 {
     return xp->name;
 }
 
-int X509_TRUST_get_trust(const X509_TRUST *xp)
+int X509_TRUST_get_trust(X509_TRUST *xp)
 {
     return xp->trust;
 }
 
 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
 {
+    if (x->aux && (x->aux->trust || x->aux->reject))
+        return obj_trust(trust->arg1, x, flags);
     /*
-     * Declare the chain verified if the desired trust OID is not rejected in
-     * any auxiliary trust info for this certificate, and the OID is either
-     * expressly trusted, or else either "anyEKU" is trusted, or the
-     * certificate is self-signed.
+     * we don't have any trust settings: for compatibility we return trusted
+     * if it is self signed
      */
-    flags |= X509_TRUST_DO_SS_COMPAT | X509_TRUST_OK_ANY_EKU;
-    return obj_trust(trust->arg1, x, flags);
+    return trust_compat(trust, x, flags);
 }
 
 static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
 {
-    /*
-     * Declare the chain verified only if the desired trust OID is not
-     * rejected and is expressly trusted.  Neither "anyEKU" nor "compat"
-     * trust in self-signed certificates apply.
-     */
-    flags &= ~(X509_TRUST_DO_SS_COMPAT | X509_TRUST_OK_ANY_EKU);
-    return obj_trust(trust->arg1, x, flags);
+    if (x->aux)
+        return obj_trust(trust->arg1, x, flags);
+    return X509_TRUST_UNTRUSTED;
 }
 
 static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
 {
-    /* Call for side-effect of computing hash and caching extensions */
     X509_check_purpose(x, -1, 0);
-    if ((flags & X509_TRUST_NO_SS_COMPAT) == 0 && x->ex_flags & EXFLAG_SS)
+    if (x->ex_flags & EXFLAG_SS)
         return X509_TRUST_TRUSTED;
     else
         return X509_TRUST_UNTRUSTED;
@@ -248,51 +298,25 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
 
 static int obj_trust(int id, X509 *x, int flags)
 {
-    X509_CERT_AUX *ax = x->aux;
+    ASN1_OBJECT *obj;
     int i;
-
-    if (ax && ax->reject) {
+    X509_CERT_AUX *ax;
+    ax = x->aux;
+    if (!ax)
+        return X509_TRUST_UNTRUSTED;
+    if (ax->reject) {
         for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {
-            ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i);
-            int nid = OBJ_obj2nid(obj);
-
-            if (nid == id || (nid == NID_anyExtendedKeyUsage &&
-                (flags & X509_TRUST_OK_ANY_EKU)))
+            obj = sk_ASN1_OBJECT_value(ax->reject, i);
+            if (OBJ_obj2nid(obj) == id)
                 return X509_TRUST_REJECTED;
         }
     }
-
-    if (ax && ax->trust) {
+    if (ax->trust) {
         for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
-            ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);
-            int nid = OBJ_obj2nid(obj);
-
-            if (nid == id || (nid == NID_anyExtendedKeyUsage &&
-                (flags & X509_TRUST_OK_ANY_EKU)))
+            obj = sk_ASN1_OBJECT_value(ax->trust, i);
+            if (OBJ_obj2nid(obj) == id)
                 return X509_TRUST_TRUSTED;
         }
-        /*
-         * Reject when explicit trust EKU are set and none match.
-         *
-         * Returning untrusted is enough for for full chains that end in
-         * self-signed roots, because when explicit trust is specified it
-         * suppresses the default blanket trust of self-signed objects.
-         *
-         * But for partial chains, this is not enough, because absent a similar
-         * trust-self-signed policy, non matching EKUs are indistinguishable
-         * from lack of EKU constraints.
-         *
-         * Therefore, failure to match any trusted purpose must trigger an
-         * explicit reject.
-         */
-        return X509_TRUST_REJECTED;
     }
-
-    if ((flags & X509_TRUST_DO_SS_COMPAT) == 0)
-        return X509_TRUST_UNTRUSTED;
-
-    /*
-     * Not rejected, and there is no list of accepted uses, try compat.
-     */
-    return trust_compat(NULL, x, flags);
+    return X509_TRUST_UNTRUSTED;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_txt.c b/Cryptlib/OpenSSL/crypto/x509/x509_txt.c
index 66e5fcd0..35db0955 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_txt.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_txt.c
@@ -1,17 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_txt.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
@@ -21,11 +70,11 @@
 
 const char *X509_verify_cert_error_string(long n)
 {
+    static char buf[100];
+
     switch ((int)n) {
     case X509_V_OK:
         return ("ok");
-    case X509_V_ERR_UNSPECIFIED:
-        return ("unspecified certificate verification error");
     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
         return ("unable to get issuer certificate");
     case X509_V_ERR_UNABLE_TO_GET_CRL:
@@ -42,10 +91,10 @@ const char *X509_verify_cert_error_string(long n)
         return ("CRL signature failure");
     case X509_V_ERR_CERT_NOT_YET_VALID:
         return ("certificate is not yet valid");
-    case X509_V_ERR_CERT_HAS_EXPIRED:
-        return ("certificate has expired");
     case X509_V_ERR_CRL_NOT_YET_VALID:
         return ("CRL is not yet valid");
+    case X509_V_ERR_CERT_HAS_EXPIRED:
+        return ("certificate has expired");
     case X509_V_ERR_CRL_HAS_EXPIRED:
         return ("CRL has expired");
     case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -72,14 +121,23 @@ const char *X509_verify_cert_error_string(long n)
         return ("certificate revoked");
     case X509_V_ERR_INVALID_CA:
         return ("invalid CA certificate");
+    case X509_V_ERR_INVALID_NON_CA:
+        return ("invalid non-CA certificate (has CA markings)");
     case X509_V_ERR_PATH_LENGTH_EXCEEDED:
         return ("path length constraint exceeded");
+    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+        return ("proxy path length constraint exceeded");
+    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+        return
+            ("proxy certificates not allowed, please set the appropriate flag");
     case X509_V_ERR_INVALID_PURPOSE:
         return ("unsupported certificate purpose");
     case X509_V_ERR_CERT_UNTRUSTED:
         return ("certificate not trusted");
     case X509_V_ERR_CERT_REJECTED:
         return ("certificate rejected");
+    case X509_V_ERR_APPLICATION_VERIFICATION:
+        return ("application verification failure");
     case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
         return ("subject issuer mismatch");
     case X509_V_ERR_AKID_SKID_MISMATCH:
@@ -94,17 +152,10 @@ const char *X509_verify_cert_error_string(long n)
         return ("unhandled critical extension");
     case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
         return ("key usage does not include CRL signing");
-    case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
-        return ("unhandled critical CRL extension");
-    case X509_V_ERR_INVALID_NON_CA:
-        return ("invalid non-CA certificate (has CA markings)");
-    case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
-        return ("proxy path length constraint exceeded");
     case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
         return ("key usage does not include digital signature");
-    case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
-        return
-            ("proxy certificates not allowed, please set the appropriate flag");
+    case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
+        return ("unhandled critical CRL extension");
     case X509_V_ERR_INVALID_EXTENSION:
         return ("invalid or inconsistent certificate extension");
     case X509_V_ERR_INVALID_POLICY_EXTENSION:
@@ -117,14 +168,13 @@ const char *X509_verify_cert_error_string(long n)
         return ("Unsupported extension feature");
     case X509_V_ERR_UNNESTED_RESOURCE:
         return ("RFC 3779 resource not subset of parent's resources");
+
     case X509_V_ERR_PERMITTED_VIOLATION:
         return ("permitted subtree violation");
     case X509_V_ERR_EXCLUDED_VIOLATION:
         return ("excluded subtree violation");
     case X509_V_ERR_SUBTREE_MINMAX:
         return ("name constraints minimum and maximum not supported");
-    case X509_V_ERR_APPLICATION_VERIFICATION:
-        return ("application verification failure");
     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
         return ("unsupported name constraint type");
     case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
@@ -133,8 +183,7 @@ const char *X509_verify_cert_error_string(long n)
         return ("unsupported or invalid name syntax");
     case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
         return ("CRL path validation error");
-    case X509_V_ERR_PATH_LOOP:
-        return ("Path Loop");
+
     case X509_V_ERR_SUITE_B_INVALID_VERSION:
         return ("Suite B: certificate version invalid");
     case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
@@ -147,31 +196,23 @@ const char *X509_verify_cert_error_string(long n)
         return ("Suite B: curve not allowed for this LOS");
     case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
         return ("Suite B: cannot sign P-384 with P-256");
+
     case X509_V_ERR_HOSTNAME_MISMATCH:
         return ("Hostname mismatch");
     case X509_V_ERR_EMAIL_MISMATCH:
         return ("Email address mismatch");
     case X509_V_ERR_IP_ADDRESS_MISMATCH:
         return ("IP address mismatch");
-    case X509_V_ERR_DANE_NO_MATCH:
-        return ("No matching DANE TLSA records");
-    case X509_V_ERR_EE_KEY_TOO_SMALL:
-        return ("EE certificate key too weak");
-    case X509_V_ERR_CA_KEY_TOO_SMALL:
-        return ("CA certificate key too weak");
-    case X509_V_ERR_CA_MD_TOO_WEAK:
-        return ("CA signature digest algorithm too weak");
+
     case X509_V_ERR_INVALID_CALL:
         return ("Invalid certificate verification context");
     case X509_V_ERR_STORE_LOOKUP:
         return ("Issuer certificate lookup error");
-    case X509_V_ERR_NO_VALID_SCTS:
-        return ("Certificate Transparency required, but no valid SCTs found");
     case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION:
         return ("proxy subject name violation");
 
     default:
-        /* Printing an error number into a static buffer is not thread-safe */
-        return ("unknown certificate verification error");
+        BIO_snprintf(buf, sizeof buf, "error number %ld", n);
+        return (buf);
     }
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_v3.c b/Cryptlib/OpenSSL/crypto/x509/x509_v3.c
index ad126efe..4a03445a 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_v3.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_v3.c
@@ -1,21 +1,69 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_v3.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <openssl/stack.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include "x509_lcl.h"
 
 int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
 {
@@ -36,7 +84,7 @@ int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
 }
 
 int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk,
-                          const ASN1_OBJECT *obj, int lastpos)
+                          ASN1_OBJECT *obj, int lastpos)
 {
     int n;
     X509_EXTENSION *ex;
@@ -127,8 +175,10 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
  err:
     X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE);
  err2:
-    X509_EXTENSION_free(new_ex);
-    sk_X509_EXTENSION_free(sk);
+    if (new_ex != NULL)
+        X509_EXTENSION_free(new_ex);
+    if (sk != NULL)
+        sk_X509_EXTENSION_free(sk);
     return (NULL);
 }
 
@@ -151,7 +201,7 @@ X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,
 }
 
 X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
-                                             const ASN1_OBJECT *obj, int crit,
+                                             ASN1_OBJECT *obj, int crit,
                                              ASN1_OCTET_STRING *data)
 {
     X509_EXTENSION *ret;
@@ -181,13 +231,13 @@ X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
     return (NULL);
 }
 
-int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj)
+int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
 {
     if ((ex == NULL) || (obj == NULL))
         return (0);
     ASN1_OBJECT_free(ex->object);
     ex->object = OBJ_dup(obj);
-    return ex->object != NULL;
+    return (1);
 }
 
 int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
@@ -204,7 +254,7 @@ int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
 
     if (ex == NULL)
         return (0);
-    i = ASN1_OCTET_STRING_set(&ex->value, data->data, data->length);
+    i = M_ASN1_OCTET_STRING_set(ex->value, data->data, data->length);
     if (!i)
         return (0);
     return (1);
@@ -221,10 +271,10 @@ ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
 {
     if (ex == NULL)
         return (NULL);
-    return &ex->value;
+    return (ex->value);
 }
 
-int X509_EXTENSION_get_critical(const X509_EXTENSION *ex)
+int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
 {
     if (ex == NULL)
         return (0);
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
index ebc44240..96f306b2 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
@@ -1,18 +1,66 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509_vfy.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>
-#include <limits.h>
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
 #include <openssl/buffer.h>
@@ -21,9 +69,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
-#include <internal/dane.h>
-#include <internal/x509_int.h>
-#include "x509_lcl.h"
+#include "vpm_int.h"
 
 /* CRL score values */
 
@@ -63,23 +109,16 @@
 
 #define CRL_SCORE_TIME_DELTA    0x002
 
-static int build_chain(X509_STORE_CTX *ctx);
-static int verify_chain(X509_STORE_CTX *ctx);
-static int dane_verify(X509_STORE_CTX *ctx);
 static int null_callback(int ok, X509_STORE_CTX *e);
 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
 static int check_chain_extensions(X509_STORE_CTX *ctx);
 static int check_name_constraints(X509_STORE_CTX *ctx);
 static int check_id(X509_STORE_CTX *ctx);
-static int check_trust(X509_STORE_CTX *ctx, int num_untrusted);
+static int check_trust(X509_STORE_CTX *ctx);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
-static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
-static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
-static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
-static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
 
 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
                          unsigned int *preasons, X509_CRL *crl, X509 *x);
@@ -98,20 +137,22 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
                            STACK_OF(X509) *crl_path);
 
 static int internal_verify(X509_STORE_CTX *ctx);
+const char X509_version[] = "X.509" OPENSSL_VERSION_PTEXT;
 
 static int null_callback(int ok, X509_STORE_CTX *e)
 {
     return ok;
 }
 
+#if 0
+static int x509_subject_cmp(X509 **a, X509 **b)
+{
+    return X509_subject_name_cmp(*a, *b);
+}
+#endif
 /* Return 1 is a certificate is self signed */
 static int cert_self_signed(X509 *x)
 {
-    /*
-     * FIXME: x509v3_cache_extensions() needs to detect more failures and not
-     * set EXFLAG_SET when that happens.  Especially, if the failures are
-     * parse errors, rather than memory pressure!
-     */
     X509_check_purpose(x, -1, 0);
     if (x->ex_flags & EXFLAG_SS)
         return 1;
@@ -137,128 +178,30 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
             break;
     }
     if (i < sk_X509_num(certs))
-        X509_up_ref(xtmp);
+        CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509);
     else
         xtmp = NULL;
     sk_X509_pop_free(certs, X509_free);
     return xtmp;
 }
 
-/*-
- * Inform the verify callback of an error.
- * If B<x> is not NULL it is the error cert, otherwise use the chain cert at
- * B<depth>.
- * If B<err> is not X509_V_OK, that's the error value, otherwise leave
- * unchanged (presumably set by the caller).
- *
- * Returns 0 to abort verification with an error, non-zero to continue.
- */
-static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
-{
-    ctx->error_depth = depth;
-    ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
-    if (err != X509_V_OK)
-        ctx->error = err;
-    return ctx->verify_cb(0, ctx);
-}
-
-/*-
- * Inform the verify callback of an error, CRL-specific variant.  Here, the
- * error depth and certificate are already set, we just specify the error
- * number.
- *
- * Returns 0 to abort verification with an error, non-zero to continue.
- */
-static int verify_cb_crl(X509_STORE_CTX *ctx, int err)
-{
-    ctx->error = err;
-    return ctx->verify_cb(0, ctx);
-}
-
-static int check_auth_level(X509_STORE_CTX *ctx)
-{
-    int i;
-    int num = sk_X509_num(ctx->chain);
-
-    if (ctx->param->auth_level <= 0)
-        return 1;
-
-    for (i = 0; i < num; ++i) {
-        X509 *cert = sk_X509_value(ctx->chain, i);
-
-        /*
-         * We've already checked the security of the leaf key, so here we only
-         * check the security of issuer keys.
-         */
-        if (i > 0 && !check_key_level(ctx, cert) &&
-            verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0)
-            return 0;
-        /*
-         * We also check the signature algorithm security of all certificates
-         * except those of the trust anchor at index num-1.
-         */
-        if (i < num - 1 && !check_sig_level(ctx, cert) &&
-            verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0)
-            return 0;
-    }
-    return 1;
-}
-
-static int verify_chain(X509_STORE_CTX *ctx)
-{
-    int err;
-    int ok;
-
-    /*
-     * Before either returning with an error, or continuing with CRL checks,
-     * instantiate chain public key parameters.
-     */
-    if ((ok = build_chain(ctx)) == 0 ||
-        (ok = check_chain_extensions(ctx)) == 0 ||
-        (ok = check_auth_level(ctx)) == 0 ||
-        (ok = check_name_constraints(ctx)) == 0 ||
-        (ok = check_id(ctx)) == 0 || 1)
-        X509_get_pubkey_parameters(NULL, ctx->chain);
-    if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)
-        return ok;
-
-    err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
-                                  ctx->param->flags);
-    if (err != X509_V_OK) {
-        if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0)
-            return ok;
-    }
-
-    /* Verify chain signatures and expiration times */
-    ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx);
-    if (!ok)
-        return ok;
-
-#ifndef OPENSSL_NO_RFC3779
-    /* RFC 3779 path validation, now that CRL check has been done */
-    if ((ok = X509v3_asid_validate_path(ctx)) == 0)
-        return ok;
-    if ((ok = X509v3_addr_validate_path(ctx)) == 0)
-        return ok;
-#endif
-
-    /* If we get this far evaluate policies */
-    if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)
-        ok = ctx->check_policy(ctx);
-    return ok;
-}
-
 int X509_verify_cert(X509_STORE_CTX *ctx)
 {
-    SSL_DANE *dane = ctx->dane;
-    int ret;
+    X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
+    int bad_chain = 0;
+    X509_VERIFY_PARAM *param = ctx->param;
+    int depth, i, ok = 0;
+    int num, j, retry;
+    int (*cb) (int xok, X509_STORE_CTX *xctx);
+    STACK_OF(X509) *sktmp = NULL;
+    int trust = X509_TRUST_UNTRUSTED;
+    int err;
 
     if (ctx->cert == NULL) {
         X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
         ctx->error = X509_V_ERR_INVALID_CALL;
         return -1;
     }
-
     if (ctx->chain != NULL) {
         /*
          * This X509_STORE_CTX has already been used to verify a cert. We
@@ -269,6 +212,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         return -1;
     }
 
+    cb = ctx->verify_cb;
+
     /*
      * first we make sure the chain we are going to build is present and that
      * the first entry is in place
@@ -277,48 +222,332 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         (!sk_X509_push(ctx->chain, ctx->cert))) {
         X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
         ctx->error = X509_V_ERR_OUT_OF_MEM;
-        return -1;
+        ok = -1;
+        goto err;
     }
-    X509_up_ref(ctx->cert);
-    ctx->num_untrusted = 1;
+    CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
+    ctx->last_untrusted = 1;
 
-    /* If the peer's public key is too weak, we can stop early. */
-    if (!check_key_level(ctx, ctx->cert) &&
-        !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL))
-        return 0;
+    /* We use a temporary STACK so we can chop and hack at it */
+    if (ctx->untrusted != NULL
+        && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
+        X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+        ctx->error = X509_V_ERR_OUT_OF_MEM;
+        ok = -1;
+        goto err;
+    }
 
-    if (DANETLS_ENABLED(dane))
-        ret = dane_verify(ctx);
-    else
-        ret = verify_chain(ctx);
+    num = sk_X509_num(ctx->chain);
+    x = sk_X509_value(ctx->chain, num - 1);
+    depth = param->depth;
+
+    for (;;) {
+        /* If we have enough, we break */
+        if (depth < num)
+            break;              /* FIXME: If this happens, we should take
+                                 * note of it and, if appropriate, use the
+                                 * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
+                                 * later. */
+
+        /* If we are self signed, we break */
+        if (cert_self_signed(x))
+            break;
+        /*
+         * If asked see if we can find issuer in trusted store first
+         */
+        if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
+            ok = ctx->get_issuer(&xtmp, ctx, x);
+            if (ok < 0) {
+                ctx->error = X509_V_ERR_STORE_LOOKUP;
+                goto err;
+            }
+            /*
+             * If successful for now free up cert so it will be picked up
+             * again later.
+             */
+            if (ok > 0) {
+                X509_free(xtmp);
+                break;
+            }
+        }
+
+        /* If we were passed a cert chain, use it first */
+        if (ctx->untrusted != NULL) {
+            xtmp = find_issuer(ctx, sktmp, x);
+            if (xtmp != NULL) {
+                if (!sk_X509_push(ctx->chain, xtmp)) {
+                    X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+                    ctx->error = X509_V_ERR_OUT_OF_MEM;
+                    ok = -1;
+                    goto err;
+                }
+                CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509);
+                (void)sk_X509_delete_ptr(sktmp, xtmp);
+                ctx->last_untrusted++;
+                x = xtmp;
+                num++;
+                /*
+                 * reparse the full chain for the next one
+                 */
+                continue;
+            }
+        }
+        break;
+    }
+
+    /* Remember how many untrusted certs we have */
+    j = num;
+    /*
+     * at this point, chain should contain a list of untrusted certificates.
+     * We now need to add at least one trusted one, if possible, otherwise we
+     * complain.
+     */
+
+    do {
+        /*
+         * Examine last certificate in chain and see if it is self signed.
+         */
+        i = sk_X509_num(ctx->chain);
+        x = sk_X509_value(ctx->chain, i - 1);
+        if (cert_self_signed(x)) {
+            /* we have a self signed certificate */
+            if (sk_X509_num(ctx->chain) == 1) {
+                /*
+                 * We have a single self signed certificate: see if we can
+                 * find it in the store. We must have an exact match to avoid
+                 * possible impersonation.
+                 */
+                ok = ctx->get_issuer(&xtmp, ctx, x);
+                if ((ok <= 0) || X509_cmp(x, xtmp)) {
+                    ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+                    ctx->current_cert = x;
+                    ctx->error_depth = i - 1;
+                    if (ok == 1)
+                        X509_free(xtmp);
+                    bad_chain = 1;
+                    ok = cb(0, ctx);
+                    if (!ok)
+                        goto err;
+                } else {
+                    /*
+                     * We have a match: replace certificate with store
+                     * version so we get any trust settings.
+                     */
+                    X509_free(x);
+                    x = xtmp;
+                    (void)sk_X509_set(ctx->chain, i - 1, x);
+                    ctx->last_untrusted = 0;
+                }
+            } else {
+                /*
+                 * extract and save self signed certificate for later use
+                 */
+                chain_ss = sk_X509_pop(ctx->chain);
+                ctx->last_untrusted--;
+                num--;
+                j--;
+                x = sk_X509_value(ctx->chain, num - 1);
+            }
+        }
+        /* We now lookup certs from the certificate store */
+        for (;;) {
+            /* If we have enough, we break */
+            if (depth < num)
+                break;
+            /* If we are self signed, we break */
+            if (cert_self_signed(x))
+                break;
+            ok = ctx->get_issuer(&xtmp, ctx, x);
+
+            if (ok < 0) {
+                ctx->error = X509_V_ERR_STORE_LOOKUP;
+                goto err;
+            }
+            if (ok == 0)
+                break;
+            x = xtmp;
+            if (!sk_X509_push(ctx->chain, x)) {
+                X509_free(xtmp);
+                X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+                ctx->error = X509_V_ERR_OUT_OF_MEM;
+                ok = -1;
+                goto err;
+            }
+            num++;
+        }
+
+        /* we now have our chain, lets check it... */
+        if ((trust = check_trust(ctx)) == X509_TRUST_REJECTED) {
+            /* Callback already issued */
+            ok = 0;
+            goto err;
+        }
+
+        /*
+         * If it's not explicitly trusted then check if there is an alternative
+         * chain that could be used. We only do this if we haven't already
+         * checked via TRUSTED_FIRST and the user hasn't switched off alternate
+         * chain checking
+         */
+        retry = 0;
+        if (trust != X509_TRUST_TRUSTED
+            && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+            && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
+            while (j-- > 1) {
+                xtmp2 = sk_X509_value(ctx->chain, j - 1);
+                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+                if (ok < 0) {
+                    ctx->error = X509_V_ERR_STORE_LOOKUP;
+                    goto err;
+                }
+                /* Check if we found an alternate chain */
+                if (ok > 0) {
+                    /*
+                     * Free up the found cert we'll add it again later
+                     */
+                    X509_free(xtmp);
+
+                    /*
+                     * Dump all the certs above this point - we've found an
+                     * alternate chain
+                     */
+                    while (num > j) {
+                        xtmp = sk_X509_pop(ctx->chain);
+                        X509_free(xtmp);
+                        num--;
+                    }
+                    ctx->last_untrusted = sk_X509_num(ctx->chain);
+                    retry = 1;
+                    break;
+                }
+            }
+        }
+    } while (retry);
+
+    /*
+     * If not explicitly trusted then indicate error unless it's a single
+     * self signed certificate in which case we've indicated an error already
+     * and set bad_chain == 1
+     */
+    if (trust != X509_TRUST_TRUSTED && !bad_chain) {
+        if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
+            if (ctx->last_untrusted >= num)
+                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+            else
+                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+            ctx->current_cert = x;
+        } else {
+
+            sk_X509_push(ctx->chain, chain_ss);
+            num++;
+            ctx->last_untrusted = num;
+            ctx->current_cert = chain_ss;
+            ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+            chain_ss = NULL;
+        }
+
+        ctx->error_depth = num - 1;
+        bad_chain = 1;
+        ok = cb(0, ctx);
+        if (!ok)
+            goto err;
+    }
+
+    /* We have the chain complete: now we need to check its purpose */
+    ok = check_chain_extensions(ctx);
+
+    if (!ok)
+        goto err;
+
+    /* Check name constraints */
+
+    ok = check_name_constraints(ctx);
+
+    if (!ok)
+        goto err;
+
+    ok = check_id(ctx);
+
+    if (!ok)
+        goto err;
+
+    /* We may as well copy down any DSA parameters that are required */
+    X509_get_pubkey_parameters(NULL, ctx->chain);
 
     /*
-     * Safety-net.  If we are returning an error, we must also set ctx->error,
-     * so that the chain is not considered verified should the error be ignored
-     * (e.g. TLS with SSL_VERIFY_NONE).
+     * Check revocation status: we do this after copying parameters because
+     * they may be needed for CRL signature verification.
      */
-    if (ret <= 0 && ctx->error == X509_V_OK)
+
+    ok = ctx->check_revocation(ctx);
+    if (!ok)
+        goto err;
+
+    err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
+                                  ctx->param->flags);
+    if (err != X509_V_OK) {
+        ctx->error = err;
+        ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
+        ok = cb(0, ctx);
+        if (!ok)
+            goto err;
+    }
+
+    /* At this point, we have a chain and need to verify it */
+    if (ctx->verify != NULL)
+        ok = ctx->verify(ctx);
+    else
+        ok = internal_verify(ctx);
+    if (!ok)
+        goto err;
+
+#ifndef OPENSSL_NO_RFC3779
+    /* RFC 3779 path validation, now that CRL check has been done */
+    ok = v3_asid_validate_path(ctx);
+    if (!ok)
+        goto err;
+    ok = v3_addr_validate_path(ctx);
+    if (!ok)
+        goto err;
+#endif
+
+    /* If we get this far evaluate policies */
+    if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
+        ok = ctx->check_policy(ctx);
+    if (!ok)
+        goto err;
+    if (0) {
+ err:
+        /* Ensure we return an error */
+        if (ok > 0)
+            ok = 0;
+        X509_get_pubkey_parameters(NULL, ctx->chain);
+    }
+    if (sktmp != NULL)
+        sk_X509_free(sktmp);
+    if (chain_ss != NULL)
+        X509_free(chain_ss);
+
+    /* Safety net, error returns must set ctx->error */
+    if (ok <= 0 && ctx->error == X509_V_OK)
         ctx->error = X509_V_ERR_UNSPECIFIED;
-    return ret;
+    return ok;
 }
 
 /*
  * Given a STACK_OF(X509) find the issuer of cert (if any)
  */
+
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 {
     int i;
-    X509 *issuer, *rv = NULL;
-
+    X509 *issuer;
     for (i = 0; i < sk_X509_num(sk); i++) {
         issuer = sk_X509_value(sk, i);
-        if (ctx->check_issued(ctx, x, issuer)) {
-            rv = issuer;
-            if (x509_check_cert_time(ctx, rv, -1))
-                break;
-        }
+        if (ctx->check_issued(ctx, x, issuer))
+            return issuer;
     }
-    return rv;
+    return NULL;
 }
 
 /* Given a possible certificate and issuer check them */
@@ -326,25 +555,17 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
 static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 {
     int ret;
-    if (x == issuer)
-        return cert_self_signed(x);
     ret = X509_check_issued(issuer, x);
-    if (ret == X509_V_OK) {
-        int i;
-        X509 *ch;
-        /* Special case: single self signed certificate */
-        if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1)
-            return 1;
-        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
-            ch = sk_X509_value(ctx->chain, i);
-            if (ch == issuer || !X509_cmp(ch, issuer)) {
-                ret = X509_V_ERR_PATH_LOOP;
-                break;
-            }
-        }
-    }
+    if (ret == X509_V_OK)
+        return 1;
+    /* If we haven't asked for issuer errors don't set ctx */
+    if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
+        return 0;
 
-    return (ret == X509_V_OK);
+    ctx->error = ret;
+    ctx->current_cert = x;
+    ctx->current_issuer = issuer;
+    return ctx->verify_cb(0, ctx);
 }
 
 /* Alternative lookup method: look from a STACK stored in other_ctx */
@@ -353,83 +574,12 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 {
     *issuer = find_issuer(ctx, ctx->other_ctx, x);
     if (*issuer) {
-        X509_up_ref(*issuer);
+        CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
         return 1;
     } else
         return 0;
 }
 
-static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
-{
-    STACK_OF(X509) *sk = NULL;
-    X509 *x;
-    int i;
-    for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {
-        x = sk_X509_value(ctx->other_ctx, i);
-        if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
-            if (sk == NULL)
-                sk = sk_X509_new_null();
-            if (sk == NULL || sk_X509_push(sk, x) == 0) {
-                sk_X509_pop_free(sk, X509_free);
-                return NULL;
-            }
-            X509_up_ref(x);
-        }
-    }
-    return sk;
-}
-
-/*
- * Check EE or CA certificate purpose.  For trusted certificates explicit local
- * auxiliary trust can be used to override EKU-restrictions.
- */
-static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
-                         int must_be_ca)
-{
-    int tr_ok = X509_TRUST_UNTRUSTED;
-
-    /*
-     * For trusted certificates we want to see whether any auxiliary trust
-     * settings trump the purpose constraints.
-     *
-     * This is complicated by the fact that the trust ordinals in
-     * ctx->param->trust are entirely independent of the purpose ordinals in
-     * ctx->param->purpose!
-     *
-     * What connects them is their mutual initialization via calls from
-     * X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets
-     * related values of both param->trust and param->purpose.  It is however
-     * typically possible to infer associated trust values from a purpose value
-     * via the X509_PURPOSE API.
-     *
-     * Therefore, we can only check for trust overrides when the purpose we're
-     * checking is the same as ctx->param->purpose and ctx->param->trust is
-     * also set.
-     */
-    if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)
-        tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT);
-
-    switch (tr_ok) {
-    case X509_TRUST_TRUSTED:
-        return 1;
-    case X509_TRUST_REJECTED:
-        break;
-    default:
-        switch (X509_check_purpose(x, purpose, must_be_ca > 0)) {
-        case 1:
-            return 1;
-        case 0:
-            break;
-        default:
-            if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0)
-                return 1;
-        }
-        break;
-    }
-
-    return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
-}
-
 /*
  * Check a certificate chains extensions for consistency with the supplied
  * purpose
@@ -437,12 +587,16 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
 
 static int check_chain_extensions(X509_STORE_CTX *ctx)
 {
-    int i, must_be_ca, plen = 0;
+#ifdef OPENSSL_NO_CHAIN_VERIFY
+    return 1;
+#else
+    int i, ok = 0, must_be_ca, plen = 0;
     X509 *x;
+    int (*cb) (int xok, X509_STORE_CTX *xctx);
     int proxy_path_length = 0;
     int purpose;
     int allow_proxy_certs;
-    int num = sk_X509_num(ctx->chain);
+    cb = ctx->verify_cb;
 
     /*-
      *  must_be_ca can have 1 of 3 values:
@@ -462,22 +616,35 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
     } else {
         allow_proxy_certs =
             ! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
+        /*
+         * A hack to keep people who don't want to modify their software
+         * happy
+         */
+        if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+            allow_proxy_certs = 1;
         purpose = ctx->param->purpose;
     }
 
-    for (i = 0; i < num; i++) {
+    /* Check all untrusted certificates */
+    for (i = 0; i < ctx->last_untrusted; i++) {
         int ret;
         x = sk_X509_value(ctx->chain, i);
         if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
             && (x->ex_flags & EXFLAG_CRITICAL)) {
-            if (!verify_cb_cert(ctx, x, i,
-                                X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION))
-                return 0;
+            ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+            ctx->error_depth = i;
+            ctx->current_cert = x;
+            ok = cb(0, ctx);
+            if (!ok)
+                goto end;
         }
         if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
-            if (!verify_cb_cert(ctx, x, i,
-                                X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED))
-                return 0;
+            ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+            ctx->error_depth = i;
+            ctx->current_cert = x;
+            ok = cb(0, ctx);
+            if (!ok)
+                goto end;
         }
         ret = X509_check_ca(x);
         switch (must_be_ca) {
@@ -497,9 +664,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 ret = 1;
             break;
         default:
-            /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */
             if ((ret == 0)
-                || ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT)
+                || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
                     && (ret != 1))) {
                 ret = 0;
                 ctx->error = X509_V_ERR_INVALID_CA;
@@ -507,17 +673,36 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                 ret = 1;
             break;
         }
-        if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
-            return 0;
-        /* check_purpose() makes the callback as needed */
-        if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
-            return 0;
+        if (ret == 0) {
+            ctx->error_depth = i;
+            ctx->current_cert = x;
+            ok = cb(0, ctx);
+            if (!ok)
+                goto end;
+        }
+        if (ctx->param->purpose > 0) {
+            ret = X509_check_purpose(x, purpose, must_be_ca > 0);
+            if ((ret == 0)
+                || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
+                    && (ret != 1))) {
+                ctx->error = X509_V_ERR_INVALID_PURPOSE;
+                ctx->error_depth = i;
+                ctx->current_cert = x;
+                ok = cb(0, ctx);
+                if (!ok)
+                    goto end;
+            }
+        }
         /* Check pathlen if not self issued */
         if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
             && (x->ex_pathlen != -1)
             && (plen > (x->ex_pathlen + proxy_path_length + 1))) {
-            if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
-                return 0;
+            ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
+            ctx->error_depth = i;
+            ctx->current_cert = x;
+            ok = cb(0, ctx);
+            if (!ok)
+                goto end;
         }
         /* Increment path length if not self issued */
         if (!(x->ex_flags & EXFLAG_SI))
@@ -541,9 +726,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
              */
             if (x->ex_pcpathlen != -1) {
                 if (proxy_path_length > x->ex_pcpathlen) {
-                    if (!verify_cb_cert(ctx, x, i,
-                                        X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED))
-                        return 0;
+                    ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+                    ctx->error_depth = i;
+                    ctx->current_cert = x;
+                    ok = cb(0, ctx);
+                    if (!ok)
+                        goto end;
                 }
                 proxy_path_length = x->ex_pcpathlen;
             }
@@ -552,18 +740,19 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
         } else
             must_be_ca = 1;
     }
-    return 1;
+    ok = 1;
+ end:
+    return ok;
+#endif
 }
 
 static int check_name_constraints(X509_STORE_CTX *ctx)
 {
-    int i;
-
+    X509 *x;
+    int i, j, rv;
     /* Check name constraints for all certificates */
     for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
-        X509 *x = sk_X509_value(ctx->chain, i);
-        int j;
-
+        x = sk_X509_value(ctx->chain, i);
         /* Ignore self issued certs unless last in chain */
         if (i && (x->ex_flags & EXFLAG_SI))
             continue;
@@ -602,10 +791,8 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
              * Check that the last subject component isn't part of a
              * multivalued RDN
              */
-            if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
-                                                        last_object_loc))
-                == X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
-                                                           last_object_loc - 1))) {
+            if (X509_NAME_get_entry(tmpsubject, last_object_loc)->set
+                == X509_NAME_get_entry(tmpsubject, last_object_loc - 1)->set) {
                 err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
                 goto proxy_name_done;
             }
@@ -635,9 +822,13 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
             X509_NAME_free(tmpsubject);
 
          proxy_name_done:
-            if (err != X509_V_OK
-                && !verify_cb_cert(ctx, x, i, err))
-                return 0;
+            if (err != X509_V_OK) {
+                ctx->error = err;
+                ctx->error_depth = i;
+                ctx->current_cert = x;
+                if (!ctx->verify_cb(0, ctx))
+                    return 0;
+            }
         }
 
         /*
@@ -648,21 +839,19 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
          */
         for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
             NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
-
             if (nc) {
-                int rv = NAME_CONSTRAINTS_check(x, nc);
-
-                /* If EE certificate check commonName too */
-                if (rv == X509_V_OK && i == 0)
-                    rv = NAME_CONSTRAINTS_check_CN(x, nc);
-
+                rv = NAME_CONSTRAINTS_check(x, nc);
                 switch (rv) {
                 case X509_V_OK:
-                    break;
+                    continue;
                 case X509_V_ERR_OUT_OF_MEM:
+                    ctx->error = rv;
                     return 0;
                 default:
-                    if (!verify_cb_cert(ctx, x, i, rv))
+                    ctx->error = rv;
+                    ctx->error_depth = i;
+                    ctx->current_cert = x;
+                    if (!ctx->verify_cb(0, ctx))
                         return 0;
                     break;
                 }
@@ -674,22 +863,25 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
 
 static int check_id_error(X509_STORE_CTX *ctx, int errcode)
 {
-    return verify_cb_cert(ctx, ctx->cert, 0, errcode);
+    ctx->error = errcode;
+    ctx->current_cert = ctx->cert;
+    ctx->error_depth = 0;
+    return ctx->verify_cb(0, ctx);
 }
 
-static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
+static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
 {
     int i;
-    int n = sk_OPENSSL_STRING_num(vpm->hosts);
+    int n = sk_OPENSSL_STRING_num(id->hosts);
     char *name;
 
-    if (vpm->peername != NULL) {
-        OPENSSL_free(vpm->peername);
-        vpm->peername = NULL;
+    if (id->peername != NULL) {
+        OPENSSL_free(id->peername);
+        id->peername = NULL;
     }
     for (i = 0; i < n; ++i) {
-        name = sk_OPENSSL_STRING_value(vpm->hosts, i);
-        if (X509_check_host(x, name, 0, vpm->hostflags, &vpm->peername) > 0)
+        name = sk_OPENSSL_STRING_value(id->hosts, i);
+        if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)
             return 1;
     }
     return n == 0;
@@ -698,95 +890,65 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
 static int check_id(X509_STORE_CTX *ctx)
 {
     X509_VERIFY_PARAM *vpm = ctx->param;
+    X509_VERIFY_PARAM_ID *id = vpm->id;
     X509 *x = ctx->cert;
-    if (vpm->hosts && check_hosts(x, vpm) <= 0) {
+    if (id->hosts && check_hosts(x, id) <= 0) {
         if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
             return 0;
     }
-    if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
+    if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0) {
         if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
             return 0;
     }
-    if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
+    if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0) {
         if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
             return 0;
     }
     return 1;
 }
 
-static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
+static int check_trust(X509_STORE_CTX *ctx)
 {
-    int i;
+    int i, ok;
     X509 *x = NULL;
-    X509 *mx;
-    SSL_DANE *dane = ctx->dane;
-    int num = sk_X509_num(ctx->chain);
-    int trust;
-
-    /*
-     * Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2)
-     * match, we're done, otherwise we'll merely record the match depth.
-     */
-    if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) {
-        switch (trust = check_dane_issuer(ctx, num_untrusted)) {
-        case X509_TRUST_TRUSTED:
-        case X509_TRUST_REJECTED:
-            return trust;
-        }
-    }
-
-    /*
-     * Check trusted certificates in chain at depth num_untrusted and up.
-     * Note, that depths 0..num_untrusted-1 may also contain trusted
-     * certificates, but the caller is expected to have already checked those,
-     * and wants to incrementally check just any added since.
-     */
-    for (i = num_untrusted; i < num; i++) {
+    int (*cb) (int xok, X509_STORE_CTX *xctx);
+    cb = ctx->verify_cb;
+    /* Check all trusted certificates in chain */
+    for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
         x = sk_X509_value(ctx->chain, i);
-        trust = X509_check_trust(x, ctx->param->trust, 0);
+        ok = X509_check_trust(x, ctx->param->trust, 0);
         /* If explicitly trusted return trusted */
-        if (trust == X509_TRUST_TRUSTED)
-            goto trusted;
-        if (trust == X509_TRUST_REJECTED)
-            goto rejected;
+        if (ok == X509_TRUST_TRUSTED)
+            return X509_TRUST_TRUSTED;
+        /*
+         * If explicitly rejected notify callback and reject if not
+         * overridden.
+         */
+        if (ok == X509_TRUST_REJECTED) {
+            ctx->error_depth = i;
+            ctx->current_cert = x;
+            ctx->error = X509_V_ERR_CERT_REJECTED;
+            ok = cb(0, ctx);
+            if (!ok)
+                return X509_TRUST_REJECTED;
+        }
     }
-
     /*
-     * If we are looking at a trusted certificate, and accept partial chains,
-     * the chain is PKIX trusted.
+     * If we accept partial chains and have at least one trusted certificate
+     * return success.
      */
-    if (num_untrusted < num) {
-        if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
-            goto trusted;
-        return X509_TRUST_UNTRUSTED;
-    }
-
-    if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
-        /*
-         * Last-resort call with no new trusted certificates, check the leaf
-         * for a direct trust store match.
-         */
-        i = 0;
-        x = sk_X509_value(ctx->chain, i);
+    if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
+        X509 *mx;
+        if (ctx->last_untrusted < sk_X509_num(ctx->chain))
+            return X509_TRUST_TRUSTED;
+        x = sk_X509_value(ctx->chain, 0);
         mx = lookup_cert_match(ctx, x);
-        if (!mx)
-            return X509_TRUST_UNTRUSTED;
-
-        /*
-         * Check explicit auxiliary trust/reject settings.  If none are set,
-         * we'll accept X509_TRUST_UNTRUSTED when not self-signed.
-         */
-        trust = X509_check_trust(mx, ctx->param->trust, 0);
-        if (trust == X509_TRUST_REJECTED) {
-            X509_free(mx);
-            goto rejected;
+        if (mx) {
+            (void)sk_X509_set(ctx->chain, 0, mx);
+            X509_free(x);
+            ctx->last_untrusted = 0;
+            return X509_TRUST_TRUSTED;
         }
-
-        /* Replace leaf with trusted match */
-        (void) sk_X509_set(ctx->chain, 0, mx);
-        X509_free(x);
-        ctx->num_untrusted = 0;
-        goto trusted;
     }
 
     /*
@@ -794,26 +956,11 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
      * standard (no issuer cert) etc errors to be indicated.
      */
     return X509_TRUST_UNTRUSTED;
-
- rejected:
-    if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED))
-        return X509_TRUST_REJECTED;
-    return X509_TRUST_UNTRUSTED;
-
- trusted:
-    if (!DANETLS_ENABLED(dane))
-        return X509_TRUST_TRUSTED;
-    if (dane->pdpth < 0)
-        dane->pdpth = num_untrusted;
-    /* With DANE, PKIX alone is not trusted until we have both */
-    if (dane->mdpth >= 0)
-        return X509_TRUST_TRUSTED;
-    return X509_TRUST_UNTRUSTED;
 }
 
 static int check_revocation(X509_STORE_CTX *ctx)
 {
-    int i = 0, last = 0, ok = 0;
+    int i, last, ok;
     if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
         return 1;
     if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
@@ -836,21 +983,20 @@ static int check_revocation(X509_STORE_CTX *ctx)
 static int check_cert(X509_STORE_CTX *ctx)
 {
     X509_CRL *crl = NULL, *dcrl = NULL;
-    int ok = 0;
-    int cnum = ctx->error_depth;
-    X509 *x = sk_X509_value(ctx->chain, cnum);
-
+    X509 *x;
+    int ok = 0; /* current openssl sets 'ok' to zero here */
+    int cnum;
+    unsigned int last_reasons;
+    cnum = ctx->error_depth;
+    x = sk_X509_value(ctx->chain, cnum);
     ctx->current_cert = x;
     ctx->current_issuer = NULL;
     ctx->current_crl_score = 0;
     ctx->current_reasons = 0;
-
     if (x->ex_flags & EXFLAG_PROXY)
         return 1;
-
     while (ctx->current_reasons != CRLDP_ALL_REASONS) {
-        unsigned int last_reasons = ctx->current_reasons;
-
+        last_reasons = ctx->current_reasons;
         /* Try to retrieve relevant CRL */
         if (ctx->get_crl)
             ok = ctx->get_crl(ctx, &crl, x);
@@ -860,21 +1006,22 @@ static int check_cert(X509_STORE_CTX *ctx)
          * If error looking up CRL, nothing we can do except notify callback
          */
         if (!ok) {
-            ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
-            goto done;
+            ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+            ok = ctx->verify_cb(0, ctx);
+            goto err;
         }
         ctx->current_crl = crl;
         ok = ctx->check_crl(ctx, crl);
         if (!ok)
-            goto done;
+            goto err;
 
         if (dcrl) {
             ok = ctx->check_crl(ctx, dcrl);
             if (!ok)
-                goto done;
+                goto err;
             ok = ctx->cert_crl(ctx, dcrl, x);
             if (!ok)
-                goto done;
+                goto err;
         } else
             ok = 1;
 
@@ -882,7 +1029,7 @@ static int check_cert(X509_STORE_CTX *ctx)
         if (ok != 2) {
             ok = ctx->cert_crl(ctx, crl, x);
             if (!ok)
-                goto done;
+                goto err;
         }
 
         X509_CRL_free(crl);
@@ -890,20 +1037,22 @@ static int check_cert(X509_STORE_CTX *ctx)
         crl = NULL;
         dcrl = NULL;
         /*
-         * If reasons not updated we won't get anywhere by another iteration,
+         * If reasons not updated we wont get anywhere by another iteration,
          * so exit loop.
          */
         if (last_reasons == ctx->current_reasons) {
-            ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
-            goto done;
+            ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+            ok = ctx->verify_cb(0, ctx);
+            goto err;
         }
     }
- done:
+ err:
     X509_CRL_free(crl);
     X509_CRL_free(dcrl);
 
     ctx->current_crl = NULL;
     return ok;
+
 }
 
 /* Check CRL times against values in X509_STORE_CTX */
@@ -912,7 +1061,6 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 {
     time_t *ptime;
     int i;
-
     if (notify)
         ctx->current_crl = crl;
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
@@ -922,35 +1070,39 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
     else
         ptime = NULL;
 
-    i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
+    i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
     if (i == 0) {
         if (!notify)
             return 0;
-        if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD))
+        ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+        if (!ctx->verify_cb(0, ctx))
             return 0;
     }
 
     if (i > 0) {
         if (!notify)
             return 0;
-        if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID))
+        ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;
+        if (!ctx->verify_cb(0, ctx))
             return 0;
     }
 
-    if (X509_CRL_get0_nextUpdate(crl)) {
-        i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
+    if (X509_CRL_get_nextUpdate(crl)) {
+        i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
 
         if (i == 0) {
             if (!notify)
                 return 0;
-            if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD))
+            ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+            if (!ctx->verify_cb(0, ctx))
                 return 0;
         }
         /* Ignore expiry of base CRL is delta is valid */
         if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
             if (!notify)
                 return 0;
-            if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED))
+            ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;
+            if (!ctx->verify_cb(0, ctx))
                 return 0;
         }
     }
@@ -980,8 +1132,8 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
         /* If current CRL is equivalent use it if it is newer */
         if (crl_score == best_score && best_crl != NULL) {
             int day, sec;
-            if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
-                               X509_CRL_get0_lastUpdate(crl)) == 0)
+            if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
+                               X509_CRL_get_lastUpdate(crl)) == 0)
                 continue;
             /*
              * ASN1_TIME_diff never returns inconsistent signs for |day|
@@ -997,14 +1149,17 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
     }
 
     if (best_crl) {
-        X509_CRL_free(*pcrl);
+        if (*pcrl)
+            X509_CRL_free(*pcrl);
         *pcrl = best_crl;
         *pissuer = best_crl_issuer;
         *pscore = best_score;
         *preasons = best_reasons;
-        X509_CRL_up_ref(best_crl);
-        X509_CRL_free(*pdcrl);
-        *pdcrl = NULL;
+        CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
+        if (*pdcrl) {
+            X509_CRL_free(*pdcrl);
+            *pdcrl = NULL;
+        }
         get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
     }
 
@@ -1100,7 +1255,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
         if (check_delta_base(delta, base)) {
             if (check_crl_time(ctx, delta, 0))
                 *pscore |= CRL_SCORE_TIME_DELTA;
-            X509_CRL_up_ref(delta);
+            CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
             *dcrl = delta;
             return;
         }
@@ -1242,7 +1397,6 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
 {
     X509_STORE_CTX crl_ctx;
     int ret;
-
     /* Don't allow recursive CRL path validation */
     if (ctx->parent)
         return 0;
@@ -1258,10 +1412,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
 
     /* Verify CRL issuer */
     ret = X509_verify_cert(&crl_ctx);
+
     if (ret <= 0)
         goto err;
 
     /* Check chain is acceptable */
+
     ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
  err:
     X509_STORE_CTX_cleanup(&crl_ctx);
@@ -1418,10 +1574,10 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
     X509_CRL *crl = NULL, *dcrl = NULL;
     STACK_OF(X509_CRL) *skcrl;
     X509_NAME *nm = X509_get_issuer_name(x);
-
     reasons = ctx->current_reasons;
     ok = get_crl_sk(ctx, &crl, &dcrl,
                     &issuer, &crl_score, &reasons, ctx->crls);
+
     if (ok)
         goto done;
 
@@ -1438,6 +1594,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
     sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
 
  done:
+
     /* If we got any kind of CRL use it and return success */
     if (crl) {
         ctx->current_issuer = issuer;
@@ -1447,6 +1604,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
         *pdcrl = dcrl;
         return 1;
     }
+
     return 0;
 }
 
@@ -1455,12 +1613,13 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
 {
     X509 *issuer = NULL;
     EVP_PKEY *ikey = NULL;
-    int cnum = ctx->error_depth;
-    int chnum = sk_X509_num(ctx->chain) - 1;
-
+    int ok = 0, chnum, cnum;
+    cnum = ctx->error_depth;
+    chnum = sk_X509_num(ctx->chain) - 1;
     /* if we have an alternative CRL issuer cert use that */
     if (ctx->current_issuer)
         issuer = ctx->current_issuer;
+
     /*
      * Else find CRL issuer: if not last certificate then issuer is next
      * certificate in chain.
@@ -1470,85 +1629,121 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
     else {
         issuer = sk_X509_value(ctx->chain, chnum);
         /* If not self signed, can't check signature */
-        if (!ctx->check_issued(ctx, issuer, issuer) &&
-            !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER))
-            return 0;
+        if (!ctx->check_issued(ctx, issuer, issuer)) {
+            ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
+            ok = ctx->verify_cb(0, ctx);
+            if (!ok)
+                goto err;
+        }
     }
 
-    if (issuer == NULL)
-        return 1;
+    if (issuer) {
+        /*
+         * Skip most tests for deltas because they have already been done
+         */
+        if (!crl->base_crl_number) {
+            /* Check for cRLSign bit if keyUsage present */
+            if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
+                !(issuer->ex_kusage & KU_CRL_SIGN)) {
+                ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok)
+                    goto err;
+            }
 
-    /*
-     * Skip most tests for deltas because they have already been done
-     */
-    if (!crl->base_crl_number) {
-        /* Check for cRLSign bit if keyUsage present */
-        if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
-            !(issuer->ex_kusage & KU_CRL_SIGN) &&
-            !verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN))
-            return 0;
+            if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {
+                ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok)
+                    goto err;
+            }
 
-        if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) &&
-            !verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE))
-            return 0;
+            if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) {
+                if (check_crl_path(ctx, ctx->current_issuer) <= 0) {
+                    ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
+                    ok = ctx->verify_cb(0, ctx);
+                    if (!ok)
+                        goto err;
+                }
+            }
 
-        if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) &&
-            check_crl_path(ctx, ctx->current_issuer) <= 0 &&
-            !verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR))
-            return 0;
+            if (crl->idp_flags & IDP_INVALID) {
+                ctx->error = X509_V_ERR_INVALID_EXTENSION;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok)
+                    goto err;
+            }
 
-        if ((crl->idp_flags & IDP_INVALID) &&
-            !verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION))
-            return 0;
-    }
+        }
 
-    if (!(ctx->current_crl_score & CRL_SCORE_TIME) &&
-        !check_crl_time(ctx, crl, 1))
-        return 0;
+        if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {
+            ok = check_crl_time(ctx, crl, 1);
+            if (!ok)
+                goto err;
+        }
 
-    /* Attempt to get issuer certificate public key */
-    ikey = X509_get0_pubkey(issuer);
+        /* Attempt to get issuer certificate public key */
+        ikey = X509_get_pubkey(issuer);
 
-    if (!ikey &&
-        !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
-        return 0;
+        if (!ikey) {
+            ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+            ok = ctx->verify_cb(0, ctx);
+            if (!ok)
+                goto err;
+        } else {
+            int rv;
+            rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
+            if (rv != X509_V_OK) {
+                ctx->error = rv;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok)
+                    goto err;
+            }
+            /* Verify CRL signature */
+            if (X509_CRL_verify(crl, ikey) <= 0) {
+                ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok)
+                    goto err;
+            }
+        }
+    }
 
-    if (ikey) {
-        int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
+    ok = 1;
 
-        if (rv != X509_V_OK && !verify_cb_crl(ctx, rv))
-            return 0;
-        /* Verify CRL signature */
-        if (X509_CRL_verify(crl, ikey) <= 0 &&
-            !verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE))
-            return 0;
-    }
-    return 1;
+ err:
+    EVP_PKEY_free(ikey);
+    return ok;
 }
 
 /* Check certificate against CRL */
 static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 {
+    int ok;
     X509_REVOKED *rev;
-
     /*
      * The rules changed for this... previously if a CRL contained unhandled
      * critical extensions it could still be used to indicate a certificate
-     * was revoked. This has since been changed since critical extensions can
+     * was revoked. This has since been changed since critical extension can
      * change the meaning of CRL entries.
      */
     if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-        && (crl->flags & EXFLAG_CRITICAL) &&
-        !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION))
-        return 0;
+        && (crl->flags & EXFLAG_CRITICAL)) {
+        ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+        ok = ctx->verify_cb(0, ctx);
+        if (!ok)
+            return 0;
+    }
     /*
-     * Look for serial number of certificate in CRL.  If found, make sure
-     * reason is not removeFromCRL.
+     * Look for serial number of certificate in CRL If found make sure reason
+     * is not removeFromCRL.
      */
     if (X509_CRL_get0_by_cert(crl, &rev, x)) {
         if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
             return 2;
-        if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED))
+        ctx->error = X509_V_ERR_CERT_REVOKED;
+        ok = ctx->verify_cb(0, ctx);
+        if (!ok)
             return 0;
     }
 
@@ -1558,60 +1753,38 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 static int check_policy(X509_STORE_CTX *ctx)
 {
     int ret;
-
     if (ctx->parent)
         return 1;
-    /*
-     * With DANE, the trust anchor might be a bare public key, not a
-     * certificate!  In that case our chain does not have the trust anchor
-     * certificate as a top-most element.  This comports well with RFC5280
-     * chain verification, since there too, the trust anchor is not part of the
-     * chain to be verified.  In particular, X509_policy_check() does not look
-     * at the TA cert, but assumes that it is present as the top-most chain
-     * element.  We therefore temporarily push a NULL cert onto the chain if it
-     * was verified via a bare public key, and pop it off right after the
-     * X509_policy_check() call.
-     */
-    if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) {
-        X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
-        ctx->error = X509_V_ERR_OUT_OF_MEM;
-        return 0;
-    }
     ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
                             ctx->param->policies, ctx->param->flags);
-    if (ctx->bare_ta_signed)
-        sk_X509_pop(ctx->chain);
-
-    if (ret == X509_PCY_TREE_INTERNAL) {
+    if (ret == 0) {
         X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
         ctx->error = X509_V_ERR_OUT_OF_MEM;
         return 0;
     }
     /* Invalid or inconsistent extensions */
-    if (ret == X509_PCY_TREE_INVALID) {
+    if (ret == -1) {
+        /*
+         * Locate certificates with bad extensions and notify callback.
+         */
+        X509 *x;
         int i;
-
-        /* Locate certificates with bad extensions and notify callback. */
         for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-            X509 *x = sk_X509_value(ctx->chain, i);
-
+            x = sk_X509_value(ctx->chain, i);
             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
                 continue;
-            if (!verify_cb_cert(ctx, x, i,
-                                X509_V_ERR_INVALID_POLICY_EXTENSION))
+            ctx->current_cert = x;
+            ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
+            if (!ctx->verify_cb(0, ctx))
                 return 0;
         }
         return 1;
     }
-    if (ret == X509_PCY_TREE_FAILURE) {
+    if (ret == -2) {
         ctx->current_cert = NULL;
         ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
         return ctx->verify_cb(0, ctx);
     }
-    if (ret != X509_PCY_TREE_VALID) {
-        X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
-        return 0;
-    }
 
     if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
         ctx->current_cert = NULL;
@@ -1628,14 +1801,7 @@ static int check_policy(X509_STORE_CTX *ctx)
     return 1;
 }
 
-/*-
- * Check certificate validity times.
- * If depth >= 0, invoke verification callbacks on error, otherwise just return
- * the validation status.
- *
- * Return 1 on success, 0 otherwise.
- */
-int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
+static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 {
     time_t *ptime;
     int i;
@@ -1647,42 +1813,52 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
     else
         ptime = NULL;
 
-    i = X509_cmp_time(X509_get0_notBefore(x), ptime);
-    if (i >= 0 && depth < 0)
-        return 0;
-    if (i == 0 && !verify_cb_cert(ctx, x, depth,
-                                  X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD))
-        return 0;
-    if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID))
-        return 0;
+    i = X509_cmp_time(X509_get_notBefore(x), ptime);
+    if (i == 0) {
+        ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+        ctx->current_cert = x;
+        if (!ctx->verify_cb(0, ctx))
+            return 0;
+    }
+
+    if (i > 0) {
+        ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
+        ctx->current_cert = x;
+        if (!ctx->verify_cb(0, ctx))
+            return 0;
+    }
+
+    i = X509_cmp_time(X509_get_notAfter(x), ptime);
+    if (i == 0) {
+        ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+        ctx->current_cert = x;
+        if (!ctx->verify_cb(0, ctx))
+            return 0;
+    }
+
+    if (i < 0) {
+        ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
+        ctx->current_cert = x;
+        if (!ctx->verify_cb(0, ctx))
+            return 0;
+    }
 
-    i = X509_cmp_time(X509_get0_notAfter(x), ptime);
-    if (i <= 0 && depth < 0)
-        return 0;
-    if (i == 0 && !verify_cb_cert(ctx, x, depth,
-                                  X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD))
-        return 0;
-    if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED))
-        return 0;
     return 1;
 }
 
 static int internal_verify(X509_STORE_CTX *ctx)
 {
-    int n = sk_X509_num(ctx->chain) - 1;
-    X509 *xi = sk_X509_value(ctx->chain, n);
-    X509 *xs;
+    int ok = 0, n;
+    X509 *xs, *xi;
+    EVP_PKEY *pkey = NULL;
+    int (*cb) (int xok, X509_STORE_CTX *xctx);
 
-    /*
-     * With DANE-verified bare public key TA signatures, it remains only to
-     * check the timestamps of the top certificate.  We report the issuer as
-     * NULL, since all we have is a bare key.
-     */
-    if (ctx->bare_ta_signed) {
-        xs = xi;
-        xi = NULL;
-        goto check_cert;
-    }
+    cb = ctx->verify_cb;
+
+    n = sk_X509_num(ctx->chain);
+    ctx->error_depth = n - 1;
+    n--;
+    xi = sk_X509_value(ctx->chain, n);
 
     if (ctx->check_issued(ctx, xi, xi))
         xs = xi;
@@ -1691,60 +1867,72 @@ static int internal_verify(X509_STORE_CTX *ctx)
             xs = xi;
             goto check_cert;
         }
-        if (n <= 0)
-            return verify_cb_cert(ctx, xi, 0,
-                                  X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
-        n--;
-        ctx->error_depth = n;
-        xs = sk_X509_value(ctx->chain, n);
+        if (n <= 0) {
+            ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+            ctx->current_cert = xi;
+            ok = cb(0, ctx);
+            goto end;
+        } else {
+            n--;
+            ctx->error_depth = n;
+            xs = sk_X509_value(ctx->chain, n);
+        }
     }
 
-    /*
-     * Do not clear ctx->error=0, it must be "sticky", only the user's callback
-     * is allowed to reset errors (at its own peril).
-     */
+/*      ctx->error=0;  not needed */
     while (n >= 0) {
-        EVP_PKEY *pkey;
+        ctx->error_depth = n;
 
         /*
-         * Skip signature check for self signed certificates unless explicitly
-         * asked for.  It doesn't add any security and just wastes time.  If
-         * the issuer's public key is unusable, report the issuer certificate
-         * and its depth (rather than the depth of the subject).
+         * Skip signature check for self signed certificates unless
+         * explicitly asked for. It doesn't add any security and just wastes
+         * time.
          */
-        if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
-            if ((pkey = X509_get0_pubkey(xi)) == NULL) {
-                if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
-                        X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
-                    return 0;
+        if (!xs->valid
+            && (xs != xi
+                || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
+            if ((pkey = X509_get_pubkey(xi)) == NULL) {
+                ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+                ctx->current_cert = xi;
+                ok = (*cb) (0, ctx);
+                if (!ok)
+                    goto end;
             } else if (X509_verify(xs, pkey) <= 0) {
-                if (!verify_cb_cert(ctx, xs, n,
-                                    X509_V_ERR_CERT_SIGNATURE_FAILURE))
-                    return 0;
+                ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
+                ctx->current_cert = xs;
+                ok = (*cb) (0, ctx);
+                if (!ok) {
+                    EVP_PKEY_free(pkey);
+                    goto end;
+                }
             }
+            EVP_PKEY_free(pkey);
+            pkey = NULL;
         }
 
+        xs->valid = 1;
+
  check_cert:
-        /* Calls verify callback as needed */
-        if (!x509_check_cert_time(ctx, xs, n))
-            return 0;
+        ok = check_cert_time(ctx, xs);
+        if (!ok)
+            goto end;
 
-        /*
-         * Signal success at this depth.  However, the previous error (if any)
-         * is retained.
-         */
+        /* The last error (if any) is still in the error value */
         ctx->current_issuer = xi;
         ctx->current_cert = xs;
-        ctx->error_depth = n;
-        if (!ctx->verify_cb(1, ctx))
-            return 0;
+        ok = (*cb) (1, ctx);
+        if (!ok)
+            goto end;
 
-        if (--n >= 0) {
+        n--;
+        if (n >= 0) {
             xi = xs;
             xs = sk_X509_value(ctx->chain, n);
         }
     }
-    return 1;
+    ok = 1;
+ end:
+    return ok;
 }
 
 int X509_cmp_current_time(const ASN1_TIME *ctm)
@@ -1907,7 +2095,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         return 1;
 
     for (i = 0; i < sk_X509_num(chain); i++) {
-        ktmp = X509_get0_pubkey(sk_X509_value(chain, i));
+        ktmp = X509_get_pubkey(sk_X509_value(chain, i));
         if (ktmp == NULL) {
             X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
                     X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
@@ -1915,6 +2103,10 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
         }
         if (!EVP_PKEY_missing_parameters(ktmp))
             break;
+        else {
+            EVP_PKEY_free(ktmp);
+            ktmp = NULL;
+        }
     }
     if (ktmp == NULL) {
         X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
@@ -1924,12 +2116,14 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
 
     /* first, populate the other certs */
     for (j = i - 1; j >= 0; j--) {
-        ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
+        ktmp2 = X509_get_pubkey(sk_X509_value(chain, j));
         EVP_PKEY_copy_parameters(ktmp2, ktmp);
+        EVP_PKEY_free(ktmp2);
     }
 
     if (pkey != NULL)
         EVP_PKEY_copy_parameters(pkey, ktmp);
+    EVP_PKEY_free(ktmp);
     return 1;
 }
 
@@ -1978,15 +2172,15 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
     }
     /* Create new CRL */
     crl = X509_CRL_new();
-    if (crl == NULL || !X509_CRL_set_version(crl, 1))
+    if (!crl || !X509_CRL_set_version(crl, 1))
         goto memerr;
     /* Set issuer name */
     if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
         goto memerr;
 
-    if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
+    if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer)))
         goto memerr;
-    if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
+    if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer)))
         goto memerr;
 
     /* Set base CRL number: must be critical */
@@ -2017,7 +2211,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
          * Add only if not also in base. TODO: need something cleverer here
          * for some more complex CRLs covering multiple CAs.
          */
-        if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
+        if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
             rvtmp = X509_REVOKED_dup(rvn);
             if (!rvtmp)
                 goto memerr;
@@ -2036,10 +2230,24 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
 
  memerr:
     X509err(X509_F_X509_CRL_DIFF, ERR_R_MALLOC_FAILURE);
-    X509_CRL_free(crl);
+    if (crl)
+        X509_CRL_free(crl);
     return NULL;
 }
 
+int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
+                                    CRYPTO_EX_new *new_func,
+                                    CRYPTO_EX_dup *dup_func,
+                                    CRYPTO_EX_free *free_func)
+{
+    /*
+     * This function is (usually) called only once, by
+     * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
+     */
+    return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
+                                   new_func, dup_func, free_func);
+}
+
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
 {
     return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
@@ -2065,22 +2273,12 @@ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
     return ctx->error_depth;
 }
 
-void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
-{
-    ctx->error_depth = depth;
-}
-
 X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
 {
     return ctx->current_cert;
 }
 
-void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
-{
-    ctx->current_cert = x;
-}
-
-STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
+STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
 {
     return ctx->chain;
 }
@@ -2112,6 +2310,11 @@ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
     ctx->cert = x;
 }
 
+void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+{
+    ctx->untrusted = sk;
+}
+
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
 {
     ctx->crls = sk;
@@ -2119,20 +2322,11 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
 
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
 {
-    /*
-     * XXX: Why isn't this function always used to set the associated trust?
-     * Should there even be a VPM->trust field at all?  Or should the trust
-     * always be inferred from the purpose by X509_STORE_CTX_init().
-     */
     return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
 }
 
 int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
 {
-    /*
-     * XXX: See above, this function would only be needed when the default
-     * trust for the purpose needs an override in a corner case.
-     */
     return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
 }
 
@@ -2166,11 +2360,6 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
         ptmp = X509_PURPOSE_get0(idx);
         if (ptmp->trust == X509_TRUST_DEFAULT) {
             idx = X509_PURPOSE_get_by_id(def_purpose);
-            /*
-             * XXX: In the two callers above def_purpose is always 0, which is
-             * not a known value, so idx will always be -1.  How is the
-             * X509_TRUST_DEFAULT case actually supposed to be handled?
-             */
             if (idx == -1) {
                 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                         X509_R_UNKNOWN_PURPOSE_ID);
@@ -2200,20 +2389,20 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
 
 X509_STORE_CTX *X509_STORE_CTX_new(void)
 {
-    X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    if (ctx == NULL) {
+    X509_STORE_CTX *ctx;
+    ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
+    if (!ctx) {
         X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
+    memset(ctx, 0, sizeof(X509_STORE_CTX));
     return ctx;
 }
 
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
 {
-    if (ctx == NULL)
+    if (!ctx)
         return;
-
     X509_STORE_CTX_cleanup(ctx);
     OPENSSL_free(ctx);
 }
@@ -2222,12 +2411,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
                         STACK_OF(X509) *chain)
 {
     int ret = 1;
-
     ctx->ctx = store;
+    ctx->current_method = 0;
     ctx->cert = x509;
     ctx->untrusted = chain;
     ctx->crls = NULL;
-    ctx->num_untrusted = 0;
+    ctx->last_untrusted = 0;
     ctx->other_ctx = NULL;
     ctx->valid = 0;
     ctx->chain = NULL;
@@ -2241,17 +2430,39 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
     ctx->current_reasons = 0;
     ctx->tree = NULL;
     ctx->parent = NULL;
-    ctx->dane = NULL;
-    ctx->bare_ta_signed = 0;
     /* Zero ex_data to make sure we're cleanup-safe */
     memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
 
-    /* store->cleanup is always 0 in OpenSSL, if set must be idempotent */
+    ctx->param = X509_VERIFY_PARAM_new();
+    if (!ctx->param) {
+        X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
+
+    /*
+     * Inherit callbacks and flags from X509_STORE if not set use defaults.
+     */
     if (store)
-        ctx->cleanup = store->cleanup;
+        ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
     else
+        ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
+
+    if (store) {
+        ctx->verify_cb = store->verify_cb;
+        /* Seems to always be 0 in OpenSSL, else must be idempotent */
+        ctx->cleanup = store->cleanup;
+    } else
         ctx->cleanup = 0;
 
+    if (ret)
+        ret = X509_VERIFY_PARAM_inherit(ctx->param,
+                                        X509_VERIFY_PARAM_lookup("default"));
+
+    if (ret == 0) {
+        X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
     if (store && store->check_issued)
         ctx->check_issued = store->check_issued;
     else
@@ -2292,55 +2503,17 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
     else
         ctx->cert_crl = cert_crl;
 
-    if (store && store->check_policy)
-        ctx->check_policy = store->check_policy;
-    else
-        ctx->check_policy = check_policy;
-
     if (store && store->lookup_certs)
         ctx->lookup_certs = store->lookup_certs;
     else
-        ctx->lookup_certs = X509_STORE_CTX_get1_certs;
+        ctx->lookup_certs = X509_STORE_get1_certs;
 
     if (store && store->lookup_crls)
         ctx->lookup_crls = store->lookup_crls;
     else
-        ctx->lookup_crls = X509_STORE_CTX_get1_crls;
-
-    ctx->param = X509_VERIFY_PARAM_new();
-    if (ctx->param == NULL) {
-        X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    /*
-     * Inherit callbacks and flags from X509_STORE if not set use defaults.
-     */
-    if (store)
-        ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
-    else
-        ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
-
-    if (ret)
-        ret = X509_VERIFY_PARAM_inherit(ctx->param,
-                                        X509_VERIFY_PARAM_lookup("default"));
-
-    if (ret == 0) {
-        X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    /*
-     * XXX: For now, continue to inherit trust from VPM, but infer from the
-     * purpose if this still yields the default value.
-     */
-    if (ctx->param->trust == X509_TRUST_DEFAULT) {
-        int idx = X509_PURPOSE_get_by_id(ctx->param->purpose);
-        X509_PURPOSE *xp = X509_PURPOSE_get0(idx);
+        ctx->lookup_crls = X509_STORE_get1_crls;
 
-        if (xp != NULL)
-            ctx->param->trust = X509_PURPOSE_get_trust(xp);
-    }
+    ctx->check_policy = check_policy;
 
     if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
                            &ctx->ex_data))
@@ -2360,11 +2533,11 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
  * Set alternative lookup method: just a STACK of trusted certificates. This
  * avoids X509_STORE nastiness where it isn't needed.
  */
-void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
+
+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
 {
     ctx->other_ctx = sk;
     ctx->get_issuer = get_issuer_sk;
-    ctx->lookup_certs = lookup_certs_sk;
 }
 
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
@@ -2385,12 +2558,16 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
             X509_VERIFY_PARAM_free(ctx->param);
         ctx->param = NULL;
     }
-    X509_policy_tree_free(ctx->tree);
-    ctx->tree = NULL;
-    sk_X509_pop_free(ctx->chain, X509_free);
-    ctx->chain = NULL;
+    if (ctx->tree != NULL) {
+        X509_policy_tree_free(ctx->tree);
+        ctx->tree = NULL;
+    }
+    if (ctx->chain != NULL) {
+        sk_X509_pop_free(ctx->chain, X509_free);
+        ctx->chain = NULL;
+    }
     CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
-    memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
+    memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA));
 }
 
 void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
@@ -2409,99 +2586,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
     X509_VERIFY_PARAM_set_time(ctx->param, t);
 }
 
-X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
-{
-    return ctx->cert;
-}
-
-STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
-{
-    return ctx->untrusted;
-}
-
-void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
-{
-    ctx->untrusted = sk;
-}
-
-void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
-{
-    sk_X509_pop_free(ctx->chain, X509_free);
-    ctx->chain = sk;
-}
-
 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
-                                  X509_STORE_CTX_verify_cb verify_cb)
+                                  int (*verify_cb) (int, X509_STORE_CTX *))
 {
     ctx->verify_cb = verify_cb;
 }
 
-X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx)
-{
-    return ctx->verify_cb;
-}
-
-void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
-                               X509_STORE_CTX_verify_fn verify)
-{
-    ctx->verify = verify;
-}
-
-X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
-{
-    return ctx->verify;
-}
-
-X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx)
-{
-    return ctx->get_issuer;
-}
-
-X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx)
-{
-    return ctx->check_issued;
-}
-
-X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx)
-{
-    return ctx->check_revocation;
-}
-
-X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx)
-{
-    return ctx->get_crl;
-}
-
-X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx)
-{
-    return ctx->check_crl;
-}
-
-X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx)
-{
-    return ctx->cert_crl;
-}
-
-X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx)
-{
-    return ctx->check_policy;
-}
-
-X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx)
-{
-    return ctx->lookup_certs;
-}
-
-X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx)
-{
-    return ctx->lookup_crls;
-}
-
-X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx)
-{
-    return ctx->cleanup;
-}
-
 X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
 {
     return ctx->tree;
@@ -2512,11 +2602,6 @@ int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
     return ctx->explicit_policy;
 }
 
-int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
-{
-    return ctx->num_untrusted;
-}
-
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
 {
     const X509_VERIFY_PARAM *param;
@@ -2533,743 +2618,17 @@ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
 
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
 {
-    X509_VERIFY_PARAM_free(ctx->param);
+    if (ctx->param)
+        X509_VERIFY_PARAM_free(ctx->param);
     ctx->param = param;
 }
 
-void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane)
-{
-    ctx->dane = dane;
-}
+IMPLEMENT_STACK_OF(X509)
 
-static unsigned char *dane_i2d(
-    X509 *cert,
-    uint8_t selector,
-    unsigned int *i2dlen)
-{
-    unsigned char *buf = NULL;
-    int len;
+IMPLEMENT_ASN1_SET_OF(X509)
 
-    /*
-     * Extract ASN.1 DER form of certificate or public key.
-     */
-    switch (selector) {
-    case DANETLS_SELECTOR_CERT:
-        len = i2d_X509(cert, &buf);
-        break;
-    case DANETLS_SELECTOR_SPKI:
-        len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf);
-        break;
-    default:
-        X509err(X509_F_DANE_I2D, X509_R_BAD_SELECTOR);
-        return NULL;
-    }
+IMPLEMENT_STACK_OF(X509_NAME)
 
-    if (len < 0 || buf == NULL) {
-        X509err(X509_F_DANE_I2D, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
+IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
 
-    *i2dlen = (unsigned int)len;
-    return buf;
-}
-
-#define DANETLS_NONE 256        /* impossible uint8_t */
-
-static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
-{
-    SSL_DANE *dane = ctx->dane;
-    unsigned usage = DANETLS_NONE;
-    unsigned selector = DANETLS_NONE;
-    unsigned ordinal = DANETLS_NONE;
-    unsigned mtype = DANETLS_NONE;
-    unsigned char *i2dbuf = NULL;
-    unsigned int i2dlen = 0;
-    unsigned char mdbuf[EVP_MAX_MD_SIZE];
-    unsigned char *cmpbuf = NULL;
-    unsigned int cmplen = 0;
-    int i;
-    int recnum;
-    int matched = 0;
-    danetls_record *t = NULL;
-    uint32_t mask;
-
-    mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK;
-
-    /*
-     * The trust store is not applicable with DANE-TA(2)
-     */
-    if (depth >= ctx->num_untrusted)
-        mask &= DANETLS_PKIX_MASK;
-
-    /*
-     * If we've previously matched a PKIX-?? record, no need to test any
-     * further PKIX-?? records, it remains to just build the PKIX chain.
-     * Had the match been a DANE-?? record, we'd be done already.
-     */
-    if (dane->mdpth >= 0)
-        mask &= ~DANETLS_PKIX_MASK;
-
-    /*-
-     * https://tools.ietf.org/html/rfc7671#section-5.1
-     * https://tools.ietf.org/html/rfc7671#section-5.2
-     * https://tools.ietf.org/html/rfc7671#section-5.3
-     * https://tools.ietf.org/html/rfc7671#section-5.4
-     *
-     * We handle DANE-EE(3) records first as they require no chain building
-     * and no expiration or hostname checks.  We also process digests with
-     * higher ordinals first and ignore lower priorities except Full(0) which
-     * is always processed (last).  If none match, we then process PKIX-EE(1).
-     *
-     * NOTE: This relies on DANE usages sorting before the corresponding PKIX
-     * usages in SSL_dane_tlsa_add(), and also on descending sorting of digest
-     * priorities.  See twin comment in ssl/ssl_lib.c.
-     *
-     * We expect that most TLSA RRsets will have just a single usage, so we
-     * don't go out of our way to cache multiple selector-specific i2d buffers
-     * across usages, but if the selector happens to remain the same as switch
-     * usages, that's OK.  Thus, a set of "3 1 1", "3 0 1", "1 1 1", "1 0 1",
-     * records would result in us generating each of the certificate and public
-     * key DER forms twice, but more typically we'd just see multiple "3 1 1"
-     * or multiple "3 0 1" records.
-     *
-     * As soon as we find a match at any given depth, we stop, because either
-     * we've matched a DANE-?? record and the peer is authenticated, or, after
-     * exhausting all DANE-?? records, we've matched a PKIX-?? record, which is
-     * sufficient for DANE, and what remains to do is ordinary PKIX validation.
-     */
-    recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0;
-    for (i = 0; matched == 0 && i < recnum; ++i) {
-        t = sk_danetls_record_value(dane->trecs, i);
-        if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0)
-            continue;
-        if (t->usage != usage) {
-            usage = t->usage;
-
-            /* Reset digest agility for each usage/selector pair */
-            mtype = DANETLS_NONE;
-            ordinal = dane->dctx->mdord[t->mtype];
-        }
-        if (t->selector != selector) {
-            selector = t->selector;
-
-            /* Update per-selector state */
-            OPENSSL_free(i2dbuf);
-            i2dbuf = dane_i2d(cert, selector, &i2dlen);
-            if (i2dbuf == NULL)
-                return -1;
-
-            /* Reset digest agility for each usage/selector pair */
-            mtype = DANETLS_NONE;
-            ordinal = dane->dctx->mdord[t->mtype];
-        } else if (t->mtype != DANETLS_MATCHING_FULL) {
-            /*-
-             * Digest agility:
-             *
-             *     <https://tools.ietf.org/html/rfc7671#section-9>
-             *
-             * For a fixed selector, after processing all records with the
-             * highest mtype ordinal, ignore all mtypes with lower ordinals
-             * other than "Full".
-             */
-            if (dane->dctx->mdord[t->mtype] < ordinal)
-                continue;
-        }
-
-        /*
-         * Each time we hit a (new selector or) mtype, re-compute the relevant
-         * digest, more complex caching is not worth the code space.
-         */
-        if (t->mtype != mtype) {
-            const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype];
-            cmpbuf = i2dbuf;
-            cmplen = i2dlen;
-
-            if (md != NULL) {
-                cmpbuf = mdbuf;
-                if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
-                    matched = -1;
-                    break;
-                }
-            }
-        }
-
-        /*
-         * Squirrel away the certificate and depth if we have a match.  Any
-         * DANE match is dispositive, but with PKIX we still need to build a
-         * full chain.
-         */
-        if (cmplen == t->dlen &&
-            memcmp(cmpbuf, t->data, cmplen) == 0) {
-            if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK)
-                matched = 1;
-            if (matched || dane->mdpth < 0) {
-                dane->mdpth = depth;
-                dane->mtlsa = t;
-                OPENSSL_free(dane->mcert);
-                dane->mcert = cert;
-                X509_up_ref(cert);
-            }
-            break;
-        }
-    }
-
-    /* Clear the one-element DER cache */
-    OPENSSL_free(i2dbuf);
-    return matched;
-}
-
-static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
-{
-    SSL_DANE *dane = ctx->dane;
-    int matched = 0;
-    X509 *cert;
-
-    if (!DANETLS_HAS_TA(dane) || depth == 0)
-        return  X509_TRUST_UNTRUSTED;
-
-    /*
-     * Record any DANE trust-anchor matches, for the first depth to test, if
-     * there's one at that depth. (This'll be false for length 1 chains looking
-     * for an exact match for the leaf certificate).
-     */
-    cert = sk_X509_value(ctx->chain, depth);
-    if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
-        return  X509_TRUST_REJECTED;
-    if (matched > 0) {
-        ctx->num_untrusted = depth - 1;
-        return  X509_TRUST_TRUSTED;
-    }
-
-    return  X509_TRUST_UNTRUSTED;
-}
-
-static int check_dane_pkeys(X509_STORE_CTX *ctx)
-{
-    SSL_DANE *dane = ctx->dane;
-    danetls_record *t;
-    int num = ctx->num_untrusted;
-    X509 *cert = sk_X509_value(ctx->chain, num - 1);
-    int recnum = sk_danetls_record_num(dane->trecs);
-    int i;
-
-    for (i = 0; i < recnum; ++i) {
-        t = sk_danetls_record_value(dane->trecs, i);
-        if (t->usage != DANETLS_USAGE_DANE_TA ||
-            t->selector != DANETLS_SELECTOR_SPKI ||
-            t->mtype != DANETLS_MATCHING_FULL ||
-            X509_verify(cert, t->spki) <= 0)
-            continue;
-
-        /* Clear any PKIX-?? matches that failed to extend to a full chain */
-        X509_free(dane->mcert);
-        dane->mcert = NULL;
-
-        /* Record match via a bare TA public key */
-        ctx->bare_ta_signed = 1;
-        dane->mdpth = num - 1;
-        dane->mtlsa = t;
-
-        /* Prune any excess chain certificates */
-        num = sk_X509_num(ctx->chain);
-        for (; num > ctx->num_untrusted; --num)
-            X509_free(sk_X509_pop(ctx->chain));
-
-        return X509_TRUST_TRUSTED;
-    }
-
-    return X509_TRUST_UNTRUSTED;
-}
-
-static void dane_reset(SSL_DANE *dane)
-{
-    /*
-     * Reset state to verify another chain, or clear after failure.
-     */
-    X509_free(dane->mcert);
-    dane->mcert = NULL;
-    dane->mtlsa = NULL;
-    dane->mdpth = -1;
-    dane->pdpth = -1;
-}
-
-static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert)
-{
-    int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags);
-
-    if (err == X509_V_OK)
-        return 1;
-    return verify_cb_cert(ctx, cert, 0, err);
-}
-
-static int dane_verify(X509_STORE_CTX *ctx)
-{
-    X509 *cert = ctx->cert;
-    SSL_DANE *dane = ctx->dane;
-    int matched;
-    int done;
-
-    dane_reset(dane);
-
-    /*-
-     * When testing the leaf certificate, if we match a DANE-EE(3) record,
-     * dane_match() returns 1 and we're done.  If however we match a PKIX-EE(1)
-     * record, the match depth and matching TLSA record are recorded, but the
-     * return value is 0, because we still need to find a PKIX trust-anchor.
-     * Therefore, when DANE authentication is enabled (required), we're done
-     * if:
-     *   + matched < 0, internal error.
-     *   + matched == 1, we matched a DANE-EE(3) record
-     *   + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
-     *     DANE-TA(2) or PKIX-TA(0) to test.
-     */
-    matched = dane_match(ctx, ctx->cert, 0);
-    done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
-
-    if (done)
-        X509_get_pubkey_parameters(NULL, ctx->chain);
-
-    if (matched > 0) {
-        /* Callback invoked as needed */
-        if (!check_leaf_suiteb(ctx, cert))
-            return 0;
-        /* Callback invoked as needed */
-        if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 &&
-            !check_id(ctx))
-            return 0;
-        /* Bypass internal_verify(), issue depth 0 success callback */
-        ctx->error_depth = 0;
-        ctx->current_cert = cert;
-        return ctx->verify_cb(1, ctx);
-    }
-
-    if (matched < 0) {
-        ctx->error_depth = 0;
-        ctx->current_cert = cert;
-        ctx->error = X509_V_ERR_OUT_OF_MEM;
-        return -1;
-    }
-
-    if (done) {
-        /* Fail early, TA-based success is not possible */
-        if (!check_leaf_suiteb(ctx, cert))
-            return 0;
-        return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH);
-    }
-
-    /*
-     * Chain verification for usages 0/1/2.  TLSA record matching of depth > 0
-     * certificates happens in-line with building the rest of the chain.
-     */
-    return verify_chain(ctx);
-}
-
-/* Get issuer, without duplicate suppression */
-static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
-{
-    STACK_OF(X509) *saved_chain = ctx->chain;
-    int ok;
-
-    ctx->chain = NULL;
-    ok = ctx->get_issuer(issuer, ctx, cert);
-    ctx->chain = saved_chain;
-
-    return ok;
-}
-
-static int build_chain(X509_STORE_CTX *ctx)
-{
-    SSL_DANE *dane = ctx->dane;
-    int num = sk_X509_num(ctx->chain);
-    X509 *cert = sk_X509_value(ctx->chain, num - 1);
-    int ss = cert_self_signed(cert);
-    STACK_OF(X509) *sktmp = NULL;
-    unsigned int search;
-    int may_trusted = 0;
-    int may_alternate = 0;
-    int trust = X509_TRUST_UNTRUSTED;
-    int alt_untrusted = 0;
-    int depth;
-    int ok = 0;
-    int i;
-
-    /* Our chain starts with a single untrusted element. */
-    OPENSSL_assert(num == 1 && ctx->num_untrusted == num);
-
-#define S_DOUNTRUSTED      (1 << 0)     /* Search untrusted chain */
-#define S_DOTRUSTED        (1 << 1)     /* Search trusted store */
-#define S_DOALTERNATE      (1 << 2)     /* Retry with pruned alternate chain */
-    /*
-     * Set up search policy, untrusted if possible, trusted-first if enabled.
-     * If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the
-     * trust_store, otherwise we might look there first.  If not trusted-first,
-     * and alternate chains are not disabled, try building an alternate chain
-     * if no luck with untrusted first.
-     */
-    search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;
-    if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) {
-        if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
-            search |= S_DOTRUSTED;
-        else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS))
-            may_alternate = 1;
-        may_trusted = 1;
-    }
-
-    /*
-     * Shallow-copy the stack of untrusted certificates (with TLS, this is
-     * typically the content of the peer's certificate message) so can make
-     * multiple passes over it, while free to remove elements as we go.
-     */
-    if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
-        X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-        ctx->error = X509_V_ERR_OUT_OF_MEM;
-        return 0;
-    }
-
-    /*
-     * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add
-     * them to our working copy of the untrusted certificate stack.  Since the
-     * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
-     * no corresponding stack of untrusted certificates, we may need to create
-     * an empty stack first.  [ At present only the ssl library provides DANE
-     * support, and ssl_verify_cert_chain() always provides a non-null stack
-     * containing at least the leaf certificate, but we must be prepared for
-     * this to change. ]
-     */
-    if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
-        if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) {
-            X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-            ctx->error = X509_V_ERR_OUT_OF_MEM;
-            return 0;
-        }
-        for (i = 0; i < sk_X509_num(dane->certs); ++i) {
-            if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) {
-                sk_X509_free(sktmp);
-                X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-                ctx->error = X509_V_ERR_OUT_OF_MEM;
-                return 0;
-            }
-        }
-    }
-
-    /*
-     * Still absurdly large, but arithmetically safe, a lower hard upper bound
-     * might be reasonable.
-     */
-    if (ctx->param->depth > INT_MAX/2)
-        ctx->param->depth = INT_MAX/2;
-
-    /*
-     * Try to Extend the chain until we reach an ultimately trusted issuer.
-     * Build chains up to one longer the limit, later fail if we hit the limit,
-     * with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code.
-     */
-    depth = ctx->param->depth + 1;
-
-    while (search != 0) {
-        X509 *x;
-        X509 *xtmp = NULL;
-
-        /*
-         * Look in the trust store if enabled for first lookup, or we've run
-         * out of untrusted issuers and search here is not disabled.  When we
-         * reach the depth limit, we stop extending the chain, if by that point
-         * we've not found a trust-anchor, any trusted chain would be too long.
-         *
-         * The error reported to the application verify callback is at the
-         * maximal valid depth with the current certificate equal to the last
-         * not ultimately-trusted issuer.  For example, with verify_depth = 0,
-         * the callback will report errors at depth=1 when the immediate issuer
-         * of the leaf certificate is not a trust anchor.  No attempt will be
-         * made to locate an issuer for that certificate, since such a chain
-         * would be a-priori too long.
-         */
-        if ((search & S_DOTRUSTED) != 0) {
-            i = num = sk_X509_num(ctx->chain);
-            if ((search & S_DOALTERNATE) != 0) {
-                /*
-                 * As high up the chain as we can, look for an alternative
-                 * trusted issuer of an untrusted certificate that currently
-                 * has an untrusted issuer.  We use the alt_untrusted variable
-                 * to track how far up the chain we find the first match.  It
-                 * is only if and when we find a match, that we prune the chain
-                 * and reset ctx->num_untrusted to the reduced count of
-                 * untrusted certificates.  While we're searching for such a
-                 * match (which may never be found), it is neither safe nor
-                 * wise to preemptively modify either the chain or
-                 * ctx->num_untrusted.
-                 *
-                 * Note, like ctx->num_untrusted, alt_untrusted is a count of
-                 * untrusted certificates, not a "depth".
-                 */
-                i = alt_untrusted;
-            }
-            x = sk_X509_value(ctx->chain, i-1);
-
-            ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x);
-
-            if (ok < 0) {
-                trust = X509_TRUST_REJECTED;
-                ctx->error = X509_V_ERR_STORE_LOOKUP;
-                search = 0;
-                continue;
-            }
-
-            if (ok > 0) {
-                /*
-                 * Alternative trusted issuer for a mid-chain untrusted cert?
-                 * Pop the untrusted cert's successors and retry.  We might now
-                 * be able to complete a valid chain via the trust store.  Note
-                 * that despite the current trust-store match we might still
-                 * fail complete the chain to a suitable trust-anchor, in which
-                 * case we may prune some more untrusted certificates and try
-                 * again.  Thus the S_DOALTERNATE bit may yet be turned on
-                 * again with an even shorter untrusted chain!
-                 *
-                 * If in the process we threw away our matching PKIX-TA trust
-                 * anchor, reset DANE trust.  We might find a suitable trusted
-                 * certificate among the ones from the trust store.
-                 */
-                if ((search & S_DOALTERNATE) != 0) {
-                    OPENSSL_assert(num > i && i > 0 && ss == 0);
-                    search &= ~S_DOALTERNATE;
-                    for (; num > i; --num)
-                        X509_free(sk_X509_pop(ctx->chain));
-                    ctx->num_untrusted = num;
-
-                    if (DANETLS_ENABLED(dane) &&
-                        dane->mdpth >= ctx->num_untrusted) {
-                        dane->mdpth = -1;
-                        X509_free(dane->mcert);
-                        dane->mcert = NULL;
-                    }
-                    if (DANETLS_ENABLED(dane) &&
-                        dane->pdpth >= ctx->num_untrusted)
-                        dane->pdpth = -1;
-                }
-
-                /*
-                 * Self-signed untrusted certificates get replaced by their
-                 * trusted matching issuer.  Otherwise, grow the chain.
-                 */
-                if (ss == 0) {
-                    if (!sk_X509_push(ctx->chain, x = xtmp)) {
-                        X509_free(xtmp);
-                        X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-                        trust = X509_TRUST_REJECTED;
-                        ctx->error = X509_V_ERR_OUT_OF_MEM;
-                        search = 0;
-                        continue;
-                    }
-                    ss = cert_self_signed(x);
-                } else if (num == ctx->num_untrusted) {
-                    /*
-                     * We have a self-signed certificate that has the same
-                     * subject name (and perhaps keyid and/or serial number) as
-                     * a trust-anchor.  We must have an exact match to avoid
-                     * possible impersonation via key substitution etc.
-                     */
-                    if (X509_cmp(x, xtmp) != 0) {
-                        /* Self-signed untrusted mimic. */
-                        X509_free(xtmp);
-                        ok = 0;
-                    } else {
-                        X509_free(x);
-                        ctx->num_untrusted = --num;
-                        (void) sk_X509_set(ctx->chain, num, x = xtmp);
-                    }
-                }
-
-                /*
-                 * We've added a new trusted certificate to the chain, recheck
-                 * trust.  If not done, and not self-signed look deeper.
-                 * Whether or not we're doing "trusted first", we no longer
-                 * look for untrusted certificates from the peer's chain.
-                 *
-                 * At this point ctx->num_trusted and num must reflect the
-                 * correct number of untrusted certificates, since the DANE
-                 * logic in check_trust() depends on distinguishing CAs from
-                 * "the wire" from CAs from the trust store.  In particular, the
-                 * certificate at depth "num" should be the new trusted
-                 * certificate with ctx->num_untrusted <= num.
-                 */
-                if (ok) {
-                    OPENSSL_assert(ctx->num_untrusted <= num);
-                    search &= ~S_DOUNTRUSTED;
-                    switch (trust = check_trust(ctx, num)) {
-                    case X509_TRUST_TRUSTED:
-                    case X509_TRUST_REJECTED:
-                        search = 0;
-                        continue;
-                    }
-                    if (ss == 0)
-                        continue;
-                }
-            }
-
-            /*
-             * No dispositive decision, and either self-signed or no match, if
-             * we were doing untrusted-first, and alt-chains are not disabled,
-             * do that, by repeatedly losing one untrusted element at a time,
-             * and trying to extend the shorted chain.
-             */
-            if ((search & S_DOUNTRUSTED) == 0) {
-                /* Continue search for a trusted issuer of a shorter chain? */
-                if ((search & S_DOALTERNATE) != 0 && --alt_untrusted > 0)
-                    continue;
-                /* Still no luck and no fallbacks left? */
-                if (!may_alternate || (search & S_DOALTERNATE) != 0 ||
-                    ctx->num_untrusted < 2)
-                    break;
-                /* Search for a trusted issuer of a shorter chain */
-                search |= S_DOALTERNATE;
-                alt_untrusted = ctx->num_untrusted - 1;
-                ss = 0;
-            }
-        }
-
-        /*
-         * Extend chain with peer-provided certificates
-         */
-        if ((search & S_DOUNTRUSTED) != 0) {
-            num = sk_X509_num(ctx->chain);
-            OPENSSL_assert(num == ctx->num_untrusted);
-            x = sk_X509_value(ctx->chain, num-1);
-
-            /*
-             * Once we run out of untrusted issuers, we stop looking for more
-             * and start looking only in the trust store if enabled.
-             */
-            xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x);
-            if (xtmp == NULL) {
-                search &= ~S_DOUNTRUSTED;
-                if (may_trusted)
-                    search |= S_DOTRUSTED;
-                continue;
-            }
-
-            /* Drop this issuer from future consideration */
-            (void) sk_X509_delete_ptr(sktmp, xtmp);
-
-            if (!sk_X509_push(ctx->chain, xtmp)) {
-                X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-                trust = X509_TRUST_REJECTED;
-                ctx->error = X509_V_ERR_OUT_OF_MEM;
-                search = 0;
-                continue;
-            }
-
-            X509_up_ref(x = xtmp);
-            ++ctx->num_untrusted;
-            ss = cert_self_signed(xtmp);
-
-            /*
-             * Check for DANE-TA trust of the topmost untrusted certificate.
-             */
-            switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) {
-            case X509_TRUST_TRUSTED:
-            case X509_TRUST_REJECTED:
-                search = 0;
-                continue;
-            }
-        }
-    }
-    sk_X509_free(sktmp);
-
-    /*
-     * Last chance to make a trusted chain, either bare DANE-TA public-key
-     * signers, or else direct leaf PKIX trust.
-     */
-    num = sk_X509_num(ctx->chain);
-    if (num <= depth) {
-        if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))
-            trust = check_dane_pkeys(ctx);
-        if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)
-            trust = check_trust(ctx, num);
-    }
-
-    switch (trust) {
-    case X509_TRUST_TRUSTED:
-        return 1;
-    case X509_TRUST_REJECTED:
-        /* Callback already issued */
-        return 0;
-    case X509_TRUST_UNTRUSTED:
-    default:
-        num = sk_X509_num(ctx->chain);
-        if (num > depth)
-            return verify_cb_cert(ctx, NULL, num-1,
-                                  X509_V_ERR_CERT_CHAIN_TOO_LONG);
-        if (DANETLS_ENABLED(dane) &&
-            (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))
-            return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH);
-        if (ss && sk_X509_num(ctx->chain) == 1)
-            return verify_cb_cert(ctx, NULL, num-1,
-                                  X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
-        if (ss)
-            return verify_cb_cert(ctx, NULL, num-1,
-                                  X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
-        if (ctx->num_untrusted < num)
-            return verify_cb_cert(ctx, NULL, num-1,
-                                  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT);
-        return verify_cb_cert(ctx, NULL, num-1,
-                              X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
-    }
-}
-
-static const int minbits_table[] = { 80, 112, 128, 192, 256 };
-static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
-
-/*
- * Check whether the public key of ``cert`` meets the security level of
- * ``ctx``.
- *
- * Returns 1 on success, 0 otherwise.
- */
-static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
-{
-    EVP_PKEY *pkey = X509_get0_pubkey(cert);
-    int level = ctx->param->auth_level;
-
-    /* Unsupported or malformed keys are not secure */
-    if (pkey == NULL)
-        return 0;
-
-    if (level <= 0)
-        return 1;
-    if (level > NUM_AUTH_LEVELS)
-        level = NUM_AUTH_LEVELS;
-
-    return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];
-}
-
-/*
- * Check whether the signature digest algorithm of ``cert`` meets the security
- * level of ``ctx``.  Should not be checked for trust anchors (whether
- * self-signed or otherwise).
- *
- * Returns 1 on success, 0 otherwise.
- */
-static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
-{
-    int nid = X509_get_signature_nid(cert);
-    int mdnid = NID_undef;
-    int secbits = -1;
-    int level = ctx->param->auth_level;
-
-    if (level <= 0)
-        return 1;
-    if (level > NUM_AUTH_LEVELS)
-        level = NUM_AUTH_LEVELS;
-
-    /* Lookup signature algorithm digest */
-    if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) {
-        const EVP_MD *md;
-
-        /* Assume 4 bits of collision resistance for each hash octet */
-        if (mdnid != NID_undef && (md = EVP_get_digestbynid(mdnid)) != NULL)
-            secbits = EVP_MD_size(md) * 4;
-    }
-
-    return secbits >= minbits_table[level - 1];
-}
+IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c
index b5067220..1ac15a88 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c
@@ -1,23 +1,72 @@
+/* x509_vpm.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
 
-#include "x509_lcl.h"
+#include "vpm_int.h"
 
 /* X509_VERIFY_PARAM functions */
 
@@ -34,7 +83,9 @@ static void str_free(char *s)
     OPENSSL_free(s);
 }
 
-static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
+#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free)
+
+static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
                                     const char *name, size_t namelen)
 {
     char *copy;
@@ -50,28 +101,28 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
     if (namelen > 0 && name[namelen - 1] == '\0')
         --namelen;
 
-    if (mode == SET_HOST) {
-        sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
-        vpm->hosts = NULL;
+    if (mode == SET_HOST && id->hosts) {
+        string_stack_free(id->hosts);
+        id->hosts = NULL;
     }
     if (name == NULL || namelen == 0)
         return 1;
 
-    copy = OPENSSL_strndup(name, namelen);
+    copy = BUF_strndup(name, namelen);
     if (copy == NULL)
         return 0;
 
-    if (vpm->hosts == NULL &&
-        (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
+    if (id->hosts == NULL &&
+        (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
         OPENSSL_free(copy);
         return 0;
     }
 
-    if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
+    if (!sk_OPENSSL_STRING_push(id->hosts, copy)) {
         OPENSSL_free(copy);
-        if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
-            sk_OPENSSL_STRING_free(vpm->hosts);
-            vpm->hosts = NULL;
+        if (sk_OPENSSL_STRING_num(id->hosts) == 0) {
+            sk_OPENSSL_STRING_free(id->hosts);
+            id->hosts = NULL;
         }
         return 0;
     }
@@ -81,48 +132,75 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
 
 static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
 {
+    X509_VERIFY_PARAM_ID *paramid;
     if (!param)
         return;
     param->name = NULL;
     param->purpose = 0;
-    param->trust = X509_TRUST_DEFAULT;
+    param->trust = 0;
     /*
      * param->inh_flags = X509_VP_FLAG_DEFAULT;
      */
     param->inh_flags = 0;
     param->flags = 0;
     param->depth = -1;
-    param->auth_level = -1; /* -1 means unset, 0 is explicit */
-    sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
-    param->policies = NULL;
-    sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
-    param->hosts = NULL;
-    OPENSSL_free(param->peername);
-    param->peername = NULL;
-    OPENSSL_free(param->email);
-    param->email = NULL;
-    param->emaillen = 0;
-    OPENSSL_free(param->ip);
-    param->ip = NULL;
-    param->iplen = 0;
+    if (param->policies) {
+        sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
+        param->policies = NULL;
+    }
+    paramid = param->id;
+    if (paramid->hosts) {
+        string_stack_free(paramid->hosts);
+        paramid->hosts = NULL;
+    }
+    if (paramid->peername)
+        OPENSSL_free(paramid->peername);
+    paramid->peername = NULL;
+    if (paramid->email) {
+        OPENSSL_free(paramid->email);
+        paramid->email = NULL;
+        paramid->emaillen = 0;
+    }
+    if (paramid->ip) {
+        OPENSSL_free(paramid->ip);
+        paramid->ip = NULL;
+        paramid->iplen = 0;
+    }
 }
 
 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 {
     X509_VERIFY_PARAM *param;
+    X509_VERIFY_PARAM_ID *paramid;
 
-    param = OPENSSL_zalloc(sizeof(*param));
-    if (param == NULL)
+    param = OPENSSL_malloc(sizeof *param);
+    if (!param)
         return NULL;
+    memset(param, 0, sizeof(*param));
+
+    paramid = OPENSSL_malloc(sizeof(*paramid));
+    if (!paramid) {
+        OPENSSL_free(param);
+        return NULL;
+    }
+    memset(paramid, 0, sizeof(*paramid));
+    /* Exotic platforms may have non-zero bit representation of NULL */
+    paramid->hosts = NULL;
+    paramid->peername = NULL;
+    paramid->email = NULL;
+    paramid->ip = NULL;
+
+    param->id = paramid;
     x509_verify_param_zero(param);
     return param;
 }
 
 void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
 {
-    if (!param)
+    if (param == NULL)
         return;
     x509_verify_param_zero(param);
+    OPENSSL_free(param->id);
     OPENSSL_free(param);
 }
 
@@ -164,6 +242,11 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
         (to_overwrite || \
                 ((src->field != def) && (to_default || (dest->field == def))))
 
+/* As above but for ID fields */
+
+#define test_x509_verify_param_copy_id(idf, def) \
+        test_x509_verify_param_copy(id->idf, def)
+
 /* Macro to test and copy a field if necessary */
 
 #define x509_verify_param_copy(field, def) \
@@ -175,8 +258,10 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 {
     unsigned long inh_flags;
     int to_default, to_overwrite;
+    X509_VERIFY_PARAM_ID *id;
     if (!src)
         return 1;
+    id = src->id;
     inh_flags = dest->inh_flags | src->inh_flags;
 
     if (inh_flags & X509_VP_FLAG_ONCE)
@@ -196,9 +281,8 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
         to_overwrite = 0;
 
     x509_verify_param_copy(purpose, 0);
-    x509_verify_param_copy(trust, X509_TRUST_DEFAULT);
+    x509_verify_param_copy(trust, 0);
     x509_verify_param_copy(depth, -1);
-    x509_verify_param_copy(auth_level, -1);
 
     /* If overwrite or check time not set, copy across */
 
@@ -219,25 +303,27 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
     }
 
     /* Copy the host flags if and only if we're copying the host list */
-    if (test_x509_verify_param_copy(hosts, NULL)) {
-        sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);
-        dest->hosts = NULL;
-        if (src->hosts) {
-            dest->hosts =
-                sk_OPENSSL_STRING_deep_copy(src->hosts, str_copy, str_free);
-            if (dest->hosts == NULL)
+    if (test_x509_verify_param_copy_id(hosts, NULL)) {
+        if (dest->id->hosts) {
+            string_stack_free(dest->id->hosts);
+            dest->id->hosts = NULL;
+        }
+        if (id->hosts) {
+            dest->id->hosts =
+                sk_OPENSSL_STRING_deep_copy(id->hosts, str_copy, str_free);
+            if (dest->id->hosts == NULL)
                 return 0;
-            dest->hostflags = src->hostflags;
+            dest->id->hostflags = id->hostflags;
         }
     }
 
-    if (test_x509_verify_param_copy(email, NULL)) {
-        if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen))
+    if (test_x509_verify_param_copy_id(email, NULL)) {
+        if (!X509_VERIFY_PARAM_set1_email(dest, id->email, id->emaillen))
             return 0;
     }
 
-    if (test_x509_verify_param_copy(ip, NULL)) {
-        if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen))
+    if (test_x509_verify_param_copy_id(ip, NULL)) {
+        if (!X509_VERIFY_PARAM_set1_ip(dest, id->ip, id->iplen))
             return 0;
     }
 
@@ -260,27 +346,30 @@ static int int_x509_param_set1(char **pdest, size_t *pdestlen,
 {
     void *tmp;
     if (src) {
-        if (srclen == 0)
+        if (srclen == 0) {
+            tmp = BUF_strdup(src);
             srclen = strlen(src);
-
-        tmp = OPENSSL_memdup(src, srclen);
-        if (tmp == NULL)
+        } else
+            tmp = BUF_memdup(src, srclen);
+        if (!tmp)
             return 0;
     } else {
         tmp = NULL;
         srclen = 0;
     }
-    OPENSSL_free(*pdest);
+    if (*pdest)
+        OPENSSL_free(*pdest);
     *pdest = tmp;
-    if (pdestlen != NULL)
+    if (pdestlen)
         *pdestlen = srclen;
     return 1;
 }
 
 int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
 {
-    OPENSSL_free(param->name);
-    param->name = OPENSSL_strdup(name);
+    if (param->name)
+        OPENSSL_free(param->name);
+    param->name = BUF_strdup(name);
     if (param->name)
         return 1;
     return 0;
@@ -306,17 +395,6 @@ unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param)
     return param->flags;
 }
 
-uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param)
-{
-    return param->inh_flags;
-}
-
-int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags)
-{
-    param->inh_flags = flags;
-    return 1;
-}
-
 int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose)
 {
     return X509_PURPOSE_set(&param->purpose, purpose);
@@ -332,16 +410,6 @@ void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth)
     param->depth = depth;
 }
 
-void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level)
-{
-    param->auth_level = auth_level;
-}
-
-time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param)
-{
-    return param->check_time;
-}
-
 void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t)
 {
     param->check_time = t;
@@ -366,10 +434,10 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 {
     int i;
     ASN1_OBJECT *oid, *doid;
-
     if (!param)
         return 0;
-    sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
+    if (param->policies)
+        sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
 
     if (!policies) {
         param->policies = NULL;
@@ -397,48 +465,30 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
                                 const char *name, size_t namelen)
 {
-    return int_x509_param_set_hosts(param, SET_HOST, name, namelen);
+    return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen);
 }
 
 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
                                 const char *name, size_t namelen)
 {
-    return int_x509_param_set_hosts(param, ADD_HOST, name, namelen);
+    return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen);
 }
 
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
                                      unsigned int flags)
 {
-    param->hostflags = flags;
+    param->id->hostflags = flags;
 }
 
 char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
 {
-    return param->peername;
-}
-
-/*
- * Move peername from one param structure to another, freeing any name present
- * at the target.  If the source is a NULL parameter structure, free and zero
- * the target peername.
- */
-void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *to,
-                                     X509_VERIFY_PARAM *from)
-{
-    char *peername = (from != NULL) ? from->peername : NULL;
-
-    if (to->peername != peername) {
-        OPENSSL_free(to->peername);
-        to->peername = peername;
-    }
-    if (from)
-        from->peername = NULL;
+    return param->id->peername;
 }
 
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
                                  const char *email, size_t emaillen)
 {
-    return int_x509_param_set1(&param->email, &param->emaillen,
+    return int_x509_param_set1(&param->id->email, &param->id->emaillen,
                                email, emaillen);
 }
 
@@ -447,7 +497,7 @@ int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
 {
     if (iplen != 0 && iplen != 4 && iplen != 16)
         return 0;
-    return int_x509_param_set1((char **)&param->ip, &param->iplen,
+    return int_x509_param_set1((char **)&param->id->ip, &param->id->iplen,
                                (char *)ip, iplen);
 }
 
@@ -467,17 +517,14 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
     return param->depth;
 }
 
-int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param)
-{
-    return param->auth_level;
-}
-
 const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
 {
     return param->name;
 }
 
-#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0
+static X509_VERIFY_PARAM_ID _empty_id = { NULL, 0U, NULL, NULL, 0, NULL, 0 };
+
+#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
 
 /*
  * Default verify parameters: these are used for various applications and can
@@ -490,11 +537,10 @@ static const X509_VERIFY_PARAM default_table[] = {
      "default",                 /* X509 default parameters */
      0,                         /* Check time */
      0,                         /* internal flags */
-     X509_V_FLAG_TRUSTED_FIRST, /* flags */
+     0,                         /* flags */
      0,                         /* purpose */
      0,                         /* trust */
      100,                       /* depth */
-     -1,                        /* auth_level */
      NULL,                      /* policies */
      vpm_empty_id},
     {
@@ -505,7 +551,6 @@ static const X509_VERIFY_PARAM default_table[] = {
      X509_PURPOSE_SMIME_SIGN,   /* purpose */
      X509_TRUST_EMAIL,          /* trust */
      -1,                        /* depth */
-     -1,                        /* auth_level */
      NULL,                      /* policies */
      vpm_empty_id},
     {
@@ -516,7 +561,6 @@ static const X509_VERIFY_PARAM default_table[] = {
      X509_PURPOSE_SMIME_SIGN,   /* purpose */
      X509_TRUST_EMAIL,          /* trust */
      -1,                        /* depth */
-     -1,                        /* auth_level */
      NULL,                      /* policies */
      vpm_empty_id},
     {
@@ -527,7 +571,6 @@ static const X509_VERIFY_PARAM default_table[] = {
      X509_PURPOSE_SSL_CLIENT,   /* purpose */
      X509_TRUST_SSL_CLIENT,     /* trust */
      -1,                        /* depth */
-     -1,                        /* auth_level */
      NULL,                      /* policies */
      vpm_empty_id},
     {
@@ -538,7 +581,6 @@ static const X509_VERIFY_PARAM default_table[] = {
      X509_PURPOSE_SSL_SERVER,   /* purpose */
      X509_TRUST_SSL_SERVER,     /* trust */
      -1,                        /* depth */
-     -1,                        /* auth_level */
      NULL,                      /* policies */
      vpm_empty_id}
 };
@@ -563,9 +605,9 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
 {
     int idx;
     X509_VERIFY_PARAM *ptmp;
-    if (param_table == NULL) {
+    if (!param_table) {
         param_table = sk_X509_VERIFY_PARAM_new(param_cmp);
-        if (param_table == NULL)
+        if (!param_table)
             return 0;
     } else {
         idx = sk_X509_VERIFY_PARAM_find(param_table, param);
@@ -582,7 +624,7 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
 
 int X509_VERIFY_PARAM_get_count(void)
 {
-    int num = OSSL_NELEM(default_table);
+    int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
     if (param_table)
         num += sk_X509_VERIFY_PARAM_num(param_table);
     return num;
@@ -590,7 +632,7 @@ int X509_VERIFY_PARAM_get_count(void)
 
 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
 {
-    int num = OSSL_NELEM(default_table);
+    int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
     if (id < num)
         return default_table + id;
     return sk_X509_VERIFY_PARAM_value(param_table, id - num);
@@ -607,11 +649,14 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
         if (idx != -1)
             return sk_X509_VERIFY_PARAM_value(param_table, idx);
     }
-    return OBJ_bsearch_table(&pm, default_table, OSSL_NELEM(default_table));
+    return OBJ_bsearch_table(&pm, default_table,
+                             sizeof(default_table) /
+                             sizeof(X509_VERIFY_PARAM));
 }
 
 void X509_VERIFY_PARAM_table_cleanup(void)
 {
-    sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
+    if (param_table)
+        sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free);
     param_table = NULL;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509cset.c b/Cryptlib/OpenSSL/crypto/x509/x509cset.c
index 20578596..24ca35b5 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509cset.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509cset.c
@@ -1,50 +1,119 @@
+/* crypto/x509/x509cset.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 
 int X509_CRL_set_version(X509_CRL *x, long version)
 {
     if (x == NULL)
         return (0);
-    if (x->crl.version == NULL) {
-        if ((x->crl.version = ASN1_INTEGER_new()) == NULL)
+    if (x->crl->version == NULL) {
+        if ((x->crl->version = M_ASN1_INTEGER_new()) == NULL)
             return (0);
     }
-    return (ASN1_INTEGER_set(x->crl.version, version));
+    return (ASN1_INTEGER_set(x->crl->version, version));
 }
 
 int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
 {
-    if (x == NULL)
+    if ((x == NULL) || (x->crl == NULL))
         return (0);
-    return (X509_NAME_set(&x->crl.issuer, name));
+    return (X509_NAME_set(&x->crl->issuer, name));
 }
 
-int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
+int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
 {
+    ASN1_TIME *in;
+
     if (x == NULL)
-        return 0;
-    return x509_set1_time(&x->crl.lastUpdate, tm);
+        return (0);
+    in = x->crl->lastUpdate;
+    if (in != tm) {
+        in = M_ASN1_TIME_dup(tm);
+        if (in != NULL) {
+            M_ASN1_TIME_free(x->crl->lastUpdate);
+            x->crl->lastUpdate = in;
+        }
+    }
+    return (in != NULL);
 }
 
-int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
+int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
 {
+    ASN1_TIME *in;
+
     if (x == NULL)
-        return 0;
-    return x509_set1_time(&x->crl.nextUpdate, tm);
+        return (0);
+    in = x->crl->nextUpdate;
+    if (in != tm) {
+        in = M_ASN1_TIME_dup(tm);
+        if (in != NULL) {
+            M_ASN1_TIME_free(x->crl->nextUpdate);
+            x->crl->nextUpdate = in;
+        }
+    }
+    return (in != NULL);
 }
 
 int X509_CRL_sort(X509_CRL *c)
@@ -54,88 +123,15 @@ int X509_CRL_sort(X509_CRL *c)
     /*
      * sort the data so it will be written in serial number order
      */
-    sk_X509_REVOKED_sort(c->crl.revoked);
-    for (i = 0; i < sk_X509_REVOKED_num(c->crl.revoked); i++) {
-        r = sk_X509_REVOKED_value(c->crl.revoked, i);
+    sk_X509_REVOKED_sort(c->crl->revoked);
+    for (i = 0; i < sk_X509_REVOKED_num(c->crl->revoked); i++) {
+        r = sk_X509_REVOKED_value(c->crl->revoked, i);
         r->sequence = i;
     }
-    c->crl.enc.modified = 1;
+    c->crl->enc.modified = 1;
     return 1;
 }
 
-int X509_CRL_up_ref(X509_CRL *crl)
-{
-    int i;
-
-    if (CRYPTO_atomic_add(&crl->references, 1, &i, crl->lock) <= 0)
-        return 0;
-
-    REF_PRINT_COUNT("X509_CRL", crl);
-    REF_ASSERT_ISNT(i < 2);
-    return ((i > 1) ? 1 : 0);
-}
-
-long X509_CRL_get_version(const X509_CRL *crl)
-{
-    return ASN1_INTEGER_get(crl->crl.version);
-}
-
-const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl)
-{
-    return crl->crl.lastUpdate;
-}
-
-const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl)
-{
-    return crl->crl.nextUpdate;
-}
-
-#if OPENSSL_API_COMPAT < 0x10100000L
-ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl)
-{
-    return crl->crl.lastUpdate;
-}
-
-ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl)
-{
-    return crl->crl.nextUpdate;
-}
-#endif
-
-X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl)
-{
-    return crl->crl.issuer;
-}
-
-const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl)
-{
-    return crl->crl.extensions;
-}
-
-STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl)
-{
-    return crl->crl.revoked;
-}
-
-void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
-                             const X509_ALGOR **palg)
-{
-    if (psig != NULL)
-        *psig = &crl->signature;
-    if (palg != NULL)
-        *palg = &crl->sig_alg;
-}
-
-int X509_CRL_get_signature_nid(const X509_CRL *crl)
-{
-    return OBJ_obj2nid(crl->sig_alg.algorithm);
-}
-
-const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x)
-{
-    return x->revocationDate;
-}
-
 int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
 {
     ASN1_TIME *in;
@@ -144,39 +140,28 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
         return (0);
     in = x->revocationDate;
     if (in != tm) {
-        in = ASN1_STRING_dup(tm);
+        in = M_ASN1_TIME_dup(tm);
         if (in != NULL) {
-            ASN1_TIME_free(x->revocationDate);
+            M_ASN1_TIME_free(x->revocationDate);
             x->revocationDate = in;
         }
     }
     return (in != NULL);
 }
 
-const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x)
-{
-    return &x->serialNumber;
-}
-
 int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
 {
     ASN1_INTEGER *in;
 
     if (x == NULL)
         return (0);
-    in = &x->serialNumber;
-    if (in != serial)
-        return ASN1_STRING_copy(in, serial);
-    return 1;
-}
-
-const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r)
-{
-    return r->extensions;
-}
-
-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp)
-{
-    crl->crl.enc.modified = 1;
-    return i2d_X509_CRL_INFO(&crl->crl, pp);
+    in = x->serialNumber;
+    if (in != serial) {
+        in = M_ASN1_INTEGER_dup(serial);
+        if (in != NULL) {
+            M_ASN1_INTEGER_free(x->serialNumber);
+            x->serialNumber = in;
+        }
+    }
+    return (in != NULL);
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509name.c b/Cryptlib/OpenSSL/crypto/x509/x509name.c
index 919d8c1e..6ea601f9 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509name.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509name.c
@@ -1,20 +1,68 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509name.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <openssl/stack.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 
 int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
 {
@@ -26,11 +74,11 @@ int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
     return (X509_NAME_get_text_by_OBJ(name, obj, buf, len));
 }
 
-int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf,
+int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,
                               int len)
 {
     int i;
-    const ASN1_STRING *data;
+    ASN1_STRING *data;
 
     i = X509_NAME_get_index_by_OBJ(name, obj, -1);
     if (i < 0)
@@ -44,7 +92,7 @@ int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf
     return (i);
 }
 
-int X509_NAME_entry_count(const X509_NAME *name)
+int X509_NAME_entry_count(X509_NAME *name)
 {
     if (name == NULL)
         return (0);
@@ -61,8 +109,8 @@ int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
     return (X509_NAME_get_index_by_OBJ(name, obj, lastpos));
 }
 
-/* NOTE: you should be passing -1, not 0 as lastpos */
-int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int lastpos)
+/* NOTE: you should be passsing -1, not 0 as lastpos */
+int X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int lastpos)
 {
     int n;
     X509_NAME_ENTRY *ne;
@@ -82,7 +130,7 @@ int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int last
     return (-1);
 }
 
-X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc)
+X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc)
 {
     if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc
         || loc < 0)
@@ -130,8 +178,8 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
     return (ret);
 }
 
-int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type,
-                               const unsigned char *bytes, int len, int loc,
+int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
+                               unsigned char *bytes, int len, int loc,
                                int set)
 {
     X509_NAME_ENTRY *ne;
@@ -145,7 +193,7 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type
 }
 
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
-                               const unsigned char *bytes, int len, int loc,
+                               unsigned char *bytes, int len, int loc,
                                int set)
 {
     X509_NAME_ENTRY *ne;
@@ -176,7 +224,7 @@ int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
  * if set is -1, append to previous set, 0 'a new one', and 1, prepend to the
  * guy we are about to stomp on.
  */
-int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc,
+int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
                         int set)
 {
     X509_NAME_ENTRY *new_name = NULL;
@@ -214,11 +262,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc,
         inc = (set == 0) ? 1 : 0;
     }
 
-    /*
-     * X509_NAME_ENTRY_dup is ASN1 generated code, that can't be easily
-     * const'ified; harmless cast as dup() don't modify its input.
-     */
-    if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL)
+    if ((new_name = X509_NAME_ENTRY_dup(ne)) == NULL)
         goto err;
     new_name->set = set;
     if (!sk_X509_NAME_ENTRY_insert(sk, new_name, loc)) {
@@ -232,7 +276,8 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc,
     }
     return (1);
  err:
-    X509_NAME_ENTRY_free(new_name);
+    if (new_name != NULL)
+        X509_NAME_ENTRY_free(new_name);
     return (0);
 }
 
@@ -257,8 +302,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
 }
 
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
-                                               int type,
-                                               const unsigned char *bytes,
+                                               int type, unsigned char *bytes,
                                                int len)
 {
     ASN1_OBJECT *obj;
@@ -275,7 +319,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 }
 
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-                                               const ASN1_OBJECT *obj, int type,
+                                               ASN1_OBJECT *obj, int type,
                                                const unsigned char *bytes,
                                                int len)
 {
@@ -301,7 +345,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
     return (NULL);
 }
 
-int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj)
+int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj)
 {
     if ((ne == NULL) || (obj == NULL)) {
         X509err(X509_F_X509_NAME_ENTRY_SET_OBJECT,
@@ -338,21 +382,16 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
     return (1);
 }
 
-ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne)
+ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
 {
     if (ne == NULL)
         return (NULL);
     return (ne->object);
 }
 
-ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne)
+ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
 {
     if (ne == NULL)
         return (NULL);
     return (ne->value);
 }
-
-int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
-{
-    return ne->set;
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509rset.c b/Cryptlib/OpenSSL/crypto/x509/x509rset.c
index 6dee297a..80e273e6 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509rset.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509rset.c
@@ -1,40 +1,85 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509rset.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 
 int X509_REQ_set_version(X509_REQ *x, long version)
 {
     if (x == NULL)
         return (0);
-    x->req_info.enc.modified = 1;
-    return (ASN1_INTEGER_set(x->req_info.version, version));
+    return (ASN1_INTEGER_set(x->req_info->version, version));
 }
 
 int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
 {
-    if (x == NULL)
+    if ((x == NULL) || (x->req_info == NULL))
         return (0);
-    x->req_info.enc.modified = 1;
-    return (X509_NAME_set(&x->req_info.subject, name));
+    return (X509_NAME_set(&x->req_info->subject, name));
 }
 
 int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
 {
-    if (x == NULL)
+    if ((x == NULL) || (x->req_info == NULL))
         return (0);
-    x->req_info.enc.modified = 1;
-    return (X509_PUBKEY_set(&x->req_info.pubkey, pkey));
+    return (X509_PUBKEY_set(&x->req_info->pubkey, pkey));
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509spki.c b/Cryptlib/OpenSSL/crypto/x509/x509spki.c
index b142485d..5ae5d30a 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509spki.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509spki.c
@@ -1,14 +1,64 @@
+/* x509spki.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 
 int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
@@ -35,7 +85,7 @@ NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, int len)
     NETSCAPE_SPKI *spki;
     if (len <= 0)
         len = strlen(str);
-    if ((spki_der = OPENSSL_malloc(len + 1)) == NULL) {
+    if (!(spki_der = OPENSSL_malloc(len + 1))) {
         X509err(X509_F_NETSCAPE_SPKI_B64_DECODE, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -61,10 +111,10 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
     der_len = i2d_NETSCAPE_SPKI(spki, NULL);
     der_spki = OPENSSL_malloc(der_len);
     b64_str = OPENSSL_malloc(der_len * 2);
-    if (der_spki == NULL || b64_str == NULL) {
-        X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
+    if (!der_spki || !b64_str) {
         OPENSSL_free(der_spki);
         OPENSSL_free(b64_str);
+        X509err(X509_F_NETSCAPE_SPKI_B64_ENCODE, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     p = der_spki;
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509type.c b/Cryptlib/OpenSSL/crypto/x509/x509type.c
index aca83552..9219f753 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509type.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509type.c
@@ -1,35 +1,84 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x509type.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
+int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
 {
-    const EVP_PKEY *pk;
+    EVP_PKEY *pk;
     int ret = 0, i;
 
     if (x == NULL)
         return (0);
 
     if (pkey == NULL)
-        pk = X509_get0_pubkey(x);
+        pk = X509_get_pubkey(x);
     else
         pk = pkey;
 
     if (pk == NULL)
         return (0);
 
-    switch (EVP_PKEY_id(pk)) {
+    switch (pk->type) {
     case EVP_PKEY_RSA:
         ret = EVP_PK_RSA | EVP_PKT_SIGN;
 /*              if (!sign only extension) */
@@ -44,16 +93,15 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
     case EVP_PKEY_DH:
         ret = EVP_PK_DH | EVP_PKT_EXCH;
         break;
+    case NID_id_GostR3410_94:
     case NID_id_GostR3410_2001:
-    case NID_id_GostR3410_2012_256:
-    case NID_id_GostR3410_2012_512:
         ret = EVP_PKT_EXCH | EVP_PKT_SIGN;
         break;
     default:
         break;
     }
 
-    i = X509_get_signature_nid(x);
+    i = OBJ_obj2nid(x->sig_alg->algorithm);
     if (i && OBJ_find_sigid_algs(i, NULL, &i)) {
 
         switch (i) {
@@ -73,5 +121,7 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
         }
     }
 
+    if (pkey == NULL)
+        EVP_PKEY_free(pk);
     return (ret);
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_all.c b/Cryptlib/OpenSSL/crypto/x509/x_all.c
index 124dd2d2..0f26c546 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x_all.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x_all.c
@@ -1,113 +1,159 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509/x_all.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #include <stdio.h>
 #include <openssl/stack.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/ocsp.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_RSA
+# include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
 
 int X509_verify(X509 *a, EVP_PKEY *r)
 {
-    if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature))
+    if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
         return 0;
-    return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
-                             &a->signature, &a->cert_info, r));
+    return (ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), a->sig_alg,
+                             a->signature, a->cert_info, r));
 }
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
 {
     return (ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
-                             &a->sig_alg, a->signature, &a->req_info, r));
+                             a->sig_alg, a->signature, a->req_info, r));
 }
 
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 {
     return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
-                             &a->sig_algor, a->signature, a->spkac, r));
+                             a->sig_algor, a->signature, a->spkac, r));
 }
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    x->cert_info.enc.modified = 1;
-    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature,
-                           &x->sig_alg, &x->signature, &x->cert_info, pkey,
-                           md));
+    x->cert_info->enc.modified = 1;
+    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
+                           x->sig_alg, x->signature, x->cert_info, pkey, md));
 }
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
 {
-    x->cert_info.enc.modified = 1;
+    x->cert_info->enc.modified = 1;
     return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
-                              &x->cert_info.signature,
-                              &x->sig_alg, &x->signature, &x->cert_info, ctx);
+                              x->cert_info->signature,
+                              x->sig_alg, x->signature, x->cert_info, ctx);
 }
 
-#ifndef OPENSSL_NO_OCSP
 int X509_http_nbio(OCSP_REQ_CTX *rctx, X509 **pcert)
 {
     return OCSP_REQ_CTX_nbio_d2i(rctx,
                                  (ASN1_VALUE **)pcert, ASN1_ITEM_rptr(X509));
 }
-#endif
 
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL,
-                           x->signature, &x->req_info, pkey, md));
+    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), x->sig_alg, NULL,
+                           x->signature, x->req_info, pkey, md));
 }
 
 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
 {
     return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
-                              &x->sig_alg, NULL, x->signature, &x->req_info,
+                              x->sig_alg, NULL, x->signature, x->req_info,
                               ctx);
 }
 
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    x->crl.enc.modified = 1;
-    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg,
-                           &x->sig_alg, &x->signature, &x->crl, pkey, md));
+    x->crl->enc.modified = 1;
+    return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), x->crl->sig_alg,
+                           x->sig_alg, x->signature, x->crl, pkey, md));
 }
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
 {
-    x->crl.enc.modified = 1;
+    x->crl->enc.modified = 1;
     return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
-                              &x->crl.sig_alg, &x->sig_alg, &x->signature,
-                              &x->crl, ctx);
+                              x->crl->sig_alg, x->sig_alg, x->signature,
+                              x->crl, ctx);
 }
 
-#ifndef OPENSSL_NO_OCSP
 int X509_CRL_http_nbio(OCSP_REQ_CTX *rctx, X509_CRL **pcrl)
 {
     return OCSP_REQ_CTX_nbio_d2i(rctx,
                                  (ASN1_VALUE **)pcrl,
                                  ASN1_ITEM_rptr(X509_CRL));
 }
-#endif
 
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
 {
-    return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL,
+    return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor, NULL,
                            x->signature, x->spkac, pkey, md));
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 X509 *d2i_X509_fp(FILE *fp, X509 **x509)
 {
     return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
@@ -129,7 +175,7 @@ int i2d_X509_bio(BIO *bp, X509 *x509)
     return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
 {
     return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
@@ -151,7 +197,7 @@ int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
     return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
 {
     return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
@@ -173,7 +219,7 @@ int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
     return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
 {
     return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
@@ -197,7 +243,7 @@ int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
 
 #ifndef OPENSSL_NO_RSA
 
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
 {
     return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
@@ -263,7 +309,7 @@ int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
 #endif
 
 #ifndef OPENSSL_NO_DSA
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
 {
     return ASN1_d2i_fp_of(DSA, DSA_new, d2i_DSAPrivateKey, fp, dsa);
@@ -308,7 +354,7 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
 #endif
 
 #ifndef OPENSSL_NO_EC
-# ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_FP_API
 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey)
 {
     return ASN1_d2i_fp_of(EC_KEY, EC_KEY_new, d2i_EC_PUBKEY, fp, eckey);
@@ -363,13 +409,6 @@ int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
 int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
                 unsigned int *len)
 {
-    if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0) {
-        /* Asking for SHA1 and we already computed it. */
-        if (len != NULL)
-            *len = sizeof(data->sha1_hash);
-        memcpy(md, data->sha1_hash, sizeof(data->sha1_hash));
-        return 1;
-    }
     return (ASN1_item_digest
             (ASN1_ITEM_rptr(X509), type, (char *)data, md, len));
 }
@@ -377,13 +416,6 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
                     unsigned char *md, unsigned int *len)
 {
-    if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
-        /* Asking for SHA1; always computed in CRL d2i. */
-        if (len != NULL)
-            *len = sizeof(data->sha1_hash);
-        memcpy(md, data->sha1_hash, sizeof(data->sha1_hash));
-        return 1;
-    }
     return (ASN1_item_digest
             (ASN1_ITEM_rptr(X509_CRL), type, (char *)data, md, len));
 }
@@ -410,7 +442,7 @@ int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,
                              (char *)data, md, len));
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
 {
     return ASN1_d2i_fp_of(X509_SIG, X509_SIG_new, d2i_X509_SIG, fp, p8);
@@ -432,7 +464,7 @@ int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
     return ASN1_i2d_bio_of(X509_SIG, i2d_X509_SIG, bp, p8);
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
                                                 PKCS8_PRIV_KEY_INFO **p8inf)
 {
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_attrib.c b/Cryptlib/OpenSSL/crypto/x509/x_attrib.c
deleted file mode 100644
index 35f4aeef..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/x_attrib.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/objects.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include "x509_lcl.h"
-
-/*-
- * X509_ATTRIBUTE: this has the following form:
- *
- * typedef struct x509_attributes_st
- *      {
- *      ASN1_OBJECT *object;
- *      STACK_OF(ASN1_TYPE) *set;
- *      } X509_ATTRIBUTE;
- *
- */
-
-ASN1_SEQUENCE(X509_ATTRIBUTE) = {
-        ASN1_SIMPLE(X509_ATTRIBUTE, object, ASN1_OBJECT),
-        ASN1_SET_OF(X509_ATTRIBUTE, set, ASN1_ANY)
-} ASN1_SEQUENCE_END(X509_ATTRIBUTE)
-
-IMPLEMENT_ASN1_FUNCTIONS(X509_ATTRIBUTE)
-IMPLEMENT_ASN1_DUP_FUNCTION(X509_ATTRIBUTE)
-
-X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
-{
-    X509_ATTRIBUTE *ret = NULL;
-    ASN1_TYPE *val = NULL;
-
-    if ((ret = X509_ATTRIBUTE_new()) == NULL)
-        return (NULL);
-    ret->object = OBJ_nid2obj(nid);
-    if ((val = ASN1_TYPE_new()) == NULL)
-        goto err;
-    if (!sk_ASN1_TYPE_push(ret->set, val))
-        goto err;
-
-    ASN1_TYPE_set(val, atrtype, value);
-    return (ret);
- err:
-    X509_ATTRIBUTE_free(ret);
-    ASN1_TYPE_free(val);
-    return (NULL);
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_exten.c b/Cryptlib/OpenSSL/crypto/x509/x_exten.c
deleted file mode 100644
index f10f4a4d..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/x_exten.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stddef.h>
-#include <openssl/x509.h>
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include "x509_lcl.h"
-
-ASN1_SEQUENCE(X509_EXTENSION) = {
-        ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
-        ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
-        ASN1_EMBED(X509_EXTENSION, value, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(X509_EXTENSION)
-
-ASN1_ITEM_TEMPLATE(X509_EXTENSIONS) =
-        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Extension, X509_EXTENSION)
-ASN1_ITEM_TEMPLATE_END(X509_EXTENSIONS)
-
-IMPLEMENT_ASN1_FUNCTIONS(X509_EXTENSION)
-IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
-IMPLEMENT_ASN1_DUP_FUNCTION(X509_EXTENSION)
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_req.c b/Cryptlib/OpenSSL/crypto/x509/x_req.c
deleted file mode 100644
index c2da95a7..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/x_req.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include "internal/x509_int.h"
-
-/*-
- * X509_REQ_INFO is handled in an unusual way to get round
- * invalid encodings. Some broken certificate requests don't
- * encode the attributes field if it is empty. This is in
- * violation of PKCS#10 but we need to tolerate it. We do
- * this by making the attributes field OPTIONAL then using
- * the callback to initialise it to an empty STACK.
- *
- * This means that the field will be correctly encoded unless
- * we NULL out the field.
- *
- * As a result we no longer need the req_kludge field because
- * the information is now contained in the attributes field:
- * 1. If it is NULL then it's the invalid omission.
- * 2. If it is empty it is the correct encoding.
- * 3. If it is not empty then some attributes are present.
- *
- */
-
-static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
-                   void *exarg)
-{
-    X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
-
-    if (operation == ASN1_OP_NEW_POST) {
-        rinf->attributes = sk_X509_ATTRIBUTE_new_null();
-        if (!rinf->attributes)
-            return 0;
-    }
-    return 1;
-}
-
-ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
-        ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
-        ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
-        ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
-        /* This isn't really OPTIONAL but it gets round invalid
-         * encodings
-         */
-        ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
-} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
-
-IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
-
-ASN1_SEQUENCE_ref(X509_REQ, 0) = {
-        ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO),
-        ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR),
-        ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
-} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
-
-IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
-
-IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_x509a.c b/Cryptlib/OpenSSL/crypto/x509/x_x509a.c
deleted file mode 100644
index 8c9ad71d..00000000
--- a/Cryptlib/OpenSSL/crypto/x509/x_x509a.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/evp.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-#include "internal/x509_int.h"
-
-/*
- * X509_CERT_AUX routines. These are used to encode additional user
- * modifiable data about a certificate. This data is appended to the X509
- * encoding when the *_X509_AUX routines are used. This means that the
- * "traditional" X509 routines will simply ignore the extra data.
- */
-
-static X509_CERT_AUX *aux_get(X509 *x);
-
-ASN1_SEQUENCE(X509_CERT_AUX) = {
-        ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT),
-        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0),
-        ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING),
-        ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING),
-        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1)
-} ASN1_SEQUENCE_END(X509_CERT_AUX)
-
-IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_AUX)
-
-int X509_trusted(const X509 *x)
-{
-    return x->aux ? 1 : 0;
-}
-
-static X509_CERT_AUX *aux_get(X509 *x)
-{
-    if (x == NULL)
-        return NULL;
-    if (x->aux == NULL && (x->aux = X509_CERT_AUX_new()) == NULL)
-        return NULL;
-    return x->aux;
-}
-
-int X509_alias_set1(X509 *x, const unsigned char *name, int len)
-{
-    X509_CERT_AUX *aux;
-    if (!name) {
-        if (!x || !x->aux || !x->aux->alias)
-            return 1;
-        ASN1_UTF8STRING_free(x->aux->alias);
-        x->aux->alias = NULL;
-        return 1;
-    }
-    if ((aux = aux_get(x)) == NULL)
-        return 0;
-    if (aux->alias == NULL && (aux->alias = ASN1_UTF8STRING_new()) == NULL)
-        return 0;
-    return ASN1_STRING_set(aux->alias, name, len);
-}
-
-int X509_keyid_set1(X509 *x, const unsigned char *id, int len)
-{
-    X509_CERT_AUX *aux;
-    if (!id) {
-        if (!x || !x->aux || !x->aux->keyid)
-            return 1;
-        ASN1_OCTET_STRING_free(x->aux->keyid);
-        x->aux->keyid = NULL;
-        return 1;
-    }
-    if ((aux = aux_get(x)) == NULL)
-        return 0;
-    if (aux->keyid == NULL
-        && (aux->keyid = ASN1_OCTET_STRING_new()) == NULL)
-        return 0;
-    return ASN1_STRING_set(aux->keyid, id, len);
-}
-
-unsigned char *X509_alias_get0(X509 *x, int *len)
-{
-    if (!x->aux || !x->aux->alias)
-        return NULL;
-    if (len)
-        *len = x->aux->alias->length;
-    return x->aux->alias->data;
-}
-
-unsigned char *X509_keyid_get0(X509 *x, int *len)
-{
-    if (!x->aux || !x->aux->keyid)
-        return NULL;
-    if (len)
-        *len = x->aux->keyid->length;
-    return x->aux->keyid->data;
-}
-
-int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj)
-{
-    X509_CERT_AUX *aux;
-    ASN1_OBJECT *objtmp = NULL;
-    if (obj) {
-        objtmp = OBJ_dup(obj);
-        if (!objtmp)
-            return 0;
-    }
-    if ((aux = aux_get(x)) == NULL)
-        goto err;
-    if (aux->trust == NULL
-        && (aux->trust = sk_ASN1_OBJECT_new_null()) == NULL)
-        goto err;
-    if (!objtmp || sk_ASN1_OBJECT_push(aux->trust, objtmp))
-        return 1;
- err:
-    ASN1_OBJECT_free(objtmp);
-    return 0;
-}
-
-int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj)
-{
-    X509_CERT_AUX *aux;
-    ASN1_OBJECT *objtmp;
-    if ((objtmp = OBJ_dup(obj)) == NULL)
-        return 0;
-    if ((aux = aux_get(x)) == NULL)
-        goto err;
-    if (aux->reject == NULL
-        && (aux->reject = sk_ASN1_OBJECT_new_null()) == NULL)
-        goto err;
-    return sk_ASN1_OBJECT_push(aux->reject, objtmp);
- err:
-    ASN1_OBJECT_free(objtmp);
-    return 0;
-}
-
-void X509_trust_clear(X509 *x)
-{
-    if (x->aux) {
-        sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free);
-        x->aux->trust = NULL;
-    }
-}
-
-void X509_reject_clear(X509 *x)
-{
-    if (x->aux) {
-        sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free);
-        x->aux->reject = NULL;
-    }
-}
-
-STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(X509 *x)
-{
-    if (x->aux != NULL)
-        return x->aux->trust;
-    return NULL;
-}
-
-STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x)
-{
-    if (x->aux != NULL)
-        return x->aux->reject;
-    return NULL;
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h b/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h
index c9ede960..09ebbcae 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h
+++ b/Cryptlib/OpenSSL/crypto/x509v3/ext_dat.h
@@ -1,24 +1,138 @@
+/* ext_dat.h */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
+/* This file contains a table of "standard" extensions */
+
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
+extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
+extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
+extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
+extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
+extern X509V3_EXT_METHOD v3_addr, v3_asid;
+extern X509V3_EXT_METHOD v3_ct_scts[];
+
+/*
+ * This table will be searched using OBJ_bsearch so it *must* kept in order
+ * of the ext_nid values.
+ */
+
+static const X509V3_EXT_METHOD *standard_exts[] = {
+    &v3_nscert,
+    &v3_ns_ia5_list[0],
+    &v3_ns_ia5_list[1],
+    &v3_ns_ia5_list[2],
+    &v3_ns_ia5_list[3],
+    &v3_ns_ia5_list[4],
+    &v3_ns_ia5_list[5],
+    &v3_ns_ia5_list[6],
+    &v3_skey_id,
+    &v3_key_usage,
+    &v3_pkey_usage_period,
+    &v3_alt[0],
+    &v3_alt[1],
+    &v3_bcons,
+    &v3_crl_num,
+    &v3_cpols,
+    &v3_akey_id,
+    &v3_crld,
+    &v3_ext_ku,
+    &v3_delta_crl,
+    &v3_crl_reason,
+#ifndef OPENSSL_NO_OCSP
+    &v3_crl_invdate,
+#endif
+    &v3_sxnet,
+    &v3_info,
+#ifndef OPENSSL_NO_RFC3779
+    &v3_addr,
+    &v3_asid,
+#endif
+#ifndef OPENSSL_NO_OCSP
+    &v3_ocsp_nonce,
+    &v3_ocsp_crlid,
+    &v3_ocsp_accresp,
+    &v3_ocsp_nocheck,
+    &v3_ocsp_acutoff,
+    &v3_ocsp_serviceloc,
+#endif
+    &v3_sinfo,
+    &v3_policy_constraints,
+#ifndef OPENSSL_NO_OCSP
+    &v3_crl_hold,
+#endif
+    &v3_pci,
+    &v3_name_constraints,
+    &v3_policy_mappings,
+    &v3_inhibit_anyp,
+    &v3_idp,
+    &v3_alt[2],
+    &v3_freshest_crl,
+#ifndef OPENSSL_NO_SCT
+    &v3_ct_scts[0],
+    &v3_ct_scts[1],
+#endif
+};
 
-int name_cmp(const char *name, const char *cmp);
+/* Number of standard extensions */
 
-extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
-extern const X509V3_EXT_METHOD v3_ns_ia5_list[8], v3_alt[3], v3_skey_id, v3_akey_id;
-extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
-extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
-extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern const X509V3_EXT_METHOD v3_crl_hold, v3_pci;
-extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern const X509V3_EXT_METHOD v3_addr, v3_asid;
-extern const X509V3_EXT_METHOD v3_ct_scts[3];
-extern const X509V3_EXT_METHOD v3_tls_feature;
+#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c
index a9ee30a8..c8f41f24 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_cache.c
@@ -1,16 +1,65 @@
+/* pcy_cache.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
 
 #include "pcy_int.h"
 
@@ -34,12 +83,12 @@ static int policy_cache_create(X509 *x,
     if (sk_POLICYINFO_num(policies) == 0)
         goto bad_policy;
     cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
-    if (cache->data == NULL)
+    if (!cache->data)
         goto bad_policy;
     for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
         policy = sk_POLICYINFO_value(policies, i);
         data = policy_data_new(policy, NULL, crit);
-        if (data == NULL)
+        if (!data)
             goto bad_policy;
         /*
          * Duplicate policy OIDs are illegal: reject if matches found.
@@ -61,7 +110,8 @@ static int policy_cache_create(X509 *x,
  bad_policy:
     if (ret == -1)
         x->ex_flags |= EXFLAG_INVALID_POLICY;
-    policy_data_free(data);
+    if (data)
+        policy_data_free(data);
     sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
     if (ret <= 0) {
         sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
@@ -78,11 +128,8 @@ static int policy_cache_new(X509 *x)
     CERTIFICATEPOLICIES *ext_cpols = NULL;
     POLICY_MAPPINGS *ext_pmaps = NULL;
     int i;
-
-    if (x->policy_cache != NULL)
-        return 1;
-    cache = OPENSSL_malloc(sizeof(*cache));
-    if (cache == NULL)
+    cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
+    if (!cache)
         return 0;
     cache->anyPolicy = NULL;
     cache->data = NULL;
@@ -153,14 +200,18 @@ static int policy_cache_new(X509 *x)
             goto bad_cache;
     } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
         goto bad_cache;
-    goto just_cleanup;
 
+    if (0) {
  bad_cache:
-    x->ex_flags |= EXFLAG_INVALID_POLICY;
+        x->ex_flags |= EXFLAG_INVALID_POLICY;
+    }
+
+    if (ext_pcons)
+        POLICY_CONSTRAINTS_free(ext_pcons);
+
+    if (ext_any)
+        ASN1_INTEGER_free(ext_any);
 
- just_cleanup:
-    POLICY_CONSTRAINTS_free(ext_pcons);
-    ASN1_INTEGER_free(ext_any);
     return 1;
 
 }
@@ -169,8 +220,10 @@ void policy_cache_free(X509_POLICY_CACHE *cache)
 {
     if (!cache)
         return;
-    policy_data_free(cache->anyPolicy);
-    sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
+    if (cache->anyPolicy)
+        policy_data_free(cache->anyPolicy);
+    if (cache->data)
+        sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
     OPENSSL_free(cache);
 }
 
@@ -178,9 +231,9 @@ const X509_POLICY_CACHE *policy_cache_set(X509 *x)
 {
 
     if (x->policy_cache == NULL) {
-        CRYPTO_THREAD_write_lock(x->lock);
+        CRYPTO_w_lock(CRYPTO_LOCK_X509);
         policy_cache_new(x);
-        CRYPTO_THREAD_unlock(x->lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
     }
 
     return x->policy_cache;
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c
index cf1d635e..90e9970e 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_data.c
@@ -1,13 +1,63 @@
+/* pcy_data.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -17,8 +67,6 @@
 
 void policy_data_free(X509_POLICY_DATA *data)
 {
-    if (!data)
-        return;
     ASN1_OBJECT_free(data->valid_policy);
     /* Don't free qualifiers if shared */
     if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
@@ -28,9 +76,9 @@ void policy_data_free(X509_POLICY_DATA *data)
 }
 
 /*
- * Create a data based on an existing policy. If 'id' is NULL use the OID in
+ * Create a data based on an existing policy. If 'id' is NULL use the oid in
  * the policy, otherwise use 'id'. This behaviour covers the two types of
- * data in RFC3280: data with from a CertificatePolicies extension and
+ * data in RFC3280: data with from a CertificatePolcies extension and
  * additional data with just the qualifiers of anyPolicy and ID from another
  * source.
  */
@@ -48,18 +96,21 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
             return NULL;
     } else
         id = NULL;
-    ret = OPENSSL_zalloc(sizeof(*ret));
-    if (ret == NULL)
+    ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
+    if (!ret)
         return NULL;
     ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
-    if (ret->expected_policy_set == NULL) {
+    if (!ret->expected_policy_set) {
         OPENSSL_free(ret);
-        ASN1_OBJECT_free(id);
+        if (id)
+            ASN1_OBJECT_free(id);
         return NULL;
     }
 
     if (crit)
         ret->flags = POLICY_DATA_FLAG_CRITICAL;
+    else
+        ret->flags = 0;
 
     if (id)
         ret->valid_policy = id;
@@ -71,7 +122,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy,
     if (policy) {
         ret->qualifier_set = policy->qualifiers;
         policy->qualifiers = NULL;
-    }
+    } else
+        ret->qualifier_set = NULL;
 
     return ret;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h b/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
index 5daf78de..b5075f9e 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
@@ -1,15 +1,65 @@
+/* pcy_int.h */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
 
-DEFINE_STACK_OF(X509_POLICY_DATA)
+DECLARE_STACK_OF(X509_POLICY_DATA)
 
 /* Internal structures */
 
@@ -119,7 +169,7 @@ struct X509_POLICY_TREE_st {
      * required.
      */
     STACK_OF(X509_POLICY_DATA) *extra_data;
-    /* This is the authority constrained policy set */
+    /* This is the authority constained policy set */
     STACK_OF(X509_POLICY_NODE) *auth_policies;
     STACK_OF(X509_POLICY_NODE) *user_policies;
     unsigned int flags;
@@ -157,7 +207,7 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
                                const ASN1_OBJECT *id);
 
 X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-                                 X509_POLICY_DATA *data,
+                                 const X509_POLICY_DATA *data,
                                  X509_POLICY_NODE *parent,
                                  X509_POLICY_TREE *tree);
 void policy_node_free(X509_POLICY_NODE *node);
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c
index 67f7eafc..dbb29835 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_lib.c
@@ -1,13 +1,63 @@
+/* pcy_lib.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -90,6 +140,15 @@ const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
     return node->data->valid_policy;
 }
 
+#if 0
+int X509_policy_node_get_critical(const X509_POLICY_NODE *node)
+{
+    if (node_critical(node))
+        return 1;
+    return 0;
+}
+#endif
+
 STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(const
                                                            X509_POLICY_NODE
                                                            *node)
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c
index ab9dd21b..b99eb91c 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_map.c
@@ -1,16 +1,65 @@
+/* pcy_map.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
 
 #include "pcy_int.h"
 
@@ -42,15 +91,15 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
         /* Attempt to find matching policy data */
         data = policy_cache_find_data(cache, map->issuerDomainPolicy);
         /* If we don't have anyPolicy can't map */
-        if (data == NULL && !cache->anyPolicy)
+        if (!data && !cache->anyPolicy)
             continue;
 
         /* Create a NODE from anyPolicy */
-        if (data == NULL) {
+        if (!data) {
             data = policy_data_new(NULL, map->issuerDomainPolicy,
                                    cache->anyPolicy->flags
                                    & POLICY_DATA_FLAG_CRITICAL);
-            if (data == NULL)
+            if (!data)
                 goto bad_mapping;
             data->qualifier_set = cache->anyPolicy->qualifier_set;
             /*
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
index 80443bff..d6c91765 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
@@ -1,10 +1,60 @@
+/* pcy_node.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <openssl/asn1.h>
@@ -59,17 +109,17 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
 }
 
 X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
-                                 X509_POLICY_DATA *data,
+                                 const X509_POLICY_DATA *data,
                                  X509_POLICY_NODE *parent,
                                  X509_POLICY_TREE *tree)
 {
     X509_POLICY_NODE *node;
-
-    node = OPENSSL_zalloc(sizeof(*node));
-    if (node == NULL)
+    node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
+    if (!node)
         return NULL;
     node->data = data;
     node->parent = parent;
+    node->nchild = 0;
     if (level) {
         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
             if (level->anyPolicy)
@@ -77,9 +127,9 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
             level->anyPolicy = node;
         } else {
 
-            if (level->nodes == NULL)
+            if (!level->nodes)
                 level->nodes = policy_node_cmp_new();
-            if (level->nodes == NULL)
+            if (!level->nodes)
                 goto node_error;
             if (!sk_X509_POLICY_NODE_push(level->nodes, node))
                 goto node_error;
@@ -87,9 +137,9 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
     }
 
     if (tree) {
-        if (tree->extra_data == NULL)
+        if (!tree->extra_data)
             tree->extra_data = sk_X509_POLICY_DATA_new_null();
-        if (tree->extra_data == NULL)
+        if (!tree->extra_data)
             goto node_error;
         if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
             goto node_error;
@@ -102,7 +152,8 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
 
  node_error:
     policy_node_free(node);
-    return NULL;
+    return 0;
+
 }
 
 void policy_node_free(X509_POLICY_NODE *node)
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
index 9f9246be..09b8691c 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
@@ -1,13 +1,63 @@
+/* pcy_tree.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -48,26 +98,22 @@ static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
 static void tree_print(char *str, X509_POLICY_TREE *tree,
                        X509_POLICY_LEVEL *curr)
 {
-    BIO *err = BIO_new_fp(stderr, BIO_NOCLOSE);
     X509_POLICY_LEVEL *plev;
-
-    if (err == NULL)
-        return;
+    X509_POLICY_NODE *node;
+    int i;
+    BIO *err;
+    err = BIO_new_fp(stderr, BIO_NOCLOSE);
     if (!curr)
         curr = tree->levels + tree->nlevel;
     else
         curr++;
-
     BIO_printf(err, "Level print after %s\n", str);
     BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
     for (plev = tree->levels; plev != curr; plev++) {
-        int i;
-
         BIO_printf(err, "Level %ld, flags = %x\n",
-                   (long)(plev - tree->levels), plev->flags);
+                   plev - tree->levels, plev->flags);
         for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
-            X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(plev->nodes, i);
-
+            node = sk_X509_POLICY_NODE_value(plev->nodes, i);
             X509_POLICY_NODE_print(err, node, 2);
             expected_print(err, plev, node, 2);
             BIO_printf(err, "  Flags: %x\n", node->data->flags);
@@ -75,17 +121,26 @@ static void tree_print(char *str, X509_POLICY_TREE *tree,
         if (plev->anyPolicy)
             X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
     }
+
     BIO_free(err);
+
 }
+#else
+
+# define tree_print(a,b,c)      /* */
+
 #endif
 
 /*-
- * Return value: <= 0 on error, or positive bit mask:
- *
- * X509_PCY_TREE_VALID: valid tree
- * X509_PCY_TREE_EMPTY: empty tree (including bare TA case)
- * X509_PCY_TREE_EXPLICIT: explicit policy required
+ * Initialize policy tree. Return values:
+ *  0 Some internal error occurred.
+ * -1 Inconsistent or invalid extensions in certificates.
+ *  1 Tree initialized OK.
+ *  2 Policy tree is empty.
+ *  5 Tree OK and requireExplicitPolicy true.
+ *  6 Tree empty and requireExplicitPolicy true.
  */
+
 static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                      unsigned int flags)
 {
@@ -93,112 +148,114 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
     X509_POLICY_LEVEL *level;
     const X509_POLICY_CACHE *cache;
     X509_POLICY_DATA *data = NULL;
-    int ret = X509_PCY_TREE_VALID;
-    int n = sk_X509_num(certs) - 1; /* RFC5280 paths omit the TA */
-    int explicit_policy = (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : n+1;
-    int any_skip = (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : n+1;
-    int map_skip = (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : n+1;
-    int i;
-
+    X509 *x;
+    int ret = 1;
+    int i, n;
+    int explicit_policy;
+    int any_skip;
+    int map_skip;
     *ptree = NULL;
+    n = sk_X509_num(certs);
 
-    /* Can't do anything with just a trust anchor */
-    if (n == 0)
-        return X509_PCY_TREE_EMPTY;
+#if 0
+    /* Disable policy mapping for now... */
+    flags |= X509_V_FLAG_INHIBIT_MAP;
+#endif
 
-    /*
-     * First setup the policy cache in all n non-TA certificates, this will be
-     * used in X509_verify_cert() which will invoke the verify callback for all
-     * certificates with invalid policy extensions.
-     */
-    for (i = n - 1; i >= 0; i--) {
-        X509 *x = sk_X509_value(certs, i);
+    if (flags & X509_V_FLAG_EXPLICIT_POLICY)
+        explicit_policy = 0;
+    else
+        explicit_policy = n + 1;
 
-        /* Call for side-effect of computing hash and caching extensions */
-        X509_check_purpose(x, -1, 0);
+    if (flags & X509_V_FLAG_INHIBIT_ANY)
+        any_skip = 0;
+    else
+        any_skip = n + 1;
 
-        /* If cache is NULL, likely ENOMEM: return immediately */
-        if (policy_cache_set(x) == NULL)
-            return X509_PCY_TREE_INTERNAL;
-    }
+    if (flags & X509_V_FLAG_INHIBIT_MAP)
+        map_skip = 0;
+    else
+        map_skip = n + 1;
 
+    /* Can't do anything with just a trust anchor */
+    if (n == 1)
+        return 1;
     /*
-     * At this point check for invalid policies and required explicit policy.
-     * Note that the explicit_policy counter is a count-down to zero, with the
-     * requirement kicking in if and once it does that.  The counter is
-     * decremented for every non-self-issued certificate in the path, but may
-     * be further reduced by policy constraints in a non-leaf certificate.
-     *
-     * The ultimate policy set is the intersection of all the policies along
-     * the path, if we hit a certificate with an empty policy set, and explicit
-     * policy is required we're done.
+     * First setup policy cache in all certificates apart from the trust
+     * anchor. Note any bad cache results on the way. Also can calculate
+     * explicit_policy value at this point.
      */
-    for (i = n - 1;
-         i >= 0 && (explicit_policy > 0 || (ret & X509_PCY_TREE_EMPTY) == 0);
-         i--) {
-        X509 *x = sk_X509_value(certs, i);
-        uint32_t ex_flags = X509_get_extension_flags(x);
-
-        /* All the policies are already cached, we can return early */
-        if (ex_flags & EXFLAG_INVALID_POLICY)
-            return X509_PCY_TREE_INVALID;
-
-        /* Access the cache which we now know exists */
+    for (i = n - 2; i >= 0; i--) {
+        x = sk_X509_value(certs, i);
+        X509_check_purpose(x, -1, -1);
         cache = policy_cache_set(x);
-
-        if ((ret & X509_PCY_TREE_VALID) && cache->data == NULL)
-            ret = X509_PCY_TREE_EMPTY;
+        /* If cache NULL something bad happened: return immediately */
+        if (cache == NULL)
+            return 0;
+        /*
+         * If inconsistent extensions keep a note of it but continue
+         */
+        if (x->ex_flags & EXFLAG_INVALID_POLICY)
+            ret = -1;
+        /*
+         * Otherwise if we have no data (hence no CertificatePolicies) and
+         * haven't already set an inconsistent code note it.
+         */
+        else if ((ret == 1) && !cache->data)
+            ret = 2;
         if (explicit_policy > 0) {
-            if (!(ex_flags & EXFLAG_SI))
+            if (!(x->ex_flags & EXFLAG_SI))
                 explicit_policy--;
-            if ((cache->explicit_skip >= 0)
+            if ((cache->explicit_skip != -1)
                 && (cache->explicit_skip < explicit_policy))
                 explicit_policy = cache->explicit_skip;
         }
     }
 
-    if (explicit_policy == 0)
-        ret |= X509_PCY_TREE_EXPLICIT;
-    if ((ret & X509_PCY_TREE_VALID) == 0)
+    if (ret != 1) {
+        if (ret == 2 && !explicit_policy)
+            return 6;
         return ret;
+    }
 
     /* If we get this far initialize the tree */
-    if ((tree = OPENSSL_zalloc(sizeof(*tree))) == NULL)
-        return X509_PCY_TREE_INTERNAL;
 
-    /*
-     * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
-     *
-     * The top level is implicitly for the trust anchor with valid expected
-     * policies of anyPolicy.  (RFC 5280 has the TA at depth 0 and the leaf at
-     * depth n, we have the leaf at depth 0 and the TA at depth n).
-     */
-    if ((tree->levels = OPENSSL_zalloc(sizeof(*tree->levels)*(n+1))) == NULL) {
+    tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
+
+    if (!tree)
+        return 0;
+
+    tree->flags = 0;
+    tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
+    tree->nlevel = 0;
+    tree->extra_data = NULL;
+    tree->auth_policies = NULL;
+    tree->user_policies = NULL;
+
+    if (!tree->levels) {
         OPENSSL_free(tree);
-        return X509_PCY_TREE_INTERNAL;
+        return 0;
     }
-    tree->nlevel = n+1;
+
+    memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
+
+    tree->nlevel = n;
+
     level = tree->levels;
-    if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
-        goto bad_tree;
-    if (level_add_node(level, data, NULL, tree) == NULL) {
-        policy_data_free(data);
-        goto bad_tree;
-    }
 
-    /*
-     * In this pass initialize all the tree levels and whether anyPolicy and
-     * policy mapping are inhibited at each level.
-     */
-    for (i = n - 1; i >= 0; i--) {
-        X509 *x = sk_X509_value(certs, i);
-        uint32_t ex_flags = X509_get_extension_flags(x);
+    /* Root data: initialize to anyPolicy */
 
-        /* Access the cache which we now know exists */
-        cache = policy_cache_set(x);
+    data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
 
-        X509_up_ref(x);
-        (++level)->cert = x;
+    if (!data || !level_add_node(level, data, NULL, tree))
+        goto bad_tree;
+
+    for (i = n - 2; i >= 0; i--) {
+        level++;
+        x = sk_X509_value(certs, i);
+        cache = policy_cache_set(x);
+        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+        level->cert = x;
 
         if (!cache->anyPolicy)
             level->flags |= X509_V_FLAG_INHIBIT_ANY;
@@ -206,57 +263,63 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         /* Determine inhibit any and inhibit map flags */
         if (any_skip == 0) {
             /*
-             * Any matching allowed only if certificate is self issued and not
-             * the last in the chain.
+             * Any matching allowed if certificate is self issued and not the
+             * last in the chain.
              */
-            if (!(ex_flags & EXFLAG_SI) || (i == 0))
+            if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                 level->flags |= X509_V_FLAG_INHIBIT_ANY;
         } else {
-            if (!(ex_flags & EXFLAG_SI))
+            if (!(x->ex_flags & EXFLAG_SI))
                 any_skip--;
-            if ((cache->any_skip >= 0) && (cache->any_skip < any_skip))
+            if ((cache->any_skip >= 0)
+                && (cache->any_skip < any_skip))
                 any_skip = cache->any_skip;
         }
 
         if (map_skip == 0)
             level->flags |= X509_V_FLAG_INHIBIT_MAP;
         else {
-            if (!(ex_flags & EXFLAG_SI))
+            if (!(x->ex_flags & EXFLAG_SI))
                 map_skip--;
-            if ((cache->map_skip >= 0) && (cache->map_skip < map_skip))
+            if ((cache->map_skip >= 0)
+                && (cache->map_skip < map_skip))
                 map_skip = cache->map_skip;
         }
+
     }
 
     *ptree = tree;
-    return ret;
+
+    if (explicit_policy)
+        return 1;
+    else
+        return 5;
 
  bad_tree:
+
     X509_policy_tree_free(tree);
-    return X509_PCY_TREE_INTERNAL;
+
+    return 0;
+
 }
 
-/*
- * Return value: 1 on success, 0 otherwise
- */
 static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-                                    X509_POLICY_DATA *data)
+                                    const X509_POLICY_DATA *data)
 {
     X509_POLICY_LEVEL *last = curr - 1;
+    X509_POLICY_NODE *node;
     int i, matched = 0;
-
     /* Iterate through all in nodes linking matches */
     for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
-        X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
-
+        node = sk_X509_POLICY_NODE_value(last->nodes, i);
         if (policy_node_match(last, node, data->valid_policy)) {
-            if (level_add_node(curr, data, node, NULL) == NULL)
+            if (!level_add_node(curr, data, node, NULL))
                 return 0;
             matched = 1;
         }
     }
     if (!matched && last->anyPolicy) {
-        if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
+        if (!level_add_node(curr, data, last->anyPolicy, NULL))
             return 0;
     }
     return 1;
@@ -265,17 +328,29 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
 /*
  * This corresponds to RFC3280 6.1.3(d)(1): link any data from
  * CertificatePolicies onto matching parent or anyPolicy if no match.
- *
- * Return value: 1 on success, 0 otherwise.
  */
+
 static int tree_link_nodes(X509_POLICY_LEVEL *curr,
                            const X509_POLICY_CACHE *cache)
 {
     int i;
+    X509_POLICY_DATA *data;
 
     for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
-        X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
-
+        data = sk_X509_POLICY_DATA_value(cache->data, i);
+        /*
+         * If a node is mapped any it doesn't have a corresponding
+         * CertificatePolicies entry. However such an identical node would
+         * be created if anyPolicy matching is enabled because there would be
+         * no match with the parent valid_policy_set. So we create link
+         * because then it will have the mapping flags right and we can prune
+         * it later.
+         */
+#if 0
+        if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
+            && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
+            continue;
+#endif
         /* Look for matching nodes in previous level */
         if (!tree_link_matching_nodes(curr, data))
             return 0;
@@ -286,38 +361,35 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
 /*
  * This corresponds to RFC3280 6.1.3(d)(2): Create new data for any unmatched
  * policies in the parent and link to anyPolicy.
- *
- * Return value: 1 on success, 0 otherwise.
  */
+
 static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
                               const X509_POLICY_CACHE *cache,
                               const ASN1_OBJECT *id,
                               X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
 {
     X509_POLICY_DATA *data;
-
     if (id == NULL)
         id = node->data->valid_policy;
     /*
      * Create a new node with qualifiers from anyPolicy and id from unmatched
      * node.
      */
-    if ((data = policy_data_new(NULL, id, node_critical(node))) == NULL)
-        return 0;
+    data = policy_data_new(NULL, id, node_critical(node));
 
+    if (data == NULL)
+        return 0;
     /* Curr may not have anyPolicy */
     data->qualifier_set = cache->anyPolicy->qualifier_set;
     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-    if (level_add_node(curr, data, node, tree) == NULL) {
+    if (!level_add_node(curr, data, node, tree)) {
         policy_data_free(data);
         return 0;
     }
+
     return 1;
 }
 
-/*
- * Return value: 1 on success, 0 otherwise.
- */
 static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
                                const X509_POLICY_CACHE *cache,
                                X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
@@ -348,17 +420,19 @@ static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
         }
 
     }
+
     return 1;
+
 }
 
-/*
- * Return value: 1 on success, 0 otherwise
- */
 static int tree_link_any(X509_POLICY_LEVEL *curr,
                          const X509_POLICY_CACHE *cache,
                          X509_POLICY_TREE *tree)
 {
     int i;
+    /*
+     * X509_POLICY_DATA *data;
+     */
     X509_POLICY_NODE *node;
     X509_POLICY_LEVEL *last = curr - 1;
 
@@ -367,24 +441,50 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
         if (!tree_link_unmatched(curr, cache, node, tree))
             return 0;
+
+#if 0
+
+        /*
+         * Skip any node with any children: we only want unmathced nodes.
+         * Note: need something better for policy mapping because each node
+         * may have multiple children
+         */
+        if (node->nchild)
+            continue;
+
+        /*
+         * Create a new node with qualifiers from anyPolicy and id from
+         * unmatched node.
+         */
+        data = policy_data_new(NULL, node->data->valid_policy,
+                               node_critical(node));
+
+        if (data == NULL)
+            return 0;
+        /* Curr may not have anyPolicy */
+        data->qualifier_set = cache->anyPolicy->qualifier_set;
+        data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+        if (!level_add_node(curr, data, node, tree)) {
+            policy_data_free(data);
+            return 0;
+        }
+#endif
+
     }
     /* Finally add link to anyPolicy */
-    if (last->anyPolicy &&
-        level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
-        return 0;
+    if (last->anyPolicy) {
+        if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL))
+            return 0;
+    }
     return 1;
 }
 
-/*-
- * Prune the tree: delete any child mapped child data on the current level then
- * proceed up the tree deleting any data with no children. If we ever have no
- * data on a level we can halt because the tree will be empty.
- *
- * Return value: <= 0 error, otherwise one of:
- *
- * X509_PCY_TREE_VALID: valid tree
- * X509_PCY_TREE_EMPTY: empty tree
+/*
+ * Prune the tree: delete any child mapped child data on the current level
+ * then proceed up the tree deleting any data with no children. If we ever
+ * have no data on a level we can halt because the tree will be empty.
  */
+
 static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
 {
     STACK_OF(X509_POLICY_NODE) *nodes;
@@ -423,43 +523,41 @@ static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
         if (curr == tree->levels) {
             /* If we zapped anyPolicy at top then tree is empty */
             if (!curr->anyPolicy)
-                return X509_PCY_TREE_EMPTY;
-            break;
+                return 2;
+            return 1;
         }
     }
-    return X509_PCY_TREE_VALID;
+
+    return 1;
+
 }
 
-/*
- * Return value: 1 on success, 0 otherwise.
- */
 static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
                               X509_POLICY_NODE *pcy)
 {
-    if (*pnodes == NULL &&
-        (*pnodes = policy_node_cmp_new()) == NULL)
-        return 0;
-    if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
+    if (!*pnodes) {
+        *pnodes = policy_node_cmp_new();
+        if (!*pnodes)
+            return 0;
+    } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
         return 1;
-    return sk_X509_POLICY_NODE_push(*pnodes, pcy) != 0;
-}
 
-#define TREE_CALC_FAILURE 0
-#define TREE_CALC_OK_NOFREE 1
-#define TREE_CALC_OK_DOFREE 2
+    if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
+        return 0;
 
-/*-
- * Calculate the authority set based on policy tree. The 'pnodes' parameter is
- * used as a store for the set of policy nodes used to calculate the user set.
- * If the authority set is not anyPolicy then pnodes will just point to the
- * authority set. If however the authority set is anyPolicy then the set of
- * valid policies (other than anyPolicy) is store in pnodes.
- *
- * Return value:
- *  TREE_CALC_FAILURE on failure,
- *  TREE_CALC_OK_NOFREE on success and pnodes need not be freed,
- *  TREE_CALC_OK_DOFREE on success and pnodes needs to be freed
+    return 1;
+
+}
+
+/*
+ * Calculate the authority set based on policy tree. The 'pnodes' parameter
+ * is used as a store for the set of policy nodes used to calculate the user
+ * set. If the authority set is not anyPolicy then pnodes will just point to
+ * the authority set. If however the authority set is anyPolicy then the set
+ * of valid policies (other than anyPolicy) is store in pnodes. The return
+ * value of '2' is used in this case to indicate that pnodes should be freed.
  */
+
 static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
                                         STACK_OF(X509_POLICY_NODE) **pnodes)
 {
@@ -472,7 +570,7 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
     /* If last level contains anyPolicy set is anyPolicy */
     if (curr->anyPolicy) {
         if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
-            return TREE_CALC_FAILURE;
+            return 0;
         addnodes = pnodes;
     } else
         /* Add policies to authority set */
@@ -484,31 +582,25 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
          * If no anyPolicy node on this this level it can't appear on lower
          * levels so end search.
          */
-        if ((anyptr = curr->anyPolicy) == NULL)
+        if (!(anyptr = curr->anyPolicy))
             break;
         curr++;
         for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
             node = sk_X509_POLICY_NODE_value(curr->nodes, j);
             if ((node->parent == anyptr)
-                && !tree_add_auth_node(addnodes, node)) {
-                if (addnodes == pnodes) {
-                    sk_X509_POLICY_NODE_free(*pnodes);
-                    *pnodes = NULL;
-                }
-                return TREE_CALC_FAILURE;
-            }
+                && !tree_add_auth_node(addnodes, node))
+                return 0;
         }
     }
+
     if (addnodes == pnodes)
-        return TREE_CALC_OK_DOFREE;
+        return 2;
 
     *pnodes = tree->auth_policies;
-    return TREE_CALC_OK_NOFREE;
+
+    return 1;
 }
 
-/*
- * Return value: 1 on success, 0 otherwise.
- */
 static int tree_calculate_user_set(X509_POLICY_TREE *tree,
                                    STACK_OF(ASN1_OBJECT) *policy_oids,
                                    STACK_OF(X509_POLICY_NODE) *auth_nodes)
@@ -516,6 +608,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
     int i;
     X509_POLICY_NODE *node;
     ASN1_OBJECT *oid;
+
     X509_POLICY_NODE *anyPolicy;
     X509_POLICY_DATA *extra;
 
@@ -523,6 +616,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
      * Check if anyPolicy present in authority constrained policy set: this
      * will happen if it is a leaf node.
      */
+
     if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
         return 1;
 
@@ -547,7 +641,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
              * from anyPolicy.
              */
             extra = policy_data_new(NULL, oid, node_critical(anyPolicy));
-            if (extra == NULL)
+            if (!extra)
                 return 0;
             extra->qualifier_set = anyPolicy->data->qualifier_set;
             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
@@ -563,14 +657,9 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
             return 0;
     }
     return 1;
+
 }
 
-/*-
- * Return value: <= 0 error, otherwise one of:
- *  X509_PCY_TREE_VALID: valid tree
- *  X509_PCY_TREE_EMPTY: empty tree
- * (see tree_prune()).
- */
 static int tree_evaluate(X509_POLICY_TREE *tree)
 {
     int ret, i;
@@ -580,19 +669,19 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
     for (i = 1; i < tree->nlevel; i++, curr++) {
         cache = policy_cache_set(curr->cert);
         if (!tree_link_nodes(curr, cache))
-            return X509_PCY_TREE_INTERNAL;
+            return 0;
 
         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
             && !tree_link_any(curr, cache, tree))
-            return X509_PCY_TREE_INTERNAL;
-#ifdef OPENSSL_POLICY_DEBUG
+            return 0;
         tree_print("before tree_prune()", tree, curr);
-#endif
         ret = tree_prune(tree, curr);
-        if (ret != X509_PCY_TREE_VALID)
+        if (ret != 1)
             return ret;
     }
-    return X509_PCY_TREE_VALID;
+
+    return 1;
+
 }
 
 static void exnode_free(X509_POLICY_NODE *node)
@@ -613,12 +702,17 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
     sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
 
     for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
-        X509_free(curr->cert);
-        sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free);
-        policy_node_free(curr->anyPolicy);
+        if (curr->cert)
+            X509_free(curr->cert);
+        if (curr->nodes)
+            sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free);
+        if (curr->anyPolicy)
+            policy_node_free(curr->anyPolicy);
     }
 
-    sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free);
+    if (tree->extra_data)
+        sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free);
+
     OPENSSL_free(tree->levels);
     OPENSSL_free(tree);
 
@@ -627,70 +721,111 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
 /*-
  * Application policy checking function.
  * Return codes:
- *  X509_PCY_TREE_FAILURE:  Failure to satisfy explicit policy
- *  X509_PCY_TREE_INVALID:  Inconsistent or invalid extensions
- *  X509_PCY_TREE_INTERNAL: Internal error, most likely malloc
- *  X509_PCY_TREE_VALID:    Success (null tree if empty or bare TA)
+ *  0   Internal Error.
+ *  1   Successful.
+ * -1   One or more certificates contain invalid or inconsistent extensions
+ * -2   User constrained policy set empty and requireExplicit true.
  */
+
 int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
                       STACK_OF(X509) *certs,
                       STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags)
 {
-    int init_ret;
     int ret;
     X509_POLICY_TREE *tree = NULL;
     STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
-
     *ptree = NULL;
+
     *pexplicit_policy = 0;
-    init_ret = tree_init(&tree, certs, flags);
+    ret = tree_init(&tree, certs, flags);
 
-    if (init_ret <= 0)
-        return init_ret;
+    switch (ret) {
 
-    if ((init_ret & X509_PCY_TREE_EXPLICIT) == 0) {
-        if (init_ret & X509_PCY_TREE_EMPTY) {
-            X509_policy_tree_free(tree);
-            return X509_PCY_TREE_VALID;
-        }
-    } else {
+        /* Tree empty requireExplicit False: OK */
+    case 2:
+        return 1;
+
+        /* Some internal error */
+    case -1:
+        return -1;
+
+        /* Some internal error */
+    case 0:
+        return 0;
+
+        /* Tree empty requireExplicit True: Error */
+
+    case 6:
         *pexplicit_policy = 1;
-        /* Tree empty and requireExplicit True: Error */
-        if (init_ret & X509_PCY_TREE_EMPTY)
-            return X509_PCY_TREE_FAILURE;
+        return -2;
+
+        /* Tree OK requireExplicit True: OK and continue */
+    case 5:
+        *pexplicit_policy = 1;
+        break;
+
+        /* Tree OK: continue */
+
+    case 1:
+        if (!tree)
+            /*
+             * tree_init() returns success and a null tree
+             * if it's just looking at a trust anchor.
+             * I'm not sure that returning success here is
+             * correct, but I'm sure that reporting this
+             * as an internal error which our caller
+             * interprets as a malloc failure is wrong.
+             */
+            return 1;
+        break;
     }
 
+    if (!tree)
+        goto error;
     ret = tree_evaluate(tree);
-#ifdef OPENSSL_POLICY_DEBUG
+
     tree_print("tree_evaluate()", tree, NULL);
-#endif
+
     if (ret <= 0)
         goto error;
 
-    if (ret == X509_PCY_TREE_EMPTY) {
+    /* Return value 2 means tree empty */
+    if (ret == 2) {
         X509_policy_tree_free(tree);
-        if (init_ret & X509_PCY_TREE_EXPLICIT)
-            return X509_PCY_TREE_FAILURE;
-        return X509_PCY_TREE_VALID;
+        if (*pexplicit_policy)
+            return -2;
+        else
+            return 1;
     }
 
     /* Tree is not empty: continue */
-    if ((ret = tree_calculate_authority_set(tree, &auth_nodes)) == 0 ||
-        !tree_calculate_user_set(tree, policy_oids, auth_nodes))
+
+    ret = tree_calculate_authority_set(tree, &auth_nodes);
+
+    if (!ret)
         goto error;
-    if (ret == TREE_CALC_OK_DOFREE)
+
+    if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
+        goto error;
+
+    if (ret == 2)
         sk_X509_POLICY_NODE_free(auth_nodes);
 
-    *ptree = tree;
+    if (tree)
+        *ptree = tree;
 
-    if (init_ret & X509_PCY_TREE_EXPLICIT) {
+    if (*pexplicit_policy) {
         nodes = X509_policy_tree_get0_user_policies(tree);
         if (sk_X509_POLICY_NODE_num(nodes) <= 0)
-            return X509_PCY_TREE_FAILURE;
+            return -2;
     }
-    return X509_PCY_TREE_VALID;
+
+    return 1;
 
  error:
+
     X509_policy_tree_free(tree);
-    return X509_PCY_TREE_INTERNAL;
+
+    return 0;
+
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c
index ef1d775a..1290dec9 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c
@@ -1,10 +1,58 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Contributed to the OpenSSL Project by the American Registry for
+ * Internet Numbers ("ARIN").
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  */
 
 /*
@@ -14,14 +62,12 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
-#include "ext_dat.h"
 
 #ifndef OPENSSL_NO_RFC3779
 
@@ -52,7 +98,7 @@ ASN1_SEQUENCE(IPAddressFamily) = {
 ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
   ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
                         IPAddrBlocks, IPAddressFamily)
-static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
+ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
 
 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
@@ -62,7 +108,7 @@ IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
 /*
  * How much buffer space do we need for a raw address?
  */
-#define ADDR_RAW_BUF_LEN        16
+# define ADDR_RAW_BUF_LEN        16
 
 /*
  * What's the address length associated with this AFI?
@@ -82,7 +128,7 @@ static int length_from_afi(const unsigned afi)
 /*
  * Extract the AFI from an IPAddressFamily.
  */
-unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
+unsigned int v3_addr_get_afi(const IPAddressFamily *f)
 {
     return ((f != NULL &&
              f->addressFamily != NULL && f->addressFamily->data != NULL)
@@ -117,7 +163,7 @@ static int addr_expand(unsigned char *addr,
 /*
  * Extract the prefix length from a bitstring.
  */
-#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
+# define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
 
 /*
  * i2r handler for one address bitstring.
@@ -200,7 +246,7 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
     int i;
     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
         IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
-        const unsigned int afi = X509v3_addr_get_afi(f);
+        const unsigned int afi = v3_addr_get_afi(f);
         switch (afi) {
         case IANA_AFI_IPV4:
             BIO_printf(out, "%*sIPv4", indent, "");
@@ -312,7 +358,7 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
 
 /*
  * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
- * comparison routines are only allowed two arguments.
+ * comparision routines are only allowed two arguments.
  */
 static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
                                   const IPAddressOrRange *const *b)
@@ -322,7 +368,7 @@ static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
 
 /*
  * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
- * comparison routines are only allowed two arguments.
+ * comparision routines are only allowed two arguments.
  */
 static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
                                   const IPAddressOrRange *const *b)
@@ -482,7 +528,7 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
 {
     IPAddressFamily *f;
     unsigned char key[3];
-    int keylen;
+    unsigned keylen;
     int i;
 
     key[0] = (afi >> 8) & 0xFF;
@@ -525,8 +571,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
 /*
  * Add an inheritance element.
  */
-int X509v3_addr_add_inherit(IPAddrBlocks *addr,
-                            const unsigned afi, const unsigned *safi)
+int v3_addr_add_inherit(IPAddrBlocks *addr,
+                        const unsigned afi, const unsigned *safi)
 {
     IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
     if (f == NULL ||
@@ -581,10 +627,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
 /*
  * Add a prefix.
  */
-int X509v3_addr_add_prefix(IPAddrBlocks *addr,
-                           const unsigned afi,
-                           const unsigned *safi,
-                           unsigned char *a, const int prefixlen)
+int v3_addr_add_prefix(IPAddrBlocks *addr,
+                       const unsigned afi,
+                       const unsigned *safi,
+                       unsigned char *a, const int prefixlen)
 {
     IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
     IPAddressOrRange *aor;
@@ -599,10 +645,10 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr,
 /*
  * Add a range.
  */
-int X509v3_addr_add_range(IPAddrBlocks *addr,
-                          const unsigned afi,
-                          const unsigned *safi,
-                          unsigned char *min, unsigned char *max)
+int v3_addr_add_range(IPAddrBlocks *addr,
+                      const unsigned afi,
+                      const unsigned *safi,
+                      unsigned char *min, unsigned char *max)
 {
     IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
     IPAddressOrRange *aor;
@@ -639,10 +685,10 @@ static int extract_min_max(IPAddressOrRange *aor,
 /*
  * Public wrapper for extract_min_max().
  */
-int X509v3_addr_get_range(IPAddressOrRange *aor,
-                          const unsigned afi,
-                          unsigned char *min,
-                          unsigned char *max, const int length)
+int v3_addr_get_range(IPAddressOrRange *aor,
+                      const unsigned afi,
+                      unsigned char *min,
+                      unsigned char *max, const int length)
 {
     int afi_length = length_from_afi(afi);
     if (aor == NULL || min == NULL || max == NULL ||
@@ -656,7 +702,7 @@ int X509v3_addr_get_range(IPAddressOrRange *aor,
 }
 
 /*
- * Sort comparison function for a sequence of IPAddressFamily.
+ * Sort comparision function for a sequence of IPAddressFamily.
  *
  * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
  * the ordering: I can read it as meaning that IPv6 without a SAFI
@@ -678,7 +724,7 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
 /*
  * Check whether an IPAddrBLocks is in canonical form.
  */
-int X509v3_addr_is_canonical(IPAddrBlocks *addr)
+int v3_addr_is_canonical(IPAddrBlocks *addr)
 {
     unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
     unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
@@ -686,7 +732,7 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr)
     int i, j, k;
 
     /*
-     * Empty extension is canonical.
+     * Empty extension is cannonical.
      */
     if (addr == NULL)
         return 1;
@@ -706,7 +752,7 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr)
      */
     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
         IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
-        int length = length_from_afi(X509v3_addr_get_afi(f));
+        int length = length_from_afi(v3_addr_get_afi(f));
 
         /*
          * Inheritance is canonical.  Anything other than inheritance or
@@ -849,8 +895,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
         IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
         if (a != NULL && a->type == IPAddressOrRange_addressRange) {
             unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
-            if (!extract_min_max(a, a_min, a_max, length))
-                return 0;
+            extract_min_max(a, a_min, a_max, length);
             if (memcmp(a_min, a_max, length) > 0)
                 return 0;
         }
@@ -862,7 +907,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
 /*
  * Whack an IPAddrBlocks extension into canonical form.
  */
-int X509v3_addr_canonize(IPAddrBlocks *addr)
+int v3_addr_canonize(IPAddrBlocks *addr)
 {
     int i;
     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
@@ -870,12 +915,12 @@ int X509v3_addr_canonize(IPAddrBlocks *addr)
         if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
             !IPAddressOrRanges_canonize(f->ipAddressChoice->
                                         u.addressesOrRanges,
-                                        X509v3_addr_get_afi(f)))
+                                        v3_addr_get_afi(f)))
             return 0;
     }
     (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
     sk_IPAddressFamily_sort(addr);
-    OPENSSL_assert(X509v3_addr_is_canonical(addr));
+    OPENSSL_assert(v3_addr_is_canonical(addr));
     return 1;
 }
 
@@ -901,7 +946,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
         CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
         unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
         unsigned afi, *safi = NULL, safi_;
-        const char *addr_chars = NULL;
+        const char *addr_chars;
         int prefixlen, i1, i2, delim, length;
 
         if (!name_cmp(val->name, "IPv4")) {
@@ -933,7 +978,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
         length = length_from_afi(afi);
 
         /*
-         * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
+         * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
          * the other input values.
          */
         if (safi != NULL) {
@@ -945,9 +990,9 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
                 goto err;
             }
             t += strspn(t, " \t");
-            s = OPENSSL_strdup(t);
+            s = BUF_strdup(t);
         } else {
-            s = OPENSSL_strdup(val->value);
+            s = BUF_strdup(val->value);
         }
         if (s == NULL) {
             X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
@@ -958,8 +1003,8 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
          * Check for inheritance.  Not worth additional complexity to
          * optimize this (seldom-used) case.
          */
-        if (strcmp(s, "inherit") == 0) {
-            if (!X509v3_addr_add_inherit(addr, afi, safi)) {
+        if (!strcmp(s, "inherit")) {
+            if (!v3_addr_add_inherit(addr, afi, safi)) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_INVALID_INHERITANCE);
                 X509V3_conf_err(val);
@@ -990,7 +1035,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
                 X509V3_conf_err(val);
                 goto err;
             }
-            if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
+            if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
@@ -1016,13 +1061,13 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
                 X509V3_conf_err(val);
                 goto err;
             }
-            if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
+            if (!v3_addr_add_range(addr, afi, safi, min, max)) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
             break;
         case '\0':
-            if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
+            if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
@@ -1041,7 +1086,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
     /*
      * Canonize the result, then we're done.
      */
-    if (!X509v3_addr_canonize(addr))
+    if (!v3_addr_canonize(addr))
         goto err;
     return addr;
 
@@ -1071,7 +1116,7 @@ const X509V3_EXT_METHOD v3_addr = {
 /*
  * Figure out whether extension sues inheritance.
  */
-int X509v3_addr_inherits(IPAddrBlocks *addr)
+int v3_addr_inherits(IPAddrBlocks *addr)
 {
     int i;
     if (addr == NULL)
@@ -1124,12 +1169,12 @@ static int addr_contains(IPAddressOrRanges *parent,
 /*
  * Test whether a is a subset of b.
  */
-int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
 {
     int i;
     if (a == NULL || a == b)
         return 1;
-    if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
+    if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
         return 0;
     (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
     for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
@@ -1141,7 +1186,7 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
             return 0;
         if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
                            fa->ipAddressChoice->u.addressesOrRanges,
-                           length_from_afi(X509v3_addr_get_afi(fb))))
+                           length_from_afi(v3_addr_get_afi(fb))))
             return 0;
     }
     return 1;
@@ -1150,7 +1195,7 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
 /*
  * Validation error handling via callback.
  */
-#define validation_err(_err_)           \
+# define validation_err(_err_)           \
   do {                                  \
     if (ctx != NULL) {                  \
       ctx->error = _err_;               \
@@ -1172,9 +1217,9 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
  * When returning 0, ctx->error MUST be set to an appropriate value other than
  * X509_V_OK.
  */
-static int addr_validate_path_internal(X509_STORE_CTX *ctx,
-                                       STACK_OF(X509) *chain,
-                                       IPAddrBlocks *ext)
+static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
+                                          STACK_OF(X509) *chain,
+                                          IPAddrBlocks *ext)
 {
     IPAddrBlocks *child = NULL;
     int i, j, ret = 1;
@@ -1199,11 +1244,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
         if ((ext = x->rfc3779_addr) == NULL)
             goto done;
     }
-    if (!X509v3_addr_is_canonical(ext))
+    if (!v3_addr_is_canonical(ext))
         validation_err(X509_V_ERR_INVALID_EXTENSION);
     (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
     if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
-        X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,
+        X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
                   ERR_R_MALLOC_FAILURE);
         ctx->error = X509_V_ERR_OUT_OF_MEM;
         ret = 0;
@@ -1217,7 +1262,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
     for (i++; i < sk_X509_num(chain); i++) {
         x = sk_X509_value(chain, i);
         OPENSSL_assert(x != NULL);
-        if (!X509v3_addr_is_canonical(x->rfc3779_addr))
+        if (!v3_addr_is_canonical(x->rfc3779_addr))
             validation_err(X509_V_ERR_INVALID_EXTENSION);
         if (x->rfc3779_addr == NULL) {
             for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
@@ -1249,7 +1294,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
                 if (fc->ipAddressChoice->type == IPAddressChoice_inherit
                     || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
                                      fc->ipAddressChoice->u.addressesOrRanges,
-                                     length_from_afi(X509v3_addr_get_afi(fc))))
+                                     length_from_afi(v3_addr_get_afi(fc))))
                     sk_IPAddressFamily_set(child, j, fp);
                 else
                     validation_err(X509_V_ERR_UNNESTED_RESOURCE);
@@ -1276,30 +1321,30 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
     return ret;
 }
 
-#undef validation_err
+# undef validation_err
 
 /*
  * RFC 3779 2.3 path validation -- called from X509_verify_cert().
  */
-int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
+int v3_addr_validate_path(X509_STORE_CTX *ctx)
 {
-    return addr_validate_path_internal(ctx, ctx->chain, NULL);
+    return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
 }
 
 /*
  * RFC 3779 2.3 path validation of an extension.
  * Test whether chain covers extension.
  */
-int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
                                   IPAddrBlocks *ext, int allow_inheritance)
 {
     if (ext == NULL)
         return 1;
     if (chain == NULL || sk_X509_num(chain) == 0)
         return 0;
-    if (!allow_inheritance && X509v3_addr_inherits(ext))
+    if (!allow_inheritance && v3_addr_inherits(ext))
         return 0;
-    return addr_validate_path_internal(NULL, chain, ext);
+    return v3_addr_validate_path_internal(NULL, chain, ext);
 }
 
 #endif                          /* OPENSSL_NO_RFC3779 */
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c
index d9f77043..e920270e 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_akey.c
@@ -1,19 +1,68 @@
+/* v3_akey.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                                  AUTHORITY_KEYID *akeyid,
@@ -41,14 +90,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 {
     char *tmp;
     if (akeyid->keyid) {
-        tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);
+        tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
         X509V3_add_value("keyid", tmp, &extlist);
         OPENSSL_free(tmp);
     }
     if (akeyid->issuer)
         extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
     if (akeyid->serial) {
-        tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);
+        tmp = hex_to_string(akeyid->serial->data, akeyid->serial->length);
         X509V3_add_value("serial", tmp, &extlist);
         OPENSSL_free(tmp);
     }
@@ -82,13 +131,13 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 
     for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
         cnf = sk_CONF_VALUE_value(values, i);
-        if (strcmp(cnf->name, "keyid") == 0) {
+        if (!strcmp(cnf->name, "keyid")) {
             keyid = 1;
-            if (cnf->value && strcmp(cnf->value, "always") == 0)
+            if (cnf->value && !strcmp(cnf->value, "always"))
                 keyid = 2;
-        } else if (strcmp(cnf->name, "issuer") == 0) {
+        } else if (!strcmp(cnf->name, "issuer")) {
             issuer = 1;
-            if (cnf->value && strcmp(cnf->value, "always") == 0)
+            if (cnf->value && !strcmp(cnf->value, "always"))
                 issuer = 2;
         } else {
             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, X509V3_R_UNKNOWN_OPTION);
@@ -120,7 +169,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 
     if ((issuer && !ikeyid) || (issuer == 2)) {
         isname = X509_NAME_dup(X509_get_issuer_name(cert));
-        serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+        serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(cert));
         if (!isname || !serial) {
             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,
                       X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
@@ -128,12 +177,12 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
         }
     }
 
-    if ((akeyid = AUTHORITY_KEYID_new()) == NULL)
+    if (!(akeyid = AUTHORITY_KEYID_new()))
         goto err;
 
     if (isname) {
-        if ((gens = sk_GENERAL_NAME_new_null()) == NULL
-            || (gen = GENERAL_NAME_new()) == NULL
+        if (!(gens = sk_GENERAL_NAME_new_null())
+            || !(gen = GENERAL_NAME_new())
             || !sk_GENERAL_NAME_push(gens, gen)) {
             X509V3err(X509V3_F_V2I_AUTHORITY_KEYID, ERR_R_MALLOC_FAILURE);
             goto err;
@@ -143,18 +192,14 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
     }
 
     akeyid->issuer = gens;
-    gen = NULL;
-    gens = NULL;
     akeyid->serial = serial;
     akeyid->keyid = ikeyid;
 
     return akeyid;
 
  err:
-    sk_GENERAL_NAME_free(gens);
-    GENERAL_NAME_free(gen);
     X509_NAME_free(isname);
-    ASN1_INTEGER_free(serial);
-    ASN1_OCTET_STRING_free(ikeyid);
+    M_ASN1_INTEGER_free(serial);
+    M_ASN1_OCTET_STRING_free(ikeyid);
     return NULL;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c
index d6dd6bcb..2cc85b76 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_akeya.c
@@ -1,14 +1,64 @@
+/* v3_akey_asn1.c */
 /*
- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c
index 0364e336..7f1e71dd 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_alt.c
@@ -1,17 +1,66 @@
+/* v3_alt.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
                                       X509V3_CTX *ctx,
@@ -21,10 +70,10 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
                                      STACK_OF(CONF_VALUE) *nval);
 static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
 static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
-static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
-static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
+static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
 
-const X509V3_EXT_METHOD v3_alt[3] = {
+const X509V3_EXT_METHOD v3_alt[] = {
     {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
      0, 0, 0, 0,
      0, 0,
@@ -158,7 +207,7 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
         break;
 
     case GEN_DIRNAME:
-        BIO_printf(out, "DirName:");
+        BIO_printf(out, "DirName: ");
         X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
         break;
 
@@ -180,7 +229,7 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
         break;
 
     case GEN_RID:
-        BIO_printf(out, "Registered ID:");
+        BIO_printf(out, "Registered ID");
         i2a_ASN1_OBJECT(out, gen->d.rid);
         break;
     }
@@ -194,20 +243,19 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
     GENERAL_NAMES *gens = NULL;
     CONF_VALUE *cnf;
     int i;
-
-    if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
+    if (!(gens = sk_GENERAL_NAME_new_null())) {
         X509V3err(X509V3_F_V2I_ISSUER_ALT, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if (!name_cmp(cnf->name, "issuer")
-            && cnf->value && strcmp(cnf->value, "copy") == 0) {
+        if (!name_cmp(cnf->name, "issuer") && cnf->value &&
+            !strcmp(cnf->value, "copy")) {
             if (!copy_issuer(ctx, gens))
                 goto err;
         } else {
             GENERAL_NAME *gen;
-            if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
+            if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
                 goto err;
             sk_GENERAL_NAME_push(gens, gen);
         }
@@ -226,7 +274,6 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
     GENERAL_NAME *gen;
     X509_EXTENSION *ext;
     int i;
-
     if (ctx && (ctx->flags == CTX_TEST))
         return 1;
     if (!ctx || !ctx->issuer_cert) {
@@ -236,8 +283,8 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
     i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
     if (i < 0)
         return 1;
-    if ((ext = X509_get_ext(ctx->issuer_cert, i)) == NULL
-        || (ialt = X509V3_EXT_d2i(ext)) == NULL) {
+    if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
+        !(ialt = X509V3_EXT_d2i(ext))) {
         X509V3err(X509V3_F_COPY_ISSUER, X509V3_R_ISSUER_DECODE_ERROR);
         goto err;
     }
@@ -265,24 +312,23 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
     GENERAL_NAMES *gens = NULL;
     CONF_VALUE *cnf;
     int i;
-
-    if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
+    if (!(gens = sk_GENERAL_NAME_new_null())) {
         X509V3err(X509V3_F_V2I_SUBJECT_ALT, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if (!name_cmp(cnf->name, "email")
-            && cnf->value && strcmp(cnf->value, "copy") == 0) {
+        if (!name_cmp(cnf->name, "email") && cnf->value &&
+            !strcmp(cnf->value, "copy")) {
             if (!copy_email(ctx, gens, 0))
                 goto err;
-        } else if (!name_cmp(cnf->name, "email")
-                   && cnf->value && strcmp(cnf->value, "move") == 0) {
+        } else if (!name_cmp(cnf->name, "email") && cnf->value &&
+                   !strcmp(cnf->value, "move")) {
             if (!copy_email(ctx, gens, 1))
                 goto err;
         } else {
             GENERAL_NAME *gen;
-            if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
+            if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
                 goto err;
             sk_GENERAL_NAME_push(gens, gen);
         }
@@ -321,13 +367,13 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
     while ((i = X509_NAME_get_index_by_NID(nm,
                                            NID_pkcs9_emailAddress, i)) >= 0) {
         ne = X509_NAME_get_entry(nm, i);
-        email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
+        email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
         if (move_p) {
             X509_NAME_delete_entry(nm, i);
             X509_NAME_ENTRY_free(ne);
             i--;
         }
-        if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
+        if (!email || !(gen = GENERAL_NAME_new())) {
             X509V3err(X509V3_F_COPY_EMAIL, ERR_R_MALLOC_FAILURE);
             goto err;
         }
@@ -345,7 +391,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
 
  err:
     GENERAL_NAME_free(gen);
-    ASN1_IA5STRING_free(email);
+    M_ASN1_IA5STRING_free(email);
     return 0;
 
 }
@@ -357,14 +403,13 @@ GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
     GENERAL_NAMES *gens = NULL;
     CONF_VALUE *cnf;
     int i;
-
-    if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
+    if (!(gens = sk_GENERAL_NAME_new_null())) {
         X509V3err(X509V3_F_V2I_GENERAL_NAMES, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
+        if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
             goto err;
         sk_GENERAL_NAME_push(gens, gen);
     }
@@ -382,7 +427,7 @@ GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
 
 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
                                const X509V3_EXT_METHOD *method,
-                               X509V3_CTX *ctx, int gen_type, const char *value,
+                               X509V3_CTX *ctx, int gen_type, char *value,
                                int is_nc)
 {
     char is_string = 0;
@@ -413,7 +458,7 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
     case GEN_RID:
         {
             ASN1_OBJECT *obj;
-            if ((obj = OBJ_txt2obj(value, 0)) == NULL) {
+            if (!(obj = OBJ_txt2obj(value, 0))) {
                 X509V3err(X509V3_F_A2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
                 ERR_add_error_data(2, "value=", value);
                 goto err;
@@ -453,7 +498,7 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
     }
 
     if (is_string) {
-        if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
+        if (!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
             !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
                              strlen(value))) {
             X509V3err(X509V3_F_A2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
@@ -511,26 +556,27 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
 
 }
 
-static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
+static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
 {
     char *objtmp = NULL, *p;
     int objlen;
-
-    if ((p = strchr(value, ';')) == NULL)
+    if (!(p = strchr(value, ';')))
         return 0;
-    if ((gen->d.otherName = OTHERNAME_new()) == NULL)
+    if (!(gen->d.otherName = OTHERNAME_new()))
         return 0;
     /*
      * Free this up because we will overwrite it. no need to free type_id
      * because it is static
      */
     ASN1_TYPE_free(gen->d.otherName->value);
-    if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
+    if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
         return 0;
     objlen = p - value;
-    objtmp = OPENSSL_strndup(value, objlen);
+    objtmp = OPENSSL_malloc(objlen + 1);
     if (objtmp == NULL)
         return 0;
+    strncpy(objtmp, value, objlen);
+    objtmp[objlen] = 0;
     gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
     OPENSSL_free(objtmp);
     if (!gen->d.otherName->type_id)
@@ -538,13 +584,12 @@ static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
     return 1;
 }
 
-static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
+static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
 {
     int ret = 0;
     STACK_OF(CONF_VALUE) *sk = NULL;
-    X509_NAME *nm;
-
-    if ((nm = X509_NAME_new()) == NULL)
+    X509_NAME *nm = NULL;
+    if (!(nm = X509_NAME_new()))
         goto err;
     sk = X509V3_get_section(ctx, value);
     if (!sk) {
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c
index af4fcf4c..2a32c9d0 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_asid.c
@@ -1,10 +1,58 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Contributed to the OpenSSL Project by the American Registry for
+ * Internet Numbers ("ARIN").
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  */
 
 /*
@@ -13,15 +61,13 @@
 
 #include <stdio.h>
 #include <string.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/bn.h>
-#include "ext_dat.h"
 
 #ifndef OPENSSL_NO_RFC3779
 
@@ -116,7 +162,7 @@ static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method,
 }
 
 /*
- * Sort comparison function for a sequence of ASIdOrRange elements.
+ * Sort comparision function for a sequence of ASIdOrRange elements.
  */
 static int ASIdOrRange_cmp(const ASIdOrRange *const *a_,
                            const ASIdOrRange *const *b_)
@@ -149,7 +195,7 @@ static int ASIdOrRange_cmp(const ASIdOrRange *const *a_,
 /*
  * Add an inherit element.
  */
-int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
+int v3_asid_add_inherit(ASIdentifiers *asid, int which)
 {
     ASIdentifierChoice **choice;
     if (asid == NULL)
@@ -178,8 +224,8 @@ int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
 /*
  * Add an ID or range to an ASIdentifierChoice.
  */
-int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
-                                int which, ASN1_INTEGER *min, ASN1_INTEGER *max)
+int v3_asid_add_id_or_range(ASIdentifiers *asid,
+                            int which, ASN1_INTEGER *min, ASN1_INTEGER *max)
 {
     ASIdentifierChoice **choice;
     ASIdOrRange *aor;
@@ -276,8 +322,7 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
     for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
         ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
         ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
-        ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
-            NULL;
+        ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
 
         extract_min_max(a, &a_min, &a_max);
         extract_min_max(b, &b_min, &b_max);
@@ -335,7 +380,7 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
 /*
  * Check whether an ASIdentifier extension is in canonical form.
  */
-int X509v3_asid_is_canonical(ASIdentifiers *asid)
+int v3_asid_is_canonical(ASIdentifiers *asid)
 {
     return (asid == NULL ||
             (ASIdentifierChoice_is_canonical(asid->asnum) &&
@@ -379,8 +424,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
     for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
         ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
         ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
-        ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
-            NULL;
+        ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
 
         extract_min_max(a, &a_min, &a_max);
         extract_min_max(b, &b_min, &b_max);
@@ -426,7 +470,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
             ASRange *r;
             switch (a->type) {
             case ASIdOrRange_id:
-                if ((r = OPENSSL_malloc(sizeof(*r))) == NULL) {
+                if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) {
                     X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
                               ERR_R_MALLOC_FAILURE);
                     goto done;
@@ -483,7 +527,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
 /*
  * Whack an ASIdentifier extension into canonical form.
  */
-int X509v3_asid_canonize(ASIdentifiers *asid)
+int v3_asid_canonize(ASIdentifiers *asid)
 {
     return (asid == NULL ||
             (ASIdentifierChoice_canonize(asid->asnum) &&
@@ -508,7 +552,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
 
     for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
         CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
-        int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
+        int i1, i2, i3, is_range, which;
 
         /*
          * Figure out whether this is an AS or an RDI.
@@ -527,8 +571,8 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
         /*
          * Handle inheritance.
          */
-        if (strcmp(val->value, "inherit") == 0) {
-            if (X509v3_asid_add_inherit(asid, which))
+        if (!strcmp(val->value, "inherit")) {
+            if (v3_asid_add_inherit(asid, which))
                 continue;
             X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
                       X509V3_R_INVALID_INHERITANCE);
@@ -571,7 +615,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
                 goto err;
             }
         } else {
-            char *s = OPENSSL_strdup(val->value);
+            char *s = BUF_strdup(val->value);
             if (s == NULL) {
                 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
                 goto err;
@@ -590,7 +634,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
                 goto err;
             }
         }
-        if (!X509v3_asid_add_id_or_range(asid, which, min, max)) {
+        if (!v3_asid_add_id_or_range(asid, which, min, max)) {
             X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
             goto err;
         }
@@ -600,7 +644,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
     /*
      * Canonize the result, then we're done.
      */
-    if (!X509v3_asid_canonize(asid))
+    if (!v3_asid_canonize(asid))
         goto err;
     return asid;
 
@@ -631,7 +675,7 @@ const X509V3_EXT_METHOD v3_asid = {
 /*
  * Figure out whether extension uses inheritance.
  */
-int X509v3_asid_inherits(ASIdentifiers *asid)
+int v3_asid_inherits(ASIdentifiers *asid)
 {
     return (asid != NULL &&
             ((asid->asnum != NULL &&
@@ -645,7 +689,7 @@ int X509v3_asid_inherits(ASIdentifiers *asid)
  */
 static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
 {
-    ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL;
+    ASN1_INTEGER *p_min, *p_max, *c_min, *c_max;
     int p, c;
 
     if (child == NULL || parent == child)
@@ -672,15 +716,15 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
 }
 
 /*
- * Test whether a is a subset of b.
+ * Test whether a is a subet of b.
  */
-int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
+int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
 {
     return (a == NULL ||
             a == b ||
             (b != NULL &&
-             !X509v3_asid_inherits(a) &&
-             !X509v3_asid_inherits(b) &&
+             !v3_asid_inherits(a) &&
+             !v3_asid_inherits(b) &&
              asid_contains(b->asnum->u.asIdsOrRanges,
                            a->asnum->u.asIdsOrRanges) &&
              asid_contains(b->rdi->u.asIdsOrRanges,
@@ -690,7 +734,7 @@ int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
 /*
  * Validation error handling via callback.
  */
-#define validation_err(_err_)           \
+# define validation_err(_err_)           \
   do {                                  \
     if (ctx != NULL) {                  \
       ctx->error = _err_;               \
@@ -707,9 +751,9 @@ int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
 /*
  * Core code for RFC 3779 3.3 path validation.
  */
-static int asid_validate_path_internal(X509_STORE_CTX *ctx,
-                                       STACK_OF(X509) *chain,
-                                       ASIdentifiers *ext)
+static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
+                                          STACK_OF(X509) *chain,
+                                          ASIdentifiers *ext)
 {
     ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
     int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
@@ -734,7 +778,7 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
         if ((ext = x->rfc3779_asid) == NULL)
             goto done;
     }
-    if (!X509v3_asid_is_canonical(ext))
+    if (!v3_asid_is_canonical(ext))
         validation_err(X509_V_ERR_INVALID_EXTENSION);
     if (ext->asnum != NULL) {
         switch (ext->asnum->type) {
@@ -769,7 +813,7 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
                 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
             continue;
         }
-        if (!X509v3_asid_is_canonical(x->rfc3779_asid))
+        if (!v3_asid_is_canonical(x->rfc3779_asid))
             validation_err(X509_V_ERR_INVALID_EXTENSION);
         if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
             validation_err(X509_V_ERR_UNNESTED_RESOURCE);
@@ -823,30 +867,30 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
     return ret;
 }
 
-#undef validation_err
+# undef validation_err
 
 /*
  * RFC 3779 3.3 path validation -- called from X509_verify_cert().
  */
-int X509v3_asid_validate_path(X509_STORE_CTX *ctx)
+int v3_asid_validate_path(X509_STORE_CTX *ctx)
 {
-    return asid_validate_path_internal(ctx, ctx->chain, NULL);
+    return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
 }
 
 /*
  * RFC 3779 3.3 path validation of an extension.
  * Test whether chain covers extension.
  */
-int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
-                                      ASIdentifiers *ext, int allow_inheritance)
+int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
+                                  ASIdentifiers *ext, int allow_inheritance)
 {
     if (ext == NULL)
         return 1;
     if (chain == NULL || sk_X509_num(chain) == 0)
         return 0;
-    if (!allow_inheritance && X509v3_asid_inherits(ext))
+    if (!allow_inheritance && v3_asid_inherits(ext))
         return 0;
-    return asid_validate_path_internal(NULL, chain, ext);
+    return v3_asid_validate_path_internal(NULL, chain, ext);
 }
 
 #endif                          /* OPENSSL_NO_RFC3779 */
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c
index 3bbf1555..dc00b9cb 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_bcons.c
@@ -1,19 +1,68 @@
+/* v3_bcons.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
                                                    BASIC_CONSTRAINTS *bcons,
@@ -58,17 +107,16 @@ static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
     BASIC_CONSTRAINTS *bcons = NULL;
     CONF_VALUE *val;
     int i;
-
-    if ((bcons = BASIC_CONSTRAINTS_new()) == NULL) {
+    if (!(bcons = BASIC_CONSTRAINTS_new())) {
         X509V3err(X509V3_F_V2I_BASIC_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
         val = sk_CONF_VALUE_value(values, i);
-        if (strcmp(val->name, "CA") == 0) {
+        if (!strcmp(val->name, "CA")) {
             if (!X509V3_get_value_bool(val, &bcons->ca))
                 goto err;
-        } else if (strcmp(val->name, "pathlen") == 0) {
+        } else if (!strcmp(val->name, "pathlen")) {
             if (!X509V3_get_value_int(val, &bcons->pathlen))
                 goto err;
         } else {
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c
index 4802116b..b7bb3b55 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_bitst.c
@@ -1,17 +1,66 @@
+/* v3_bitst.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static BIT_STRING_BITNAME ns_cert_type_table[] = {
     {0, "SSL Client", "client"},
@@ -63,19 +112,19 @@ ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
     ASN1_BIT_STRING *bs;
     int i;
     BIT_STRING_BITNAME *bnam;
-    if ((bs = ASN1_BIT_STRING_new()) == NULL) {
+    if (!(bs = M_ASN1_BIT_STRING_new())) {
         X509V3err(X509V3_F_V2I_ASN1_BIT_STRING, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         val = sk_CONF_VALUE_value(nval, i);
         for (bnam = method->usr_data; bnam->lname; bnam++) {
-            if (strcmp(bnam->sname, val->name) == 0
-                || strcmp(bnam->lname, val->name) == 0) {
+            if (!strcmp(bnam->sname, val->name) ||
+                !strcmp(bnam->lname, val->name)) {
                 if (!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
                     X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
                               ERR_R_MALLOC_FAILURE);
-                    ASN1_BIT_STRING_free(bs);
+                    M_ASN1_BIT_STRING_free(bs);
                     return NULL;
                 }
                 break;
@@ -85,7 +134,7 @@ ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
             X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
                       X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
             X509V3_conf_err(val);
-            ASN1_BIT_STRING_free(bs);
+            M_ASN1_BIT_STRING_free(bs);
             return NULL;
         }
     }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c
index f625ff54..c1b4c1a8 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_conf.c
@@ -1,40 +1,88 @@
+/* v3_conf.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 /* extension creation utilities */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509.h>
-#include "internal/x509_int.h"
 #include <openssl/x509v3.h>
 
-static int v3_check_critical(const char **value);
-static int v3_check_generic(const char **value);
+static int v3_check_critical(char **value);
+static int v3_check_generic(char **value);
 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-                                    int crit, const char *value);
-static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
+                                    int crit, char *value);
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
                                             int crit, int type,
                                             X509V3_CTX *ctx);
-static char *conf_lhash_get_string(void *db, const char *section, const char *value);
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, const char *section);
+static char *conf_lhash_get_string(void *db, char *section, char *value);
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
                                   int ext_nid, int crit, void *ext_struc);
-static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
+static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
                                    long *ext_len);
 /* CONF *conf:  Config file    */
 /* char *name:  Name    */
 /* char *value:  Value    */
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
-                                 const char *value)
+X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
+                                 char *value)
 {
     int crit;
     int ext_type;
@@ -53,7 +101,7 @@ X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
 /* CONF *conf:  Config file    */
 /* char *value:  Value    */
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-                                     const char *value)
+                                     char *value)
 {
     int crit;
     int ext_type;
@@ -67,18 +115,17 @@ X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 /* CONF *conf:  Config file    */
 /* char *value:  Value    */
 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-                                    int crit, const char *value)
+                                    int crit, char *value)
 {
     const X509V3_EXT_METHOD *method;
     X509_EXTENSION *ext;
     STACK_OF(CONF_VALUE) *nval;
     void *ext_struc;
-
     if (ext_nid == NID_undef) {
         X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION_NAME);
         return NULL;
     }
-    if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
+    if (!(method = X509V3_EXT_get_nid(ext_nid))) {
         X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_UNKNOWN_EXTENSION);
         return NULL;
     }
@@ -94,7 +141,7 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
             ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=",
                                value);
             if (*value != '@')
-                sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+                sk_CONF_VALUE_free(nval);
             return NULL;
         }
         ext_struc = method->v2i(method, ctx, nval);
@@ -103,14 +150,14 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
         if (!ext_struc)
             return NULL;
     } else if (method->s2i) {
-        if ((ext_struc = method->s2i(method, ctx, value)) == NULL)
+        if (!(ext_struc = method->s2i(method, ctx, value)))
             return NULL;
     } else if (method->r2i) {
         if (!ctx->db || !ctx->db_meth) {
             X509V3err(X509V3_F_DO_EXT_NCONF, X509V3_R_NO_CONFIG_DATABASE);
             return NULL;
         }
-        if ((ext_struc = method->r2i(method, ctx, value)) == NULL)
+        if (!(ext_struc = method->r2i(method, ctx, value)))
             return NULL;
     } else {
         X509V3err(X509V3_F_DO_EXT_NCONF,
@@ -131,9 +178,9 @@ static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
                                   int ext_nid, int crit, void *ext_struc)
 {
-    unsigned char *ext_der = NULL;
+    unsigned char *ext_der;
     int ext_len;
-    ASN1_OCTET_STRING *ext_oct = NULL;
+    ASN1_OCTET_STRING *ext_oct;
     X509_EXTENSION *ext;
     /* Convert internal representation to DER */
     if (method->it) {
@@ -144,30 +191,26 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
             goto merr;
     } else {
         unsigned char *p;
-
         ext_len = method->i2d(ext_struc, NULL);
-        if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
+        if (!(ext_der = OPENSSL_malloc(ext_len)))
             goto merr;
         p = ext_der;
         method->i2d(ext_struc, &p);
     }
-    if ((ext_oct = ASN1_OCTET_STRING_new()) == NULL)
+    if (!(ext_oct = M_ASN1_OCTET_STRING_new()))
         goto merr;
     ext_oct->data = ext_der;
-    ext_der = NULL;
     ext_oct->length = ext_len;
 
     ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
     if (!ext)
         goto merr;
-    ASN1_OCTET_STRING_free(ext_oct);
+    M_ASN1_OCTET_STRING_free(ext_oct);
 
     return ext;
 
  merr:
     X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
-    OPENSSL_free(ext_der);
-    ASN1_OCTET_STRING_free(ext_oct);
     return NULL;
 
 }
@@ -177,8 +220,7 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
 {
     const X509V3_EXT_METHOD *method;
-
-    if ((method = X509V3_EXT_get_nid(ext_nid)) == NULL) {
+    if (!(method = X509V3_EXT_get_nid(ext_nid))) {
         X509V3err(X509V3_F_X509V3_EXT_I2D, X509V3_R_UNKNOWN_EXTENSION);
         return NULL;
     }
@@ -186,9 +228,9 @@ X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
 }
 
 /* Check the extension string for critical flag */
-static int v3_check_critical(const char **value)
+static int v3_check_critical(char **value)
 {
-    const char *p = *value;
+    char *p = *value;
     if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
         return 0;
     p += 9;
@@ -199,14 +241,14 @@ static int v3_check_critical(const char **value)
 }
 
 /* Check extension string for generic extension and return the type */
-static int v3_check_generic(const char **value)
+static int v3_check_generic(char **value)
 {
     int gen_type = 0;
-    const char *p = *value;
-    if ((strlen(p) >= 4) && strncmp(p, "DER:", 4) == 0) {
+    char *p = *value;
+    if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
         p += 4;
         gen_type = 1;
-    } else if ((strlen(p) >= 5) && strncmp(p, "ASN1:", 5) == 0) {
+    } else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
         p += 5;
         gen_type = 2;
     } else
@@ -219,17 +261,16 @@ static int v3_check_generic(const char **value)
 }
 
 /* Create a generic extension: for now just handle DER type */
-static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
+static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
                                             int crit, int gen_type,
                                             X509V3_CTX *ctx)
 {
     unsigned char *ext_der = NULL;
-    long ext_len = 0;
+    long ext_len;
     ASN1_OBJECT *obj = NULL;
     ASN1_OCTET_STRING *oct = NULL;
     X509_EXTENSION *extension = NULL;
-
-    if ((obj = OBJ_txt2obj(ext, 0)) == NULL) {
+    if (!(obj = OBJ_txt2obj(ext, 0))) {
         X509V3err(X509V3_F_V3_GENERIC_EXTENSION,
                   X509V3_R_EXTENSION_NAME_ERROR);
         ERR_add_error_data(2, "name=", ext);
@@ -237,7 +278,7 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
     }
 
     if (gen_type == 1)
-        ext_der = OPENSSL_hexstr2buf(value, &ext_len);
+        ext_der = string_to_hex(value, &ext_len);
     else if (gen_type == 2)
         ext_der = generic_asn1(value, ctx, &ext_len);
 
@@ -248,7 +289,7 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
         goto err;
     }
 
-    if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
+    if (!(oct = M_ASN1_OCTET_STRING_new())) {
         X509V3err(X509V3_F_V3_GENERIC_EXTENSION, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -261,13 +302,14 @@ static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
 
  err:
     ASN1_OBJECT_free(obj);
-    ASN1_OCTET_STRING_free(oct);
-    OPENSSL_free(ext_der);
+    M_ASN1_OCTET_STRING_free(oct);
+    if (ext_der)
+        OPENSSL_free(ext_der);
     return extension;
 
 }
 
-static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
+static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx,
                                    long *ext_len)
 {
     ASN1_TYPE *typ;
@@ -280,39 +322,24 @@ static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
     return ext_der;
 }
 
-static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext)
-{
-    int idx;
-    ASN1_OBJECT *obj;
-    obj = X509_EXTENSION_get_object(dext);
-    while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) {
-        X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx);
-        X509v3_delete_ext(sk, idx);
-        X509_EXTENSION_free(tmpext);
-    }
-}
-
 /*
  * This is the main function: add a bunch of extensions based on a config
  * file section to an extension STACK.
  */
 
-int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
+int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
                             STACK_OF(X509_EXTENSION) **sk)
 {
     X509_EXTENSION *ext;
     STACK_OF(CONF_VALUE) *nval;
     CONF_VALUE *val;
     int i;
-
-    if ((nval = NCONF_get_section(conf, section)) == NULL)
+    if (!(nval = NCONF_get_section(conf, section)))
         return 0;
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         val = sk_CONF_VALUE_value(nval, i);
-        if ((ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)) == NULL)
+        if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
             return 0;
-        if (ctx->flags == X509V3_CTX_REPLACE)
-            delete_ext(*sk, ext);
         if (sk)
             X509v3_add_ext(sk, ext, -1);
         X509_EXTENSION_free(ext);
@@ -324,29 +351,29 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
  * Convenience functions to add extensions to a certificate, CRL and request
  */
 
-int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                          X509 *cert)
 {
     STACK_OF(X509_EXTENSION) **sk = NULL;
     if (cert)
-        sk = &cert->cert_info.extensions;
+        sk = &cert->cert_info->extensions;
     return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
 }
 
 /* Same as above but for a CRL */
 
-int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                              X509_CRL *crl)
 {
     STACK_OF(X509_EXTENSION) **sk = NULL;
     if (crl)
-        sk = &crl->crl.extensions;
+        sk = &crl->crl->extensions;
     return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
 }
 
 /* Add extensions to certificate request */
 
-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
                              X509_REQ *req)
 {
     STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
@@ -363,7 +390,7 @@ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
 
 /* Config database functions */
 
-char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section)
+char *X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
 {
     if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
         X509V3err(X509V3_F_X509V3_GET_STRING, X509V3_R_OPERATION_NOT_DEFINED);
@@ -374,7 +401,7 @@ char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section)
     return NULL;
 }
 
-STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section)
+STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, char *section)
 {
     if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
         X509V3err(X509V3_F_X509V3_GET_SECTION,
@@ -402,12 +429,12 @@ void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
         ctx->db_meth->free_section(ctx->db, section);
 }
 
-static char *nconf_get_string(void *db, const char *section, const char *value)
+static char *nconf_get_string(void *db, char *section, char *value)
 {
     return NCONF_get_string(db, section, value);
 }
 
-static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, const char *section)
+static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
 {
     return NCONF_get_section(db, section);
 }
@@ -438,7 +465,7 @@ void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
 /* Old conf compatibility functions */
 
 X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                                const char *name, const char *value)
+                                char *name, char *value)
 {
     CONF ctmp;
     CONF_set_nconf(&ctmp, conf);
@@ -448,19 +475,19 @@ X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
 /* LHASH *conf:  Config file    */
 /* char *value:  Value    */
 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
-                                    X509V3_CTX *ctx, int ext_nid, const char *value)
+                                    X509V3_CTX *ctx, int ext_nid, char *value)
 {
     CONF ctmp;
     CONF_set_nconf(&ctmp, conf);
     return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
 }
 
-static char *conf_lhash_get_string(void *db, const char *section, const char *value)
+static char *conf_lhash_get_string(void *db, char *section, char *value)
 {
     return CONF_get_string(db, section, value);
 }
 
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, const char *section)
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
 {
     return CONF_get_section(db, section);
 }
@@ -479,7 +506,7 @@ void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
 }
 
 int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                        const char *section, X509 *cert)
+                        char *section, X509 *cert)
 {
     CONF ctmp;
     CONF_set_nconf(&ctmp, conf);
@@ -489,7 +516,7 @@ int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
 /* Same as above but for a CRL */
 
 int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            const char *section, X509_CRL *crl)
+                            char *section, X509_CRL *crl)
 {
     CONF ctmp;
     CONF_set_nconf(&ctmp, conf);
@@ -499,7 +526,7 @@ int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
 /* Add extensions to certificate request */
 
 int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            const char *section, X509_REQ *req)
+                            char *section, X509_REQ *req)
 {
     CONF ctmp;
     CONF_set_nconf(&ctmp, conf);
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c
index f717e132..d97f6226 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_cpols.c
@@ -1,28 +1,77 @@
+/* v3_cpols.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
 #include "pcy_int.h"
-#include "ext_dat.h"
 
 /* Certificate policies extension support: this one is a bit complex... */
 
 static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
                        BIO *out, int indent);
 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
-                                         X509V3_CTX *ctx, const char *value);
+                                         X509V3_CTX *ctx, char *value);
 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
                              int indent);
 static void print_notice(BIO *out, USERNOTICE *notice, int indent);
@@ -84,7 +133,7 @@ ASN1_SEQUENCE(NOTICEREF) = {
 IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
 
 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
-                                         X509V3_CTX *ctx, const char *value)
+                                         X509V3_CTX *ctx, char *value)
 {
     STACK_OF(POLICYINFO) *pols = NULL;
     char *pstr;
@@ -113,7 +162,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
             goto err;
         }
         pstr = cnf->name;
-        if (strcmp(pstr, "ia5org") == 0) {
+        if (!strcmp(pstr, "ia5org")) {
             ia5org = 1;
             continue;
         } else if (*pstr == '@') {
@@ -127,10 +176,10 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
             }
             pol = policy_section(ctx, polsect, ia5org);
             X509V3_section_free(ctx, polsect);
-            if (pol == NULL)
+            if (!pol)
                 goto err;
         } else {
-            if ((pobj = OBJ_txt2obj(cnf->name, 0)) == NULL) {
+            if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
                 X509V3err(X509V3_F_R2I_CERTPOL,
                           X509V3_R_INVALID_OBJECT_IDENTIFIER);
                 X509V3_conf_err(cnf);
@@ -139,7 +188,6 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
             pol = POLICYINFO_new();
             if (pol == NULL) {
                 X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
-                ASN1_OBJECT_free(pobj);
                 goto err;
             }
             pol->policyid = pobj;
@@ -165,14 +213,13 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
     CONF_VALUE *cnf;
     POLICYINFO *pol;
     POLICYQUALINFO *qual;
-
-    if ((pol = POLICYINFO_new()) == NULL)
+    if (!(pol = POLICYINFO_new()))
         goto merr;
     for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
         cnf = sk_CONF_VALUE_value(polstrs, i);
-        if (strcmp(cnf->name, "policyIdentifier") == 0) {
+        if (!strcmp(cnf->name, "policyIdentifier")) {
             ASN1_OBJECT *pobj;
-            if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
+            if (!(pobj = OBJ_txt2obj(cnf->value, 0))) {
                 X509V3err(X509V3_F_POLICY_SECTION,
                           X509V3_R_INVALID_OBJECT_IDENTIFIER);
                 X509V3_conf_err(cnf);
@@ -181,17 +228,17 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
             pol->policyid = pobj;
 
         } else if (!name_cmp(cnf->name, "CPS")) {
-            if (pol->qualifiers == NULL)
+            if (!pol->qualifiers)
                 pol->qualifiers = sk_POLICYQUALINFO_new_null();
-            if ((qual = POLICYQUALINFO_new()) == NULL)
+            if (!(qual = POLICYQUALINFO_new()))
                 goto merr;
             if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
                 goto merr;
-            if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_cps)) == NULL) {
+            if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) {
                 X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
                 goto err;
             }
-            if ((qual->d.cpsuri = ASN1_IA5STRING_new()) == NULL)
+            if (!(qual->d.cpsuri = M_ASN1_IA5STRING_new()))
                 goto merr;
             if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
                                  strlen(cnf->value)))
@@ -249,28 +296,27 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
     CONF_VALUE *cnf;
     USERNOTICE *not;
     POLICYQUALINFO *qual;
-
-    if ((qual = POLICYQUALINFO_new()) == NULL)
+    if (!(qual = POLICYQUALINFO_new()))
         goto merr;
-    if ((qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice)) == NULL) {
+    if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) {
         X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
         goto err;
     }
-    if ((not = USERNOTICE_new()) == NULL)
+    if (!(not = USERNOTICE_new()))
         goto merr;
     qual->d.usernotice = not;
     for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
         cnf = sk_CONF_VALUE_value(unot, i);
-        if (strcmp(cnf->name, "explicitText") == 0) {
-            if ((not->exptext = ASN1_VISIBLESTRING_new()) == NULL)
+        if (!strcmp(cnf->name, "explicitText")) {
+            if (!(not->exptext = M_ASN1_VISIBLESTRING_new()))
                 goto merr;
             if (!ASN1_STRING_set(not->exptext, cnf->value,
                                  strlen(cnf->value)))
                 goto merr;
-        } else if (strcmp(cnf->name, "organization") == 0) {
+        } else if (!strcmp(cnf->name, "organization")) {
             NOTICEREF *nref;
             if (!not->noticeref) {
-                if ((nref = NOTICEREF_new()) == NULL)
+                if (!(nref = NOTICEREF_new()))
                     goto merr;
                 not->noticeref = nref;
             } else
@@ -282,11 +328,11 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
             if (!ASN1_STRING_set(nref->organization, cnf->value,
                                  strlen(cnf->value)))
                 goto merr;
-        } else if (strcmp(cnf->name, "noticeNumbers") == 0) {
+        } else if (!strcmp(cnf->name, "noticeNumbers")) {
             NOTICEREF *nref;
             STACK_OF(CONF_VALUE) *nos;
             if (!not->noticeref) {
-                if ((nref = NOTICEREF_new()) == NULL)
+                if (!(nref = NOTICEREF_new()))
                     goto merr;
                 not->noticeref = nref;
             } else
@@ -295,7 +341,6 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
             if (!nos || !sk_CONF_VALUE_num(nos)) {
                 X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
                 X509V3_conf_err(cnf);
-                sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
                 goto err;
             }
             ret = nref_nos(nref->noticenos, nos);
@@ -335,7 +380,7 @@ static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
 
     for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
         cnf = sk_CONF_VALUE_value(nos, i);
-        if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
+        if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
             X509V3err(X509V3_F_NREF_NOS, X509V3_R_INVALID_NUMBER);
             goto err;
         }
@@ -345,10 +390,10 @@ static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
     return 1;
 
  merr:
-    ASN1_INTEGER_free(aint);
     X509V3err(X509V3_F_NREF_NOS, ERR_R_MALLOC_FAILURE);
 
  err:
+    sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
     return 0;
 }
 
@@ -439,3 +484,8 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
     else
         BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
 }
+
+
+IMPLEMENT_STACK_OF(X509_POLICY_NODE)
+
+IMPLEMENT_STACK_OF(X509_POLICY_DATA)
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c
index c4c77f18..d3e1d1b0 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_crld.c
@@ -1,22 +1,69 @@
+/* v3_crld.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
-#include "internal/x509_int.h"
-#include "ext_dat.h"
-
 static void *v2i_crld(const X509V3_EXT_METHOD *method,
                       X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
@@ -68,17 +115,16 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
 {
     STACK_OF(GENERAL_NAME) *fnm = NULL;
     STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
-
-    if (strncmp(cnf->name, "fullname", 9) == 0) {
+    if (!strncmp(cnf->name, "fullname", 9)) {
         fnm = gnames_from_sectname(ctx, cnf->value);
         if (!fnm)
             goto err;
-    } else if (strcmp(cnf->name, "relativename") == 0) {
+    } else if (!strcmp(cnf->name, "relativename")) {
         int ret;
         STACK_OF(CONF_VALUE) *dnsect;
         X509_NAME *nm;
         nm = X509_NAME_new();
-        if (nm == NULL)
+        if (!nm)
             return -1;
         dnsect = X509V3_get_section(ctx, cnf->value);
         if (!dnsect) {
@@ -112,7 +158,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
     }
 
     *pdp = DIST_POINT_NAME_new();
-    if (*pdp == NULL)
+    if (!*pdp)
         goto err;
     if (fnm) {
         (*pdp)->type = 0;
@@ -125,8 +171,10 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
     return 1;
 
  err:
-    sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
-    sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
+    if (fnm)
+        sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
+    if (rnm)
+        sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
     return -1;
 }
 
@@ -150,19 +198,19 @@ static int set_reasons(ASN1_BIT_STRING **preas, char *value)
     const char *bnam;
     int i, ret = 0;
     rsk = X509V3_parse_list(value);
-    if (rsk == NULL)
+    if (!rsk)
+        return 0;
+    if (*preas)
         return 0;
-    if (*preas != NULL)
-        goto err;
     for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
         bnam = sk_CONF_VALUE_value(rsk, i)->name;
-        if (*preas == NULL) {
+        if (!*preas) {
             *preas = ASN1_BIT_STRING_new();
-            if (*preas == NULL)
+            if (!*preas)
                 goto err;
         }
         for (pbn = reason_flags; pbn->lname; pbn++) {
-            if (strcmp(pbn->sname, bnam) == 0) {
+            if (!strcmp(pbn->sname, bnam)) {
                 if (!ASN1_BIT_STRING_set_bit(*preas, pbn->bitnum, 1))
                     goto err;
                 break;
@@ -207,7 +255,7 @@ static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
     CONF_VALUE *cnf;
     DIST_POINT *point = NULL;
     point = DIST_POINT_new();
-    if (point == NULL)
+    if (!point)
         goto err;
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         int ret;
@@ -217,10 +265,10 @@ static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
             continue;
         if (ret < 0)
             goto err;
-        if (strcmp(cnf->name, "reasons") == 0) {
+        if (!strcmp(cnf->name, "reasons")) {
             if (!set_reasons(&point->reasons, cnf->value))
                 goto err;
-        } else if (strcmp(cnf->name, "CRLissuer") == 0) {
+        } else if (!strcmp(cnf->name, "CRLissuer")) {
             point->CRLissuer = gnames_from_sectname(ctx, cnf->value);
             if (!point->CRLissuer)
                 goto err;
@@ -230,7 +278,8 @@ static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
     return point;
 
  err:
-    DIST_POINT_free(point);
+    if (point)
+        DIST_POINT_free(point);
     return NULL;
 }
 
@@ -242,8 +291,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
     GENERAL_NAME *gen = NULL;
     CONF_VALUE *cnf;
     int i;
-
-    if ((crld = sk_DIST_POINT_new_null()) == NULL)
+    if (!(crld = sk_DIST_POINT_new_null()))
         goto merr;
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         DIST_POINT *point;
@@ -262,20 +310,20 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
                 goto merr;
             }
         } else {
-            if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
+            if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
                 goto err;
-            if ((gens = GENERAL_NAMES_new()) == NULL)
+            if (!(gens = GENERAL_NAMES_new()))
                 goto merr;
             if (!sk_GENERAL_NAME_push(gens, gen))
                 goto merr;
             gen = NULL;
-            if ((point = DIST_POINT_new()) == NULL)
+            if (!(point = DIST_POINT_new()))
                 goto merr;
             if (!sk_DIST_POINT_push(crld, point)) {
                 DIST_POINT_free(point);
                 goto merr;
             }
-            if ((point->distpoint = DIST_POINT_NAME_new()) == NULL)
+            if (!(point->distpoint = DIST_POINT_NAME_new()))
                 goto merr;
             point->distpoint->name.fullname = gens;
             point->distpoint->type = 0;
@@ -293,6 +341,10 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
     return NULL;
 }
 
+IMPLEMENT_STACK_OF(DIST_POINT)
+
+IMPLEMENT_ASN1_SET_OF(DIST_POINT)
+
 static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
                   void *exarg)
 {
@@ -304,7 +356,8 @@ static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         break;
 
     case ASN1_OP_FREE_POST:
-        X509_NAME_free(dpn->dpname);
+        if (dpn->dpname)
+            X509_NAME_free(dpn->dpname);
         break;
     }
     return 1;
@@ -368,7 +421,7 @@ static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
     char *name, *val;
     int i, ret;
     idp = ISSUING_DIST_POINT_new();
-    if (idp == NULL)
+    if (!idp)
         goto merr;
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
@@ -379,19 +432,19 @@ static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
             continue;
         if (ret < 0)
             goto err;
-        if (strcmp(name, "onlyuser") == 0) {
+        if (!strcmp(name, "onlyuser")) {
             if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
                 goto err;
-        } else if (strcmp(name, "onlyCA") == 0) {
+        } else if (!strcmp(name, "onlyCA")) {
             if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
                 goto err;
-        } else if (strcmp(name, "onlyAA") == 0) {
+        } else if (!strcmp(name, "onlyAA")) {
             if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
                 goto err;
-        } else if (strcmp(name, "indirectCRL") == 0) {
+        } else if (!strcmp(name, "indirectCRL")) {
             if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
                 goto err;
-        } else if (strcmp(name, "onlysomereasons") == 0) {
+        } else if (!strcmp(name, "onlysomereasons")) {
             if (!set_reasons(&idp->onlysomereasons, val))
                 goto err;
         } else {
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c
index f39cb5ac..7678664f 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_enum.c
@@ -1,16 +1,65 @@
+/* v3_enum.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static ENUMERATED_NAMES crl_reasons[] = {
     {CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"},
@@ -38,16 +87,14 @@ const X509V3_EXT_METHOD v3_crl_reason = {
     crl_reasons
 };
 
-char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, 
-                                const ASN1_ENUMERATED *e)
+char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *e)
 {
     ENUMERATED_NAMES *enam;
     long strval;
-
     strval = ASN1_ENUMERATED_get(e);
     for (enam = method->usr_data; enam->lname; enam++) {
         if (strval == enam->bitnum)
-            return OPENSSL_strdup(enam->lname);
+            return BUF_strdup(enam->lname);
     }
     return i2s_ASN1_ENUMERATED(method, e);
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c
index bae755e3..6092c2e4 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_extku.c
@@ -1,18 +1,67 @@
+/* v3_extku.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
                                     X509V3_CTX *ctx,
@@ -76,7 +125,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
     CONF_VALUE *val;
     int i;
 
-    if ((extku = sk_ASN1_OBJECT_new_null()) == NULL) {
+    if (!(extku = sk_ASN1_OBJECT_new_null())) {
         X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -87,7 +136,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
             extval = val->value;
         else
             extval = val->name;
-        if ((objtmp = OBJ_txt2obj(extval, 0)) == NULL) {
+        if (!(objtmp = OBJ_txt2obj(extval, 0))) {
             sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
             X509V3err(X509V3_F_V2I_EXTENDED_KEY_USAGE,
                       X509V3_R_INVALID_OBJECT_IDENTIFIER);
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
index 8d119974..7f40bfab 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
@@ -1,14 +1,64 @@
+/* v3_genn.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
@@ -179,7 +229,7 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
 {
     OTHERNAME *oth;
     oth = OTHERNAME_new();
-    if (oth == NULL)
+    if (!oth)
         return 0;
     oth->type_id = oid;
     oth->value = value;
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c
index c1170d46..c170a55f 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_ia5.c
@@ -1,20 +1,73 @@
+/* v3_ia5.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
-const X509V3_EXT_METHOD v3_ns_ia5_list[8] = {
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+                                ASN1_IA5STRING *ia5);
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+                                          X509V3_CTX *ctx, char *str);
+const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
     EXT_IA5STRING(NID_netscape_base_url),
     EXT_IA5STRING(NID_netscape_revocation_url),
     EXT_IA5STRING(NID_netscape_ca_revocation_url),
@@ -25,13 +78,13 @@ const X509V3_EXT_METHOD v3_ns_ia5_list[8] = {
     EXT_END
 };
 
-char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+                                ASN1_IA5STRING *ia5)
 {
     char *tmp;
-
     if (!ia5 || !ia5->length)
         return NULL;
-    if ((tmp = OPENSSL_malloc(ia5->length + 1)) == NULL) {
+    if (!(tmp = OPENSSL_malloc(ia5->length + 1))) {
         X509V3err(X509V3_F_I2S_ASN1_IA5STRING, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -40,8 +93,8 @@ char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
     return tmp;
 }
 
-ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
-                                   X509V3_CTX *ctx, const char *str)
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+                                          X509V3_CTX *ctx, char *str)
 {
     ASN1_IA5STRING *ia5;
     if (!str) {
@@ -49,11 +102,12 @@ ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
                   X509V3_R_INVALID_NULL_ARGUMENT);
         return NULL;
     }
-    if ((ia5 = ASN1_IA5STRING_new()) == NULL)
+    if (!(ia5 = M_ASN1_IA5STRING_new()))
+        goto err;
+    if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char *)str,
+                         strlen(str))) {
+        M_ASN1_IA5STRING_free(ia5);
         goto err;
-    if (!ASN1_STRING_set((ASN1_STRING *)ia5, str, strlen(str))) {
-        ASN1_IA5STRING_free(ia5);
-        return NULL;
     }
 #ifdef CHARSET_EBCDIC
     ebcdic2ascii(ia5->data, ia5->data, ia5->length);
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c
index 61ef2138..e052a34b 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_info.c
@@ -1,19 +1,68 @@
+/* v3_info.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
                                                        *method, AUTHORITY_INFO_ACCESS
@@ -76,14 +125,14 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
         i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
         nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
         ntmp = OPENSSL_malloc(nlen);
-        if (ntmp == NULL) {
+        if (!ntmp) {
             X509V3err(X509V3_F_I2V_AUTHORITY_INFO_ACCESS,
                       ERR_R_MALLOC_FAILURE);
             return NULL;
         }
-        OPENSSL_strlcpy(ntmp, objtmp, nlen);
-        OPENSSL_strlcat(ntmp, " - ", nlen);
-        OPENSSL_strlcat(ntmp, vtmp->name, nlen);
+        BUF_strlcpy(ntmp, objtmp, nlen);
+        BUF_strlcat(ntmp, " - ", nlen);
+        BUF_strlcat(ntmp, vtmp->name, nlen);
         OPENSSL_free(vtmp->name);
         vtmp->name = ntmp;
 
@@ -104,14 +153,13 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
     ACCESS_DESCRIPTION *acc;
     int i, objlen;
     char *objtmp, *ptmp;
-
-    if ((ainfo = sk_ACCESS_DESCRIPTION_new_null()) == NULL) {
+    if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
         X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if ((acc = ACCESS_DESCRIPTION_new()) == NULL
+        if (!(acc = ACCESS_DESCRIPTION_new())
             || !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
             X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
                       ERR_R_MALLOC_FAILURE);
@@ -128,11 +176,13 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
         ctmp.value = cnf->value;
         if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
             goto err;
-        if ((objtmp = OPENSSL_strndup(cnf->name, objlen)) == NULL) {
+        if (!(objtmp = OPENSSL_malloc(objlen + 1))) {
             X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
                       ERR_R_MALLOC_FAILURE);
             goto err;
         }
+        strncpy(objtmp, cnf->name, objlen);
+        objtmp[objlen] = 0;
         acc->method = OBJ_txt2obj(objtmp, 0);
         if (!acc->method) {
             X509V3err(X509V3_F_V2I_AUTHORITY_INFO_ACCESS,
@@ -150,8 +200,11 @@ static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
     return NULL;
 }
 
-int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a)
+int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION *a)
 {
     i2a_ASN1_OBJECT(bp, a->method);
+#ifdef UNDEF
+    i2a_GENERAL_NAME(bp, a->location);
+#endif
     return 2;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c
index 690c90e8..8bfdb37e 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_int.c
@@ -1,16 +1,65 @@
+/* v3_int.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 const X509V3_EXT_METHOD v3_crl_num = {
     NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
@@ -29,7 +78,7 @@ const X509V3_EXT_METHOD v3_delta_crl = {
 };
 
 static void *s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx,
-                          const char *value)
+                          char *value)
 {
     return s2i_ASN1_INTEGER(meth, value);
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c
index a3ca720f..8350429a 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_lib.c
@@ -1,16 +1,65 @@
+/* v3_lib.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 /* X509 v3 extension utilities */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
@@ -24,8 +73,7 @@ static void ext_list_free(X509V3_EXT_METHOD *ext);
 
 int X509V3_EXT_add(X509V3_EXT_METHOD *ext)
 {
-    if (ext_list == NULL
-        && (ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp)) == NULL) {
+    if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
         X509V3err(X509V3_F_X509V3_EXT_ADD, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -47,74 +95,6 @@ DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
 IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
                              const X509V3_EXT_METHOD *, ext);
 
-/*
- * This table will be searched using OBJ_bsearch so it *must* kept in order
- * of the ext_nid values.
- */
-
-static const X509V3_EXT_METHOD *standard_exts[] = {
-    &v3_nscert,
-    &v3_ns_ia5_list[0],
-    &v3_ns_ia5_list[1],
-    &v3_ns_ia5_list[2],
-    &v3_ns_ia5_list[3],
-    &v3_ns_ia5_list[4],
-    &v3_ns_ia5_list[5],
-    &v3_ns_ia5_list[6],
-    &v3_skey_id,
-    &v3_key_usage,
-    &v3_pkey_usage_period,
-    &v3_alt[0],
-    &v3_alt[1],
-    &v3_bcons,
-    &v3_crl_num,
-    &v3_cpols,
-    &v3_akey_id,
-    &v3_crld,
-    &v3_ext_ku,
-    &v3_delta_crl,
-    &v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
-    &v3_crl_invdate,
-#endif
-    &v3_sxnet,
-    &v3_info,
-#ifndef OPENSSL_NO_RFC3779
-    &v3_addr,
-    &v3_asid,
-#endif
-#ifndef OPENSSL_NO_OCSP
-    &v3_ocsp_nonce,
-    &v3_ocsp_crlid,
-    &v3_ocsp_accresp,
-    &v3_ocsp_nocheck,
-    &v3_ocsp_acutoff,
-    &v3_ocsp_serviceloc,
-#endif
-    &v3_sinfo,
-    &v3_policy_constraints,
-#ifndef OPENSSL_NO_OCSP
-    &v3_crl_hold,
-#endif
-    &v3_pci,
-    &v3_name_constraints,
-    &v3_policy_mappings,
-    &v3_inhibit_anyp,
-    &v3_idp,
-    &v3_alt[2],
-    &v3_freshest_crl,
-#ifndef OPENSSL_NO_CT
-    &v3_ct_scts[0],
-    &v3_ct_scts[1],
-    &v3_ct_scts[2],
-#endif
-    &v3_tls_feature,
-};
-
-/* Number of standard extensions */
-
-#define STANDARD_EXTENSION_COUNT OSSL_NELEM(standard_exts)
-
 const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
 {
     X509V3_EXT_METHOD tmp;
@@ -137,11 +117,33 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
 const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
 {
     int nid;
-    if ((nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext))) == NID_undef)
+    if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
         return NULL;
     return X509V3_EXT_get_nid(nid);
 }
 
+int X509V3_EXT_free(int nid, void *ext_data)
+{
+    const X509V3_EXT_METHOD *ext_method = X509V3_EXT_get_nid(nid);
+    if (ext_method == NULL) {
+        X509V3err(X509V3_F_X509V3_EXT_FREE,
+                  X509V3_R_CANNOT_FIND_FREE_FUNCTION);
+        return 0;
+    }
+
+    if (ext_method->it != NULL)
+        ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it));
+    else if (ext_method->ext_free != NULL)
+        ext_method->ext_free(ext_data);
+    else {
+        X509V3err(X509V3_F_X509V3_EXT_FREE,
+                  X509V3_R_CANNOT_FIND_FREE_FUNCTION);
+        return 0;
+    }
+
+    return 1;
+}
+
 int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
 {
     for (; extlist->ext_nid != -1; extlist++)
@@ -155,11 +157,14 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from)
     const X509V3_EXT_METHOD *ext;
     X509V3_EXT_METHOD *tmpext;
 
-    if ((ext = X509V3_EXT_get_nid(nid_from)) == NULL) {
-        X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS, X509V3_R_EXTENSION_NOT_FOUND);
+    if (!(ext = X509V3_EXT_get_nid(nid_from))) {
+        X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,
+                  X509V3_R_EXTENSION_NOT_FOUND);
         return 0;
     }
-    if ((tmpext = OPENSSL_malloc(sizeof(*tmpext))) == NULL) {
+    if (!
+        (tmpext =
+         (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) {
         X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS, ERR_R_MALLOC_FAILURE);
         return 0;
     }
@@ -197,17 +202,14 @@ void *X509V3_EXT_d2i(X509_EXTENSION *ext)
 {
     const X509V3_EXT_METHOD *method;
     const unsigned char *p;
-    ASN1_STRING *extvalue;
-    int extlen;
 
-    if ((method = X509V3_EXT_get(ext)) == NULL)
+    if (!(method = X509V3_EXT_get(ext)))
         return NULL;
-    extvalue = X509_EXTENSION_get_data(ext);
-    p = ASN1_STRING_get0_data(extvalue);
-    extlen = ASN1_STRING_length(extvalue);
+    p = ext->value->data;
     if (method->it)
-        return ASN1_item_d2i(NULL, &p, extlen, ASN1_ITEM_ptr(method->it));
-    return method->d2i(NULL, &p, extlen);
+        return ASN1_item_d2i(NULL, &p, ext->value->length,
+                             ASN1_ITEM_ptr(method->it));
+    return method->d2i(NULL, &p, ext->value->length);
 }
 
 /*-
@@ -226,7 +228,7 @@ void *X509V3_EXT_d2i(X509_EXTENSION *ext)
  * -2 extension occurs more than once.
  */
 
-void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
+void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
                      int *idx)
 {
     int lastpos, i;
@@ -246,7 +248,7 @@ void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
         lastpos = 0;
     for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
         ex = sk_X509_EXTENSION_value(x, i);
-        if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == nid) {
+        if (OBJ_obj2nid(ex->object) == nid) {
             if (idx) {
                 *idx = i;
                 found_ex = ex;
@@ -345,8 +347,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
         return 1;
     }
 
-    if (*x == NULL
-        && (*x = sk_X509_EXTENSION_new_null()) == NULL)
+    if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
         return -1;
     if (!sk_X509_EXTENSION_push(*x, ext))
         return -1;
@@ -358,3 +359,5 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
         X509V3err(X509V3_F_X509V3_ADD1_I2D, errcode);
     return 0;
 }
+
+IMPLEMENT_STACK_OF(X509V3_EXT_METHOD)
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c
index 9b3bb128..28552696 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_ncons.c
@@ -1,22 +1,68 @@
+/* v3_ncons.c */
 /*
- * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include "internal/asn1_int.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-#include "internal/x509_int.h"
-#include "ext_dat.h"
-
 static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
                                   X509V3_CTX *ctx,
                                   STACK_OF(CONF_VALUE) *nval);
@@ -24,7 +70,7 @@ static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
                                 BIO *bp, int ind);
 static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
                                    STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
-                                   int ind, const char *name);
+                                   int ind, char *name);
 static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
 
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
@@ -33,7 +79,6 @@ static int nc_dn(X509_NAME *sub, X509_NAME *nm);
 static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
 static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
 static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
-static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base);
 
 const X509V3_EXT_METHOD v3_name_constraints = {
     NID_name_constraints, 0,
@@ -70,16 +115,15 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
     STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
     NAME_CONSTRAINTS *ncons = NULL;
     GENERAL_SUBTREE *sub = NULL;
-
     ncons = NAME_CONSTRAINTS_new();
-    if (ncons == NULL)
+    if (!ncons)
         goto memerr;
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         val = sk_CONF_VALUE_value(nval, i);
-        if (strncmp(val->name, "permitted", 9) == 0 && val->name[9]) {
+        if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
             ptree = &ncons->permittedSubtrees;
             tval.name = val->name + 10;
-        } else if (strncmp(val->name, "excluded", 8) == 0 && val->name[8]) {
+        } else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
             ptree = &ncons->excludedSubtrees;
             tval.name = val->name + 9;
         } else {
@@ -92,9 +136,9 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
             goto memerr;
         if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
             goto err;
-        if (*ptree == NULL)
+        if (!*ptree)
             *ptree = sk_GENERAL_SUBTREE_new_null();
-        if (*ptree == NULL || !sk_GENERAL_SUBTREE_push(*ptree, sub))
+        if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
             goto memerr;
         sub = NULL;
     }
@@ -104,8 +148,10 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
  memerr:
     X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
  err:
-    NAME_CONSTRAINTS_free(ncons);
-    GENERAL_SUBTREE_free(sub);
+    if (ncons)
+        NAME_CONSTRAINTS_free(ncons);
+    if (sub)
+        GENERAL_SUBTREE_free(sub);
 
     return NULL;
 }
@@ -123,7 +169,7 @@ static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
 
 static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
                                    STACK_OF(GENERAL_SUBTREE) *trees,
-                                   BIO *bp, int ind, const char *name)
+                                   BIO *bp, int ind, char *name)
 {
     GENERAL_SUBTREE *tree;
     int i;
@@ -199,8 +245,7 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
         /* Process any email address attributes in subject name */
 
         for (i = -1;;) {
-            const X509_NAME_ENTRY *ne;
-
+            X509_NAME_ENTRY *ne;
             i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
             if (i == -1)
                 break;
@@ -228,51 +273,6 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
 
 }
 
-int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
-{
-    int r, i;
-    X509_NAME *nm;
-
-    ASN1_STRING stmp;
-    GENERAL_NAME gntmp;
-    stmp.flags = 0;
-    stmp.type = V_ASN1_IA5STRING;
-    gntmp.type = GEN_DNS;
-    gntmp.d.dNSName = &stmp;
-
-    nm = X509_get_subject_name(x);
-
-    /* Process any commonName attributes in subject name */
-
-    for (i = -1;;) {
-        X509_NAME_ENTRY *ne;
-        ASN1_STRING *hn;
-        i = X509_NAME_get_index_by_NID(nm, NID_commonName, i);
-        if (i == -1)
-            break;
-        ne = X509_NAME_get_entry(nm, i);
-        hn = X509_NAME_ENTRY_get_data(ne);
-        /* Only process attributes that look like host names */
-        if (asn1_valid_host(hn)) {
-            unsigned char *h;
-            int hlen = ASN1_STRING_to_UTF8(&h, hn);
-            if (hlen <= 0)
-                return X509_V_ERR_OUT_OF_MEM;
-
-            stmp.length = hlen;
-            stmp.data = h;
-
-            r = nc_match(&gntmp, nc);
-
-            OPENSSL_free(h);
-
-            if (r != X509_V_OK)
-                    return r;
-        }
-    }
-    return X509_V_OK;
-}
-
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 {
     GENERAL_SUBTREE *sub;
@@ -341,9 +341,6 @@ static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
         return nc_uri(gen->d.uniformResourceIdentifier,
                       base->d.uniformResourceIdentifier);
 
-    case GEN_IPADD:
-        return nc_ip(gen->d.iPAddress, base->d.iPAddress);
-
     default:
         return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
     }
@@ -403,11 +400,11 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
     const char *emlat = strchr(emlptr, '@');
     if (!emlat)
         return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-    /* Special case: initial '.' is RHS match */
+    /* Special case: inital '.' is RHS match */
     if (!baseat && (*baseptr == '.')) {
         if (eml->length > base->length) {
             emlptr += eml->length - base->length;
-            if (strcasecmp(baseptr, emlptr) == 0)
+            if (!strcasecmp(baseptr, emlptr))
                 return X509_V_OK;
         }
         return X509_V_ERR_PERMITTED_VIOLATION;
@@ -463,11 +460,11 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
     if (hostlen == 0)
         return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
 
-    /* Special case: initial '.' is RHS match */
+    /* Special case: inital '.' is RHS match */
     if (*baseptr == '.') {
         if (hostlen > base->length) {
             p = hostptr + hostlen - base->length;
-            if (strncasecmp(p, baseptr, base->length) == 0)
+            if (!strncasecmp(p, baseptr, base->length))
                 return X509_V_OK;
         }
         return X509_V_ERR_PERMITTED_VIOLATION;
@@ -480,34 +477,3 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
     return X509_V_OK;
 
 }
-
-static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base)
-{
-    int hostlen, baselen, i;
-    unsigned char *hostptr, *baseptr, *maskptr;
-    hostptr = ip->data;
-    hostlen = ip->length;
-    baseptr = base->data;
-    baselen = base->length;
-
-    /* Invalid if not IPv4 or IPv6 */
-    if (!((hostlen == 4) || (hostlen == 16)))
-        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-    if (!((baselen == 8) || (baselen == 32)))
-        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-
-    /* Do not match IPv4 with IPv6 */
-    if (hostlen * 2 != baselen)
-        return X509_V_ERR_PERMITTED_VIOLATION;
-
-    maskptr = base->data + hostlen;
-
-    /* Considering possible not aligned base ipAddress */
-    /* Not checking for wrong mask definition: i.e.: 255.0.255.0 */
-    for (i = 0; i < hostlen; i++)
-        if ((hostptr[i] & maskptr[i]) != (baseptr[i] & maskptr[i]))
-            return X509_V_ERR_PERMITTED_VIOLATION;
-
-    return X509_V_OK;
-
-}
diff --git a/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c
index 2d425a89..b151eacc 100644
--- a/Cryptlib/OpenSSL/crypto/ocsp/v3_ocsp.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_ocsp.c
@@ -1,20 +1,70 @@
+/* v3_ocsp.c */
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
+#ifndef OPENSSL_NO_OCSP
+
 # include <stdio.h>
-# include "internal/cryptlib.h"
+# include "cryptlib.h"
 # include <openssl/conf.h>
 # include <openssl/asn1.h>
 # include <openssl/ocsp.h>
-# include "ocsp_lcl.h"
 # include <openssl/x509v3.h>
-# include "../x509v3/ext_dat.h"
 
 /*
  * OCSP extensions and a couple of CRL entry extensions
@@ -184,13 +234,10 @@ static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
 {
     ASN1_OCTET_STRING *os, **pos;
     pos = a;
-    if (pos == NULL || *pos == NULL) {
+    if (!pos || !*pos)
         os = ASN1_OCTET_STRING_new();
-        if (os == NULL)
-            goto err;
-    } else {
+    else
         os = *pos;
-    }
     if (!ASN1_OCTET_STRING_set(os, *pp, length))
         goto err;
 
@@ -201,15 +248,15 @@ static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
     return os;
 
  err:
-    if ((pos == NULL) || (*pos != os))
-        ASN1_OCTET_STRING_free(os);
+    if (os && (!pos || (*pos != os)))
+        M_ASN1_OCTET_STRING_free(os);
     OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
     return NULL;
 }
 
 static void ocsp_nonce_free(void *a)
 {
-    ASN1_OCTET_STRING_free(a);
+    M_ASN1_OCTET_STRING_free(a);
 }
 
 static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
@@ -262,3 +309,4 @@ static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
  err:
     return 0;
 }
+#endif
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
index 2c05edb8..12f12a76 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
@@ -1,12 +1,8 @@
+/* v3_pci.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Contributed to the OpenSSL Project 2004 by Richard Levitte
+ * (richard@levitte.org)
  */
-
 /* Copyright (c) 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
@@ -40,10 +36,9 @@
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
                    BIO *out, int indent);
@@ -91,7 +86,7 @@ static int process_pci_value(CONF_VALUE *val,
             X509V3_conf_err(val);
             return 0;
         }
-        if ((*language = OBJ_txt2obj(val->value, 0)) == NULL) {
+        if (!(*language = OBJ_txt2obj(val->value, 0))) {
             X509V3err(X509V3_F_PROCESS_PCI_VALUE,
                       X509V3_R_INVALID_OBJECT_IDENTIFIER);
             X509V3_conf_err(val);
@@ -115,7 +110,7 @@ static int process_pci_value(CONF_VALUE *val,
         long val_len;
         if (!*policy) {
             *policy = ASN1_OCTET_STRING_new();
-            if (*policy == NULL) {
+            if (!*policy) {
                 X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
                 X509V3_conf_err(val);
                 return 0;
@@ -124,9 +119,11 @@ static int process_pci_value(CONF_VALUE *val,
         }
         if (strncmp(val->value, "hex:", 4) == 0) {
             unsigned char *tmp_data2 =
-                OPENSSL_hexstr2buf(val->value + 4, &val_len);
+                string_to_hex(val->value + 4, &val_len);
 
             if (!tmp_data2) {
+                X509V3err(X509V3_F_PROCESS_PCI_VALUE,
+                          X509V3_R_ILLEGAL_HEX_DIGIT);
                 X509V3_conf_err(val);
                 goto err;
             }
@@ -145,7 +142,6 @@ static int process_pci_value(CONF_VALUE *val,
                  * realloc failure implies the original data space is b0rked
                  * too!
                  */
-                OPENSSL_free((*policy)->data);
                 (*policy)->data = NULL;
                 (*policy)->length = 0;
                 X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
@@ -153,6 +149,7 @@ static int process_pci_value(CONF_VALUE *val,
                 goto err;
             }
             OPENSSL_free(tmp_data2);
+#ifndef OPENSSL_NO_STDIO
         } else if (strncmp(val->value, "file:", 5) == 0) {
             unsigned char buf[2048];
             int n;
@@ -170,16 +167,8 @@ static int process_pci_value(CONF_VALUE *val,
                 tmp_data = OPENSSL_realloc((*policy)->data,
                                            (*policy)->length + n + 1);
 
-                if (!tmp_data) {
-                    OPENSSL_free((*policy)->data);
-                    (*policy)->data = NULL;
-                    (*policy)->length = 0;
-                    X509V3err(X509V3_F_PROCESS_PCI_VALUE,
-                              ERR_R_MALLOC_FAILURE);
-                    X509V3_conf_err(val);
-                    BIO_free_all(b);
-                    goto err;
-                }
+                if (!tmp_data)
+                    break;
 
                 (*policy)->data = tmp_data;
                 memcpy(&(*policy)->data[(*policy)->length], buf, n);
@@ -193,6 +182,7 @@ static int process_pci_value(CONF_VALUE *val,
                 X509V3_conf_err(val);
                 goto err;
             }
+#endif /* !OPENSSL_NO_STDIO */
         } else if (strncmp(val->value, "text:", 5) == 0) {
             val_len = strlen(val->value + 5);
             tmp_data = OPENSSL_realloc((*policy)->data,
@@ -208,7 +198,6 @@ static int process_pci_value(CONF_VALUE *val,
                  * realloc failure implies the original data space is b0rked
                  * too!
                  */
-                OPENSSL_free((*policy)->data);
                 (*policy)->data = NULL;
                 (*policy)->length = 0;
                 X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE);
@@ -295,7 +284,7 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
     }
 
     pci = PROXY_CERT_INFO_EXTENSION_new();
-    if (pci == NULL) {
+    if (!pci) {
         X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -308,13 +297,22 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
     pathlen = NULL;
     goto end;
  err:
-    ASN1_OBJECT_free(language);
-    ASN1_INTEGER_free(pathlen);
-    pathlen = NULL;
-    ASN1_OCTET_STRING_free(policy);
-    policy = NULL;
-    PROXY_CERT_INFO_EXTENSION_free(pci);
-    pci = NULL;
+    if (language) {
+        ASN1_OBJECT_free(language);
+        language = NULL;
+    }
+    if (pathlen) {
+        ASN1_INTEGER_free(pathlen);
+        pathlen = NULL;
+    }
+    if (policy) {
+        ASN1_OCTET_STRING_free(policy);
+        policy = NULL;
+    }
+    if (pci) {
+        PROXY_CERT_INFO_EXTENSION_free(pci);
+        pci = NULL;
+    }
  end:
     sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
     return pci;
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
index e6f7a917..e53c82e8 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
@@ -1,12 +1,8 @@
+/* v3_pcia.c */
 /*
- * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * Contributed to the OpenSSL Project 2004 by Richard Levitte
+ * (richard@levitte.org)
  */
-
 /* Copyright (c) 2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c
index 24f7ff49..cfccb97d 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pcons.c
@@ -1,19 +1,68 @@
+/* v3_pcons.c */
 /*
- * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD
                                                     *method, void *bcons, STACK_OF(CONF_VALUE)
@@ -59,17 +108,16 @@ static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
     POLICY_CONSTRAINTS *pcons = NULL;
     CONF_VALUE *val;
     int i;
-
-    if ((pcons = POLICY_CONSTRAINTS_new()) == NULL) {
+    if (!(pcons = POLICY_CONSTRAINTS_new())) {
         X509V3err(X509V3_F_V2I_POLICY_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
     for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
         val = sk_CONF_VALUE_value(values, i);
-        if (strcmp(val->name, "requireExplicitPolicy") == 0) {
+        if (!strcmp(val->name, "requireExplicitPolicy")) {
             if (!X509V3_get_value_int(val, &pcons->requireExplicitPolicy))
                 goto err;
-        } else if (strcmp(val->name, "inhibitPolicyMapping") == 0) {
+        } else if (!strcmp(val->name, "inhibitPolicyMapping")) {
             if (!X509V3_get_value_int(val, &pcons->inhibitPolicyMapping))
                 goto err;
         } else {
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c
index ed82bca8..dd01c441 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pku.c
@@ -1,18 +1,67 @@
+/* v3_pku.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
                                  PKEY_USAGE_PERIOD *usage, BIO *out,
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c
index 73f4ec24..a168343b 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_pmaps.c
@@ -1,18 +1,67 @@
+/* v3_pmaps.c */
 /*
- * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
@@ -64,13 +113,13 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD
 static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
-    POLICY_MAPPINGS *pmaps = NULL;
-    POLICY_MAPPING *pmap = NULL;
-    ASN1_OBJECT *obj1 = NULL, *obj2 = NULL;
+    POLICY_MAPPINGS *pmaps;
+    POLICY_MAPPING *pmap;
+    ASN1_OBJECT *obj1, *obj2;
     CONF_VALUE *val;
     int i;
 
-    if ((pmaps = sk_POLICY_MAPPING_new_null()) == NULL) {
+    if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
         X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -78,33 +127,30 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
     for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
         val = sk_CONF_VALUE_value(nval, i);
         if (!val->value || !val->name) {
+            sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
             X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
                       X509V3_R_INVALID_OBJECT_IDENTIFIER);
             X509V3_conf_err(val);
-            goto err;
+            return NULL;
         }
         obj1 = OBJ_txt2obj(val->name, 0);
         obj2 = OBJ_txt2obj(val->value, 0);
         if (!obj1 || !obj2) {
+            sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
             X509V3err(X509V3_F_V2I_POLICY_MAPPINGS,
                       X509V3_R_INVALID_OBJECT_IDENTIFIER);
             X509V3_conf_err(val);
-            goto err;
+            return NULL;
         }
         pmap = POLICY_MAPPING_new();
-        if (pmap == NULL) {
+        if (!pmap) {
+            sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
             X509V3err(X509V3_F_V2I_POLICY_MAPPINGS, ERR_R_MALLOC_FAILURE);
-            goto err;
+            return NULL;
         }
         pmap->issuerDomainPolicy = obj1;
         pmap->subjectDomainPolicy = obj2;
-        obj1 = obj2 = NULL;
         sk_POLICY_MAPPING_push(pmaps, pmap);
     }
     return pmaps;
- err:
-    ASN1_OBJECT_free(obj1);
-    ASN1_OBJECT_free(obj2);
-    sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
-    return NULL;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c
index f384c342..acc9c6d9 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_prn.c
@@ -1,22 +1,71 @@
+/* v3_prn.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 /* X509 v3 extension utilities */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
 /* Extension printing routines */
 
-static int unknown_ext_print(BIO *out, const unsigned char *ext, int extlen,
+static int unknown_ext_print(BIO *out, X509_EXTENSION *ext,
                              unsigned long flag, int indent, int supported);
 
 /* Print out a name+value stack */
@@ -52,7 +101,7 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
             char *tmp;
             len = strlen(nval->value) + 1;
             tmp = OPENSSL_malloc(len);
-            if (tmp != NULL) {
+            if (tmp) {
                 ascii2ebcdic(tmp, nval->value, len);
                 BIO_printf(out, "%s:%s", nval->name, tmp);
                 OPENSSL_free(tmp);
@@ -71,29 +120,26 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
 {
     void *ext_str = NULL;
     char *value = NULL;
-    ASN1_OCTET_STRING *extoct;
     const unsigned char *p;
-    int extlen;
     const X509V3_EXT_METHOD *method;
     STACK_OF(CONF_VALUE) *nval = NULL;
     int ok = 1;
 
-    extoct = X509_EXTENSION_get_data(ext);
-    p = ASN1_STRING_get0_data(extoct);
-    extlen = ASN1_STRING_length(extoct);
-
-    if ((method = X509V3_EXT_get(ext)) == NULL)
-        return unknown_ext_print(out, p, extlen, flag, indent, 0);
+    if (!(method = X509V3_EXT_get(ext)))
+        return unknown_ext_print(out, ext, flag, indent, 0);
+    p = ext->value->data;
     if (method->it)
-        ext_str = ASN1_item_d2i(NULL, &p, extlen, ASN1_ITEM_ptr(method->it));
+        ext_str =
+            ASN1_item_d2i(NULL, &p, ext->value->length,
+                          ASN1_ITEM_ptr(method->it));
     else
-        ext_str = method->d2i(NULL, &p, extlen);
+        ext_str = method->d2i(NULL, &p, ext->value->length);
 
     if (!ext_str)
-        return unknown_ext_print(out, p, extlen, flag, indent, 1);
+        return unknown_ext_print(out, ext, flag, indent, 1);
 
     if (method->i2s) {
-        if ((value = method->i2s(method, ext_str)) == NULL) {
+        if (!(value = method->i2s(method, ext_str))) {
             ok = 0;
             goto err;
         }
@@ -105,7 +151,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
             char *tmp;
             len = strlen(value) + 1;
             tmp = OPENSSL_malloc(len);
-            if (tmp != NULL) {
+            if (tmp) {
                 ascii2ebcdic(tmp, value, len);
                 BIO_printf(out, "%*s%s", indent, "", tmp);
                 OPENSSL_free(tmp);
@@ -113,7 +159,7 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
         }
 #endif
     } else if (method->i2v) {
-        if ((nval = method->i2v(method, ext_str, NULL)) == NULL) {
+        if (!(nval = method->i2v(method, ext_str, NULL))) {
             ok = 0;
             goto err;
         }
@@ -127,7 +173,8 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
 
  err:
     sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-    OPENSSL_free(value);
+    if (value)
+        OPENSSL_free(value);
     if (method->it)
         ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
     else
@@ -135,8 +182,8 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
     return ok;
 }
 
-int X509V3_extensions_print(BIO *bp, const char *title,
-                            const STACK_OF(X509_EXTENSION) *exts,
+int X509V3_extensions_print(BIO *bp, char *title,
+                            STACK_OF(X509_EXTENSION) *exts,
                             unsigned long flag, int indent)
 {
     int i, j;
@@ -162,7 +209,7 @@ int X509V3_extensions_print(BIO *bp, const char *title,
             return 0;
         if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
             BIO_printf(bp, "%*s", indent + 4, "");
-            ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex));
+            M_ASN1_OCTET_STRING_print(bp, ex->value);
         }
         if (BIO_write(bp, "\n", 1) <= 0)
             return 0;
@@ -170,7 +217,7 @@ int X509V3_extensions_print(BIO *bp, const char *title,
     return 1;
 }
 
-static int unknown_ext_print(BIO *out, const unsigned char *ext, int extlen,
+static int unknown_ext_print(BIO *out, X509_EXTENSION *ext,
                              unsigned long flag, int indent, int supported)
 {
     switch (flag & X509V3_EXT_UNKNOWN_MASK) {
@@ -186,22 +233,24 @@ static int unknown_ext_print(BIO *out, const unsigned char *ext, int extlen,
         return 1;
 
     case X509V3_EXT_PARSE_UNKNOWN:
-        return ASN1_parse_dump(out, ext, extlen, indent, -1);
+        return ASN1_parse_dump(out,
+                               ext->value->data, ext->value->length, indent,
+                               -1);
     case X509V3_EXT_DUMP_UNKNOWN:
-        return BIO_dump_indent(out, (const char *)ext, extlen, indent);
+        return BIO_dump_indent(out, (char *)ext->value->data,
+                               ext->value->length, indent);
 
     default:
         return 1;
     }
 }
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
 {
     BIO *bio_tmp;
     int ret;
-
-    if ((bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL)
+    if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
         return 0;
     ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
     BIO_free(bio_tmp);
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
index 451e7f87..845be673 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_purp.c
@@ -1,18 +1,66 @@
+/* v3_purp.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
-#include "internal/numbers.h"
+#include "cryptlib.h"
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
-#include "internal/x509_int.h"
 
 static void x509v3_cache_extensions(X509 *x);
 
@@ -60,7 +108,9 @@ static X509_PURPOSE xstandard[] = {
      NULL},
 };
 
-#define X509_PURPOSE_COUNT OSSL_NELEM(xstandard)
+#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
+
+IMPLEMENT_STACK_OF(X509_PURPOSE)
 
 static STACK_OF(X509_PURPOSE) *xptable = NULL;
 
@@ -79,11 +129,10 @@ int X509_check_purpose(X509 *x, int id, int ca)
     int idx;
     const X509_PURPOSE *pt;
     if (!(x->ex_flags & EXFLAG_SET)) {
-        CRYPTO_THREAD_write_lock(x->lock);
+        CRYPTO_w_lock(CRYPTO_LOCK_X509);
         x509v3_cache_extensions(x);
-        CRYPTO_THREAD_unlock(x->lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
     }
-    /* Return if side-effect only call */
     if (id == -1)
         return 1;
     idx = X509_PURPOSE_get_by_id(id);
@@ -119,13 +168,13 @@ X509_PURPOSE *X509_PURPOSE_get0(int idx)
     return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
 }
 
-int X509_PURPOSE_get_by_sname(const char *sname)
+int X509_PURPOSE_get_by_sname(char *sname)
 {
     int i;
     X509_PURPOSE *xptmp;
     for (i = 0; i < X509_PURPOSE_get_count(); i++) {
         xptmp = X509_PURPOSE_get0(i);
-        if (strcmp(xptmp->sname, sname) == 0)
+        if (!strcmp(xptmp->sname, sname))
             return i;
     }
     return -1;
@@ -148,7 +197,7 @@ int X509_PURPOSE_get_by_id(int purpose)
 
 int X509_PURPOSE_add(int id, int trust, int flags,
                      int (*ck) (const X509_PURPOSE *, const X509 *, int),
-                     const char *name, const char *sname, void *arg)
+                     char *name, char *sname, void *arg)
 {
     int idx;
     X509_PURPOSE *ptmp;
@@ -162,7 +211,7 @@ int X509_PURPOSE_add(int id, int trust, int flags,
     idx = X509_PURPOSE_get_by_id(id);
     /* Need a new entry */
     if (idx == -1) {
-        if ((ptmp = OPENSSL_malloc(sizeof(*ptmp))) == NULL) {
+        if (!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
             X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
             return 0;
         }
@@ -176,11 +225,11 @@ int X509_PURPOSE_add(int id, int trust, int flags,
         OPENSSL_free(ptmp->sname);
     }
     /* dup supplied name */
-    ptmp->name = OPENSSL_strdup(name);
-    ptmp->sname = OPENSSL_strdup(sname);
+    ptmp->name = BUF_strdup(name);
+    ptmp->sname = BUF_strdup(sname);
     if (!ptmp->name || !ptmp->sname) {
         X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
-        goto err;
+        return 0;
     }
     /* Keep the dynamic flag of existing entry */
     ptmp->flags &= X509_PURPOSE_DYNAMIC;
@@ -194,24 +243,16 @@ int X509_PURPOSE_add(int id, int trust, int flags,
 
     /* If its a new entry manage the dynamic table */
     if (idx == -1) {
-        if (xptable == NULL
-            && (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL) {
+        if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
             X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
-            goto err;
+            return 0;
         }
         if (!sk_X509_PURPOSE_push(xptable, ptmp)) {
             X509V3err(X509V3_F_X509_PURPOSE_ADD, ERR_R_MALLOC_FAILURE);
-            goto err;
+            return 0;
         }
     }
     return 1;
- err:
-    if (idx == -1) {
-        OPENSSL_free(ptmp->name);
-        OPENSSL_free(ptmp->sname);
-        OPENSSL_free(ptmp);
-    }
-    return 0;
 }
 
 static void xptable_free(X509_PURPOSE *p)
@@ -229,26 +270,29 @@ static void xptable_free(X509_PURPOSE *p)
 
 void X509_PURPOSE_cleanup(void)
 {
+    unsigned int i;
     sk_X509_PURPOSE_pop_free(xptable, xptable_free);
+    for (i = 0; i < X509_PURPOSE_COUNT; i++)
+        xptable_free(xstandard + i);
     xptable = NULL;
 }
 
-int X509_PURPOSE_get_id(const X509_PURPOSE *xp)
+int X509_PURPOSE_get_id(X509_PURPOSE *xp)
 {
     return xp->purpose;
 }
 
-char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
+char *X509_PURPOSE_get0_name(X509_PURPOSE *xp)
 {
     return xp->name;
 }
 
-char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
+char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp)
 {
     return xp->sname;
 }
 
-int X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
+int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
 {
     return xp->trust;
 }
@@ -294,7 +338,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
     if (ex_nid == NID_undef)
         return 0;
 
-    if (OBJ_bsearch_nid(&ex_nid, supported_nids, OSSL_NELEM(supported_nids)))
+    if (OBJ_bsearch_nid(&ex_nid, supported_nids,
+                        sizeof(supported_nids) / sizeof(int)))
         return 1;
     return 0;
 }
@@ -355,7 +400,9 @@ static void x509v3_cache_extensions(X509 *x)
     int i;
     if (x->ex_flags & EXFLAG_SET)
         return;
+#ifndef OPENSSL_NO_SHA
     X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
+#endif
     /* V1 should mean no extensions ... */
     if (!X509_get_version(x))
         x->ex_flags |= EXFLAG_V1;
@@ -528,22 +575,12 @@ static int check_ca(const X509 *x)
     }
 }
 
-void X509_set_proxy_flag(X509 *x)
-{
-    x->ex_flags |= EXFLAG_PROXY;
-}
-
-void X509_set_proxy_pathlen(X509 *x, long l)
-{
-    x->ex_pcpathlen = l;
-}
-
 int X509_check_ca(X509 *x)
 {
     if (!(x->ex_flags & EXFLAG_SET)) {
-        CRYPTO_THREAD_write_lock(x->lock);
+        CRYPTO_w_lock(CRYPTO_LOCK_X509);
         x509v3_cache_extensions(x);
-        CRYPTO_THREAD_unlock(x->lock);
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509);
     }
 
     return check_ca(x);
@@ -725,7 +762,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
         return 0;
 
     /* Extended Key Usage MUST be critical */
-    i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);
+    i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
     if (i_ext >= 0) {
         X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
         if (!X509_EXTENSION_get_critical(ext))
@@ -813,53 +850,3 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
     }
     return X509_V_OK;
 }
-
-uint32_t X509_get_extension_flags(X509 *x)
-{
-    /* Call for side-effect of computing hash and caching extensions */
-    X509_check_purpose(x, -1, -1);
-    return x->ex_flags;
-}
-
-uint32_t X509_get_key_usage(X509 *x)
-{
-    /* Call for side-effect of computing hash and caching extensions */
-    X509_check_purpose(x, -1, -1);
-    if (x->ex_flags & EXFLAG_KUSAGE)
-        return x->ex_kusage;
-    return UINT32_MAX;
-}
-
-uint32_t X509_get_extended_key_usage(X509 *x)
-{
-    /* Call for side-effect of computing hash and caching extensions */
-    X509_check_purpose(x, -1, -1);
-    if (x->ex_flags & EXFLAG_XKUSAGE)
-        return x->ex_xkusage;
-    return UINT32_MAX;
-}
-
-const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
-{
-    /* Call for side-effect of computing hash and caching extensions */
-    X509_check_purpose(x, -1, -1);
-    return x->skid;
-}
-
-long X509_get_pathlen(X509 *x)
-{
-    /* Called for side effect of caching extensions */
-    if (X509_check_purpose(x, -1, -1) != 1
-            || (x->ex_flags & EXFLAG_BCONS) == 0)
-        return -1;
-    return x->ex_pathlen;
-}
-
-long X509_get_proxy_pathlen(X509 *x)
-{
-    /* Called for side effect of caching extensions */
-    if (X509_check_purpose(x, -1, -1) != 1
-            || (x->ex_flags & EXFLAG_PROXY) == 0)
-        return -1;
-    return x->ex_pcpathlen;
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c
index 39597dc4..1cede047 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_skey.c
@@ -1,17 +1,65 @@
+/* v3_skey.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
-#include "ext_dat.h"
 
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
                                       X509V3_CTX *ctx, char *str);
@@ -24,25 +72,24 @@ const X509V3_EXT_METHOD v3_skey_id = {
     NULL
 };
 
-char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, 
-                            const ASN1_OCTET_STRING *oct)
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct)
 {
-    return OPENSSL_buf2hexstr(oct->data, oct->length);
+    return hex_to_string(oct->data, oct->length);
 }
 
 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
-                                         X509V3_CTX *ctx, const char *str)
+                                         X509V3_CTX *ctx, char *str)
 {
     ASN1_OCTET_STRING *oct;
     long length;
 
-    if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
+    if (!(oct = M_ASN1_OCTET_STRING_new())) {
         X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
 
-    if ((oct->data = OPENSSL_hexstr2buf(str, &length)) == NULL) {
-        ASN1_OCTET_STRING_free(oct);
+    if (!(oct->data = string_to_hex(str, &length))) {
+        M_ASN1_OCTET_STRING_free(oct);
         return NULL;
     }
 
@@ -56,16 +103,14 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
                                       X509V3_CTX *ctx, char *str)
 {
     ASN1_OCTET_STRING *oct;
-    X509_PUBKEY *pubkey;
-    const unsigned char *pk;
-    int pklen;
+    ASN1_BIT_STRING *pk;
     unsigned char pkey_dig[EVP_MAX_MD_SIZE];
     unsigned int diglen;
 
     if (strcmp(str, "hash"))
         return s2i_ASN1_OCTET_STRING(method, ctx, str);
 
-    if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
+    if (!(oct = M_ASN1_OCTET_STRING_new())) {
         X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
         return NULL;
     }
@@ -79,21 +124,20 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
     }
 
     if (ctx->subject_req)
-        pubkey = ctx->subject_req->req_info.pubkey;
+        pk = ctx->subject_req->req_info->pubkey->public_key;
     else
-        pubkey = ctx->subject_cert->cert_info.key;
+        pk = ctx->subject_cert->cert_info->key->public_key;
 
-    if (pubkey == NULL) {
+    if (!pk) {
         X509V3err(X509V3_F_S2I_SKEY_ID, X509V3_R_NO_PUBLIC_KEY);
         goto err;
     }
 
-    X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey);
-
-    if (!EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL))
+    if (!EVP_Digest
+        (pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL))
         goto err;
 
-    if (!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+    if (!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
         X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_MALLOC_FAILURE);
         goto err;
     }
@@ -101,6 +145,6 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
     return oct;
 
  err:
-    ASN1_OCTET_STRING_free(oct);
+    M_ASN1_OCTET_STRING_free(oct);
     return NULL;
 }
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c
index 89cda01b..a4e6a93e 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_sxnet.c
@@ -1,19 +1,68 @@
+/* v3_sxnet.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
-#include "ext_dat.h"
 
 /* Support for Thawte strong extranet extension */
 
@@ -68,7 +117,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
         tmp = i2s_ASN1_INTEGER(NULL, id->zone);
         BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
         OPENSSL_free(tmp);
-        ASN1_STRING_print(out, id->user);
+        M_ASN1_OCTET_STRING_print(out, id->user);
     }
     return 1;
 }
@@ -101,11 +150,10 @@ static SXNET *sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
 
 /* Add an id given the zone as an ASCII number */
 
-int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen)
+int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen)
 {
-    ASN1_INTEGER *izone;
-
-    if ((izone = s2i_ASN1_INTEGER(NULL, zone)) == NULL) {
+    ASN1_INTEGER *izone = NULL;
+    if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
         X509V3err(X509V3_F_SXNET_ADD_ID_ASC, X509V3_R_ERROR_CONVERTING_ZONE);
         return 0;
     }
@@ -114,15 +162,13 @@ int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userle
 
 /* Add an id given the zone as an unsigned long */
 
-int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
+int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user,
                        int userlen)
 {
-    ASN1_INTEGER *izone;
-
-    if ((izone = ASN1_INTEGER_new()) == NULL
-        || !ASN1_INTEGER_set(izone, lzone)) {
+    ASN1_INTEGER *izone = NULL;
+    if (!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
         X509V3err(X509V3_F_SXNET_ADD_ID_ULONG, ERR_R_MALLOC_FAILURE);
-        ASN1_INTEGER_free(izone);
+        M_ASN1_INTEGER_free(izone);
         return 0;
     }
     return SXNET_add_id_INTEGER(psx, izone, user, userlen);
@@ -134,7 +180,7 @@ int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
  * passed integer and doesn't make a copy so don't free it up afterwards.
  */
 
-int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
+int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user,
                          int userlen)
 {
     SXNET *sx = NULL;
@@ -150,8 +196,8 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
         X509V3err(X509V3_F_SXNET_ADD_ID_INTEGER, X509V3_R_USER_TOO_LONG);
         return 0;
     }
-    if (*psx == NULL) {
-        if ((sx = SXNET_new()) == NULL)
+    if (!*psx) {
+        if (!(sx = SXNET_new()))
             goto err;
         if (!ASN1_INTEGER_set(sx->version, 0))
             goto err;
@@ -163,12 +209,12 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
         return 0;
     }
 
-    if ((id = SXNETID_new()) == NULL)
+    if (!(id = SXNETID_new()))
         goto err;
     if (userlen == -1)
         userlen = strlen(user);
 
-    if (!ASN1_OCTET_STRING_set(id->user, (const unsigned char *)user, userlen))
+    if (!M_ASN1_OCTET_STRING_set(id->user, user, userlen))
         goto err;
     if (!sk_SXNETID_push(sx->ids, id))
         goto err;
@@ -183,33 +229,30 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
     return 0;
 }
 
-ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone)
+ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone)
 {
-    ASN1_INTEGER *izone;
+    ASN1_INTEGER *izone = NULL;
     ASN1_OCTET_STRING *oct;
-
-    if ((izone = s2i_ASN1_INTEGER(NULL, zone)) == NULL) {
+    if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
         X509V3err(X509V3_F_SXNET_GET_ID_ASC, X509V3_R_ERROR_CONVERTING_ZONE);
         return NULL;
     }
     oct = SXNET_get_id_INTEGER(sx, izone);
-    ASN1_INTEGER_free(izone);
+    M_ASN1_INTEGER_free(izone);
     return oct;
 }
 
 ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
 {
-    ASN1_INTEGER *izone;
+    ASN1_INTEGER *izone = NULL;
     ASN1_OCTET_STRING *oct;
-
-    if ((izone = ASN1_INTEGER_new()) == NULL
-        || !ASN1_INTEGER_set(izone, lzone)) {
+    if (!(izone = M_ASN1_INTEGER_new()) || !ASN1_INTEGER_set(izone, lzone)) {
         X509V3err(X509V3_F_SXNET_GET_ID_ULONG, ERR_R_MALLOC_FAILURE);
-        ASN1_INTEGER_free(izone);
+        M_ASN1_INTEGER_free(izone);
         return NULL;
     }
     oct = SXNET_get_id_INTEGER(sx, izone);
-    ASN1_INTEGER_free(izone);
+    M_ASN1_INTEGER_free(izone);
     return oct;
 }
 
@@ -219,8 +262,12 @@ ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
     int i;
     for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
         id = sk_SXNETID_value(sx->ids, i);
-        if (!ASN1_INTEGER_cmp(id->zone, zone))
+        if (!M_ASN1_INTEGER_cmp(id->zone, zone))
             return id->user;
     }
     return NULL;
 }
+
+IMPLEMENT_STACK_OF(SXNETID)
+
+IMPLEMENT_ASN1_SET_OF(SXNETID)
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_tlsf.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_tlsf.c
deleted file mode 100644
index fec67243..00000000
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_tlsf.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include "internal/o_str.h"
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-#include "ext_dat.h"
-
-static STACK_OF(CONF_VALUE) *i2v_TLS_FEATURE(const X509V3_EXT_METHOD *method,
-                                             TLS_FEATURE *tls_feature,
-                                             STACK_OF(CONF_VALUE) *ext_list);
-static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method,
-                                    X509V3_CTX *ctx,
-                                    STACK_OF(CONF_VALUE) *nval);
-
-ASN1_ITEM_TEMPLATE(TLS_FEATURE) =
-        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, TLS_FEATURE, ASN1_INTEGER)
-static_ASN1_ITEM_TEMPLATE_END(TLS_FEATURE)
-
-IMPLEMENT_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE)
-
-const X509V3_EXT_METHOD v3_tls_feature = {
-    NID_tlsfeature, 0,
-    ASN1_ITEM_ref(TLS_FEATURE),
-    0, 0, 0, 0,
-    0, 0,
-    (X509V3_EXT_I2V)i2v_TLS_FEATURE,
-    (X509V3_EXT_V2I)v2i_TLS_FEATURE,
-    0, 0,
-    NULL
-};
-
-
-typedef struct {
-    long num;
-    const char *name;
-} TLS_FEATURE_NAME;
-
-static TLS_FEATURE_NAME tls_feature_tbl[] = {
-    { 5, "status_request" },
-    { 17, "status_request_v2" }
-};
-
-/*
- * i2v_TLS_FEATURE converts the TLS_FEATURE structure tls_feature into the
- * STACK_OF(CONF_VALUE) structure ext_list. STACK_OF(CONF_VALUE) is the format
- * used by the CONF library to represent a multi-valued extension.  ext_list is
- * returned.
- */
-static STACK_OF(CONF_VALUE) *i2v_TLS_FEATURE(const X509V3_EXT_METHOD *method,
-                                             TLS_FEATURE *tls_feature,
-                                             STACK_OF(CONF_VALUE) *ext_list)
-{
-    int i;
-    size_t j;
-    ASN1_INTEGER *ai;
-    long tlsextid;
-    for (i = 0; i < sk_ASN1_INTEGER_num(tls_feature); i++) {
-        ai = sk_ASN1_INTEGER_value(tls_feature, i);
-        tlsextid = ASN1_INTEGER_get(ai);
-        for (j = 0; j < OSSL_NELEM(tls_feature_tbl); j++)
-            if (tlsextid == tls_feature_tbl[j].num)
-                break;
-        if (j < OSSL_NELEM(tls_feature_tbl))
-            X509V3_add_value(NULL, tls_feature_tbl[j].name, &ext_list);
-        else
-            X509V3_add_value_int(NULL, ai, &ext_list);
-    }
-    return ext_list;
-}
-
-/*
- * v2i_TLS_FEATURE converts the multi-valued extension nval into a TLS_FEATURE
- * structure, which is returned if the conversion is successful.  In case of
- * error, NULL is returned.
- */
-static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method,
-                                    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
-{
-    TLS_FEATURE *tlsf;
-    char *extval, *endptr;
-    ASN1_INTEGER *ai;
-    CONF_VALUE *val;
-    int i;
-    size_t j;
-    long tlsextid;
-
-    if ((tlsf = sk_ASN1_INTEGER_new_null()) == NULL) {
-        X509V3err(X509V3_F_V2I_TLS_FEATURE, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-        val = sk_CONF_VALUE_value(nval, i);
-        if (val->value)
-            extval = val->value;
-        else
-            extval = val->name;
-
-        for (j = 0; j < OSSL_NELEM(tls_feature_tbl); j++)
-            if (strcasecmp(extval, tls_feature_tbl[j].name) == 0)
-                break;
-        if (j < OSSL_NELEM(tls_feature_tbl))
-            tlsextid = tls_feature_tbl[j].num;
-        else {
-            tlsextid = strtol(extval, &endptr, 10);
-            if (((*endptr) != '\0') || (extval == endptr) || (tlsextid < 0) ||
-                (tlsextid > 65535)) {
-                X509V3err(X509V3_F_V2I_TLS_FEATURE, X509V3_R_INVALID_SYNTAX);
-                X509V3_conf_err(val);
-                goto err;
-            }
-        }
-
-        ai = ASN1_INTEGER_new();
-        if (ai == NULL) {
-            X509V3err(X509V3_F_V2I_TLS_FEATURE, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-        ASN1_INTEGER_set(ai, tlsextid);
-        sk_ASN1_INTEGER_push(tlsf, ai);
-    }
-    return tlsf;
-
- err:
-    sk_ASN1_INTEGER_pop_free(tlsf, ASN1_INTEGER_free);
-    return NULL;
-}
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c
index 7dc9a453..43b9cb9c 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_utl.c
@@ -1,29 +1,76 @@
+/* v3_utl.c */
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
  */
-
 /* X509 v3 extension utilities */
 
 #include <stdio.h>
 #include <ctype.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
-#include "internal/x509_int.h"
 #include <openssl/bn.h>
-#include "ext_dat.h"
 
 static char *strip_spaces(char *name);
 static int sk_strcmp(const char *const *a, const char *const *b);
 static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
                                            GENERAL_NAMES *gens);
 static void str_free(OPENSSL_STRING str);
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email);
+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
 
 static int ipv4_from_asc(unsigned char *v4, const char *in);
 static int ipv6_from_asc(unsigned char *v6, const char *in);
@@ -37,14 +84,13 @@ int X509V3_add_value(const char *name, const char *value,
 {
     CONF_VALUE *vtmp = NULL;
     char *tname = NULL, *tvalue = NULL;
-
-    if (name && (tname = OPENSSL_strdup(name)) == NULL)
+    if (name && !(tname = BUF_strdup(name)))
         goto err;
-    if (value && (tvalue = OPENSSL_strdup(value)) == NULL)
+    if (value && !(tvalue = BUF_strdup(value)))
         goto err;
-    if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
+    if (!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE))))
         goto err;
-    if (*extlist == NULL && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
+    if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null()))
         goto err;
     vtmp->section = NULL;
     vtmp->name = tname;
@@ -54,9 +100,12 @@ int X509V3_add_value(const char *name, const char *value,
     return 1;
  err:
     X509V3err(X509V3_F_X509V3_ADD_VALUE, ERR_R_MALLOC_FAILURE);
-    OPENSSL_free(vtmp);
-    OPENSSL_free(tname);
-    OPENSSL_free(tvalue);
+    if (vtmp)
+        OPENSSL_free(vtmp);
+    if (tname)
+        OPENSSL_free(tname);
+    if (tvalue)
+        OPENSSL_free(tvalue);
     return 0;
 }
 
@@ -72,9 +121,12 @@ void X509V3_conf_free(CONF_VALUE *conf)
 {
     if (!conf)
         return;
-    OPENSSL_free(conf->name);
-    OPENSSL_free(conf->value);
-    OPENSSL_free(conf->section);
+    if (conf->name)
+        OPENSSL_free(conf->name);
+    if (conf->value)
+        OPENSSL_free(conf->value);
+    if (conf->section)
+        OPENSSL_free(conf->section);
     OPENSSL_free(conf);
 }
 
@@ -86,7 +138,7 @@ int X509V3_add_value_bool(const char *name, int asn1_bool,
     return X509V3_add_value(name, "FALSE", extlist);
 }
 
-int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
+int X509V3_add_value_bool_nf(char *name, int asn1_bool,
                              STACK_OF(CONF_VALUE) **extlist)
 {
     if (asn1_bool)
@@ -94,49 +146,43 @@ int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
     return 1;
 }
 
-char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
+char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a)
 {
     BIGNUM *bntmp = NULL;
     char *strtmp = NULL;
-
     if (!a)
         return NULL;
-    if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL
-        || (strtmp = BN_bn2dec(bntmp)) == NULL)
+    if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
+        !(strtmp = BN_bn2dec(bntmp)))
         X509V3err(X509V3_F_I2S_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
     BN_free(bntmp);
     return strtmp;
 }
 
-char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
+char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a)
 {
     BIGNUM *bntmp = NULL;
     char *strtmp = NULL;
-
     if (!a)
         return NULL;
-    if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL
-        || (strtmp = BN_bn2dec(bntmp)) == NULL)
+    if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
+        !(strtmp = BN_bn2dec(bntmp)))
         X509V3err(X509V3_F_I2S_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
     BN_free(bntmp);
     return strtmp;
 }
 
-ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
+ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
 {
     BIGNUM *bn = NULL;
     ASN1_INTEGER *aint;
     int isneg, ishex;
     int ret;
-    if (value == NULL) {
+    if (!value) {
         X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_INVALID_NULL_VALUE);
-        return NULL;
+        return 0;
     }
     bn = BN_new();
-    if (bn == NULL) {
-        X509V3err(X509V3_F_S2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
     if (value[0] == '-') {
         value++;
         isneg = 1;
@@ -157,7 +203,7 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
     if (!ret || value[ret]) {
         BN_free(bn);
         X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_BN_DEC2BN_ERROR);
-        return NULL;
+        return 0;
     }
 
     if (isneg && BN_is_zero(bn))
@@ -168,49 +214,40 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
     if (!aint) {
         X509V3err(X509V3_F_S2I_ASN1_INTEGER,
                   X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
-        return NULL;
+        return 0;
     }
     if (isneg)
         aint->type |= V_ASN1_NEG;
     return aint;
 }
 
-int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
+int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint,
                          STACK_OF(CONF_VALUE) **extlist)
 {
     char *strtmp;
     int ret;
-
     if (!aint)
         return 1;
-    if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
+    if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
         return 0;
     ret = X509V3_add_value(name, strtmp, extlist);
     OPENSSL_free(strtmp);
     return ret;
 }
 
-int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
+int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool)
 {
-    const char *btmp;
-
-    if ((btmp = value->value) == NULL)
+    char *btmp;
+    if (!(btmp = value->value))
         goto err;
-    if (strcmp(btmp, "TRUE") == 0
-        || strcmp(btmp, "true") == 0
-        || strcmp(btmp, "Y") == 0
-        || strcmp(btmp, "y") == 0
-        || strcmp(btmp, "YES") == 0
-        || strcmp(btmp, "yes") == 0) {
+    if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true")
+        || !strcmp(btmp, "Y") || !strcmp(btmp, "y")
+        || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
         *asn1_bool = 0xff;
         return 1;
-    }
-    if (strcmp(btmp, "FALSE") == 0
-        || strcmp(btmp, "false") == 0
-        || strcmp(btmp, "N") == 0
-        || strcmp(btmp, "n") == 0
-        || strcmp(btmp, "NO") == 0
-        || strcmp(btmp, "no") == 0) {
+    } else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false")
+               || !strcmp(btmp, "N") || !strcmp(btmp, "n")
+               || !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
         *asn1_bool = 0;
         return 1;
     }
@@ -221,11 +258,10 @@ int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
     return 0;
 }
 
-int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
+int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
 {
     ASN1_INTEGER *itmp;
-
-    if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
+    if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
         X509V3_conf_err(value);
         return 0;
     }
@@ -248,7 +284,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
     char *linebuf;
     int state;
     /* We are going to modify the line so copy it first */
-    linebuf = OPENSSL_strdup(line);
+    linebuf = BUF_strdup(line);
     if (linebuf == NULL) {
         X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -275,6 +311,9 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
                 *p = 0;
                 ntmp = strip_spaces(q);
                 q = p + 1;
+#if 0
+                printf("%s\n", ntmp);
+#endif
                 if (!ntmp) {
                     X509V3err(X509V3_F_X509V3_PARSE_LIST,
                               X509V3_R_INVALID_NULL_NAME);
@@ -289,6 +328,9 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
                 state = HDR_NAME;
                 *p = 0;
                 vtmp = strip_spaces(q);
+#if 0
+                printf("%s\n", ntmp);
+#endif
                 if (!vtmp) {
                     X509V3err(X509V3_F_X509V3_PARSE_LIST,
                               X509V3_R_INVALID_NULL_VALUE);
@@ -304,6 +346,9 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
 
     if (state == HDR_VALUE) {
         vtmp = strip_spaces(q);
+#if 0
+        printf("%s=%s\n", ntmp, vtmp);
+#endif
         if (!vtmp) {
             X509V3err(X509V3_F_X509V3_PARSE_LIST,
                       X509V3_R_INVALID_NULL_VALUE);
@@ -312,6 +357,9 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
         X509V3_add_value(ntmp, vtmp, &values);
     } else {
         ntmp = strip_spaces(q);
+#if 0
+        printf("%s\n", ntmp);
+#endif
         if (!ntmp) {
             X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
             goto err;
@@ -348,6 +396,109 @@ static char *strip_spaces(char *name)
     return p;
 }
 
+/* hex string utilities */
+
+/*
+ * Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its
+ * hex representation @@@ (Contents of buffer are always kept in ASCII, also
+ * on EBCDIC machines)
+ */
+
+char *hex_to_string(const unsigned char *buffer, long len)
+{
+    char *tmp, *q;
+    const unsigned char *p;
+    int i;
+    const static char hexdig[] = "0123456789ABCDEF";
+    if (!buffer || !len)
+        return NULL;
+    if (!(tmp = OPENSSL_malloc(len * 3 + 1))) {
+        X509V3err(X509V3_F_HEX_TO_STRING, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    q = tmp;
+    for (i = 0, p = buffer; i < len; i++, p++) {
+        *q++ = hexdig[(*p >> 4) & 0xf];
+        *q++ = hexdig[*p & 0xf];
+        *q++ = ':';
+    }
+    q[-1] = 0;
+#ifdef CHARSET_EBCDIC
+    ebcdic2ascii(tmp, tmp, q - tmp - 1);
+#endif
+
+    return tmp;
+}
+
+/*
+ * Give a string of hex digits convert to a buffer
+ */
+
+unsigned char *string_to_hex(const char *str, long *len)
+{
+    unsigned char *hexbuf, *q;
+    unsigned char ch, cl, *p;
+    if (!str) {
+        X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_INVALID_NULL_ARGUMENT);
+        return NULL;
+    }
+    if (!(hexbuf = OPENSSL_malloc(strlen(str) >> 1)))
+        goto err;
+    for (p = (unsigned char *)str, q = hexbuf; *p;) {
+        ch = *p++;
+#ifdef CHARSET_EBCDIC
+        ch = os_toebcdic[ch];
+#endif
+        if (ch == ':')
+            continue;
+        cl = *p++;
+#ifdef CHARSET_EBCDIC
+        cl = os_toebcdic[cl];
+#endif
+        if (!cl) {
+            X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_ODD_NUMBER_OF_DIGITS);
+            OPENSSL_free(hexbuf);
+            return NULL;
+        }
+        if (isupper(ch))
+            ch = tolower(ch);
+        if (isupper(cl))
+            cl = tolower(cl);
+
+        if ((ch >= '0') && (ch <= '9'))
+            ch -= '0';
+        else if ((ch >= 'a') && (ch <= 'f'))
+            ch -= 'a' - 10;
+        else
+            goto badhex;
+
+        if ((cl >= '0') && (cl <= '9'))
+            cl -= '0';
+        else if ((cl >= 'a') && (cl <= 'f'))
+            cl -= 'a' - 10;
+        else
+            goto badhex;
+
+        *q++ = (ch << 4) | cl;
+    }
+
+    if (len)
+        *len = q - hexbuf;
+
+    return hexbuf;
+
+ err:
+    if (hexbuf)
+        OPENSSL_free(hexbuf);
+    X509V3err(X509V3_F_STRING_TO_HEX, ERR_R_MALLOC_FAILURE);
+    return NULL;
+
+ badhex:
+    OPENSSL_free(hexbuf);
+    X509V3err(X509V3_F_STRING_TO_HEX, X509V3_R_ILLEGAL_HEX_DIGIT);
+    return NULL;
+
+}
 
 /*
  * V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
@@ -452,7 +603,7 @@ static void str_free(OPENSSL_STRING str)
     OPENSSL_free(str);
 }
 
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email)
+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
 {
     char *emtmp;
     /* First some sanity checks */
@@ -460,16 +611,15 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
         return 1;
     if (!email->data || !email->length)
         return 1;
-    if (*sk == NULL)
+    if (!*sk)
         *sk = sk_OPENSSL_STRING_new(sk_strcmp);
-    if (*sk == NULL)
+    if (!*sk)
         return 0;
     /* Don't add duplicates */
     if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
         return 1;
-    emtmp = OPENSSL_strdup((char *)email->data);
-    if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
-        OPENSSL_free(emtmp);    /* free on push failure */
+    emtmp = BUF_strdup((char *)email->data);
+    if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
         X509_email_free(*sk);
         *sk = NULL;
         return 0;
@@ -488,7 +638,7 @@ typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len,
 
 /* Skip pattern prefix to match "wildcard" subject */
 static void skip_prefix(const unsigned char **p, size_t *plen,
-                        size_t subject_len,
+                        const unsigned char *subject, size_t subject_len,
                         unsigned int flags)
 {
     const unsigned char *pattern = *p;
@@ -523,7 +673,7 @@ static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
                         const unsigned char *subject, size_t subject_len,
                         unsigned int flags)
 {
-    skip_prefix(&pattern, &pattern_len, subject_len, flags);
+    skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
     if (pattern_len != subject_len)
         return 0;
     while (pattern_len) {
@@ -552,7 +702,7 @@ static int equal_case(const unsigned char *pattern, size_t pattern_len,
                       const unsigned char *subject, size_t subject_len,
                       unsigned int flags)
 {
-    skip_prefix(&pattern, &pattern_len, subject_len, flags);
+    skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
     if (pattern_len != subject_len)
         return 0;
     return !memcmp(pattern, subject, pattern_len);
@@ -735,7 +885,7 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
  * to UTF8.
  */
 
-static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
+static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
                            unsigned int flags, const char *b, size_t blen,
                            char **peername)
 {
@@ -751,7 +901,7 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
         else if (a->length == (int)blen && !memcmp(a->data, b, blen))
             rv = 1;
         if (rv > 0 && peername)
-            *peername = OPENSSL_strndup((char *)a->data, a->length);
+            *peername = BUF_strndup((char *)a->data, a->length);
     } else {
         int astrlen;
         unsigned char *astr;
@@ -765,7 +915,7 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
         }
         rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
         if (rv > 0 && peername)
-            *peername = OPENSSL_strndup((char *)astr, astrlen);
+            *peername = BUF_strndup((char *)astr, astrlen);
         OPENSSL_free(astr);
     }
     return rv;
@@ -830,20 +980,23 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         GENERAL_NAMES_free(gens);
         if (rv != 0)
             return rv;
-        if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
+        if (cnid == NID_undef
+            || (san_present
+                && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
             return 0;
     }
 
     /* We're done if CN-ID is not pertinent */
-    if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
+    if (cnid == NID_undef)
         return 0;
 
     i = -1;
     name = X509_get_subject_name(x);
     while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
-        const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
-        const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
-
+        X509_NAME_ENTRY *ne;
+        ASN1_STRING *str;
+        ne = X509_NAME_get_entry(name, i);
+        str = X509_NAME_ENTRY_get_data(ne);
         /* Positive on success, negative on error! */
         if ((rv = do_check_string(str, -1, equal, flags,
                                   chk, chklen, peername)) != 0)
@@ -930,7 +1083,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
         return NULL;
 
     ret = ASN1_OCTET_STRING_new();
-    if (ret == NULL)
+    if (!ret)
         return NULL;
     if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
         ASN1_OCTET_STRING_free(ret);
@@ -948,7 +1101,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
     p = strchr(ipasc, '/');
     if (!p)
         return NULL;
-    iptmp = OPENSSL_strdup(ipasc);
+    iptmp = BUF_strdup(ipasc);
     if (!iptmp)
         return NULL;
     p = iptmp + (p - ipasc);
@@ -968,7 +1121,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
         goto err;
 
     ret = ASN1_OCTET_STRING_new();
-    if (ret == NULL)
+    if (!ret)
         goto err;
     if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
         goto err;
@@ -976,8 +1129,10 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
     return ret;
 
  err:
-    OPENSSL_free(iptmp);
-    ASN1_OCTET_STRING_free(ret);
+    if (iptmp)
+        OPENSSL_free(iptmp);
+    if (ret)
+        ASN1_OCTET_STRING_free(ret);
     return NULL;
 }
 
@@ -1129,17 +1284,19 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen)
 {
     unsigned char c;
     unsigned int num = 0;
-    int x;
-
     if (inlen > 4)
         return 0;
     while (inlen--) {
         c = *in++;
         num <<= 4;
-        x = OPENSSL_hexchar2int(c);
-        if (x < 0)
+        if ((c >= '0') && (c <= '9'))
+            num |= c - '0';
+        else if ((c >= 'A') && (c <= 'F'))
+            num |= c - 'A' + 10;
+        else if ((c >= 'a') && (c <= 'f'))
+            num |= c - 'a' + 10;
+        else
             return 0;
-        num |= (char)x;
     }
     out[0] = num >> 8;
     out[1] = num & 0xff;
@@ -1150,7 +1307,7 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
                              unsigned long chtype)
 {
     CONF_VALUE *v;
-    int i, mval, spec_char, plus_char;
+    int i, mval;
     char *p, *type;
     if (!nm)
         return 0;
@@ -1161,26 +1318,25 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
         /*
          * Skip past any leading X. X: X, etc to allow for multiple instances
          */
-        for (p = type; *p; p++) {
+        for (p = type; *p; p++)
 #ifndef CHARSET_EBCDIC
-            spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
+            if ((*p == ':') || (*p == ',') || (*p == '.'))
 #else
-            spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
-                    || (*p == os_toascii['.']));
+            if ((*p == os_toascii[':']) || (*p == os_toascii[','])
+                || (*p == os_toascii['.']))
 #endif
-            if (spec_char) {
+            {
                 p++;
                 if (*p)
                     type = p;
                 break;
             }
-        }
 #ifndef CHARSET_EBCDIC
-        plus_char = (*type == '+');
+        if (*type == '+')
 #else
-        plus_char = (*type == os_toascii['+']);
+        if (*type == os_toascii['+'])
 #endif
-        if (plus_char) {
+        {
             mval = -1;
             type++;
         } else
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3err.c b/Cryptlib/OpenSSL/crypto/x509v3/v3err.c
index 5d79c8c6..bcc1be72 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3err.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3err.c
@@ -1,11 +1,62 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/x509v3/v3err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
  */
 
 #include <stdio.h>
@@ -20,62 +71,68 @@
 
 static ERR_STRING_DATA X509V3_str_functs[] = {
     {ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "a2i_GENERAL_NAME"},
-    {ERR_FUNC(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL),
-     "addr_validate_path_internal"},
     {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE),
-     "ASIdentifierChoice_canonize"},
+     "ASIDENTIFIERCHOICE_CANONIZE"},
     {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL),
-     "ASIdentifierChoice_is_canonical"},
-    {ERR_FUNC(X509V3_F_COPY_EMAIL), "copy_email"},
-    {ERR_FUNC(X509V3_F_COPY_ISSUER), "copy_issuer"},
-    {ERR_FUNC(X509V3_F_DO_DIRNAME), "do_dirname"},
-    {ERR_FUNC(X509V3_F_DO_EXT_I2D), "do_ext_i2d"},
-    {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "do_ext_nconf"},
-    {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "gnames_from_sectname"},
+     "ASIDENTIFIERCHOICE_IS_CANONICAL"},
+    {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
+    {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"},
+    {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"},
+    {ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"},
+    {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"},
+    {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"},
+    {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"},
+    {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"},
+    {ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"},
     {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"},
-    {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "i2s_ASN1_IA5STRING"},
+    {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"},
     {ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"},
     {ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS),
-     "i2v_AUTHORITY_INFO_ACCESS"},
-    {ERR_FUNC(X509V3_F_NOTICE_SECTION), "notice_section"},
-    {ERR_FUNC(X509V3_F_NREF_NOS), "nref_nos"},
-    {ERR_FUNC(X509V3_F_POLICY_SECTION), "policy_section"},
-    {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "process_pci_value"},
-    {ERR_FUNC(X509V3_F_R2I_CERTPOL), "r2i_certpol"},
-    {ERR_FUNC(X509V3_F_R2I_PCI), "r2i_pci"},
-    {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "s2i_ASN1_IA5STRING"},
+     "I2V_AUTHORITY_INFO_ACCESS"},
+    {ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"},
+    {ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"},
+    {ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"},
+    {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"},
+    {ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"},
+    {ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"},
+    {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"},
     {ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"},
     {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"},
-    {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "s2i_skey_id"},
-    {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "set_dist_point_name"},
+    {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"},
+    {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"},
+    {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"},
+    {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"},
     {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"},
     {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"},
     {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"},
     {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"},
     {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"},
-    {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "v2i_ASIdentifiers"},
+    {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"},
     {ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"},
     {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS),
-     "v2i_AUTHORITY_INFO_ACCESS"},
-    {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "v2i_AUTHORITY_KEYID"},
-    {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "v2i_BASIC_CONSTRAINTS"},
-    {ERR_FUNC(X509V3_F_V2I_CRLD), "v2i_crld"},
-    {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "v2i_EXTENDED_KEY_USAGE"},
+     "V2I_AUTHORITY_INFO_ACCESS"},
+    {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"},
+    {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"},
+    {ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"},
+    {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"},
     {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"},
     {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"},
-    {ERR_FUNC(X509V3_F_V2I_IDP), "v2i_idp"},
-    {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "v2i_IPAddrBlocks"},
-    {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "v2i_issuer_alt"},
-    {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "v2i_NAME_CONSTRAINTS"},
-    {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "v2i_POLICY_CONSTRAINTS"},
-    {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "v2i_POLICY_MAPPINGS"},
-    {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "v2i_subject_alt"},
-    {ERR_FUNC(X509V3_F_V2I_TLS_FEATURE), "v2i_TLS_FEATURE"},
-    {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "v3_generic_extension"},
+    {ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"},
+    {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"},
+    {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"},
+    {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"},
+    {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"},
+    {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"},
+    {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"},
+    {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL),
+     "V3_ADDR_VALIDATE_PATH_INTERNAL"},
+    {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"},
     {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"},
     {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"},
     {ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"},
     {ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"},
+    {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"},
+    {ERR_FUNC(X509V3_F_X509V3_EXT_FREE), "X509V3_EXT_free"},
     {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"},
     {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"},
     {ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"},
@@ -93,6 +150,8 @@ static ERR_STRING_DATA X509V3_str_reasons[] = {
     {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR), "bn dec2bn error"},
     {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR),
      "bn to asn1 integer error"},
+    {ERR_REASON(X509V3_R_CANNOT_FIND_FREE_FUNCTION),
+     "cannot find free function"},
     {ERR_REASON(X509V3_R_DIRNAME_ERROR), "dirname error"},
     {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
     {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID), "duplicate zone id"},
@@ -108,6 +167,7 @@ static ERR_STRING_DATA X509V3_str_reasons[] = {
      "extension setting not supported"},
     {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
     {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
+    {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT), "illegal hex digit"},
     {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),
      "incorrect policy syntax tag"},
     {ERR_REASON(X509V3_R_INVALID_ASNUMBER), "invalid asnumber"},
@@ -147,6 +207,7 @@ static ERR_STRING_DATA X509V3_str_reasons[] = {
      "no proxy cert policy language defined"},
     {ERR_REASON(X509V3_R_NO_PUBLIC_KEY), "no public key"},
     {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS), "no subject details"},
+    {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
     {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
     {ERR_REASON(X509V3_R_OTHERNAME_ERROR), "othername error"},
     {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED),
@@ -154,6 +215,8 @@ static ERR_STRING_DATA X509V3_str_reasons[] = {
     {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH), "policy path length"},
     {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED),
      "policy path length already defined"},
+    {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED),
+     "policy syntax not currently supported"},
     {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY),
      "policy when proxy language requires no policy"},
     {ERR_REASON(X509V3_R_SECTION_NOT_FOUND), "section not found"},
@@ -174,7 +237,7 @@ static ERR_STRING_DATA X509V3_str_reasons[] = {
 
 #endif
 
-int ERR_load_X509V3_strings(void)
+void ERR_load_X509V3_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
 
@@ -183,5 +246,4 @@ int ERR_load_X509V3_strings(void)
         ERR_load_strings(0, X509V3_str_reasons);
     }
 #endif
-    return 1;
 }