authorRamon Fernandez <ramon@mongodb.com>2018-01-31 11:37:12 -0500
committerRamon Fernandez <ramon@mongodb.com>2018-01-31 11:37:12 -0500
commitb5a16bea867890da4c649d791e79113fc29999ac (patch)
tree260c018094ce7e99ba23a3f944d230fc2de399e6 /src/mongo/gotools
parentda5520555faef9a2ba9b6c9ec80539ae95ad88a5 (diff)
Import tools: 4ec067b2ad33ffc54a558270f8506f8405382379 from branch master
ref: 49d61f9a36..4ec067b2ad for: 3.7.2 TOOLS-1765 mongoreplay crashes with out of memory recording from 8GB pcap file TOOLS-1773 Change mongoreplay encoding format TOOLS-1776 mongoreplay hangs on open connection when finishing playback TOOLS-1794 Add ability to filter a certain duration in mongoreplay TOOLS-1905 Need to update spacemonkeygo/openssl fork to support newer OpenSSL libraries TOOLS-1932 Incorrect shebang line for build.sh TOOLS-1938 Rationalize Evergreen build variants
Diffstat (limited to 'src/mongo/gotools')
-rw-r--r--src/mongo/gotools/Godeps2
-rwxr-xr-xsrc/mongo/gotools/build.sh2
-rw-r--r--src/mongo/gotools/common.yml316
-rw-r--r--src/mongo/gotools/common/db/openssl/openssl.go2
-rw-r--r--src/mongo/gotools/common/db/openssl/openssl_fips.go16
-rw-r--r--src/mongo/gotools/common/options/options_ssl.go2
-rw-r--r--src/mongo/gotools/import.data2
-rw-r--r--src/mongo/gotools/mongoreplay/filter.go85
-rw-r--r--src/mongo/gotools/mongoreplay/filter_test.go132
-rw-r--r--src/mongo/gotools/mongoreplay/mongo_op_handler.go1
-rw-r--r--src/mongo/gotools/mongoreplay/packet_handler.go18
-rw-r--r--src/mongo/gotools/mongoreplay/parallel_file_read_manager.go138
-rw-r--r--src/mongo/gotools/mongoreplay/play.go2
-rw-r--r--src/mongo/gotools/mongoreplay/playbackfile.go28
-rw-r--r--src/mongo/gotools/mongoreplay/record.go8
-rwxr-xr-xsrc/mongo/gotools/test.sh2
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/.gitignore1
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/AUTHORS22
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/LICENSE (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/LICENSE)0
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/README.md (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/README.md)6
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/bio.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/bio.go)110
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/build.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/build.go)14
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/build_static.go24
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert.go)53
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert_test.go)2
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers.go)56
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_gcm.go154
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers_test.go)4
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/conn.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/conn.go)48
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx.go)121
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx_test.go)2
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh.go68
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh_test.go48
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/dhparam.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/dhparam.go)31
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/digest.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/digest.go)8
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/engine.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/engine.go)4
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips.go66
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips_test.go35
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac.go91
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac_test.go74
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.c (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.c)22
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.go)21
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/http.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/http.go)2
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/init.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init.go)43
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_posix.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_posix.go)8
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_windows.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_windows.go)15
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/key.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key.go)247
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_0_9.go58
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0.go132
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0_test.go145
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key_test.go)4
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/mapping.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/mapping.go)4
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/net.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/net.go)37
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/nid.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/nid.go)9
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/password.c (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/password.c)0
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/pem.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/pem.go)2
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1.go)31
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1_test.go)8
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256.go)31
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256_test.go)8
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.c737
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.h172
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni.c (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni.c)2
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni_test.go)2
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl.go)41
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl_test.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl_test.go)27
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.c (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c)0
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.go)0
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/tickets.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.go)31
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/errors.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/errors.go)0
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/future.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/future.go)0
-rw-r--r--src/mongo/gotools/vendor/src/github.com/10gen/openssl/version.go (renamed from src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/version.go)0
-rw-r--r--src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/fips.go22
-rw-r--r--src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/oracle_stubs.go162
-rw-r--r--src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.c27
-rw-r--r--src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/verify.c31
76 files changed, 2774 insertions, 1105 deletions
diff --git a/src/mongo/gotools/Godeps b/src/mongo/gotools/Godeps
index 8a0702bafda..42f56e7f8c0 100644
--- a/src/mongo/gotools/Godeps
+++ b/src/mongo/gotools/Godeps
@@ -6,7 +6,7 @@ github.com/smartystreets/assertions 287b4346dc4e71a038c346375a9d572453bc469b
github.com/smartystreets/goconvey bf58a9a1291224109919756b4dcc469c670cc7e4
github.com/jessevdk/go-flags 97448c91aac742cbca3d020b3e769013a420a06f
github.com/3rf/mongo-lint 3550fdcf1f43b89aaeabaa4559eaae6dc4407e42
-github.com/spacemonkeygo/openssl 2869e8ca1a6eb35fb727f41611fd52b55cd0f49c github.com/10gen/openssl
+github.com/10gen/openssl e5c6dda7b7f225dfdfe0ebb966789017457e6afe
github.com/spacemonkeygo/spacelog f936fb050dc6b5fe4a96b485a6f069e8bdc59aeb
github.com/howeyc/gopass 44476384cd4721b68705e72f19e95d1a3a504370
github.com/nsf/termbox-go 0723e7c3d0a317dea811f0fbe4d6edd81908c971
diff --git a/src/mongo/gotools/build.sh b/src/mongo/gotools/build.sh
index 5c8fba2b1b4..9ca53c4f429 100755
--- a/src/mongo/gotools/build.sh
+++ b/src/mongo/gotools/build.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
set -o errexit
tags=""
if [ ! -z "$1" ]
diff --git a/src/mongo/gotools/common.yml b/src/mongo/gotools/common.yml
index 3f66412c12c..0c51c8ca668 100644
--- a/src/mongo/gotools/common.yml
+++ b/src/mongo/gotools/common.yml
@@ -1595,11 +1595,47 @@ tasks:
- func: "upload timeseries"
buildvariants:
+
+#######################################
+# Debian Buildvariants #
+#######################################
+
+- name: debian71
+ display_name: Debian 7.1
+ run_on:
+ - debian71-test
+ expansions:
+ gorootvars: PATH="/opt/go/bin:$PATH"
+ build_tags: "sasl ssl"
+ tasks:
+ - name: dist
+
+- name: debian81
+ display_name: Debian 8.1
+ run_on:
+ - debian81-test
+ expansions:
+ gorootvars: PATH="/opt/go/bin:$PATH"
+ build_tags: "sasl ssl"
+ tasks:
+ - name: dist
+
+- name: debian92
+ display_name: Debian 9.2
+ run_on:
+ - debian92-test
+ expansions:
+ gorootvars: PATH="/opt/go/bin:$PATH"
+ build_tags: "sasl ssl"
+ tasks:
+ - name: dist
+
#######################################
# macOS Buildvariant #
#######################################
+
- name: macOS-1012
- display_name: macOS 10.12 64-bit
+ display_name: MacOS 10.12
run_on:
- macos-1012
expansions:
@@ -1613,7 +1649,7 @@ buildvariants:
tasks: *macos_1012_tasks
- name: macOS-1012-ssl
- display_name: macOS 10.12 64-bit SSL
+ display_name: MacOS 10.12 SSL
run_on:
- macos-1012
expansions:
@@ -1622,18 +1658,72 @@ buildvariants:
mongo_os: "osx"
mongo_target: "osx-ssl"
arch: "osx/x86_64"
- build_tags: "ssl"
- edition: ssl
+ build_tags: "ssl openssl_pre_1.0"
excludes: requires_many_files
gorootvars: CGO_CPPFLAGS=-I/opt/mongodbtoolchain/v2/include CGO_CFLAGS=-mmacosx-version-min=10.10 CGO_LDFLAGS=-mmacosx-version-min=10.10
tasks: *macos_1012_ssl_tasks
#######################################
+# RHEL Buildvariants #
+#######################################
+
+- name: rhel62
+ display_name: RHEL 6.2
+ run_on:
+ - rhel62-test
+ expansions:
+ gorootvars: PATH="/opt/go/bin:$PATH"
+ build_tags: "sasl ssl"
+ tasks:
+ - name: dist
+
+- name: rhel70
+ display_name: RHEL 7.0
+ run_on:
+ - rhel70
+ expansions:
+ gorootvars: PATH="/opt/go/bin:$PATH"
+ build_tags: "sasl ssl"
+ tasks:
+ - name: dist
+
+#######################################
+# SUSE Buildvariants #
+#######################################
+
+- name: suse11
+ display_name: SUSE 11
+ run_on:
+ - suse11-test
+ expansions:
+ build_tags: "sasl ssl openssl_pre_1.0"
+ tasks:
+ - name: dist
+
+- name: suse12
+ display_name: SUSE 12
+ run_on:
+ - suse12-test
+ expansions:
+ build_tags: "sasl ssl"
+ tasks:
+ - name: dist
+
+#######################################
# Ubuntu Buildvariants #
#######################################
-- name: ubuntu
- display_name: Linux 64-bit
+- name: ubuntu1204
+ display_name: Ubuntu 12.04
+ run_on:
+ - ubuntu1204-test
+ expansions:
+ build_tags: "sasl ssl"
+ tasks:
+ - name: dist
+
+- name: ubuntu1404
+ display_name: Ubuntu 14.04
run_on:
- ubuntu1404-test
expansions:
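Review bot: The `openssl_pre_1.0` build tag added to `macOS-1012-ssl` (and to the new `suse11` variant lower in this hunk) has no comment saying which OpenSSL those hosts link against or when the tag can be dropped. Builds made with it presumably target an OpenSSL older than 1.0, which has no TLS 1.2 support, so this choice should be visible to whoever maintains the variants. I would add a line above each such `build_tags`, for example `# openssl_pre_1.0: host OpenSSL predates 1.0; remove once the toolchain ships a newer libssl`. Separately, `edition: ssl` is removed from `macOS-1012-ssl` while `ubuntu1404-ssl` keeps it; if any task keys off `edition`, confirm that the removal is intended.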
@@ -1641,14 +1731,14 @@ buildvariants:
<<: *mongo_default_startup_args
mongo_os: "ubuntu1404"
mongo_edition: "targeted"
- build_tags: "ssl"
+ build_tags: "sasl ssl"
arch: "linux/x86_64"
integration_test_args: integration
resmoke_args: --jobs $(grep -c ^processor /proc/cpuinfo)
tasks: *ubuntu1404_tasks
-- name: ubuntu-ssl
- display_name: Linux 64-bit SSL
+- name: ubuntu1404-ssl
+ display_name: Ubuntu 14.04 SSL
run_on:
- ubuntu1404-test
expansions:
@@ -1656,7 +1746,7 @@ buildvariants:
<<: *mongo_ssl_startup_args
mongo_os: "ubuntu1404"
mongo_edition: "enterprise"
- build_tags: "ssl"
+ build_tags: "sasl ssl"
edition: ssl
arch: "linux/x86_64"
smoke_use_ssl: --use-ssl
@@ -1666,7 +1756,7 @@ buildvariants:
tasks: *ubuntu1404_ssl_tasks
- name: ubuntu-enterprise
- display_name: Linux 64-bit Enterprise
+ display_name: Ubuntu 14.04 Enterprise
run_on:
- ubuntu1404-test
expansions:
@@ -1684,79 +1774,19 @@ buildvariants:
resmoke_args: --jobs $(grep -c ^processor /proc/cpuinfo)
tasks: *ubuntu1404_enterprise_tasks
-- name: rhel71-ppc64le-enterprise
- display_name: Linux PPC64LE RHEL 7.1 Enterprise
+- name: ubuntu1604
+ display_name: Ubuntu 16.04
run_on:
- - rhel71-power8-test
+ - ubuntu1604-test
expansions:
- <<: *mongod_default_startup_args
- <<: *mongo_default_startup_args
- mongo_os: "rhel71"
- mongo_edition: "enterprise"
- mongo_arch: "ppc64le"
- # RHEL 7.1 PPC64LE machines kerberos setup does not work for mongo-tools
- #args: ... libsasl2; build_tags "sasl ssl"
- args: -gccgoflags "$(pkg-config --libs --cflags libssl)"
- build_tags: 'ssl'
- resmoke_use_ssl: _ssl
- gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
- resmoke_args: -j 4
- excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
- multiversion_override: "skip"
- arch: "linux/ppc64le"
- edition: enterprise
- run_kinit: true
- integration_test_args: integration
- tasks: *rhel71_enterprise_tasks
-
-- name: rhel72-s390x-enterprise
- display_name: Linux s390x RHEL 7.2 Enterprise
- run_on:
- - rhel72-zseries-test
- expansions:
- <<: *mongod_default_startup_args
- <<: *mongo_default_startup_args
- mongo_os: "rhel72"
- mongo_edition: "enterprise"
- mongo_arch: "s390x"
- args: -gccgoflags "$(pkg-config --libs --cflags libssl libsasl2)"
build_tags: "sasl ssl"
- resmoke_use_ssl: _ssl
- gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
- excludes: requires_mmap_available,requires_mongo_24,requires_mongo_26,requires_mongo_30
- resmoke_args: -j 2
- multiversion_override: "skip"
- arch: "linux/s390x"
- edition: enterprise
- run_kinit: true
- integration_test_args: integration
- tasks: *rhel72_enterprise_tasks
-
-- name: ubuntu1604-arm64
- display_name: Linux ARM64 Ubuntu 16.04 SSL
- run_on:
- - ubuntu1604-arm64-small
- expansions:
- <<: *mongod_default_startup_args
- <<: *mongo_default_startup_args
- mongo_os: "ubuntu1604"
- mongo_edition: "targeted"
- mongo_arch: "arm64"
- args: -gccgoflags "$(pkg-config --libs --cflags libcrypto libssl)"
- build_tags: "ssl"
- resmoke_use_ssl: _ssl
- gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
- excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
- resmoke_args: -j 2
- multiversion_override: "skip"
- arch: "linux/arm64"
- edition: ssl
- integration_test_args: integration
- tasks: *ubuntu1604_ssl_tasks
+ tasks:
+ - name: dist
#######################################
# Windows Buildvariants #
#######################################
+
- name: windows-64
display_name: Windows 64-bit
run_on:
@@ -1822,84 +1852,98 @@ buildvariants:
tasks: *windows_64_enterprise_tasks
#######################################
-# Experimental Buildvariants #
+# ZAP Buildvariants #
#######################################
-- name: ubuntu-race
- stepback: false
- batchtime: 1440 # daily
- display_name: z Race Detector Linux 64-bit
+- name: rhel71-ppc64le-enterprise
+ display_name: ZAP PPC64LE RHEL 7.1 Enterprise
run_on:
- - ubuntu1404-test
+ - rhel71-power8-test
expansions:
<<: *mongod_default_startup_args
<<: *mongo_default_startup_args
- mongo_os: "ubuntu1404"
+ mongo_os: "rhel71"
mongo_edition: "enterprise"
- build_tags: "ssl"
- arch: "linux/x86_64"
- args: "-race"
- excludes: requires_large_ram
+ mongo_arch: "ppc64le"
+ # RHEL 7.1 PPC64LE machines kerberos setup does not work for mongo-tools
+ #args: ... libsasl2; build_tags "sasl ssl"
+ args: -gccgoflags "$(pkg-config --libs --cflags libssl)"
+ build_tags: 'ssl'
+ resmoke_use_ssl: _ssl
+ gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
+ resmoke_args: -j 4
+ excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
+ multiversion_override: "skip"
+ arch: "linux/ppc64le"
+ edition: enterprise
+ run_kinit: true
integration_test_args: integration
- tasks: *ubuntu1404_race_tasks
-
-#######################################
-# Dist only Buildvariants #
-#######################################
-
-- name: suse11
- display_name: SUSE 11 SSL
- run_on:
- - suse11-test
- expansions:
- build_tags: "sasl ssl"
- tasks:
- - name: dist
+ tasks: *rhel71_enterprise_tasks
-- name: suse12
- display_name: SUSE 12 SSL
+- name: rhel72-s390x-enterprise
+ display_name: ZAP s390x RHEL 7.2 Enterprise
run_on:
- - suse12-test
+ - rhel72-zseries-test
expansions:
+ <<: *mongod_default_startup_args
+ <<: *mongo_default_startup_args
+ mongo_os: "rhel72"
+ mongo_edition: "enterprise"
+ mongo_arch: "s390x"
+ args: -gccgoflags "$(pkg-config --libs --cflags libssl libsasl2)"
build_tags: "sasl ssl"
- tasks:
- - name: dist
+ resmoke_use_ssl: _ssl
+ gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
+ excludes: requires_mmap_available,requires_mongo_24,requires_mongo_26,requires_mongo_30
+ resmoke_args: -j 2
+ multiversion_override: "skip"
+ arch: "linux/s390x"
+ edition: enterprise
+ run_kinit: true
+ integration_test_args: integration
+ tasks: *rhel72_enterprise_tasks
-- name: rhel62
- display_name: RHEL 6.2 SSL
+- name: ubuntu1604-arm64
+ display_name: ZAP ARM64 Ubuntu 16.04 SSL
run_on:
- - rhel62-test
+ - ubuntu1604-arm64-small
expansions:
- gorootvars: PATH="/opt/go/bin:$PATH"
- build_tags: "sasl ssl"
- tasks:
- - name: dist
+ <<: *mongod_default_startup_args
+ <<: *mongo_default_startup_args
+ mongo_os: "ubuntu1604"
+ mongo_edition: "targeted"
+ mongo_arch: "arm64"
+ args: -gccgoflags "$(pkg-config --libs --cflags libcrypto libssl)"
+ build_tags: "ssl"
+ resmoke_use_ssl: _ssl
+ gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
+ excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
+ resmoke_args: -j 2
+ multiversion_override: "skip"
+ arch: "linux/arm64"
+ edition: ssl
+ integration_test_args: integration
+ tasks: *ubuntu1604_ssl_tasks
-- name: rhel70
- display_name: RHEL 7.0 SSL
- run_on:
- - rhel70
- expansions:
- gorootvars: PATH="/opt/go/bin:$PATH"
- build_tags: "sasl ssl"
- tasks:
- - name: dist
+#######################################
+# Experimental Buildvariants #
+#######################################
-- name: ubuntu1404
- display_name: Ubuntu 14.04 SSL
+- name: ubuntu-race
+ stepback: false
+ batchtime: 1440 # daily
+ display_name: z Race Detector Ubuntu 14.04
run_on:
- ubuntu1404-test
expansions:
+ <<: *mongod_default_startup_args
+ <<: *mongo_default_startup_args
+ mongo_os: "ubuntu1404"
+ mongo_edition: "enterprise"
build_tags: "sasl ssl"
- tasks:
- - name: dist
+ arch: "linux/x86_64"
+ args: "-race"
+ excludes: requires_large_ram
+ integration_test_args: integration
+ tasks: *ubuntu1404_race_tasks
-- name: debian71
- display_name: Debian 7.1 SSL
- run_on:
- - debian71-test
- expansions:
- gorootvars: PATH="/opt/go/bin:$PATH"
- build_tags: "sasl ssl"
- tasks:
- - name: dist
diff --git a/src/mongo/gotools/common/db/openssl/openssl.go b/src/mongo/gotools/common/db/openssl/openssl.go
index a3474e5276c..ce98204ff7e 100644
--- a/src/mongo/gotools/common/db/openssl/openssl.go
+++ b/src/mongo/gotools/common/db/openssl/openssl.go
@@ -12,11 +12,11 @@ import (
"net"
"time"
+ "github.com/10gen/openssl"
"github.com/mongodb/mongo-tools/common/db/kerberos"
"github.com/mongodb/mongo-tools/common/log"
"github.com/mongodb/mongo-tools/common/options"
"github.com/mongodb/mongo-tools/common/util"
- "github.com/spacemonkeygo/openssl"
"gopkg.in/mgo.v2"
)
diff --git a/src/mongo/gotools/common/db/openssl/openssl_fips.go b/src/mongo/gotools/common/db/openssl/openssl_fips.go
index 0d92d94919f..eb7fc5ff7e6 100644
--- a/src/mongo/gotools/common/db/openssl/openssl_fips.go
+++ b/src/mongo/gotools/common/db/openssl/openssl_fips.go
@@ -5,15 +5,23 @@
// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
// +build ssl
-// +build -darwin
package openssl
-import "github.com/spacemonkeygo/openssl"
+import (
+ "fmt"
-func init() { sslInitializationFunctions = append(sslInitializationFunctions, SetUpFIPSMode) }
+ "github.com/10gen/openssl"
+ "github.com/mongodb/mongo-tools/common/options"
+)
-func SetUpFIPSMode(opts *ToolOptions) error {
+func init() {
+ if openssl.FIPSModeDefined() {
+ sslInitializationFunctions = append(sslInitializationFunctions, SetUpFIPSMode)
+ }
+}
+
+func SetUpFIPSMode(opts options.ToolOptions) error {
if err := openssl.FIPSModeSet(opts.SSLFipsMode); err != nil {
return fmt.Errorf("couldn't set FIPS mode to %v: %v", opts.SSLFipsMode, err)
}
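Review bot: When `openssl.FIPSModeDefined()` returns false, `init` no longer registers `SetUpFIPSMode`, so as far as this hunk shows a run that requests FIPS mode continues without it and without any error. For a compliance control that is a fail-open path. I would register the function unconditionally and fail closed inside it, assuming `SSLFipsMode` is a bool: `if opts.SSLFipsMode && !openssl.FIPSModeDefined() { return fmt.Errorf("FIPS mode requested but not supported by this OpenSSL build") }`. The loop that runs `sslInitializationFunctions` and the rest of `SetUpFIPSMode` are outside the hunk, so check that the request is not already rejected elsewhere.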
diff --git a/src/mongo/gotools/common/options/options_ssl.go b/src/mongo/gotools/common/options/options_ssl.go
index 003550133f5..e65f7e81cce 100644
--- a/src/mongo/gotools/common/options/options_ssl.go
+++ b/src/mongo/gotools/common/options/options_ssl.go
@@ -8,7 +8,7 @@
package options
-import "github.com/spacemonkeygo/openssl"
+import "github.com/10gen/openssl"
func init() {
ConnectionOptFunctions = append(ConnectionOptFunctions, registerSSLOptions)
diff --git a/src/mongo/gotools/import.data b/src/mongo/gotools/import.data
index 44c72b566ba..2e8a9a3eb69 100644
--- a/src/mongo/gotools/import.data
+++ b/src/mongo/gotools/import.data
@@ -1,5 +1,5 @@
{
- "commit": "49d61f9a366a073a3d5a48c69bd1523f0b24f4ee",
+ "commit": "4ec067b2ad33ffc54a558270f8506f8405382379",
"github": "mongodb/mongo-tools.git",
"vendor": "tools",
"branch": "master"
diff --git a/src/mongo/gotools/mongoreplay/filter.go b/src/mongo/gotools/mongoreplay/filter.go
index 8ba38e2de7f..de8927a50c4 100644
--- a/src/mongo/gotools/mongoreplay/filter.go
+++ b/src/mongo/gotools/mongoreplay/filter.go
@@ -21,13 +21,34 @@ type FilterCommand struct {
OutFile string `description:"path to the output file to write to" short:"o" long:"outputFile"`
SplitFilePrefix string `description:"prefix file name to use for the output files being written when splitting traffic" long:"outfilePrefix"`
StartTime string `description:"ISO 8601 timestamp to remove all operations before" long:"startAt"`
+ Duration string `description:"truncate the end of the file after a certain duration from the time of the first seen operation" long:"duration"`
Split int `description:"split the traffic into n files with roughly equal numbers of connecitons in each" default:"1" long:"split"`
RemoveDriverOps bool `description:"remove driver issued operations from the playback" long:"removeDriverOps"`
Gzip bool `long:"gzip" description:"decompress gzipped input"`
+ duration time.Duration
startTime time.Time
}
+type skipConfig struct {
+ firstOpTime, lastOpTime *time.Time
+ truncateDuration *time.Duration
+ removeDriverOps bool
+}
+
+func newSkipConfig(removeDriverOps bool, startTime time.Time, truncateDuration time.Duration) *skipConfig {
+ skipConf := &skipConfig{
+ removeDriverOps: removeDriverOps,
+ }
+ if !startTime.IsZero() {
+ skipConf.firstOpTime = &startTime
+ }
+ if truncateDuration.Nanoseconds() != 0 {
+ skipConf.truncateDuration = &truncateDuration
+ }
+ return skipConf
+}
+
// Execute runs the program for the 'filter' subcommand
func (filter *FilterCommand) Execute(args []string) error {
err := filter.ValidateParams(args)
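Review bot: The help text for the new `Duration` field says the window is measured "from the time of the first seen operation", but `shouldFilterOp` (added further down in this file) starts it at the first operation that survives `--startAt`, and the text never states the accepted syntax. Suggested wording: `description:"keep only operations seen within this duration of the first operation retained (after --startAt, if given); Go duration syntax, e.g. 30s or 5m"`. `skipConfig` and `newSkipConfig` also have no doc comments; a short comment on the struct should say that nil `firstOpTime` and `truncateDuration` mean "no limit" and that `lastOpTime` is filled in lazily while filtering. `Execute` continues outside the hunk.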
@@ -65,7 +86,9 @@ func (filter *FilterCommand) Execute(args []string) error {
}
}
- if err := Filter(opChan, outfiles, filter.RemoveDriverOps, filter.startTime); err != nil {
+ skipConf := newSkipConfig(filter.RemoveDriverOps, filter.startTime, filter.duration)
+
+ if err := Filter(opChan, outfiles, skipConf); err != nil {
userInfoLogger.Logvf(Always, "Filter: %v\n", err)
}
@@ -79,8 +102,7 @@ func (filter *FilterCommand) Execute(args []string) error {
func Filter(opChan <-chan *RecordedOp,
outfiles []*PlaybackFileWriter,
- removeDriverOps bool,
- truncateTime time.Time) error {
+ skipConf *skipConfig) error {
opWriters := make([]chan<- *RecordedOp, len(outfiles))
errChan := make(chan error)
@@ -89,26 +111,19 @@ func Filter(opChan <-chan *RecordedOp,
for i := range outfiles {
opWriters[i] = newParallelPlaybackWriter(outfiles[i], errChan, wg)
}
+
for op := range opChan {
- // if specified, bypass driver operations
- if removeDriverOps {
- parsedOp, err := op.RawOp.Parse()
- if err != nil {
- return err
- }
- if IsDriverOp(parsedOp) {
- continue
- }
+ shouldSkip, err := skipConf.shouldFilterOp(op)
+ if err != nil {
+ return err
}
- // if specified, ignore ops before the given timestamp
- // if truncateTime not specified, it will be time zero and all
- // operation times will be greater than it
- if op.Seen.Time.Before(truncateTime) {
+ if shouldSkip {
continue
}
fileNum := op.SeenConnectionNum % int64(len(outfiles))
opWriters[fileNum] <- op
}
+
for _, opWriter := range opWriters {
close(opWriter)
}
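Review bot: The added `return err` inside the `for op := range opChan` loop leaves `Filter` before the `close(opWriter)` loop that follows. The goroutines behind `newParallelPlaybackWriter` are then presumably left waiting on their channels, and whatever was already queued may never be flushed to the output files. I would record the error and leave the loop instead, `filterErr = err; break`, let the close loop and the wait that presumably follows run, and return `filterErr` at the end. The end of `Filter` (the use of `wg` and `errChan`) is outside the hunk, so the exact placement of the final return needs checking there.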
@@ -175,5 +190,43 @@ func (filter *FilterCommand) ValidateParams(args []string) error {
}
filter.startTime = t
}
+
+ if filter.Duration != "" {
+ d, err := time.ParseDuration(filter.Duration)
+ if err != nil {
+ return fmt.Errorf("error parsing duration argument: %v", err)
+ }
+ filter.duration = d
+ }
+
return nil
}
+
+func (sc *skipConfig) shouldFilterOp(op *RecordedOp) (bool, error) {
+ // Skip ops until the target first time if specified
+ if sc.firstOpTime != nil && op.Seen.Before(*sc.firstOpTime) {
+ return true, nil
+ }
+
+ // Initialize target last op time based on first op kept after initial truncation
+ if sc.lastOpTime == nil && sc.truncateDuration != nil {
+ lastOpTime := op.Seen.Add(*sc.truncateDuration)
+ sc.lastOpTime = &lastOpTime
+ }
+
+ // Skip ops after a target last time if specified
+ if sc.lastOpTime != nil && op.Seen.After(*sc.lastOpTime) {
+ return true, nil
+ }
+
+ // Check if driver op
+ if sc.removeDriverOps {
+ parsedOp, err := op.RawOp.Parse()
+ if err != nil {
+ return true, err
+ }
+ return IsDriverOp(parsedOp), nil
+ }
+
+ return false, nil
+}
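Review bot: `ValidateParams` accepts any value that `time.ParseDuration` parses, including negative ones, and `newSkipConfig` treats only zero as "not set". With a negative `--duration`, `shouldFilterOp` sets `lastOpTime` earlier than the first kept operation, so every operation is `After` it and the output is silently empty. A negative value should be rejected right after parsing: `if d < 0 { return fmt.Errorf("duration argument must not be negative: %v", d) }`. `ValidateParams` begins outside the hunk.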
diff --git a/src/mongo/gotools/mongoreplay/filter_test.go b/src/mongo/gotools/mongoreplay/filter_test.go
index 0bb916125ed..5155f1556ee 100644
--- a/src/mongo/gotools/mongoreplay/filter_test.go
+++ b/src/mongo/gotools/mongoreplay/filter_test.go
@@ -82,8 +82,11 @@ func TestRemoveDriverOpsFromFile(t *testing.T) {
}
}()
+ skipConf := newSkipConfig(c.shouldRemoveDriverOps, time.Time{}, 0*time.Second)
+
// run Filter to remove the driver op from the file
- if err := Filter(generator.opChan, []*PlaybackFileWriter{playbackWriter}, c.shouldRemoveDriverOps, time.Time{}); err != nil {
+ if err := Filter(generator.opChan, []*PlaybackFileWriter{playbackWriter},
+ skipConf); err != nil {
t.Error(err)
}
@@ -180,8 +183,9 @@ func TestSplitInputFile(t *testing.T) {
close(opChan)
}()
+ skipConf := newSkipConfig(false, time.Time{}, 0*time.Second)
// run the main filter routine with the given input
- if err := Filter(opChan, outfiles, false, time.Time{}); err != nil {
+ if err := Filter(opChan, outfiles, skipConf); err != nil {
t.Error(err)
}
@@ -277,8 +281,10 @@ func TestRemoveOpsBeforeTime(t *testing.T) {
close(inputOpChan)
}()
+ skipConf := newSkipConfig(false, c.timeToTruncateBefore, 0*time.Second)
+
// run the main filter routine with the given input
- if err := Filter(inputOpChan, []*PlaybackFileWriter{playbackWriter}, false, c.timeToTruncateBefore); err != nil {
+ if err := Filter(inputOpChan, []*PlaybackFileWriter{playbackWriter}, skipConf); err != nil {
t.Error(err)
}
@@ -308,6 +314,126 @@ func TestRemoveOpsBeforeTime(t *testing.T) {
}
}
+func TestRemoveOpsAfterDuration(t *testing.T) {
+ // array of times to use for testing
+ timesForTest := make([]time.Time, 16)
+ now := time.Now()
+ for i := range timesForTest {
+ timesForTest[i] = now.Add(time.Second * time.Duration(i))
+ }
+
+ cases := []struct {
+ name string
+
+ durationToTruncateAfter time.Duration
+ timeToTruncateBefore time.Time
+ timesOfRecordedOps []time.Time
+
+ numOpsExpectedAfterFilter int
+ }{
+ {
+ "no truncation",
+
+ time.Second * 0,
+ time.Time{},
+ timesForTest,
+ 16,
+ },
+ {
+ "truncate all but one",
+
+ time.Nanosecond * 1,
+ time.Time{},
+ timesForTest,
+ 1,
+ },
+ {
+ "truncate half",
+
+ (time.Second * time.Duration(len(timesForTest)/2-1)),
+ time.Time{},
+ timesForTest,
+
+ 8,
+ },
+ {
+ "truncate after duration with initial truncation",
+
+ (time.Second * time.Duration(len(timesForTest)/2-1)),
+ timesForTest[3],
+ timesForTest,
+
+ 8,
+ },
+ }
+ for _, c := range cases {
+ t.Logf("running case: %s\n", c.name)
+ t.Logf("initial time is: %v\n", now)
+ t.Logf("duration is %v\n", c.durationToTruncateAfter)
+ t.Logf("time to truncate before is %v\n", c.timeToTruncateBefore)
+
+ // create a bytes buffer to write output into
+ b := &bytes.Buffer{}
+ bufferFile := NopWriteCloser(b)
+
+ playbackWriter, err := playbackFileWriterFromWriteCloser(bufferFile, "file", PlaybackFileMetadata{})
+ if err != nil {
+ t.Fatalf("couldn't create playbackfile writer %v", err)
+ }
+
+ //create a recorded op for each time specified
+ inputOpChan := make(chan *RecordedOp)
+ go func() {
+ generator := newRecordedOpGenerator()
+ generator.generateInsertHelper("insert", 0, len(c.timesOfRecordedOps))
+ close(generator.opChan)
+ i := 0
+ for recordedOp := range generator.opChan {
+ recordedOp.Seen = &PreciseTime{c.timesOfRecordedOps[i]}
+ inputOpChan <- recordedOp
+ i++
+ }
+ close(inputOpChan)
+ }()
+
+ skipConf := newSkipConfig(false, c.timeToTruncateBefore, c.durationToTruncateAfter)
+ // run the main filter routine with the given input
+ if err := Filter(inputOpChan, []*PlaybackFileWriter{playbackWriter}, skipConf); err != nil {
+ t.Error(err)
+ }
+
+ rs := bytes.NewReader(b.Bytes())
+ playbackReader, err := playbackFileReaderFromReadSeeker(rs, "")
+ if err != nil {
+ t.Fatalf("couldn't create playbackfile reader %v", err)
+ }
+ resultOpChan, errChan := playbackReader.OpChan(1)
+
+ numOpsSeen := 0
+ for op := range resultOpChan {
+ numOpsSeen++
+ var endTime time.Time
+ if c.timeToTruncateBefore.After(now) {
+ endTime = c.timeToTruncateBefore.Add(c.durationToTruncateAfter)
+ } else {
+ endTime = now.Add(c.durationToTruncateAfter)
+ }
+ if c.durationToTruncateAfter.Nanoseconds() != 0 && op.Seen.Time.After(endTime) {
+ t.Errorf("execpected op with time %v to be truncated", op.Seen.Time)
+ }
+ }
+
+ if numOpsSeen != c.numOpsExpectedAfterFilter {
+ t.Errorf("expected to see %d ops but instead saw %d", c.numOpsExpectedAfterFilter, numOpsSeen)
+ }
+
+ err = <-errChan
+ if err != io.EOF {
+ t.Errorf("should have eof at end, but got %v", err)
+ }
+ }
+}
+
// convienence function for adding a close method to an io.Writer
func NopWriteCloser(w io.Writer) io.WriteCloser {
return &nopWriteCloser{w}
diff --git a/src/mongo/gotools/mongoreplay/mongo_op_handler.go b/src/mongo/gotools/mongoreplay/mongo_op_handler.go
index c1a50603b30..776b1eca2d7 100644
--- a/src/mongo/gotools/mongoreplay/mongo_op_handler.go
+++ b/src/mongo/gotools/mongoreplay/mongo_op_handler.go
@@ -24,6 +24,7 @@ type OpStreamSettings struct {
CaptureBufSize int `long:"capSize" description:"Size in KiB of the PCAP capture buffer"`
Expression string `short:"e" long:"expr" description:"BPF filter expression to apply to packets"`
NetworkInterface string `short:"i" description:"network interface to listen on"`
+ MaxBufferedPages int `long:"maxBufferedPages" description:"maximum number of memory pages to store when buffering packets. The cache size is unlimited if not set"`
}
// tcpassembly.Stream implementation.
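Review bot: The new `MaxBufferedPages` field keeps packet buffering unbounded by default, since its own description says the cache is unlimited when the flag is not set. The out-of-memory crash the commit message lists (TOOLS-1765) therefore remains the default behaviour, and a capture with many out-of-order or missing segments can still grow the buffer without limit. The description also gives no page size, so an operator cannot turn the value into a memory budget. Consider a finite default, or at least extend the description, for example `description:"maximum number of memory pages to buffer while reassembling packets (0 = unlimited); see docs for page size"`.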
diff --git a/src/mongo/gotools/mongoreplay/packet_handler.go b/src/mongo/gotools/mongoreplay/packet_handler.go
index d38b1540847..86fa4e0adde 100644
--- a/src/mongo/gotools/mongoreplay/packet_handler.go
+++ b/src/mongo/gotools/mongoreplay/packet_handler.go
@@ -18,17 +18,19 @@ import (
// PacketHandler wraps pcap.Handle to maintain other useful information.
type PacketHandler struct {
- Verbose bool
- pcap *pcap.Handle
- numDropped int64
- stop chan struct{}
+ Verbose bool
+ pcap *pcap.Handle
+ assemblerOptions AssemblerOptions
+ numDropped int64
+ stop chan struct{}
}
// NewPacketHandler initializes a new PacketHandler
-func NewPacketHandler(pcapHandle *pcap.Handle) *PacketHandler {
+func NewPacketHandler(pcapHandle *pcap.Handle, assemblerOptions AssemblerOptions) *PacketHandler {
return &PacketHandler{
- pcap: pcapHandle,
- stop: make(chan struct{}),
+ pcap: pcapHandle,
+ assemblerOptions: assemblerOptions,
+ stop: make(chan struct{}),
}
}
@@ -66,6 +68,8 @@ func (p *PacketHandler) Handle(streamHandler StreamHandler, numToHandle int) err
source := gopacket.NewPacketSource(p.pcap, p.pcap.LinkType())
streamPool := NewStreamPool(streamHandler)
assembler := NewAssembler(streamPool)
+ assembler.AssemblerOptions = p.assemblerOptions
+
defer func() {
if userInfoLogger.isInVerbosity(DebugLow) {
userInfoLogger.Logv(DebugLow, "flushing assembler.")
diff --git a/src/mongo/gotools/mongoreplay/parallel_file_read_manager.go b/src/mongo/gotools/mongoreplay/parallel_file_read_manager.go
new file mode 100644
index 00000000000..f87f0c2fab3
--- /dev/null
+++ b/src/mongo/gotools/mongoreplay/parallel_file_read_manager.go
@@ -0,0 +1,138 @@
+// Copyright (C) MongoDB, Inc. 2014-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package mongoreplay
+
+import (
+ "io"
+ "sync"
+
+ "github.com/10gen/llmgo/bson"
+)
+
+type parallelFileReadManager struct {
+ fileReadErr error
+ parseJobsChan chan *parseJob
+ workerResultManagers []workerResultManager
+ stopChan chan struct{}
+ currentWorkerResultManagerIndex int
+}
+
+type parseJob struct {
+ rawDoc []byte
+ workerResultManager workerResultManager
+}
+
+type workerResultManager struct {
+ resultChan chan *recordedOpResult
+ available chan struct{}
+}
+
+type recordedOpResult struct {
+ recordedOp *RecordedOp
+ err error
+}
+
+func (pm *parallelFileReadManager) runFileReader(numWorkers int, reader io.Reader) {
+ currentWorkerResultManagerIndex := 0
+ go func() {
+ defer close(pm.parseJobsChan)
+ for {
+ currentWorkerResultManager := pm.workerResultManagers[currentWorkerResultManagerIndex]
+ currentWorkerResultManagerIndex = (currentWorkerResultManagerIndex + 1) % numWorkers
+ nextDoc, err := ReadDocument(reader)
+ if err != nil {
+ if err == io.EOF {
+ return
+ }
+ pm.fileReadErr = err
+ close(pm.stopChan)
+ return
+ }
+
+ <-currentWorkerResultManager.available
+ pm.parseJobsChan <- &parseJob{
+ rawDoc: nextDoc,
+ workerResultManager: currentWorkerResultManager,
+ }
+ }
+ }()
+}
+
+func (pm *parallelFileReadManager) runParsePool(numWorkers int) {
+ wg := &sync.WaitGroup{}
+ for i := 0; i < numWorkers; i++ {
+ wg.Add(1)
+ go runParseWorker(pm.parseJobsChan, wg, pm.stopChan)
+ }
+ go func() {
+ wg.Wait()
+ for _, workerResultManager := range pm.workerResultManagers {
+ close(workerResultManager.resultChan)
+ close(workerResultManager.available)
+ }
+ }()
+}
+
+func runParseWorker(parseJobsChan chan *parseJob, wg *sync.WaitGroup, stop chan struct{}) {
+ defer wg.Done()
+ for parseJob := range parseJobsChan {
+ doc := new(RecordedOp)
+ err := bson.Unmarshal(parseJob.rawDoc, doc)
+
+ result := &recordedOpResult{
+ err: err,
+ recordedOp: doc,
+ }
+
+ select {
+ case parseJob.workerResultManager.resultChan <- result:
+ parseJob.workerResultManager.available <- struct{}{}
+ case <-stop:
+ return
+ }
+ }
+
+}
+
+// begin initiates all aspects of the parallelFileReadManager. begin sets up the
+// channels that work will be communicated on, starts the goroutine that will
+// read through the file, and spawns the pool of goroutines that will parse
+// the file in parallel.
+func (pm *parallelFileReadManager) begin(numWorkers int, reader io.Reader) {
+ pm.workerResultManagers = make([]workerResultManager, numWorkers)
+ for i := 0; i < numWorkers; i++ {
+ pm.workerResultManagers[i] = workerResultManager{
+ resultChan: make(chan *recordedOpResult),
+ available: make(chan struct{}, 1),
+ }
+ pm.workerResultManagers[i].available <- struct{}{}
+ }
+
+ pm.parseJobsChan = make(chan *parseJob, numWorkers)
+ pm.stopChan = make(chan struct{})
+
+ pm.runFileReader(numWorkers, reader)
+ pm.runParsePool(numWorkers)
+}
+
+// next is the function to be called to fetch each document from the file reader.
+// It returns the next document parsed from the input file. next is not safe to
+// call from a multi-threaded context.
+func (pm *parallelFileReadManager) next() (*RecordedOp, error) {
+ currentWorkerResultManager := pm.workerResultManagers[pm.currentWorkerResultManagerIndex]
+ recordedOpResult := <-currentWorkerResultManager.resultChan
+ if recordedOpResult == nil {
+ return nil, io.EOF
+ }
+
+ pm.currentWorkerResultManagerIndex = (pm.currentWorkerResultManagerIndex + 1) % len(pm.workerResultManagers)
+ return recordedOpResult.recordedOp, recordedOpResult.err
+}
+
+func (pm *parallelFileReadManager) err() error {
+ return pm.fileReadErr
+}
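Review bot: A failed read in `runFileReader` can reach the consumer as a clean `io.EOF`. The goroutine stores `pm.fileReadErr` and closes `stopChan`, the workers exit, `runParsePool` closes every `resultChan`, and `next()` turns the resulting nil receive into `io.EOF`. The only other check is the `err()` poll in the `OpChan` hunk of playbackfile.go, which runs before each `NextRecordedOp` call and reads `fileReadErr` without synchronisation against that write, so a truncated or corrupt playback file may be reported as fully read. A read inside `next()` after the nil receive is ordered by the channel closes, so adding `if pm.fileReadErr != nil { return nil, pm.fileReadErr }` just before `return nil, io.EOF` would surface the error reliably.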
diff --git a/src/mongo/gotools/mongoreplay/play.go b/src/mongo/gotools/mongoreplay/play.go
index 440f25be858..6eb3617f874 100644
--- a/src/mongo/gotools/mongoreplay/play.go
+++ b/src/mongo/gotools/mongoreplay/play.go
@@ -77,6 +77,8 @@ func (play *PlayCommand) Execute(args []string) error {
context := NewExecutionContext(statColl, session, &ExecutionOptions{fullSpeed: play.FullSpeed,
driverOpsFiltered: playbackFileReader.metadata.DriverOpsFiltered})
+ session.SetPoolLimit(-1)
+
var opChan <-chan *RecordedOp
var errChan <-chan error
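Review bot: The `session.SetPoolLimit(-1)` call carries no comment explaining the magic value or why the socket cap is changed for playback. Presumably a non-positive limit removes the per-server cap in the vendored driver, in which case a recording with many connections will open that many sockets against the target, and the replay host and the server both need file-descriptor headroom. If that is the intent, say so next to the call, e.g. `// non-positive limit removes the per-server socket cap; playback needs one socket per recorded connection`. Execute starts and ends outside this hunk.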
diff --git a/src/mongo/gotools/mongoreplay/playbackfile.go b/src/mongo/gotools/mongoreplay/playbackfile.go
index ca028eeaaf3..a5224d27f56 100644
--- a/src/mongo/gotools/mongoreplay/playbackfile.go
+++ b/src/mongo/gotools/mongoreplay/playbackfile.go
@@ -11,6 +11,7 @@ import (
"fmt"
"io"
"os"
+ "runtime"
"time"
"github.com/10gen/llmgo/bson"
@@ -28,9 +29,9 @@ type PlaybackFileMetadata struct {
// which is just an io.ReadCloser.
type PlaybackFileReader struct {
io.ReadSeeker
- fname string
-
- metadata PlaybackFileMetadata
+ fname string
+ parallelFileReadManager *parallelFileReadManager
+ metadata PlaybackFileMetadata
}
// PlaybackFileWriter stores the necessary information for a playback destination,
@@ -68,7 +69,6 @@ func NewPlaybackFileReader(filename string, gzip bool) (*PlaybackFileReader, err
}
func playbackFileReaderFromReadSeeker(rs io.ReadSeeker, filename string) (*PlaybackFileReader, error) {
-
// read the metadata from the file
metadata := new(PlaybackFileMetadata)
err := bsonFromReader(rs, metadata)
@@ -84,18 +84,16 @@ func playbackFileReaderFromReadSeeker(rs io.ReadSeeker, filename string) (*Playb
}, nil
}
+func (pfReader *PlaybackFileReader) beginParallelRead() {
+ pfReader.parallelFileReadManager = &parallelFileReadManager{}
+ numWorkers := runtime.NumCPU()
+ pfReader.parallelFileReadManager.begin(numWorkers, pfReader.ReadSeeker)
+}
+
// NextRecordedOp iterates through the PlaybackFileReader to yield the next
// RecordedOp. It returns io.EOF when successfully complete.
func (file *PlaybackFileReader) NextRecordedOp() (*RecordedOp, error) {
- doc := new(RecordedOp)
- err := bsonFromReader(file, doc)
- if err != nil {
- if err != io.EOF {
- err = fmt.Errorf("ReadDocument Error: %v", err)
- }
- return nil, err
- }
- return doc, nil
+ return file.parallelFileReadManager.next()
}
// NewPlaybackFileWriter initializes a new PlaybackFileWriter
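Review bot: `NextRecordedOp` now dereferences `file.parallelFileReadManager` unconditionally, and that field is assigned only in `beginParallelRead`. Any caller that invokes this exported method on a reader before `OpChan` has started the parallel read would hit a nil-pointer panic inside `next()`. A guard at the top keeps the previous contract: `if file.parallelFileReadManager == nil { file.beginParallelRead() }`. The rewrite also drops the `ReadDocument Error: %v` wrapping, so errors now reach callers unprefixed; whether any caller depends on that text is not visible here.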
@@ -196,8 +194,12 @@ func (pfReader *PlaybackFileReader) OpChan(repeat int) (<-chan *RecordedOp, <-ch
return fmt.Errorf("bson read error: %v", err)
}
+ pfReader.beginParallelRead()
var order int64
for {
+ if err = pfReader.parallelFileReadManager.err(); err != nil {
+ return err
+ }
recordedOp, err := pfReader.NextRecordedOp()
if err != nil {
if err == io.EOF {
diff --git a/src/mongo/gotools/mongoreplay/record.go b/src/mongo/gotools/mongoreplay/record.go
index e79ac136443..125e2893843 100644
--- a/src/mongo/gotools/mongoreplay/record.go
+++ b/src/mongo/gotools/mongoreplay/record.go
@@ -94,8 +94,11 @@ func getOpstream(cfg OpStreamSettings) (*packetHandlerContext, error) {
return nil, fmt.Errorf("error setting packet filter expression: %v", err)
}
}
+ assemblerOptions := AssemblerOptions{
+ MaxBufferedPagesTotal: cfg.MaxBufferedPages,
+ }
- h := NewPacketHandler(pcapHandle)
+ h := NewPacketHandler(pcapHandle, assemblerOptions)
h.Verbose = userInfoLogger.isInVerbosity(DebugLow)
toolDebugLogger.Logvf(Info, "Created packet buffer size %d", cfg.PacketBufSize)
@@ -119,6 +122,9 @@ func (record *RecordCommand) ValidateParams(args []string) error {
// default capture buffer size to 2 MiB (same as libpcap)
record.OpStreamSettings.CaptureBufSize = 2 * 1024
}
+ if record.OpStreamSettings.MaxBufferedPages < 0 {
+ return fmt.Errorf("bufferedPagesMax cannot be less than 0")
+ }
return nil
}
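Review bot: The error text in the new check names `bufferedPagesMax`, but the option added in mongo_op_handler.go is `maxBufferedPages`, so a user who passes a negative value is pointed at a flag that does not exist. Use `return fmt.Errorf("maxBufferedPages cannot be less than 0")`. ValidateParams starts outside this hunk.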
diff --git a/src/mongo/gotools/test.sh b/src/mongo/gotools/test.sh
index 6cbf06fb438..6ea8bafebab 100755
--- a/src/mongo/gotools/test.sh
+++ b/src/mongo/gotools/test.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
set -o errexit
tags=""
if [ ! -z "$1" ]
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/.gitignore b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/.gitignore
new file mode 100644
index 00000000000..805d350b7e5
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/.gitignore
@@ -0,0 +1 @@
+openssl.test
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/AUTHORS b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/AUTHORS
new file mode 100644
index 00000000000..ad3a8ae8153
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/AUTHORS
@@ -0,0 +1,22 @@
+Andrew Brampton <github@bramp.net>
+Anton Baklanov <antonbaklanov@gmail.com>
+Carlos Martín Nieto <cmn@dwim.me>
+Charles Strahan <charles@cstrahan.com>
+Christopher Dudley <chris@github.chrisdudley.xyz>
+Christopher Fredericks <cfredmakecode@gmail.com>
+Colin Misare
+dequis <dx@dxzone.com.ar>
+Gabriel Russell <gabriel.russell@mongodb.com>
+Giulio <programmatore@ditieri.it>
+Jakob Unterwurzacher <jakobunt@gmail.com>
+Juuso Haavisto <juuso@mail.com>
+kujenga <ataylor0123@gmail.com>
+Phus Lu <phuslu@hotmail.com>
+Russ Egan <russ@safemonk.com>
+Ryan Hileman <lunixbochs@gmail.com>
+Scott J. Goldman <scottjg@github.com>
+Scott Kidder <skidder@brightcove.com>
+Space Monkey, Inc <hello@spacemonkey.com>
+Stephen Gallagher <sgallagh@redhat.com>
+Viacheslav Biriukov <v.v.biriukov@gmail.com>
+Zack Owens <zowens2009@gmail.com> \ No newline at end of file
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/LICENSE b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/LICENSE
index 37ec93a14fd..37ec93a14fd 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/LICENSE
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/LICENSE
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/README.md b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/README.md
index 6bd3383a0e8..854df05ae92 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/README.md
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/README.md
@@ -4,7 +4,7 @@ Please see http://godoc.org/github.com/spacemonkeygo/openssl for more info
### License
-Copyright (C) 2014 Space Monkey, Inc.
+Copyright (C) 2017. See AUTHORS.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -18,6 +18,10 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
+### Using on macOS
+1. Install [homebrew](http://brew.sh/)
+2. `$ brew install openssl` or `$ brew install openssl@1.1`
+
### Using on Windows
1. Install [mingw-w64](http://mingw-w64.sourceforge.net/)
2. Install [pkg-config-lite](http://sourceforge.net/projects/pkgconfiglite)
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/bio.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/bio.go
index 8d0da8998eb..9fe32aa8032 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/bio.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/bio.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,56 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-/*
-#include <string.h>
-#include <openssl/bio.h>
-
-extern int cbioNew(BIO *b);
-static int cbioFree(BIO *b) {
- return 1;
-}
-
-extern int writeBioWrite(BIO *b, char *buf, int size);
-extern long writeBioCtrl(BIO *b, int cmd, long arg1, void *arg2);
-static int writeBioPuts(BIO *b, const char *str) {
- return writeBioWrite(b, (char*)str, (int)strlen(str));
-}
-
-extern int readBioRead(BIO *b, char *buf, int size);
-extern long readBioCtrl(BIO *b, int cmd, long arg1, void *arg2);
-
-static BIO_METHOD writeBioMethod = {
- BIO_TYPE_SOURCE_SINK,
- "Go Write BIO",
- (int (*)(BIO *, const char *, int))writeBioWrite,
- NULL,
- writeBioPuts,
- NULL,
- writeBioCtrl,
- cbioNew,
- cbioFree,
- NULL};
-
-static BIO_METHOD* BIO_s_writeBio() { return &writeBioMethod; }
-
-static BIO_METHOD readBioMethod = {
- BIO_TYPE_SOURCE_SINK,
- "Go Read BIO",
- NULL,
- readBioRead,
- NULL,
- NULL,
- readBioCtrl,
- cbioNew,
- cbioFree,
- NULL};
-
-static BIO_METHOD* BIO_s_readBio() { return &readBioMethod; }
-*/
+// #include "shim.h"
import "C"
import (
@@ -89,16 +42,6 @@ func nonCopyCString(data *C.char, size C.int) []byte {
return nonCopyGoBytes(uintptr(unsafe.Pointer(data)), int(size))
}
-//export cbioNew
-func cbioNew(b *C.BIO) C.int {
- b.shutdown = 1
- b.init = 1
- b.num = -1
- b.ptr = nil
- b.flags = 0
- return 1
-}
-
var writeBioMapping = newMapping()
type writeBio struct {
@@ -109,21 +52,20 @@ type writeBio struct {
}
func loadWritePtr(b *C.BIO) *writeBio {
- return (*writeBio)(writeBioMapping.Get(token(b.ptr)))
+ t := token(C.X_BIO_get_data(b))
+ return (*writeBio)(writeBioMapping.Get(t))
}
func bioClearRetryFlags(b *C.BIO) {
- // from BIO_clear_retry_flags and BIO_clear_flags
- b.flags &= ^(C.BIO_FLAGS_RWS | C.BIO_FLAGS_SHOULD_RETRY)
+ C.X_BIO_clear_flags(b, C.BIO_FLAGS_RWS|C.BIO_FLAGS_SHOULD_RETRY)
}
func bioSetRetryRead(b *C.BIO) {
- // from BIO_set_retry_read and BIO_set_flags
- b.flags |= (C.BIO_FLAGS_READ | C.BIO_FLAGS_SHOULD_RETRY)
+ C.X_BIO_set_flags(b, C.BIO_FLAGS_READ|C.BIO_FLAGS_SHOULD_RETRY)
}
-//export writeBioWrite
-func writeBioWrite(b *C.BIO, data *C.char, size C.int) (rc C.int) {
+//export go_write_bio_write
+func go_write_bio_write(b *C.BIO, data *C.char, size C.int) (rc C.int) {
defer func() {
if err := recover(); err != nil {
logger.Critf("openssl: writeBioWrite panic'd: %v", err)
@@ -141,8 +83,8 @@ func writeBioWrite(b *C.BIO, data *C.char, size C.int) (rc C.int) {
return size
}
-//export writeBioCtrl
-func writeBioCtrl(b *C.BIO, cmd C.int, arg1 C.long, arg2 unsafe.Pointer) (
+//export go_write_bio_ctrl
+func go_write_bio_ctrl(b *C.BIO, cmd C.int, arg1 C.long, arg2 unsafe.Pointer) (
rc C.long) {
defer func() {
if err := recover(); err != nil {
@@ -197,15 +139,15 @@ func (b *writeBio) WriteTo(w io.Writer) (rv int64, err error) {
func (self *writeBio) Disconnect(b *C.BIO) {
if loadWritePtr(b) == self {
- writeBioMapping.Del(token(b.ptr))
- b.ptr = nil
+ writeBioMapping.Del(token(C.X_BIO_get_data(b)))
+ C.X_BIO_set_data(b, nil)
}
}
func (b *writeBio) MakeCBIO() *C.BIO {
- rv := C.BIO_new(C.BIO_s_writeBio())
+ rv := C.X_BIO_new_write_bio()
token := writeBioMapping.Add(unsafe.Pointer(b))
- rv.ptr = unsafe.Pointer(token)
+ C.X_BIO_set_data(rv, unsafe.Pointer(token))
return rv
}
@@ -220,14 +162,14 @@ type readBio struct {
}
func loadReadPtr(b *C.BIO) *readBio {
- return (*readBio)(readBioMapping.Get(token(b.ptr)))
+ return (*readBio)(readBioMapping.Get(token(C.X_BIO_get_data(b))))
}
-//export readBioRead
-func readBioRead(b *C.BIO, data *C.char, size C.int) (rc C.int) {
+//export go_read_bio_read
+func go_read_bio_read(b *C.BIO, data *C.char, size C.int) (rc C.int) {
defer func() {
if err := recover(); err != nil {
- logger.Critf("openssl: readBioRead panic'd: %v", err)
+ logger.Critf("openssl: go_read_bio_read panic'd: %v", err)
rc = -1
}
}()
@@ -256,8 +198,8 @@ func readBioRead(b *C.BIO, data *C.char, size C.int) (rc C.int) {
return C.int(n)
}
-//export readBioCtrl
-func readBioCtrl(b *C.BIO, cmd C.int, arg1 C.long, arg2 unsafe.Pointer) (
+//export go_read_bio_ctrl
+func go_read_bio_ctrl(b *C.BIO, cmd C.int, arg1 C.long, arg2 unsafe.Pointer) (
rc C.long) {
defer func() {
@@ -316,16 +258,16 @@ func (b *readBio) ReadFromOnce(r io.Reader) (n int, err error) {
}
func (b *readBio) MakeCBIO() *C.BIO {
- rv := C.BIO_new(C.BIO_s_readBio())
+ rv := C.X_BIO_new_read_bio()
token := readBioMapping.Add(unsafe.Pointer(b))
- rv.ptr = unsafe.Pointer(token)
+ C.X_BIO_set_data(rv, unsafe.Pointer(token))
return rv
}
func (self *readBio) Disconnect(b *C.BIO) {
if loadReadPtr(b) == self {
- readBioMapping.Del(token(b.ptr))
- b.ptr = nil
+ readBioMapping.Del(token(C.X_BIO_get_data(b)))
+ C.X_BIO_set_data(b, nil)
}
}
@@ -343,7 +285,7 @@ func (b *anyBio) Read(buf []byte) (n int, err error) {
if len(buf) == 0 {
return 0, nil
}
- n = int(C.BIO_read((*C.BIO)(b), unsafe.Pointer(&buf[0]), C.int(len(buf))))
+ n = int(C.X_BIO_read((*C.BIO)(b), unsafe.Pointer(&buf[0]), C.int(len(buf))))
if n <= 0 {
return 0, io.EOF
}
@@ -354,7 +296,7 @@ func (b *anyBio) Write(buf []byte) (written int, err error) {
if len(buf) == 0 {
return 0, nil
}
- n := int(C.BIO_write((*C.BIO)(b), unsafe.Pointer(&buf[0]),
+ n := int(C.X_BIO_write((*C.BIO)(b), unsafe.Pointer(&buf[0]),
C.int(len(buf))))
if n != len(buf) {
return n, errors.New("BIO write failed")
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/build.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/build.go
index 0425aa5f368..d286163ffcb 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/build.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/build.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,13 +12,13 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
+// +build !openssl_static
package openssl
-// #cgo linux pkg-config: openssl
-// #cgo windows CFLAGS: -DWIN32_LEAN_AND_MEAN
-// #cgo windows LDFLAGS: -lcrypt32
-// #cgo darwin CFLAGS: -Wno-deprecated-declarations
-// #cgo darwin LDFLAGS: -lssl -lcrypto -framework CoreFoundation -framework Foundation -framework Security
+// #cgo linux darwin pkg-config: openssl
+// #cgo CFLAGS: -Wno-deprecated-declarations
+// #cgo windows CFLAGS: -DWIN32_LEAN_AND_MEAN -I"c:/openssl/include"
+// #cgo windows LDFLAGS: -lssleay32 -llibeay32 -lcrypt32 -L "c:/openssl/bin"
+// #cgo darwin LDFLAGS: -framework CoreFoundation -framework Foundation -framework Security
import "C"
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/build_static.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/build_static.go
new file mode 100644
index 00000000000..1450d52e1a9
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/build_static.go
@@ -0,0 +1,24 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build openssl_static
+
+package openssl
+
+// #cgo linux windows darwin pkg-config: --static libssl libcrypto
+// #cgo CFLAGS: -Wno-deprecated-declarations
+// #cgo windows CFLAGS: -DWIN32_LEAN_AND_MEAN -I"c:/openssl/include"
+// #cgo windows LDFLAGS: -lssleay32 -llibeay32 -lcrypt32 -L "c:/openssl/bin"
+// #cgo darwin LDFLAGS: -framework CoreFoundation -framework Foundation -framework Security
+import "C"
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert.go
index 61637c649fa..d3df63507e3 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,16 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-// #include <openssl/conf.h>
-// #include <openssl/ssl.h>
-// #include <openssl/x509v3.h>
-//
-// void OPENSSL_free_not_a_macro(void *ref) { OPENSSL_free(ref); }
-//
+// #include "shim.h"
import "C"
import (
@@ -229,7 +222,7 @@ func (c *Certificate) SetSerial(serial *big.Int) error {
// SetIssueDate sets the certificate issue date relative to the current time.
func (c *Certificate) SetIssueDate(when time.Duration) error {
offset := C.long(when / time.Second)
- result := C.X509_gmtime_adj(c.x.cert_info.validity.notBefore, offset)
+ result := C.X509_gmtime_adj(C.X_X509_get0_notBefore(c.x), offset)
if result == nil {
return errors.New("failed to set issue date")
}
@@ -239,7 +232,7 @@ func (c *Certificate) SetIssueDate(when time.Duration) error {
// SetExpireDate sets the certificate issue date relative to the current time.
func (c *Certificate) SetExpireDate(when time.Duration) error {
offset := C.long(when / time.Second)
- result := C.X509_gmtime_adj(c.x.cert_info.validity.notAfter, offset)
+ result := C.X509_gmtime_adj(C.X_X509_get0_notAfter(c.x), offset)
if result == nil {
return errors.New("failed to set expire date")
}
@@ -270,37 +263,41 @@ func (c *Certificate) Sign(privKey PrivateKey, digest EVP_MD) error {
}
func (c *Certificate) insecureSign(privKey PrivateKey, digest EVP_MD) error {
- var md *C.EVP_MD
+ var md *C.EVP_MD = getDigestFunction(digest)
+ if C.X509_sign(c.x, privKey.evpPKey(), md) <= 0 {
+ return errors.New("failed to sign certificate")
+ }
+ return nil
+}
+
+func getDigestFunction(digest EVP_MD) (md *C.EVP_MD) {
switch digest {
// please don't use these digest functions
case EVP_NULL:
- md = C.EVP_md_null()
+ md = C.X_EVP_md_null()
case EVP_MD5:
- md = C.EVP_md5()
+ md = C.X_EVP_md5()
case EVP_SHA:
- md = C.EVP_sha()
+ md = C.X_EVP_sha()
case EVP_SHA1:
- md = C.EVP_sha1()
+ md = C.X_EVP_sha1()
case EVP_DSS:
- md = C.EVP_dss()
+ md = C.X_EVP_dss()
case EVP_DSS1:
- md = C.EVP_dss1()
+ md = C.X_EVP_dss1()
case EVP_RIPEMD160:
- md = C.EVP_ripemd160()
+ md = C.X_EVP_ripemd160()
case EVP_SHA224:
- md = C.EVP_sha224()
+ md = C.X_EVP_sha224()
// you actually want one of these
case EVP_SHA256:
- md = C.EVP_sha256()
+ md = C.X_EVP_sha256()
case EVP_SHA384:
- md = C.EVP_sha384()
+ md = C.X_EVP_sha384()
case EVP_SHA512:
- md = C.EVP_sha512()
- }
- if C.X509_sign(c.x, privKey.evpPKey(), md) <= 0 {
- return errors.New("failed to sign certificate")
+ md = C.X_EVP_sha512()
}
- return nil
+ return md
}
// Add an extension to a certificate.
@@ -388,7 +385,7 @@ func (c *Certificate) GetSerialNumberHex() (serial string) {
hex := C.BN_bn2hex(bignum)
serial = C.GoString(hex)
C.BN_free(bignum)
- C.OPENSSL_free_not_a_macro(unsafe.Pointer(hex))
+ C.X_OPENSSL_free(unsafe.Pointer(hex))
return
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert_test.go
index c32883ba4eb..96083260507 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Ryan Hileman
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers.go
index 12662707f54..e4f5771f8dc 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,43 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-// #include <openssl/evp.h>
-//
-// int EVP_CIPHER_block_size_not_a_macro(EVP_CIPHER *c) {
-// return EVP_CIPHER_block_size(c);
-// }
-//
-// int EVP_CIPHER_key_length_not_a_macro(EVP_CIPHER *c) {
-// return EVP_CIPHER_key_length(c);
-// }
-//
-// int EVP_CIPHER_iv_length_not_a_macro(EVP_CIPHER *c) {
-// return EVP_CIPHER_iv_length(c);
-// }
-//
-// int EVP_CIPHER_nid_not_a_macro(EVP_CIPHER *c) {
-// return EVP_CIPHER_nid(c);
-// }
-//
-// int EVP_CIPHER_CTX_block_size_not_a_macro(EVP_CIPHER_CTX *ctx) {
-// return EVP_CIPHER_CTX_block_size(ctx);
-// }
-//
-// int EVP_CIPHER_CTX_key_length_not_a_macro(EVP_CIPHER_CTX *ctx) {
-// return EVP_CIPHER_CTX_key_length(ctx);
-// }
-//
-// int EVP_CIPHER_CTX_iv_length_not_a_macro(EVP_CIPHER_CTX *ctx) {
-// return EVP_CIPHER_CTX_iv_length(ctx);
-// }
-//
-// const EVP_CIPHER *EVP_CIPHER_CTX_cipher_not_a_macro(EVP_CIPHER_CTX *ctx) {
-// return EVP_CIPHER_CTX_cipher(ctx);
-// }
+// #include "shim.h"
import "C"
import (
@@ -74,7 +40,7 @@ type Cipher struct {
}
func (c *Cipher) Nid() NID {
- return NID(C.EVP_CIPHER_nid_not_a_macro(c.ptr))
+ return NID(C.X_EVP_CIPHER_nid(c.ptr))
}
func (c *Cipher) ShortName() (string, error) {
@@ -82,15 +48,15 @@ func (c *Cipher) ShortName() (string, error) {
}
func (c *Cipher) BlockSize() int {
- return int(C.EVP_CIPHER_block_size_not_a_macro(c.ptr))
+ return int(C.X_EVP_CIPHER_block_size(c.ptr))
}
func (c *Cipher) KeySize() int {
- return int(C.EVP_CIPHER_key_length_not_a_macro(c.ptr))
+ return int(C.X_EVP_CIPHER_key_length(c.ptr))
}
func (c *Cipher) IVSize() int {
- return int(C.EVP_CIPHER_iv_length_not_a_macro(c.ptr))
+ return int(C.X_EVP_CIPHER_iv_length(c.ptr))
}
func Nid2ShortName(nid NID) (string, error) {
@@ -154,7 +120,7 @@ func (ctx *cipherCtx) applyKeyAndIV(key, iv []byte) error {
}
if kptr != nil || iptr != nil {
var res C.int
- if ctx.ctx.encrypt != 0 {
+ if C.X_EVP_CIPHER_CTX_encrypting(ctx.ctx) != 0 {
res = C.EVP_EncryptInit_ex(ctx.ctx, nil, nil, kptr, iptr)
} else {
res = C.EVP_DecryptInit_ex(ctx.ctx, nil, nil, kptr, iptr)
@@ -167,19 +133,19 @@ func (ctx *cipherCtx) applyKeyAndIV(key, iv []byte) error {
}
func (ctx *cipherCtx) Cipher() *Cipher {
- return &Cipher{ptr: C.EVP_CIPHER_CTX_cipher_not_a_macro(ctx.ctx)}
+ return &Cipher{ptr: C.X_EVP_CIPHER_CTX_cipher(ctx.ctx)}
}
func (ctx *cipherCtx) BlockSize() int {
- return int(C.EVP_CIPHER_CTX_block_size_not_a_macro(ctx.ctx))
+ return int(C.X_EVP_CIPHER_CTX_block_size(ctx.ctx))
}
func (ctx *cipherCtx) KeySize() int {
- return int(C.EVP_CIPHER_CTX_key_length_not_a_macro(ctx.ctx))
+ return int(C.X_EVP_CIPHER_CTX_key_length(ctx.ctx))
}
func (ctx *cipherCtx) IVSize() int {
- return int(C.EVP_CIPHER_CTX_iv_length_not_a_macro(ctx.ctx))
+ return int(C.X_EVP_CIPHER_CTX_iv_length(ctx.ctx))
}
func (ctx *cipherCtx) setCtrl(code, arg int) error {
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_gcm.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_gcm.go
new file mode 100644
index 00000000000..e184c95e5df
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_gcm.go
@@ -0,0 +1,154 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !openssl_pre_1.0
+
+package openssl
+
+// #include <openssl/evp.h>
+import "C"
+
+import (
+ "errors"
+ "fmt"
+)
+
+type AuthenticatedEncryptionCipherCtx interface {
+ EncryptionCipherCtx
+
+ // data passed in to ExtraData() is part of the final output; it is
+ // not encrypted itself, but is part of the authenticated data. when
+ // decrypting or authenticating, pass back with the decryption
+ // context's ExtraData()
+ ExtraData([]byte) error
+
+ // use after finalizing encryption to get the authenticating tag
+ GetTag() ([]byte, error)
+}
+
+type AuthenticatedDecryptionCipherCtx interface {
+ DecryptionCipherCtx
+
+ // pass in any extra data that was added during encryption with the
+ // encryption context's ExtraData()
+ ExtraData([]byte) error
+
+ // use before finalizing decryption to tell the library what the
+ // tag is expected to be
+ SetTag([]byte) error
+}
+
+type authEncryptionCipherCtx struct {
+ *encryptionCipherCtx
+}
+
+type authDecryptionCipherCtx struct {
+ *decryptionCipherCtx
+}
+
+func getGCMCipher(blocksize int) (*Cipher, error) {
+ var cipherptr *C.EVP_CIPHER
+ switch blocksize {
+ case 256:
+ cipherptr = C.EVP_aes_256_gcm()
+ case 192:
+ cipherptr = C.EVP_aes_192_gcm()
+ case 128:
+ cipherptr = C.EVP_aes_128_gcm()
+ default:
+ return nil, fmt.Errorf("unknown block size %d", blocksize)
+ }
+ return &Cipher{ptr: cipherptr}, nil
+}
+
+func NewGCMEncryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) (
+ AuthenticatedEncryptionCipherCtx, error) {
+ cipher, err := getGCMCipher(blocksize)
+ if err != nil {
+ return nil, err
+ }
+ ctx, err := newEncryptionCipherCtx(cipher, e, key, nil)
+ if err != nil {
+ return nil, err
+ }
+ if len(iv) > 0 {
+ err := ctx.setCtrl(C.EVP_CTRL_GCM_SET_IVLEN, len(iv))
+ if err != nil {
+ return nil, fmt.Errorf("could not set IV len to %d: %s",
+ len(iv), err)
+ }
+ if 1 != C.EVP_EncryptInit_ex(ctx.ctx, nil, nil, nil,
+ (*C.uchar)(&iv[0])) {
+ return nil, errors.New("failed to apply IV")
+ }
+ }
+ return &authEncryptionCipherCtx{encryptionCipherCtx: ctx}, nil
+}
+
+func NewGCMDecryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) (
+ AuthenticatedDecryptionCipherCtx, error) {
+ cipher, err := getGCMCipher(blocksize)
+ if err != nil {
+ return nil, err
+ }
+ ctx, err := newDecryptionCipherCtx(cipher, e, key, nil)
+ if err != nil {
+ return nil, err
+ }
+ if len(iv) > 0 {
+ err := ctx.setCtrl(C.EVP_CTRL_GCM_SET_IVLEN, len(iv))
+ if err != nil {
+ return nil, fmt.Errorf("could not set IV len to %d: %s",
+ len(iv), err)
+ }
+ if 1 != C.EVP_DecryptInit_ex(ctx.ctx, nil, nil, nil,
+ (*C.uchar)(&iv[0])) {
+ return nil, errors.New("failed to apply IV")
+ }
+ }
+ return &authDecryptionCipherCtx{decryptionCipherCtx: ctx}, nil
+}
+
+func (ctx *authEncryptionCipherCtx) ExtraData(aad []byte) error {
+ if aad == nil {
+ return nil
+ }
+ var outlen C.int
+ if 1 != C.EVP_EncryptUpdate(ctx.ctx, nil, &outlen, (*C.uchar)(&aad[0]),
+ C.int(len(aad))) {
+ return errors.New("failed to add additional authenticated data")
+ }
+ return nil
+}
+
+func (ctx *authDecryptionCipherCtx) ExtraData(aad []byte) error {
+ if aad == nil {
+ return nil
+ }
+ var outlen C.int
+ if 1 != C.EVP_DecryptUpdate(ctx.ctx, nil, &outlen, (*C.uchar)(&aad[0]),
+ C.int(len(aad))) {
+ return errors.New("failed to add additional authenticated data")
+ }
+ return nil
+}
+
+func (ctx *authEncryptionCipherCtx) GetTag() ([]byte, error) {
+ return ctx.getCtrlBytes(C.EVP_CTRL_GCM_GET_TAG, GCM_TAG_MAXLEN,
+ GCM_TAG_MAXLEN)
+}
+
+func (ctx *authDecryptionCipherCtx) SetTag(tag []byte) error {
+ return ctx.setCtrlBytes(C.EVP_CTRL_GCM_SET_TAG, len(tag), tag)
+}
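Review bot: `SetTag` passes `len(tag)` straight to `EVP_CTRL_GCM_SET_TAG`, so the decrypting side accepts whatever tag length the caller supplies, while `GetTag` always produces `GCM_TAG_MAXLEN` bytes. If the tag comes from an untrusted peer, a shortened tag presumably lowers the forgery effort to match, so I would reject other lengths up front with `if len(tag) != GCM_TAG_MAXLEN { return errors.New("invalid GCM tag length") }`. Both `ExtraData` methods test `aad == nil` and then take `&aad[0]`, which panics for an empty non-nil slice; `if len(aad) == 0 { return nil }` covers both cases. The `blocksize` parameter of `getGCMCipher` and the two constructors selects the AES key size in bits (128/192/256), not a block size, and a doc comment should say so.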
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_test.go
index d1d430b1e15..96b16817f9d 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build !darwin
+// +build !openssl_pre_1.0
package openssl
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/conn.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/conn.go
index 992033d2a30..2d2f208489d 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/conn.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/conn.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,30 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-/*
-#include <stdlib.h>
-#include <openssl/ssl.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-
-int sk_X509_num_not_a_macro(STACK_OF(X509) *sk) { return sk_X509_num(sk); }
-X509 *sk_X509_value_not_a_macro(STACK_OF(X509)* sk, int i) {
- return sk_X509_value(sk, i);
-}
-long SSL_set_tlsext_host_name_not_a_macro(SSL *ssl, const char *name) {
- return SSL_set_tlsext_host_name(ssl, name);
-}
-const char * SSL_get_cipher_name_not_a_macro(const SSL *ssl) {
- return SSL_get_cipher_name(ssl);
-}
-static int SSL_session_reused_not_a_macro(SSL *ssl) {
- return SSL_session_reused(ssl);
-}
-*/
+// #include "shim.h"
import "C"
import (
@@ -48,7 +27,7 @@ import (
"time"
"unsafe"
- "github.com/spacemonkeygo/openssl/utils"
+ "github.com/10gen/openssl/utils"
)
var (
@@ -59,8 +38,9 @@ var (
)
type Conn struct {
+ *SSL
+
conn net.Conn
- ssl *C.SSL
ctx *Ctx // for gc
into_ssl *readBio
from_ssl *writeBio
@@ -156,9 +136,13 @@ func newConn(conn net.Conn, ctx *Ctx) (*Conn, error) {
// the ssl object takes ownership of these objects now
C.SSL_set_bio(ssl, into_ssl_cbio, from_ssl_cbio)
+ s := &SSL{ssl: ssl}
+ C.SSL_set_ex_data(s.ssl, get_ssl_idx(), unsafe.Pointer(s))
+
c := &Conn{
+ SSL: s,
+
conn: conn,
- ssl: ssl,
ctx: ctx,
into_ssl: into_ssl,
from_ssl: from_ssl}
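Review bot: The result of `C.SSL_set_ex_data(s.ssl, get_ssl_idx(), unsafe.Pointer(s))` is discarded, so a failed store (the call returns 0) goes unnoticed until some callback looks up the index and gets nil back. I would check it, `if C.SSL_set_ex_data(s.ssl, get_ssl_idx(), unsafe.Pointer(s)) != 1 { ... }`, and return an error from there. The call also leaves a Go pointer in C-owned memory after it returns, which the cgo pointer-passing rules do not allow; it holds only while the `Conn` keeps `s` reachable and the collector does not move it, and a comment should state that assumption. newConn starts and ends outside this hunk, so the cleanup needed on the failure path is not visible here.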
@@ -203,8 +187,10 @@ func Server(conn net.Conn, ctx *Ctx) (*Conn, error) {
return c, nil
}
+func (c *Conn) GetCtx() *Ctx { return c.ctx }
+
func (c *Conn) CurrentCipher() (string, error) {
- p := C.SSL_get_cipher_name_not_a_macro(c.ssl)
+ p := C.X_SSL_get_cipher_name(c.ssl)
if p == nil {
return "", errors.New("Session not established")
}
@@ -358,10 +344,10 @@ func (c *Conn) PeerCertificateChain() (rv []*Certificate, err error) {
if sk == nil {
return nil, errors.New("no peer certificates found")
}
- sk_num := int(C.sk_X509_num_not_a_macro(sk))
+ sk_num := int(C.X_sk_X509_num(sk))
rv = make([]*Certificate, 0, sk_num)
for i := 0; i < sk_num; i++ {
- x := C.sk_X509_value_not_a_macro(sk, C.int(i))
+ x := C.X_sk_X509_value(sk, C.int(i))
// ref holds on to the underlying connection memory so we don't need to
// worry about incrementing refcounts manually or freeing the X509
rv = append(rv, &Certificate{x: x, ref: c})
@@ -578,7 +564,7 @@ func (c *Conn) SetTlsExtHostName(name string) error {
defer C.free(unsafe.Pointer(cname))
runtime.LockOSThread()
defer runtime.UnlockOSThread()
- if C.SSL_set_tlsext_host_name_not_a_macro(c.ssl, cname) == 0 {
+ if C.X_SSL_set_tlsext_host_name(c.ssl, cname) == 0 {
return errorFromErrorQueue()
}
return nil
@@ -589,7 +575,7 @@ func (c *Conn) VerifyResult() VerifyResult {
}
func (c *Conn) SessionReused() bool {
- return C.SSL_session_reused_not_a_macro(c.ssl) == 1
+ return C.X_SSL_session_reused(c.ssl) == 1
}
func (c *Conn) GetSession() ([]byte, error) {
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx.go
index 8daa1bbbb1f..a092c3aae72 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,83 +12,11 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
/*
-#include <openssl/crypto.h>
-#include <openssl/ssl.h>
+#include "shim.h"
#include <openssl/err.h>
-#include <openssl/conf.h>
-#include <openssl/x509.h>
-
-static long SSL_CTX_set_options_not_a_macro(SSL_CTX* ctx, long options) {
- return SSL_CTX_set_options(ctx, options);
-}
-
-static long SSL_CTX_clear_options_not_a_macro(SSL_CTX* ctx, long options) {
- return SSL_CTX_clear_options(ctx, options);
-}
-
-static long SSL_CTX_get_options_not_a_macro(SSL_CTX* ctx) {
- return SSL_CTX_get_options(ctx);
-}
-
-static long SSL_CTX_set_mode_not_a_macro(SSL_CTX* ctx, long modes) {
- return SSL_CTX_set_mode(ctx, modes);
-}
-
-static long SSL_CTX_get_mode_not_a_macro(SSL_CTX* ctx) {
- return SSL_CTX_get_mode(ctx);
-}
-
-static long SSL_CTX_set_session_cache_mode_not_a_macro(SSL_CTX* ctx, long modes) {
- return SSL_CTX_set_session_cache_mode(ctx, modes);
-}
-
-static long SSL_CTX_sess_set_cache_size_not_a_macro(SSL_CTX* ctx, long t) {
- return SSL_CTX_sess_set_cache_size(ctx, t);
-}
-
-static long SSL_CTX_sess_get_cache_size_not_a_macro(SSL_CTX* ctx) {
- return SSL_CTX_sess_get_cache_size(ctx);
-}
-
-static long SSL_CTX_set_timeout_not_a_macro(SSL_CTX* ctx, long t) {
- return SSL_CTX_set_timeout(ctx, t);
-}
-
-static long SSL_CTX_get_timeout_not_a_macro(SSL_CTX* ctx) {
- return SSL_CTX_get_timeout(ctx);
-}
-
-static int CRYPTO_add_not_a_macro(int *pointer,int amount,int type) {
- return CRYPTO_add(pointer, amount, type);
-}
-
-static long SSL_CTX_add_extra_chain_cert_not_a_macro(SSL_CTX* ctx, X509 *cert) {
- return SSL_CTX_add_extra_chain_cert(ctx, cert);
-}
-
-static long SSL_CTX_set_tlsext_servername_callback_not_a_macro(
- SSL_CTX* ctx, int (*cb)(SSL *con, int *ad, void *args)) {
- return SSL_CTX_set_tlsext_servername_callback(ctx, cb);
-}
-
-#ifndef SSL_MODE_RELEASE_BUFFERS
-#define SSL_MODE_RELEASE_BUFFERS 0
-#endif
-
-#ifndef SSL_OP_NO_COMPRESSION
-#define SSL_OP_NO_COMPRESSION 0
-#endif
-
-#if defined SSL_CTRL_SET_TLSEXT_HOSTNAME
- extern int sni_cb(SSL *ssl_conn, int *ad, void *arg);
-#endif
-
-extern int verify_cb(int ok, X509_STORE_CTX* store);
typedef STACK_OF(X509_NAME) *STACK_OF_X509_NAME_not_a_macro;
@@ -97,6 +25,7 @@ static void sk_X509_NAME_pop_free_not_a_macro(STACK_OF_X509_NAME_not_a_macro st)
}
extern int password_cb(char *buf, int size, int rwflag, void *password);
+
*/
import "C"
@@ -114,7 +43,7 @@ import (
)
var (
- ssl_ctx_idx = C.SSL_CTX_get_ex_new_index(0, nil, nil, nil, nil)
+ ssl_ctx_idx = C.X_SSL_CTX_new_index()
logger = spacelog.GetLogger()
)
@@ -169,10 +98,10 @@ const (
func NewCtxWithVersion(version SSLVersion) (*Ctx, error) {
var method *C.SSL_METHOD
switch version {
- case TLSv1:
- method = C.TLSv1_method()
+ case SSLv3:
+ method = C.X_SSLv3_method()
case AnyVersion:
- method = C.SSLv23_method()
+ method = C.X_SSLv23_method()
}
if method == nil {
return nil, errors.New("unknown ssl/tls version")
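Review bot: After this change the switch has a case for `SSLv3` and none for `TLSv1`, so the only fixed protocol version this constructor can produce is SSLv3, which is deprecated (RFC 7568) and affected by POODLE. If the `TLSv1` constant still exists outside the hunk, callers passing it now get `unknown ssl/tls version`. I would drop the `SSLv3` case or gate it behind an explicit opt-in, and add a comment on `AnyVersion` that the negotiated range should be narrowed with options such as `SSL_OP_NO_SSLv3`. The function continues past the end of the hunk.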
@@ -255,6 +184,8 @@ const (
Prime256v1 EllipticCurve = C.NID_X9_62_prime256v1
// P-384: NIST/SECG curve over a 384 bit prime field
Secp384r1 EllipticCurve = C.NID_secp384r1
+ // P-521: NIST/SECG curve over a 521 bit prime field
+ Secp521r1 EllipticCurve = C.NID_secp521r1
)
// UseCertificate configures the context to present the given certificate to
@@ -386,7 +317,7 @@ func (c *Ctx) AddChainCertificate(cert *Certificate) error {
runtime.LockOSThread()
defer runtime.UnlockOSThread()
c.chain = append(c.chain, cert)
- if int(C.SSL_CTX_add_extra_chain_cert_not_a_macro(c.ctx, cert.x)) != 1 {
+ if int(C.X_SSL_CTX_add_extra_chain_cert(c.ctx, cert.x)) != 1 {
return errorFromErrorQueue()
}
// OpenSSL takes ownership via SSL_CTX_add_extra_chain_cert
@@ -581,7 +512,9 @@ func (self *CertificateStoreCtx) GetCurrentCert() *Certificate {
return nil
}
// add a ref
- C.CRYPTO_add_not_a_macro(&x509.references, 1, C.CRYPTO_LOCK_X509)
+ if 1 != C.X_X509_add_ref(x509) {
+ return nil
+ }
cert := &Certificate{
x: x509,
}
@@ -630,19 +563,19 @@ const (
// SetOptions sets context options. See
// http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (c *Ctx) SetOptions(options Options) Options {
- return Options(C.SSL_CTX_set_options_not_a_macro(
+ return Options(C.X_SSL_CTX_set_options(
c.ctx, C.long(options)))
}
func (c *Ctx) ClearOptions(options Options) Options {
- return Options(C.SSL_CTX_clear_options_not_a_macro(
+ return Options(C.X_SSL_CTX_clear_options(
c.ctx, C.long(options)))
}
// GetOptions returns context options. See
// https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (c *Ctx) GetOptions() Options {
- return Options(C.SSL_CTX_get_options_not_a_macro(c.ctx))
+ return Options(C.X_SSL_CTX_get_options(c.ctx))
}
type Modes int
@@ -656,13 +589,13 @@ const (
// SetMode sets context modes. See
// http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (c *Ctx) SetMode(modes Modes) Modes {
- return Modes(C.SSL_CTX_set_mode_not_a_macro(c.ctx, C.long(modes)))
+ return Modes(C.X_SSL_CTX_set_mode(c.ctx, C.long(modes)))
}
// GetMode returns context modes. See
// http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
func (c *Ctx) GetMode() Modes {
- return Modes(C.SSL_CTX_get_mode_not_a_macro(c.ctx))
+ return Modes(C.X_SSL_CTX_get_mode(c.ctx))
}
type VerifyOptions int
@@ -683,8 +616,8 @@ const (
type VerifyCallback func(ok bool, store *CertificateStoreCtx) bool
-//export verify_cb_thunk
-func verify_cb_thunk(p unsafe.Pointer, ok C.int, ctx *C.X509_STORE_CTX) C.int {
+//export go_ssl_ctx_verify_cb_thunk
+func go_ssl_ctx_verify_cb_thunk(p unsafe.Pointer, ok C.int, ctx *C.X509_STORE_CTX) C.int {
defer func() {
if err := recover(); err != nil {
logger.Critf("openssl: verify callback panic'd: %v", err)
@@ -709,7 +642,7 @@ func verify_cb_thunk(p unsafe.Pointer, ok C.int, ctx *C.X509_STORE_CTX) C.int {
func (c *Ctx) SetVerify(options VerifyOptions, verify_cb VerifyCallback) {
c.verify_cb = verify_cb
if verify_cb != nil {
- C.SSL_CTX_set_verify(c.ctx, C.int(options), (*[0]byte)(C.verify_cb))
+ C.SSL_CTX_set_verify(c.ctx, C.int(options), (*[0]byte)(C.X_SSL_CTX_verify_cb))
} else {
C.SSL_CTX_set_verify(c.ctx, C.int(options), nil)
}
@@ -752,7 +685,7 @@ type TLSExtServernameCallback func(ssl *SSL) SSLTLSExtErr
// http://stackoverflow.com/questions/22373332/serving-multiple-domains-in-one-box-with-sni
func (c *Ctx) SetTLSExtServernameCallback(sni_cb TLSExtServernameCallback) {
c.sni_cb = sni_cb
- C.SSL_CTX_set_tlsext_servername_callback_not_a_macro(c.ctx, (*[0]byte)(C.sni_cb))
+ C.X_SSL_CTX_set_tlsext_servername_callback(c.ctx, (*[0]byte)(C.sni_cb))
}
func (c *Ctx) SetSessionId(session_id []byte) error {
@@ -800,30 +733,30 @@ const (
// http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html
func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes {
return SessionCacheModes(
- C.SSL_CTX_set_session_cache_mode_not_a_macro(c.ctx, C.long(modes)))
+ C.X_SSL_CTX_set_session_cache_mode(c.ctx, C.long(modes)))
}
// Set session cache timeout. Returns previously set value.
// See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
func (c *Ctx) SetTimeout(t time.Duration) time.Duration {
- prev := C.SSL_CTX_set_timeout_not_a_macro(c.ctx, C.long(t/time.Second))
+ prev := C.X_SSL_CTX_set_timeout(c.ctx, C.long(t/time.Second))
return time.Duration(prev) * time.Second
}
// Get session cache timeout.
// See https://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html
func (c *Ctx) GetTimeout() time.Duration {
- return time.Duration(C.SSL_CTX_get_timeout_not_a_macro(c.ctx)) * time.Second
+ return time.Duration(C.X_SSL_CTX_get_timeout(c.ctx)) * time.Second
}
// Set session cache size. Returns previously set value.
// https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
func (c *Ctx) SessSetCacheSize(t int) int {
- return int(C.SSL_CTX_sess_set_cache_size_not_a_macro(c.ctx, C.long(t)))
+ return int(C.X_SSL_CTX_sess_set_cache_size(c.ctx, C.long(t)))
}
// Get session cache size.
// https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html
func (c *Ctx) SessGetCacheSize() int {
- return int(C.SSL_CTX_sess_get_cache_size_not_a_macro(c.ctx))
+ return int(C.X_SSL_CTX_sess_get_cache_size(c.ctx))
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx_test.go
index 9644e518bf3..cd2a82a5a66 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Ryan Hileman
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh.go
new file mode 100644
index 00000000000..7d0cc703985
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh.go
@@ -0,0 +1,68 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !openssl_pre_1.0
+
+package openssl
+
+// #include "shim.h"
+import "C"
+import (
+ "errors"
+ "unsafe"
+)
+
+// DeriveSharedSecret derives a shared secret using a private key and a peer's
+// public key.
+// The specific algorithm that is used depends on the types of the
+// keys, but it is most commonly a variant of Diffie-Hellman.
+func DeriveSharedSecret(private PrivateKey, public PublicKey) ([]byte, error) {
+ // Create context for the shared secret derivation
+ dhCtx := C.EVP_PKEY_CTX_new(private.evpPKey(), nil)
+ if dhCtx == nil {
+ return nil, errors.New("failed creating shared secret derivation context")
+ }
+ defer C.EVP_PKEY_CTX_free(dhCtx)
+
+ // Initialize the context
+ if int(C.EVP_PKEY_derive_init(dhCtx)) != 1 {
+ return nil, errors.New("failed initializing shared secret derivation context")
+ }
+
+ // Provide the peer's public key
+ if int(C.EVP_PKEY_derive_set_peer(dhCtx, public.evpPKey())) != 1 {
+ return nil, errors.New("failed adding peer public key to context")
+ }
+
+ // Determine how large of a buffer we need for the shared secret
+ var buffLen C.size_t
+ if int(C.EVP_PKEY_derive(dhCtx, nil, &buffLen)) != 1 {
+ return nil, errors.New("failed determining shared secret length")
+ }
+
+ // Allocate a buffer
+ buffer := C.X_OPENSSL_malloc(buffLen)
+ if buffer == nil {
+ return nil, errors.New("failed allocating buffer for shared secret")
+ }
+ defer C.X_OPENSSL_free(buffer)
+
+ // Derive the shared secret
+ if int(C.EVP_PKEY_derive(dhCtx, (*C.uchar)(buffer), &buffLen)) != 1 {
+ return nil, errors.New("failed deriving the shared secret")
+ }
+
+ secret := C.GoBytes(unsafe.Pointer(buffer), C.int(buffLen))
+ return secret, nil
+}
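Review bot: The C buffer holding the derived secret is released by `defer C.X_OPENSSL_free(buffer)` without being wiped, so the key material stays behind in freed heap memory after `DeriveSharedSecret` returns. Cleanse it before the free, for example `defer func() { C.OPENSSL_cleanse(buffer, buffLen); C.X_OPENSSL_free(buffer) }()`; this assumes shim.h makes `OPENSSL_cleanse` visible, otherwise it needs a small shim. The doc comment should also say that the result is the raw shared secret and is meant to be fed through a KDF rather than used directly as a key. `C.int(buffLen)` in the `GoBytes` call narrows a `size_t`, which is harmless for real key sizes but merits a short comment.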
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh_test.go
new file mode 100644
index 00000000000..ce8e644940c
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dh_test.go
@@ -0,0 +1,48 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !openssl_pre_1.0
+
+package openssl
+
+import (
+ "bytes"
+ "testing"
+)
+
+func TestECDH(t *testing.T) {
+ t.Parallel()
+
+ myKey, err := GenerateECKey(Prime256v1)
+ if err != nil {
+ t.Fatal(err)
+ }
+ peerKey, err := GenerateECKey(Prime256v1)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ mySecret, err := DeriveSharedSecret(myKey, peerKey)
+ if err != nil {
+ t.Fatal(err)
+ }
+ theirSecret, err := DeriveSharedSecret(peerKey, myKey)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if bytes.Compare(mySecret, theirSecret) != 0 {
+ t.Fatal("shared secrets are different")
+ }
+}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/dhparam.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dhparam.go
index a698645c1ec..294d0645c03 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/dhparam.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dhparam.go
@@ -1,21 +1,20 @@
-// +build cgo
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
package openssl
-/*
-#include <openssl/crypto.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/conf.h>
-#include <openssl/dh.h>
-
-static long SSL_CTX_set_tmp_dh_not_a_macro(SSL_CTX* ctx, DH *dh) {
- return SSL_CTX_set_tmp_dh(ctx, dh);
-}
-static long PEM_read_DHparams_not_a_macro(SSL_CTX* ctx, DH *dh) {
- return SSL_CTX_set_tmp_dh(ctx, dh);
-}
-*/
+// #include "shim.h"
import "C"
import (
@@ -58,7 +57,7 @@ func (c *Ctx) SetDHParameters(dh *DH) error {
runtime.LockOSThread()
defer runtime.UnlockOSThread()
- if int(C.SSL_CTX_set_tmp_dh_not_a_macro(c.ctx, dh.dh)) != 1 {
+ if int(C.X_SSL_CTX_set_tmp_dh(c.ctx, dh.dh)) != 1 {
return errorFromErrorQueue()
}
return nil
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/digest.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/digest.go
index 44d4d001b13..6d8d2635aee 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/digest.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/digest.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2015 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,11 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-// #include <openssl/evp.h>
+// #include "shim.h"
import "C"
import (
@@ -34,7 +32,7 @@ type Digest struct {
func GetDigestByName(name string) (*Digest, error) {
cname := C.CString(name)
defer C.free(unsafe.Pointer(cname))
- p := C.EVP_get_digestbyname(cname)
+ p := C.X_EVP_get_digestbyname(cname)
if p == nil {
return nil, fmt.Errorf("Digest %v not found", name)
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/engine.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/engine.go
index 7a175b70f7c..78aef956fca 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/engine.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/engine.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
/*
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips.go
new file mode 100644
index 00000000000..77e1dc3eddf
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips.go
@@ -0,0 +1,66 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build cgo
+
+package openssl
+
+/*
+#include "shim.h"
+
+static int X_FIPS_defined() {
+#ifdef OPENSSL_FIPS
+ return 1;
+#else
+ return 0;
+#endif
+}
+
+*/
+import "C"
+import "runtime"
+
+// FIPSModeDefined indicates if the openssl library has the FIPS
+// module complied in, specifically if the "OPENSSL_FIPS" macro is defined.
+func FIPSModeDefined() bool {
+ if C.X_FIPS_defined() == 1 {
+ return true
+ }
+ return false
+}
+
+// FIPSModeSet enables a FIPS 140-2 validated mode of operation.
+// https://wiki.openssl.org/index.php/FIPS_mode_set()
+func FIPSModeSet(mode bool) error {
+ runtime.LockOSThread()
+ defer runtime.UnlockOSThread()
+
+ var r C.int
+ if mode {
+ r = C.X_FIPS_mode_set(1)
+ } else {
+ r = C.X_FIPS_mode_set(0)
+ }
+ if r != 1 {
+ return errorFromErrorQueue()
+ }
+ return nil
+}
+
+func FIPSMode() bool {
+ if FIPSModeDefined() && C.X_FIPS_mode() != 0 {
+ return true
+ }
+ return false
+}
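Review bot: `FIPSMode` is exported without a doc comment, and the comment on `FIPSModeSet` says it "enables" FIPS mode although `mode == false` switches it off. Suggested wording: `// FIPSModeSet turns the library-wide FIPS 140-2 mode of operation on (mode == true) or off (mode == false).` and `// FIPSMode reports whether OPENSSL_FIPS is compiled in and FIPS mode is currently on.` The comment on `FIPSModeDefined` has a typo ("complied" for "compiled"), and its body reduces to `return C.X_FIPS_defined() == 1`. Since the setting affects every user of the library in the process, the docs should also say it is meant to be called once at start-up, before any contexts are created.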
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips_test.go
new file mode 100644
index 00000000000..7c8ec3a8c40
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips_test.go
@@ -0,0 +1,35 @@
+package openssl_test
+
+import (
+ "testing"
+
+ "github.com/10gen/openssl"
+)
+
+func TestSetFIPSMode(t *testing.T) {
+ if !openssl.FIPSModeDefined() {
+ t.Skip()
+ }
+
+ if openssl.FIPSMode() {
+ t.Fatal("Expected FIPS mode to be disabled, but was enabled")
+ }
+
+ err := openssl.FIPSModeSet(true)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if !openssl.FIPSMode() {
+ t.Fatal("Expected FIPS mode to be enabled, but was disabled")
+ }
+
+ err = openssl.FIPSModeSet(false)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if openssl.FIPSMode() {
+ t.Fatal("Expected FIPS mode to be disabled, but was enabled")
+ }
+}
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac.go
new file mode 100644
index 00000000000..a8640cfac63
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac.go
@@ -0,0 +1,91 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package openssl
+
+// #include "shim.h"
+import "C"
+
+import (
+ "errors"
+ "runtime"
+ "unsafe"
+)
+
+type HMAC struct {
+ ctx *C.HMAC_CTX
+ engine *Engine
+ md *C.EVP_MD
+}
+
+func NewHMAC(key []byte, digestAlgorithm EVP_MD) (*HMAC, error) {
+ return NewHMACWithEngine(key, digestAlgorithm, nil)
+}
+
+func NewHMACWithEngine(key []byte, digestAlgorithm EVP_MD, e *Engine) (*HMAC, error) {
+ var md *C.EVP_MD = getDigestFunction(digestAlgorithm)
+ h := &HMAC{engine: e, md: md}
+ h.ctx = C.X_HMAC_CTX_new()
+ if h.ctx == nil {
+ return nil, errors.New("unable to allocate HMAC_CTX")
+ }
+
+ var c_e *C.ENGINE
+ if e != nil {
+ c_e = e.e
+ }
+ if rc := C.X_HMAC_Init_ex(h.ctx,
+ unsafe.Pointer(&key[0]),
+ C.int(len(key)),
+ md,
+ c_e); rc != 1 {
+ C.X_HMAC_CTX_free(h.ctx)
+ return nil, errors.New("failed to initialize HMAC_CTX")
+ }
+
+ runtime.SetFinalizer(h, func(h *HMAC) { h.Close() })
+ return h, nil
+}
+
+func (h *HMAC) Close() {
+ C.X_HMAC_CTX_free(h.ctx)
+}
+
+func (h *HMAC) Write(data []byte) (n int, err error) {
+ if len(data) == 0 {
+ return 0, nil
+ }
+ if rc := C.X_HMAC_Update(h.ctx, (*C.uchar)(unsafe.Pointer(&data[0])),
+ C.size_t(len(data))); rc != 1 {
+ return 0, errors.New("failed to update HMAC")
+ }
+ return len(data), nil
+}
+
+func (h *HMAC) Reset() error {
+ if 1 != C.X_HMAC_Init_ex(h.ctx, nil, 0, nil, nil) {
+ return errors.New("failed to reset HMAC_CTX")
+ }
+ return nil
+}
+
+func (h *HMAC) Final() (result []byte, err error) {
+ mdLength := C.X_EVP_MD_size(h.md)
+ result = make([]byte, mdLength)
+ if rc := C.X_HMAC_Final(h.ctx, (*C.uchar)(unsafe.Pointer(&result[0])),
+ (*C.uint)(unsafe.Pointer(&mdLength))); rc != 1 {
+ return nil, errors.New("failed to finalized HMAC")
+ }
+ return result, h.Reset()
+}
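Review bot: `Close` frees `h.ctx` without clearing it, and `NewHMACWithEngine` registers a finalizer that calls `Close` again, so an explicit `Close()` followed by garbage collection frees the same `HMAC_CTX` twice. Guard it with `if h.ctx == nil { return }` at the top of `Close` and set `h.ctx = nil` after `C.X_HMAC_CTX_free(h.ctx)`; the other methods would then also need to reject a closed HMAC instead of passing nil to C. `unsafe.Pointer(&key[0])` in `NewHMACWithEngine` panics on an empty key, so check `len(key) == 0` first and return an error. The `md` returned by `getDigestFunction` is used unchecked; whether it can be nil for an unknown `EVP_MD` is not visible here and should be confirmed.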
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac_test.go
new file mode 100644
index 00000000000..424720e2171
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hmac_test.go
@@ -0,0 +1,74 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !openssl_pre_1.0
+
+package openssl
+
+import (
+ "crypto/hmac"
+ "crypto/sha256"
+ "encoding/hex"
+ "testing"
+)
+
+func TestSHA256HMAC(t *testing.T) {
+ key := []byte("d741787cc61851af045ccd37")
+ data := []byte("5912EEFD-59EC-43E3-ADB8-D5325AEC3271")
+
+ h, err := NewHMAC(key, EVP_SHA256)
+ if err != nil {
+ t.Fatalf("Unable to create new HMAC: %s", err)
+ }
+ if _, err := h.Write(data); err != nil {
+ t.Fatalf("Unable to write data into HMAC: %s", err)
+ }
+
+ var actualHMACBytes []byte
+ if actualHMACBytes, err = h.Final(); err != nil {
+ t.Fatalf("Error while finalizing HMAC: %s", err)
+ }
+ actualString := hex.EncodeToString(actualHMACBytes)
+
+ // generate HMAC with built-in crypto lib
+ mac := hmac.New(sha256.New, key)
+ mac.Write(data)
+ expectedString := hex.EncodeToString(mac.Sum(nil))
+
+ if expectedString != actualString {
+ t.Errorf("HMAC was incorrect: expected=%s, actual=%s", expectedString, actualString)
+ }
+}
+
+func BenchmarkSHA256HMAC(b *testing.B) {
+ key := []byte("d741787cc61851af045ccd37")
+ data := []byte("5912EEFD-59EC-43E3-ADB8-D5325AEC3271")
+
+ h, err := NewHMAC(key, EVP_SHA256)
+ if err != nil {
+ b.Fatalf("Unable to create new HMAC: %s", err)
+ }
+
+ b.ResetTimer()
+ for i := 0; i < b.N; i++ {
+ if _, err := h.Write(data); err != nil {
+ b.Fatalf("Unable to write data into HMAC: %s", err)
+ }
+
+ var err error
+ if _, err = h.Final(); err != nil {
+ b.Fatalf("Error while finalizing HMAC: %s", err)
+ }
+ }
+}
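Review bot: TestSHA256HMAC covers only a non-empty key and never calls Close, so two paths of the new HMAC type go untested. NewHMACWithEngine in hmac.go takes `unsafe.Pointer(&key[0])`, which panics on a zero-length key. Close frees h.ctx without clearing it, and the finalizer registered in the constructor calls Close again, which looks like a second free of the same context. I would add a case for `NewHMAC([]byte{}, EVP_SHA256)` that expects an error or a valid MAC rather than a panic, and a case that calls `h.Close()` explicitly. In hmac.go that points to a `len(key) == 0` guard before the init call, and to `if h.ctx != nil { C.X_HMAC_CTX_free(h.ctx); h.ctx = nil }` in Close.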
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.c
index 9a610292067..aef33355262 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.c
@@ -1,7 +1,8 @@
-/* Go-OpenSSL notice:
- This file is required for all OpenSSL versions prior to 1.1.0. This simply
- provides the new 1.1.0 X509_check_* methods for hostname validation if they
- don't already exist.
+/*
+ * Go-OpenSSL notice:
+ * This file is required for all OpenSSL versions prior to 1.1.0. This simply
+ * provides the new 1.1.0 X509_check_* methods for hostname validation if they
+ * don't already exist.
*/
#include <openssl/x509.h>
@@ -67,6 +68,7 @@
*/
/* X509 v3 extension utilities */
+#include <string.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/conf.h>
@@ -346,22 +348,26 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
return 0;
}
-int _X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags)
+#if OPENSSL_VERSION_NUMBER < 0x1000200fL
+
+int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
+ unsigned int flags, char **peername)
{
return do_x509_check(x, chk, chklen, flags, GEN_DNS);
}
-int _X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
+int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags)
{
return do_x509_check(x, chk, chklen, flags, GEN_EMAIL);
}
-int _X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
+int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags)
{
return do_x509_check(x, chk, chklen, flags, GEN_IPADD);
}
+#endif /* OPENSSL_VERSION_NUMBER */
+
#endif
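Review bot: The new `peername` parameter of X509_check_host is accepted but never written, whereas OpenSSL's own function of this name stores an allocated string through it on a match. The only caller visible in this diff passes nil, so nothing breaks today, but a caller that passes a pointer and later frees the result would be working with an uninitialised value. I would document this above the function with `/* peername is ignored by this fallback and left untouched */`, or add `if (peername) *peername = NULL;` before the do_x509_check call.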
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.go
index c1d1202fb65..f0b36db678d 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
/*
@@ -25,11 +23,11 @@ package openssl
#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
#define X509_CHECK_FLAG_NO_WILDCARDS 0x2
-extern int _X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags);
-extern int _X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
+extern int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
+ unsigned int flags, char **peername);
+extern int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags);
-extern int _X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
+extern int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags);
#endif
*/
@@ -60,8 +58,9 @@ const (
func (c *Certificate) CheckHost(host string, flags CheckFlags) error {
chost := unsafe.Pointer(C.CString(host))
defer C.free(chost)
- rv := C._X509_check_host(c.x, (*C.uchar)(chost), C.size_t(len(host)),
- C.uint(flags))
+
+ rv := C.X509_check_host(c.x, (*C.uchar)(chost), C.size_t(len(host)),
+ C.uint(flags), nil)
if rv > 0 {
return nil
}
@@ -79,7 +78,7 @@ func (c *Certificate) CheckHost(host string, flags CheckFlags) error {
func (c *Certificate) CheckEmail(email string, flags CheckFlags) error {
cemail := unsafe.Pointer(C.CString(email))
defer C.free(cemail)
- rv := C._X509_check_email(c.x, (*C.uchar)(cemail), C.size_t(len(email)),
+ rv := C.X509_check_email(c.x, (*C.uchar)(cemail), C.size_t(len(email)),
C.uint(flags))
if rv > 0 {
return nil
@@ -97,7 +96,7 @@ func (c *Certificate) CheckEmail(email string, flags CheckFlags) error {
// there was no internal error.
func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error {
cip := unsafe.Pointer(&ip[0])
- rv := C._X509_check_ip(c.x, (*C.uchar)(cip), C.size_t(len(ip)),
+ rv := C.X509_check_ip(c.x, (*C.uchar)(cip), C.size_t(len(ip)),
C.uint(flags))
if rv > 0 {
return nil
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/http.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/http.go
index e3be32c264a..39bd5a28b5f 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/http.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/http.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init.go
index 314e5415c18..17dc6f38751 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
/*
Package openssl is a light wrapper around OpenSSL for Go.
@@ -86,33 +84,7 @@ supported the generality needed to use OpenSSL instead of crypto/tls.
*/
package openssl
-/*
-#include <openssl/ssl.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/engine.h>
-
-extern int Goopenssl_init_locks();
-extern unsigned long Goopenssl_thread_id_callback();
-extern void Goopenssl_thread_locking_callback(int, int, const char*, int);
-
-static int Goopenssl_init_threadsafety() {
- // Set up OPENSSL thread safety callbacks.
- // TOOLS-1694 added setting of thread id callback for compatibility with openssl 0.9.8
- int rc = Goopenssl_init_locks();
- if (rc == 0) {
- CRYPTO_set_locking_callback(Goopenssl_thread_locking_callback);
- }
- CRYPTO_set_id_callback(Goopenssl_thread_id_callback);
- return rc;
-}
-
-static void OpenSSL_add_all_algorithms_not_a_macro() {
- OpenSSL_add_all_algorithms();
-}
-
-*/
+// #include "shim.h"
import "C"
import (
@@ -122,15 +94,8 @@ import (
)
func init() {
- C.ERR_load_crypto_strings()
- C.OPENSSL_config(nil)
- C.ENGINE_load_builtin_engines()
- C.SSL_load_error_strings()
- C.SSL_library_init()
- C.OpenSSL_add_all_algorithms_not_a_macro()
- rc := C.Goopenssl_init_threadsafety()
- if rc != 0 {
- panic(fmt.Errorf("Goopenssl_init_locks failed with %d", rc))
+ if rc := C.X_shim_init(); rc != 0 {
+ panic(fmt.Errorf("X_shim_init failed with %d", rc))
}
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_posix.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_posix.go
index 99558298e3a..d485893bb6e 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_posix.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_posix.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ package openssl
pthread_mutex_t* goopenssl_locks;
-int Goopenssl_init_locks() {
+int go_init_locks() {
int rc = 0;
int nlock;
int i;
@@ -53,7 +53,7 @@ int Goopenssl_init_locks() {
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
-void Goopenssl_thread_locking_callback(int mode, int n, const char *file,
+void go_thread_locking_callback(int mode, int n, const char *file,
int line) {
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&goopenssl_locks[n]);
@@ -61,7 +61,7 @@ void Goopenssl_thread_locking_callback(int mode, int n, const char *file,
pthread_mutex_unlock(&goopenssl_locks[n]);
}
}
-unsigned long Goopenssl_thread_id_callback() {
+unsigned long go_thread_id_callback() {
return (unsigned long) pthread_self();
}
#endif
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_windows.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_windows.go
index ec817926b7a..55079a271cd 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_windows.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_windows.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -17,20 +17,13 @@
package openssl
/*
-
-#cgo windows LDFLAGS: -lssleay32 -llibeay32 -L c:/openssl/bin
-#cgo windows CFLAGS: -I"c:/openssl/include"
-
-#ifndef WIN32_LEAN_AND_MEAN
-#define WIN32_LEAN_AND_MEAN
-#endif
#include <errno.h>
#include <openssl/crypto.h>
#include <windows.h>
CRITICAL_SECTION* goopenssl_locks;
-int Goopenssl_init_locks() {
+int go_init_locks() {
int rc = 0;
int nlock;
int i;
@@ -48,7 +41,7 @@ int Goopenssl_init_locks() {
return 0;
}
-void Goopenssl_thread_locking_callback(int mode, int n, const char *file,
+void go_thread_locking_callback(int mode, int n, const char *file,
int line) {
if (mode & CRYPTO_LOCK) {
EnterCriticalSection(&goopenssl_locks[n]);
@@ -57,7 +50,7 @@ void Goopenssl_thread_locking_callback(int mode, int n, const char *file,
}
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
-unsigned long Goopenssl_thread_id_callback() {
+unsigned long go_thread_id_callback() {
return (unsigned long) GetCurrentThreadId();
}
#endif
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key.go
index cc17f5fcf7d..4e39a38a579 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,35 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-// #include <openssl/evp.h>
-// #include <openssl/ssl.h>
-// #include <openssl/conf.h>
-//
-// int EVP_SignInit_not_a_macro(EVP_MD_CTX *ctx, const EVP_MD *type) {
-// return EVP_SignInit(ctx, type);
-// }
-//
-// int EVP_SignUpdate_not_a_macro(EVP_MD_CTX *ctx, const void *d,
-// unsigned int cnt) {
-// return EVP_SignUpdate(ctx, d, cnt);
-// }
-//
-// int EVP_VerifyInit_not_a_macro(EVP_MD_CTX *ctx, const EVP_MD *type) {
-// return EVP_VerifyInit(ctx, type);
-// }
-//
-// int EVP_VerifyUpdate_not_a_macro(EVP_MD_CTX *ctx, const void *d,
-// unsigned int cnt) {
-// return EVP_VerifyUpdate(ctx, d, cnt);
-// }
-//
-// int EVP_PKEY_assign_charp(EVP_PKEY *pkey, int type, char *key) {
-// return EVP_PKEY_assign(pkey, type, key);
-// }
+// #include "shim.h"
import "C"
import (
@@ -53,25 +27,30 @@ import (
type Method *C.EVP_MD
var (
- SHA1_Method Method = C.EVP_sha1()
- SHA256_Method Method = C.EVP_sha256()
- SHA512_Method Method = C.EVP_sha512()
+ SHA1_Method Method = C.X_EVP_sha1()
+ SHA256_Method Method = C.X_EVP_sha256()
+ SHA512_Method Method = C.X_EVP_sha512()
)
-type PublicKey interface {
- // Verifies the data signature using PKCS1.15
- VerifyPKCS1v15(method Method, data, sig []byte) error
-
- // MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX
- // format
- MarshalPKIXPublicKeyPEM() (pem_block []byte, err error)
-
- // MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX
- // format
- MarshalPKIXPublicKeyDER() (der_block []byte, err error)
-
- evpPKey() *C.EVP_PKEY
-}
+// Constants for the various key types.
+// Mapping of name -> NID taken from openssl/evp.h
+const (
+ KeyTypeNone = NID_undef
+ KeyTypeRSA = NID_rsaEncryption
+ KeyTypeRSA2 = NID_rsa
+ KeyTypeDSA = NID_dsa
+ KeyTypeDSA1 = NID_dsa_2
+ KeyTypeDSA2 = NID_dsaWithSHA
+ KeyTypeDSA3 = NID_dsaWithSHA1
+ KeyTypeDSA4 = NID_dsaWithSHA1_2
+ KeyTypeDH = NID_dhKeyAgreement
+ KeyTypeDHX = NID_dhpublicnumber
+ KeyTypeEC = NID_X9_62_id_ecPublicKey
+ KeyTypeHMAC = NID_hmac
+ KeyTypeCMAC = NID_cmac
+ KeyTypeTLS1PRF = NID_tls1_prf
+ KeyTypeHKDF = NID_hkdf
+)
type PrivateKey interface {
PublicKey
@@ -95,22 +74,21 @@ type pKey struct {
func (key *pKey) evpPKey() *C.EVP_PKEY { return key.key }
func (key *pKey) SignPKCS1v15(method Method, data []byte) ([]byte, error) {
- var ctx C.EVP_MD_CTX
- C.EVP_MD_CTX_init(&ctx)
- defer C.EVP_MD_CTX_cleanup(&ctx)
+ ctx := C.X_EVP_MD_CTX_new()
+ defer C.X_EVP_MD_CTX_free(ctx)
- if 1 != C.EVP_SignInit_not_a_macro(&ctx, method) {
+ if 1 != C.X_EVP_SignInit(ctx, method) {
return nil, errors.New("signpkcs1v15: failed to init signature")
}
if len(data) > 0 {
- if 1 != C.EVP_SignUpdate_not_a_macro(
- &ctx, unsafe.Pointer(&data[0]), C.uint(len(data))) {
+ if 1 != C.X_EVP_SignUpdate(
+ ctx, unsafe.Pointer(&data[0]), C.uint(len(data))) {
return nil, errors.New("signpkcs1v15: failed to update signature")
}
}
- sig := make([]byte, C.EVP_PKEY_size(key.key))
+ sig := make([]byte, C.X_EVP_PKEY_size(key.key))
var sigblen C.uint
- if 1 != C.EVP_SignFinal(&ctx,
+ if 1 != C.X_EVP_SignFinal(ctx,
((*C.uchar)(unsafe.Pointer(&sig[0]))), &sigblen, key.key) {
return nil, errors.New("signpkcs1v15: failed to finalize signature")
}
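Review bot: `ctx := C.X_EVP_MD_CTX_new()` is used without a nil check, and the stack-allocated context it replaces could not fail this way. If the allocation fails, X_EVP_SignInit is handed a NULL context; add `if ctx == nil { return nil, errors.New("signpkcs1v15: failed to allocate EVP_MD_CTX") }` before the defer. VerifyPKCS1v15 in the next hunk has the same gap, and its unchanged `&sig[0]` panics on an empty signature, so a `len(sig) == 0` guard there would let malformed input fail with an error instead. SignPKCS1v15 continues past the end of this hunk.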
@@ -118,45 +96,25 @@ func (key *pKey) SignPKCS1v15(method Method, data []byte) ([]byte, error) {
}
func (key *pKey) VerifyPKCS1v15(method Method, data, sig []byte) error {
- var ctx C.EVP_MD_CTX
- C.EVP_MD_CTX_init(&ctx)
- defer C.EVP_MD_CTX_cleanup(&ctx)
+ ctx := C.X_EVP_MD_CTX_new()
+ defer C.X_EVP_MD_CTX_free(ctx)
- if 1 != C.EVP_VerifyInit_not_a_macro(&ctx, method) {
+ if 1 != C.X_EVP_VerifyInit(ctx, method) {
return errors.New("verifypkcs1v15: failed to init verify")
}
if len(data) > 0 {
- if 1 != C.EVP_VerifyUpdate_not_a_macro(
- &ctx, unsafe.Pointer(&data[0]), C.uint(len(data))) {
+ if 1 != C.X_EVP_VerifyUpdate(
+ ctx, unsafe.Pointer(&data[0]), C.uint(len(data))) {
return errors.New("verifypkcs1v15: failed to update verify")
}
}
- if 1 != C.EVP_VerifyFinal(&ctx,
+ if 1 != C.X_EVP_VerifyFinal(ctx,
((*C.uchar)(unsafe.Pointer(&sig[0]))), C.uint(len(sig)), key.key) {
return errors.New("verifypkcs1v15: failed to finalize verify")
}
return nil
}
-func (key *pKey) MarshalPKCS1PrivateKeyPEM() (pem_block []byte,
- err error) {
- bio := C.BIO_new(C.BIO_s_mem())
- if bio == nil {
- return nil, errors.New("failed to allocate memory BIO")
- }
- defer C.BIO_free(bio)
- rsa := (*C.RSA)(C.EVP_PKEY_get1_RSA(key.key))
- if rsa == nil {
- return nil, errors.New("failed getting rsa key")
- }
- defer C.RSA_free(rsa)
- if int(C.PEM_write_bio_RSAPrivateKey(bio, rsa, nil, nil, C.int(0), nil,
- nil)) != 1 {
- return nil, errors.New("failed dumping private key")
- }
- return ioutil.ReadAll(asAnyBio(bio))
-}
-
func (key *pKey) MarshalPKCS1PrivateKeyDER() (der_block []byte,
err error) {
bio := C.BIO_new(C.BIO_s_mem())
@@ -164,14 +122,11 @@ func (key *pKey) MarshalPKCS1PrivateKeyDER() (der_block []byte,
return nil, errors.New("failed to allocate memory BIO")
}
defer C.BIO_free(bio)
- rsa := (*C.RSA)(C.EVP_PKEY_get1_RSA(key.key))
- if rsa == nil {
- return nil, errors.New("failed getting rsa key")
- }
- defer C.RSA_free(rsa)
- if int(C.i2d_RSAPrivateKey_bio(bio, rsa)) != 1 {
+
+ if int(C.i2d_PrivateKey_bio(bio, key.key)) != 1 {
return nil, errors.New("failed dumping private key der")
}
+
return ioutil.ReadAll(asAnyBio(bio))
}
@@ -182,14 +137,11 @@ func (key *pKey) MarshalPKIXPublicKeyPEM() (pem_block []byte,
return nil, errors.New("failed to allocate memory BIO")
}
defer C.BIO_free(bio)
- rsa := (*C.RSA)(C.EVP_PKEY_get1_RSA(key.key))
- if rsa == nil {
- return nil, errors.New("failed getting rsa key")
- }
- defer C.RSA_free(rsa)
- if int(C.PEM_write_bio_RSA_PUBKEY(bio, rsa)) != 1 {
+
+ if int(C.PEM_write_bio_PUBKEY(bio, key.key)) != 1 {
return nil, errors.New("failed dumping public key pem")
}
+
return ioutil.ReadAll(asAnyBio(bio))
}
@@ -200,14 +152,11 @@ func (key *pKey) MarshalPKIXPublicKeyDER() (der_block []byte,
return nil, errors.New("failed to allocate memory BIO")
}
defer C.BIO_free(bio)
- rsa := (*C.RSA)(C.EVP_PKEY_get1_RSA(key.key))
- if rsa == nil {
- return nil, errors.New("failed getting rsa key")
- }
- defer C.RSA_free(rsa)
- if int(C.i2d_RSA_PUBKEY_bio(bio, rsa)) != 1 {
+
+ if int(C.i2d_PUBKEY_bio(bio, key.key)) != 1 {
return nil, errors.New("failed dumping public key der")
}
+
return ioutil.ReadAll(asAnyBio(bio))
}
@@ -223,31 +172,20 @@ func LoadPrivateKeyFromPEM(pem_block []byte) (PrivateKey, error) {
}
defer C.BIO_free(bio)
- rsakey := C.PEM_read_bio_RSAPrivateKey(bio, nil, nil, nil)
- if rsakey == nil {
- return nil, errors.New("failed reading rsa key")
- }
- defer C.RSA_free(rsakey)
-
- // convert to PKEY
- key := C.EVP_PKEY_new()
+ key := C.PEM_read_bio_PrivateKey(bio, nil, nil, nil)
if key == nil {
- return nil, errors.New("failed converting to evp_pkey")
- }
- if C.EVP_PKEY_set1_RSA(key, (*C.struct_rsa_st)(rsakey)) != 1 {
- C.EVP_PKEY_free(key)
- return nil, errors.New("failed converting to evp_pkey")
+ return nil, errors.New("failed reading private key")
}
p := &pKey{key: key}
runtime.SetFinalizer(p, func(p *pKey) {
- C.EVP_PKEY_free(p.key)
+ C.X_EVP_PKEY_free(p.key)
})
return p, nil
}
-// LoadPrivateKeyFromPEM loads a private key from a PEM-encoded block.
-func LoadPrivateKeyFromPEMWidthPassword(pem_block []byte, password string) (
+// LoadPrivateKeyFromPEMWithPassword loads a private key from a PEM-encoded block.
+func LoadPrivateKeyFromPEMWithPassword(pem_block []byte, password string) (
PrivateKey, error) {
if len(pem_block) == 0 {
return nil, errors.New("empty pem block")
@@ -260,25 +198,14 @@ func LoadPrivateKeyFromPEMWidthPassword(pem_block []byte, password string) (
defer C.BIO_free(bio)
cs := C.CString(password)
defer C.free(unsafe.Pointer(cs))
- rsakey := C.PEM_read_bio_RSAPrivateKey(bio, nil, nil, unsafe.Pointer(cs))
- if rsakey == nil {
- return nil, errors.New("failed reading rsa key")
- }
- defer C.RSA_free(rsakey)
-
- // convert to PKEY
- key := C.EVP_PKEY_new()
+ key := C.PEM_read_bio_PrivateKey(bio, nil, nil, unsafe.Pointer(cs))
if key == nil {
- return nil, errors.New("failed converting to evp_pkey")
- }
- if C.EVP_PKEY_set1_RSA(key, (*C.struct_rsa_st)(rsakey)) != 1 {
- C.EVP_PKEY_free(key)
- return nil, errors.New("failed converting to evp_pkey")
+ return nil, errors.New("failed reading private key")
}
p := &pKey{key: key}
runtime.SetFinalizer(p, func(p *pKey) {
- C.EVP_PKEY_free(p.key)
+ C.X_EVP_PKEY_free(p.key)
})
return p, nil
}
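Review bot: The C copy of the password made by `C.CString(password)` is released with a plain `C.free`, so the passphrase bytes stay behind in freed heap memory. Wiping the buffer before release would limit that: `defer func() { C.OPENSSL_cleanse(unsafe.Pointer(cs), C.size_t(len(password))); C.free(unsafe.Pointer(cs)) }()`, assuming shim.h makes OPENSSL_cleanse available. The Go string itself cannot be cleared, so this narrows the exposure rather than removing it. The function starts in the previous hunk.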
@@ -295,29 +222,25 @@ func LoadPrivateKeyFromDER(der_block []byte) (PrivateKey, error) {
}
defer C.BIO_free(bio)
- rsakey := C.d2i_RSAPrivateKey_bio(bio, nil)
- if rsakey == nil {
- return nil, errors.New("failed reading rsa key")
- }
- defer C.RSA_free(rsakey)
-
- // convert to PKEY
- key := C.EVP_PKEY_new()
+ key := C.d2i_PrivateKey_bio(bio, nil)
if key == nil {
- return nil, errors.New("failed converting to evp_pkey")
- }
- if C.EVP_PKEY_set1_RSA(key, (*C.struct_rsa_st)(rsakey)) != 1 {
- C.EVP_PKEY_free(key)
- return nil, errors.New("failed converting to evp_pkey")
+ return nil, errors.New("failed reading private key der")
}
p := &pKey{key: key}
runtime.SetFinalizer(p, func(p *pKey) {
- C.EVP_PKEY_free(p.key)
+ C.X_EVP_PKEY_free(p.key)
})
return p, nil
}
+// LoadPrivateKeyFromPEMWidthPassword loads a private key from a PEM-encoded block.
+// Backwards-compatible with typo
+func LoadPrivateKeyFromPEMWidthPassword(pem_block []byte, password string) (
+ PrivateKey, error) {
+ return LoadPrivateKeyFromPEMWithPassword(pem_block, password)
+}
+
// LoadPublicKeyFromPEM loads a public key from a PEM-encoded block.
func LoadPublicKeyFromPEM(pem_block []byte) (PublicKey, error) {
if len(pem_block) == 0 {
@@ -330,25 +253,14 @@ func LoadPublicKeyFromPEM(pem_block []byte) (PublicKey, error) {
}
defer C.BIO_free(bio)
- rsakey := C.PEM_read_bio_RSA_PUBKEY(bio, nil, nil, nil)
- if rsakey == nil {
- return nil, errors.New("failed reading rsa key")
- }
- defer C.RSA_free(rsakey)
-
- // convert to PKEY
- key := C.EVP_PKEY_new()
+ key := C.PEM_read_bio_PUBKEY(bio, nil, nil, nil)
if key == nil {
- return nil, errors.New("failed converting to evp_pkey")
- }
- if C.EVP_PKEY_set1_RSA(key, (*C.struct_rsa_st)(rsakey)) != 1 {
- C.EVP_PKEY_free(key)
- return nil, errors.New("failed converting to evp_pkey")
+ return nil, errors.New("failed reading public key der")
}
p := &pKey{key: key}
runtime.SetFinalizer(p, func(p *pKey) {
- C.EVP_PKEY_free(p.key)
+ C.X_EVP_PKEY_free(p.key)
})
return p, nil
}
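Review bot: The error returned when `PEM_read_bio_PUBKEY` fails reads "failed reading public key der", the same text as the DER loader, which will mislead anyone diagnosing a bad PEM input. Change it to `return nil, errors.New("failed reading public key pem")`. The function starts before this hunk.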
@@ -365,25 +277,14 @@ func LoadPublicKeyFromDER(der_block []byte) (PublicKey, error) {
}
defer C.BIO_free(bio)
- rsakey := C.d2i_RSA_PUBKEY_bio(bio, nil)
- if rsakey == nil {
- return nil, errors.New("failed reading rsa key")
- }
- defer C.RSA_free(rsakey)
-
- // convert to PKEY
- key := C.EVP_PKEY_new()
+ key := C.d2i_PUBKEY_bio(bio, nil)
if key == nil {
- return nil, errors.New("failed converting to evp_pkey")
- }
- if C.EVP_PKEY_set1_RSA(key, (*C.struct_rsa_st)(rsakey)) != 1 {
- C.EVP_PKEY_free(key)
- return nil, errors.New("failed converting to evp_pkey")
+ return nil, errors.New("failed reading public key der")
}
p := &pKey{key: key}
runtime.SetFinalizer(p, func(p *pKey) {
- C.EVP_PKEY_free(p.key)
+ C.X_EVP_PKEY_free(p.key)
})
return p, nil
}
@@ -399,17 +300,17 @@ func GenerateRSAKeyWithExponent(bits int, exponent int) (PrivateKey, error) {
if rsa == nil {
return nil, errors.New("failed to generate RSA key")
}
- key := C.EVP_PKEY_new()
+ key := C.X_EVP_PKEY_new()
if key == nil {
return nil, errors.New("failed to allocate EVP_PKEY")
}
- if C.EVP_PKEY_assign_charp(key, C.EVP_PKEY_RSA, (*C.char)(unsafe.Pointer(rsa))) != 1 {
- C.EVP_PKEY_free(key)
+ if C.X_EVP_PKEY_assign_charp(key, C.EVP_PKEY_RSA, (*C.char)(unsafe.Pointer(rsa))) != 1 {
+ C.X_EVP_PKEY_free(key)
return nil, errors.New("failed to assign RSA key")
}
p := &pKey{key: key}
runtime.SetFinalizer(p, func(p *pKey) {
- C.EVP_PKEY_free(p.key)
+ C.X_EVP_PKEY_free(p.key)
})
return p, nil
}
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_0_9.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_0_9.go
new file mode 100644
index 00000000000..ed17ef08a40
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_0_9.go
@@ -0,0 +1,58 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build openssl_pre_1.0
+
+package openssl
+
+// #include "shim.h"
+import "C"
+import (
+ "errors"
+ "io/ioutil"
+)
+
+type PublicKey interface {
+ // Verifies the data signature using PKCS1.15
+ VerifyPKCS1v15(method Method, data, sig []byte) error
+
+ // MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX
+ // format
+ MarshalPKIXPublicKeyPEM() (pem_block []byte, err error)
+
+ // MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX
+ // format
+ MarshalPKIXPublicKeyDER() (der_block []byte, err error)
+
+ evpPKey() *C.EVP_PKEY
+}
+
+func (key *pKey) MarshalPKCS1PrivateKeyPEM() (pem_block []byte,
+ err error) {
+ bio := C.BIO_new(C.BIO_s_mem())
+ if bio == nil {
+ return nil, errors.New("failed to allocate memory BIO")
+ }
+ defer C.BIO_free(bio)
+ rsa := (*C.RSA)(C.EVP_PKEY_get1_RSA(key.key))
+ if rsa == nil {
+ return nil, errors.New("failed getting rsa key")
+ }
+ defer C.RSA_free(rsa)
+ if int(C.PEM_write_bio_RSAPrivateKey(bio, rsa, nil, nil, C.int(0), nil,
+ nil)) != 1 {
+ return nil, errors.New("failed dumping private key")
+ }
+ return ioutil.ReadAll(asAnyBio(bio))
+}
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0.go
new file mode 100644
index 00000000000..6ea2a46e073
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0.go
@@ -0,0 +1,132 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !openssl_pre_1.0
+
+package openssl
+
+// #include "shim.h"
+import "C"
+
+import (
+ "errors"
+ "io/ioutil"
+ "runtime"
+)
+
+type PublicKey interface {
+ // Verifies the data signature using PKCS1.15
+ VerifyPKCS1v15(method Method, data, sig []byte) error
+
+ // MarshalPKIXPublicKeyPEM converts the public key to PEM-encoded PKIX
+ // format
+ MarshalPKIXPublicKeyPEM() (pem_block []byte, err error)
+
+ // MarshalPKIXPublicKeyDER converts the public key to DER-encoded PKIX
+ // format
+ MarshalPKIXPublicKeyDER() (der_block []byte, err error)
+
+ // KeyType returns an identifier for what kind of key is represented by this
+ // object.
+ KeyType() NID
+
+ // BaseType returns an identifier for what kind of key is represented
+ // by this object.
+ // Keys that share same algorithm but use different legacy formats
+ // will have the same BaseType.
+ //
+ // For example, a key with a `KeyType() == KeyTypeRSA` and a key with a
+ // `KeyType() == KeyTypeRSA2` would both have `BaseType() == KeyTypeRSA`.
+ BaseType() NID
+
+ evpPKey() *C.EVP_PKEY
+}
+
+func (key *pKey) MarshalPKCS1PrivateKeyPEM() (pem_block []byte,
+ err error) {
+ bio := C.BIO_new(C.BIO_s_mem())
+ if bio == nil {
+ return nil, errors.New("failed to allocate memory BIO")
+ }
+ defer C.BIO_free(bio)
+
+ // PEM_write_bio_PrivateKey_traditional will use the key-specific PKCS1
+ // format if one is available for that key type, otherwise it will encode
+ // to a PKCS8 key.
+ if int(C.X_PEM_write_bio_PrivateKey_traditional(bio, key.key, nil, nil,
+ C.int(0), nil, nil)) != 1 {
+ return nil, errors.New("failed dumping private key")
+ }
+
+ return ioutil.ReadAll(asAnyBio(bio))
+}
+
+func (key *pKey) KeyType() NID {
+ return NID(C.EVP_PKEY_id(key.key))
+}
+
+func (key *pKey) BaseType() NID {
+ return NID(C.EVP_PKEY_base_id(key.key))
+}
+
+// GenerateECKey generates a new elliptic curve private key on the speicified
+// curve.
+func GenerateECKey(curve EllipticCurve) (PrivateKey, error) {
+
+ // Create context for parameter generation
+ paramCtx := C.EVP_PKEY_CTX_new_id(C.EVP_PKEY_EC, nil)
+ if paramCtx == nil {
+ return nil, errors.New("failed creating EC parameter generation context")
+ }
+ defer C.EVP_PKEY_CTX_free(paramCtx)
+
+ // Intialize the parameter generation
+ if int(C.EVP_PKEY_paramgen_init(paramCtx)) != 1 {
+ return nil, errors.New("failed initializing EC parameter generation context")
+ }
+
+ // Set curve in EC parameter generation context
+ if int(C.X_EVP_PKEY_CTX_set_ec_paramgen_curve_nid(paramCtx, C.int(curve))) != 1 {
+ return nil, errors.New("failed setting curve in EC parameter generation context")
+ }
+
+ // Create parameter object
+ var params *C.EVP_PKEY
+ if int(C.EVP_PKEY_paramgen(paramCtx, &params)) != 1 {
+ return nil, errors.New("failed creating EC key generation parameters")
+ }
+ defer C.EVP_PKEY_free(params)
+
+ // Create context for the key generation
+ keyCtx := C.EVP_PKEY_CTX_new(params, nil)
+ if keyCtx == nil {
+ return nil, errors.New("failed creating EC key generation context")
+ }
+ defer C.EVP_PKEY_CTX_free(keyCtx)
+
+ // Generate the key
+ var privKey *C.EVP_PKEY
+ if int(C.EVP_PKEY_keygen_init(keyCtx)) != 1 {
+ return nil, errors.New("failed initializing EC key generation context")
+ }
+ if int(C.EVP_PKEY_keygen(keyCtx, &privKey)) != 1 {
+ return nil, errors.New("failed generating EC private key")
+ }
+
+ p := &pKey{key: privKey}
+ runtime.SetFinalizer(p, func(p *pKey) {
+ C.X_EVP_PKEY_free(p.key)
+ })
+ return p, nil
+}
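Review bot: GenerateECKey frees the parameter object with `C.EVP_PKEY_free(params)` while the finalizer a few lines later goes through the shim as `C.X_EVP_PKEY_free`; using the shim call in both places keeps the file consistent with the rest of the package after this commit. The comments also carry two typos, `speicified` and `Intialize`. Separately, MarshalPKCS1PrivateKeyPEM passes nil for the cipher, so the PEM it returns is unencrypted. A doc comment such as `// The returned PEM is not encrypted; callers must protect it.` would tell callers to treat the output as raw key material.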
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0_test.go
new file mode 100644
index 00000000000..c7987d9156f
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_1_0_test.go
@@ -0,0 +1,145 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !openssl_pre_1.0
+
+package openssl
+
+import (
+ "bytes"
+ "crypto/ecdsa"
+ "crypto/tls"
+ "crypto/x509"
+ "encoding/hex"
+ pem_pkg "encoding/pem"
+ "io/ioutil"
+ "testing"
+)
+
+func TestMarshalEC(t *testing.T) {
+ key, err := LoadPrivateKeyFromPEM(prime256v1KeyBytes)
+ if err != nil {
+ t.Fatal(err)
+ }
+ cert, err := LoadCertificateFromPEM(prime256v1CertBytes)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ privateBlock, _ := pem_pkg.Decode(prime256v1KeyBytes)
+ key, err = LoadPrivateKeyFromDER(privateBlock.Bytes)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ pem, err := cert.MarshalPEM()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !bytes.Equal(pem, prime256v1CertBytes) {
+ ioutil.WriteFile("generated", pem, 0644)
+ ioutil.WriteFile("hardcoded", prime256v1CertBytes, 0644)
+ t.Fatal("invalid cert pem bytes")
+ }
+
+ pem, err = key.MarshalPKCS1PrivateKeyPEM()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !bytes.Equal(pem, prime256v1KeyBytes) {
+ ioutil.WriteFile("generated", pem, 0644)
+ ioutil.WriteFile("hardcoded", prime256v1KeyBytes, 0644)
+ t.Fatal("invalid private key pem bytes")
+ }
+ tls_cert, err := tls.X509KeyPair(prime256v1CertBytes, prime256v1KeyBytes)
+ if err != nil {
+ t.Fatal(err)
+ }
+ tls_key, ok := tls_cert.PrivateKey.(*ecdsa.PrivateKey)
+ if !ok {
+ t.Fatal("FASDFASDF")
+ }
+ _ = tls_key
+
+ der, err := key.MarshalPKCS1PrivateKeyDER()
+ if err != nil {
+ t.Fatal(err)
+ }
+ tls_der, err := x509.MarshalECPrivateKey(tls_key)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !bytes.Equal(der, tls_der) {
+ t.Fatalf("invalid private key der bytes: %s\n v.s. %s\n",
+ hex.Dump(der), hex.Dump(tls_der))
+ }
+
+ der, err = key.MarshalPKIXPublicKeyDER()
+ if err != nil {
+ t.Fatal(err)
+ }
+ tls_der, err = x509.MarshalPKIXPublicKey(&tls_key.PublicKey)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !bytes.Equal(der, tls_der) {
+ ioutil.WriteFile("generated", []byte(hex.Dump(der)), 0644)
+ ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ t.Fatal("invalid public key der bytes")
+ }
+
+ pem, err = key.MarshalPKIXPublicKeyPEM()
+ if err != nil {
+ t.Fatal(err)
+ }
+ tls_pem := pem_pkg.EncodeToMemory(&pem_pkg.Block{
+ Type: "PUBLIC KEY", Bytes: tls_der})
+ if !bytes.Equal(pem, tls_pem) {
+ ioutil.WriteFile("generated", pem, 0644)
+ ioutil.WriteFile("hardcoded", tls_pem, 0644)
+ t.Fatal("invalid public key pem bytes")
+ }
+
+ loaded_pubkey_from_pem, err := LoadPublicKeyFromPEM(pem)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ loaded_pubkey_from_der, err := LoadPublicKeyFromDER(der)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ new_der_from_pem, err := loaded_pubkey_from_pem.MarshalPKIXPublicKeyDER()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ new_der_from_der, err := loaded_pubkey_from_der.MarshalPKIXPublicKeyDER()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if !bytes.Equal(new_der_from_der, tls_der) {
+ ioutil.WriteFile("generated", []byte(hex.Dump(new_der_from_der)), 0644)
+ ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ t.Fatal("invalid public key der bytes")
+ }
+
+ if !bytes.Equal(new_der_from_pem, tls_der) {
+ ioutil.WriteFile("generated", []byte(hex.Dump(new_der_from_pem)), 0644)
+ ioutil.WriteFile("hardcoded", []byte(hex.Dump(tls_der)), 0644)
+ t.Fatal("invalid public key der bytes")
+ }
+}
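Review bot: In TestMarshalEC the result of `pem_pkg.Decode(prime256v1KeyBytes)` is used as `privateBlock.Bytes` without a nil check, so a fixture that fails to decode panics the test binary instead of failing the test. I would add `if privateBlock == nil { t.Fatal("no PEM block found in prime256v1KeyBytes") }` before the `LoadPrivateKeyFromDER` call. The placeholder `t.Fatal("FASDFASDF")` should say what failed, e.g. `t.Fatal("tls certificate private key is not *ecdsa.PrivateKey")`. The mismatch branches also write private-key PEM into the working directory as `generated`/`hardcoded` with mode 0644 and ignore the write error; `t.Logf` of the two values, or a file under a temporary directory with mode 0600, keeps key material out of the source tree even though this is only a fixture key.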
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_test.go
index 0af90128530..635ef638ec9 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -76,7 +76,7 @@ func TestMarshal(t *testing.T) {
}
tls_der := x509.MarshalPKCS1PrivateKey(tls_key)
if !bytes.Equal(der, tls_der) {
- t.Fatal("invalid private key der bytes: %s\n v.s. %s\n",
+ t.Fatalf("invalid private key der bytes: %s\n v.s. %s\n",
hex.Dump(der), hex.Dump(tls_der))
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/mapping.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/mapping.go
index 066aba6b5db..d78cc703472 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/mapping.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/mapping.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
import (
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/net.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/net.go
index 0d9d72b0e00..15c897addd1 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/net.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/net.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -80,6 +80,27 @@ func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
return DialSession(network, addr, ctx, flags, nil)
}
+// DialWithDialer will connect to network/address using the provided dialer and
+// then wrap the corresponding underlying connection with an OpenSSL client
+// connection using context ctx. If flags includes InsecureSkipHostVerification,
+// the server certificate's hostname will not be checked to match the hostname
+// in addr. Otherwise, flags should be 0.
+//
+// Dial probably won't work for you unless you set a verify location or add
+// some certs to the certificate store of the client context you're using.
+// This library is not nice enough to use the system certificate store by
+// default for you yet.
+func DialWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
+ return dialSessionWithDialer(
+ dialer,
+ network,
+ addr,
+ ctx,
+ flags,
+ nil,
+ )
+}
+
// DialSession will connect to network/address and then wrap the corresponding
// underlying connection with an OpenSSL client connection using context ctx.
// If flags includes InsecureSkipHostVerification, the server certificate's
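Review bot: A nil `dialer` passed to the new exported `DialWithDialer` is forwarded unchanged and reaches `dialer.Dial(network, addr)` in `dialSessionWithDialer` (the two following hunks), where it panics with a nil pointer dereference. A guard at the top of `dialSessionWithDialer`, `if dialer == nil { dialer = new(net.Dialer) }`, gives it the same behaviour as `Dial`. The second paragraph of the doc comment still says "Dial probably won't work for you", carried over from `Dial`, and should name `DialWithDialer`. `dialSessionWithDialer` has no comment of its own; something like `// dialSessionWithDialer is the shared implementation of Dial, DialSession and DialWithDialer.` would do. Its body continues outside the hunks shown.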
@@ -95,6 +116,18 @@ func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
// can be retrieved from the GetSession method on the Conn.
func DialSession(network, addr string, ctx *Ctx, flags DialFlags,
session []byte) (*Conn, error) {
+ return dialSessionWithDialer(
+ new(net.Dialer),
+ network,
+ addr,
+ ctx,
+ flags,
+ session,
+ )
+}
+
+func dialSessionWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags,
+ session []byte) (*Conn, error) {
host, _, err := net.SplitHostPort(addr)
if err != nil {
@@ -108,7 +141,7 @@ func DialSession(network, addr string, ctx *Ctx, flags DialFlags,
}
// TODO: use operating system default certificate chain?
}
- c, err := net.Dial(network, addr)
+ c, err := dialer.Dial(network, addr)
if err != nil {
return nil, err
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/nid.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/nid.go
index c80f237b605..6766b849e76 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/nid.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/nid.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Ryan Hileman
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@ package openssl
type NID int
const (
+ NID_undef NID = 0
NID_rsadsi NID = 1
NID_pkcs NID = 2
NID_md2 NID = 3
@@ -196,4 +197,10 @@ const (
NID_ad_OCSP NID = 178
NID_ad_ca_issuers NID = 179
NID_OCSP_sign NID = 180
+ NID_X9_62_id_ecPublicKey NID = 408
+ NID_hmac NID = 855
+ NID_cmac NID = 894
+ NID_dhpublicnumber NID = 920
+ NID_tls1_prf NID = 1021
+ NID_hkdf NID = 1036
)
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/password.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/password.c
index db9582ca726..db9582ca726 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/password.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/password.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/pem.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/pem.go
index 6dad5972dbd..c8b0c1cf19d 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/pem.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/pem.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Ryan Hileman
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1.go
index 2592b6627d1..c227bee8461 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,18 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-/*
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "openssl/evp.h"
-*/
+// #include "shim.h"
import "C"
import (
@@ -33,7 +24,7 @@ import (
)
type SHA1Hash struct {
- ctx C.EVP_MD_CTX
+ ctx *C.EVP_MD_CTX
engine *Engine
}
@@ -41,7 +32,10 @@ func NewSHA1Hash() (*SHA1Hash, error) { return NewSHA1HashWithEngine(nil) }
func NewSHA1HashWithEngine(e *Engine) (*SHA1Hash, error) {
hash := &SHA1Hash{engine: e}
- C.EVP_MD_CTX_init(&hash.ctx)
+ hash.ctx = C.X_EVP_MD_CTX_new()
+ if hash.ctx == nil {
+ return nil, errors.New("openssl: sha1: unable to allocate ctx")
+ }
runtime.SetFinalizer(hash, func(hash *SHA1Hash) { hash.Close() })
if err := hash.Reset(); err != nil {
return nil, err
@@ -50,7 +44,10 @@ func NewSHA1HashWithEngine(e *Engine) (*SHA1Hash, error) {
}
func (s *SHA1Hash) Close() {
- C.EVP_MD_CTX_cleanup(&s.ctx)
+ if s.ctx != nil {
+ C.X_EVP_MD_CTX_free(s.ctx)
+ s.ctx = nil
+ }
}
func engineRef(e *Engine) *C.ENGINE {
@@ -61,7 +58,7 @@ func engineRef(e *Engine) *C.ENGINE {
}
func (s *SHA1Hash) Reset() error {
- if 1 != C.EVP_DigestInit_ex(&s.ctx, C.EVP_sha1(), engineRef(s.engine)) {
+ if 1 != C.X_EVP_DigestInit_ex(s.ctx, C.X_EVP_sha1(), engineRef(s.engine)) {
return errors.New("openssl: sha1: cannot init digest ctx")
}
return nil
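Review bot: Once `Close()` has run, `s.ctx` is nil, and `Reset` here passes it straight to `C.X_EVP_DigestInit_ex`. With the old embedded `C.EVP_MD_CTX` a cleaned-up context could still be re-initialised, whereas a nil pointer is presumably dereferenced inside OpenSSL and takes the process down. The `Write` and `Sum` hunks below have the same gap, as do the `Reset`, `Write` and `Sum` hunks in sha256.go. A guard at the top of each method, e.g. `if s.ctx == nil { return errors.New("openssl: sha1: hash is closed") }`, turns use-after-Close into an ordinary error. `Write` and `Sum` continue outside their hunks.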
@@ -71,7 +68,7 @@ func (s *SHA1Hash) Write(p []byte) (n int, err error) {
if len(p) == 0 {
return 0, nil
}
- if 1 != C.EVP_DigestUpdate(&s.ctx, unsafe.Pointer(&p[0]),
+ if 1 != C.X_EVP_DigestUpdate(s.ctx, unsafe.Pointer(&p[0]),
C.size_t(len(p))) {
return 0, errors.New("openssl: sha1: cannot update digest")
}
@@ -79,7 +76,7 @@ func (s *SHA1Hash) Write(p []byte) (n int, err error) {
}
func (s *SHA1Hash) Sum() (result [20]byte, err error) {
- if 1 != C.EVP_DigestFinal_ex(&s.ctx,
+ if 1 != C.X_EVP_DigestFinal_ex(s.ctx,
(*C.uchar)(unsafe.Pointer(&result[0])), nil) {
return result, errors.New("openssl: sha1: cannot finalize ctx")
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1_test.go
index 37037e4468b..37808b5a53e 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
import (
@@ -37,7 +35,7 @@ func TestSHA1(t *testing.T) {
}
if expected != got {
- t.Fatal("exp:%x got:%x", expected, got)
+ t.Fatalf("exp:%x got:%x", expected, got)
}
}
}
@@ -75,7 +73,7 @@ func TestSHA1Writer(t *testing.T) {
}
if got != exp {
- t.Fatal("exp:%x got:%x", exp, got)
+ t.Fatalf("exp:%x got:%x", exp, got)
}
}
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256.go
index 6785b32f881..d25c7a959d7 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,18 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-/*
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "openssl/evp.h"
-*/
+// #include "shim.h"
import "C"
import (
@@ -33,7 +24,7 @@ import (
)
type SHA256Hash struct {
- ctx C.EVP_MD_CTX
+ ctx *C.EVP_MD_CTX
engine *Engine
}
@@ -41,7 +32,10 @@ func NewSHA256Hash() (*SHA256Hash, error) { return NewSHA256HashWithEngine(nil)
func NewSHA256HashWithEngine(e *Engine) (*SHA256Hash, error) {
hash := &SHA256Hash{engine: e}
- C.EVP_MD_CTX_init(&hash.ctx)
+ hash.ctx = C.X_EVP_MD_CTX_new()
+ if hash.ctx == nil {
+ return nil, errors.New("openssl: sha256: unable to allocate ctx")
+ }
runtime.SetFinalizer(hash, func(hash *SHA256Hash) { hash.Close() })
if err := hash.Reset(); err != nil {
return nil, err
@@ -50,11 +44,14 @@ func NewSHA256HashWithEngine(e *Engine) (*SHA256Hash, error) {
}
func (s *SHA256Hash) Close() {
- C.EVP_MD_CTX_cleanup(&s.ctx)
+ if s.ctx != nil {
+ C.X_EVP_MD_CTX_free(s.ctx)
+ s.ctx = nil
+ }
}
func (s *SHA256Hash) Reset() error {
- if 1 != C.EVP_DigestInit_ex(&s.ctx, C.EVP_sha256(), engineRef(s.engine)) {
+ if 1 != C.X_EVP_DigestInit_ex(s.ctx, C.X_EVP_sha256(), engineRef(s.engine)) {
return errors.New("openssl: sha256: cannot init digest ctx")
}
return nil
@@ -64,7 +61,7 @@ func (s *SHA256Hash) Write(p []byte) (n int, err error) {
if len(p) == 0 {
return 0, nil
}
- if 1 != C.EVP_DigestUpdate(&s.ctx, unsafe.Pointer(&p[0]),
+ if 1 != C.X_EVP_DigestUpdate(s.ctx, unsafe.Pointer(&p[0]),
C.size_t(len(p))) {
return 0, errors.New("openssl: sha256: cannot update digest")
}
@@ -72,7 +69,7 @@ func (s *SHA256Hash) Write(p []byte) (n int, err error) {
}
func (s *SHA256Hash) Sum() (result [32]byte, err error) {
- if 1 != C.EVP_DigestFinal_ex(&s.ctx,
+ if 1 != C.X_EVP_DigestFinal_ex(s.ctx,
(*C.uchar)(unsafe.Pointer(&result[0])), nil) {
return result, errors.New("openssl: sha256: cannot finalize ctx")
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256_test.go
index 89df88afd44..467e503ab42 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
import (
@@ -37,7 +35,7 @@ func TestSHA256(t *testing.T) {
}
if expected != got {
- t.Fatal("exp:%x got:%x", expected, got)
+ t.Fatalf("exp:%x got:%x", expected, got)
}
}
}
@@ -75,7 +73,7 @@ func TestSHA256Writer(t *testing.T) {
}
if got != exp {
- t.Fatal("exp:%x got:%x", exp, got)
+ t.Fatalf("exp:%x got:%x", exp, got)
}
}
}
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.c
new file mode 100644
index 00000000000..f26d75e211c
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.c
@@ -0,0 +1,737 @@
+/*
+ * Copyright (C) 2014 Space Monkey, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <string.h>
+
+#include "shim.h"
+
+#include "_cgo_export.h"
+
+/*
+ * Functions defined in other .c files
+ */
+extern int go_init_locks();
+extern unsigned long go_thread_id_callback();
+extern void go_thread_locking_callback(int, int, const char*, int);
+static int go_write_bio_puts(BIO *b, const char *str) {
+ return go_write_bio_write(b, (char*)str, (int)strlen(str));
+}
+
+/*
+ ************************************************
+ * v1.1.X and later implementation
+ ************************************************
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
+
+void X_BIO_set_data(BIO* bio, void* data) {
+ BIO_set_data(bio, data);
+}
+
+void* X_BIO_get_data(BIO* bio) {
+ return BIO_get_data(bio);
+}
+
+EVP_MD_CTX* X_EVP_MD_CTX_new() {
+ return EVP_MD_CTX_new();
+}
+
+void X_EVP_MD_CTX_free(EVP_MD_CTX* ctx) {
+ EVP_MD_CTX_free(ctx);
+}
+
+static int x_bio_create(BIO *b) {
+ BIO_set_shutdown(b, 1);
+ BIO_set_init(b, 1);
+ BIO_set_data(b, NULL);
+ BIO_clear_flags(b, ~0);
+ return 1;
+}
+
+static int x_bio_free(BIO *b) {
+ return 1;
+}
+
+static BIO_METHOD *writeBioMethod;
+static BIO_METHOD *readBioMethod;
+
+BIO_METHOD* BIO_s_readBio() { return readBioMethod; }
+BIO_METHOD* BIO_s_writeBio() { return writeBioMethod; }
+
+int x_bio_init_methods() {
+ writeBioMethod = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "Go Write BIO");
+ if (!writeBioMethod) {
+ return 1;
+ }
+ if (1 != BIO_meth_set_write(writeBioMethod,
+ (int (*)(BIO *, const char *, int))go_write_bio_write)) {
+ return 2;
+ }
+ if (1 != BIO_meth_set_puts(writeBioMethod, go_write_bio_puts)) {
+ return 3;
+ }
+ if (1 != BIO_meth_set_ctrl(writeBioMethod, go_write_bio_ctrl)) {
+ return 4;
+ }
+ if (1 != BIO_meth_set_create(writeBioMethod, x_bio_create)) {
+ return 5;
+ }
+ if (1 != BIO_meth_set_destroy(writeBioMethod, x_bio_free)) {
+ return 6;
+ }
+
+ readBioMethod = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "Go Read BIO");
+ if (!readBioMethod) {
+ return 7;
+ }
+ if (1 != BIO_meth_set_read(readBioMethod, go_read_bio_read)) {
+ return 8;
+ }
+ if (1 != BIO_meth_set_ctrl(readBioMethod, go_read_bio_ctrl)) {
+ return 9;
+ }
+ if (1 != BIO_meth_set_create(readBioMethod, x_bio_create)) {
+ return 10;
+ }
+ if (1 != BIO_meth_set_destroy(readBioMethod, x_bio_free)) {
+ return 11;
+ }
+
+ return 0;
+}
+
+const EVP_MD *X_EVP_dss() {
+ return NULL;
+}
+
+const EVP_MD *X_EVP_dss1() {
+ return NULL;
+}
+
+const EVP_MD *X_EVP_sha() {
+ return NULL;
+}
+
+int X_EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) {
+ return EVP_CIPHER_CTX_encrypting(ctx);
+}
+
+int X_X509_add_ref(X509* x509) {
+ return X509_up_ref(x509);
+}
+
+const ASN1_TIME *X_X509_get0_notBefore(const X509 *x) {
+ return X509_get0_notBefore(x);
+}
+
+const ASN1_TIME *X_X509_get0_notAfter(const X509 *x) {
+ return X509_get0_notAfter(x);
+}
+
+HMAC_CTX *X_HMAC_CTX_new(void) {
+ return HMAC_CTX_new();
+}
+
+void X_HMAC_CTX_free(HMAC_CTX *ctx) {
+ HMAC_CTX_free(ctx);
+}
+
+int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u) {
+ return PEM_write_bio_PrivateKey_traditional(bio, key, enc, kstr, klen, cb, u);
+}
+
+#endif
+
+
+
+/*
+ ************************************************
+ * v1.0.X implementation
+ ************************************************
+ */
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
+
+static int x_bio_create(BIO *b) {
+ b->shutdown = 1;
+ b->init = 1;
+ b->num = -1;
+ b->ptr = NULL;
+ b->flags = 0;
+ return 1;
+}
+
+static int x_bio_free(BIO *b) {
+ return 1;
+}
+
+static BIO_METHOD writeBioMethod = {
+ BIO_TYPE_SOURCE_SINK,
+ "Go Write BIO",
+ (int (*)(BIO *, const char *, int))go_write_bio_write,
+ NULL,
+ go_write_bio_puts,
+ NULL,
+ go_write_bio_ctrl,
+ x_bio_create,
+ x_bio_free,
+ NULL};
+
+static BIO_METHOD* BIO_s_writeBio() { return &writeBioMethod; }
+
+static BIO_METHOD readBioMethod = {
+ BIO_TYPE_SOURCE_SINK,
+ "Go Read BIO",
+ NULL,
+ go_read_bio_read,
+ NULL,
+ NULL,
+ go_read_bio_ctrl,
+ x_bio_create,
+ x_bio_free,
+ NULL};
+
+static BIO_METHOD* BIO_s_readBio() { return &readBioMethod; }
+
+int x_bio_init_methods() {
+ /* statically initialized above */
+ return 0;
+}
+
+void X_BIO_set_data(BIO* bio, void* data) {
+ bio->ptr = data;
+}
+
+void* X_BIO_get_data(BIO* bio) {
+ return bio->ptr;
+}
+
+EVP_MD_CTX* X_EVP_MD_CTX_new() {
+ return EVP_MD_CTX_create();
+}
+
+void X_EVP_MD_CTX_free(EVP_MD_CTX* ctx) {
+ EVP_MD_CTX_destroy(ctx);
+}
+
+int X_X509_add_ref(X509* x509) {
+ CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
+ return 1;
+}
+
+const ASN1_TIME *X_X509_get0_notBefore(const X509 *x) {
+ return x->cert_info->validity->notBefore;
+}
+
+const ASN1_TIME *X_X509_get0_notAfter(const X509 *x) {
+ return x->cert_info->validity->notAfter;
+}
+
+const EVP_MD *X_EVP_dss() {
+ return EVP_dss();
+}
+
+const EVP_MD *X_EVP_dss1() {
+ return EVP_dss1();
+}
+
+const EVP_MD *X_EVP_sha() {
+ return EVP_sha();
+}
+
+int X_EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) {
+ return ctx->encrypt;
+}
+
+HMAC_CTX *X_HMAC_CTX_new(void) {
+ /* v1.1.0 uses a OPENSSL_zalloc to allocate the memory which does not exist
+ * in previous versions. malloc+memset to get the same behavior */
+ HMAC_CTX *ctx = (HMAC_CTX *)OPENSSL_malloc(sizeof(HMAC_CTX));
+ if (ctx) {
+ memset(ctx, 0, sizeof(HMAC_CTX));
+ HMAC_CTX_init(ctx);
+ }
+ return ctx;
+}
+
+void X_HMAC_CTX_free(HMAC_CTX *ctx) {
+ if (ctx) {
+ HMAC_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u) {
+#if OPENSSL_VERSION_NUMBER > 0x10000000L
+ /* PEM_write_bio_PrivateKey always tries to use the PKCS8 format if it
+ * is available, instead of using the "traditional" format as stated in the
+ * OpenSSL man page.
+ * i2d_PrivateKey should give us the correct DER encoding, so we'll just
+ * use PEM_ASN1_write_bio directly to write the DER encoding with the correct
+ * type header. */
+
+ int ppkey_id, pkey_base_id, ppkey_flags;
+ const char *pinfo, *ppem_str;
+ char pem_type_str[80];
+
+ // Lookup the ASN1 method information to get the pem type
+ if (EVP_PKEY_asn1_get0_info(&ppkey_id, &pkey_base_id, &ppkey_flags, &pinfo, &ppem_str, key->ameth) != 1) {
+ return 0;
+ }
+ // Set up the PEM type string
+ if (BIO_snprintf(pem_type_str, 80, "%s PRIVATE KEY", ppem_str) <= 0) {
+ // Failed to write out the pem type string, something is really wrong.
+ return 0;
+ }
+ // Write out everything to the BIO
+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
+ pem_type_str, bio, key, enc, kstr, klen, cb, u);
+#else
+ return -1;
+#endif
+}
+
+#endif
+
+
+
+/*
+ ************************************************
+ * common implementation
+ ************************************************
+ */
+
+int X_shim_init() {
+ int rc = 0;
+
+ OPENSSL_config(NULL);
+ ENGINE_load_builtin_engines();
+ SSL_load_error_strings();
+ SSL_library_init();
+ OpenSSL_add_all_algorithms();
+ //
+ // Set up OPENSSL thread safety callbacks. We only set the locking
+ // callback because the default id callback implementation is good
+ // enough for us.
+ rc = go_init_locks();
+ if (rc != 0) {
+ return rc;
+ }
+ CRYPTO_set_locking_callback(go_thread_locking_callback);
+
+ CRYPTO_set_id_callback(go_thread_id_callback);
+
+ rc = x_bio_init_methods();
+ if (rc != 0) {
+ return rc;
+ }
+
+ return 0;
+}
+
+void * X_OPENSSL_malloc(size_t size) {
+ return OPENSSL_malloc(size);
+}
+
+void X_OPENSSL_free(void *ref) {
+ OPENSSL_free(ref);
+}
+
+long X_SSL_set_options(SSL* ssl, long options) {
+ return SSL_set_options(ssl, options);
+}
+
+long X_SSL_get_options(SSL* ssl) {
+ return SSL_get_options(ssl);
+}
+
+long X_SSL_clear_options(SSL* ssl, long options) {
+ return SSL_clear_options(ssl, options);
+}
+
+long X_SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
+ return SSL_set_tlsext_host_name(ssl, name);
+}
+const char * X_SSL_get_cipher_name(const SSL *ssl) {
+ return SSL_get_cipher_name(ssl);
+}
+int X_SSL_session_reused(SSL *ssl) {
+ return SSL_session_reused(ssl);
+}
+
+int X_SSL_new_index() {
+ return SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+}
+
+int X_SSL_verify_cb(int ok, X509_STORE_CTX* store) {
+ SSL* ssl = (SSL *)X509_STORE_CTX_get_ex_data(store,
+ SSL_get_ex_data_X509_STORE_CTX_idx());
+ void* p = SSL_get_ex_data(ssl, get_ssl_idx());
+ // get the pointer to the go Ctx object and pass it back into the thunk
+ return go_ssl_verify_cb_thunk(p, ok, store);
+}
+
+const SSL_METHOD *X_SSLv23_method() {
+ return SSLv23_method();
+}
+
+const SSL_METHOD *X_SSLv3_method() {
+#ifndef OPENSSL_NO_SSL3_METHOD
+ return SSLv3_method();
+#else
+ return NULL;
+#endif
+}
+
+const SSL_METHOD *X_TLSv1_method() {
+ return TLSv1_method();
+}
+
+/*
+const SSL_METHOD *X_TLSv1_1_method() {
+#if defined(TLS1_1_VERSION) && !defined(OPENSSL_SYSNAME_MACOSX)
+ return TLSv1_1_method();
+#else
+ return NULL;
+#endif
+}
+
+const SSL_METHOD *X_TLSv1_2_method() {
+#if defined(TLS1_2_VERSION) && !defined(OPENSSL_SYSNAME_MACOSX)
+ return TLSv1_2_method();
+#else
+ return NULL;
+#endif
+}
+
+*/
+int X_SSL_CTX_new_index() {
+ return SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+}
+
+long X_SSL_CTX_set_options(SSL_CTX* ctx, long options) {
+ return SSL_CTX_set_options(ctx, options);
+}
+
+long X_SSL_CTX_clear_options(SSL_CTX* ctx, long options) {
+ return SSL_CTX_clear_options(ctx, options);
+}
+
+long X_SSL_CTX_get_options(SSL_CTX* ctx) {
+ return SSL_CTX_get_options(ctx);
+}
+
+long X_SSL_CTX_set_mode(SSL_CTX* ctx, long modes) {
+ return SSL_CTX_set_mode(ctx, modes);
+}
+
+long X_SSL_CTX_get_mode(SSL_CTX* ctx) {
+ return SSL_CTX_get_mode(ctx);
+}
+
+long X_SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long modes) {
+ return SSL_CTX_set_session_cache_mode(ctx, modes);
+}
+
+long X_SSL_CTX_sess_set_cache_size(SSL_CTX* ctx, long t) {
+ return SSL_CTX_sess_set_cache_size(ctx, t);
+}
+
+long X_SSL_CTX_sess_get_cache_size(SSL_CTX* ctx) {
+ return SSL_CTX_sess_get_cache_size(ctx);
+}
+
+long X_SSL_CTX_set_timeout(SSL_CTX* ctx, long t) {
+ return SSL_CTX_set_timeout(ctx, t);
+}
+
+long X_SSL_CTX_get_timeout(SSL_CTX* ctx) {
+ return SSL_CTX_get_timeout(ctx);
+}
+
+long X_SSL_CTX_add_extra_chain_cert(SSL_CTX* ctx, X509 *cert) {
+ return SSL_CTX_add_extra_chain_cert(ctx, cert);
+}
+
+long X_SSL_CTX_set_tmp_ecdh(SSL_CTX* ctx, EC_KEY *key) {
+ return SSL_CTX_set_tmp_ecdh(ctx, key);
+}
+
+long X_SSL_CTX_set_tlsext_servername_callback(
+ SSL_CTX* ctx, int (*cb)(SSL *con, int *ad, void *args)) {
+ return SSL_CTX_set_tlsext_servername_callback(ctx, cb);
+}
+
+int X_SSL_CTX_verify_cb(int ok, X509_STORE_CTX* store) {
+ SSL* ssl = (SSL *)X509_STORE_CTX_get_ex_data(store,
+ SSL_get_ex_data_X509_STORE_CTX_idx());
+ SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
+ void* p = SSL_CTX_get_ex_data(ssl_ctx, get_ssl_ctx_idx());
+ // get the pointer to the go Ctx object and pass it back into the thunk
+ return go_ssl_ctx_verify_cb_thunk(p, ok, store);
+}
+
+long X_SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH *dh) {
+ return SSL_CTX_set_tmp_dh(ctx, dh);
+}
+
+long X_PEM_read_DHparams(SSL_CTX* ctx, DH *dh) {
+ return SSL_CTX_set_tmp_dh(ctx, dh);
+}
+
+int X_SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX *sslctx,
+ int (*cb)(SSL *s, unsigned char key_name[16],
+ unsigned char iv[EVP_MAX_IV_LENGTH],
+ EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)) {
+ return SSL_CTX_set_tlsext_ticket_key_cb(sslctx, cb);
+}
+
+int X_SSL_CTX_ticket_key_cb(SSL *s, unsigned char key_name[16],
+ unsigned char iv[EVP_MAX_IV_LENGTH],
+ EVP_CIPHER_CTX *cctx, HMAC_CTX *hctx, int enc) {
+
+ SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(s);
+ void* p = SSL_CTX_get_ex_data(ssl_ctx, get_ssl_ctx_idx());
+ // get the pointer to the go Ctx object and pass it back into the thunk
+ return go_ticket_key_cb_thunk(p, s, key_name, iv, cctx, hctx, enc);
+}
+
+int X_BIO_get_flags(BIO *b) {
+ return BIO_get_flags(b);
+}
+
+void X_BIO_set_flags(BIO *b, int flags) {
+ return BIO_set_flags(b, flags);
+}
+
+void X_BIO_clear_flags(BIO *b, int flags) {
+ BIO_clear_flags(b, flags);
+}
+
+int X_BIO_read(BIO *b, void *buf, int len) {
+ return BIO_read(b, buf, len);
+}
+
+int X_BIO_write(BIO *b, const void *buf, int len) {
+ return BIO_write(b, buf, len);
+}
+
+BIO *X_BIO_new_write_bio() {
+ return BIO_new(BIO_s_writeBio());
+}
+
+BIO *X_BIO_new_read_bio() {
+ return BIO_new(BIO_s_readBio());
+}
+
+const EVP_MD *X_EVP_get_digestbyname(const char *name) {
+ return EVP_get_digestbyname(name);
+}
+
+const EVP_MD *X_EVP_md_null() {
+ return EVP_md_null();
+}
+
+const EVP_MD *X_EVP_md5() {
+ return EVP_md5();
+}
+
+const EVP_MD *X_EVP_ripemd160() {
+ return EVP_ripemd160();
+}
+
+const EVP_MD *X_EVP_sha224() {
+ return EVP_sha224();
+}
+
+const EVP_MD *X_EVP_sha1() {
+ return EVP_sha1();
+}
+
+const EVP_MD *X_EVP_sha256() {
+ return EVP_sha256();
+}
+
+const EVP_MD *X_EVP_sha384() {
+ return EVP_sha384();
+}
+
+const EVP_MD *X_EVP_sha512() {
+ return EVP_sha512();
+}
+
+int X_EVP_MD_size(const EVP_MD *md) {
+ return EVP_MD_size(md);
+}
+
+int X_EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) {
+ return EVP_DigestInit_ex(ctx, type, impl);
+}
+
+int X_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt) {
+ return EVP_DigestUpdate(ctx, d, cnt);
+}
+
+int X_EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s) {
+ return EVP_DigestFinal_ex(ctx, md, s);
+}
+
+int X_EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type) {
+ return EVP_SignInit(ctx, type);
+}
+
+int X_EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) {
+ return EVP_SignUpdate(ctx, d, cnt);
+}
+
+EVP_PKEY *X_EVP_PKEY_new(void) {
+ return EVP_PKEY_new();
+}
+
+void X_EVP_PKEY_free(EVP_PKEY *pkey) {
+ EVP_PKEY_free(pkey);
+}
+
+int X_EVP_PKEY_size(EVP_PKEY *pkey) {
+ return EVP_PKEY_size(pkey);
+}
+
+struct rsa_st *X_EVP_PKEY_get1_RSA(EVP_PKEY *pkey) {
+ return EVP_PKEY_get1_RSA(pkey);
+}
+
+int X_EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key) {
+ return EVP_PKEY_set1_RSA(pkey, key);
+}
+
+int X_EVP_PKEY_assign_charp(EVP_PKEY *pkey, int type, char *key) {
+ return EVP_PKEY_assign(pkey, type, key);
+}
+
+
+
+int X_EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, EVP_PKEY *pkey) {
+ return EVP_SignFinal(ctx, md, s, pkey);
+}
+
+int X_EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type) {
+ return EVP_VerifyInit(ctx, type);
+}
+
+int X_EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d,
+ unsigned int cnt) {
+ return EVP_VerifyUpdate(ctx, d, cnt);
+}
+
+int X_EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf, unsigned int siglen, EVP_PKEY *pkey) {
+ return EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
+}
+
+int X_EVP_CIPHER_block_size(EVP_CIPHER *c) {
+ return EVP_CIPHER_block_size(c);
+}
+
+int X_EVP_CIPHER_key_length(EVP_CIPHER *c) {
+ return EVP_CIPHER_key_length(c);
+}
+
+int X_EVP_CIPHER_iv_length(EVP_CIPHER *c) {
+ return EVP_CIPHER_iv_length(c);
+}
+
+int X_EVP_CIPHER_nid(EVP_CIPHER *c) {
+ return EVP_CIPHER_nid(c);
+}
+
+int X_EVP_CIPHER_CTX_block_size(EVP_CIPHER_CTX *ctx) {
+ return EVP_CIPHER_CTX_block_size(ctx);
+}
+
+int X_EVP_CIPHER_CTX_key_length(EVP_CIPHER_CTX *ctx) {
+ return EVP_CIPHER_CTX_key_length(ctx);
+}
+
+int X_EVP_CIPHER_CTX_iv_length(EVP_CIPHER_CTX *ctx) {
+ return EVP_CIPHER_CTX_iv_length(ctx);
+}
+
+const EVP_CIPHER *X_EVP_CIPHER_CTX_cipher(EVP_CIPHER_CTX *ctx) {
+ return EVP_CIPHER_CTX_cipher(ctx);
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x10000000L
+int X_EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) {
+ return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
+}
+#endif
+
+// END HERE
+
+size_t X_HMAC_size(const HMAC_CTX *e) {
+#if OPENSSL_VERSION_NUMBER > 0x10000000L
+ return HMAC_size(e);
+#else
+ return 0;
+#endif
+}
+
+int X_HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md, ENGINE *impl) {
+#if OPENSSL_VERSION_NUMBER > 0x10000000L
+ return HMAC_Init_ex(ctx, key, len, md, impl);
+#else
+ return -1;
+#endif
+}
+
+int X_HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) {
+#if OPENSSL_VERSION_NUMBER > 0x10000000L
+ return HMAC_Update(ctx, data, len);
+#else
+ return -1;
+#endif
+}
+
+int X_HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) {
+#if OPENSSL_VERSION_NUMBER > 0x10000000L
+ return HMAC_Final(ctx, md, len);
+#else
+ return -1;
+#endif
+}
+
+int X_sk_X509_num(STACK_OF(X509) *sk) {
+ return sk_X509_num(sk);
+}
+
+X509 *X_sk_X509_value(STACK_OF(X509)* sk, int i) {
+ return sk_X509_value(sk, i);
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+int X_FIPS_mode(void) {
+ return 0;
+}
+int X_FIPS_mode_set(int r) {
+ return 0;
+}
+#else
+int X_FIPS_mode(void) {
+ return FIPS_mode();
+}
+int X_FIPS_mode_set(int r) {
+ return FIPS_mode_set(r);
+}
+#endif
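Review bot: The `X_TLSv1_1_method` and `X_TLSv1_2_method` wrappers are left inside a `/* ... */` block, while shim.h in this same commit still declares both as `extern`, so the only version-pinned constructors this file defines are `X_SSLv3_method` and `X_TLSv1_method`. Any cgo reference to the two declared-but-undefined symbols would fail at link time (no caller is visible here), and a caller that wants a modern protocol floor is left with `X_SSLv23_method` plus option flags. Either restore the two definitions or drop the two declarations from shim.h, and put a one-line comment above the disabled block saying why it is disabled. Separately, `X_PEM_read_DHparams` has the same body as `X_SSL_CTX_set_tmp_dh` directly above it, which looks like a copy/paste leftover and should be removed or given the behaviour its name promises.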
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.h b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.h
new file mode 100644
index 00000000000..2dc2f5c8b0a
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/shim.h
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2014 Space Monkey, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/opensslconf.h>
+
+#include <openssl/bio.h>
+#include <openssl/conf.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/ec.h>
+#include <openssl/engine.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/pem.h>
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+
+#ifndef SSL_MODE_RELEASE_BUFFERS
+#define SSL_MODE_RELEASE_BUFFERS 0
+#endif
+
+#ifndef SSL_OP_NO_COMPRESSION
+#define SSL_OP_NO_COMPRESSION 0
+#endif
+
+/* shim methods */
+extern int X_shim_init();
+
+/* Library methods */
+extern void X_OPENSSL_free(void *ref);
+extern void *X_OPENSSL_malloc(size_t size);
+
+/* SSL methods */
+extern long X_SSL_set_options(SSL* ssl, long options);
+extern long X_SSL_get_options(SSL* ssl);
+extern long X_SSL_clear_options(SSL* ssl, long options);
+extern long X_SSL_set_tlsext_host_name(SSL *ssl, const char *name);
+extern const char * X_SSL_get_cipher_name(const SSL *ssl);
+extern int X_SSL_session_reused(SSL *ssl);
+extern int X_SSL_new_index();
+
+extern const SSL_METHOD *X_SSLv23_method();
+extern const SSL_METHOD *X_SSLv3_method();
+extern const SSL_METHOD *X_TLSv1_method();
+extern const SSL_METHOD *X_TLSv1_1_method();
+extern const SSL_METHOD *X_TLSv1_2_method();
+
+#if defined SSL_CTRL_SET_TLSEXT_HOSTNAME
+extern int sni_cb(SSL *ssl_conn, int *ad, void *arg);
+#endif
+extern int X_SSL_verify_cb(int ok, X509_STORE_CTX* store);
+
+/* SSL_CTX methods */
+extern int X_SSL_CTX_new_index();
+extern long X_SSL_CTX_set_options(SSL_CTX* ctx, long options);
+extern long X_SSL_CTX_clear_options(SSL_CTX* ctx, long options);
+extern long X_SSL_CTX_get_options(SSL_CTX* ctx);
+extern long X_SSL_CTX_set_mode(SSL_CTX* ctx, long modes);
+extern long X_SSL_CTX_get_mode(SSL_CTX* ctx);
+extern long X_SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long modes);
+extern long X_SSL_CTX_sess_set_cache_size(SSL_CTX* ctx, long t);
+extern long X_SSL_CTX_sess_get_cache_size(SSL_CTX* ctx);
+extern long X_SSL_CTX_set_timeout(SSL_CTX* ctx, long t);
+extern long X_SSL_CTX_get_timeout(SSL_CTX* ctx);
+extern long X_SSL_CTX_add_extra_chain_cert(SSL_CTX* ctx, X509 *cert);
+extern long X_SSL_CTX_set_tmp_ecdh(SSL_CTX* ctx, EC_KEY *key);
+extern long X_SSL_CTX_set_tlsext_servername_callback(SSL_CTX* ctx, int (*cb)(SSL *con, int *ad, void *args));
+extern int X_SSL_CTX_verify_cb(int ok, X509_STORE_CTX* store);
+extern long X_SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH *dh);
+extern long X_PEM_read_DHparams(SSL_CTX* ctx, DH *dh);
+extern int X_SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX *sslctx,
+ int (*cb)(SSL *s, unsigned char key_name[16],
+ unsigned char iv[EVP_MAX_IV_LENGTH],
+ EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc));
+extern int X_SSL_CTX_ticket_key_cb(SSL *s, unsigned char key_name[16],
+ unsigned char iv[EVP_MAX_IV_LENGTH],
+ EVP_CIPHER_CTX *cctx, HMAC_CTX *hctx, int enc);
+
+/* BIO methods */
+extern int X_BIO_get_flags(BIO *b);
+extern void X_BIO_set_flags(BIO *bio, int flags);
+extern void X_BIO_clear_flags(BIO *bio, int flags);
+extern void X_BIO_set_data(BIO *bio, void* data);
+extern void *X_BIO_get_data(BIO *bio);
+extern int X_BIO_read(BIO *b, void *buf, int len);
+extern int X_BIO_write(BIO *b, const void *buf, int len);
+extern BIO *X_BIO_new_write_bio();
+extern BIO *X_BIO_new_read_bio();
+
+/* EVP methods */
+extern const EVP_MD *X_EVP_get_digestbyname(const char *name);
+extern EVP_MD_CTX *X_EVP_MD_CTX_new();
+extern void X_EVP_MD_CTX_free(EVP_MD_CTX *ctx);
+extern const EVP_MD *X_EVP_md_null();
+extern const EVP_MD *X_EVP_md5();
+extern const EVP_MD *X_EVP_sha();
+extern const EVP_MD *X_EVP_sha1();
+extern const EVP_MD *X_EVP_dss();
+extern const EVP_MD *X_EVP_dss1();
+extern const EVP_MD *X_EVP_ripemd160();
+extern const EVP_MD *X_EVP_sha224();
+extern const EVP_MD *X_EVP_sha256();
+extern const EVP_MD *X_EVP_sha384();
+extern const EVP_MD *X_EVP_sha512();
+extern int X_EVP_MD_size(const EVP_MD *md);
+extern int X_EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
+extern int X_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
+extern int X_EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s);
+extern int X_EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+extern int X_EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+extern EVP_PKEY *X_EVP_PKEY_new(void);
+extern void X_EVP_PKEY_free(EVP_PKEY *pkey);
+extern int X_EVP_PKEY_size(EVP_PKEY *pkey);
+extern struct rsa_st *X_EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
+extern int X_EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);
+extern int X_EVP_PKEY_assign_charp(EVP_PKEY *pkey, int type, char *key);
+extern int X_EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, EVP_PKEY *pkey);
+extern int X_EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+extern int X_EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+extern int X_EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf, unsigned int siglen, EVP_PKEY *pkey);
+extern int X_EVP_CIPHER_block_size(EVP_CIPHER *c);
+extern int X_EVP_CIPHER_key_length(EVP_CIPHER *c);
+extern int X_EVP_CIPHER_iv_length(EVP_CIPHER *c);
+extern int X_EVP_CIPHER_nid(EVP_CIPHER *c);
+extern int X_EVP_CIPHER_CTX_block_size(EVP_CIPHER_CTX *ctx);
+extern int X_EVP_CIPHER_CTX_key_length(EVP_CIPHER_CTX *ctx);
+extern int X_EVP_CIPHER_CTX_iv_length(EVP_CIPHER_CTX *ctx);
+extern const EVP_CIPHER *X_EVP_CIPHER_CTX_cipher(EVP_CIPHER_CTX *ctx);
+extern int X_EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx);
+#if OPENSSL_VERSION_NUMBER > 0x10000000L
+extern int X_EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
+#endif
+
+/* HMAC methods */
+extern size_t X_HMAC_size(const HMAC_CTX *e);
+extern HMAC_CTX *X_HMAC_CTX_new(void);
+extern void X_HMAC_CTX_free(HMAC_CTX *ctx);
+extern int X_HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md, ENGINE *impl);
+extern int X_HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
+extern int X_HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
+
+/* X509 methods */
+extern int X_X509_add_ref(X509* x509);
+extern const ASN1_TIME *X_X509_get0_notBefore(const X509 *x);
+extern const ASN1_TIME *X_X509_get0_notAfter(const X509 *x);
+extern int X_sk_X509_num(STACK_OF(X509) *sk);
+extern X509 *X_sk_X509_value(STACK_OF(X509)* sk, int i);
+
+/* PEM methods */
+extern int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cb, void *u);
+
+/* FIPS methods */
+extern int X_FIPS_mode(void);
+extern int X_FIPS_mode_set(int r);
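Review bot: The fallback `#define SSL_OP_NO_COMPRESSION 0` near the top of shim.h turns a request to disable TLS compression into a silent no-op when the OpenSSL headers do not define the flag. A caller passing that option gets no error and, presumably, a connection that can still negotiate compression. The sibling `SSL_MODE_RELEASE_BUFFERS 0` fallback only loses a memory optimisation, but the compression flag is a security control, so I would at least document it at the define: `/* headers without SSL_OP_NO_COMPRESSION: the option is 0 and compression is NOT disabled */`. Separately, the header has no include guard, and the empty-parenthesis prototypes such as `X_shim_init()` and `X_SSL_new_index()` would be stricter as `(void)`.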
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni.c
index 5398da869b8..f9e8d16b0e3 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni.c
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni_test.go
index ee3b1a8bbaf..09e831a45c9 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl.go
index 3cc630601d3..117c30c0f99 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,30 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-/*
-#include <openssl/crypto.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/conf.h>
-
-static long SSL_set_options_not_a_macro(SSL* ssl, long options) {
- return SSL_set_options(ssl, options);
-}
-
-static long SSL_get_options_not_a_macro(SSL* ssl) {
- return SSL_get_options(ssl);
-}
-
-static long SSL_clear_options_not_a_macro(SSL* ssl, long options) {
- return SSL_clear_options(ssl, options);
-}
-
-extern int verify_ssl_cb(int ok, X509_STORE_CTX* store);
-*/
+// #include "shim.h"
import "C"
import (
@@ -53,7 +32,7 @@ const (
)
var (
- ssl_idx = C.SSL_get_ex_new_index(0, nil, nil, nil, nil)
+ ssl_idx = C.X_SSL_new_index()
)
//export get_ssl_idx
@@ -66,8 +45,8 @@ type SSL struct {
verify_cb VerifyCallback
}
-//export verify_ssl_cb_thunk
-func verify_ssl_cb_thunk(p unsafe.Pointer, ok C.int, ctx *C.X509_STORE_CTX) C.int {
+//export go_ssl_verify_cb_thunk
+func go_ssl_verify_cb_thunk(p unsafe.Pointer, ok C.int, ctx *C.X509_STORE_CTX) C.int {
defer func() {
if err := recover(); err != nil {
logger.Critf("openssl: verify callback panic'd: %v", err)
@@ -96,19 +75,19 @@ func (s *SSL) GetServername() string {
// GetOptions returns SSL options. See
// https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (s *SSL) GetOptions() Options {
- return Options(C.SSL_get_options_not_a_macro(s.ssl))
+ return Options(C.X_SSL_get_options(s.ssl))
}
// SetOptions sets SSL options. See
// https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (s *SSL) SetOptions(options Options) Options {
- return Options(C.SSL_set_options_not_a_macro(s.ssl, C.long(options)))
+ return Options(C.X_SSL_set_options(s.ssl, C.long(options)))
}
// ClearOptions clear SSL options. See
// https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
func (s *SSL) ClearOptions(options Options) Options {
- return Options(C.SSL_clear_options_not_a_macro(s.ssl, C.long(options)))
+ return Options(C.X_SSL_clear_options(s.ssl, C.long(options)))
}
// SetVerify controls peer verification settings. See
@@ -116,7 +95,7 @@ func (s *SSL) ClearOptions(options Options) Options {
func (s *SSL) SetVerify(options VerifyOptions, verify_cb VerifyCallback) {
s.verify_cb = verify_cb
if verify_cb != nil {
- C.SSL_set_verify(s.ssl, C.int(options), (*[0]byte)(C.verify_ssl_cb))
+ C.SSL_set_verify(s.ssl, C.int(options), (*[0]byte)(C.X_SSL_verify_cb))
} else {
C.SSL_set_verify(s.ssl, C.int(options), nil)
}
@@ -131,7 +110,7 @@ func (s *SSL) SetVerifyMode(options VerifyOptions) {
// SetVerifyCallback controls peer verification setting. See
// http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
func (s *SSL) SetVerifyCallback(verify_cb VerifyCallback) {
- s.SetVerify(s.VerifyMode(), s.verify_cb)
+ s.SetVerify(s.VerifyMode(), verify_cb)
}
// GetVerifyCallback returns callback function. See
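Review bot: The doc comment on SetVerifyCallback does not say what a nil argument does, which matters now that the argument is actually forwarded to SetVerify. Per the SetVerify hunk above, a nil callback reaches `C.SSL_set_verify(s.ssl, C.int(options), nil)`, which removes any custom verification callback while the mode from `s.VerifyMode()` is passed through unchanged. I would add `// Passing nil removes a previously installed callback; the verify mode is left unchanged.` to the comment. A regression test that installs a callback through SetVerifyCallback and reads it back would pin the corrected behaviour; I cannot tell from the visible hunks whether ssl_test.go adds one.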
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl_test.go
index f83225dec97..fe2e0de4592 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2014 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -25,7 +25,7 @@ import (
"testing"
"time"
- "github.com/spacemonkeygo/openssl/utils"
+ "github.com/10gen/openssl/utils"
)
var (
@@ -81,6 +81,29 @@ ucCCa4lOGgPtXJ0Qf1c8yq5vh4yqkQjrgUTkr+CFDGR6y4CxmNDQxEMYIajaIiSY
qmgvgyRayemfO2zR0CPgC6wSoGBth+xW6g+WA8y0z76ZSaWpFi8lVM4=
-----END RSA PRIVATE KEY-----
`)
+ prime256v1KeyBytes = []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIB/XL0zZSsAu+IQF1AI/nRneabb2S126WFlvvhzmYr1KoAoGCCqGSM49
+AwEHoUQDQgAESSFGWwF6W1hoatKGPPorh4+ipyk0FqpiWdiH+4jIiU39qtOeZGSh
+1QgSbzfdHxvoYI0FXM+mqE7wec0kIvrrHw==
+-----END EC PRIVATE KEY-----
+`)
+ prime256v1CertBytes = []byte(`-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+`)
)
func NetPipe(t testing.TB) (net.Conn, net.Conn) {
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.c
index 056f524aa1e..056f524aa1e 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.go
index 9751622f837..9751622f837 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/tickets.go
index 23dc3e08305..a064d38592f 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/tickets.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2015 Space Monkey, Inc.
+// Copyright (C) 2017. See AUTHORS.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -12,26 +12,9 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build cgo
-
package openssl
-/*
-#include <openssl/ssl.h>
-#include <openssl/evp.h>
-
-static int SSL_CTX_set_tlsext_ticket_key_cb_not_a_macro(SSL_CTX *sslctx,
- int (*cb)(SSL *s, unsigned char key_name[16],
- unsigned char iv[EVP_MAX_IV_LENGTH],
- EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)) {
-
- return SSL_CTX_set_tlsext_ticket_key_cb(sslctx, cb);
-}
-
-extern int ticket_key_cb(SSL *s, unsigned char key_name[16],
- unsigned char iv[EVP_MAX_IV_LENGTH],
- EVP_CIPHER_CTX *cctx, HMAC_CTX *hctx, int enc);
-*/
+// #include "shim.h"
import "C"
import (
@@ -131,8 +114,8 @@ const (
ticket_req_lookupSession = 0
)
-//export ticket_key_cb_thunk
-func ticket_key_cb_thunk(p unsafe.Pointer, s *C.SSL, key_name *C.uchar,
+//export go_ticket_key_cb_thunk
+func go_ticket_key_cb_thunk(p unsafe.Pointer, s *C.SSL, key_name *C.uchar,
iv *C.uchar, cctx *C.EVP_CIPHER_CTX, hctx *C.HMAC_CTX, enc C.int) C.int {
// no panic's allowed. it's super hard to guarantee any state at this point
@@ -231,9 +214,9 @@ func (c *Ctx) SetTicketStore(store *TicketStore) {
c.ticket_store = store
if store == nil {
- C.SSL_CTX_set_tlsext_ticket_key_cb_not_a_macro(c.ctx, nil)
+ C.X_SSL_CTX_set_tlsext_ticket_key_cb(c.ctx, nil)
} else {
- C.SSL_CTX_set_tlsext_ticket_key_cb_not_a_macro(c.ctx,
- (*[0]byte)(C.ticket_key_cb))
+ C.X_SSL_CTX_set_tlsext_ticket_key_cb(c.ctx,
+ (*[0]byte)(C.X_SSL_CTX_ticket_key_cb))
}
}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/errors.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/errors.go
index bab314c95d7..bab314c95d7 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/errors.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/errors.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/future.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/future.go
index fa1bbbfb861..fa1bbbfb861 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/future.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/future.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/version.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/version.go
index 8f3d392cde8..8f3d392cde8 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/version.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/version.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/fips.go b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/fips.go
deleted file mode 100644
index cc463f17a18..00000000000
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/fips.go
+++ /dev/null
@@ -1,22 +0,0 @@
-// +build cgo
-// +build -darwin
-
-package openssl
-
-/*
-#include <openssl/ssl.h>
-*/
-import "C"
-
-func FIPSModeSet(mode bool) error {
- var r C.int
- if mode {
- r = C.FIPS_mode_set(1)
- } else {
- r = C.FIPS_mode_set(0)
- }
- if r != 1 {
- return errorFromErrorQueue()
- }
- return nil
-}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/oracle_stubs.go b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/oracle_stubs.go
deleted file mode 100644
index 30492f3b9d8..00000000000
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/oracle_stubs.go
+++ /dev/null
@@ -1,162 +0,0 @@
-// Copyright (C) 2014 Space Monkey, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// +build !cgo
-
-package openssl
-
-import (
- "errors"
- "net"
- "time"
-)
-
-const (
- SSLRecordSize = 16 * 1024
-)
-
-type Conn struct{}
-
-func Client(conn net.Conn, ctx *Ctx) (*Conn, error)
-func Server(conn net.Conn, ctx *Ctx) (*Conn, error)
-
-func (c *Conn) Handshake() error
-func (c *Conn) PeerCertificate() (*Certificate, error)
-func (c *Conn) Close() error
-func (c *Conn) Read(b []byte) (n int, err error)
-func (c *Conn) Write(b []byte) (written int, err error)
-
-func (c *Conn) VerifyHostname(host string) error
-
-func (c *Conn) LocalAddr() net.Addr
-func (c *Conn) RemoteAddr() net.Addr
-func (c *Conn) SetDeadline(t time.Time) error
-func (c *Conn) SetReadDeadline(t time.Time) error
-func (c *Conn) SetWriteDeadline(t time.Time) error
-
-type Ctx struct{}
-
-type SSLVersion int
-
-const (
- SSLv3 SSLVersion = 0x02
- TLSv1 SSLVersion = 0x03
- TLSv1_1 SSLVersion = 0x04
- TLSv1_2 SSLVersion = 0x05
- AnyVersion SSLVersion = 0x06
-)
-
-func NewCtxWithVersion(version SSLVersion) (*Ctx, error)
-func NewCtx() (*Ctx, error)
-func NewCtxFromFiles(cert_file string, key_file string) (*Ctx, error)
-func (c *Ctx) UseCertificate(cert *Certificate) error
-func (c *Ctx) UsePrivateKey(key PrivateKey) error
-
-type CertificateStore struct{}
-
-func (c *Ctx) GetCertificateStore() *CertificateStore
-
-func (s *CertificateStore) AddCertificate(cert *Certificate) error
-
-func (c *Ctx) LoadVerifyLocations(ca_file string, ca_path string) error
-
-type Options int
-
-const (
- NoCompression Options = 0
- NoSSLv2 Options = 0
- NoSSLv3 Options = 0
- NoTLSv1 Options = 0
- CipherServerPreference Options = 0
- NoSessionResumptionOrRenegotiation Options = 0
- NoTicket Options = 0
-)
-
-func (c *Ctx) SetOptions(options Options) Options
-
-type Modes int
-
-const (
- ReleaseBuffers Modes = 0
-)
-
-func (c *Ctx) SetMode(modes Modes) Modes
-
-type VerifyOptions int
-
-const (
- VerifyNone VerifyOptions = 0
- VerifyPeer VerifyOptions = 0
- VerifyFailIfNoPeerCert VerifyOptions = 0
- VerifyClientOnce VerifyOptions = 0
-)
-
-func (c *Ctx) SetVerify(options VerifyOptions)
-func (c *Ctx) SetVerifyDepth(depth int)
-func (c *Ctx) SetSessionId(session_id []byte) error
-
-func (c *Ctx) SetCipherList(list string) error
-
-type SessionCacheModes int
-
-const (
- SessionCacheOff SessionCacheModes = 0
- SessionCacheClient SessionCacheModes = 0
- SessionCacheServer SessionCacheModes = 0
- SessionCacheBoth SessionCacheModes = 0
- NoAutoClear SessionCacheModes = 0
- NoInternalLookup SessionCacheModes = 0
- NoInternalStore SessionCacheModes = 0
- NoInternal SessionCacheModes = 0
-)
-
-func (c *Ctx) SetSessionCacheMode(modes SessionCacheModes) SessionCacheModes
-
-var (
- ValidationError = errors.New("Host validation error")
-)
-
-type CheckFlags int
-
-const (
- AlwaysCheckSubject CheckFlags = 0
- NoWildcards CheckFlags = 0
-)
-
-func (c *Certificate) CheckHost(host string, flags CheckFlags) error
-func (c *Certificate) CheckEmail(email string, flags CheckFlags) error
-func (c *Certificate) CheckIP(ip net.IP, flags CheckFlags) error
-func (c *Certificate) VerifyHostname(host string) error
-
-type PublicKey interface {
- MarshalPKIXPublicKeyPEM() (pem_block []byte, err error)
- MarshalPKIXPublicKeyDER() (der_block []byte, err error)
- evpPKey() struct{}
-}
-
-type PrivateKey interface {
- PublicKey
- MarshalPKCS1PrivateKeyPEM() (pem_block []byte, err error)
- MarshalPKCS1PrivateKeyDER() (der_block []byte, err error)
-}
-
-func LoadPrivateKeyFromPEM(pem_block []byte) (PrivateKey, error)
-
-type Certificate struct{}
-
-func LoadCertificateFromPEM(pem_block []byte) (*Certificate, error)
-
-func (c *Certificate) MarshalPEM() (pem_block []byte, err error)
-
-func (c *Certificate) PublicKey() (PublicKey, error)
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.c b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.c
deleted file mode 100644
index 894c2676038..00000000000
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.c
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright (C) 2015 Space Monkey, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include <openssl/ssl.h>
-#include <openssl/evp.h>
-#include "_cgo_export.h"
-
-int ticket_key_cb(SSL *s, unsigned char key_name[16],
- unsigned char iv[EVP_MAX_IV_LENGTH],
- EVP_CIPHER_CTX *cctx, HMAC_CTX *hctx, int enc) {
-
- SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(s);
- void* p = SSL_CTX_get_ex_data(ssl_ctx, get_ssl_ctx_idx());
- // get the pointer to the go Ctx object and pass it back into the thunk
- return ticket_key_cb_thunk(p, s, key_name, iv, cctx, hctx, enc);
-}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/verify.c b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/verify.c
deleted file mode 100644
index d55866c4cf0..00000000000
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/verify.c
+++ /dev/null
@@ -1,31 +0,0 @@
-// Copyright (C) 2014 Space Monkey, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include <openssl/ssl.h>
-#include "_cgo_export.h"
-
-int verify_cb(int ok, X509_STORE_CTX* store) {
- SSL* ssl = (SSL *)X509_STORE_CTX_get_app_data(store);
- SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
- void* p = SSL_CTX_get_ex_data(ssl_ctx, get_ssl_ctx_idx());
- // get the pointer to the go Ctx object and pass it back into the thunk
- return verify_cb_thunk(p, ok, store);
-}
-
-int verify_ssl_cb(int ok, X509_STORE_CTX* store) {
- SSL* ssl = (SSL *)X509_STORE_CTX_get_app_data(store);
- void* p = SSL_get_ex_data(ssl, get_ssl_idx());
- // get the pointer to the go Ctx object and pass it back into the thunk
- return verify_ssl_cb_thunk(p, ok, store);
-}