Merge pull request #8 from liushuyu/master

libressl: Update to 3.4.2
2021-12-22 16:42:59 -08:00 · 2021-12-22 16:42:59 -08:00 · 5f51486f69
commit 5f51486f69
parent d3aedc4008 a944a45e81
174 changed files with 17124 additions and 6248 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -113,19 +113,21 @@ if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 endif()
 if(WIN32)
 	add_definitions(-Drestrict)
 	add_definitions(-D_CRT_SECURE_NO_WARNINGS)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600)
 	add_definitions(-DCPPFLAGS -DNO_SYSLOG -DNO_CRYPT)
-	set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32)
+	add_definitions(-DWIN32_LEAN_AND_MEAN)
 	if(NOT CMAKE_SYSTEM_NAME MATCHES "WindowsStore")
 		add_definitions(-D_WIN32_WINNT=0x0600)
 	endif()
 	set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32 bcrypt)
 endif()
 if(MSVC)
 	add_definitions(-Dinline=__inline)
 	message(STATUS "Using [${CMAKE_C_COMPILER_ID}] compiler")
-	if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
+	if(CMAKE_C_COMPILER_ID MATCHES "MSVC" OR CMAKE_C_COMPILER_ID MATCHES "Clang")
 		set(MSVC_DISABLED_WARNINGS_LIST
 			"C4018" # 'expression' : signed/unsigned mismatch
 			"C4057" # 'operator' : 'identifier1' indirection to
@ -298,6 +300,7 @@ if(ENABLE_ASM)
 		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
 			set(HOST_ASM_ELF_X86_64 true)
 		endif()
 		add_definitions(-DHAVE_GNU_STACK)
 	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
 		set(HOST_ASM_MACOSX_X86_64 true)
 	elseif(MSVC AND ("${CMAKE_GENERATOR}" MATCHES "Win64" OR "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64"))
@ -331,12 +334,23 @@ if(SIZEOF_TIME_T STREQUAL "4")
 endif()
 add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
-set(OPENSSL_LIBS tls ssl crypto ${PLATFORM_LIBS})
+set(OPENSSL_LIBS ssl crypto ${PLATFORM_LIBS})
 set(LIBTLS_LIBS tls ${PLATFORM_LIBS})
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 if(LIBRESSL_APPS)
 	add_subdirectory(apps)
 endif()
 add_subdirectory(tls)
 add_subdirectory(include)
 if(NOT MSVC)
 	add_subdirectory(man)
 endif()
 # Tests require the openssl executable and are unavailable when building shared libraries
 if(LIBRESSL_APPS AND LIBRESSL_TESTS)
 	add_subdirectory(tests)
 endif()
 if(NOT MSVC)
 	# Create pkgconfig files.
@ -358,3 +372,23 @@ if(NOT MSVC)
 		DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()
 if(NOT "${OPENSSLDIR}" STREQUAL "")
 	set(CONF_DIR "${OPENSSLDIR}")
 else()
 	set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
 endif()
 if(ENABLE_LIBRESSL_INSTALL)
 	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
 	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
 endif(ENABLE_LIBRESSL_INSTALL)
 if(NOT TARGET uninstall)
 	configure_file(
 		"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
 		"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
 		IMMEDIATE @ONLY)
 	add_custom_target(uninstall
 		COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
 endif()
--- a/513
+++ b/513
@ -28,6 +28,514 @@ history is also available from Git.
 LibreSSL Portable Release Notes:
 3.4.2 - Security fix
 	* In some situations the X.509 verifier would discard an error on an
 	  unverified certificate chain, resulting in an authentication bypass.
 	  Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
 3.4.1 - Stable release
 	* New Features
 	  - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
 	  - Enabled the new X.509 validator to allow verification of
 	    modern certificate chains.
 	* Portable Improvements
 	  - Ported continuous integration and test infrastructure to Github
 	    actions.
 	  - Added Universal Windows Platform (UWP) build support.
 	  - Fixed mingw-w64 builds on newer versions with missing SSP support.
 	  - Added non-executable stack annotations for CMake builds.
 	* API and Documentation Enhancements
 	  - Added the following APIs from OpenSSL
 	    BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
 	    EC_GROUP_order_bits EC_GROUP_set_curve
 	    EC_POINT_get_affine_coordinates
 	    EC_POINT_set_affine_coordinates
 	    EC_POINT_set_compressed_coordinates EVP_DigestSign
 	    EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
 	    SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
 	    SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
 	    SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
 	    SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
 	    SSL_SESSION_set_max_early_data SSL_get_early_data_status
 	    SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
 	    SSL_set_ciphersuites SSL_set_max_early_data
 	    SSL_set_post_handshake_auth
 	    SSL_set_psk_use_session_callback
 	    SSL_verify_client_post_handshake SSL_write_early_data
 	  - Added AES-GCM constants from RFC 7714 for SRTP.
 	* Compatibility Changes
 	  - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
 	  - Call the info callback on connect/accept exit in TLSv1.3,
 	    needed for p5-Net-SSLeay.
 	  - Default to using named curve parameter encoding from
 	    pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
 	  - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
 	* Testing and Proactive Security
 	  - Added additional state machine test coverage.
 	  - Improved integration test support with ruby/openssl tests.
 	  - Error codes and callback support in new X.509 validator made
 	    compatible with p5-Net_SSLeay tests.
 	* Internal Improvements
 	  - Numerous fixes and improvements to the new X.509 validator to
 	    ensure compatible error codes and callback support compatible
 	    with the legacy OpenSSL validator.
 3.4.0 - Development release
 	* Add support for OpenSSL 1.1.1 TLSv1.3 APIs.
 	* Enable new x509 validator.
 	* More details to come, testing is appreciated.
 3.3.5 - Security fix
 	* A stack overread could occur when checking X.509 name constraints.
 	  From GoldBinocle on GitHub.
 	* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
 	  This compensates for the expiry of the DST Root X3 certificate.
 3.3.4 - Security fix
 	* In LibreSSL, printing a certificate can result in a crash in
 	  X509_CERT_AUX_print().
 	  From Ingo Schwarze
 	* Ensure GNU-stack is set on ELF platforms when building with CMake to
 	  enable non-executable stack annotations for the GNU toolchain.
 	  From Tobias Heider
 3.3.3 - Stable release
 	* This is the first stable release from the 3.3.x series.
 	  There are no changes from 3.3.2.
 3.3.2 - Development release
 	* This release adds support for DTLSv1.2 and continues the rewrite
 	  of the record layer for the legacy stack. Numerous bugs and
 	  interoperability issues were fixed in the new verifier. A few bugs
 	  and incompatibilities remain, so this release uses the old verifier
 	  by default. The OpenSSL 1.1 TLSv1.3 API is not yet available.
 	* Switch finish{,_peer}_md_len from an int to a size_t.
 	* Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
 	* Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
 	  for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
 	  was a historical artefact.
 	* Correct the return value type from ERR_peek_error() to a long.
 	* Avoid use of uninitialized in ASN1_time_parse() which could happen
 	  on parsing UTCTime if the caller did not initialise the passed
 	  struct tm.
 	* Destroy the mutex in a tls_config object on tls_config_free().
 	* Free alert_data and phh_data in tls13_record_layer_free()
 	  these could leak if SSL_shutdown() or tls_close() were called
 	  after closing the underlying socket().
 	* Free struct members in tls13_record_layer_free() in their natural
 	  order for reviewability.
 	* Gracefully handle root certificates being both trusted and
 	  untrusted.
 	* Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
 	  verifier.
 	* Use the legacy verifier when building auto chains for TLS.
 	* Use consistent names in tls13_{client,server}_finished_{recv,send}().
 	* Add tls13_secret_{init,cleanup}() and use them throughout the
 	  TLSv1.3 code base.
 	* Move the read MAC key into the TLSv1.2 record layer.
 	* Make tls12_record_layer_free() NULL safe.
 	* Search the intermediates only after searching the root certs in the
 	  new verifier to avoid problems with the legacy callback.
 	* Bail out early after finding a single chain in the new verifier, if
 	  we have been called via the legacy verifier API.
 	* Set (invalid and likely incomplete) chain on the xsc on chain build
 	  failure prior to calling the callback. This is required by various
 	  callers, including auto chain.
 	* Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
 	  that it never returned server ciphers, so now it will fail when
 	  called from the client side.
 	* Add support for SSL_get_shared_ciphers() with TLSv1.3.
 	* Split the record protection from the TLSv1.2 record layer.
 	* Clean up sequence number handling in the new TLSv1.2 record layer.
 	* Clean up sequence number handling in DTLS.
 	* Clean up dtls1_reset_seq_numbers().
 	* Factor out code for explicit IV length, block size and MAC length
 	  from tls12_record_layer_open_record_protected_cipher().
 	* Provide record layer overhead for DTLS.
 	* Provide functions to determine if TLSv1.2 record protection is
 	  engaged.
 	* Add code to handle change of cipher state in the new TLSv1.2 record
 	  layer.
 	* Mop up now unused dtls1_build_sequence_numbers() function.
 	* Allow setting a keypair on a tls context without specifying the
 	  private key, and fake it internally in libtls. This removes the
 	  need for privsep engines like relayd to use bogus keys.
 	* Skip the private key check for fake private keys.
 	* Move the private key setup from tls_configure_ssl_keypair() to a
 	  helper function with proper error checking.
 	* Change the internal tls_configure_ssl_keypair() function to
 	  return -1 instead of 1 on failure.
 	* Move sequence numbers into the new TLSv1.2 record layer.
 	* Move AEAD handling into the new TLSv1.2 record layer.
 	* Remove direct assignment of aead_ctx to avoid a leak.
 	* Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
 	  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
 	* Fail early in legacy exporter if the master secret is not available
 	  to avoid a segfault if it is called when the handshake is not
 	  completed.
 	* Factor out legacy stack version checks.
 	* Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
 	  were originally added with the default handshake MAC and PRF rather
 	  than the SHA256 handshake MAC and PRF.
 	* Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
 	* Use dtls1_record_retrieve_buffered_record() to load buffered
 	  application data.
 	* Enforce read ahead with DTLS.
 	* Remove bogus DTLS checks that disabled ECC and OCSP.
 	* Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
 	* Only print the certificate file once on verification failure.
 	* Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
 	* Clean up and simplify dtls1_get_cipher().
 	* Group HelloVerifyRequest decoding and add missing check for trailing
 	  data.
 	* Revise HelloVerifyRequest handling for DTLSv1.2.
 	* Handle DTLS1_2_VERSION in various places.
 	* Add DTLSv1.2 methods.
 	* Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
 	  zero if the minimum or maximum has been set to zero to match
 	  OpenSSL's behavior.
 	* Rename the "truncated" label into "decode_err" and the "f_err"
 	  label into "fatal_err".
 	* Factor out and change some of the legacy client version code.
 	* Simplify version checks in the TLSv1.3 client. Ensure that the
 	  server announced TLSv1.3 and nothing higher and check that the
 	  legacy_version is set to TLSv1.2 as required by RFC 8446.
 	* Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
 	  the new validator checks for EXFLAG_CRITICAL in
 	  x509_vfy_check_chain_extension() for all untrusted certs in the
 	  chain. Take into account that the root is not necessarily trusted.
 	* Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
 	* Rename depth to num_untrusted.
 	* Only use TLS versions internally rather than both TLS and DTLS
 	  versions since the latter are the one's complement of the human
 	  readable version numbers, which means that newer versions decrease
 	  in value.
 	* Fix two bugs in the legacy verifier that resulted from refactoring
 	  of X509_verify_cert() for the new verifier: a return value was
 	  incorrectly treated as boolean, making it insufficient to decide
 	  whether validation should carry on or not.
 	* Identify DTLS based on the version major value.
 	* Move handling of cipher/hash based cipher suites into the new record
 	  layer.
 	* Add tls12_record_protection_unused() and call it from CCS functions.
 	* Move key/IV length checks closer to usage sites. Also add explicit
 	  checks against EVP_CIPHER_{iv,key}_length().
 	* Replace two handrolled tls12_record_protection_engaged().
 	* Improve internal version handling: add handshake fields for our
 	  minimum version, our maximum version and the TLS version negotiated
 	  during the handshake. Convert most of the internal code to use these
 	  version fields.
 	* Guard against future internal use of TLS1_get_{client,}_version()
 	  macros.
 	* Remove the internal ssl_downgrade_max_version() function which is no
 	  longer needed.
 	* Fix checks for memory caps of constraints names. There are internal
 	  caps on the number of name constraints and other names, that the new
 	  name constraints code allocates per cert chain. These limits were
 	  checked too late, making them only partially effective.
 	* Use EXFLAG_INVALID to handle out of memory and parse errors in
 	  x509v3_cache_extensions().
 	* Add support for DTLSv1.2 version handling.
 	* Enable DTLSv1.2 support.
 	* Add DTLSv1.2 support to openssl s_client/s_server.
 	* Remove no longer needed read ahead workarounds in the s_client and
 	  s_server.
 	* Fix a copy-paste error - skid was confused with an akid when
 	  checking for EXFLAG_INVALID. This broke OCSP validation with
 	  certain mirrors.
 	* Make supported protocols and options for DHE params more prominent
 	  in tls_config_set_protocols.3.
 	* Avoid a use-after-scope in tls13_cert_add().
 	* Split TLSv1.3 record protection from record layer.
 	* Move the TLSv1.3 handshake struct inside the shared handshake
 	  struct.
 	* Fully initialize rrec in tls12_record_layer_open_record_protected()
 	  to avoid confusing some static analyzers.
 	* Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
 	  does not set errno.
 	* Convert openssl(1) x509 to new option handling and do the usual
 	  clean up that goes along with it.
 	* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
 	* Rename new_cipher to cipher to align naming with keyblock or other
 	  parts of the handshake data.
 	* Avoid mangled output in BIO_debug_callback().
 	* Fix client initiated renegotiation by replacing use of s->internal-type
 	  with s->server.
 	* Move the TLSv1.2 record number increment into the new record layer.
 	* Move finished and peer finished into the handshake struct.
 	* Avoid transcript initialization when sending a TLS HelloRequest,
 	  fixing server initiated renegotiation.
 	* Remove pointless assignment in SSL_get0_alpn_selected().
 	* Provide EVP_PKEY_new_CMAC_KEY(3).
 	* Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
 	* Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
 	  logging.
 	* Avoid leaking param->name in x509_verify_param_zero().
 	* Avoid a leak in an error path in openssl(1) x509.
 	* Add some error checking to openssl(1) x509.
 	* When sending an alert in TLSv1.3, only set its error code when no
 	  other error was set previously. Certain clients rely on specific
 	  SSL_R_ error codes to identify that they are dealing with a self
 	  signed cert.
 	* Switch to the legacy verifier for the stable release.
 	* Provide SSL_use_certificate_chain_file(3).
 	* Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
 	* Provide various DTLSv1.2 specific functions and defines.
 	* Document meaning of '*' in the genrsa output.
 	* Updated documentation for SSL_get_shared_ciphers(3).
 	* Add documentation for SSL_get_finished(3).
 	* Document EVP_PKEY_new_CMAC_key(3)
 	* Document SSL_use_certificate_chain_file(3).
 	* Document SSL_set_hostflags(3) and SSL_get0_peername(3).
 	* Update SSL_get_version.3 manual for DTLSv.1.2 support.
 	* Added '--enable-libtls-only' build option, which builds and installs a
 	  statically-linked libtls, skipping libcrypto and libssl. This is useful
 	  for systems that ship with OpenSSL but wish to also package libtls.
 3.3.1 - Security fix
 	* Malformed ASN.1 in a certificate revocation list or a timestamp
 	  response token can lead to a NULL pointer dereference.
 	Bug fixes
 	* Move point-on-curve check to set_affine_coordinates to avoid
 	  verifying ECDSA signatures with unchecked public keys.
 	* Fix SSL_is_server() to behave as documented by re-introducing the
 	  client-specific methods.
 	* Avoid undefined behavior due to memcpy(NULL, NULL, 0).
 	* Mark a few more internal static tables const.
 3.3.0 - Development release
 	* Make openssl(1) s_server ignore -4 and -6 for compatibility with
 	  OpenSSL.
 	* Further cleanup of the DTLS record handling.
 	* Continue the replacement of the TLSv1.2 record layer by
 	  reimplementing the read side of the TLSv1.2 record handling.
 	* Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
 	* Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
 	* When switching from the TLSv1.3 stack to the legacy stack include
 	  a TLS record header. This is necessary if there is more than one
 	  handshake message in the TLS plaintext record.
 	* Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
 	  command.
 	* Fix resource handling on error in OCSP_request_add0_id().
 	* Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
 	  .data.rel.ro and .rodata, respectively.
 	* Add a const qualifier to srtp_known_profiles.
 	* Simplify TLS method by removing the client and server specific
 	  methods internally.
 	* Avoid casting away const in ssl_ctx_make_profiles().
 	* Make sure there is enough room for stashing the handshake message
 	  when switching to the legacy TLS stack.
 	* Avoid explicitly conditioning an assert on DTLS1_VERSION to make
 	  the assert work for newer DTLS versions.
 	* Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
 	* Send a host header with OCSP queries to make openssl(1) ocsp
 	  work with some widely used OCSP responders.
 	* Fix a memory leak in the openssl(1) s_client.
 	* Add a flag to mark DTLS methods as DTLS to have an easy way to
 	  recognize DTLS methods that avoids inspecting the version number.
 	* Implement SSL_is_dtls() and use it internally in place of the
 	  SSL_IS_DTLS macro.
 	* Unbreak DTLS retransmissions for flights that include a CCS.
 	* Add ability to ocspcheck(8) to parse a port in the specified
 	  OCSP URL.
 	* Refactor and clean up ocspcheck(8) and add regression tests.
 	* If x509_verify() fails, ensure that the error is set on both
 	  the x509_verify_ctx() and its store context to make some failures
 	  visible from SSL_get_verify_result().
 	* Use the X509_STORE_CTX get_issuer() callback from the new X.509
 	  verifier to fix hashed certificate directories.
 	* Only check BIO_should_read() on read and BIO_should_write() on
 	  write.  Previously, BIO_should_write() was also checked after read
 	  and BIO_should_read() after write which could cause stalls in
 	  software that uses the same BIO for read and write.
 	* In openssl(1) verify, also check for error on the store context
 	  since the return value of X509_verify_cert() is unreliable in
 	  presence of a callback that returns 1 too often.
 	* Update getentropy on Windows to use Cryptography Next Generation
 	  (CNG). wincrypt is deprecated and no longer works with newer Windows
 	  environments, such as in Windows Store apps.
 	* Implement auto chain for the TLSv1.3 server since some software
 	  relies on this.
 	* Handle additional certificate error cases in the new X.509 verifier.
 	  Keep track of the errors encountered if a verify callback tells the
 	  verifier to continue and report them back via the error on the store
 	  context. This mimics the behavior of the old verifier that would
 	  persist the first error encountered while building the chain.
 	* Report specific failures for "self signed certificates" in a way
 	  compatible with the old verifier since software relies on the
 	  error code.
 	* Implement key exporter for TLSv1.3.
 	* Plug a large memory leak in the new verifier caused by calling
 	  X509_policy_check() repeatedly.
 	* Avoid leaking memory in x509_verify_chain_dup().
 	* Various documentation improvements, particularly around TLS methods.
 3.2.3 - Security fix
 	* Malformed ASN.1 in a certificate revocation list or a timestamp
 	  response token can lead to a NULL pointer dereference.
 3.2.2 - Stable release
 	* This is the first stable release with the new TLSv1.3
@ -279,6 +787,11 @@ LibreSSL Portable Release Notes:
 	* Use non-expired certificates first when building a certificate chain.
 3.1.5 - Security fix
 	* Malformed ASN.1 in a certificate revocation list or a timestamp
 	  response token can lead to a NULL pointer dereference.
 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:
 	* Improve client certificate selection to allow EC certificates
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-Built from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2.tar.gz
+Built from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2.tar.gz
 Modifications:
 - Removed tests/mandocs/pkgconfig/scripts/apps/cmake_uninstall from both filesystem and CMakeLists.txt
@ -9,7 +9,11 @@ Modifications:
 ![LibreSSL image](https://www.libressl.org/images/libressl.jpg)
 ## Official portable version of [LibreSSL](https://www.libressl.org) ##
-[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl)
+[![Linux Build Status](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml)
 [![macOS Build Status](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml)
 [![Android_Build Status](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml)
 [![Cross_Build Status](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml)
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl)
 LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the
 [OpenBSD](https://www.openbsd.org) project.  Our goal is to modernize the codebase,
@ -45,9 +49,9 @@ At the time of this writing, LibreSSL is known to build and work on:
 * AIX (5.3 and later)
 LibreSSL also supports the following Windows environments:
-* Microsoft Windows (Vista or higher, x86 and x64)
+* Microsoft Windows (Windows 7 / Windows Server 2008r2 or later, x86 and x64)
 * Wine (32-bit and 64-bit)
-* Builds with Mingw-w64, Cygwin, and Visual Studio
+* Mingw-w64, Cygwin, and Visual Studio
 Official release tarballs are available at your friendly neighborhood
 OpenBSD mirror in directory
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-3.2.2
+3.4.2
--- a/cert.pem
+++ b/cert.pem
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@ -968,7 +968,25 @@ if(EXTRA_EXPORT)
 	endforeach()
 endif()
-add_library(crypto ${CRYPTO_SRC})
+set(LIBTLS_EXTRA_EXPORT ${EXTRA_EXPORT} PARENT_SCOPE)
 add_library(crypto_obj OBJECT ${CRYPTO_SRC})
 target_include_directories(crypto_obj
 	PRIVATE
 		.
 		asn1
 		bn
 		dsa
 		ec
 		ecdh
 		ecdsa
 		evp
 		modes
 		../include/compat
 	PUBLIC
 		../include)
 add_library(crypto $<TARGET_OBJECTS:crypto_obj>)
 target_include_directories(crypto
 	PRIVATE
 		.
--- a/crypto/VERSION
+++ b/crypto/VERSION
@ -1 +1 @@
-46:1:0
+47:0:0
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.31 2018/04/25 11:48:21 tb Exp $ */
+/* $OpenBSD: a_object.c,v 1.32 2021/05/01 13:16:30 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -304,8 +304,6 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 		}
 	}
 	/* only the ASN1_OBJECTs from the 'table' will have values
 	 * for ->sn or ->ln */
 	if ((a == NULL) || ((*a) == NULL) ||
 	    !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) {
 		if ((ret = ASN1_OBJECT_new()) == NULL)
@ -327,6 +325,13 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
 	memcpy(data, p, length);
 	/* If there are dynamic strings, free them here, and clear the flag. */
 	if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) {
 		free((void *)ret->sn);
 		free((void *)ret->ln);
 		ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS;
 	}
 	/* reattach data to object, after which it remains const */
 	ret->data = data;
 	ret->length = length;
--- a/crypto/asn1/a_time_tm.c
+++ b/crypto/asn1/a_time_tm.c
@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.15 2018/04/25 11:48:21 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.18 2021/08/28 08:22:48 tb Exp $ */
 /*
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 *
@ -163,10 +163,9 @@ ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode)
 		return (-1);
 	lt = tm;
-	if (lt == NULL) {
+	if (lt == NULL)
 		memset(&ltm, 0, sizeof(ltm));
 		lt = &ltm;
-	}
+	memset(lt, 0, sizeof(*lt));
 	/* Timezone is required and must be GMT (Zulu). */
 	if (bytes[len - 1] != 'Z')
@ -262,8 +261,8 @@ ASN1_TIME_adj_internal(ASN1_TIME *s, time_t t, int offset_day, long offset_sec,
 	size_t len;
 	char * p;
- 	if (gmtime_r(&t, &tm) == NULL)
+	if (gmtime_r(&t, &tm) == NULL)
- 		return (NULL);
+		return (NULL);
 	if (offset_day || offset_sec) {
 		if (!OPENSSL_gmtime_adj(&tm, offset_day, offset_sec))
@ -299,7 +298,7 @@ ASN1_TIME_adj_internal(ASN1_TIME *s, time_t t, int offset_day, long offset_sec,
 	case GENTIME_LENGTH:
 		s->type = V_ASN1_GENERALIZEDTIME;
 		break;
- 	case UTCTIME_LENGTH:
+	case UTCTIME_LENGTH:
 		s->type = V_ASN1_UTCTIME;
 		break;
 	default:
@ -354,7 +353,6 @@ ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
 	if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME)
 		return (NULL);
 	memset(&tm, 0, sizeof(tm));
 	if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type))
 		return (NULL);
 	if ((str = gentime_string_from_tm(&tm)) == NULL)
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_err.c,v 1.21 2018/03/29 02:29:24 inoguchi Exp $ */
+/* $OpenBSD: asn1_err.c,v 1.22 2020/12/08 15:06:42 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
 *
@ -85,6 +85,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = {
 	{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER)    , "bad object header"},
 	{ERR_REASON(ASN1_R_BAD_PASSWORD_READ)    , "bad password read"},
 	{ERR_REASON(ASN1_R_BAD_TAG)              , "bad tag"},
 	{ERR_REASON(ASN1_R_BAD_TEMPLATE)         , "bad template"},
 	{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH), "bmpstring is wrong length"},
 	{ERR_REASON(ASN1_R_BN_LIB)               , "bn lib"},
 	{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH), "boolean is wrong length"},
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_lib.c,v 1.44 2018/11/17 09:34:11 tb Exp $ */
+/* $OpenBSD: asn1_lib.c,v 1.45 2020/12/08 15:06:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -388,6 +388,8 @@ ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
 {
 	int i;
 	if (a == NULL || b == NULL)
 		return -1;
 	i = (a->length - b->length);
 	if (i == 0) {
 		i = memcmp(a->data, b->data, a->length);
--- a/crypto/asn1/t_spki.c
+++ b/crypto/asn1/t_spki.c
@ -1,4 +1,4 @@
-/* $OpenBSD: t_spki.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: t_spki.c,v 1.12 2021/08/24 15:23:03 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -94,7 +94,8 @@ NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
 	}
 	chal = spki->spkac->challenge;
 	if (chal->length)
-		BIO_printf(out, "  Challenge String: %s\n", chal->data);
+		BIO_printf(out, "  Challenge String: %.*s\n", chal->length,
 		    chal->data);
 	i = OBJ_obj2nid(spki->sig_algor->algorithm);
 	BIO_printf(out, "  Signature Algorithm: %s",
 	    (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.32 2020/04/10 07:05:24 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.34 2021/07/26 16:54:20 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -180,7 +180,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 		if (BIO_printf(bp, "        Issuer:%c", mlch) <= 0)
 			goto err;
 		if (X509_NAME_print_ex(bp, X509_get_issuer_name(x),
-		    nmindent, nmflags) < 0)
+		    nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
 			goto err;
 		if (BIO_write(bp, "\n", 1) <= 0)
 			goto err;
@ -203,7 +203,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 		if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)
 			goto err;
 		if (X509_NAME_print_ex(bp, X509_get_subject_name(x),
-		    nmindent, nmflags) < 0)
+		    nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
 			goto err;
 		if (BIO_write(bp, "\n", 1) <= 0)
 			goto err;
@ -261,10 +261,12 @@ X509_ocspid_print(BIO *bp, X509 *x)
 	   in OCSP requests */
 	if (BIO_printf(bp, "        Subject OCSP hash: ") <= 0)
 		goto err;
-	derlen = i2d_X509_NAME(x->cert_info->subject, NULL);
+	if ((derlen = i2d_X509_NAME(x->cert_info->subject, NULL)) <= 0)
 		goto err;
 	if ((der = dertmp = malloc(derlen)) == NULL)
 		goto err;
-	i2d_X509_NAME(x->cert_info->subject, &dertmp);
+	if (i2d_X509_NAME(x->cert_info->subject, &dertmp) <= 0)
 		goto err;
 	if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))
 		goto err;
--- a/crypto/asn1/t_x509a.c
+++ b/crypto/asn1/t_x509a.c
@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509a.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: t_x509a.c,v 1.9 2021/07/10 17:45:16 schwarze Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -105,8 +105,8 @@ X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
 	} else
 		BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
 	if (aux->alias)
-		BIO_printf(out, "%*sAlias: %s\n", indent, "",
+		BIO_printf(out, "%*sAlias: %.*s\n", indent, "",
-		    aux->alias->data);
+		    aux->alias->length, aux->alias->data);
 	if (aux->keyid) {
 		BIO_printf(out, "%*sKey Id: ", indent, "");
 		for (i = 0; i < aux->keyid->length; i++)
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.37 2019/04/01 15:48:04 jsing Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.38 2020/12/08 15:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@ -210,6 +210,16 @@ asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		break;
 	case ASN1_ITYPE_MSTRING:
 		/*
 		 * It never makes sense for multi-strings to have implicit
 		 * tagging, so if tag != -1, then this looks like an error in
 		 * the template.
 		 */
 		if (tag != -1) {
 			ASN1error(ASN1_R_BAD_TEMPLATE);
 			goto err;
 		}
 		p = *in;
 		/* Just read in tag and class */
 		ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
@ -245,6 +255,16 @@ asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		    it, tag, aclass, opt, ctx);
 	case ASN1_ITYPE_CHOICE:
 		/*
 		 * It never makes sense for CHOICE types to have implicit
 		 * tagging, so if tag != -1, then this looks like an error in
 		 * the template.
 		 */
 		if (tag != -1) {
 			ASN1error(ASN1_R_BAD_TEMPLATE);
 			goto err;
 		}
 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 			goto auxerr;
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_enc.c,v 1.22 2019/04/01 15:48:04 jsing Exp $ */
+/* $OpenBSD: tasn_enc.c,v 1.23 2020/12/08 15:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@ -61,6 +61,7 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/err.h>
 #include <openssl/objects.h>
 static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
@ -152,9 +153,27 @@ ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
 		break;
 	case ASN1_ITYPE_MSTRING:
 		/*
 		 * It never makes sense for multi-strings to have implicit
 		 * tagging, so if tag != -1, then this looks like an error in
 		 * the template.
 		 */
 		if (tag != -1) {
 			ASN1error(ASN1_R_BAD_TEMPLATE);
 			return 0;
 		}
 		return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
 	case ASN1_ITYPE_CHOICE:
 		/*
 		 * It never makes sense for CHOICE types to have implicit
 		 * tagging, so if tag != -1, then this looks like an error in
 		 * the template.
 		 */
 		if (tag != -1) {
 			ASN1error(ASN1_R_BAD_TEMPLATE);
 			return 0;
 		}
 		if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))
 			return 0;
 		i = asn1_get_choice_selector(pval, it);
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.34 2018/02/20 17:09:20 jsing Exp $ */
+/* $OpenBSD: x_name.c,v 1.35 2021/07/04 11:38:37 schwarze Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -626,19 +626,13 @@ i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) *_intname, unsigned char **in)
 int
 X509_NAME_set(X509_NAME **xn, X509_NAME *name)
 {
-	X509_NAME *in;
+	if (*xn == name)
-
+		return *xn != NULL;
-	if (!xn || !name)
+	if ((name = X509_NAME_dup(name)) == NULL)
-		return (0);
+		return 0;
-
+	X509_NAME_free(*xn);
-	if (*xn != name) {
+	*xn = name;
-		in = X509_NAME_dup(name);
+	return 1;
 		if (in != NULL) {
 			X509_NAME_free(*xn);
 			*xn = in;
 		}
 	}
 	return (*xn != NULL);
 }
 int
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.26 2018/02/17 15:50:42 jsing Exp $ */
+/* $OpenBSD: x_x509.c,v 1.27 2021/09/02 12:41:44 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -185,6 +185,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 		ret->akid = NULL;
 		ret->aux = NULL;
 		ret->crldp = NULL;
 #ifndef OPENSSL_NO_RFC3779
 		ret->rfc3779_addr = NULL;
 		ret->rfc3779_asid = NULL;
 #endif
 		CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
 		break;
@ -202,6 +206,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 		policy_cache_free(ret->policy_cache);
 		GENERAL_NAMES_free(ret->altname);
 		NAME_CONSTRAINTS_free(ret->nc);
 #ifndef OPENSSL_NO_RFC3779
 		sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
 		ASIdentifiers_free(ret->rfc3779_asid);
 #endif
 		free(ret->name);
 		ret->name = NULL;
 		break;
--- a/crypto/bio/b_dump.c
+++ b/crypto/bio/b_dump.c
@ -1,10 +1,10 @@
-/* $OpenBSD: b_dump.c,v 1.21 2015/04/23 06:11:19 deraadt Exp $ */
+/* $OpenBSD: b_dump.c,v 1.22 2021/07/11 20:18:07 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
+* The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
@ -82,7 +82,7 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
 {
 	int ret = 0;
 	char buf[288 + 1], tmp[20], str[128 + 1];
-	int i, j, rows, trc;
+	int i, j, rows, trc, written;
 	unsigned char ch;
 	int dump_width;
@ -133,13 +133,18 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
 		/* if this is the last call then update the ddt_dump thing so
 		 * that we will move the selection point in the debug window
 		 */
-		ret += cb((void *)buf, strlen(buf), u);
+		if ((written = cb((void *)buf, strlen(buf), u)) < 0)
 			return -1;
 		ret += written;
 	}
 #ifdef TRUNCATE
 	if (trc > 0) {
 		snprintf(buf, sizeof buf, "%s%04x - <SPACES/NULS>\n",
 		    str, len + trc);
-		ret += cb((void *)buf, strlen(buf), u);
+		if ((written = cb((void *)buf, strlen(buf), u)) < 0)
 			return -1;
 		ret += written;
 	}
 #endif
 	return (ret);
--- a/crypto/bio/bio_cb.c
+++ b/crypto/bio/bio_cb.c
@ -1,4 +1,4 @@
-/* $OpenBSD: bio_cb.c,v 1.16 2014/12/08 03:54:19 bcook Exp $ */
+/* $OpenBSD: bio_cb.c,v 1.17 2021/03/25 09:26:17 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -70,15 +70,22 @@ BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl,
 	BIO *b;
 	char buf[256];
 	char *p;
 	int nbuf;
 	long r = 1;
 	size_t p_maxlen;
 	if (BIO_CB_RETURN & cmd)
 		r = ret;
-	snprintf(buf, sizeof buf, "BIO[%p]:", bio);
+	nbuf = snprintf(buf, sizeof(buf), "BIO[%p]: ", bio);
-	p = &(buf[14]);
+	if (nbuf < 0)
-	p_maxlen = sizeof buf - 14;
+		nbuf = 0;	/* Ignore error; continue printing. */
 	if (nbuf >= sizeof(buf))
 		goto out;
 	p = buf + nbuf;
 	p_maxlen = sizeof(buf) - nbuf;
 	switch (cmd) {
 	case BIO_CB_FREE:
 		snprintf(p, p_maxlen, "Free - %s\n", bio->method->name);
@ -136,6 +143,7 @@ BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl,
 		break;
 	}
 out:
 	b = (BIO *)bio->cb_arg;
 	if (b != NULL)
 		BIO_write(b, buf, strlen(buf));
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.47 2019/06/17 17:11:48 tb Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.48 2021/09/08 12:19:17 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -583,20 +583,143 @@ BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
 	return (ret);
 }
 typedef enum {
 	big,
 	little,
 } endianness_t;
 /* ignore negative */
 static int
 bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianness_t endianness)
 {
 	int n;
 	size_t i, lasti, j, atop, mask;
 	BN_ULONG l;
 	/*
 	 * In case |a| is fixed-top, BN_num_bytes can return bogus length,
 	 * but it's assumed that fixed-top inputs ought to be "nominated"
 	 * even for padded output, so it works out...
 	 */
 	n = BN_num_bytes(a);
 	if (tolen == -1)
 		tolen = n;
 	else if (tolen < n) {	/* uncommon/unlike case */
 		BIGNUM temp = *a;
 		bn_correct_top(&temp);
 		n = BN_num_bytes(&temp);
 		if (tolen < n)
 			return -1;
 	}
 	/* Swipe through whole available data and don't give away padded zero. */
 	atop = a->dmax * BN_BYTES;
 	if (atop == 0) {
 		explicit_bzero(to, tolen);
 		return tolen;
 	}
 	lasti = atop - 1;
 	atop = a->top * BN_BYTES;
 	if (endianness == big)
 		to += tolen; /* start from the end of the buffer */
 	for (i = 0, j = 0; j < (size_t)tolen; j++) {
 		unsigned char val;
 		l = a->d[i / BN_BYTES];
 		mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
 		val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
 		if (endianness == big)
 			*--to = val;
 		else
 			*to++ = val;
 		i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
 	}
 	return tolen;
 }
 int
 BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
 {
 	if (tolen < 0)
 		return -1;
 	return bn2binpad(a, to, tolen, big);
 }
 int
 BN_bn2bin(const BIGNUM *a, unsigned char *to)
 {
-	int n, i;
+	return bn2binpad(a, to, -1, big);
-	BN_ULONG l;
+}
-	bn_check_top(a);
+BIGNUM *
-	n = i=BN_num_bytes(a);
+BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret)
-	while (i--) {
+{
-		l = a->d[i / BN_BYTES];
+	unsigned int i, m, n;
-		*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
+	BN_ULONG l;
 	BIGNUM *bn = NULL;
 	if (ret == NULL)
 		ret = bn = BN_new();
 	if (ret == NULL)
 		return NULL;
 	bn_check_top(ret);
 	s += len;
 	/* Skip trailing zeroes. */
 	for (; len > 0 && s[-1] == 0; s--, len--)
 		continue;
 	n = len;
 	if (n == 0) {
 		ret->top = 0;
 		return ret;
 	}
-	return (n);
+
 	i = ((n - 1) / BN_BYTES) + 1;
 	m = (n - 1) % BN_BYTES;
 	if (bn_wexpand(ret, (int)i) == NULL) {
 		BN_free(bn);
 		return NULL;
 	}
 	ret->top = i;
 	ret->neg = 0;
 	l = 0;
 	while (n-- > 0) {
 		s--;
 		l = (l << 8L) | *s;
 		if (m-- == 0) {
 			ret->d[--i] = l;
 			l = 0;
 			m = BN_BYTES - 1;
 		}
 	}
 	/*
 	 * need to call this due to clear byte at top if avoiding having the
 	 * top bit set (-ve number)
 	 */
 	bn_correct_top(ret);
 	return ret;
 }
 int
 BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
 {
 	if (tolen < 0)
 		return -1;
 	return bn2binpad(a, to, tolen, little);
 }
 int
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@ -1,4 +1,4 @@
-/* $OpenBSD: bn_print.c,v 1.31 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: bn_print.c,v 1.32 2021/08/31 11:19:19 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -216,7 +216,7 @@ BN_hex2bn(BIGNUM **bn, const char *a)
 		if ((ret = BN_new()) == NULL)
 			return (0);
 	} else {
-		ret= *bn;
+		ret = *bn;
 		BN_zero(ret);
 	}
@ -228,7 +228,7 @@ BN_hex2bn(BIGNUM **bn, const char *a)
 	m = 0;
 	h = 0;
 	while (j > 0) {
-		m = ((BN_BYTES*2) <= j) ? (BN_BYTES * 2) : j;
+		m = ((BN_BYTES * 2) <= j) ? (BN_BYTES * 2) : j;
 		l = 0;
 		for (;;) {
 			c = a[j - m];
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.24 2020/09/12 17:16:36 tb Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.25 2021/08/31 11:19:19 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -194,20 +194,20 @@ err:
 	return (ret);
 }
-int    
+int
 BN_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
 	return bnrand(0, rnd, bits, top, bottom);
 }
-int    
+int
 BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
 	return bnrand(1, rnd, bits, top, bottom);
 }
 #if 1
-int    
+int
 BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
 {
 	return bnrand(2, rnd, bits, top, bottom);
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@ -1,4 +1,4 @@
-/* $OpenBSD: cms_env.c,v 1.23 2019/10/04 18:03:56 tb Exp $ */
+/* $OpenBSD: cms_env.c,v 1.24 2021/09/08 14:33:02 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@ -792,6 +792,7 @@ cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
 		goto err;
 	}
 	freezero(ec->key, ec->keylen);
 	ec->key = ukey;
 	ec->keylen = ukeylen;
--- a/crypto/compat/getentropy_freebsd.c
+++ b/crypto/compat/getentropy_freebsd.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: getentropy_freebsd.c,v 1.3 2016/08/07 03:27:21 tb Exp $	*/
+/*	$OpenBSD: getentropy_freebsd.c,v 1.4 2020/10/12 22:08:33 deraadt Exp $	*/
 /*
 * Copyright (c) 2014 Pawel Jakub Dawidek <pjd@FreeBSD.org>
@ -32,11 +32,9 @@
 static size_t
 getentropy_sysctl(u_char *buf, size_t size)
 {
-	int mib[2];
+	const int mib[2] = { CTL_KERN, KERN_ARND };
 	size_t len, done;
 	mib[0] = CTL_KERN;
 	mib[1] = KERN_ARND;
 	done = 0;
 	do {
--- a/crypto/compat/getentropy_netbsd.c
+++ b/crypto/compat/getentropy_netbsd.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: getentropy_netbsd.c,v 1.3 2016/08/07 03:27:21 tb Exp $	*/
+/*	$OpenBSD: getentropy_netbsd.c,v 1.4 2020/10/12 22:08:33 deraadt Exp $	*/
 /*
 * Copyright (c) 2014 Pawel Jakub Dawidek <pjd@FreeBSD.org>
@ -32,11 +32,9 @@
 static size_t
 getentropy_sysctl(u_char *buf, size_t size)
 {
-	int mib[2];
+	const int mib[2] = { CTL_KERN, KERN_ARND };
 	size_t len, done;
 	mib[0] = CTL_KERN;
 	mib[1] = KERN_ARND;
 	done = 0;
 	do {
--- a/crypto/compat/getentropy_win.c
+++ b/crypto/compat/getentropy_win.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: getentropy_win.c,v 1.5 2016/08/07 03:27:21 tb Exp $	*/
+/*	$OpenBSD: getentropy_win.c,v 1.6 2020/11/11 10:41:24 bcook Exp $	*/
 /*
 * Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org> 
@ -21,39 +21,30 @@
 */
 #include <windows.h>
 #include <bcrypt.h>
 #include <errno.h>
 #include <stdint.h>
 #include <sys/types.h>
 #include <wincrypt.h>
 #include <process.h>
 int	getentropy(void *buf, size_t len);
 /*
- * On Windows, CryptGenRandom is supposed to be a well-seeded
+ * On Windows, BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG is supposed
- * cryptographically strong random number generator.
+ * to be a well-seeded, cryptographically strong random number generator.
 * https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
 */
 int
 getentropy(void *buf, size_t len)
 {
 	HCRYPTPROV provider;
 	if (len > 256) {
 		errno = EIO;
 		return (-1);
 	}
-	if (CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
+	if (FAILED(BCryptGenRandom(NULL, buf, len, BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
-	    CRYPT_VERIFYCONTEXT) == 0)
+		errno = EIO;
-		goto fail;
+		return (-1);
 	if (CryptGenRandom(provider, len, buf) == 0) {
 		CryptReleaseContext(provider, 0);
 		goto fail;
 	}
 	CryptReleaseContext(provider, 0);
 	return (0);
-fail:
+	return (0);
 	errno = EIO;
 	return (-1);
 }
--- a/crypto/compat/recallocarray.c
+++ b/crypto/compat/recallocarray.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: recallocarray.c,v 1.1 2017/03/06 18:44:21 otto Exp $	*/
+/*	$OpenBSD: recallocarray.c,v 1.2 2021/03/18 11:16:58 claudio Exp $	*/
 /*
 * Copyright (c) 2008, 2017 Otto Moerbeek <otto@drijf.net>
 *
@ -57,7 +57,7 @@ recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size)
 	if (newsize <= oldsize) {
 		size_t d = oldsize - newsize;
-		if (d < oldsize / 2 && d < getpagesize()) {
+		if (d < oldsize / 2 && d < (size_t)getpagesize()) {
 			memset((char *)ptr + newsize, 0, d);
 			return ptr;
 		}
--- a/crypto/crypto.sym
+++ b/crypto/crypto.sym
@ -425,6 +425,8 @@ BN_add_word
 BN_asc2bn
 BN_bin2bn
 BN_bn2bin
 BN_bn2binpad
 BN_bn2lebinpad
 BN_bn2dec
 BN_bn2hex
 BN_bn2mpi
@ -468,6 +470,7 @@ BN_is_prime_ex
 BN_is_prime_fasttest
 BN_is_prime_fasttest_ex
 BN_kronecker
 BN_lebin2bn
 BN_lshift
 BN_lshift1
 BN_mask_bits
@ -1047,6 +1050,7 @@ EC_GROUP_get0_seed
 EC_GROUP_get_asn1_flag
 EC_GROUP_get_basis_type
 EC_GROUP_get_cofactor
 EC_GROUP_get_curve
 EC_GROUP_get_curve_GF2m
 EC_GROUP_get_curve_GFp
 EC_GROUP_get_curve_name
@ -1062,8 +1066,10 @@ EC_GROUP_new
 EC_GROUP_new_by_curve_name
 EC_GROUP_new_curve_GF2m
 EC_GROUP_new_curve_GFp
 EC_GROUP_order_bits
 EC_GROUP_precompute_mult
 EC_GROUP_set_asn1_flag
 EC_GROUP_set_curve
 EC_GROUP_set_curve_GF2m
 EC_GROUP_set_curve_GFp
 EC_GROUP_set_curve_name
@ -1128,6 +1134,7 @@ EC_POINT_dbl
 EC_POINT_dup
 EC_POINT_free
 EC_POINT_get_Jprojective_coordinates_GFp
 EC_POINT_get_affine_coordinates
 EC_POINT_get_affine_coordinates_GF2m
 EC_POINT_get_affine_coordinates_GFp
 EC_POINT_hex2point
@ -1143,8 +1150,10 @@ EC_POINT_point2bn
 EC_POINT_point2hex
 EC_POINT_point2oct
 EC_POINT_set_Jprojective_coordinates_GFp
 EC_POINT_set_affine_coordinates
 EC_POINT_set_affine_coordinates_GF2m
 EC_POINT_set_affine_coordinates_GFp
 EC_POINT_set_compressed_coordinates
 EC_POINT_set_compressed_coordinates_GF2m
 EC_POINT_set_compressed_coordinates_GFp
 EC_POINT_set_to_infinity
@ -1447,9 +1456,11 @@ EVP_DigestFinal
 EVP_DigestFinal_ex
 EVP_DigestInit
 EVP_DigestInit_ex
 EVP_DigestSign
 EVP_DigestSignFinal
 EVP_DigestSignInit
 EVP_DigestUpdate
 EVP_DigestVerify
 EVP_DigestVerifyFinal
 EVP_DigestVerifyInit
 EVP_ENCODE_CTX_free
@ -1587,6 +1598,7 @@ EVP_PKEY_meth_set_verify_recover
 EVP_PKEY_meth_set_verifyctx
 EVP_PKEY_missing_parameters
 EVP_PKEY_new
 EVP_PKEY_new_CMAC_key
 EVP_PKEY_new_mac_key
 EVP_PKEY_paramgen
 EVP_PKEY_paramgen_init
--- a/crypto/ec/ec2_oct.c
+++ b/crypto/ec/ec2_oct.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */
+/* $OpenBSD: ec2_oct.c,v 1.16 2021/05/03 14:42:45 tb Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@ -121,6 +121,10 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point
 	if (!BN_GF2m_mod_arr(x, x_, group->poly))
 		goto err;
 	if (BN_is_zero(x)) {
 		if (y_bit != 0) {
 			ECerror(EC_R_INVALID_COMPRESSED_POINT);
 			goto err;
 		}
 		if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx))
 			goto err;
 	} else {
@ -152,7 +156,7 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point
 		}
 	}
-	if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx))
+	if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
 		goto err;
 	ret = 1;
@ -221,7 +225,7 @@ ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
 		if ((yxi = BN_CTX_get(ctx)) == NULL)
 			goto err;
-		if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx))
+		if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
 			goto err;
 		buf[0] = form;
@ -280,10 +284,11 @@ ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
 }
-/* Converts an octet string representation to an EC_POINT.
+/*
 * Converts an octet string representation to an EC_POINT.
 * Note that the simple implementation only uses affine coordinates.
 */
-int 
+int
 ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
    const unsigned char *buf, size_t len, BN_CTX *ctx)
 {
@ -298,19 +303,35 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 		ECerror(EC_R_BUFFER_TOO_SMALL);
 		return 0;
 	}
-	form = buf[0];
+
-	y_bit = form & 1;
+	/*
-	form = form & ~1U;
+	 * The first octet is the point conversion octet PC, see X9.62, page 4
-	if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) &&
+	 * and section 4.4.2.  It must be:
-	    (form != POINT_CONVERSION_UNCOMPRESSED) &&
+	 *	0x00		for the point at infinity
-	    (form != POINT_CONVERSION_HYBRID)) {
+	 *	0x02 or 0x03	for compressed form
 	 *	0x04		for uncompressed form
 	 *	0x06 or 0x07	for hybrid form.
 	 * For compressed or hybrid forms, we store the last bit of buf[0] as
 	 * y_bit and clear it from buf[0] so as to obtain a POINT_CONVERSION_*.
 	 * We error if buf[0] contains any but the above values.
 	 */
 	y_bit = buf[0] & 1;
 	form = buf[0] & ~1U;
 	if (form != 0 && form != POINT_CONVERSION_COMPRESSED &&
 	    form != POINT_CONVERSION_UNCOMPRESSED &&
 	    form != POINT_CONVERSION_HYBRID) {
 		ECerror(EC_R_INVALID_ENCODING);
 		return 0;
 	}
-	if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) {
+	if (form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) {
-		ECerror(EC_R_INVALID_ENCODING);
+		if (y_bit != 0) {
-		return 0;
+			ECerror(EC_R_INVALID_ENCODING);
 			return 0;
 		}
 	}
 	/* The point at infinity is represented by a single zero octet. */
 	if (form == 0) {
 		if (len != 1) {
 			ECerror(EC_R_INVALID_ENCODING);
@ -318,6 +339,7 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 		}
 		return EC_POINT_set_to_infinity(group, point);
 	}
 	field_len = (EC_GROUP_get_degree(group) + 7) / 8;
 	enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len :
 	    1 + 2 * field_len;
@ -326,6 +348,7 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 		ECerror(EC_R_INVALID_ENCODING);
 		return 0;
 	}
 	if (ctx == NULL) {
 		ctx = new_ctx = BN_CTX_new();
 		if (ctx == NULL)
@ -346,7 +369,11 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 		goto err;
 	}
 	if (form == POINT_CONVERSION_COMPRESSED) {
-		if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx))
+		/*
 		 * EC_POINT_set_compressed_coordinates checks that the
 		 * point is on the curve as required by X9.62.
 		 */
 		if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx))
 			goto err;
 	} else {
 		if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
@ -356,22 +383,34 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 			goto err;
 		}
 		if (form == POINT_CONVERSION_HYBRID) {
-			if (!group->meth->field_div(group, yxi, y, x, ctx))
+			/*
-				goto err;
+			 * Check that the form in the encoding was set
-			if (y_bit != BN_is_odd(yxi)) {
+			 * correctly according to X9.62 4.4.2.a, 4(c),
-				ECerror(EC_R_INVALID_ENCODING);
+			 * see also first paragraph of X9.62 4.4.1.b.
-				goto err;
+			 */
 			if (BN_is_zero(x)) {
 				if (y_bit != 0) {
 					ECerror(EC_R_INVALID_ENCODING);
 					goto err;
 				}
 			} else {
 				if (!group->meth->field_div(group, yxi, y, x,
 				    ctx))
 					goto err;
 				if (y_bit != BN_is_odd(yxi)) {
 					ECerror(EC_R_INVALID_ENCODING);
 					goto err;
 				}
 			}
 		}
-		if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx))
+		/*
 		 * EC_POINT_set_affine_coordinates checks that the
 		 * point is on the curve as required by X9.62.
 		 */
 		if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
 			goto err;
 	}
 	/* test required by X9.62 */
 	if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
 		ECerror(EC_R_POINT_IS_NOT_ON_CURVE);
 		goto err;
 	}
 	ret = 1;
 err:
--- a/crypto/ec/ec2_smpl.c
+++ b/crypto/ec/ec2_smpl.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_smpl.c,v 1.21 2018/11/05 20:18:21 tb Exp $ */
+/* $OpenBSD: ec2_smpl.c,v 1.23 2021/09/08 17:29:21 tb Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@ -88,17 +88,18 @@ EC_GF2m_simple_method(void)
 		.group_set_curve = ec_GF2m_simple_group_set_curve,
 		.group_get_curve = ec_GF2m_simple_group_get_curve,
 		.group_get_degree = ec_GF2m_simple_group_get_degree,
 		.group_order_bits = ec_group_simple_order_bits,
 		.group_check_discriminant =
-		ec_GF2m_simple_group_check_discriminant,
+		    ec_GF2m_simple_group_check_discriminant,
 		.point_init = ec_GF2m_simple_point_init,
 		.point_finish = ec_GF2m_simple_point_finish,
 		.point_clear_finish = ec_GF2m_simple_point_clear_finish,
 		.point_copy = ec_GF2m_simple_point_copy,
 		.point_set_to_infinity = ec_GF2m_simple_point_set_to_infinity,
 		.point_set_affine_coordinates =
-		ec_GF2m_simple_point_set_affine_coordinates,
+		    ec_GF2m_simple_point_set_affine_coordinates,
 		.point_get_affine_coordinates =
-		ec_GF2m_simple_point_get_affine_coordinates,
+		    ec_GF2m_simple_point_get_affine_coordinates,
 		.add = ec_GF2m_simple_add,
 		.dbl = ec_GF2m_simple_dbl,
 		.invert = ec_GF2m_simple_invert,
@ -483,7 +484,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 		if (!BN_copy(y0, &a->Y))
 			goto err;
 	} else {
-		if (!EC_POINT_get_affine_coordinates_GF2m(group, a, x0, y0, ctx))
+		if (!EC_POINT_get_affine_coordinates(group, a, x0, y0, ctx))
 			goto err;
 	}
 	if (b->Z_is_one) {
@ -492,7 +493,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 		if (!BN_copy(y1, &b->Y))
 			goto err;
 	} else {
-		if (!EC_POINT_get_affine_coordinates_GF2m(group, b, x1, y1, ctx))
+		if (!EC_POINT_get_affine_coordinates(group, b, x1, y1, ctx))
 			goto err;
 	}
@ -541,7 +542,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 	if (!BN_GF2m_add(y2, y2, y1))
 		goto err;
-	if (!EC_POINT_set_affine_coordinates_GF2m(group, r, x2, y2, ctx))
+	if (!EC_POINT_set_affine_coordinates(group, r, x2, y2, ctx))
 		goto err;
 	ret = 1;
@ -684,9 +685,9 @@ ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
 	if ((bY = BN_CTX_get(ctx)) == NULL)
 		goto err;
-	if (!EC_POINT_get_affine_coordinates_GF2m(group, a, aX, aY, ctx))
+	if (!EC_POINT_get_affine_coordinates(group, a, aX, aY, ctx))
 		goto err;
-	if (!EC_POINT_get_affine_coordinates_GF2m(group, b, bX, bY, ctx))
+	if (!EC_POINT_get_affine_coordinates(group, b, bX, bY, ctx))
 		goto err;
 	ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1;
@ -720,7 +721,7 @@ ec_GF2m_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ct
 	if ((y = BN_CTX_get(ctx)) == NULL)
 		goto err;
-	if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx))
+	if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
 		goto err;
 	if (!BN_copy(&point->X, x))
 		goto err;
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.31 2018/09/01 16:23:15 tb Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.34 2021/08/31 20:14:40 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@ -709,7 +709,7 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field)
 			goto err;
 		}
 		/* the parameters are specified by the prime number p */
-		if (!EC_GROUP_get_curve_GFp(group, tmp, NULL, NULL, NULL)) {
+		if (!EC_GROUP_get_curve(group, tmp, NULL, NULL, NULL)) {
 			ECerror(ERR_R_EC_LIB);
 			goto err;
 		}
@ -801,12 +801,12 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field)
 static int 
 ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve)
 {
 	int ok = 0, nid;
 	BIGNUM *tmp_1 = NULL, *tmp_2 = NULL;
 	unsigned char *buffer_1 = NULL, *buffer_2 = NULL, *a_buf = NULL,
 	*b_buf = NULL;
 	size_t len_1, len_2;
 	unsigned char char_zero = 0;
 	int ok = 0;
 	if (!group || !curve || !curve->a || !curve->b)
 		return 0;
@ -815,23 +815,12 @@ ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve)
 		ECerror(ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 	nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
 	/* get a and b */
-	if (nid == NID_X9_62_prime_field) {
+	if (!EC_GROUP_get_curve(group, NULL, tmp_1, tmp_2, NULL)) {
-		if (!EC_GROUP_get_curve_GFp(group, NULL, tmp_1, tmp_2, NULL)) {
+		ECerror(ERR_R_EC_LIB);
-			ECerror(ERR_R_EC_LIB);
+		goto err;
 			goto err;
 		}
 	}
 #ifndef OPENSSL_NO_EC2M
 	else {			/* nid == NID_X9_62_characteristic_two_field */
 		if (!EC_GROUP_get_curve_GF2m(group, NULL, tmp_1, tmp_2, NULL)) {
 			ECerror(ERR_R_EC_LIB);
 			goto err;
 		}
 	}
 #endif
 	len_1 = (size_t) BN_num_bytes(tmp_1);
 	len_2 = (size_t) BN_num_bytes(tmp_2);
@ -1028,7 +1017,7 @@ ec_asn1_group2pkparameters(const EC_GROUP * group, ECPKPARAMETERS * params)
 			if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
 				ok = 0;
 		} else
-			/* we don't kmow the nid => ERROR */
+			/* we don't know the group => ERROR */
 			ok = 0;
 	} else {
 		/* use the ECPARAMETERS structure */
--- a/crypto/ec/ec_curve.c
+++ b/crypto/ec/ec_curve.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec_curve.c,v 1.20 2020/06/05 17:12:09 jsing Exp $ */
+/* $OpenBSD: ec_curve.c,v 1.21 2021/04/20 17:16:37 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@ -3373,7 +3373,7 @@ ec_group_new_from_data(const ec_list_element curve)
 		ECerror(ERR_R_BN_LIB);
 		goto err;
 	}
-	if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
+	if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
 		ECerror(ERR_R_EC_LIB);
 		goto err;
 	}
--- a/crypto/ec/ec_cvt.c
+++ b/crypto/ec/ec_cvt.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec_cvt.c,v 1.6 2014/07/10 22:45:57 jsing Exp $ */
+/* $OpenBSD: ec_cvt.c,v 1.7 2021/04/20 17:04:13 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@ -112,7 +112,7 @@ EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
 	if (ret == NULL)
 		return NULL;
-	if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) {
+	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
 		unsigned long err;
 		err = ERR_peek_last_error();
@ -136,7 +136,7 @@ EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
 		if (ret == NULL)
 			return NULL;
-		if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx)) {
+		if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
 			EC_GROUP_clear_free(ret);
 			return NULL;
 		}
@ -158,7 +158,7 @@ EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b,
 	if (ret == NULL)
 		return NULL;
-	if (!EC_GROUP_set_curve_GF2m(ret, p, a, b, ctx)) {
+	if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) {
 		EC_GROUP_clear_free(ret);
 		return NULL;
 	}
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.24 2019/01/19 01:12:48 tb Exp $ */
+/* $OpenBSD: ec_key.c,v 1.26 2021/04/20 17:23:37 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@ -381,7 +381,7 @@ EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y)
 	BN_CTX *ctx = NULL;
 	BIGNUM *tx, *ty;
 	EC_POINT *point = NULL;
-	int ok = 0, tmp_nid, is_char_two = 0;
+	int ok = 0;
 	if (!key || !key->group || !x || !y) {
 		ECerror(ERR_R_PASSED_NULL_PARAMETER);
@ -396,34 +396,15 @@ EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y)
 	if (!point)
 		goto err;
 	tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group));
 	if (tmp_nid == NID_X9_62_characteristic_two_field)
 		is_char_two = 1;
 	if ((tx = BN_CTX_get(ctx)) == NULL)
 		goto err;
 	if ((ty = BN_CTX_get(ctx)) == NULL)
 		goto err;
-#ifndef OPENSSL_NO_EC2M
+	if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx))
-	if (is_char_two) {
+		goto err;
-		if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point,
+	if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx))
-			x, y, ctx))
+		goto err;
 			goto err;
 		if (!EC_POINT_get_affine_coordinates_GF2m(key->group, point,
 			tx, ty, ctx))
 			goto err;
 	} else
 #endif
 	{
 		if (!EC_POINT_set_affine_coordinates_GFp(key->group, point,
 			x, y, ctx))
 			goto err;
 		if (!EC_POINT_get_affine_coordinates_GFp(key->group, point,
 			tx, ty, ctx))
 			goto err;
 	}
 	/*
 	 * Check if retrieved coordinates match originals: if not values are
 	 * out of range.
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lcl.h,v 1.13 2019/01/19 01:12:48 tb Exp $ */
+/* $OpenBSD: ec_lcl.h,v 1.18 2021/09/08 17:29:21 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@ -105,14 +105,14 @@ struct ec_method_st {
 	void (*group_clear_finish)(EC_GROUP *);
 	int (*group_copy)(EC_GROUP *, const EC_GROUP *);
-	/* used by EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, */
+	/* used by EC_GROUP_{get,set}_curve */
 	/* EC_GROUP_set_curve_GF2m, and EC_GROUP_get_curve_GF2m: */
 	int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 	int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
 	/* used by EC_GROUP_get_degree: */
 	int (*group_get_degree)(const EC_GROUP *);
-
+	/* used by EC_GROUP_order_bits: */
 	int (*group_order_bits)(const EC_GROUP *);
 	/* used by EC_GROUP_check: */
 	int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *);
@ -122,17 +122,18 @@ struct ec_method_st {
 	void (*point_clear_finish)(EC_POINT *);
 	int (*point_copy)(EC_POINT *, const EC_POINT *);
-	/* used by EC_POINT_set_to_infinity,
+	/*
-	 * EC_POINT_set_Jprojective_coordinates_GFp,
+	 * used by EC_POINT_set_to_infinity,
-	 * EC_POINT_get_Jprojective_coordinates_GFp,
+	 * EC_POINT_set_Jprojective_coordinates,
-	 * EC_POINT_set_affine_coordinates_GFp,     ..._GF2m,
+	 * EC_POINT_get_Jprojective_coordinates,
-	 * EC_POINT_get_affine_coordinates_GFp,     ..._GF2m,
+	 * EC_POINT_set_affine_coordinates,
-	 * EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
+	 * EC_POINT_get_affine_coordinates,
 	 * EC_POINT_set_compressed_coordinates:
 	 */
 	int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
-	int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+	int (*point_set_Jprojective_coordinates)(const EC_GROUP *, EC_POINT *,
 		const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
-	int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+	int (*point_get_Jprojective_coordinates)(const EC_GROUP *, const EC_POINT *,
 		BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
 	int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *,
 		const BIGNUM *x, const BIGNUM *y, BN_CTX *);
@ -282,7 +283,7 @@ void EC_EX_DATA_clear_free_data(EC_EXTRA_DATA **,
 void EC_EX_DATA_free_all_data(EC_EXTRA_DATA **);
 void EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA **);
-
+int ec_group_simple_order_bits(const EC_GROUP *group);
 struct ec_point_st {
 	const EC_METHOD *meth;
@ -297,8 +298,6 @@ struct ec_point_st {
 	int Z_is_one; /* enable optimized point arithmetics for special case */
 } /* EC_POINT */;
 /* method functions in ec_mult.c
 * (ec_lib.c uses these as defaults if group->method->mul is 0) */
 int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
@ -321,10 +320,10 @@ void ec_GFp_simple_point_finish(EC_POINT *);
 void ec_GFp_simple_point_clear_finish(EC_POINT *);
 int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
 int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
-int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+int ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *, EC_POINT *,
-	const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+    const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
-int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+int ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *,
-	BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+    const EC_POINT *, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
 int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
 	const BIGNUM *x, const BIGNUM *y, BN_CTX *);
 int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *,
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.32 2019/09/29 10:09:09 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.41 2021/09/12 16:23:19 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@ -100,7 +100,7 @@ EC_GROUP_new(const EC_METHOD * meth)
 	BN_init(&ret->cofactor);
 	ret->curve_name = 0;
-	ret->asn1_flag = 0;
+	ret->asn1_flag = OPENSSL_EC_NAMED_CURVE;
 	ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED;
 	ret->seed = NULL;
@ -401,6 +401,11 @@ EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
 	return !BN_is_zero(order);
 }
 int
 EC_GROUP_order_bits(const EC_GROUP *group)
 {
 	return group->meth->group_order_bits(group);
 }
 int 
 EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
@ -488,52 +493,55 @@ EC_GROUP_get_seed_len(const EC_GROUP * group)
 	return group->seed_len;
 }
-
+int
-int 
+EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
-EC_GROUP_set_curve_GFp(EC_GROUP * group, const BIGNUM * p, const BIGNUM * a,
+    const BIGNUM *b, BN_CTX *ctx)
    const BIGNUM * b, BN_CTX * ctx)
 {
-	if (group->meth->group_set_curve == 0) {
+	if (group->meth->group_set_curve == NULL) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	return group->meth->group_set_curve(group, p, a, b, ctx);
 }
-
+int
-int 
+EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
-EC_GROUP_get_curve_GFp(const EC_GROUP * group, BIGNUM * p, BIGNUM * a,
+    BN_CTX *ctx)
    BIGNUM * b, BN_CTX * ctx)
 {
-	if (group->meth->group_get_curve == 0) {
+	if (group->meth->group_get_curve == NULL) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	return group->meth->group_get_curve(group, p, a, b, ctx);
 }
 int
 EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
    const BIGNUM *b, BN_CTX *ctx)
 {
 	return EC_GROUP_set_curve(group, p, a, b, ctx);
 }
 int
 EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
    BN_CTX *ctx)
 {
 	return EC_GROUP_get_curve(group, p, a, b, ctx);
 }
 #ifndef OPENSSL_NO_EC2M
-int 
+int
-EC_GROUP_set_curve_GF2m(EC_GROUP * group, const BIGNUM * p, const BIGNUM * a,
+EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
-    const BIGNUM * b, BN_CTX * ctx)
+    const BIGNUM *b, BN_CTX *ctx)
 {
-	if (group->meth->group_set_curve == 0) {
+	return EC_GROUP_set_curve(group, p, a, b, ctx);
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	return group->meth->group_set_curve(group, p, a, b, ctx);
 }
-
+int
-int 
+EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
-EC_GROUP_get_curve_GF2m(const EC_GROUP * group, BIGNUM * p, BIGNUM * a,
+    BIGNUM *b, BN_CTX *ctx)
    BIGNUM * b, BN_CTX * ctx)
 {
-	if (group->meth->group_get_curve == 0) {
+	return EC_GROUP_get_curve(group, p, a, b, ctx);
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	return group->meth->group_get_curve(group, p, a, b, ctx);
 }
 #endif
@ -919,28 +927,57 @@ EC_POINT_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
 	return group->meth->point_set_to_infinity(group, point);
 }
 int
 EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *point,
    const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
 {
 	if (group->meth->point_set_Jprojective_coordinates == NULL) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	if (group->meth != point->meth) {
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
 	return group->meth->point_set_Jprojective_coordinates(group, point,
 	    x, y, z, ctx);
 }
-int 
+int
 EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group,
    const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
 {
 	if (group->meth->point_get_Jprojective_coordinates == NULL) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	if (group->meth != point->meth) {
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
 	return group->meth->point_get_Jprojective_coordinates(group, point,
 	    x, y, z, ctx);
 }
 int
 EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
    const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
 {
-	if (group->meth->point_set_Jprojective_coordinates_GFp == 0) {
+	return EC_POINT_set_Jprojective_coordinates(group, point, x, y, z, ctx);
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	if (group->meth != point->meth) {
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
 	return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
 }
-
+int
 int 
 EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
    const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
 {
-	if (group->meth->point_get_Jprojective_coordinates_GFp == 0) {
+	return EC_POINT_get_Jprojective_coordinates(group, point, x, y, z, ctx);
 }
 int
 EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
 {
 	if (group->meth->point_set_affine_coordinates == NULL) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
@ -948,47 +985,36 @@ EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
-	return group->meth->point_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
+	if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx))
 		return 0;
 	if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
 		ECerror(EC_R_POINT_IS_NOT_ON_CURVE);
 		return 0;
 	}
 	return 1;
 }
-
+int
 int 
 EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
 {
-	if (group->meth->point_set_affine_coordinates == 0) {
+	return EC_POINT_set_affine_coordinates(group, point, x, y, ctx);
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	if (group->meth != point->meth) {
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
 	return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
 }
 #ifndef OPENSSL_NO_EC2M
-int 
+int
 EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
 {
-	if (group->meth->point_set_affine_coordinates == 0) {
+	return EC_POINT_set_affine_coordinates(group, point, x, y, ctx);
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	if (group->meth != point->meth) {
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
 	return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
 }
 #endif
-int 
+int
-EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
    BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
 {
-	if (group->meth->point_get_affine_coordinates == 0) {
+	if (group->meth->point_get_affine_coordinates == NULL) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
@ -999,20 +1025,19 @@ EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point
 	return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
 }
 int
 EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
    BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
 {
 	return EC_POINT_get_affine_coordinates(group, point, x, y, ctx);
 }
 #ifndef OPENSSL_NO_EC2M
-int 
+int
 EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point,
    BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
 {
-	if (group->meth->point_get_affine_coordinates == 0) {
+	return EC_POINT_get_affine_coordinates(group, point, x, y, ctx);
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	if (group->meth != point->meth) {
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
 	return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
 }
 #endif
@ -1241,6 +1266,17 @@ EC_GROUP_have_precompute_mult(const EC_GROUP * group)
 				 * been performed */
 }
 int
 ec_group_simple_order_bits(const EC_GROUP *group)
 {
 	/* XXX change group->order to a pointer? */
 #if 0
 	if (group->order == NULL)
 		return 0;
 #endif
 	return BN_num_bits(&group->order);
 }
 EC_KEY *
 ECParameters_dup(EC_KEY *key)
 {
--- a/crypto/ec/ec_oct.c
+++ b/crypto/ec/ec_oct.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ec_oct.c,v 1.5 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ec_oct.c,v 1.8 2021/04/20 17:34:33 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@ -70,12 +70,12 @@
 #include "ec_lcl.h"
-int 
+int
-EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP * group, EC_POINT * point,
+EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
-    const BIGNUM * x, int y_bit, BN_CTX * ctx)
+    const BIGNUM *x, int y_bit, BN_CTX *ctx)
 {
-	if (group->meth->point_set_compressed_coordinates == 0
+	if (group->meth->point_set_compressed_coordinates == NULL &&
-	    && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) {
+	    !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
@ -98,36 +98,33 @@ EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP * group, EC_POINT * point
 			    group, point, x, y_bit, ctx);
 #endif
 	}
-	return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
+	if (!group->meth->point_set_compressed_coordinates(group, point, x,
 	    y_bit, ctx))
 		return 0;
 	if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
 		ECerror(EC_R_POINT_IS_NOT_ON_CURVE);
 		return 0;
 	}
 	return 1;
 }
 int
 EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
    const BIGNUM *x, int y_bit, BN_CTX *ctx)
 {
 	return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
 }
 #ifndef OPENSSL_NO_EC2M
-int 
+int
-EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP * group, EC_POINT * point,
+EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
-    const BIGNUM * x, int y_bit, BN_CTX * ctx)
+    const BIGNUM *x, int y_bit, BN_CTX *ctx)
 {
-	if (group->meth->point_set_compressed_coordinates == 0
+	return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
 	    && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) {
 		ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
 	}
 	if (group->meth != point->meth) {
 		ECerror(EC_R_INCOMPATIBLE_OBJECTS);
 		return 0;
 	}
 	if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) {
 		if (group->meth->field_type == NID_X9_62_prime_field)
 			return ec_GFp_simple_set_compressed_coordinates(
 			    group, point, x, y_bit, ctx);
 		else
 			return ec_GF2m_simple_set_compressed_coordinates(
 			    group, point, x, y_bit, ctx);
 	}
 	return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
 }
 #endif
-size_t 
+size_t
 EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
    point_conversion_form_t form,
    unsigned char *buf, size_t len, BN_CTX *ctx)
@ -159,8 +156,7 @@ EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
 	return group->meth->point2oct(group, point, form, buf, len, ctx);
 }
-
+int
 int 
 EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
    const unsigned char *buf, size_t len, BN_CTX *ctx)
 {
--- a/crypto/ec/eck_prn.c
+++ b/crypto/ec/eck_prn.c
@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.15 2018/07/15 16:27:39 tb Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.17 2021/04/20 17:12:43 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@ -64,8 +64,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/opensslconf.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/err.h>
@ -214,19 +212,9 @@ ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off)
 			reason = ERR_R_MALLOC_FAILURE;
 			goto err;
 		}
-#ifndef OPENSSL_NO_EC2M
+		if (!EC_GROUP_get_curve(x, p, a, b, ctx)) {
-		if (is_char_two) {
+			reason = ERR_R_EC_LIB;
-			if (!EC_GROUP_get_curve_GF2m(x, p, a, b, ctx)) {
+			goto err;
 				reason = ERR_R_EC_LIB;
 				goto err;
 			}
 		} else		/* prime field */
 #endif
 		{
 			if (!EC_GROUP_get_curve_GFp(x, p, a, b, ctx)) {
 				reason = ERR_R_EC_LIB;
 				goto err;
 			}
 		}
 		if ((point = EC_GROUP_get0_generator(x)) == NULL) {
--- a/crypto/ec/ecp_mont.c
+++ b/crypto/ec/ecp_mont.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_mont.c,v 1.17 2018/11/05 20:18:21 tb Exp $ */
+/* $OpenBSD: ecp_mont.c,v 1.20 2021/09/08 17:29:21 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@ -79,21 +79,22 @@ EC_GFp_mont_method(void)
 		.group_set_curve = ec_GFp_mont_group_set_curve,
 		.group_get_curve = ec_GFp_simple_group_get_curve,
 		.group_get_degree = ec_GFp_simple_group_get_degree,
 		.group_order_bits = ec_group_simple_order_bits,
 		.group_check_discriminant =
-		ec_GFp_simple_group_check_discriminant,
+		    ec_GFp_simple_group_check_discriminant,
 		.point_init = ec_GFp_simple_point_init,
 		.point_finish = ec_GFp_simple_point_finish,
 		.point_clear_finish = ec_GFp_simple_point_clear_finish,
 		.point_copy = ec_GFp_simple_point_copy,
 		.point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
-		.point_set_Jprojective_coordinates_GFp =
+		.point_set_Jprojective_coordinates =
-		ec_GFp_simple_set_Jprojective_coordinates_GFp,
+		    ec_GFp_simple_set_Jprojective_coordinates,
-		.point_get_Jprojective_coordinates_GFp =
+		.point_get_Jprojective_coordinates =
-		ec_GFp_simple_get_Jprojective_coordinates_GFp,
+		    ec_GFp_simple_get_Jprojective_coordinates,
 		.point_set_affine_coordinates =
-		ec_GFp_simple_point_set_affine_coordinates,
+		    ec_GFp_simple_point_set_affine_coordinates,
 		.point_get_affine_coordinates =
-		ec_GFp_simple_point_get_affine_coordinates,
+		    ec_GFp_simple_point_get_affine_coordinates,
 		.add = ec_GFp_simple_add,
 		.dbl = ec_GFp_simple_dbl,
 		.invert = ec_GFp_simple_invert,
@ -117,7 +118,7 @@ EC_GFp_mont_method(void)
 }
-int 
+int
 ec_GFp_mont_group_init(EC_GROUP * group)
 {
 	int ok;
@ -129,7 +130,7 @@ ec_GFp_mont_group_init(EC_GROUP * group)
 }
-void 
+void
 ec_GFp_mont_group_finish(EC_GROUP * group)
 {
 	BN_MONT_CTX_free(group->field_data1);
@ -140,7 +141,7 @@ ec_GFp_mont_group_finish(EC_GROUP * group)
 }
-void 
+void
 ec_GFp_mont_group_clear_finish(EC_GROUP * group)
 {
 	BN_MONT_CTX_free(group->field_data1);
@ -151,7 +152,7 @@ ec_GFp_mont_group_clear_finish(EC_GROUP * group)
 }
-int 
+int
 ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src)
 {
 	BN_MONT_CTX_free(dest->field_data1);
@ -185,7 +186,7 @@ ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src)
 }
-int 
+int
 ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
    const BIGNUM *b, BN_CTX *ctx)
 {
@ -237,7 +238,7 @@ ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
 }
-int 
+int
 ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
    const BIGNUM *b, BN_CTX *ctx)
 {
@ -249,7 +250,7 @@ ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
 }
-int 
+int
 ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
    BN_CTX *ctx)
 {
@ -261,7 +262,7 @@ ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
 }
-int 
+int
 ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
    BN_CTX *ctx)
 {
@ -273,7 +274,7 @@ ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
 }
-int 
+int
 ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
    BN_CTX *ctx)
 {
@ -285,7 +286,7 @@ ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
 }
-int 
+int
 ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
 {
 	if (group->field_data2 == NULL) {
--- a/crypto/ec/ecp_nist.c
+++ b/crypto/ec/ecp_nist.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nist.c,v 1.15 2018/11/05 20:18:21 tb Exp $ */
+/* $OpenBSD: ecp_nist.c,v 1.18 2021/09/08 17:29:21 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@ -80,21 +80,22 @@ EC_GFp_nist_method(void)
 		.group_set_curve = ec_GFp_nist_group_set_curve,
 		.group_get_curve = ec_GFp_simple_group_get_curve,
 		.group_get_degree = ec_GFp_simple_group_get_degree,
 		.group_order_bits = ec_group_simple_order_bits,
 		.group_check_discriminant =
-		ec_GFp_simple_group_check_discriminant,
+		    ec_GFp_simple_group_check_discriminant,
 		.point_init = ec_GFp_simple_point_init,
 		.point_finish = ec_GFp_simple_point_finish,
 		.point_clear_finish = ec_GFp_simple_point_clear_finish,
 		.point_copy = ec_GFp_simple_point_copy,
 		.point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
-		.point_set_Jprojective_coordinates_GFp =
+		.point_set_Jprojective_coordinates =
-		ec_GFp_simple_set_Jprojective_coordinates_GFp,
+		    ec_GFp_simple_set_Jprojective_coordinates,
-		.point_get_Jprojective_coordinates_GFp =
+		.point_get_Jprojective_coordinates =
-		ec_GFp_simple_get_Jprojective_coordinates_GFp,
+		    ec_GFp_simple_get_Jprojective_coordinates,
 		.point_set_affine_coordinates =
-		ec_GFp_simple_point_set_affine_coordinates,
+		    ec_GFp_simple_point_set_affine_coordinates,
 		.point_get_affine_coordinates =
-		ec_GFp_simple_point_get_affine_coordinates,
+		    ec_GFp_simple_point_get_affine_coordinates,
 		.add = ec_GFp_simple_add,
 		.dbl = ec_GFp_simple_dbl,
 		.invert = ec_GFp_simple_invert,
@ -114,7 +115,7 @@ EC_GFp_nist_method(void)
 	return &ret;
 }
-int 
+int
 ec_GFp_nist_group_copy(EC_GROUP * dest, const EC_GROUP * src)
 {
 	dest->field_mod_func = src->field_mod_func;
@ -122,7 +123,7 @@ ec_GFp_nist_group_copy(EC_GROUP * dest, const EC_GROUP * src)
 	return ec_GFp_simple_group_copy(dest, src);
 }
-int 
+int
 ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
    const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 {
@ -162,7 +163,7 @@ ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 }
-int 
+int
 ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
    const BIGNUM *b, BN_CTX *ctx)
 {
@ -189,7 +190,7 @@ ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
 }
-int 
+int
 ec_GFp_nist_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a,
    BN_CTX * ctx)
 {
--- a/crypto/ec/ecp_oct.c
+++ b/crypto/ec/ecp_oct.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */
+/* $OpenBSD: ecp_oct.c,v 1.14 2021/04/20 17:32:57 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@ -185,7 +185,7 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group,
 		ECerror(ERR_R_INTERNAL_ERROR);
 		goto err;
 	}
-	if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+	if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
 		goto err;
 	ret = 1;
@ -246,7 +246,7 @@ ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_co
 		if ((y = BN_CTX_get(ctx)) == NULL)
 			goto err;
-		if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
+		if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
 			goto err;
 		if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
@ -362,7 +362,11 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point,
 		goto err;
 	}
 	if (form == POINT_CONVERSION_COMPRESSED) {
-		if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx))
+		/*
 		 * EC_POINT_set_compressed_coordinates checks that the point
 		 * is on the curve as required by X9.62.
 		 */
 		if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx))
 			goto err;
 	} else {
 		if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
@ -377,15 +381,14 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point,
 				goto err;
 			}
 		}
-		if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+		/*
 		 * EC_POINT_set_affine_coordinates checks that the point is
 		 * on the curve as required by X9.62.
 		 */
 		if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
 			goto err;
 	}
 	/* test required by X9.62 */
 	if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
 		ECerror(EC_R_POINT_IS_NOT_ON_CURVE);
 		goto err;
 	}
 	ret = 1;
 err:
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.29 2018/11/15 05:53:31 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.33 2021/09/08 17:29:21 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@ -80,21 +80,22 @@ EC_GFp_simple_method(void)
 		.group_set_curve = ec_GFp_simple_group_set_curve,
 		.group_get_curve = ec_GFp_simple_group_get_curve,
 		.group_get_degree = ec_GFp_simple_group_get_degree,
 		.group_order_bits = ec_group_simple_order_bits,
 		.group_check_discriminant =
-		ec_GFp_simple_group_check_discriminant,
+		    ec_GFp_simple_group_check_discriminant,
 		.point_init = ec_GFp_simple_point_init,
 		.point_finish = ec_GFp_simple_point_finish,
 		.point_clear_finish = ec_GFp_simple_point_clear_finish,
 		.point_copy = ec_GFp_simple_point_copy,
 		.point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
-		.point_set_Jprojective_coordinates_GFp =
+		.point_set_Jprojective_coordinates =
-		ec_GFp_simple_set_Jprojective_coordinates_GFp,
+		    ec_GFp_simple_set_Jprojective_coordinates,
-		.point_get_Jprojective_coordinates_GFp =
+		.point_get_Jprojective_coordinates =
-		ec_GFp_simple_get_Jprojective_coordinates_GFp,
+		    ec_GFp_simple_get_Jprojective_coordinates,
 		.point_set_affine_coordinates =
-		ec_GFp_simple_point_set_affine_coordinates,
+		    ec_GFp_simple_point_set_affine_coordinates,
 		.point_get_affine_coordinates =
-		ec_GFp_simple_point_get_affine_coordinates,
+		    ec_GFp_simple_point_get_affine_coordinates,
 		.add = ec_GFp_simple_add,
 		.dbl = ec_GFp_simple_dbl,
 		.invert = ec_GFp_simple_invert,
@ -129,7 +130,7 @@ EC_GFp_simple_method(void)
 */
-int 
+int
 ec_GFp_simple_group_init(EC_GROUP * group)
 {
 	BN_init(&group->field);
@ -140,7 +141,7 @@ ec_GFp_simple_group_init(EC_GROUP * group)
 }
-void 
+void
 ec_GFp_simple_group_finish(EC_GROUP * group)
 {
 	BN_free(&group->field);
@ -149,7 +150,7 @@ ec_GFp_simple_group_finish(EC_GROUP * group)
 }
-void 
+void
 ec_GFp_simple_group_clear_finish(EC_GROUP * group)
 {
 	BN_clear_free(&group->field);
@ -158,7 +159,7 @@ ec_GFp_simple_group_clear_finish(EC_GROUP * group)
 }
-int 
+int
 ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src)
 {
 	if (!BN_copy(&dest->field, &src->field))
@ -174,7 +175,7 @@ ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src)
 }
-int 
+int
 ec_GFp_simple_group_set_curve(EC_GROUP * group,
    const BIGNUM * p, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
 {
@ -231,7 +232,7 @@ ec_GFp_simple_group_set_curve(EC_GROUP * group,
 }
-int 
+int
 ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BIGNUM * b, BN_CTX * ctx)
 {
 	int ret = 0;
@ -275,14 +276,14 @@ ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BI
 }
-int 
+int
 ec_GFp_simple_group_get_degree(const EC_GROUP * group)
 {
 	return BN_num_bits(&group->field);
 }
-int 
+int
 ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
 {
 	int ret = 0;
@ -358,7 +359,7 @@ ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx)
 }
-int 
+int
 ec_GFp_simple_point_init(EC_POINT * point)
 {
 	BN_init(&point->X);
@ -370,7 +371,7 @@ ec_GFp_simple_point_init(EC_POINT * point)
 }
-void 
+void
 ec_GFp_simple_point_finish(EC_POINT * point)
 {
 	BN_free(&point->X);
@ -379,7 +380,7 @@ ec_GFp_simple_point_finish(EC_POINT * point)
 }
-void 
+void
 ec_GFp_simple_point_clear_finish(EC_POINT * point)
 {
 	BN_clear_free(&point->X);
@ -389,7 +390,7 @@ ec_GFp_simple_point_clear_finish(EC_POINT * point)
 }
-int 
+int
 ec_GFp_simple_point_copy(EC_POINT * dest, const EC_POINT * src)
 {
 	if (!BN_copy(&dest->X, &src->X))
@ -404,7 +405,7 @@ ec_GFp_simple_point_copy(EC_POINT * dest, const EC_POINT * src)
 }
-int 
+int
 ec_GFp_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
 {
 	point->Z_is_one = 0;
@ -413,9 +414,10 @@ ec_GFp_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
 }
-int 
+int
-ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT * point,
+ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *group,
-    const BIGNUM * x, const BIGNUM * y, const BIGNUM * z, BN_CTX * ctx)
+    EC_POINT *point, const BIGNUM *x, const BIGNUM *y, const BIGNUM *z,
    BN_CTX *ctx)
 {
 	BN_CTX *new_ctx = NULL;
 	int ret = 0;
@ -465,10 +467,9 @@ ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT *
 	return ret;
 }
-
+int
-int 
+ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *group,
-ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_POINT * point,
+    const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
    BIGNUM * x, BIGNUM * y, BIGNUM * z, BN_CTX * ctx)
 {
 	BN_CTX *new_ctx = NULL;
 	int ret = 0;
@ -513,8 +514,7 @@ ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_P
 	return ret;
 }
-
+int
 int 
 ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * point,
    const BIGNUM * x, const BIGNUM * y, BN_CTX * ctx)
 {
@ -523,11 +523,11 @@ ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * po
 		ECerror(ERR_R_PASSED_NULL_PARAMETER);
 		return 0;
 	}
-	return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
+	return EC_POINT_set_Jprojective_coordinates(group, point, x, y,
 	    BN_value_one(), ctx);
 }
-
+int
 int 
 ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POINT * point,
    BIGNUM * x, BIGNUM * y, BN_CTX * ctx)
 {
@ -634,7 +634,7 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN
 	return ret;
 }
-int 
+int
 ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
 {
 	int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
@ -823,7 +823,7 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons
 }
-int 
+int
 ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_CTX * ctx)
 {
 	int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
@ -965,7 +965,7 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C
 }
-int 
+int
 ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
 {
 	if (EC_POINT_is_at_infinity(group, point) > 0 || BN_is_zero(&point->Y))
@ -976,14 +976,14 @@ ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
 }
-int 
+int
 ec_GFp_simple_is_at_infinity(const EC_GROUP * group, const EC_POINT * point)
 {
 	return BN_is_zero(&point->Z);
 }
-int 
+int
 ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx)
 {
 	int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
@ -1086,7 +1086,7 @@ ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX
 }
-int 
+int
 ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx)
 {
 	/*
@ -1188,7 +1188,7 @@ ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b
 }
-int 
+int
 ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx)
 {
 	BN_CTX *new_ctx = NULL;
@ -1209,9 +1209,9 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx
 	if ((y = BN_CTX_get(ctx)) == NULL)
 		goto err;
-	if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
+	if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
 		goto err;
-	if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+	if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
 		goto err;
 	if (!point->Z_is_one) {
 		ECerror(ERR_R_INTERNAL_ERROR);
@ -1226,7 +1226,7 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx
 }
-int 
+int
 ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * points[], BN_CTX * ctx)
 {
 	BN_CTX *new_ctx = NULL;
@ -1272,11 +1272,11 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT *
 	/*
 	 * The array is used as a binary tree, exactly as in heapsort:
-	 * 
+	 *
 	 * heap[1] heap[2]                     heap[3] heap[4]       heap[5]
 	 * heap[6]       heap[7] heap[8]heap[9] heap[10]heap[11]
 	 * heap[12]heap[13] heap[14] heap[15]
-	 * 
+	 *
 	 * We put the Z's in the last line; then we set each other node to the
 	 * product of its two child-nodes (where empty or 0 entries are
 	 * treated as ones); then we invert heap[1]; then we invert each
@ -1401,13 +1401,13 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT *
 }
-int 
+int
 ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx)
 {
 	return BN_mod_mul(r, a, b, &group->field, ctx);
 }
-int 
+int
 ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
 {
 	return BN_mod_sqr(r, a, &group->field, ctx);
@ -1417,7 +1417,7 @@ ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN
 * Apply randomization of EC point projective coordinates:
 *
 * 	(X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z)
- * 
+ *
 * where lambda is in the interval [1, group->field).
 */
 int
@ -1687,7 +1687,7 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	}
 	/* one final cswap to move the right value into r */
 	EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
-	
+
 	ret = 1;
 err:
--- a/crypto/ecdh/ech_key.c
+++ b/crypto/ecdh/ech_key.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ech_key.c,v 1.9 2019/01/19 01:12:48 tb Exp $ */
+/* $OpenBSD: ech_key.c,v 1.11 2021/04/20 17:23:37 tb Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@ -140,23 +140,10 @@ ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
 		goto err;
 	}
-	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
+	if (!EC_POINT_get_affine_coordinates(group, tmp, x, y, ctx)) {
-	    NID_X9_62_prime_field) {
+		ECDHerror(ECDH_R_POINT_ARITHMETIC_FAILURE);
-		if (!EC_POINT_get_affine_coordinates_GFp(group, tmp, x, y,
+		goto err;
 		    ctx)) {
 			ECDHerror(ECDH_R_POINT_ARITHMETIC_FAILURE);
 			goto err;
 		}
 	}
 #ifndef OPENSSL_NO_EC2M
 	else {
 		if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y,
 		    ctx)) {
 			ECDHerror(ECDH_R_POINT_ARITHMETIC_FAILURE);
 			goto err;
 		}
 	}
 #endif
 	buflen = ECDH_size(ecdh);
 	len = BN_num_bytes(x);
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.20 2019/06/04 18:15:27 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.22 2021/04/20 17:23:37 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
@ -205,23 +205,11 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 			ECDSAerror(ERR_R_EC_LIB);
 			goto err;
 		}
-		if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
+		if (!EC_POINT_get_affine_coordinates(group, point, X, NULL,
-		    NID_X9_62_prime_field) {
+		    ctx)) {
-			if (!EC_POINT_get_affine_coordinates_GFp(group, point,
+			ECDSAerror(ERR_R_EC_LIB);
-			    X, NULL, ctx)) {
+			goto err;
 				ECDSAerror(ERR_R_EC_LIB);
 				goto err;
 			}
 		}
 #ifndef OPENSSL_NO_EC2M
 		else {	/* NID_X9_62_characteristic_two_field */
 			if (!EC_POINT_get_affine_coordinates_GF2m(group, point,
 			    X, NULL, ctx)) {
 				ECDSAerror(ERR_R_EC_LIB);
 				goto err;
 			}
 		}
 #endif
 		if (!BN_nnmod(r, X, order, ctx)) {
 			ECDSAerror(ERR_R_BN_LIB);
 			goto err;
@ -521,23 +509,10 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig,
 		ECDSAerror(ERR_R_EC_LIB);
 		goto err;
 	}
-	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) ==
+	if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
-	    NID_X9_62_prime_field) {
+		ECDSAerror(ERR_R_EC_LIB);
-		if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL,
+		goto err;
 		    ctx)) {
 			ECDSAerror(ERR_R_EC_LIB);
 			goto err;
 		}
 	}
 #ifndef OPENSSL_NO_EC2M
 	else { /* NID_X9_62_characteristic_two_field */
 		if (!EC_POINT_get_affine_coordinates_GF2m(group, point, X, NULL,
 		    ctx)) {
 			ECDSAerror(ERR_R_EC_LIB);
 			goto err;
 		}
 	}
 #endif
 	if (!BN_nnmod(u1, X, order, ctx)) {
 		ECDSAerror(ERR_R_BN_LIB);
 		goto err;
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.43 2019/04/14 17:16:57 jsing Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.44 2021/02/18 19:12:29 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */
 #include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@ -337,6 +338,17 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 			return 1;
 		} else {
 			j = bl - i;
 			/*
 			 * Once we've processed the first j bytes from in, the
 			 * amount of data left that is a multiple of the block
 			 * length is (inl - j) & ~(bl - 1).  Ensure this plus
 			 * the block processed from ctx-buf doesn't overflow.
 			 */
 			if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
 				EVPerror(EVP_R_TOO_LARGE);
 				return 0;
 			}
 			memcpy(&(ctx->buf[i]), in, j);
 			if (!M_do_cipher(ctx, out, ctx->buf, bl))
 				return 0;
@ -451,6 +463,16 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 	}
 	if (ctx->final_used) {
 		/*
 		 * final_used is only ever set if buf_len is 0. Therefore the
 		 * maximum length output we will ever see from EVP_EncryptUpdate
 		 * is inl & ~(b - 1). Since final_used is set, the final output
 		 * length is (inl & ~(b - 1)) + b. Ensure it doesn't overflow.
 		 */
 		if ((inl & ~(b - 1)) > INT_MAX - b) {
 			EVPerror(EVP_R_TOO_LARGE);
 			return 0;
 		}
 		memcpy(out, ctx->final, b);
 		out += b;
 		fix_len = 1;
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@ -1,4 +1,4 @@
-/* $OpenBSD: evp_err.c,v 1.26 2020/04/27 19:31:02 tb Exp $ */
+/* $OpenBSD: evp_err.c,v 1.27 2021/03/29 15:57:23 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
 *
@ -116,6 +116,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
 	{ERR_REASON(EVP_R_INVALID_OPERATION)     , "invalid operation"},
 	{ERR_REASON(EVP_R_IV_TOO_LARGE)          , "iv too large"},
 	{ERR_REASON(EVP_R_KEYGEN_FAILURE)        , "keygen failure"},
 	{ERR_REASON(EVP_R_KEY_SETUP_FAILED)      , "key setup failed"},
 	{ERR_REASON(EVP_R_MESSAGE_DIGEST_IS_NULL), "message digest is null"},
 	{ERR_REASON(EVP_R_METHOD_NOT_SUPPORTED)  , "method not supported"},
 	{ERR_REASON(EVP_R_MISSING_PARAMETERS)    , "missing parameters"},
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@ -1,4 +1,4 @@
-/* $OpenBSD: m_sigver.c,v 1.7 2018/05/13 06:35:10 tb Exp $ */
+/* $OpenBSD: m_sigver.c,v 1.9 2021/05/09 14:25:40 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@ -74,15 +74,17 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type,
 	if (ctx->pctx == NULL)
 		return 0;
-	if (type == NULL) {
+	if (!(ctx->pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM)) {
-		int def_nid;
+		if (type == NULL) {
-		if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0)
+			int def_nid;
-			type = EVP_get_digestbynid(def_nid);
+			if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0)
-	}
+				type = EVP_get_digestbynid(def_nid);
 		}
-	if (type == NULL) {
+		if (type == NULL) {
-		EVPerror(EVP_R_NO_DEFAULT_DIGEST);
+			EVPerror(EVP_R_NO_DEFAULT_DIGEST);
-		return 0;
+			return 0;
 		}
 	}
 	if (ver) {
@ -105,6 +107,8 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type,
 		return 0;
 	if (pctx)
 		*pctx = ctx->pctx;
 	if (ctx->pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM)
 		return 1;
 	if (!EVP_DigestInit_ex(ctx, type, e))
 		return 0;
 	return 1;
@ -127,7 +131,24 @@ EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type,
 int
 EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen)
 {
-	int sctx, r = 0;
+	EVP_PKEY_CTX *pctx = ctx->pctx;
 	int sctx;
 	int r = 0;
 	if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) {
 		EVP_PKEY_CTX *dctx;
 		if (sigret == NULL)
 			return pctx->pmeth->signctx(pctx, sigret, siglen, ctx);
 		/* XXX - support EVP_MD_CTX_FLAG_FINALISE? */
 		if ((dctx = EVP_PKEY_CTX_dup(ctx->pctx)) == NULL)
 			return 0;
 		r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx);
 		EVP_PKEY_CTX_free(dctx);
 		return r;
 	}
 	if (ctx->pctx->pmeth->signctx)
 		sctx = 1;
@ -165,6 +186,18 @@ EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen)
 	return 1;
 }
 int
 EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
    const unsigned char *tbs, size_t tbslen)
 {
 	if (sigret != NULL) {
 		if (EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0)
 			return 0;
 	}
 	return EVP_DigestSignFinal(ctx, sigret, siglen);
 }
 int
 EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen)
 {
@ -191,3 +224,13 @@ EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen)
 		return r;
 	return EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen);
 }
 int
 EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, size_t siglen,
    const unsigned char *tbs, size_t tbslen)
 {
 	if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0)
 		return -1;
 	return EVP_DigestVerifyFinal(ctx, sigret, siglen);
 }
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@ -1,4 +1,4 @@
-/* $OpenBSD: p_lib.c,v 1.25 2019/03/17 18:17:45 tb Exp $ */
+/* $OpenBSD: p_lib.c,v 1.26 2021/03/29 15:57:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -61,6 +61,7 @@
 #include <openssl/opensslconf.h>
 #include <openssl/bn.h>
 #include <openssl/cmac.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
@ -216,10 +217,14 @@ EVP_PKEY_up_ref(EVP_PKEY *pkey)
 */
 static int
-pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len)
+pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, int len)
 {
 	const EVP_PKEY_ASN1_METHOD *ameth;
-	ENGINE *e = NULL;
+	ENGINE **eptr = NULL;
 	if (e == NULL)
 		eptr = &e;
 	if (pkey) {
 		if (pkey->pkey.ptr)
 			EVP_PKEY_free_it(pkey);
@ -234,11 +239,11 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len)
 #endif
 	}
 	if (str)
-		ameth = EVP_PKEY_asn1_find_str(&e, str, len);
+		ameth = EVP_PKEY_asn1_find_str(eptr, str, len);
 	else
-		ameth = EVP_PKEY_asn1_find(&e, type);
+		ameth = EVP_PKEY_asn1_find(eptr, type);
 #ifndef OPENSSL_NO_ENGINE
-	if (pkey == NULL)
+	if (pkey == NULL && eptr != NULL)
 		ENGINE_finish(e);
 #endif
 	if (!ameth) {
@ -258,13 +263,43 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len)
 int
 EVP_PKEY_set_type(EVP_PKEY *pkey, int type)
 {
-	return pkey_set_type(pkey, type, NULL, -1);
+	return pkey_set_type(pkey, NULL, type, NULL, -1);
 }
 EVP_PKEY *
 EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len,
    const EVP_CIPHER *cipher)
 {
 	EVP_PKEY *ret = NULL;
 	CMAC_CTX *cmctx = NULL;
 	if ((ret = EVP_PKEY_new()) == NULL)
 		goto err;
 	if ((cmctx = CMAC_CTX_new()) == NULL)
 		goto err;
 	if (!pkey_set_type(ret, e, EVP_PKEY_CMAC, NULL, -1))
 		goto err;
 	if (!CMAC_Init(cmctx, priv, len, cipher, e)) {
 		EVPerror(EVP_R_KEY_SETUP_FAILED);
 		goto err;
 	}
 	ret->pkey.ptr = (char *)cmctx;
 	return ret;
 err:
 	EVP_PKEY_free(ret);
 	CMAC_CTX_free(cmctx);
 	return NULL;
 }
 int
 EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len)
 {
-	return pkey_set_type(pkey, EVP_PKEY_NONE, str, len);
+	return pkey_set_type(pkey, NULL, EVP_PKEY_NONE, str, len);
 }
 int
--- a/crypto/gost/gostr341001.c
+++ b/crypto/gost/gostr341001.c
@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: gostr341001.c,v 1.8 2021/04/20 17:16:38 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@ -206,7 +206,7 @@ gost2001_do_sign(BIGNUM *md, GOST_KEY *eckey)
 				GOSTerror(ERR_R_EC_LIB);
 				goto err;
 			}
-			if (EC_POINT_get_affine_coordinates_GFp(group, C, X,
+			if (EC_POINT_get_affine_coordinates(group, C, X,
 			    NULL, ctx) == 0) {
 				GOSTerror(ERR_R_EC_LIB);
 				goto err;
@ -304,7 +304,7 @@ gost2001_do_verify(BIGNUM *md, ECDSA_SIG *sig, GOST_KEY *ec)
 		GOSTerror(ERR_R_EC_LIB);
 		goto err;
 	}
-	if (EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx) == 0) {
+	if (EC_POINT_get_affine_coordinates(group, C, X, NULL, ctx) == 0) {
 		GOSTerror(ERR_R_EC_LIB);
 		goto err;
 	}
@ -354,7 +354,7 @@ VKO_compute_key(BIGNUM *X, BIGNUM *Y, const GOST_KEY *pkey, GOST_KEY *priv_key,
 		goto err;
 	if (EC_POINT_mul(group, pnt, NULL, pub_key, p, ctx) == 0)
 		goto err;
-	if (EC_POINT_get_affine_coordinates_GFp(group, pnt, X, Y, ctx) == 0)
+	if (EC_POINT_get_affine_coordinates(group, pnt, X, Y, ctx) == 0)
 		goto err;
 	ok = 1;
--- a/crypto/gost/gostr341001_ameth.c
+++ b/crypto/gost/gostr341001_ameth.c
@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_ameth.c,v 1.16 2020/06/05 17:17:22 jsing Exp $ */
+/* $OpenBSD: gostr341001_ameth.c,v 1.17 2021/04/20 17:16:38 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@ -290,7 +290,7 @@ pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk)
 		goto err;
 	}
-	if (EC_POINT_get_affine_coordinates_GFp(GOST_KEY_get0_group(ec),
+	if (EC_POINT_get_affine_coordinates(GOST_KEY_get0_group(ec),
 	    pub_key, X, Y, NULL) == 0) {
 		GOSTerror(ERR_R_EC_LIB);
 		goto err;
@ -352,8 +352,7 @@ pub_print_gost01(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx)
 		goto err;
 	pubkey = GOST_KEY_get0_public_key(pkey->pkey.gost);
 	group = GOST_KEY_get0_group(pkey->pkey.gost);
-	if (EC_POINT_get_affine_coordinates_GFp(group, pubkey, X, Y,
+	if (EC_POINT_get_affine_coordinates(group, pubkey, X, Y, ctx) == 0) {
 	    ctx) == 0) {
 		GOSTerror(ERR_R_EC_LIB);
 		goto err;
 	}
--- a/crypto/gost/gostr341001_key.c
+++ b/crypto/gost/gostr341001_key.c
@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_key.c,v 1.8 2017/05/02 03:59:44 deraadt Exp $ */
+/* $OpenBSD: gostr341001_key.c,v 1.9 2021/04/20 17:16:38 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
 * Copyright (c) 2005-2006 Cryptocom LTD
@ -201,10 +201,10 @@ GOST_KEY_set_public_key_affine_coordinates(GOST_KEY *key, BIGNUM *x, BIGNUM *y)
 		goto err;
 	if ((ty = BN_CTX_get(ctx)) == NULL)
 		goto err;
-	if (EC_POINT_set_affine_coordinates_GFp(key->group, point, x, y,
+	if (EC_POINT_set_affine_coordinates(key->group, point, x, y,
 	    ctx) == 0)
 		goto err;
-	if (EC_POINT_get_affine_coordinates_GFp(key->group, point, tx, ty,
+	if (EC_POINT_get_affine_coordinates(key->group, point, tx, ty,
 	    ctx) == 0)
 		goto err;
 	/*
--- a/crypto/hkdf/hkdf.c
+++ b/crypto/hkdf/hkdf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: hkdf.c,v 1.4 2019/11/21 20:02:20 tim Exp $ */
+/* $OpenBSD: hkdf.c,v 1.5 2021/08/27 16:12:33 tb Exp $ */
 /* Copyright (c) 2014, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@ -16,7 +16,6 @@
 #include <openssl/hkdf.h>
 #include <assert.h>
 #include <string.h>
 #include <openssl/err.h>
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@ -1,4 +1,4 @@
-/* $OpenBSD: obj_dat.c,v 1.42 2019/07/03 03:24:04 deraadt Exp $ */
+/* $OpenBSD: obj_dat.c,v 1.43 2021/09/01 09:42:28 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -628,7 +628,6 @@ OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 				buf_len -= i;
 			}
 			ret += i;
 			l = 0;
 		}
 	}
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@ -62,12 +62,12 @@
 * [including the GNU Public Licence.]
 */
-#define NUM_NID 1001
+#define NUM_NID 1016
-#define NUM_SN 994
+#define NUM_SN 1009
-#define NUM_LN 994
+#define NUM_LN 1009
-#define NUM_OBJ 924
+#define NUM_OBJ 939
-static const unsigned char lvalues[6481]={
+static const unsigned char lvalues[6618]={
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  0] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  6] OBJ_pkcs */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,     /* [ 13] OBJ_md2 */
@ -986,6 +986,21 @@ static const unsigned char lvalues[6481]={
 0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x03,/* [6455] OBJ_id_tc26_gost_3410_12_512_paramSetC */
 0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x01,     /* [6464] OBJ_id_tc26_hmac_gost_3411_12_256 */
 0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x02,     /* [6472] OBJ_id_tc26_hmac_gost_3411_12_512 */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x18,/* [6480] OBJ_id_ct_routeOriginAuthz */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1A,/* [6491] OBJ_id_ct_rpkiManifest */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x23,/* [6502] OBJ_id_ct_rpkiGhostbusters */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x24,/* [6513] OBJ_id_ct_resourceTaggedAttest */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,          /* [6524] OBJ_id_cp */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1C,     /* [6531] OBJ_sbgp_ipAddrBlockv2 */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1D,     /* [6539] OBJ_sbgp_autonomousSysNumv2 */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x02,     /* [6547] OBJ_ipAddr_asNumber */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x03,     /* [6555] OBJ_ipAddr_asNumberv2 */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0A,     /* [6563] OBJ_rpkiManifest */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0B,     /* [6571] OBJ_signedObject */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0D,     /* [6579] OBJ_rpkiNotify */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x2F,/* [6587] OBJ_id_ct_geofeedCSVwithCRLF */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x30,/* [6598] OBJ_id_ct_signedChecklist */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1E,     /* [6609] OBJ_id_kp_bgpsec_router */
 };
 static const ASN1_OBJECT nid_objs[NUM_NID]={
@ -2612,6 +2627,32 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 	NID_id_tc26_hmac_gost_3411_12_256,8,&(lvalues[6464]),0},
 {"id-tc26-hmac-gost-3411-12-512","HMAC STREEBOG 512",
 	NID_id_tc26_hmac_gost_3411_12_512,8,&(lvalues[6472]),0},
 {"id-ct-routeOriginAuthz","id-ct-routeOriginAuthz",
 	NID_id_ct_routeOriginAuthz,11,&(lvalues[6480]),0},
 {"id-ct-rpkiManifest","id-ct-rpkiManifest",NID_id_ct_rpkiManifest,11,
 	&(lvalues[6491]),0},
 {"id-ct-rpkiGhostbusters","id-ct-rpkiGhostbusters",
 	NID_id_ct_rpkiGhostbusters,11,&(lvalues[6502]),0},
 {"id-ct-resourceTaggedAttest","id-ct-resourceTaggedAttest",
 	NID_id_ct_resourceTaggedAttest,11,&(lvalues[6513]),0},
 {"id-cp","id-cp",NID_id_cp,7,&(lvalues[6524]),0},
 {"sbgp-ipAddrBlockv2","sbgp-ipAddrBlockv2",NID_sbgp_ipAddrBlockv2,8,
 	&(lvalues[6531]),0},
 {"sbgp-autonomousSysNumv2","sbgp-autonomousSysNumv2",
 	NID_sbgp_autonomousSysNumv2,8,&(lvalues[6539]),0},
 {"ipAddr-asNumber","ipAddr-asNumber",NID_ipAddr_asNumber,8,
 	&(lvalues[6547]),0},
 {"ipAddr-asNumberv2","ipAddr-asNumberv2",NID_ipAddr_asNumberv2,8,
 	&(lvalues[6555]),0},
 {"rpkiManifest","RPKI Manifest",NID_rpkiManifest,8,&(lvalues[6563]),0},
 {"signedObject","Signed Object",NID_signedObject,8,&(lvalues[6571]),0},
 {"rpkiNotify","RPKI Notify",NID_rpkiNotify,8,&(lvalues[6579]),0},
 {"id-ct-geofeedCSVwithCRLF","id-ct-geofeedCSVwithCRLF",
 	NID_id_ct_geofeedCSVwithCRLF,11,&(lvalues[6587]),0},
 {"id-ct-signedChecklist","id-ct-signedChecklist",
 	NID_id_ct_signedChecklist,11,&(lvalues[6598]),0},
 {"id-kp-bgpsec-router","BGPsec Router",NID_id_kp_bgpsec_router,8,
 	&(lvalues[6609]),0},
 };
 static const unsigned int sn_objs[NUM_SN]={
@ -3096,7 +3137,14 @@ static const unsigned int sn_objs[NUM_SN]={
 332,	/* "id-cmc-senderNonce" */
 327,	/* "id-cmc-statusInfo" */
 331,	/* "id-cmc-transactionId" */
 1005,	/* "id-cp" */
 787,	/* "id-ct-asciiTextWithCRLF" */
 1013,	/* "id-ct-geofeedCSVwithCRLF" */
 1004,	/* "id-ct-resourceTaggedAttest" */
 1001,	/* "id-ct-routeOriginAuthz" */
 1003,	/* "id-ct-rpkiGhostbusters" */
 1002,	/* "id-ct-rpkiManifest" */
 1014,	/* "id-ct-signedChecklist" */
 408,	/* "id-ecPublicKey" */
 508,	/* "id-hex-multipart-message" */
 507,	/* "id-hex-partial-message" */
@ -3118,6 +3166,7 @@ static const unsigned int sn_objs[NUM_SN]={
 784,	/* "id-it-suppLangTags" */
 304,	/* "id-it-unsupportedOIDs" */
 128,	/* "id-kp" */
 1015,	/* "id-kp-bgpsec-router" */
 280,	/* "id-mod-attribute-cert" */
 274,	/* "id-mod-cmc" */
 277,	/* "id-mod-cmp" */
@ -3257,6 +3306,8 @@ static const unsigned int sn_objs[NUM_SN]={
 647,	/* "international-organizations" */
 869,	/* "internationaliSDNNumber" */
 142,	/* "invalidityDate" */
 1008,	/* "ipAddr-asNumber" */
 1009,	/* "ipAddr-asNumberv2" */
 294,	/* "ipsecEndSystem" */
 295,	/* "ipsecTunnel" */
 296,	/* "ipsecUser" */
@ -3375,6 +3426,8 @@ static const unsigned int sn_objs[NUM_SN]={
 877,	/* "roleOccupant" */
 448,	/* "room" */
 463,	/* "roomNumber" */
 1010,	/* "rpkiManifest" */
 1012,	/* "rpkiNotify" */
 6,	/* "rsaEncryption" */
 644,	/* "rsaOAEPEncryptionSET" */
 377,	/* "rsaSignature" */
@ -3382,7 +3435,9 @@ static const unsigned int sn_objs[NUM_SN]={
 482,	/* "sOARecord" */
 155,	/* "safeContentsBag" */
 291,	/* "sbgp-autonomousSysNum" */
 1007,	/* "sbgp-autonomousSysNumv2" */
 290,	/* "sbgp-ipAddrBlock" */
 1006,	/* "sbgp-ipAddrBlockv2" */
 292,	/* "sbgp-routerIdentifier" */
 159,	/* "sdsiCertificate" */
 859,	/* "searchGuide" */
@ -3555,6 +3610,7 @@ static const unsigned int sn_objs[NUM_SN]={
 604,	/* "setext-pinAny" */
 603,	/* "setext-pinSecure" */
 605,	/* "setext-track2" */
 1011,	/* "signedObject" */
 52,	/* "signingTime" */
 454,	/* "simpleSecurityObject" */
 496,	/* "singleLevelQuality" */
@ -3618,6 +3674,7 @@ static const unsigned int ln_objs[NUM_LN]={
 910,	/* "Any Extended Key Usage" */
 664,	/* "Any language" */
 177,	/* "Authority Information Access" */
 1015,	/* "BGPsec Router" */
 365,	/* "Basic OCSP Response" */
 285,	/* "Biometric Info" */
 179,	/* "CA Issuers" */
@ -3728,6 +3785,8 @@ static const unsigned int ln_objs[NUM_LN]={
 165,	/* "Policy Qualifier User Notice" */
 385,	/* "Private" */
 663,	/* "Proxy Certificate Information" */
 1010,	/* "RPKI Manifest" */
 1012,	/* "RPKI Notify" */
 1,	/* "RSA Data Security, Inc." */
 2,	/* "RSA Data Security, Inc. PKCS" */
 188,	/* "S/MIME" */
@ -3736,6 +3795,7 @@ static const unsigned int ln_objs[NUM_LN]={
 512,	/* "Secure Electronic Transactions" */
 386,	/* "Security" */
 394,	/* "Selected Attribute Types" */
 1011,	/* "Signed Object" */
 143,	/* "Strong Extranet ID" */
 398,	/* "Subject Information Access" */
 130,	/* "TLS Web Client Authentication" */
@ -4087,7 +4147,14 @@ static const unsigned int ln_objs[NUM_LN]={
 332,	/* "id-cmc-senderNonce" */
 327,	/* "id-cmc-statusInfo" */
 331,	/* "id-cmc-transactionId" */
 1005,	/* "id-cp" */
 787,	/* "id-ct-asciiTextWithCRLF" */
 1013,	/* "id-ct-geofeedCSVwithCRLF" */
 1004,	/* "id-ct-resourceTaggedAttest" */
 1001,	/* "id-ct-routeOriginAuthz" */
 1003,	/* "id-ct-rpkiGhostbusters" */
 1002,	/* "id-ct-rpkiManifest" */
 1014,	/* "id-ct-signedChecklist" */
 408,	/* "id-ecPublicKey" */
 508,	/* "id-hex-multipart-message" */
 507,	/* "id-hex-partial-message" */
@ -4228,6 +4295,8 @@ static const unsigned int ln_objs[NUM_LN]={
 461,	/* "info" */
 101,	/* "initials" */
 869,	/* "internationaliSDNNumber" */
 1008,	/* "ipAddr-asNumber" */
 1009,	/* "ipAddr-asNumberv2" */
 749,	/* "ipsec3" */
 750,	/* "ipsec4" */
 181,	/* "iso" */
@ -4374,7 +4443,9 @@ static const unsigned int ln_objs[NUM_LN]={
 482,	/* "sOARecord" */
 155,	/* "safeContentsBag" */
 291,	/* "sbgp-autonomousSysNum" */
 1007,	/* "sbgp-autonomousSysNumv2" */
 290,	/* "sbgp-ipAddrBlock" */
 1006,	/* "sbgp-ipAddrBlockv2" */
 292,	/* "sbgp-routerIdentifier" */
 159,	/* "sdsiCertificate" */
 859,	/* "searchGuide" */
@ -5015,6 +5086,7 @@ static const unsigned int obj_objs[NUM_OBJ]={
 266,	/* OBJ_id_aca                       1 3 6 1 5 5 7 10 */
 267,	/* OBJ_id_qcs                       1 3 6 1 5 5 7 11 */
 268,	/* OBJ_id_cct                       1 3 6 1 5 5 7 12 */
 1005,	/* OBJ_id_cp                        1 3 6 1 5 5 7 14 */
 662,	/* OBJ_id_ppl                       1 3 6 1 5 5 7 21 */
 176,	/* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
 507,	/* OBJ_id_hex_partial_message       1 3 6 1 7 1 1 1 */
@ -5137,6 +5209,8 @@ static const unsigned int obj_objs[NUM_OBJ]={
 397,	/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
 398,	/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
 663,	/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */
 1006,	/* OBJ_sbgp_ipAddrBlockv2           1 3 6 1 5 5 7 1 28 */
 1007,	/* OBJ_sbgp_autonomousSysNumv2      1 3 6 1 5 5 7 1 29 */
 164,	/* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
 165,	/* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
 293,	/* OBJ_textNotice                   1 3 6 1 5 5 7 2 3 */
@ -5150,6 +5224,7 @@ static const unsigned int obj_objs[NUM_OBJ]={
 133,	/* OBJ_time_stamp                   1 3 6 1 5 5 7 3 8 */
 180,	/* OBJ_OCSP_sign                    1 3 6 1 5 5 7 3 9 */
 297,	/* OBJ_dvcs                         1 3 6 1 5 5 7 3 10 */
 1015,	/* OBJ_id_kp_bgpsec_router          1 3 6 1 5 5 7 3 30 */
 298,	/* OBJ_id_it_caProtEncCert          1 3 6 1 5 5 7 4 1 */
 299,	/* OBJ_id_it_signKeyPairTypes       1 3 6 1 5 5 7 4 2 */
 300,	/* OBJ_id_it_encKeyPairTypes        1 3 6 1 5 5 7 4 3 */
@ -5209,6 +5284,8 @@ static const unsigned int obj_objs[NUM_OBJ]={
 360,	/* OBJ_id_cct_crs                   1 3 6 1 5 5 7 12 1 */
 361,	/* OBJ_id_cct_PKIData               1 3 6 1 5 5 7 12 2 */
 362,	/* OBJ_id_cct_PKIResponse           1 3 6 1 5 5 7 12 3 */
 1008,	/* OBJ_ipAddr_asNumber              1 3 6 1 5 5 7 14 2 */
 1009,	/* OBJ_ipAddr_asNumberv2            1 3 6 1 5 5 7 14 3 */
 664,	/* OBJ_id_ppl_anyLanguage           1 3 6 1 5 5 7 21 0 */
 665,	/* OBJ_id_ppl_inheritAll            1 3 6 1 5 5 7 21 1 */
 667,	/* OBJ_Independent                  1 3 6 1 5 5 7 21 2 */
@ -5217,6 +5294,9 @@ static const unsigned int obj_objs[NUM_OBJ]={
 363,	/* OBJ_ad_timeStamping              1 3 6 1 5 5 7 48 3 */
 364,	/* OBJ_ad_dvcs                      1 3 6 1 5 5 7 48 4 */
 785,	/* OBJ_caRepository                 1 3 6 1 5 5 7 48 5 */
 1010,	/* OBJ_rpkiManifest                 1 3 6 1 5 5 7 48 10 */
 1011,	/* OBJ_signedObject                 1 3 6 1 5 5 7 48 11 */
 1012,	/* OBJ_rpkiNotify                   1 3 6 1 5 5 7 48 13 */
 780,	/* OBJ_hmac_md5                     1 3 6 1 5 5 8 1 1 */
 781,	/* OBJ_hmac_sha1                    1 3 6 1 5 5 8 1 2 */
 58,	/* OBJ_netscape_cert_extension      2 16 840 1 113730 1 */
@ -5475,7 +5555,13 @@ static const unsigned int obj_objs[NUM_OBJ]={
 210,	/* OBJ_id_smime_ct_DVCSRequestData  1 2 840 113549 1 9 16 1 7 */
 211,	/* OBJ_id_smime_ct_DVCSResponseData 1 2 840 113549 1 9 16 1 8 */
 786,	/* OBJ_id_smime_ct_compressedData   1 2 840 113549 1 9 16 1 9 */
 1001,	/* OBJ_id_ct_routeOriginAuthz       1 2 840 113549 1 9 16 1 24 */
 1002,	/* OBJ_id_ct_rpkiManifest           1 2 840 113549 1 9 16 1 26 */
 787,	/* OBJ_id_ct_asciiTextWithCRLF      1 2 840 113549 1 9 16 1 27 */
 1003,	/* OBJ_id_ct_rpkiGhostbusters       1 2 840 113549 1 9 16 1 35 */
 1004,	/* OBJ_id_ct_resourceTaggedAttest   1 2 840 113549 1 9 16 1 36 */
 1013,	/* OBJ_id_ct_geofeedCSVwithCRLF     1 2 840 113549 1 9 16 1 47 */
 1014,	/* OBJ_id_ct_signedChecklist        1 2 840 113549 1 9 16 1 48 */
 212,	/* OBJ_id_smime_aa_receiptRequest   1 2 840 113549 1 9 16 2 1 */
 213,	/* OBJ_id_smime_aa_securityLabel    1 2 840 113549 1 9 16 2 2 */
 214,	/* OBJ_id_smime_aa_mlExpandHistory  1 2 840 113549 1 9 16 2 3 */
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@ -1,4 +1,4 @@
-/* $OpenBSD: obj_xref.h,v 1.4 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: obj_xref.h,v 1.5 2021/05/12 10:24:39 inoguchi Exp $ */
 /* AUTOGENERATED BY objxref.pl, DO NOT EDIT */
 __BEGIN_HIDDEN_DECLS
@ -44,6 +44,16 @@ static const nid_triple sigoid_srt[] =
 	{NID_rsassaPss, NID_undef, NID_rsaEncryption},
 	{NID_id_tc26_signwithdigest_gost3410_2012_256, NID_id_tc26_gost3411_2012_256, NID_id_GostR3410_2001},
 	{NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_tc26_gost3411_2012_512, NID_id_GostR3410_2001},
 	{NID_dhSinglePass_stdDH_sha1kdf_scheme, NID_sha1, NID_dh_std_kdf},
 	{NID_dhSinglePass_stdDH_sha224kdf_scheme, NID_sha224, NID_dh_std_kdf},
 	{NID_dhSinglePass_stdDH_sha256kdf_scheme, NID_sha256, NID_dh_std_kdf},
 	{NID_dhSinglePass_stdDH_sha384kdf_scheme, NID_sha384, NID_dh_std_kdf},
 	{NID_dhSinglePass_stdDH_sha512kdf_scheme, NID_sha512, NID_dh_std_kdf},
 	{NID_dhSinglePass_cofactorDH_sha1kdf_scheme, NID_sha1, NID_dh_cofactor_kdf},
 	{NID_dhSinglePass_cofactorDH_sha224kdf_scheme, NID_sha224, NID_dh_cofactor_kdf},
 	{NID_dhSinglePass_cofactorDH_sha256kdf_scheme, NID_sha256, NID_dh_cofactor_kdf},
 	{NID_dhSinglePass_cofactorDH_sha384kdf_scheme, NID_sha384, NID_dh_cofactor_kdf},
 	{NID_dhSinglePass_cofactorDH_sha512kdf_scheme, NID_sha512, NID_dh_cofactor_kdf},
 	};
 static const nid_triple * const sigoid_srt_xref[] =
@ -61,19 +71,29 @@ static const nid_triple * const sigoid_srt_xref[] =
 	&sigoid_srt[5],
 	&sigoid_srt[8],
 	&sigoid_srt[12],
 	&sigoid_srt[32],
 	&sigoid_srt[37],
 	&sigoid_srt[6],
 	&sigoid_srt[10],
 	&sigoid_srt[11],
 	&sigoid_srt[13],
 	&sigoid_srt[24],
 	&sigoid_srt[20],
 	&sigoid_srt[34],
 	&sigoid_srt[39],
 	&sigoid_srt[14],
 	&sigoid_srt[21],
 	&sigoid_srt[35],
 	&sigoid_srt[40],
 	&sigoid_srt[15],
 	&sigoid_srt[22],
 	&sigoid_srt[36],
 	&sigoid_srt[41],
 	&sigoid_srt[16],
 	&sigoid_srt[23],
 	&sigoid_srt[19],
 	&sigoid_srt[33],
 	&sigoid_srt[38],
 	&sigoid_srt[25],
 	&sigoid_srt[26],
 	&sigoid_srt[27],
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.16 2018/11/25 19:48:43 jmc Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.17 2020/10/09 17:19:35 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
@ -81,18 +81,19 @@
 OCSP_ONEREQ *
 OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
 {
-	OCSP_ONEREQ *one = NULL;
+	OCSP_ONEREQ *one;
-	if (!(one = OCSP_ONEREQ_new()))
+	if ((one = OCSP_ONEREQ_new()) == NULL)
 		goto err;
-	if (one->reqCert)
+	if (req != NULL) {
-		OCSP_CERTID_free(one->reqCert);
+	       	if (!sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
 			goto err;
 	}
 	OCSP_CERTID_free(one->reqCert);
 	one->reqCert = cid;
 	if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
 		goto err;
 	return one;
-err:
+ err:
 	OCSP_ONEREQ_free(one);
 	return NULL;
 }
--- a/crypto/pkcs12/p12_attr.c
+++ b/crypto/pkcs12/p12_attr.c
@ -1,4 +1,4 @@
-/* $OpenBSD: p12_attr.c,v 1.12 2018/08/24 20:07:41 tb Exp $ */
+/* $OpenBSD: p12_attr.c,v 1.13 2021/07/09 14:07:59 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -125,10 +125,10 @@ PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
 	if (!attrs)
 		return NULL;
-	for (i = 0; i < sk_X509_ATTRIBUTE_num (attrs); i++) {
+	for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
-		attrib = sk_X509_ATTRIBUTE_value (attrs, i);
+		attrib = sk_X509_ATTRIBUTE_value(attrs, i);
-		if (OBJ_obj2nid (attrib->object) == attr_nid) {
+		if (OBJ_obj2nid(attrib->object) == attr_nid) {
-			if (sk_ASN1_TYPE_num (attrib->value.set))
+			if (sk_ASN1_TYPE_num(attrib->value.set))
 				return sk_ASN1_TYPE_value(attrib->value.set, 0);
 			else
 				return NULL;
--- a/crypto/pkcs12/p12_crpt.c
+++ b/crypto/pkcs12/p12_crpt.c
@ -1,4 +1,4 @@
-/* $OpenBSD: p12_crpt.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: p12_crpt.c,v 1.15 2021/07/09 14:07:59 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -101,13 +101,13 @@ PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 	}
 	salt = pbe->salt->data;
 	saltlen = pbe->salt->length;
-	if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_KEY_ID,
+	if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID,
 	    iter, EVP_CIPHER_key_length(cipher), key, md)) {
 		PKCS12error(PKCS12_R_KEY_GEN_ERROR);
 		PBEPARAM_free(pbe);
 		return 0;
 	}
-	if (!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_IV_ID,
+	if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID,
 	    iter, EVP_CIPHER_iv_length(cipher), iv, md)) {
 		PKCS12error(PKCS12_R_IV_GEN_ERROR);
 		PBEPARAM_free(pbe);
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@ -1,4 +1,4 @@
-/* $OpenBSD: p12_decr.c,v 1.19 2018/05/13 14:22:34 tb Exp $ */
+/* $OpenBSD: p12_decr.c,v 1.20 2021/07/09 14:08:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -156,7 +156,7 @@ PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it,
 	unsigned char *in = NULL;
 	int inlen;
-	if (!(oct = ASN1_OCTET_STRING_new ())) {
+	if (!(oct = ASN1_OCTET_STRING_new())) {
 		PKCS12error(ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@ -1,4 +1,4 @@
-/* $OpenBSD: p12_key.c,v 1.26 2017/05/02 03:59:45 deraadt Exp $ */
+/* $OpenBSD: p12_key.c,v 1.27 2021/07/09 14:08:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -143,7 +143,7 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 			    !EVP_DigestFinal_ex(&ctx, Ai, NULL))
 				goto err;
 		}
-		memcpy (out, Ai, min (n, u));
+		memcpy(out, Ai, min(n, u));
 		if (u >= n) {
 			ret = 1;
 			goto end;
@ -153,9 +153,9 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 		for (j = 0; j < v; j++)
 			B[j] = Ai[j % u];
 		/* Work out B + 1 first then can use B as tmp space */
-		if (!BN_bin2bn (B, v, Bpl1))
+		if (!BN_bin2bn(B, v, Bpl1))
 			goto err;
-		if (!BN_add_word (Bpl1, 1))
+		if (!BN_add_word(Bpl1, 1))
 			goto err;
 		for (j = 0; j < Ilen; j += v) {
 			if (!BN_bin2bn(I + j, v, Ij))
@ -164,12 +164,12 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 				goto err;
 			if (!BN_bn2bin(Ij, B))
 				goto err;
-			Ijlen = BN_num_bytes (Ij);
+			Ijlen = BN_num_bytes(Ij);
 			/* If more than 2^(v*8) - 1 cut off MSB */
 			if (Ijlen > v) {
-				if (!BN_bn2bin (Ij, B))
+				if (!BN_bn2bin(Ij, B))
 					goto err;
-				memcpy (I + j, B + 1, v);
+				memcpy(I + j, B + 1, v);
 #ifndef PKCS12_BROKEN_KEYGEN
 				/* If less than v bytes pad with zeroes */
 			} else if (Ijlen < v) {
@ -177,7 +177,7 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 				if (!BN_bn2bin(Ij, I + j + v - Ijlen))
 					goto err;
 #endif
-			} else if (!BN_bn2bin (Ij, I + j))
+			} else if (!BN_bn2bin(Ij, I + j))
 				goto err;
 		}
 	}
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@ -1,4 +1,4 @@
-/* $OpenBSD: p12_kiss.c,v 1.19 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: p12_kiss.c,v 1.21 2021/07/09 14:08:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -125,17 +125,19 @@ PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 		return 0;
 	}
-	if (!parse_pk12 (p12, pass, -1, pkey, ocerts)) {
+	if (!parse_pk12(p12, pass, -1, pkey, ocerts)) {
 		PKCS12error(PKCS12_R_PARSE_ERROR);
 		goto err;
 	}
 	while ((x = sk_X509_pop(ocerts))) {
 		if (pkey && *pkey && cert && !*cert) {
 			ERR_set_mark();
 			if (X509_check_private_key(x, *pkey)) {
 				*cert = x;
 				x = NULL;
 			}
 			ERR_pop_to_mark();
 		}
 		if (ca && x) {
@ -177,11 +179,11 @@ parse_pk12(PKCS12 *p12, const char *pass, int passlen, EVP_PKEY **pkey,
 	int i, bagnid;
 	PKCS7 *p7;
-	if (!(asafes = PKCS12_unpack_authsafes (p12)))
+	if (!(asafes = PKCS12_unpack_authsafes(p12)))
 		return 0;
-	for (i = 0; i < sk_PKCS7_num (asafes); i++) {
+	for (i = 0; i < sk_PKCS7_num(asafes); i++) {
-		p7 = sk_PKCS7_value (asafes, i);
+		p7 = sk_PKCS7_value(asafes, i);
-		bagnid = OBJ_obj2nid (p7->type);
+		bagnid = OBJ_obj2nid(p7->type);
 		if (bagnid == NID_pkcs7_data) {
 			bags = PKCS12_unpack_p7data(p7);
 		} else if (bagnid == NID_pkcs7_encrypted) {
@ -227,10 +229,10 @@ parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey,
 	ASN1_BMPSTRING *fname = NULL;
 	ASN1_OCTET_STRING *lkid = NULL;
-	if ((attrib = PKCS12_get_attr (bag, NID_friendlyName)))
+	if ((attrib = PKCS12_get_attr(bag, NID_friendlyName)))
 		fname = attrib->value.bmpstring;
-	if ((attrib = PKCS12_get_attr (bag, NID_localKeyID)))
+	if ((attrib = PKCS12_get_attr(bag, NID_localKeyID)))
 		lkid = attrib->value.octet_string;
 	switch (OBJ_obj2nid(bag->type)) {
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.23 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.24 2021/07/09 14:08:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -192,7 +192,7 @@ PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 	if (!salt)
 		arc4random_buf(p12->mac->salt->data, saltlen);
 	else
-		memcpy (p12->mac->salt->data, salt, saltlen);
+		memcpy(p12->mac->salt->data, salt, saltlen);
 	p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
 	if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
 		PKCS12error(ERR_R_MALLOC_FAILURE);
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.32 2021/05/14 18:03:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -108,7 +108,7 @@ encode_pkcs1(unsigned char **out, int *out_len, int type,
 	sig.algor->parameter = &parameter;
 	sig.digest = &digest;
-	sig.digest->data = (unsigned char*)m; /* TMP UGLY CAST */
+	sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */
 	sig.digest->length = m_len;
 	if ((len = i2d_X509_SIG(&sig, &der)) < 0)
@ -194,7 +194,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 	if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf,
 	    rsa, RSA_PKCS1_PADDING)) <= 0)
 		goto err;
-	   
+
 	if (type == NID_md5_sha1) {
 		/*
 		 * NID_md5_sha1 corresponds to the MD5/SHA1 combination in
@ -229,7 +229,7 @@ int_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
 		if (rm != NULL) {
 			const EVP_MD *md;
-		       	if ((md = EVP_get_digestbynid(type)) == NULL) {
+			if ((md = EVP_get_digestbynid(type)) == NULL) {
 				RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE);
 				goto err;
 			}
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.21 2021/07/02 11:15:08 schwarze Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@ -593,35 +593,40 @@ TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info)
 }
 static int
-TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg,
+TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **out_md_alg,
-    unsigned char **imprint, unsigned *imprint_len)
+    unsigned char **out_imprint, unsigned int *out_imprint_len)
 {
-	TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info);
+	TS_MSG_IMPRINT *msg_imprint;
-	X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint);
+	X509_ALGOR *md_alg_resp;
 	X509_ALGOR *md_alg = NULL;
 	unsigned char *imprint = NULL;
 	unsigned int imprint_len = 0;
 	const EVP_MD *md;
 	EVP_MD_CTX md_ctx;
 	unsigned char buffer[4096];
 	int length;
-	*md_alg = NULL;
+	*out_md_alg = NULL;
-	*imprint = NULL;
+	*out_imprint = NULL;
 	*out_imprint_len = 0;
-	/* Return the MD algorithm of the response. */
+	/* Retrieve the MD algorithm of the response. */
-	if (!(*md_alg = X509_ALGOR_dup(md_alg_resp)))
+	msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info);
 	md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint);
 	if ((md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL)
 		goto err;
 	/* Getting the MD object. */
-	if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) {
+	if ((md = EVP_get_digestbyobj((md_alg)->algorithm)) == NULL) {
 		TSerror(TS_R_UNSUPPORTED_MD_ALGORITHM);
 		goto err;
 	}
 	/* Compute message digest. */
-	length = EVP_MD_size(md);
+	if ((length = EVP_MD_size(md)) < 0)
 	if (length < 0)
 		goto err;
-	*imprint_len = length;
+	imprint_len = length;
-	if (!(*imprint = malloc(*imprint_len))) {
+	if ((imprint = malloc(imprint_len)) == NULL) {
 		TSerror(ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
@ -632,16 +637,20 @@ TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg,
 		if (!EVP_DigestUpdate(&md_ctx, buffer, length))
 			goto err;
 	}
-	if (!EVP_DigestFinal(&md_ctx, *imprint, NULL))
+	if (!EVP_DigestFinal(&md_ctx, imprint, NULL))
 		goto err;
 	*out_md_alg = md_alg;
 	md_alg = NULL;
 	*out_imprint = imprint;
 	imprint = NULL;
 	*out_imprint_len = imprint_len;
 	return 1;
 err:
-	X509_ALGOR_free(*md_alg);
+	X509_ALGOR_free(md_alg);
-	free(*imprint);
+	free(imprint);
 	*imprint = NULL;
 	*imprint_len = 0;
 	return 0;
 }
@ -711,7 +720,7 @@ TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
 	/* Check the subject name first. */
 	if (tsa_name->type == GEN_DIRNAME &&
-	    X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
+	    X509_NAME_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
 		return 1;
 	/* Check all the alternative names. */
--- a/crypto/x509/ext_dat.h
+++ b/crypto/x509/ext_dat.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ext_dat.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: ext_dat.h,v 1.3 2021/09/02 21:27:26 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -72,7 +72,7 @@ extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
 extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
 extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern X509V3_EXT_METHOD v3_addr, v3_asid;
+extern const X509V3_EXT_METHOD v3_addr, v3_asid;
 /* This table will be searched using OBJ_bsearch so it *must* kept in
 * order of the ext_nid values.
@ -105,6 +105,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 #endif
 	&v3_sxnet,
 	&v3_info,
 #ifndef OPENSSL_NO_RFC3779
 	&v3_addr,
 	&v3_asid,
 #endif
 #ifndef OPENSSL_NO_OCSP
 	&v3_ocsp_nonce,
 	&v3_ocsp_crlid,
--- a/crypto/x509/x509_addr.c
+++ b/crypto/x509/x509_addr.c
--- a/crypto/x509/x509_alt.c
+++ b/crypto/x509/x509_alt.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@ -264,15 +264,18 @@ GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
 		break;
 	case GEN_EMAIL:
-		BIO_printf(out, "email:%s", gen->d.ia5->data);
+		BIO_printf(out, "email:%.*s", gen->d.ia5->length,
 		    gen->d.ia5->data);
 		break;
 	case GEN_DNS:
-		BIO_printf(out, "DNS:%s", gen->d.ia5->data);
+		BIO_printf(out, "DNS:%.*s", gen->d.ia5->length,
 		    gen->d.ia5->data);
 		break;
 	case GEN_URI:
-		BIO_printf(out, "URI:%s", gen->d.ia5->data);
+		BIO_printf(out, "URI:%.*s", gen->d.ia5->length,
 		    gen->d.ia5->data);
 		break;
 	case GEN_DIRNAME:
--- a/crypto/x509/x509_asid.c
+++ b/crypto/x509/x509_asid.c
--- a/crypto/x509/x509_constraints.c
+++ b/crypto/x509/x509_constraints.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.10 2020/09/21 05:41:43 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.17 2021/09/23 15:49:48 jsing Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@ -36,7 +36,7 @@
 #define DOMAIN_PART_MAX_LEN 255
 struct x509_constraints_name *
-x509_constraints_name_new()
+x509_constraints_name_new(void)
 {
 	return (calloc(1, sizeof(struct x509_constraints_name)));
 }
@ -69,9 +69,11 @@ x509_constraints_name_dup(struct x509_constraints_name *name)
 	new->type = name->type;
 	new->af = name->af;
 	new->der_len = name->der_len;
-	if (name->der_len > 0 && (new->der = malloc(name->der_len)) == NULL)
+	if (name->der_len > 0) {
-		goto err;
+		if ((new->der = malloc(name->der_len)) == NULL)
-	memcpy(new->der, name->der, name->der_len);
+			goto err;
 		memcpy(new->der, name->der, name->der_len);
 	}
 	if (name->name != NULL && (new->name = strdup(name->name)) == NULL)
 		goto err;
 	if (name->local != NULL && (new->local = strdup(name->local)) == NULL)
@ -84,9 +86,16 @@ x509_constraints_name_dup(struct x509_constraints_name *name)
 }
 struct x509_constraints_names *
-x509_constraints_names_new()
+x509_constraints_names_new(size_t names_max)
 {
-	return (calloc(1, sizeof(struct x509_constraints_names)));
+	struct x509_constraints_names *new;
 	if ((new = calloc(1, sizeof(struct x509_constraints_names))) == NULL)
 		return NULL;
 	new->names_max = names_max;
 	return new;
 }
 void
@ -114,8 +123,8 @@ int
 x509_constraints_names_add(struct x509_constraints_names *names,
    struct x509_constraints_name *name)
 {
-	size_t i = names->names_count;
+	if (names->names_count >= names->names_max)
-
+		return 0;
 	if (names->names_count == names->names_len) {
 		struct x509_constraints_name **tmp;
 		if ((tmp = recallocarray(names->names, names->names_len,
@ -124,7 +133,7 @@ x509_constraints_names_add(struct x509_constraints_names *names,
 		names->names_len += 32;
 		names->names = tmp;
 	}
-	names->names[i] = name;
+	names->names[names->names_count] = name;
 	names->names_count++;
 	return 1;
 }
@ -139,14 +148,16 @@ x509_constraints_names_dup(struct x509_constraints_names *names)
 	if (names == NULL)
 		return NULL;
-	if ((new = x509_constraints_names_new()) == NULL)
+	if ((new = x509_constraints_names_new(names->names_max)) == NULL)
 		goto err;
 	for (i = 0; i < names->names_count; i++) {
 		if ((name = x509_constraints_name_dup(names->names[i])) == NULL)
 			goto err;
 		if (!x509_constraints_names_add(new, name))
 			goto err;
 	}
 	return new;
 err:
 	x509_constraints_names_free(new);
@ -158,13 +169,15 @@ x509_constraints_names_dup(struct x509_constraints_names *names)
 /*
 * Validate that the name contains only a hostname consisting of RFC
 * 5890 compliant A-labels (see RFC 6066 section 3). This is more
- * permissive to allow for a leading '*' for a SAN DNSname wildcard,
+ * permissive to allow for a leading '.'  for a subdomain based
- * or a leading '.'  for a subdomain based constraint, as well as
+ * constraint, as well as allowing for '_' which is commonly accepted
- * allowing for '_' which is commonly accepted by nonconformant
+ * by nonconformant DNS implementaitons.
- * DNS implementaitons.
+ *
 * if "wildcards" is set it allows '*' to occur in the string at the end of a
 * component.
 */
 static int
-x509_constraints_valid_domain_internal(uint8_t *name, size_t len)
+x509_constraints_valid_domain_internal(uint8_t *name, size_t len, int wildcards)
 {
 	uint8_t prev, c = 0;
 	int component = 0;
@ -187,8 +200,8 @@ x509_constraints_valid_domain_internal(uint8_t *name, size_t len)
 		if (!isalnum(c) && c != '-' && c != '.' && c != '_' && c != '*')
 			return 0;
-		/* '*' can only be the first thing. */
+		/* if it is a '*', fail if not wildcards */
-		if (c == '*' && !first)
+		if (!wildcards && c == '*')
 			return 0;
 		/* '-' must not start a component or be at the end. */
@ -210,6 +223,13 @@ x509_constraints_valid_domain_internal(uint8_t *name, size_t len)
 			component = 0;
 			continue;
 		}
 		/*
 		 * Wildcards can only occur at the end of a component.
 		 * c*.com is valid, c*c.com is not.
 		 */
 		if (prev == '*')
 			return 0;
 		/* Components must be 63 chars or less. */
 		if (++component > 63)
 			return 0;
@ -222,15 +242,13 @@ x509_constraints_valid_domain(uint8_t *name, size_t len)
 {
 	if (len == 0)
 		return 0;
 	if (name[0] == '*') /* wildcard not allowed in a domain name */
 		return 0;
 	/*
 	 * A domain may not be less than two characters, so you can't
 	 * have a require subdomain name with less than that.
 	 */
 	if (len < 3 && name[0] == '.')
 		return 0;
-	return x509_constraints_valid_domain_internal(name, len);
+	return x509_constraints_valid_domain_internal(name, len, 0);
 }
 int
@ -241,15 +259,13 @@ x509_constraints_valid_host(uint8_t *name, size_t len)
 	if (len == 0)
 		return 0;
 	if (name[0] == '*') /* wildcard not allowed in a host name */
 		return 0;
 	if (name[0] == '.') /* leading . not allowed in a host name*/
 		return 0;
 	if (inet_pton(AF_INET, name, &sin4) == 1)
 		return 0;
 	if (inet_pton(AF_INET6, name, &sin6) == 1)
 		return 0;
-	return x509_constraints_valid_domain_internal(name, len);
+	return x509_constraints_valid_domain_internal(name, len, 0);
 }
 int
@ -272,7 +288,7 @@ x509_constraints_valid_sandns(uint8_t *name, size_t len)
 	if (len >= 4 && name[0] == '*' && name[1] != '.')
 		return 0;
-	return x509_constraints_valid_domain_internal(name, len);
+	return x509_constraints_valid_domain_internal(name, len, 1);
 }
 static inline int
@ -323,16 +339,16 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 			if (c == '.')
 				goto bad;
 		}
 		if (wi > DOMAIN_PART_MAX_LEN)
 			goto bad;
 		if (accept) {
 			if (wi >= DOMAIN_PART_MAX_LEN)
 				goto bad;
 			working[wi++] = c;
 			accept = 0;
 			continue;
 		}
 		if (candidate_local != NULL) {
 			/* We are looking for the domain part */
-			if (wi > DOMAIN_PART_MAX_LEN)
+			if (wi >= DOMAIN_PART_MAX_LEN)
 				goto bad;
 			working[wi++] = c;
 			if (i == len - 1) {
@ -347,7 +363,7 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 			continue;
 		}
 		/* We are looking for the local part */
-		if (wi > LOCAL_PART_MAX_LEN)
+		if (wi >= LOCAL_PART_MAX_LEN)
 			break;
 		if (quoted) {
@ -367,6 +383,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 			 */
 			if (c == 9)
 				goto bad;
 			if (wi >= LOCAL_PART_MAX_LEN)
 				goto bad;
 			working[wi++] = c;
 			continue; /* all's good inside our quoted string */
 		}
@ -396,6 +414,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
 		}
 		if (!local_part_ok(c))
 			goto bad;
 		if (wi >= LOCAL_PART_MAX_LEN)
 			goto bad;
 		working[wi++] = c;
 	}
 	if (candidate_local == NULL || candidate_domain == NULL)
@ -420,16 +440,13 @@ x509_constraints_valid_domain_constraint(uint8_t *constraint, size_t len)
 	if (len == 0)
 		return 1;	/* empty constraints match */
 	if (constraint[0] == '*') /* wildcard not allowed in a constraint */
 		return 0;
 	/*
 	 * A domain may not be less than two characters, so you
 	 * can't match a single domain of less than that
 	 */
 	if (len < 3 && constraint[0] == '.')
 		return 0;
-	return x509_constraints_valid_domain_internal(constraint, len);
+	return x509_constraints_valid_domain_internal(constraint, len, 0);
 }
 /*
@ -700,7 +717,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
 				*error = X509_V_ERR_OUT_OF_MEM;
 				goto err;
 			}
-			vname->type=GEN_DNS;
+			vname->type = GEN_DNS;
 			include_cn = 0; /* don't use cn from subject */
 			break;
 		case GEN_EMAIL:
@ -1115,7 +1132,8 @@ x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth)
 		goto err;
 	if (chain_length == 1)
 		return 1;
-	if ((names = x509_constraints_names_new()) == NULL) {
+	if ((names = x509_constraints_names_new(
 	    X509_VERIFY_MAX_CHAIN_NAMES)) == NULL) {
 		verify_err = X509_V_ERR_OUT_OF_MEM;
 		goto err;
 	}
@ -1128,13 +1146,13 @@ x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth)
 		if ((cert = sk_X509_value(chain, i)) == NULL)
 			goto err;
 		if (cert->nc != NULL) {
-			if ((permitted =
+			if ((permitted = x509_constraints_names_new(
-			    x509_constraints_names_new()) == NULL) {
+			    X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
 				verify_err = X509_V_ERR_OUT_OF_MEM;
 				goto err;
 			}
-			if ((excluded =
+			if ((excluded = x509_constraints_names_new(
-			    x509_constraints_names_new()) == NULL) {
+			    X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
 				verify_err = X509_V_ERR_OUT_OF_MEM;
 				goto err;
 			}
@ -1159,10 +1177,6 @@ x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth)
 		if (!x509_constraints_extract_names(names, cert, 0,
 		    &verify_err))
 			goto err;
 		if (names->names_count > X509_VERIFY_MAX_CHAIN_NAMES) {
 			verify_err = X509_V_ERR_OUT_OF_MEM;
 			goto err;
 		}
 	}
 	x509_constraints_names_free(names);
--- a/crypto/x509/x509_cpols.c
+++ b/crypto/x509/x509_cpols.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -696,7 +696,8 @@ print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent)
 		qualinfo = sk_POLICYQUALINFO_value(quals, i);
 		switch (OBJ_obj2nid(qualinfo->pqualid)) {
 		case NID_id_qt_cps:
-			BIO_printf(out, "%*sCPS: %s\n", indent, "",
+			BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
 			    qualinfo->d.cpsuri->length,
 			    qualinfo->d.cpsuri->data);
 			break;
@ -724,8 +725,8 @@ print_notice(BIO *out, USERNOTICE *notice, int indent)
 	if (notice->noticeref) {
 		NOTICEREF *ref;
 		ref = notice->noticeref;
-		BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+		BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
-		    ref->organization->data);
+		    ref->organization->length, ref->organization->data);
 		BIO_printf(out, "%*sNumber%s: ", indent, "",
 		    sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
 		for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
@ -741,8 +742,8 @@ print_notice(BIO *out, USERNOTICE *notice, int indent)
 		BIO_puts(out, "\n");
 	}
 	if (notice->exptext)
-		BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+		BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
-		    notice->exptext->data);
+		    notice->exptext->length, notice->exptext->data);
 }
 void
--- a/crypto/x509/x509_genn.c
+++ b/crypto/x509/x509_genn.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_genn.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_genn.c,v 1.2 2020/12/08 15:06:42 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -117,16 +117,17 @@ OTHERNAME_free(OTHERNAME *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it);
 }
 /* Uses explicit tagging since DIRECTORYSTRING is a CHOICE type */
 static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = {
 	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
 		.tag = 0,
 		.offset = offsetof(EDIPARTYNAME, nameAssigner),
 		.field_name = "nameAssigner",
 		.item = &DIRECTORYSTRING_it,
 	},
 	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.flags = ASN1_TFLG_EXPLICIT,
 		.tag = 1,
 		.offset = offsetof(EDIPARTYNAME, partyName),
 		.field_name = "partyName",
@ -324,6 +325,37 @@ GENERAL_NAME_dup(GENERAL_NAME *a)
 	return ASN1_item_dup(&GENERAL_NAME_it, a);
 }
 static int
 EDIPARTYNAME_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
 {
 	int res;
 	/*
 	 * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
 	 * anyway. OTHERNAME_cmp treats NULL != NULL, so we do the same here.
 	 */
 	if (a == NULL || b == NULL)
 		return -1;
 	if (a->nameAssigner == NULL && b->nameAssigner != NULL)
 		return -1;
 	if (a->nameAssigner != NULL && b->nameAssigner == NULL)
 		return 1;
 	/* If we get here, both have nameAssigner set or both unset. */
 	if (a->nameAssigner != NULL) {
 		res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
 		if (res != 0)
 			return res;
 	}
 	/*
 	 * partyName is required, so these should never be NULL. We treat it in
 	 * the same way as the a == NULL || b == NULL case above.
 	 */
 	if (a->partyName == NULL || b->partyName == NULL)
 		return -1;
 	return ASN1_STRING_cmp(a->partyName, b->partyName);
 }
 /* Returns 0 if they are equal, != 0 otherwise. */
 int
 GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
@ -334,8 +366,11 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
 		return -1;
 	switch (a->type) {
 	case GEN_X400:
 		result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
 		break;
 	case GEN_EDIPARTY:
-		result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+		result = EDIPARTYNAME_cmp(a->d.ediPartyName, b->d.ediPartyName);
 		break;
 	case GEN_OTHERNAME:
@ -384,8 +419,11 @@ GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
 {
 	switch (type) {
 	case GEN_X400:
 		a->d.x400Address = value;
 		break;
 	case GEN_EDIPARTY:
-		a->d.other = value;
+		a->d.ediPartyName = value;
 		break;
 	case GEN_OTHERNAME:
@ -420,8 +458,10 @@ GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
 		*ptype = a->type;
 	switch (a->type) {
 	case GEN_X400:
 		return a->d.x400Address;
 	case GEN_EDIPARTY:
-		return a->d.other;
+		return a->d.ediPartyName;
 	case GEN_OTHERNAME:
 		return a->d.otherName;
--- a/crypto/x509/x509_internal.h
+++ b/crypto/x509/x509_internal.h
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.3 2020/09/15 11:55:14 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.12.2.1 2021/11/24 09:28:55 tb Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@ -51,18 +51,23 @@ struct x509_constraints_name {
 struct x509_constraints_names {
 	struct x509_constraints_name **names;
 	size_t names_len;
 	size_t names_count;
 	size_t names_len;
 	size_t names_max;
 };
 struct x509_verify_chain {
 	STACK_OF(X509) *certs;		/* Kept in chain order, includes leaf */
 	int *cert_errors;		/* Verify error for each cert in chain. */
 	struct x509_constraints_names *names;	/* All names from all certs */
 };
 struct x509_verify_ctx {
 	X509_STORE_CTX *xsc;
 	struct x509_verify_chain **chains;	/* Validated chains */
 	STACK_OF(X509) *saved_error_chain;
 	int saved_error;
 	int saved_error_depth;
 	size_t chains_count;
 	STACK_OF(X509) *roots;		/* Trusted roots for this validation */
 	STACK_OF(X509) *intermediates;	/* Intermediates provided by peer */
@ -72,8 +77,8 @@ struct x509_verify_ctx {
 	size_t max_depth;		/* Max chain depth for validation */
 	size_t max_sigs;		/* Max number of signature checks */
 	size_t sig_checks;		/* Number of signature checks done */
-	size_t error_depth; 		/* Depth of last error seen */
+	size_t error_depth;		/* Depth of last error seen */
-	int error; 			/* Last error seen */
+	int error;			/* Last error seen */
 };
 int ASN1_time_tm_clamp_notafter(struct tm *tm);
@ -85,13 +90,14 @@ int x509_vfy_check_revocation(X509_STORE_CTX *ctx);
 int x509_vfy_check_policy(X509_STORE_CTX *ctx);
 int x509_vfy_check_trust(X509_STORE_CTX *ctx);
 int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
 int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx);
 void x509v3_cache_extensions(X509 *x);
 X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x);
 int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
    int notafter);
-struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc,
+struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc);
    STACK_OF(X509) *roots);
 void x509_constraints_name_clear(struct x509_constraints_name *name);
 int x509_constraints_names_add(struct x509_constraints_names *names,
@ -99,7 +105,7 @@ int x509_constraints_names_add(struct x509_constraints_names *names,
 struct x509_constraints_names *x509_constraints_names_dup(
    struct x509_constraints_names *names);
 void x509_constraints_names_clear(struct x509_constraints_names *names);
-struct x509_constraints_names *x509_constraints_names_new(void);
+struct x509_constraints_names *x509_constraints_names_new(size_t names_max);
 void x509_constraints_names_free(struct x509_constraints_names *names);
 int x509_constraints_valid_host(uint8_t *name, size_t len);
 int x509_constraints_valid_sandns(uint8_t *name, size_t len);
--- a/crypto/x509/x509_issuer_cache.c
+++ b/crypto/x509/x509_issuer_cache.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_issuer_cache.c,v 1.1 2020/09/11 14:30:51 beck Exp $ */
+/* $OpenBSD: x509_issuer_cache.c,v 1.2 2020/11/18 17:00:59 tb Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@ -77,9 +77,9 @@ x509_issuer_cache_set_max(size_t max)
 * Find a previous result of checking if parent signed child
 *
 * Returns:
- * 	-1 : No entry exists in the cache. signature must be checked.
+ *	-1 : No entry exists in the cache. signature must be checked.
- * 	0 : The signature of parent signing child is invalid.
+ *	0 : The signature of parent signing child is invalid.
- * 	1 : The signature of parent signing child is valid.
+ *	1 : The signature of parent signing child is valid.
 */
 int
 x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md)
@ -98,7 +98,7 @@ x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md)
 		return -1;
 	if ((found = RB_FIND(x509_issuer_tree, &x509_issuer_cache,
 	    &candidate)) != NULL) {
-	 	TAILQ_REMOVE(&x509_issuer_lru, found, queue);
+		TAILQ_REMOVE(&x509_issuer_lru, found, queue);
 		TAILQ_INSERT_HEAD(&x509_issuer_lru, found, queue);
 		ret = found->valid;
 	}
@ -111,7 +111,7 @@ x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md)
 * Attempt to add a validation result to the cache.
 *
 * valid must be:
- * 	0: The signature of parent signing child is invalid.
+ *	0: The signature of parent signing child is invalid.
 *	1: The signature of parent signing child is valid.
 *
 * Previously added entries for the same parent and child are *not* replaced.
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.30 2018/08/24 19:21:09 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.31 2021/10/06 08:29:41 claudio Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -312,6 +312,9 @@ X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
 	X509_OBJECT stmp, *tmp;
 	int i, j;
 	if (ctx == NULL)
 		return 0;
 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
 	tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
@ -561,6 +564,8 @@ X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
 	X509 *x;
 	X509_OBJECT *obj;
 	if (ctx->ctx == NULL)
 		return NULL;
 	sk = sk_X509_new_null();
 	if (sk == NULL)
 		return NULL;
@ -610,6 +615,8 @@ X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
 	X509_CRL *x;
 	X509_OBJECT *obj, xobj;
 	if (ctx->ctx == NULL)
 		return NULL;
 	sk = sk_X509_CRL_new_null();
 	if (sk == NULL)
 		return NULL;
@ -718,6 +725,9 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 	}
 	X509_OBJECT_free_contents(&obj);
 	if (ctx->ctx == NULL)
 		return 0;
 	/* Else find index of first cert accepted by 'check_issued' */
 	ret = 0;
 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
--- a/crypto/x509/x509_pci.c
+++ b/crypto/x509/x509_pci.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_pci.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */
 /* Contributed to the OpenSSL Project 2004
 * by Richard Levitte (richard@levitte.org)
 */
@ -77,7 +77,8 @@ i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
 	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
 	BIO_puts(out, "\n");
 	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
-		BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+		BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
 		    pci->proxyPolicy->policy->length,
 		    pci->proxyPolicy->policy->data);
 	return 1;
 }
--- a/crypto/x509/x509_purp.c
+++ b/crypto/x509/x509_purp.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.7 2021/09/13 15:26:53 claudio Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@ -132,6 +132,8 @@ X509_check_purpose(X509 *x, int id, int ca)
 		CRYPTO_w_lock(CRYPTO_LOCK_X509);
 		x509v3_cache_extensions(x);
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 		if (x->ex_flags & EXFLAG_INVALID)
 			return X509_V_ERR_UNSPECIFIED;
 	}
 	if (id == -1)
 		return 1;
@ -293,11 +295,7 @@ xptable_free(X509_PURPOSE *p)
 void
 X509_PURPOSE_cleanup(void)
 {
 	unsigned int i;
 	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
 	for(i = 0; i < X509_PURPOSE_COUNT; i++)
 		xptable_free(xstandard + i);
 	xptable = NULL;
 }
@ -368,6 +366,10 @@ X509_supported_extension(X509_EXTENSION *ex)
 		NID_basic_constraints,	/* 87 */
 		NID_certificate_policies, /* 89 */
 		NID_ext_key_usage,	/* 126 */
 #ifndef OPENSSL_NO_RFC3779
 		NID_sbgp_ipAddrBlock,   /* 290 */
 		NID_sbgp_autonomousSysNum, /* 291 */
 #endif
 		NID_policy_constraints,	/* 401 */
 		NID_proxyCertInfo,	/* 663 */
 		NID_name_constraints,	/* 666 */
@ -421,7 +423,12 @@ setup_crldp(X509 *x)
 {
 	int i;
-	x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
+	x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &i, NULL);
 	if (x->crldp == NULL && i != -1) {
 		x->ex_flags |= EXFLAG_INVALID;
 		return;
 	}
 	for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
 		setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
 }
@ -449,7 +456,7 @@ x509v3_cache_extensions(X509 *x)
 		x->ex_flags |= EXFLAG_V1;
 	/* Handle basic constraints */
-	if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
+	if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) {
 		if (bs->ca)
 			x->ex_flags |= EXFLAG_CA;
 		if (bs->pathlen) {
@ -463,10 +470,12 @@ x509v3_cache_extensions(X509 *x)
 			x->ex_pathlen = -1;
 		BASIC_CONSTRAINTS_free(bs);
 		x->ex_flags |= EXFLAG_BCONS;
 	} else if (i != -1) {
 		x->ex_flags |= EXFLAG_INVALID;
 	}
 	/* Handle proxy certificates */
-	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) {
 		if (x->ex_flags & EXFLAG_CA ||
 		    X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
 		    X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
@ -485,10 +494,12 @@ x509v3_cache_extensions(X509 *x)
 			x->ex_pcpathlen = -1;
 		PROXY_CERT_INFO_EXTENSION_free(pci);
 		x->ex_flags |= EXFLAG_PROXY;
 	} else if (i != -1) {
 		x->ex_flags |= EXFLAG_INVALID;
 	}
 	/* Handle key usage */
-	if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
+	if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) {
 		if (usage->length > 0) {
 			x->ex_kusage = usage->data[0];
 			if (usage->length > 1)
@ -497,9 +508,12 @@ x509v3_cache_extensions(X509 *x)
 			x->ex_kusage = 0;
 		x->ex_flags |= EXFLAG_KUSAGE;
 		ASN1_BIT_STRING_free(usage);
 	} else if (i != -1) {
 		x->ex_flags |= EXFLAG_INVALID;
 	}
 	x->ex_xkusage = 0;
-	if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
+	if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL))) {
 		x->ex_flags |= EXFLAG_XKUSAGE;
 		for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
 			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
@ -538,19 +552,27 @@ x509v3_cache_extensions(X509 *x)
 			}
 		}
 		sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
 	} else if (i != -1) {
 		x->ex_flags |= EXFLAG_INVALID;
 	}
-	if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
+	if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &i, NULL))) {
 		if (ns->length > 0)
 			x->ex_nscert = ns->data[0];
 		else
 			x->ex_nscert = 0;
 		x->ex_flags |= EXFLAG_NSCERT;
 		ASN1_BIT_STRING_free(ns);
 	} else if (i != -1) {
 		x->ex_flags |= EXFLAG_INVALID;
 	}
-	x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
+	x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &i, NULL);
-	x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+	if (x->skid == NULL && i != -1)
 		x->ex_flags |= EXFLAG_INVALID;
 	x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &i, NULL);
 	if (x->akid == NULL && i != -1)
 		x->ex_flags |= EXFLAG_INVALID;
 	/* Does subject name match issuer? */
 	if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
@ -561,12 +583,23 @@ x509v3_cache_extensions(X509 *x)
 			x->ex_flags |= EXFLAG_SS;
 	}
-	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL);
 	if (x->altname == NULL && i != -1)
 		x->ex_flags |= EXFLAG_INVALID;
 	x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
 	if (!x->nc && (i != -1))
 		x->ex_flags |= EXFLAG_INVALID;
 	setup_crldp(x);
 #ifndef OPENSSL_NO_RFC3779
 	x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL);
 	if (x->rfc3779_addr == NULL && i != -1)
 		x->ex_flags |= EXFLAG_INVALID;
 	x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL);
 	if (x->rfc3779_asid == NULL && i != -1)
 		x->ex_flags |= EXFLAG_INVALID;
 #endif
 	for (i = 0; i < X509_get_ext_count(x); i++) {
 		ex = X509_get_ext(x, i);
 		if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
@ -626,6 +659,8 @@ X509_check_ca(X509 *x)
 		CRYPTO_w_lock(CRYPTO_LOCK_X509);
 		x509v3_cache_extensions(x);
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 		if (x->ex_flags & EXFLAG_INVALID)
 			return X509_V_ERR_UNSPECIFIED;
 	}
 	return check_ca(x);
@ -836,8 +871,20 @@ X509_check_issued(X509 *issuer, X509 *subject)
 	if (X509_NAME_cmp(X509_get_subject_name(issuer),
 	    X509_get_issuer_name(subject)))
 		return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
-	x509v3_cache_extensions(issuer);
+	if (!(issuer->ex_flags & EXFLAG_SET)) {
-	x509v3_cache_extensions(subject);
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
 		x509v3_cache_extensions(issuer);
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 	}
 	if (issuer->ex_flags & EXFLAG_INVALID)
 		return X509_V_ERR_UNSPECIFIED;
 	if (!(subject->ex_flags & EXFLAG_SET)) {
 		CRYPTO_w_lock(CRYPTO_LOCK_X509);
 		x509v3_cache_extensions(subject);
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 	}
 	if (subject->ex_flags & EXFLAG_INVALID)
 		return X509_V_ERR_UNSPECIFIED;
 	if (subject->akid) {
 		int ret = X509_check_akid(issuer, subject->akid);
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.23 2018/05/18 18:40:38 tb Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.24 2021/07/23 20:50:28 schwarze Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -265,10 +265,6 @@ trtable_free(X509_TRUST *p)
 void
 X509_TRUST_cleanup(void)
 {
 	unsigned int i;
 	for (i = 0; i < X509_TRUST_COUNT; i++)
 		trtable_free(trstandard + i);
 	sk_X509_TRUST_pop_free(trtable, trtable_free);
 	trtable = NULL;
 }
--- a/crypto/x509/x509_verify.c
+++ b/crypto/x509/x509_verify.c
@ -1,6 +1,6 @@
-/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.49.2.1 2021/11/24 09:28:56 tb Exp $ */
 /*
- * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -15,7 +15,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* x509_verify - inspired by golang's crypto/x509/Verify */
+/* x509_verify - inspired by golang's crypto/x509.Verify */
 #include <errno.h>
 #include <stdio.h>
@ -33,7 +33,7 @@
 static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
    struct x509_verify_chain *current_chain);
 static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
-    struct x509_verify_chain *current_chain);
+    struct x509_verify_chain *current_chain, int full_chain);
 static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert,
    size_t depth, int error, int ok);
 static void x509_verify_chain_free(struct x509_verify_chain *chain);
@ -49,7 +49,11 @@ x509_verify_chain_new(void)
 		goto err;
 	if ((chain->certs = sk_X509_new_null()) == NULL)
 		goto err;
-	if ((chain->names = x509_constraints_names_new()) == NULL)
+	if ((chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS,
 	    sizeof(int))) == NULL)
 		goto err;
 	if ((chain->names =
 	    x509_constraints_names_new(X509_VERIFY_MAX_CHAIN_NAMES)) == NULL)
 		goto err;
 	return chain;
@ -63,6 +67,8 @@ x509_verify_chain_clear(struct x509_verify_chain *chain)
 {
 	sk_X509_pop_free(chain->certs, X509_free);
 	chain->certs = NULL;
 	free(chain->cert_errors);
 	chain->cert_errors = NULL;
 	x509_constraints_names_free(chain->names);
 	chain->names = NULL;
 }
@ -81,10 +87,15 @@ x509_verify_chain_dup(struct x509_verify_chain *chain)
 {
 	struct x509_verify_chain *new_chain;
-	if ((new_chain = x509_verify_chain_new()) == NULL)
+	if ((new_chain = calloc(1, sizeof(*chain))) == NULL)
 		goto err;
 	if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL)
 		goto err;
 	if ((new_chain->cert_errors = calloc(X509_VERIFY_MAX_CHAIN_CERTS,
 	    sizeof(int))) == NULL)
 		goto err;
 	memcpy(new_chain->cert_errors, chain->cert_errors,
 	    X509_VERIFY_MAX_CHAIN_CERTS * sizeof(int));
 	if ((new_chain->names =
 	    x509_constraints_names_dup(chain->names)) == NULL)
 		goto err;
@ -99,18 +110,32 @@ x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert,
    int *error)
 {
 	int verify_err = X509_V_ERR_UNSPECIFIED;
 	size_t idx;
 	if (!x509_constraints_extract_names(chain->names, cert,
 	    sk_X509_num(chain->certs) == 0, &verify_err)) {
 		*error = verify_err;
 		return 0;
 	}
 	X509_up_ref(cert);
 	if (!sk_X509_push(chain->certs, cert)) {
 		X509_free(cert);
 		*error = X509_V_ERR_OUT_OF_MEM;
 		return 0;
 	}
 	idx = sk_X509_num(chain->certs) - 1;
 	chain->cert_errors[idx] = *error;
 	/*
 	 * We've just added the issuer for the previous certificate,
 	 * clear its error if appropriate.
 	 */
 	if (idx > 1 && chain->cert_errors[idx - 1] ==
 	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 		chain->cert_errors[idx - 1] = X509_V_OK;
 	return 1;
 }
@ -141,6 +166,9 @@ x509_verify_ctx_reset(struct x509_verify_ctx *ctx)
 	for (i = 0; i < ctx->chains_count; i++)
 		x509_verify_chain_free(ctx->chains[i]);
 	sk_X509_pop_free(ctx->saved_error_chain, X509_free);
 	ctx->saved_error = 0;
 	ctx->saved_error_depth = 0;
 	ctx->error = 0;
 	ctx->error_depth = 0;
 	ctx->chains_count = 0;
@ -158,40 +186,209 @@ x509_verify_ctx_clear(struct x509_verify_ctx *ctx)
 }
 static int
-x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert)
+x509_verify_cert_cache_extensions(X509 *cert) {
 	if (!(cert->ex_flags & EXFLAG_SET)) {
 		CRYPTO_w_lock(CRYPTO_LOCK_X509);
 		x509v3_cache_extensions(cert);
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 	}
 	if (cert->ex_flags & EXFLAG_INVALID)
 		return 0;
 	return (cert->ex_flags & EXFLAG_SET);
 }
 static int
 x509_verify_cert_self_signed(X509 *cert)
 {
 	return (cert->ex_flags & EXFLAG_SS) ? 1 : 0;
 }
 static int
 x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert,
    int full_chain)
 {
 	X509 *match = NULL;
 	int i;
-	for (i = 0; i < sk_X509_num(ctx->roots); i++) {
+	if (!x509_verify_cert_cache_extensions(cert))
-		if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
+		return 0;
-			return 1;
+
 	/* Check by lookup if we have a legacy xsc */
 	if (ctx->xsc != NULL) {
 		if ((match = x509_vfy_lookup_cert_match(ctx->xsc,
 		    cert)) != NULL) {
 			X509_free(match);
 			return !full_chain ||
 			    x509_verify_cert_self_signed(cert);
 		}
 	} else {
 		/* Check the provided roots */
 		for (i = 0; i < sk_X509_num(ctx->roots); i++) {
 			if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0)
 				return !full_chain ||
 				    x509_verify_cert_self_signed(cert);
 		}
 	}
 	return 0;
 }
 static int
 x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx,
-    struct x509_verify_chain *chain)
+    struct x509_verify_chain *chain, int set_error, int is_trusted)
 {
-	size_t depth;
+	size_t num_untrusted;
-	X509 *last = x509_verify_chain_last(chain);
+	int i;
 	if (ctx->xsc == NULL)
 		return 1;
-	depth = sk_X509_num(chain->certs);
+	/*
-	if (depth > 0)
+	 * XXX last_untrusted is actually the number of untrusted certs at the
-		depth--;
+	 * bottom of the chain. This works now since we stop at the first
 	 * trusted cert. This will need fixing once we allow more than one
 	 * trusted certificate.
 	 */
 	num_untrusted = sk_X509_num(chain->certs);
 	if (is_trusted && num_untrusted > 0)
 		num_untrusted--;
 	ctx->xsc->last_untrusted = num_untrusted;
 	ctx->xsc->last_untrusted = depth ? depth - 1 : 0;
 	sk_X509_pop_free(ctx->xsc->chain, X509_free);
 	ctx->xsc->chain = X509_chain_up_ref(chain->certs);
 	if (ctx->xsc->chain == NULL)
-		return x509_verify_cert_error(ctx, last, depth,
+		return x509_verify_cert_error(ctx, NULL, 0,
 		    X509_V_ERR_OUT_OF_MEM, 0);
 	if (set_error) {
 		ctx->xsc->error = X509_V_OK;
 		ctx->xsc->error_depth = 0;
 		for (i = 0; i < sk_X509_num(chain->certs); i++) {
 			if (chain->cert_errors[i] != X509_V_OK) {
 				ctx->xsc->error = chain->cert_errors[i];
 				ctx->xsc->error_depth = i;
 				break;
 			}
 		}
 	}
 	return 1;
 }
 /*
 * Save the error state and unvalidated chain off of the xsc for
 * later.
 */
 static int
 x509_verify_ctx_save_xsc_error(struct x509_verify_ctx *ctx)
 {
 	if (ctx->xsc != NULL && ctx->xsc->chain != NULL) {
 		sk_X509_pop_free(ctx->saved_error_chain, X509_free);
 		ctx->saved_error_chain = X509_chain_up_ref(ctx->xsc->chain);
 		if (ctx->saved_error_chain == NULL)
 			return x509_verify_cert_error(ctx, NULL, 0,
 			    X509_V_ERR_OUT_OF_MEM, 0);
 		ctx->saved_error = ctx->xsc->error;
 		ctx->saved_error_depth = ctx->xsc->error_depth;
 	}
 	return 1;
 }
 /*
 * Restore the saved error state and unvalidated chain to the xsc
 * if we do not have a validated chain.
 */
 static int
 x509_verify_ctx_restore_xsc_error(struct x509_verify_ctx *ctx)
 {
 	if (ctx->xsc != NULL && ctx->chains_count == 0 &&
 	    ctx->saved_error_chain != NULL) {
 		sk_X509_pop_free(ctx->xsc->chain, X509_free);
 		ctx->xsc->chain = X509_chain_up_ref(ctx->saved_error_chain);
 		if (ctx->xsc->chain == NULL)
 			return x509_verify_cert_error(ctx, NULL, 0,
 			    X509_V_ERR_OUT_OF_MEM, 0);
 		ctx->xsc->error = ctx->saved_error;
 		ctx->xsc->error_depth = ctx->saved_error_depth;
 	}
 	return 1;
 }
 /* Perform legacy style validation of a chain */
 static int
 x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
    struct x509_verify_chain *chain, size_t depth)
 {
 	int ret = 0, trust;
 	if (ctx->xsc == NULL)
 		return 1;
 	/*
 	 * If we have a legacy xsc, choose a validated chain, and
 	 * apply the extensions, revocation, and policy checks just
 	 * like the legacy code did. We do this here instead of as
 	 * building the chains to more easily support the callback and
 	 * the bewildering array of VERIFY_PARAM knobs that are there
 	 * for the fiddling.
 	 */
 	/* These may be set in one of the following calls. */
 	ctx->xsc->error = X509_V_OK;
 	ctx->xsc->error_depth = 0;
 	trust = x509_vfy_check_trust(ctx->xsc);
 	if (trust == X509_TRUST_REJECTED)
 		goto err;
 	if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1))
 		goto err;
 	/*
 	 * XXX currently this duplicates some work done in chain
 	 * build, but we keep it here until we have feature parity
 	 */
 	if (!x509_vfy_check_chain_extensions(ctx->xsc))
 		goto err;
 	if (!x509_constraints_chain(ctx->xsc->chain,
 		&ctx->xsc->error, &ctx->xsc->error_depth)) {
 		X509 *cert = sk_X509_value(ctx->xsc->chain, depth);
 		if (!x509_verify_cert_error(ctx, cert,
 			ctx->xsc->error_depth, ctx->xsc->error, 0))
 			goto err;
 	}
 	if (!x509_vfy_check_revocation(ctx->xsc))
 		goto err;
 	if (!x509_vfy_check_policy(ctx->xsc))
 		goto err;
 	if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) &&
 	    trust != X509_TRUST_TRUSTED)
 		goto err;
 	ret = 1;
 err:
 	/*
 	 * The above checks may have set ctx->xsc->error and
 	 * ctx->xsc->error_depth - save these for later on.
 	 */
 	if (ctx->xsc->error != X509_V_OK) {
 		if (ctx->xsc->error_depth < 0 ||
 		    ctx->xsc->error_depth >= X509_VERIFY_MAX_CHAIN_CERTS)
 			return 0;
 		chain->cert_errors[ctx->xsc->error_depth] =
 		    ctx->xsc->error;
 		ctx->error_depth = ctx->xsc->error_depth;
 	}
 	return ret;
 }
 /* Add a validated chain to our list of valid chains */
 static int
 x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
@ -208,43 +405,17 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx,
 		return x509_verify_cert_error(ctx, last, depth,
 		    X509_V_ERR_CERT_CHAIN_TOO_LONG, 0);
 	/* Clear a get issuer failure for a root certificate. */
 	if (chain->cert_errors[depth] ==
 	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
 		chain->cert_errors[depth] = X509_V_OK;
 	if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth))
 		return 0;
 	/*
-	 * If we have a legacy xsc, choose a validated chain,
+	 * In the non-legacy code, extensions and purpose are dealt
-	 * and apply the extensions, revocation, and policy checks
+	 * with as the chain is built.
 	 * just like the legacy code did. We do this here instead
 	 * of as building the chains to more easily support the
 	 * callback and the bewildering array of VERIFY_PARAM
 	 * knobs that are there for the fiddling.
 	 */
 	if (ctx->xsc != NULL) {
 		if (!x509_verify_ctx_set_xsc_chain(ctx, chain))
 			return 0;
 		/*
 		 * XXX currently this duplicates some work done
 		 * in chain build, but we keep it here until
 		 * we have feature parity
 		 */
 		if (!x509_vfy_check_chain_extensions(ctx->xsc))
 			return 0;
 		if (!x509_constraints_chain(ctx->xsc->chain,
 		    &ctx->xsc->error, &ctx->xsc->error_depth)) {
 			X509 *cert = sk_X509_value(ctx->xsc->chain, depth);
 			if (!x509_verify_cert_error(ctx, cert,
 			    ctx->xsc->error_depth, ctx->xsc->error, 0))
 				return 0;
 		}
 		if (!x509_vfy_check_revocation(ctx->xsc))
 			return 0;
 		if (!x509_vfy_check_policy(ctx->xsc))
 			return 0;
 	}
 	/*
 	 * no xsc means we are being called from the non-legacy API,
 	 * extensions and purpose are dealt with as the chain is built.
 	 *
 	 * The non-legacy api returns multiple chains but does not do
 	 * any revocation checking (it must be done by the caller on
@ -266,6 +437,8 @@ static int
 x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent,
    X509 *child)
 {
 	if (!x509_verify_cert_cache_extensions(parent))
 		return 0;
 	if (ctx->xsc != NULL)
 		return (ctx->xsc->check_issued(ctx->xsc, child, parent));
@ -313,7 +486,7 @@ x509_verify_parent_signature(X509 *parent, X509 *child,
 static int
 x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
    unsigned char *cert_md, int is_root_cert, X509 *candidate,
-    struct x509_verify_chain *current_chain)
+    struct x509_verify_chain *current_chain, int full_chain)
 {
 	int depth = sk_X509_num(current_chain->certs);
 	struct x509_verify_chain *new_chain;
@ -333,12 +506,11 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
 		return 0;
 	}
 	if (!x509_verify_parent_signature(candidate, cert, cert_md,
 	    &ctx->error)) {
-		    if (!x509_verify_cert_error(ctx, candidate, depth,
+		if (!x509_verify_cert_error(ctx, candidate, depth,
-			ctx->error, 0))
+		    ctx->error, 0))
-			    return 0;
+			return 0;
 	}
 	if (!x509_verify_cert_valid(ctx, candidate, current_chain))
@ -351,8 +523,7 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
 		return 0;
 	}
 	if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) {
-		x509_verify_cert_error(ctx, candidate, depth,
+		x509_verify_cert_error(ctx, candidate, depth, ctx->error, 0);
 		    ctx->error, 0);
 		x509_verify_chain_free(new_chain);
 		return 0;
 	}
@ -363,17 +534,18 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert,
 	 * give up.
 	 */
 	if (is_root_cert) {
-		if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain)) {
+		if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain, 0, 1)) {
 			x509_verify_chain_free(new_chain);
 			return 0;
 		}
-		if (x509_verify_cert_error(ctx, candidate, depth, X509_V_OK, 1)) {
+		if (!x509_verify_ctx_add_chain(ctx, new_chain)) {
-			(void) x509_verify_ctx_add_chain(ctx, new_chain);
+			x509_verify_chain_free(new_chain);
-			goto done;
+			return 0;
 		}
 		goto done;
 	}
-	x509_verify_build_chains(ctx, candidate, new_chain);
+	x509_verify_build_chains(ctx, candidate, new_chain, full_chain);
 done:
 	x509_verify_chain_free(new_chain);
@ -397,11 +569,19 @@ x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth,
 static void
 x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
-    struct x509_verify_chain *current_chain)
+    struct x509_verify_chain *current_chain, int full_chain)
 {
 	unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 };
 	X509 *candidate;
-	int i, depth, count;
+	int i, depth, count, ret, is_root;
 	/*
 	 * If we are finding chains with an xsc, just stop after we have
 	 * one chain, there's no point in finding more, it just exercises
 	 * the potentially buggy callback processing in the calling software.
 	 */
 	if (ctx->xsc != NULL && ctx->chains_count > 0)
 		return;
 	depth = sk_X509_num(current_chain->certs);
 	if (depth > 0)
@ -418,36 +598,80 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert,
 		return;
 	count = ctx->chains_count;
 	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 	ctx->error_depth = depth;
-	for (i = 0; i < sk_X509_num(ctx->roots); i++) {
+	if (ctx->saved_error != 0)
-		candidate = sk_X509_value(ctx->roots, i);
+		ctx->error = ctx->saved_error;
-		if (x509_verify_potential_parent(ctx, candidate, cert)) {
+	if (ctx->saved_error_depth != 0)
-			x509_verify_consider_candidate(ctx, cert,
+		ctx->error_depth = ctx->saved_error_depth;
-			    cert_md, 1, candidate, current_chain);
+
 	if (ctx->xsc != NULL) {
 		/*
 		 * Long ago experiments at Muppet labs resulted in a
 		 * situation where software not only sees these errors
 		 * but forced developers to expect them in certain cases.
 		 * so we must mimic this awfulness for the legacy case.
 		 */
 		if (cert->ex_flags & EXFLAG_SS)
 			ctx->error = (depth == 0) ?
 			    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 			    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
 	}
 	/* Check for legacy mode roots */
 	if (ctx->xsc != NULL) {
 		if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {
 			x509_verify_cert_error(ctx, cert, depth,
 			    X509_V_ERR_STORE_LOOKUP, 0);
 			return;
 		}
 		if (ret > 0) {
 			if (x509_verify_potential_parent(ctx, candidate, cert)) {
 				is_root = !full_chain ||
 				    x509_verify_cert_self_signed(candidate);
 				x509_verify_consider_candidate(ctx, cert,
 				    cert_md, is_root, candidate, current_chain,
 				    full_chain);
 			}
 			X509_free(candidate);
 		}
 	} else {
 		/* Check to see if we have a trusted root issuer. */
 		for (i = 0; i < sk_X509_num(ctx->roots); i++) {
 			candidate = sk_X509_value(ctx->roots, i);
 			if (x509_verify_potential_parent(ctx, candidate, cert)) {
 				is_root = !full_chain ||
 				    x509_verify_cert_self_signed(candidate);
 				x509_verify_consider_candidate(ctx, cert,
 				    cert_md, is_root, candidate, current_chain,
 				    full_chain);
 			}
 		}
 	}
 	/* Check intermediates after checking roots */
 	if (ctx->intermediates != NULL) {
 		for (i = 0; i < sk_X509_num(ctx->intermediates); i++) {
 			candidate = sk_X509_value(ctx->intermediates, i);
 			if (x509_verify_potential_parent(ctx, candidate, cert)) {
 				x509_verify_consider_candidate(ctx, cert,
-				    cert_md, 0, candidate, current_chain);
+				    cert_md, 0, candidate, current_chain,
 				    full_chain);
 			}
 		}
 	}
 	if (ctx->chains_count > count) {
 		if (ctx->xsc != NULL) {
 			ctx->xsc->error = X509_V_OK;
 			ctx->xsc->error_depth = depth;
 			ctx->xsc->current_cert = cert;
 			(void) ctx->xsc->verify_cb(1, ctx->xsc);
 		}
 	} else if (ctx->error_depth == depth) {
-			(void) x509_verify_cert_error(ctx, cert, depth,
+		if (!x509_verify_ctx_set_xsc_chain(ctx, current_chain, 0, 0))
-			    ctx->error, 0);
+			return;
 	}
 }
@ -458,8 +682,13 @@ x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name)
 	size_t len;
 	if (name == NULL) {
-		if (ctx->xsc != NULL)
+		if (ctx->xsc != NULL) {
-			return x509_vfy_check_id(ctx->xsc);
+			int ret;
 			if ((ret = x509_vfy_check_id(ctx->xsc)) == 0)
 				ctx->error = ctx->xsc->error;
 			return ret;
 		}
 		return 1;
 	}
 	if ((candidate = strdup(name)) == NULL) {
@ -516,8 +745,6 @@ x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter)
 {
 	int type;
 	memset(tm, 0, sizeof(*tm));
 	type = ASN1_time_parse(atime->data, atime->length, tm, atime->type);
 	if (type == -1)
 		return 0;
@ -601,11 +828,13 @@ x509_verify_validate_constraints(X509 *cert,
 		return 1;
 	if (cert->nc != NULL) {
-		if ((permitted = x509_constraints_names_new()) == NULL) {
+		if ((permitted = x509_constraints_names_new(
 		    X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
 			err = X509_V_ERR_OUT_OF_MEM;
 			goto err;
 		}
-		if ((excluded = x509_constraints_names_new()) == NULL) {
+		if ((excluded = x509_constraints_names_new(
 		    X509_VERIFY_MAX_CHAIN_CONSTRAINTS)) == NULL) {
 			err = X509_V_ERR_OUT_OF_MEM;
 			goto err;
 		}
@ -630,10 +859,9 @@ x509_verify_validate_constraints(X509 *cert,
 static int
 x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca)
 {
-	if (!(cert->ex_flags & EXFLAG_SET)) {
+	if (!x509_verify_cert_cache_extensions(cert)) {
-		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		ctx->error = X509_V_ERR_UNSPECIFIED;
-		x509v3_cache_extensions(cert);
+		return 0;
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 	}
 	if (ctx->xsc != NULL)
@ -712,7 +940,7 @@ x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert,
 }
 struct x509_verify_ctx *
-x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots)
+x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc)
 {
 	struct x509_verify_ctx *ctx;
 	size_t max_depth;
@ -720,7 +948,7 @@ x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots)
 	if (xsc == NULL)
 		return NULL;
-	if ((ctx = x509_verify_ctx_new(roots)) == NULL)
+	if ((ctx = x509_verify_ctx_new(NULL)) == NULL)
 		return NULL;
 	ctx->xsc = xsc;
@ -748,14 +976,16 @@ x509_verify_ctx_new(STACK_OF(X509) *roots)
 {
 	struct x509_verify_ctx *ctx;
 	if (roots == NULL)
 		return NULL;
 	if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL)
 		return NULL;
-	if ((ctx->roots = X509_chain_up_ref(roots)) == NULL)
+	if (roots != NULL) {
-		goto err;
+		if  ((ctx->roots = X509_chain_up_ref(roots)) == NULL)
 			goto err;
 	} else {
 		if ((ctx->roots = sk_X509_new_null()) == NULL)
 			goto err;
 	}
 	ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS;
 	ctx->max_chains = X509_VERIFY_MAX_CHAINS;
@ -850,19 +1080,24 @@ size_t
 x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 {
 	struct x509_verify_chain *current_chain;
 	int retry_chain_build, full_chain = 0;
 	if (ctx->roots == NULL || ctx->max_depth == 0) {
 		ctx->error = X509_V_ERR_INVALID_CALL;
-		return 0;
+		goto err;
 	}
 	if (ctx->xsc != NULL) {
 		if (leaf != NULL || name != NULL) {
 			ctx->error = X509_V_ERR_INVALID_CALL;
-			return 0;
+			goto err;
 		}
 		leaf = ctx->xsc->cert;
 		/* XXX */
 		full_chain = 1;
 		if (ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
 			full_chain = 0;
 		/*
 		 * XXX
 		 * The legacy code expects the top level cert to be
@ -872,57 +1107,163 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name)
 		 */
 		if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) {
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		if (!X509_up_ref(leaf)) {
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		if (!sk_X509_push(ctx->xsc->chain, leaf)) {
 			X509_free(leaf);
 			ctx->error = X509_V_ERR_OUT_OF_MEM;
-			return 0;
+			goto err;
 		}
 		ctx->xsc->error_depth = 0;
 		ctx->xsc->current_cert = leaf;
 	}
 	if (!x509_verify_cert_valid(ctx, leaf, NULL))
-		return 0;
+		goto err;
 	if (!x509_verify_cert_hostname(ctx, leaf, name))
-		return 0;
+		goto err;
 	if ((current_chain = x509_verify_chain_new()) == NULL) {
 		ctx->error = X509_V_ERR_OUT_OF_MEM;
-		return 0;
+		goto err;
 	}
 	if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) {
 		x509_verify_chain_free(current_chain);
-		return 0;
+		goto err;
 	}
-	if (x509_verify_ctx_cert_is_root(ctx, leaf))
+	do {
-		x509_verify_ctx_add_chain(ctx, current_chain);
+		retry_chain_build = 0;
-	else
+		if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) {
-		x509_verify_build_chains(ctx, leaf, current_chain);
+			if (!x509_verify_ctx_add_chain(ctx, current_chain)) {
 				x509_verify_chain_free(current_chain);
 				goto err;
 			}
 		} else {
 			x509_verify_build_chains(ctx, leaf, current_chain,
 			    full_chain);
 			if (full_chain && ctx->chains_count == 0) {
 				/*
 				 * Save the error state from the xsc
 				 * at this point to put back on the
 				 * xsc in case we do not find a chain
 				 * that is trusted but not a full
 				 * chain to a self signed root. This
 				 * is because the unvalidated chain is
 				 * used by the autochain batshittery
 				 * on failure and will be needed for
 				 * that.
 				 */
 				if (!x509_verify_ctx_save_xsc_error(ctx)) {
 					x509_verify_chain_free(current_chain);
 					goto err;
 				}
 				full_chain = 0;
 				retry_chain_build = 1;
 			}
 		}
 	} while (retry_chain_build);
 	x509_verify_chain_free(current_chain);
 	/*
-	 * Safety net:
+	 * Do the new verifier style return, where we don't have an xsc
-	 * We could not find a validated chain, and for some reason do not
+	 * that allows a crazy callback to turn invalid things into valid.
 	 * have an error set.
 	 */
-	if (ctx->chains_count == 0 && ctx->error == 0)
+	if (ctx->xsc == NULL) {
 		/*
 		 * Safety net:
 		 * We could not find a validated chain, and for some reason do not
 		 * have an error set.
 		 */
 		if (ctx->chains_count == 0 && ctx->error == X509_V_OK)
 			ctx->error = X509_V_ERR_UNSPECIFIED;
 		/*
 		 * If we are not using an xsc, and have no possibility for the
 		 * crazy OpenSSL callback API changing the results of
 		 * validation steps (because the callback can make validation
 		 * proceed in the presence of invalid certs), any chains we
 		 * have here are correctly built and verified.
 		 */
 		if (ctx->chains_count > 0)
 			ctx->error = X509_V_OK;
 		return ctx->chains_count;
 	}
 	/*
 	 * Otherwise we are doing compatibility with an xsc, which means that we
 	 * will have one chain, which might actually be a bogus chain because
 	 * the callback told us to ignore errors and proceed to build an invalid
 	 * chain. Possible return values from this include returning 1 with an
 	 * invalid chain and a value of xsc->error != X509_V_OK (It's tradition
 	 * that makes it ok).
 	 */
 	if (ctx->chains_count > 0) {
 		/*
 		 * The chain we have using an xsc might not be a verified chain
 		 * if the callback perverted things while we built it to ignore
 		 * failures and proceed with chain building. We put this chain
 		 * and the error associated with it on the xsc.
 		 */
 		if (!x509_verify_ctx_set_xsc_chain(ctx, ctx->chains[0], 1, 1))
 			goto err;
 		/*
 		 * Call the callback for completion up our built
 		 * chain. The callback could still tell us to
 		 * fail. Since this chain might exist as the result of
 		 * callback doing perversions, we could still return
 		 * "success" with something other than X509_V_OK set
 		 * as the error.
 		 */
 		if (!x509_vfy_callback_indicate_completion(ctx->xsc))
 			goto err;
 	} else {
 		/*
 		 * We did not find a chain. Bring back the failure
 		 * case we wanted to the xsc if we saved one. If we
 		 * did not we should have just the leaf on the xsc.
 		 */
 		if (!x509_verify_ctx_restore_xsc_error(ctx))
 			goto err;
 		/*
 		 * Safety net, ensure we have an error set in the
 		 * failing case.
 		 */
 		if (ctx->xsc->error == X509_V_OK) {
 			if (ctx->error == X509_V_OK)
 				ctx->error = X509_V_ERR_UNSPECIFIED;
 			ctx->xsc->error = ctx->error;
 		}
 		/*
 		 * Let the callback override the return value
 		 * at depth 0 if it chooses to
 		 */
 		return ctx->xsc->verify_cb(0, ctx->xsc);
 	}
 	/* We only ever find one chain in compat mode with an xsc. */
 	return 1;
 err:
 	if (ctx->error == X509_V_OK)
 		ctx->error = X509_V_ERR_UNSPECIFIED;
 	/* Clear whatever errors happened if we have any validated chain */
 	if (ctx->chains_count > 0)
 		ctx->error = X509_V_OK;
 	if (ctx->xsc != NULL) {
-		ctx->xsc->error = ctx->error;
+		if (ctx->xsc->error == X509_V_OK)
-		return ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc);
+			ctx->xsc->error = X509_V_ERR_UNSPECIFIED;
 		ctx->error = ctx->xsc->error;
 	}
-	return (ctx->chains_count);
+
 	return 0;
 }
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.81 2020/09/26 02:06:28 deraadt Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.89.2.1 2021/11/24 09:28:56 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -240,12 +240,13 @@ x509_vfy_check_id(X509_STORE_CTX *ctx) {
 * Oooooooh..
 */
 static int
-X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad)
+X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
 {
 	X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
 	int bad_chain = 0;
 	X509_VERIFY_PARAM *param = ctx->param;
-	int depth, i, ok = 0;
+	int ok = 0, ret = 0;
 	int depth, i;
 	int num, j, retry, trust;
 	int (*cb) (int xok, X509_STORE_CTX *xctx);
 	STACK_OF(X509) *sktmp = NULL;
@ -517,11 +518,15 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad)
 		if (!ok)
 			goto end;
 	}
 	ret = 1;
 end:
 	sk_X509_free(sktmp);
 	X509_free(chain_ss);
 	*bad = bad_chain;
-	return ok;
+	*out_ok = ok;
 	return ret;
 }
 static int
@ -531,8 +536,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx)
 	ctx->error = X509_V_OK; /* Initialize to OK */
-	ok = X509_verify_cert_legacy_build_chain(ctx, &bad_chain);
+	if (!X509_verify_cert_legacy_build_chain(ctx, &bad_chain, &ok))
 	if (!ok)
 		goto end;
 	/* We have the chain complete: now we need to check its purpose */
@ -630,60 +634,13 @@ X509_verify_cert(X509_STORE_CTX *ctx)
 	/* Use the modern multi-chain verifier from x509_verify_cert */
-	/* Find our trusted roots */
+	if ((vctx = x509_verify_ctx_new_from_xsc(ctx)) != NULL) {
 	ctx->error = X509_V_ERR_OUT_OF_MEM;
 	if (ctx->get_issuer == get_issuer_sk) {
 		/*
 		 * We are using the trusted stack method. so
 		 * the roots are in the aptly named "ctx->other_ctx"
 		 * pointer. (It could have been called "al")
 		 */
 		if ((roots = X509_chain_up_ref(ctx->other_ctx)) == NULL)
 			return -1;
 	} else {
 		/*
 		 * We have a X509_STORE and need to pull out the roots.
 		 * Don't look Ethel...
 		 */
 		STACK_OF(X509_OBJECT) *objs;
 		size_t i, good = 1;
 		if ((roots = sk_X509_new_null()) == NULL)
 			return -1;
 		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
 		if ((objs = X509_STORE_get0_objects(ctx->ctx)) == NULL)
 				good = 0;
 		for (i = 0; good && i < sk_X509_OBJECT_num(objs); i++) {
 			X509_OBJECT *obj;
 			X509 *root;
 			obj = sk_X509_OBJECT_value(objs, i);
 			if (obj->type != X509_LU_X509)
 				continue;
 			root = obj->data.x509;
 			if (X509_up_ref(root) == 0)
 				good = 0;
 			if (sk_X509_push(roots, root) == 0) {
 				X509_free(root);
 				good = 0;
 			}
 		}
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 		if (!good) {
 			sk_X509_pop_free(roots, X509_free);
 			return -1;
 		}
 	}
 	if ((vctx = x509_verify_ctx_new_from_xsc(ctx, roots)) != NULL) {
 		ctx->error = X509_V_OK; /* Initialize to OK */
 		chain_count = x509_verify(vctx, NULL, NULL);
 	}
 	x509_verify_ctx_free(vctx);
 	sk_X509_pop_free(roots, X509_free);
 	x509_verify_ctx_free(vctx);
 	/* if we succeed we have a chain in ctx->chain */
 	return (chain_count > 0 && ctx->chain != NULL);
@ -910,7 +867,8 @@ check_name_constraints(X509_STORE_CTX *ctx)
 /* Given a certificate try and find an exact match in the store */
-static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
+static X509 *
 lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 {
 	STACK_OF(X509) *certs;
 	X509 *xtmp = NULL;
@ -937,7 +895,17 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 	return xtmp;
 }
-static int check_trust(X509_STORE_CTX *ctx)
+X509 *
 x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 {
 	if (ctx->lookup_certs == NULL || ctx->ctx == NULL ||
 	    ctx->ctx->objs == NULL)
 		return NULL;
 	return lookup_cert_match(ctx, x);
 }
 static int
 check_trust(X509_STORE_CTX *ctx)
 {
 	size_t i;
 	int ok;
@ -991,7 +959,8 @@ static int check_trust(X509_STORE_CTX *ctx)
 	return X509_TRUST_UNTRUSTED;
 }
-int x509_vfy_check_trust(X509_STORE_CTX *ctx)
+int
 x509_vfy_check_trust(X509_STORE_CTX *ctx)
 {
 	return check_trust(ctx);
 }
@ -1794,6 +1763,11 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
 	if (ctx->parent)
 		return 1;
 	/* X509_policy_check always allocates a new tree. */
 	X509_policy_tree_free(ctx->tree);
 	ctx->tree = NULL;
 	ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
 	    ctx->param->policies, ctx->param->flags);
 	if (ret == 0) {
@ -1905,7 +1879,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
 }
 static int
-internal_verify(X509_STORE_CTX *ctx)
+x509_vfy_internal_verify(X509_STORE_CTX *ctx, int chain_verified)
 {
 	int n = sk_X509_num(ctx->chain) - 1;
 	X509 *xi = sk_X509_value(ctx->chain, n);
@ -1941,8 +1915,8 @@ internal_verify(X509_STORE_CTX *ctx)
 		 * certificate and its depth (rather than the depth of
 		 * the subject).
 		 */
-		if (xs != xi ||
+		if (!chain_verified && ( xs != xi ||
-		    (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
+		    (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) {
 			EVP_PKEY *pkey;
 			if ((pkey = X509_get_pubkey(xi)) == NULL) {
 				if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
@ -1959,7 +1933,7 @@ internal_verify(X509_STORE_CTX *ctx)
 		}
 check_cert:
 		/* Calls verify callback as needed */
-		if (!x509_check_cert_time(ctx, xs, n))
+		if (!chain_verified && !x509_check_cert_time(ctx, xs, n))
 			return 0;
 		/*
@ -1980,6 +1954,22 @@ check_cert:
 	return 1;
 }
 static int
 internal_verify(X509_STORE_CTX *ctx)
 {
 	return x509_vfy_internal_verify(ctx, 0);
 }
 /*
 * Internal verify, but with a chain where the verification
 * math has already been performed.
 */
 int
 x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx)
 {
 	return x509_vfy_internal_verify(ctx, 1);
 }
 int
 X509_cmp_current_time(const ASN1_TIME *ctm)
 {
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.22 2020/09/14 08:10:04 beck Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@ -172,6 +172,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param)
 	X509_VERIFY_PARAM_ID *paramid;
 	if (!param)
 		return;
 	free(param->name);
 	param->name = NULL;
 	param->purpose = 0;
 	param->trust = 0;
@ -207,7 +208,7 @@ X509_VERIFY_PARAM_new(void)
 	param = calloc(1, sizeof(X509_VERIFY_PARAM));
 	if (param == NULL)
 		return NULL;
-	paramid = calloc (1, sizeof(X509_VERIFY_PARAM_ID));
+	paramid = calloc(1, sizeof(X509_VERIFY_PARAM_ID));
 	if (paramid == NULL) {
 		free(param);
 		return NULL;
@ -227,7 +228,8 @@ X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
 	free(param);
 }
-/* This function determines how parameters are "inherited" from one structure
+/*
 * This function determines how parameters are "inherited" from one structure
 * to another. There are several different ways this can happen.
 *
 * 1. If a child structure needs to have its values initialized from a parent
@ -596,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
 static const X509_VERIFY_PARAM default_table[] = {
 	{
 		.name = "default",
 		.flags = X509_V_FLAG_TRUSTED_FIRST,
 		.depth = 100,
 		.trust = 0,  /* XXX This is not the default trust value */
 		.id = vpm_empty_id
@ -673,8 +676,8 @@ X509_VERIFY_PARAM_get_count(void)
 	return num;
 }
-const
+const X509_VERIFY_PARAM *
-X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
+X509_VERIFY_PARAM_get0(int id)
 {
 	int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
 	if (id < num)
@ -682,8 +685,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
 	return sk_X509_VERIFY_PARAM_value(param_table, id - num);
 }
-const
+const X509_VERIFY_PARAM *
-X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name)
+X509_VERIFY_PARAM_lookup(const char *name)
 {
 	X509_VERIFY_PARAM pm;
 	unsigned int i, limit;
--- a/include/compat/pthread.h
+++ b/include/compat/pthread.h
@ -102,6 +102,14 @@ pthread_mutex_unlock(pthread_mutex_t *mutex)
 	return 0;
 }
 static inline int
 pthread_mutex_destroy(pthread_mutex_t *mutex)
 {
 	DeleteCriticalSection(mutex->lock);
 	free(mutex->lock);
 	return 0;
 }
 #else
 #include_next <pthread.h>
 #endif
--- a/include/openssl/asn1.h
+++ b/include/openssl/asn1.h
@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.53 2018/11/30 04:51:19 jeremy Exp $ */
+/* $OpenBSD: asn1.h,v 1.54 2020/12/08 15:06:42 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -1137,6 +1137,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_BAD_OBJECT_HEADER			 102
 #define ASN1_R_BAD_PASSWORD_READ			 103
 #define ASN1_R_BAD_TAG					 104
 #define ASN1_R_BAD_TEMPLATE				 230
 #define ASN1_R_BMPSTRING_IS_WRONG_LENGTH		 214
 #define ASN1_R_BN_LIB					 105
 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH			 106
--- a/include/openssl/bn.h
+++ b/include/openssl/bn.h
@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.39 2019/08/25 19:23:59 schwarze Exp $ */
+/* $OpenBSD: bn.h,v 1.43 2021/09/10 14:33:44 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -231,6 +231,15 @@ extern "C" {
 #define BN_set_flags(b,n)	((b)->flags|=(n))
 #define BN_get_flags(b,n)	((b)->flags&(n))
 /* Values for |top| in BN_rand() */
 #define BN_RAND_TOP_ANY    -1
 #define BN_RAND_TOP_ONE     0
 #define BN_RAND_TOP_TWO     1
 /* Values for |bottom| in BN_rand() */
 #define BN_RAND_BOTTOM_ANY  0
 #define BN_RAND_BOTTOM_ODD  1
 /* get a clone of a BIGNUM with changed flags, for *temporary* use only
 * (the two BIGNUMs cannot not be used in parallel!) */
 #define BN_with_flags(dest,b,n)  ((dest)->d=(b)->d, \
@ -428,6 +437,9 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
 void	BN_swap(BIGNUM *a, BIGNUM *b);
 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
 int	BN_bn2bin(const BIGNUM *a, unsigned char *to);
 int	BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
 BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret);
 int	BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen);
 BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret);
 int	BN_bn2mpi(const BIGNUM *a, unsigned char *to);
 int	BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
--- a/include/openssl/dtls1.h
+++ b/include/openssl/dtls1.h
@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.23 2020/03/12 17:01:53 jsing Exp $ */
+/* $OpenBSD: dtls1.h,v 1.27 2021/05/16 13:56:30 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@ -78,6 +78,8 @@ extern "C" {
 #endif
 #define DTLS1_VERSION			0xFEFF
 #define DTLS1_2_VERSION			0xFEFD
 #define DTLS1_VERSION_MAJOR		0xFE
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     256
@ -93,91 +95,6 @@ extern "C" {
 #define DTLS1_AL_HEADER_LENGTH                   2
 #ifndef OPENSSL_NO_SSL_INTERN
 typedef struct dtls1_bitmap_st {
 	unsigned long map;		/* track 32 packets on 32-bit systems
 					   and 64 - on 64-bit systems */
 	unsigned char max_seq_num[8];	/* max record number seen so far,
 					   64-bit value in big-endian
 					   encoding */
 } DTLS1_BITMAP;
 struct dtls1_retransmit_state {
 	EVP_CIPHER_CTX *enc_write_ctx;	/* cryptographic state */
 	EVP_MD_CTX *write_hash;		/* used for mac generation */
 	SSL_SESSION *session;
 	unsigned short epoch;
 };
 struct hm_header_st {
 	unsigned char type;
 	unsigned long msg_len;
 	unsigned short seq;
 	unsigned long frag_off;
 	unsigned long frag_len;
 	unsigned int is_ccs;
 	struct dtls1_retransmit_state saved_retransmit_state;
 };
 struct ccs_header_st {
 	unsigned char type;
 	unsigned short seq;
 };
 struct dtls1_timeout_st {
 	/* Number of read timeouts so far */
 	unsigned int read_timeouts;
 	/* Number of write timeouts so far */
 	unsigned int write_timeouts;
 	/* Number of alerts received so far */
 	unsigned int num_alerts;
 };
 struct _pqueue;
 typedef struct record_pqueue_st {
 	unsigned short epoch;
 	struct _pqueue *q;
 } record_pqueue;
 typedef struct hm_fragment_st {
 	struct hm_header_st msg_header;
 	unsigned char *fragment;
 	unsigned char *reassembly;
 } hm_fragment;
 struct dtls1_state_internal_st;
 typedef struct dtls1_state_st {
 	/* Buffered (sent) handshake records */
 	struct _pqueue *sent_messages;
 	/* Indicates when the last handshake msg or heartbeat sent will timeout */
 	struct timeval next_timeout;
 	/* Timeout duration */
 	unsigned short timeout_duration;
 	struct dtls1_state_internal_st *internal;
 } DTLS1_STATE;
 #ifndef LIBRESSL_INTERNAL
 typedef struct dtls1_record_data_st {
 	unsigned char *packet;
 	unsigned int   packet_length;
 	SSL3_BUFFER    rbuf;
 	SSL3_RECORD    rrec;
 } DTLS1_RECORD_DATA;
 #endif
 #endif
 /* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
 #define DTLS1_TMO_READ_COUNT                      2
 #define DTLS1_TMO_WRITE_COUNT                     2
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ec.h,v 1.18 2019/09/29 10:09:09 tb Exp $ */
+/* $OpenBSD: ec.h,v 1.27 2021/09/12 16:23:19 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@ -250,6 +250,8 @@ const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);
 */
 int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx);
 int EC_GROUP_order_bits(const EC_GROUP *group);
 /** Gets the cofactor of a EC_GROUP
 *  \param  group     EC_GROUP object
 *  \param  cofactor  BIGNUM to which the cofactor is copied
@ -280,6 +282,11 @@ unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
 size_t EC_GROUP_get_seed_len(const EC_GROUP *);
 size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
 int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
    const BIGNUM *b, BN_CTX *ctx);
 int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
    BN_CTX *ctx);
 #if !defined(LIBRESSL_INTERNAL)
 /** Sets the parameter of a ec over GFp defined by y^2 = x^3 + a*x + b
 *  \param  group  EC_GROUP object
 *  \param  p      BIGNUM with the prime number
@ -321,6 +328,8 @@ int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, c
 */
 int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
 #endif
 #endif
 /** Returns the number of bits needed to represent a field element 
 *  \param  group  EC_GROUP object
 *  \return number of bits needed to represent a field element
@ -446,6 +455,22 @@ const EC_METHOD *EC_POINT_method_of(const EC_POINT *point);
 */
 int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point);
 int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *p,
    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
 int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
    BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
 int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p,
    const BIGNUM *x, int y_bit, BN_CTX *ctx);
 #if defined(LIBRESSL_INTERNAL)
 int EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *p,
    const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx);
 int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group,
    const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx);
 #else
 /** Sets the jacobian projective coordinates of a EC_POINT over GFp
 *  \param  group  underlying EC_GROUP object
 *  \param  p      EC_POINT object
@ -502,6 +527,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
 */
 int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
 	const BIGNUM *x, int y_bit, BN_CTX *ctx);
 #ifndef OPENSSL_NO_EC2M
 /** Sets the affine coordinates of a EC_POINT over GF2m
 *  \param  group  underlying EC_GROUP object
@ -535,7 +561,9 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
 */
 int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
 	const BIGNUM *x, int y_bit, BN_CTX *ctx);
-#endif
+#endif /* OPENSSL_NO_EC2M */
 #endif /* !LIBRESSL_INTERNAL */
 /** Encodes a EC_POINT object to a octet string
 *  \param  group  underlying EC_GROUP object
 *  \param  p      EC_POINT object
@ -680,7 +708,8 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
 	unsigned int *k2, unsigned int *k3);
 #endif
-#define OPENSSL_EC_NAMED_CURVE	0x001
+#define OPENSSL_EC_EXPLICIT_CURVE	0x000
 #define OPENSSL_EC_NAMED_CURVE		0x001
 typedef struct ecpk_parameters_st ECPKPARAMETERS;
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.79 2020/04/27 19:31:02 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.83 2021/05/10 17:00:32 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -617,7 +617,7 @@ int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 #ifndef LIBRESSL_INTERNAL
 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 #endif
-	
+
 int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
    EVP_PKEY *pkey);
@ -628,11 +628,17 @@ int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
    const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
 int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen);
 int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
    const unsigned char *tbs, size_t tbslen);
 int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
    const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
 int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
    size_t siglen);
 int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
    size_t siglen, const unsigned char *tbs, size_t tbslen);
 int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
    const unsigned char *ek, int ekl, const unsigned char *iv, EVP_PKEY *priv);
 int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
@ -1149,6 +1155,8 @@ void EVP_PKEY_CTX_set0_keygen_info(EVP_PKEY_CTX *ctx, int *dat, int datlen);
 EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key,
    int keylen);
 EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
    size_t len, const EVP_CIPHER *cipher);
 void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data);
 void *EVP_PKEY_CTX_get_data(EVP_PKEY_CTX *ctx);
@ -1512,6 +1520,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_INVALID_OPERATION				 148
 #define EVP_R_IV_TOO_LARGE				 102
 #define EVP_R_KEYGEN_FAILURE				 120
 #define EVP_R_KEY_SETUP_FAILED				 180
 #define EVP_R_MESSAGE_DIGEST_IS_NULL			 159
 #define EVP_R_METHOD_NOT_SUPPORTED			 144
 #define EVP_R_MISSING_PARAMETERS			 103
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@ -853,10 +853,34 @@
 #define NID_id_smime_ct_compressedData		786
 #define OBJ_id_smime_ct_compressedData		OBJ_id_smime_ct,9L
 #define SN_id_ct_routeOriginAuthz		"id-ct-routeOriginAuthz"
 #define NID_id_ct_routeOriginAuthz		1001
 #define OBJ_id_ct_routeOriginAuthz		OBJ_id_smime_ct,24L
 #define SN_id_ct_rpkiManifest		"id-ct-rpkiManifest"
 #define NID_id_ct_rpkiManifest		1002
 #define OBJ_id_ct_rpkiManifest		OBJ_id_smime_ct,26L
 #define SN_id_ct_asciiTextWithCRLF		"id-ct-asciiTextWithCRLF"
 #define NID_id_ct_asciiTextWithCRLF		787
 #define OBJ_id_ct_asciiTextWithCRLF		OBJ_id_smime_ct,27L
 #define SN_id_ct_rpkiGhostbusters		"id-ct-rpkiGhostbusters"
 #define NID_id_ct_rpkiGhostbusters		1003
 #define OBJ_id_ct_rpkiGhostbusters		OBJ_id_smime_ct,35L
 #define SN_id_ct_resourceTaggedAttest		"id-ct-resourceTaggedAttest"
 #define NID_id_ct_resourceTaggedAttest		1004
 #define OBJ_id_ct_resourceTaggedAttest		OBJ_id_smime_ct,36L
 #define SN_id_ct_geofeedCSVwithCRLF		"id-ct-geofeedCSVwithCRLF"
 #define NID_id_ct_geofeedCSVwithCRLF		1013
 #define OBJ_id_ct_geofeedCSVwithCRLF		OBJ_id_smime_ct,47L
 #define SN_id_ct_signedChecklist		"id-ct-signedChecklist"
 #define NID_id_ct_signedChecklist		1014
 #define OBJ_id_ct_signedChecklist		OBJ_id_smime_ct,48L
 #define SN_id_smime_aa_receiptRequest		"id-smime-aa-receiptRequest"
 #define NID_id_smime_aa_receiptRequest		212
 #define OBJ_id_smime_aa_receiptRequest		OBJ_id_smime_aa,1L
@ -1366,6 +1390,10 @@
 #define NID_id_cct		268
 #define OBJ_id_cct		OBJ_id_pkix,12L
 #define SN_id_cp		"id-cp"
 #define NID_id_cp		1005
 #define OBJ_id_cp		OBJ_id_pkix,14L
 #define SN_id_ppl		"id-ppl"
 #define NID_id_ppl		662
 #define OBJ_id_ppl		OBJ_id_pkix,21L
@ -1490,6 +1518,14 @@
 #define NID_proxyCertInfo		663
 #define OBJ_proxyCertInfo		OBJ_id_pe,14L
 #define SN_sbgp_ipAddrBlockv2		"sbgp-ipAddrBlockv2"
 #define NID_sbgp_ipAddrBlockv2		1006
 #define OBJ_sbgp_ipAddrBlockv2		OBJ_id_pe,28L
 #define SN_sbgp_autonomousSysNumv2		"sbgp-autonomousSysNumv2"
 #define NID_sbgp_autonomousSysNumv2		1007
 #define OBJ_sbgp_autonomousSysNumv2		OBJ_id_pe,29L
 #define SN_id_qt_cps		"id-qt-cps"
 #define LN_id_qt_cps		"Policy Qualifier CPS"
 #define NID_id_qt_cps		164
@ -1554,6 +1590,11 @@
 #define NID_dvcs		297
 #define OBJ_dvcs		OBJ_id_kp,10L
 #define SN_id_kp_bgpsec_router		"id-kp-bgpsec-router"
 #define LN_id_kp_bgpsec_router		"BGPsec Router"
 #define NID_id_kp_bgpsec_router		1015
 #define OBJ_id_kp_bgpsec_router		OBJ_id_kp,30L
 #define SN_id_it_caProtEncCert		"id-it-caProtEncCert"
 #define NID_id_it_caProtEncCert		298
 #define OBJ_id_it_caProtEncCert		OBJ_id_it,1L
@ -1823,6 +1864,14 @@
 #define NID_id_cct_PKIResponse		362
 #define OBJ_id_cct_PKIResponse		OBJ_id_cct,3L
 #define SN_ipAddr_asNumber		"ipAddr-asNumber"
 #define NID_ipAddr_asNumber		1008
 #define OBJ_ipAddr_asNumber		OBJ_id_cp,2L
 #define SN_ipAddr_asNumberv2		"ipAddr-asNumberv2"
 #define NID_ipAddr_asNumberv2		1009
 #define OBJ_ipAddr_asNumberv2		OBJ_id_cp,3L
 #define SN_id_ppl_anyLanguage		"id-ppl-anyLanguage"
 #define LN_id_ppl_anyLanguage		"Any language"
 #define NID_id_ppl_anyLanguage		664
@ -1863,6 +1912,21 @@
 #define NID_caRepository		785
 #define OBJ_caRepository		OBJ_id_ad,5L
 #define SN_rpkiManifest		"rpkiManifest"
 #define LN_rpkiManifest		"RPKI Manifest"
 #define NID_rpkiManifest		1010
 #define OBJ_rpkiManifest		OBJ_id_ad,10L
 #define SN_signedObject		"signedObject"
 #define LN_signedObject		"Signed Object"
 #define NID_signedObject		1011
 #define OBJ_signedObject		OBJ_id_ad,11L
 #define SN_rpkiNotify		"rpkiNotify"
 #define LN_rpkiNotify		"RPKI Notify"
 #define NID_rpkiNotify		1012
 #define OBJ_rpkiNotify		OBJ_id_ad,13L
 #define OBJ_id_pkix_OCSP		OBJ_ad_OCSP
 #define SN_id_pkix_OCSP_basic		"basicOCSPResponse"
--- a/include/openssl/opensslfeatures.h
+++ b/include/openssl/opensslfeatures.h
@ -3,7 +3,8 @@
 * are enabled, rather than not being able to tell when things are
 * enabled (or possibly not yet not implemented, or removed!).
 */
-/* #define LIBRESSL_HAS_TLS1_3 */
+#define LIBRESSL_HAS_TLS1_3
 #define LIBRESSL_HAS_DTLS1_2
 #define OPENSSL_THREADS
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@ -1,11 +1,11 @@
-/* $OpenBSD: opensslv.h,v 1.61 2020/09/25 11:31:39 bcook Exp $ */
+/* $OpenBSD: opensslv.h,v 1.66 2021/09/15 17:14:26 tb Exp $ */
 #ifndef HEADER_OPENSSLV_H
 #define HEADER_OPENSSLV_H
 /* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x3020200fL
+#define LIBRESSL_VERSION_NUMBER 0x3040200fL
 /*                                    ^ Patch starts here   */
-#define LIBRESSL_VERSION_TEXT   "LibreSSL 3.2.2"
+#define LIBRESSL_VERSION_TEXT   "LibreSSL 3.4.2"
 /* These will never change */
 #define OPENSSL_VERSION_NUMBER	0x20000000L
--- a/include/openssl/srtp.h
+++ b/include/openssl/srtp.h
@ -1,4 +1,4 @@
-/* $OpenBSD: srtp.h,v 1.6 2015/09/01 15:18:23 jsing Exp $ */
+/* $OpenBSD: srtp.h,v 1.7 2021/06/11 15:28:13 landry Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -129,6 +129,10 @@ extern "C" {
 #define SRTP_NULL_SHA1_80      0x0005
 #define SRTP_NULL_SHA1_32      0x0006
 /* AEAD SRTP protection profiles from RFC 7714 */
 #define SRTP_AEAD_AES_128_GCM  0x0007
 #define SRTP_AEAD_AES_256_GCM  0x0008
 int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles);
 int SSL_set_tlsext_use_srtp(SSL *ctx, const char *profiles);
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.178 2020/09/20 09:42:00 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.209 2021/09/14 23:07:18 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -301,6 +301,7 @@ extern "C" {
 #define SSL_TXT_STREEBOG512		"STREEBOG512"
 #define SSL_TXT_DTLS1		"DTLSv1"
 #define SSL_TXT_DTLS1_2		"DTLSv1.2"
 #define SSL_TXT_SSLV2		"SSLv2"
 #define SSL_TXT_SSLV3		"SSLv3"
 #define SSL_TXT_TLSV1		"TLSv1"
@ -356,7 +357,9 @@ extern "C" {
 * in SSL_CTX. */
 typedef struct ssl_st *ssl_crock_st;
 #if defined(LIBRESSL_INTERNAL)
 typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
 #endif
 typedef struct ssl_method_st SSL_METHOD;
 typedef struct ssl_cipher_st SSL_CIPHER;
 typedef struct ssl_session_st SSL_SESSION;
@ -376,113 +379,6 @@ typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
 typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
    STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
 #ifndef OPENSSL_NO_SSL_INTERN
 /* used to hold info on the particular ciphers used */
 struct ssl_cipher_st {
 	int valid;
 	const char *name;		/* text name */
 	unsigned long id;		/* id, 4 bytes, first is version */
 	unsigned long algorithm_mkey;	/* key exchange algorithm */
 	unsigned long algorithm_auth;	/* server authentication */
 	unsigned long algorithm_enc;	/* symmetric encryption */
 	unsigned long algorithm_mac;	/* symmetric authentication */
 	unsigned long algorithm_ssl;	/* (major) protocol version */
 	unsigned long algo_strength;	/* strength and export flags */
 	unsigned long algorithm2;	/* Extra flags */
 	int strength_bits;		/* Number of bits really used */
 	int alg_bits;			/* Number of bits for algorithm */
 };
 /* Used to hold functions for SSLv3/TLSv1 functions */
 struct ssl_method_internal_st;
 struct ssl_method_st {
 	int (*ssl_dispatch_alert)(SSL *s);
 	int (*num_ciphers)(void);
 	const SSL_CIPHER *(*get_cipher)(unsigned int ncipher);
 	const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
 	int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr);
 	const struct ssl_method_internal_st *internal;
 };
 /* Lets make this into an ASN.1 type structure as follows
 * SSL_SESSION_ID ::= SEQUENCE {
 *	version 		INTEGER,	-- structure version number
 *	SSLversion 		INTEGER,	-- SSL version number
 *	Cipher 			OCTET STRING,	-- the 3 byte cipher ID
 *	Session_ID 		OCTET STRING,	-- the Session ID
 *	Master_key 		OCTET STRING,	-- the master key
 *	KRB5_principal		OCTET STRING	-- optional Kerberos principal
 *	Time [ 1 ] EXPLICIT	INTEGER,	-- optional Start Time
 *	Timeout [ 2 ] EXPLICIT	INTEGER,	-- optional Timeout ins seconds
 *	Peer [ 3 ] EXPLICIT	X509,		-- optional Peer Certificate
 *	Session_ID_context [ 4 ] EXPLICIT OCTET STRING,   -- the Session ID context
 *	Verify_result [ 5 ] EXPLICIT INTEGER,   -- X509_V_... code for `Peer'
 *	HostName [ 6 ] EXPLICIT OCTET STRING,   -- optional HostName from servername TLS extension
 *	PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
 *	PSK_identity [ 8 ] EXPLICIT OCTET STRING,  -- optional PSK identity
 *	Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
 *	Ticket [10]             EXPLICIT OCTET STRING, -- session ticket (clients only)
 *	Compression_meth [11]   EXPLICIT OCTET STRING, -- optional compression method
 *	SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
 *	}
 * Look in ssl/ssl_asn1.c for more details
 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
 */
 struct ssl_session_internal_st;
 struct ssl_session_st {
 	int ssl_version;	/* what ssl version session info is
 				 * being kept in here? */
 	int master_key_length;
 	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
 	/* session_id - valid? */
 	unsigned int session_id_length;
 	unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
 	/* this is used to determine whether the session is being reused in
 	 * the appropriate context. It is up to the application to set this,
 	 * via SSL_new */
 	unsigned int sid_ctx_length;
 	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 	/* This is the cert for the other end. */
 	X509 *peer;
 	/* when app_verify_callback accepts a session where the peer's certificate
 	 * is not ok, we must remember the error for session reuse: */
 	long verify_result; /* only for servers */
 	long timeout;
 	time_t time;
 	int references;
 	const SSL_CIPHER *cipher;
 	unsigned long cipher_id;	/* when ASN.1 loaded, this
 					 * needs to be used to load
 					 * the 'cipher' structure */
 	STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
 	char *tlsext_hostname;
 	/* RFC4507 info */
 	unsigned char *tlsext_tick;	/* Session ticket */
 	size_t tlsext_ticklen;		/* Session ticket length */
 	long tlsext_tick_lifetime_hint;	/* Session lifetime hint in seconds */
 	struct ssl_session_internal_st *internal;
 };
 #endif
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
@ -520,6 +416,9 @@ struct ssl_session_st {
 #define SSL_OP_NO_TLSv1_3				0x20000000L
 #endif
 #define SSL_OP_NO_DTLSv1				0x40000000L
 #define SSL_OP_NO_DTLSv1_2				0x80000000L
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */
 #define SSL_OP_ALL \
    (SSL_OP_LEGACY_SERVER_CONNECT)
@ -610,8 +509,10 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #ifndef LIBRESSL_INTERNAL
 struct ssl_aead_ctx_st;
 typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
 #endif
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
@ -635,7 +536,7 @@ typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
 typedef struct ssl_comp_st SSL_COMP;
-#ifndef OPENSSL_NO_SSL_INTERN
+#ifdef LIBRESSL_INTERNAL
 struct ssl_comp_st {
 	int id;
@ -782,6 +683,12 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
 void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
    unsigned int *len);
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md,
    const unsigned char **id, size_t *idlen, SSL_SESSION **sess);
 void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
 #endif
 #define SSL_NOTHING	1
 #define SSL_WRITING	2
 #define SSL_READING	3
@ -796,7 +703,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
 #define SSL_MAC_FLAG_READ_MAC_STREAM 1
 #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
-#ifndef OPENSSL_NO_SSL_INTERN
+#if defined(LIBRESSL_INTERNAL)
 struct ssl_internal_st;
 struct ssl_st {
@ -954,6 +861,13 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 #define SSL_VERIFY_PEER			0x01
 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT	0x02
 #define SSL_VERIFY_CLIENT_ONCE		0x04
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 #define SSL_VERIFY_POST_HANDSHAKE	0x08
 int SSL_verify_client_post_handshake(SSL *s);
 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
 void SSL_set_post_handshake_auth(SSL *s, int val);
 #endif
 #define OpenSSL_add_ssl_algorithms()	SSL_library_init()
 #define SSLeay_add_ssl_algorithms()	SSL_library_init()
@ -982,40 +896,53 @@ SSL_SESSION *PEM_read_SSL_SESSION(FILE *fp, SSL_SESSION **x,
 int PEM_write_bio_SSL_SESSION(BIO *bp, SSL_SESSION *x);
 int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
-#define SSL_AD_REASON_OFFSET		1000 /* offset to get SSL_R_... value from SSL_AD_... */
+/*
 * TLS Alerts.
 *
 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6
 */
-/* These alert types are for SSLv3 and TLSv1 */
+/* Obsolete alerts. */
-#define SSL_AD_CLOSE_NOTIFY		SSL3_AD_CLOSE_NOTIFY
+#ifndef LIBRESSL_INTERNAL
-#define SSL_AD_UNEXPECTED_MESSAGE	SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
+#define SSL_AD_DECRYPTION_FAILED		21	/* Removed in TLSv1.1 */
-#define SSL_AD_BAD_RECORD_MAC		SSL3_AD_BAD_RECORD_MAC     /* fatal */
+#define SSL_AD_NO_CERTIFICATE			41	/* Removed in TLSv1.0 */
-#define SSL_AD_DECRYPTION_FAILED	TLS1_AD_DECRYPTION_FAILED
+#define SSL_AD_EXPORT_RESTRICTION		60	/* Removed in TLSv1.1 */
-#define SSL_AD_RECORD_OVERFLOW		TLS1_AD_RECORD_OVERFLOW
+#endif
-#define SSL_AD_DECOMPRESSION_FAILURE	SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
+
-#define SSL_AD_HANDSHAKE_FAILURE	SSL3_AD_HANDSHAKE_FAILURE/* fatal */
+#define SSL_AD_CLOSE_NOTIFY			0
-#define SSL_AD_NO_CERTIFICATE		SSL3_AD_NO_CERTIFICATE /* Not for TLS */
+#define SSL_AD_UNEXPECTED_MESSAGE		10
-#define SSL_AD_BAD_CERTIFICATE		SSL3_AD_BAD_CERTIFICATE
+#define SSL_AD_BAD_RECORD_MAC			20
-#define SSL_AD_UNSUPPORTED_CERTIFICATE	SSL3_AD_UNSUPPORTED_CERTIFICATE
+#define SSL_AD_RECORD_OVERFLOW			22
-#define SSL_AD_CERTIFICATE_REVOKED	SSL3_AD_CERTIFICATE_REVOKED
+#define SSL_AD_DECOMPRESSION_FAILURE		30	/* Removed in TLSv1.3 */
-#define SSL_AD_CERTIFICATE_EXPIRED	SSL3_AD_CERTIFICATE_EXPIRED
+#define SSL_AD_HANDSHAKE_FAILURE		40
-#define SSL_AD_CERTIFICATE_UNKNOWN	SSL3_AD_CERTIFICATE_UNKNOWN
+#define SSL_AD_BAD_CERTIFICATE			42
-#define SSL_AD_ILLEGAL_PARAMETER	SSL3_AD_ILLEGAL_PARAMETER   /* fatal */
+#define SSL_AD_UNSUPPORTED_CERTIFICATE		43
-#define SSL_AD_UNKNOWN_CA		TLS1_AD_UNKNOWN_CA	/* fatal */
+#define SSL_AD_CERTIFICATE_REVOKED		44
-#define SSL_AD_ACCESS_DENIED		TLS1_AD_ACCESS_DENIED	/* fatal */
+#define SSL_AD_CERTIFICATE_EXPIRED		45
-#define SSL_AD_DECODE_ERROR		TLS1_AD_DECODE_ERROR	/* fatal */
+#define SSL_AD_CERTIFICATE_UNKNOWN		46
-#define SSL_AD_DECRYPT_ERROR		TLS1_AD_DECRYPT_ERROR
+#define SSL_AD_ILLEGAL_PARAMETER		47
-#define SSL_AD_EXPORT_RESTRICTION	TLS1_AD_EXPORT_RESTRICTION/* fatal */
+#define SSL_AD_UNKNOWN_CA			48
-#define SSL_AD_PROTOCOL_VERSION		TLS1_AD_PROTOCOL_VERSION /* fatal */
+#define SSL_AD_ACCESS_DENIED			49
-#define SSL_AD_INSUFFICIENT_SECURITY	TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
+#define SSL_AD_DECODE_ERROR			50
-#define SSL_AD_INTERNAL_ERROR		TLS1_AD_INTERNAL_ERROR	/* fatal */
+#define SSL_AD_DECRYPT_ERROR			51
-#define SSL_AD_INAPPROPRIATE_FALLBACK	TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
+#define SSL_AD_PROTOCOL_VERSION			70
-#define SSL_AD_USER_CANCELLED		TLS1_AD_USER_CANCELLED
+#define SSL_AD_INSUFFICIENT_SECURITY		71
-#define SSL_AD_NO_RENEGOTIATION		TLS1_AD_NO_RENEGOTIATION
+#define SSL_AD_INTERNAL_ERROR			80
-#define SSL_AD_UNSUPPORTED_EXTENSION	TLS1_AD_UNSUPPORTED_EXTENSION
+#define SSL_AD_INAPPROPRIATE_FALLBACK		86
-#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
+#define SSL_AD_USER_CANCELLED			90
-#define SSL_AD_UNRECOGNIZED_NAME	TLS1_AD_UNRECOGNIZED_NAME
+#define SSL_AD_NO_RENEGOTIATION			100	/* Removed in TLSv1.3 */
-#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
+#define SSL_AD_MISSING_EXTENSION		109	/* Added in TLSv1.3. */
-#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
+#define SSL_AD_UNSUPPORTED_EXTENSION		110
-#define SSL_AD_UNKNOWN_PSK_IDENTITY	TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_CERTIFICATE_UNOBTAINABLE		111	/* Removed in TLSv1.3 */
 #define SSL_AD_UNRECOGNIZED_NAME		112
 #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE	113
 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE	114	/* Removed in TLSv1.3 */
 #define SSL_AD_UNKNOWN_PSK_IDENTITY		115
 #define SSL_AD_CERTIFICATE_REQUIRED		116
 #define SSL_AD_NO_APPLICATION_PROTOCOL		120
 /* Offset to get an SSL_R_... value from an SSL_AD_... value. */
 #define SSL_AD_REASON_OFFSET			1000
 #define SSL_ERROR_NONE			0
 #define SSL_ERROR_SSL			1
@ -1088,6 +1015,7 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB	63
 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG	129
 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG	64
 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE	127
 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE	65
 #define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS	66
 #define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS	67
@ -1127,6 +1055,7 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_SET_ECDH_AUTO			94
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 #define SSL_CTRL_GET_PEER_SIGNATURE_NID			108
 #define SSL_CTRL_GET_PEER_TMP_KEY			109
 #define SSL_CTRL_GET_SERVER_TMP_KEY SSL_CTRL_GET_PEER_TMP_KEY
 #else
@ -1142,6 +1071,10 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_GET_MIN_PROTO_VERSION			130
 #define SSL_CTRL_GET_MAX_PROTO_VERSION			131
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 #define SSL_CTRL_GET_SIGNATURE_NID			132
 #endif
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
 #define DTLSv1_handle_timeout(ssl) \
@ -1214,6 +1147,8 @@ int SSL_get_max_proto_version(SSL *ssl);
 int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
 int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
 const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx);
 #ifndef LIBRESSL_INTERNAL
 #define SSL_CTRL_SET_CURVES			SSL_CTRL_SET_GROUPS
 #define SSL_CTRL_SET_CURVES_LIST		SSL_CTRL_SET_GROUPS_LIST
@ -1237,8 +1172,17 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
 	SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 #define SSL_get_signature_nid(s, pn) \
 	SSL_ctrl(s, SSL_CTRL_GET_SIGNATURE_NID, 0, pn)
 #define SSL_get_peer_signature_nid(s, pn) \
 	SSL_ctrl(s, SSL_CTRL_GET_PEER_SIGNATURE_NID, 0, pn)
 #define SSL_get_peer_tmp_key(s, pk) \
 	SSL_ctrl(s, SSL_CTRL_GET_PEER_TMP_KEY, 0, pk)
 int SSL_get_signature_type_nid(const SSL *ssl, int *nid);
 int SSL_get_peer_signature_type_nid(const SSL *ssl, int *nid);
 #endif /* LIBRESSL_HAS_TLS1_3 || LIBRESSL_INTERNAL */
 #ifndef LIBRESSL_INTERNAL
@ -1296,6 +1240,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *ctx);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
 int SSL_want(const SSL *s);
 int	SSL_clear(SSL *s);
@ -1309,6 +1254,7 @@ const char *	SSL_CIPHER_get_version(const SSL_CIPHER *c);
 const char *	SSL_CIPHER_get_name(const SSL_CIPHER *c);
 unsigned long 	SSL_CIPHER_get_id(const SSL_CIPHER *c);
 uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c);
 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
@ -1327,6 +1273,7 @@ int	SSL_set_rfd(SSL *s, int fd);
 int	SSL_set_wfd(SSL *s, int fd);
 void	SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
 BIO *	SSL_get_rbio(const SSL *s);
 void	SSL_set0_rbio(SSL *s, BIO *rbio);
 BIO *	SSL_get_wbio(const SSL *s);
 int	SSL_set_cipher_list(SSL *s, const char *str);
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
@ -1349,6 +1296,7 @@ int	SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
 int	SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
 int	SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
 int	SSL_use_certificate_file(SSL *ssl, const char *file, int type);
 int	SSL_use_certificate_chain_file(SSL *ssl, const char *file);
 int	SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
 int	SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
 int	SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
@ -1365,6 +1313,7 @@ const char *SSL_state_string(const SSL *s);
 const char *SSL_rstate_string(const SSL *s);
 const char *SSL_state_string_long(const SSL *s);
 const char *SSL_rstate_string_long(const SSL *s);
 const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *ss);
 size_t	SSL_SESSION_get_master_key(const SSL_SESSION *ss,
 	    unsigned char *out, size_t max_out);
 int	SSL_SESSION_get_protocol_version(const SSL_SESSION *s);
@ -1378,6 +1327,9 @@ int	SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
 	    unsigned int sid_len);
 int	SSL_SESSION_set1_id_context(SSL_SESSION *s,
 	    const unsigned char *sid_ctx, unsigned int sid_ctx_len);
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 int SSL_SESSION_is_resumable(const SSL_SESSION *s);
 #endif
 SSL_SESSION *SSL_SESSION_new(void);
 void	SSL_SESSION_free(SSL_SESSION *ses);
@ -1443,9 +1395,8 @@ int SSL_set_purpose(SSL *s, int purpose);
 int SSL_CTX_set_trust(SSL_CTX *s, int trust);
 int SSL_set_trust(SSL *s, int trust);
 int SSL_set1_host(SSL *s, const char *hostname);
-#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
+void SSL_set_hostflags(SSL *s, unsigned int flags);
 const char *SSL_get0_peername(SSL *s);
 #endif
 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
@ -1457,6 +1408,7 @@ void	SSL_free(SSL *ssl);
 int	SSL_up_ref(SSL *ssl);
 int 	SSL_accept(SSL *ssl);
 int 	SSL_connect(SSL *ssl);
 int	SSL_is_dtls(const SSL *s);
 int	SSL_is_server(const SSL *s);
 int 	SSL_read(SSL *ssl, void *buf, int num);
 int 	SSL_peek(SSL *ssl, void *buf, int num);
@ -1516,6 +1468,10 @@ const SSL_METHOD *DTLSv1_method(void);		/* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_server_method(void);	/* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_client_method(void);	/* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_2_method(void);	/* DTLSv1.2 */
 const SSL_METHOD *DTLSv1_2_server_method(void);	/* DTLSv1.2 */
 const SSL_METHOD *DTLSv1_2_client_method(void);	/* DTLSv1.2 */
 const SSL_METHOD *DTLS_method(void);		/* DTLS v1.0 or later */
 const SSL_METHOD *DTLS_server_method(void);	/* DTLS v1.0 or later */
 const SSL_METHOD *DTLS_client_method(void);	/* DTLS v1.0 or later */
@ -2035,6 +1991,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_VERIFY_MESSAGE			 174
 #define SSL_R_MULTIPLE_SGC_RESTARTS			 346
 #define SSL_R_NON_SSLV2_INITIAL_PACKET			 175
 #define SSL_R_NO_APPLICATION_PROTOCOL			 235
 #define SSL_R_NO_CERTIFICATES_RETURNED			 176
 #define SSL_R_NO_CERTIFICATE_ASSIGNED			 177
 #define SSL_R_NO_CERTIFICATE_RETURNED			 178
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.51 2020/06/05 18:14:05 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.57 2021/09/10 14:49:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -292,11 +292,11 @@ extern "C" {
 #define SSL3_RT_ALERT			21
 #define SSL3_RT_HANDSHAKE		22
 #define SSL3_RT_APPLICATION_DATA	23
 #define TLS1_RT_HEARTBEAT		24
 #define SSL3_AL_WARNING			1
 #define SSL3_AL_FATAL			2
 #ifndef LIBRESSL_INTERNAL
 #define SSL3_AD_CLOSE_NOTIFY		 0
 #define SSL3_AD_UNEXPECTED_MESSAGE	10	/* fatal */
 #define SSL3_AD_BAD_RECORD_MAC		20	/* fatal */
@ -309,34 +309,11 @@ extern "C" {
 #define SSL3_AD_CERTIFICATE_EXPIRED	45
 #define SSL3_AD_CERTIFICATE_UNKNOWN	46
 #define SSL3_AD_ILLEGAL_PARAMETER	47	/* fatal */
 #endif
 #define TLS1_HB_REQUEST		1
 #define TLS1_HB_RESPONSE	2
 #ifndef OPENSSL_NO_SSL_INTERN
 #ifndef LIBRESSL_INTERNAL
 typedef struct ssl3_record_st {
 /*r */	int type;               /* type of record */
 /*rw*/	unsigned int length;    /* How many bytes available */
 /*r */	unsigned int off;       /* read/write offset into 'buf' */
 /*rw*/	unsigned char *data;    /* pointer to the record data */
 /*rw*/	unsigned char *input;   /* where the decode bytes are */
 /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
 /*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
 } SSL3_RECORD;
 typedef struct ssl3_buffer_st {
 	unsigned char *buf;	/* at least SSL3_RT_MAX_PACKET_SIZE bytes,
 	                         * see ssl3_setup_buffers() */
 	size_t len;		/* buffer size */
 	int offset;		/* where to 'copy from' */
 	int left;		/* how many bytes left */
 } SSL3_BUFFER;
 #endif
 #endif
 #define SSL3_CT_RSA_SIGN			1
 #define SSL3_CT_DSS_SIGN			2
 #define SSL3_CT_RSA_FIXED_DH			3
@ -355,21 +332,6 @@ typedef struct ssl3_buffer_st {
 #define TLS1_FLAGS_FREEZE_TRANSCRIPT		0x0020
 #define SSL3_FLAGS_CCS_OK			0x0080
 #ifndef OPENSSL_NO_SSL_INTERN
 struct ssl3_state_internal_st;
 typedef struct ssl3_state_st {
 	long flags;
 	unsigned char server_random[SSL3_RANDOM_SIZE];
 	unsigned char client_random[SSL3_RANDOM_SIZE];
 	struct ssl3_state_internal_st *internal;
 } SSL3_STATE;
 #endif
 /* SSLv3 */
 /*client */
 /* extra state */
@ -475,6 +437,7 @@ typedef struct ssl3_state_st {
 #define SSL3_MT_CCS				1
 #ifndef LIBRESSL_INTERNAL
 /* These are used when changing over to a new cipher */
 #define SSL3_CC_READ		0x01
 #define SSL3_CC_WRITE		0x02
@ -484,6 +447,7 @@ typedef struct ssl3_state_st {
 #define SSL3_CHANGE_CIPHER_SERVER_READ		(SSL3_CC_SERVER|SSL3_CC_READ)
 #define SSL3_CHANGE_CIPHER_CLIENT_READ		(SSL3_CC_CLIENT|SSL3_CC_READ)
 #define SSL3_CHANGE_CIPHER_SERVER_WRITE		(SSL3_CC_SERVER|SSL3_CC_WRITE)
 #endif
 #ifdef  __cplusplus
 }
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.41 2020/06/05 18:14:05 jsing Exp $ */
+/* $OpenBSD: tls1.h,v 1.49 2021/09/10 14:57:31 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -177,18 +177,7 @@ extern "C" {
 #define TLS1_VERSION_MAJOR		0x03
 #define TLS1_VERSION_MINOR		0x01
-#define TLS1_get_version(s) \
+#ifndef LIBRESSL_INTERNAL
 		((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
 #define TLS1_get_client_version(s) \
 		((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0)
 /*
 * TLS Alert codes.
 *
 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-6
 */
 #define TLS1_AD_DECRYPTION_FAILED		21
 #define TLS1_AD_RECORD_OVERFLOW			22
 #define TLS1_AD_UNKNOWN_CA			48	/* fatal */
@ -211,6 +200,7 @@ extern "C" {
 #define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE	114
 /* Code 115 from RFC 4279. */
 #define TLS1_AD_UNKNOWN_PSK_IDENTITY		115	/* fatal */
 #endif
 /*
 * TLS ExtensionType values.
@ -328,6 +318,9 @@ SSL_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_CB,(void (*)(void))cb)
 #define SSL_set_tlsext_debug_arg(ssl, arg) \
 SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_ARG,0, (void *)arg)
 #define SSL_get_tlsext_status_type(ssl) \
 SSL_ctrl(ssl, SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE, 0, NULL)
 #define SSL_set_tlsext_status_type(ssl, type) \
 SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL)
@ -768,11 +761,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS_MD_MASTER_SECRET_CONST		"master secret"
 #define TLS_MD_MASTER_SECRET_CONST_SIZE		13
 #if defined(LIBRESSL_INTERNAL)
 /* TLS Session Ticket extension struct. */
 struct tls_session_ticket_ext_st {
 	unsigned short length;
 	void *data;
 };
 #endif
 #ifdef  __cplusplus
 }
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.74 2018/08/24 20:26:03 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.76 2021/09/02 12:41:44 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -300,6 +300,10 @@ struct x509_st
 	STACK_OF(DIST_POINT) *crldp;
 	STACK_OF(GENERAL_NAME) *altname;
 	NAME_CONSTRAINTS *nc;
 #ifndef OPENSSL_NO_RFC3779
 	STACK_OF(IPAddressFamily) *rfc3779_addr;
 	struct ASIdentifiers_st *rfc3779_asid;
 #endif
 #ifndef OPENSSL_NO_SHA
 	unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 #endif
@ -692,6 +696,7 @@ int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
 #ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
 int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
 int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
 #endif
 #ifndef OPENSSL_NO_EC
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.31 2020/09/13 15:06:17 beck Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.32 2021/02/24 18:01:31 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@ -247,7 +247,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 	/* The following is built up */
 	int valid;		/* if 0, rebuild chain */
-	int last_untrusted;	/* index of last untrusted cert */
+	int last_untrusted;	/* XXX: number of untrusted certs in chain!!! */
 	STACK_OF(X509) *chain; 		/* chain of X509s - built up and trusted */
 	X509_POLICY_TREE *tree;	/* Valid policy tree */
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */
+/* $OpenBSD: x509v3.h,v 1.5 2021/09/02 13:48:39 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@ -842,6 +842,196 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
 DECLARE_STACK_OF(X509_POLICY_NODE)
 #if defined(LIBRESSL_INTERNAL)
 #ifndef OPENSSL_NO_RFC3779
 typedef struct ASRange_st {
 	ASN1_INTEGER *min, *max;
 } ASRange;
 # define ASIdOrRange_id          0
 # define ASIdOrRange_range       1
 typedef struct ASIdOrRange_st {
    int type;
    union {
        ASN1_INTEGER *id;
        ASRange *range;
    } u;
 } ASIdOrRange;
 typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
 DECLARE_STACK_OF(ASIdOrRange)
 # define ASIdentifierChoice_inherit              0
 # define ASIdentifierChoice_asIdsOrRanges        1
 typedef struct ASIdentifierChoice_st {
    int type;
    union {
        ASN1_NULL *inherit;
        ASIdOrRanges *asIdsOrRanges;
    } u;
 } ASIdentifierChoice;
 typedef struct ASIdentifiers_st {
    ASIdentifierChoice *asnum, *rdi;
 } ASIdentifiers;
 ASRange *ASRange_new(void);
 void ASRange_free(ASRange *a);
 ASRange *d2i_ASRange(ASRange **a, const unsigned char **in, long len);
 int i2d_ASRange(ASRange *a, unsigned char **out);
 extern const ASN1_ITEM ASRange_it;
 ASIdOrRange *ASIdOrRange_new(void);
 void ASIdOrRange_free(ASIdOrRange *a);
 ASIdOrRange *d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in,
    long len);
 int i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out);
 extern const ASN1_ITEM ASIdOrRange_it;
 ASIdentifierChoice *ASIdentifierChoice_new(void);
 void ASIdentifierChoice_free(ASIdentifierChoice *a);
 ASIdentifierChoice *d2i_ASIdentifierChoice(ASIdentifierChoice **a,
    const unsigned char **in, long len);
 int i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out);
 extern const ASN1_ITEM ASIdentifierChoice_it;
 ASIdentifiers *ASIdentifiers_new(void);
 void ASIdentifiers_free(ASIdentifiers *a);
 ASIdentifiers *d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in,
    long len);
 int i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out);
 extern const ASN1_ITEM ASIdentifiers_it;
 typedef struct IPAddressRange_st {
    ASN1_BIT_STRING *min, *max;
 } IPAddressRange;
 # define IPAddressOrRange_addressPrefix  0
 # define IPAddressOrRange_addressRange   1
 typedef struct IPAddressOrRange_st {
    int type;
    union {
        ASN1_BIT_STRING *addressPrefix;
        IPAddressRange *addressRange;
    } u;
 } IPAddressOrRange;
 typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
 DECLARE_STACK_OF(IPAddressOrRange)
 # define IPAddressChoice_inherit                 0
 # define IPAddressChoice_addressesOrRanges       1
 typedef struct IPAddressChoice_st {
    int type;
    union {
        ASN1_NULL *inherit;
        IPAddressOrRanges *addressesOrRanges;
    } u;
 } IPAddressChoice;
 typedef struct IPAddressFamily_st {
    ASN1_OCTET_STRING *addressFamily;
    IPAddressChoice *ipAddressChoice;
 } IPAddressFamily;
 typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
 DECLARE_STACK_OF(IPAddressFamily)
 IPAddressRange *IPAddressRange_new(void);
 void IPAddressRange_free(IPAddressRange *a);
 IPAddressRange *d2i_IPAddressRange(IPAddressRange **a,
    const unsigned char **in, long len);
 int i2d_IPAddressRange(IPAddressRange *a, unsigned char **out);
 extern const ASN1_ITEM IPAddressRange_it;
 IPAddressOrRange *IPAddressOrRange_new(void);
 void IPAddressOrRange_free(IPAddressOrRange *a);
 IPAddressOrRange *d2i_IPAddressOrRange(IPAddressOrRange **a,
    const unsigned char **in, long len);
 int i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out);
 extern const ASN1_ITEM IPAddressOrRange_it;
 IPAddressChoice *IPAddressChoice_new(void);
 void IPAddressChoice_free(IPAddressChoice *a);
 IPAddressChoice *d2i_IPAddressChoice(IPAddressChoice **a,
    const unsigned char **in, long len);
 int i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out);
 extern const ASN1_ITEM IPAddressChoice_it;
 IPAddressFamily *IPAddressFamily_new(void);
 void IPAddressFamily_free(IPAddressFamily *a);
 IPAddressFamily *d2i_IPAddressFamily(IPAddressFamily **a,
    const unsigned char **in, long len);
 int i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out);
 extern const ASN1_ITEM IPAddressFamily_it;
 /*
 * API tag for elements of the ASIdentifer SEQUENCE.
 */
 # define V3_ASID_ASNUM   0
 # define V3_ASID_RDI     1
 /*
 * AFI values, assigned by IANA.  It'd be nice to make the AFI
 * handling code totally generic, but there are too many little things
 * that would need to be defined for other address families for it to
 * be worth the trouble.
 */
 # define IANA_AFI_IPV4   1
 # define IANA_AFI_IPV6   2
 /*
 * Utilities to construct and extract values from RFC3779 extensions,
 * since some of the encodings (particularly for IP address prefixes
 * and ranges) are a bit tedious to work with directly.
 */
 int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
 int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
                                ASN1_INTEGER *min, ASN1_INTEGER *max);
 int X509v3_addr_add_inherit(IPAddrBlocks *addr,
                            const unsigned afi, const unsigned *safi);
 int X509v3_addr_add_prefix(IPAddrBlocks *addr,
                           const unsigned afi, const unsigned *safi,
                           unsigned char *a, const int prefixlen);
 int X509v3_addr_add_range(IPAddrBlocks *addr,
                          const unsigned afi, const unsigned *safi,
                          unsigned char *min, unsigned char *max);
 unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
 int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
                          unsigned char *min, unsigned char *max,
                          const int length);
 /*
 * Canonical forms.
 */
 int X509v3_asid_is_canonical(ASIdentifiers *asid);
 int X509v3_addr_is_canonical(IPAddrBlocks *addr);
 int X509v3_asid_canonize(ASIdentifiers *asid);
 int X509v3_addr_canonize(IPAddrBlocks *addr);
 /*
 * Tests for inheritance and containment.
 */
 int X509v3_asid_inherits(ASIdentifiers *asid);
 int X509v3_addr_inherits(IPAddrBlocks *addr);
 int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
 int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
 /*
 * Check whether RFC 3779 extensions nest properly in chains.
 */
 int X509v3_asid_validate_path(X509_STORE_CTX *);
 int X509v3_addr_validate_path(X509_STORE_CTX *);
 int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
                                      ASIdentifiers *ext,
                                      int allow_inheritance);
 int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
                                      IPAddrBlocks *ext, int allow_inheritance);
 #endif                         /* OPENSSL_NO_RFC3779 */
 #endif
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
--- a/openssl.cnf
+++ b/openssl.cnf
@ -0,0 +1,24 @@
 [ req ]
 #default_bits		= 2048
 #default_md		= sha256
 #default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
 countryName_min			= 2
 countryName_max			= 2
 stateOrProvinceName		= State or Province Name (full name)
 localityName			= Locality Name (eg, city)
 0.organizationName		= Organization Name (eg, company)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 commonName			= Common Name (eg, fully qualified host name)
 commonName_max			= 64
 emailAddress			= Email Address
 emailAddress_max		= 64
 [ req_attributes ]
 challengePassword		= A challenge password
 challengePassword_min		= 4
 challengePassword_max		= 20
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@ -5,11 +5,9 @@ set(
 	bs_cbb.c
 	bs_cbs.c
 	d1_both.c
 	d1_clnt.c
 	d1_lib.c
 	d1_pkt.c
 	d1_srtp.c
 	d1_srvr.c
 	pqueue.c
 	s3_cbc.c
 	s3_lib.c
@ -38,6 +36,9 @@ set(
 	ssl_versions.c
 	t1_enc.c
 	t1_lib.c
 	tls_content.c
 	tls12_key_schedule.c
 	tls12_lib.c
 	tls12_record_layer.c
 	tls13_buffer.c
 	tls13_client.c
@ -53,7 +54,15 @@ set(
 	tls13_server.c
 )
-add_library(ssl ${SSL_SRC})
+add_library(ssl_obj OBJECT ${SSL_SRC})
 target_include_directories(ssl_obj
 	PRIVATE
 		.
 		../include/compat
 	PUBLIC
 		../include)
 add_library(ssl $<TARGET_OBJECTS:ssl_obj>)
 target_include_directories(ssl
 	PRIVATE
 		.
--- a/ssl/VERSION
+++ b/ssl/VERSION
@ -1 +1 @@
-48:1:0
+50:0:0
--- a/Show More
+++ b/Show More