
Merge branch 'thirdparty' into thirdparty_dev

Source commit: 4f60e6c0ef96cfebfe2ea686270b113b5c2da032
Martin Prikryl %!s(int64=3) %!d(string=hai) anos
pai
achega
c9efdf45d7
Modificáronse 76 ficheiros con 1139 adicións e 281 borrados
  1. 6 6
      libs/expat/CMake.README
  2. 36 10
      libs/expat/CMakeLists.txt
  3. 53 0
      libs/expat/Changes
  4. 3 1
      libs/expat/Makefile.am
  5. 3 1
      libs/expat/Makefile.in
  6. 1 1
      libs/expat/README.md
  7. 11 11
      libs/expat/configure
  8. 1 1
      libs/expat/configure.ac
  9. 15 5
      libs/expat/doc/reference.html
  10. 1 1
      libs/expat/doc/xmlwf.1
  11. 1 1
      libs/expat/doc/xmlwf.xml
  12. 2 1
      libs/expat/expat.pc.cmake
  13. 2 1
      libs/expat/expat.pc.in
  14. 3 3
      libs/expat/expat_config.h
  15. 18 4
      libs/expat/lib/expat.h
  16. 137 10
      libs/expat/lib/xmlparse.c
  17. 18 7
      libs/expat/tests/runtests.c
  18. 3 1
      libs/expat/win32/expat.iss
  19. 17 0
      libs/expat/win32/version.rc
  20. 37 0
      libs/openssl/CHANGES
  21. 8 1
      libs/openssl/Configurations/10-main.conf
  22. 2 1
      libs/openssl/Configurations/descrip.mms.tmpl
  23. 11 11
      libs/openssl/Configure
  24. 5 0
      libs/openssl/NEWS
  25. 1 1
      libs/openssl/README
  26. 7 3
      libs/openssl/apps/apps.c
  27. 2 4
      libs/openssl/apps/openssl.c
  28. 5 5
      libs/openssl/apps/passwd.c
  29. 11 0
      libs/openssl/apps/s_client.c
  30. 2 2
      libs/openssl/apps/s_socket.c
  31. 66 0
      libs/openssl/apps/vms_decc_argv.c
  32. 1 39
      libs/openssl/apps/vms_decc_init.c
  33. 1 0
      libs/openssl/config
  34. 1 1
      libs/openssl/crypto/asn1/charmap.h
  35. 2 2
      libs/openssl/crypto/bio/b_addr.c
  36. 2 2
      libs/openssl/crypto/bn/bn_exp2.c
  37. 1 1
      libs/openssl/crypto/bn/bn_prime.h
  38. 1 1
      libs/openssl/crypto/bn/bn_print.c
  39. 19 13
      libs/openssl/crypto/bn/bn_sqrt.c
  40. 1 1
      libs/openssl/crypto/conf/conf_def.h
  41. 1 4
      libs/openssl/crypto/engine/eng_all.c
  42. 11 2
      libs/openssl/crypto/engine/eng_dyn.c
  43. 22 12
      libs/openssl/crypto/evp/digest.c
  44. 5 3
      libs/openssl/crypto/lhash/lhash.c
  45. 4 3
      libs/openssl/crypto/objects/obj_dat.c
  46. 1 1
      libs/openssl/crypto/objects/obj_dat.h
  47. 1 1
      libs/openssl/crypto/objects/obj_xref.h
  48. 5 3
      libs/openssl/crypto/ui/ui_openssl.c
  49. 7 6
      libs/openssl/crypto/x509/x509_vfy.c
  50. 15 4
      libs/openssl/crypto/x509v3/v3_utl.c
  51. 4 1
      libs/openssl/doc/man1/cms.pod
  52. 2 2
      libs/openssl/doc/man3/BIO_ctrl.pod
  53. 17 4
      libs/openssl/doc/man3/BIO_f_base64.pod
  54. 14 3
      libs/openssl/doc/man3/BN_add.pod
  55. 2 1
      libs/openssl/doc/man3/DEFINE_STACK_OF.pod
  56. 17 17
      libs/openssl/doc/man3/OBJ_nid2obj.pod
  57. 2 2
      libs/openssl/doc/man3/SSL_CONF_cmd.pod
  58. 69 2
      libs/openssl/doc/man3/X509_STORE_CTX_new.pod
  59. 3 1
      libs/openssl/include/internal/sockets.h
  60. 2 1
      libs/openssl/include/openssl/engine.h
  61. 1 1
      libs/openssl/include/openssl/obj_mac.h
  62. 2 2
      libs/openssl/include/openssl/opensslv.h
  63. 7 7
      libs/openssl/ssl/s3_lib.c
  64. 4 3
      libs/openssl/ssl/ssl_cert.c
  65. 28 1
      libs/openssl/test/asn1_internal_test.c
  66. 56 2
      libs/openssl/test/bntest.c
  67. 1 1
      libs/openssl/test/build.info
  68. 79 1
      libs/openssl/test/evp_extra_test.c
  69. 13 1
      libs/openssl/test/recipes/10-test_bn_data/bnmod.txt
  70. 7 2
      libs/openssl/test/recipes/15-test_genrsa.t
  71. 4 4
      libs/openssl/test/recipes/20-test_dgst.t
  72. 4 4
      libs/openssl/test/recipes/30-test_evp_data/evpkdf.txt
  73. 3 6
      libs/openssl/test/recipes/70-test_verify_extra.t
  74. 39 2
      libs/openssl/test/recipes/80-test_ssl_old.t
  75. 64 8
      libs/openssl/test/ssltest_old.c
  76. 106 10
      libs/openssl/test/verify_extra_test.c

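--- a/libs/expat/CMake.README
+++ b/libs/expat/CMake.README
@@ -3,25 +3,25 @@
 The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual
 Studio) and should work on all other platform cmake supports.
 
-Assuming ~/expat-2.4.6 is the source directory of expat, add a subdirectory
+Assuming ~/expat-2.4.8 is the source directory of expat, add a subdirectory
 build and change into that directory:
-~/expat-2.4.6$ mkdir build && cd build
-~/expat-2.4.6/build$
+~/expat-2.4.8$ mkdir build && cd build
+~/expat-2.4.8/build$
 
 From that directory, call cmake first, then call make, make test and
 make install in the usual way:
-~/expat-2.4.6/build$ cmake ..
+~/expat-2.4.8/build$ cmake ..
 -- The C compiler identification is GNU
 -- The CXX compiler identification is GNU
 ....
 -- Configuring done
 -- Generating done
--- Build files have been written to: /home/patrick/expat-2.4.6/build
+-- Build files have been written to: /home/patrick/expat-2.4.8/build
 
 If you want to specify the install location for your files, append
 -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call.
 
-~/expat-2.4.6/build$ make && make test && make install
+~/expat-2.4.8/build$ make && make test && make install
 Scanning dependencies of target expat
 [  5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o
 [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o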

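--- a/libs/expat/CMakeLists.txt
+++ b/libs/expat/CMakeLists.txt
@@ -29,6 +29,7 @@
 # Copyright (c) 2020      Gulliver <[email protected]>
 # Copyright (c) 2020      Thomas Beutlich <[email protected]>
 # Copyright (c) 2021      Alex Richardson <[email protected]>
+# Copyright (c) 2022      Johnny Jazeix <[email protected]>
 # Unlike most of Expat,
 # this file is copyrighted under the BSD-license for buildsystem files of KDE.
 
@@ -64,7 +65,7 @@ endif()
 
 project(expat
     VERSION
-        2.4.6
+        2.4.8
     LANGUAGES
         C
 )
@@ -381,7 +382,7 @@ endforeach()
 #
 # C library
 #
-set(expat_SRCS
+set(_EXPAT_C_SOURCES
     lib/xmlparse.c
     lib/xmlrole.c
     lib/xmltok.c
@@ -393,13 +394,18 @@ set(expat_SRCS
 if(EXPAT_SHARED_LIBS)
     set(_SHARED SHARED)
     if(MSVC)
-        set(expat_SRCS ${expat_SRCS} lib/libexpat.def)
+        set(_EXPAT_EXTRA_SOURCES ${_EXPAT_EXTRA_SOURCES} lib/libexpat.def)
+    endif()
+    if(WIN32)
+        # Add DLL version
+        string(REPLACE "." "," _EXPAT_DLL_VERSION ${PROJECT_VERSION}.0)
+        set(_EXPAT_EXTRA_SOURCES ${_EXPAT_EXTRA_SOURCES} win32/version.rc)
     endif()
 else()
     set(_SHARED STATIC)
 endif()
 
-add_library(expat ${_SHARED} ${expat_SRCS})
+add_library(expat ${_SHARED} ${_EXPAT_C_SOURCES} ${_EXPAT_EXTRA_SOURCES})
 if(_EXPAT_LIBM_FOUND)
     target_link_libraries(expat m)
 endif()
@@ -408,7 +414,7 @@ if(EXPAT_WITH_LIBBSD)
 endif()
 
 set(LIBCURRENT 9)   # sync
-set(LIBREVISION 6)  # with
+set(LIBREVISION 8)  # with
 set(LIBAGE 8)       # configure.ac!
 math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}")
 
@@ -416,6 +422,18 @@ if(NOT WIN32)
     set_property(TARGET expat PROPERTY VERSION ${LIBCURRENT_MINUS_AGE}.${LIBAGE}.${LIBREVISION})
     set_property(TARGET expat PROPERTY SOVERSION ${LIBCURRENT_MINUS_AGE})
     set_property(TARGET expat PROPERTY NO_SONAME ${NO_SONAME})
+
+    if(APPLE)
+        if(NOT CMAKE_VERSION VERSION_GREATER_EQUAL 3.17)
+            message(FATAL_ERROR "Expat requires CMake >=3.17 on platform \"APPLE\".")
+        endif()
+
+        # NOTE: This intends to talk CMake into compatiblity with GNU Libtool
+        math(EXPR _EXPAT_MACHO_COMPATIBILITY_VERSION "${LIBCURRENT} + 1")
+        set(_EXPAT_MACHO_CURRENT_VERSION "${_EXPAT_MACHO_COMPATIBILITY_VERSION}.${LIBREVISION}")
+        set_property(TARGET expat PROPERTY MACHO_COMPATIBILITY_VERSION ${_EXPAT_MACHO_COMPATIBILITY_VERSION})
+        set_property(TARGET expat PROPERTY MACHO_CURRENT_VERSION ${_EXPAT_MACHO_CURRENT_VERSION})
+    endif()
 endif()
 if(WIN32 AND NOT MINGW)
     # NOTE: This avoids a name collision with Expat.dll of Perl's XML::Parser::Expat
@@ -424,7 +442,10 @@ if(WIN32 AND NOT MINGW)
     # NOTE: "set_property(TARGET expat PROPERTY PREFIX lib)" would only affect *.dll
     #       files but not *.lib files, so we have to rely on property OUTPUT_NAME, instead.
     #       Property CMAKE_*_POSTFIX still applies.
-    set_property(TARGET expat PROPERTY OUTPUT_NAME libexpat)
+    set(_EXPAT_OUTPUT_NAME libexpat)
+    set_property(TARGET expat PROPERTY OUTPUT_NAME ${_EXPAT_OUTPUT_NAME})
+else()
+    set(_EXPAT_OUTPUT_NAME expat)
 endif()
 
 target_include_directories(expat
@@ -434,8 +455,12 @@ target_include_directories(expat
         $<INSTALL_INTERFACE:${CMAKE_INSTALL_INCLUDEDIR}>
 )
 
-if(NOT EXPAT_SHARED_LIBS AND WIN32)
-    target_compile_definitions(expat PUBLIC -DXML_STATIC)
+if(WIN32)
+    if(EXPAT_SHARED_LIBS)
+        target_compile_definitions(expat PRIVATE VER_FILEVERSION=${_EXPAT_DLL_VERSION})
+    else()
+        target_compile_definitions(expat PUBLIC -DXML_STATIC)
+    endif()
 endif()
 
 expat_install(TARGETS expat EXPORT expat
@@ -472,6 +497,7 @@ if(EXPAT_BUILD_PKGCONFIG)
         string(TOLOWER "${_build_type}" _build_type_lower)
         string(TOUPPER "${_build_type}" _build_type_upper)
         set_property(TARGET expat PROPERTY "pkgconfig_${_build_type_lower}_name" "expat${CMAKE_${_build_type_upper}_POSTFIX}")
+        set_property(TARGET expat PROPERTY "pkgconfig_${_build_type_lower}_output_name" "${_EXPAT_OUTPUT_NAME}${CMAKE_${_build_type_upper}_POSTFIX}")
         if(_EXPAT_LIBM_FOUND)
             set_property(TARGET expat PROPERTY "pkgconfig_libm" "-lm")
         else()
@@ -550,7 +576,7 @@ if(EXPAT_BUILD_TESTS)
         tests/memcheck.c
         tests/minicheck.c
         tests/structdata.c
-        ${expat_SRCS}
+        ${_EXPAT_C_SOURCES}
     )
 
     if(NOT MSVC)
@@ -619,7 +645,7 @@ if(EXPAT_BUILD_FUZZERS)
     set(encoding_types UTF-16 UTF-8 ISO-8859-1 US-ASCII UTF-16BE UTF-16LE)
     set(fuzz_targets xml_parse_fuzzer xml_parsebuffer_fuzzer)
 
-    add_library(fuzzpat STATIC ${expat_SRCS})
+    add_library(fuzzpat STATIC ${_EXPAT_C_SOURCES})
     if(NOT EXPAT_OSSFUZZ_BUILD)
         target_compile_options(fuzzpat PRIVATE -fsanitize=fuzzer-no-link)
     endif()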
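Review bot: The new `if(APPLE)` block inside `if(NOT WIN32)` stops configuration with FATAL_ERROR on CMake older than 3.17 even when `EXPAT_SHARED_LIBS` is off, although the two properties it sets, `MACHO_COMPATIBILITY_VERSION` and `MACHO_CURRENT_VERSION`, appear to matter only for a shared library. Guarding it as `if(APPLE AND EXPAT_SHARED_LIBS)` would keep static builds on older CMake working. Separately, `_EXPAT_EXTRA_SOURCES` is appended to itself in the `if(EXPAT_SHARED_LIBS)` hunk with no initialisation visible in these hunks, so a value inherited from an enclosing project or the cache would land in the library's source list; `set(_EXPAT_EXTRA_SOURCES "")` ahead of that block would rule this out, unless it is already initialised outside the lines shown. The added comment also misspells "compatibility" as "compatiblity".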

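--- a/libs/expat/Changes
+++ b/libs/expat/Changes
@@ -2,6 +2,59 @@ NOTE: We are looking for help with a few things:
       https://github.com/libexpat/libexpat/labels/help%20wanted
       If you can help, please get in touch.  Thanks!
 
+Release 2.4.8 Mon March 28 2022
+        Other changes:
+            #587  pkg-config: Move "-lm" to section "Libs.private"
+            #587  CMake|MSVC: Fix pkg-config section "Libs"
+        #55 #582  CMake|macOS: Start using linker arguments
+                    "-compatibility_version <version>" and
+                    "-current_version <version>" in a way compatible with
+                    GNU Libtool
+       #590 #591  Version info bumped from 9:7:8 to 9:8:8;
+                    see https://verbump.de/ for what these numbers do
+
+        Infrastructure:
+            #589  CI: Upgrade Clang from 13 to 14
+
+        Special thanks to:
+            evpobr
+            Kai Pastor
+            Sam James
+
+Release 2.4.7 Fri March 4 2022
+        Bug fixes:
+       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
+                    with regard to all valid URI characters (RFC 3986),
+                    i.e. the following set (excluding whitespace):
+                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
+                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=
+
+        Other changes:
+  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
+            #577  Document consequences of namespace separator choices not just
+                    in doc/reference.html but also in header <expat.h>
+            #577  Document Expat's lack of validation of namespace URIs against
+                    RFC 3986, and that the XML 1.0r4 specification doesn't
+                    require Expat to validate namespace URIs, and that Expat
+                    may do more in that regard in future releases.
+                    If you find need for strict RFC 3986 URI validation on
+                    application level today, https://uriparser.github.io/ may
+                    be of interest.
+            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
+            #575  Document that a call to XML_FreeContentModel can be done at
+                    a later time from outside the element declaration handler
+            #574  Make hardcoded namespace URIs easier to find in code
+            #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
+       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
+                    4.8.2 on Solaris.
+       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
+                    see https://verbump.de/ for what these numbers do
+
+        Special thanks to:
+            Jeffrey Walton
+            Johnny Jazeix
+            Thijs Schreijer
+
 Release 2.4.6 Sun February 20 2022
         Bug fixes:
             #566  Fix a regression introduced by the fix for CVE-2022-25313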

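--- a/libs/expat/Makefile.am
+++ b/libs/expat/Makefile.am
@@ -8,6 +8,7 @@
 #
 # Copyright (c) 2017-2021 Sebastian Pipping <[email protected]>
 # Copyright (c) 2018      KangLin <[email protected]>
+# Copyright (c) 2022      Johnny Jazeix <[email protected]>
 # Licensed under the MIT license:
 #
 # Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -82,7 +83,8 @@ _EXTRA_DIST_WINDOWS = \
     win32/build_expat_iss.bat \
     win32/expat.iss \
     win32/MANIFEST.txt \
-    win32/README.txt
+    win32/README.txt \
+    win32/version.rc
 
 EXTRA_DIST = \
     $(_EXTRA_DIST_CMAKE) \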

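--- a/libs/expat/Makefile.in
+++ b/libs/expat/Makefile.in
@@ -24,6 +24,7 @@
 #
 # Copyright (c) 2017-2021 Sebastian Pipping <[email protected]>
 # Copyright (c) 2018      KangLin <[email protected]>
+# Copyright (c) 2022      Johnny Jazeix <[email protected]>
 # Licensed under the MIT license:
 #
 # Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -475,7 +476,8 @@ _EXTRA_DIST_WINDOWS = \
     win32/build_expat_iss.bat \
     win32/expat.iss \
     win32/MANIFEST.txt \
-    win32/README.txt
+    win32/README.txt \
+    win32/version.rc
 
 EXTRA_DIST = \
     $(_EXTRA_DIST_CMAKE) \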

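--- a/libs/expat/README.md
+++ b/libs/expat/README.md
@@ -5,7 +5,7 @@
 [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases)
 
 
-# Expat, Release 2.4.6
+# Expat, Release 2.4.8
 
 This is Expat, a C library for parsing XML, started by
 [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997.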

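--- a/libs/expat/configure
+++ b/libs/expat/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for expat 2.4.6.
+# Generated by GNU Autoconf 2.71 for expat 2.4.8.
 #
 # Report bugs to <[email protected]>.
 #
@@ -621,8 +621,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='expat'
 PACKAGE_TARNAME='expat'
-PACKAGE_VERSION='2.4.6'
-PACKAGE_STRING='expat 2.4.6'
+PACKAGE_VERSION='2.4.8'
+PACKAGE_STRING='expat 2.4.8'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL=''
 
@@ -1414,7 +1414,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures expat 2.4.6 to adapt to many kinds of systems.
+\`configure' configures expat 2.4.8 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1485,7 +1485,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of expat 2.4.6:";;
+     short | recursive ) echo "Configuration of expat 2.4.8:";;
    esac
   cat <<\_ACEOF
 
@@ -1619,7 +1619,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-expat configure 2.4.6
+expat configure 2.4.8
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2250,7 +2250,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by expat $as_me 2.4.6, which was
+It was created by expat $as_me 2.4.8, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3817,7 +3817,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='expat'
- VERSION='2.4.6'
+ VERSION='2.4.8'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -3924,7 +3924,7 @@ fi
 
 
 LIBCURRENT=9   # sync
-LIBREVISION=6  # with
+LIBREVISION=8  # with
 LIBAGE=8       # CMakeLists.txt!
 
 ac_config_headers="$ac_config_headers expat_config.h"
@@ -20227,7 +20227,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by expat $as_me 2.4.6, which was
+This file was extended by expat $as_me 2.4.8, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -20295,7 +20295,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-expat config.status 2.4.6
+expat config.status 2.4.8
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 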

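--- a/libs/expat/configure.ac
+++ b/libs/expat/configure.ac
@@ -82,7 +82,7 @@ dnl If the API changes incompatibly set LIBAGE back to 0
 dnl
 
 LIBCURRENT=9   # sync
-LIBREVISION=6  # with
+LIBREVISION=8  # with
 LIBAGE=8       # CMakeLists.txt!
 
 AC_CONFIG_HEADERS([expat_config.h])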

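--- a/libs/expat/doc/reference.html
+++ b/libs/expat/doc/reference.html
@@ -18,6 +18,7 @@
    Copyright (c) 2017      Jakub Wilk <[email protected]>
    Copyright (c) 2021      Tomas Korbar <[email protected]>
    Copyright (c) 2021      Nicolas Cavallari <[email protected]>
+   Copyright (c) 2022      Thijs Schreijer <[email protected]>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -49,7 +50,7 @@
   <div>
     <h1>
       The Expat XML Parser
-      <small>Release 2.4.6</small>
+      <small>Release 2.4.8</small>
     </h1>
   </div>
 <div class="content">
@@ -974,6 +975,14 @@ the local part will be concatenated without any separator - this is intended
 to support RDF processors. It is a programming error to use the null separator
 with <a href= "#XML_SetReturnNSTriplet">namespace triplets</a>.</div>
 
+<p><strong>Note:</strong>
+Expat does not validate namespace URIs (beyond encoding)
+against RFC 3986 today (and is not required to do so with regard to
+the XML 1.0 namespaces specification) but it may start doing that
+in future releases.  Before that, an application using Expat must
+be ready to receive namespace URIs containing non-URI characters.
+</p>
+
 <h4 id="XML_ParserCreate_MM">XML_ParserCreate_MM</h4>
 <pre class="fcndec">
 XML_Parser XMLCALL
@@ -1808,10 +1817,11 @@ struct XML_cp {
 </pre>
 <p>Sets a handler for element declarations in a DTD. The handler gets
 called with the name of the element in the declaration and a pointer
-to a structure that contains the element model. It is the
-application's responsibility to free this data structure using
-<code><a href="#XML_FreeContentModel"
->XML_FreeContentModel</a></code>.</p>
+to a structure that contains the element model. It's the user code's 
+responsibility to free model when finished with it. See <code>
+<a href="#XML_FreeContentModel">XML_FreeContentModel</a></code>.
+There is no need to free the model from the handler, it can be kept
+around and freed at a later stage.</p>
 
 <p>The <code>model</code> argument is the root of a tree of
 <code>XML_Content</code> nodes. If <code>type</code> equals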

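--- a/libs/expat/doc/xmlwf.1
+++ b/libs/expat/doc/xmlwf.1
@@ -5,7 +5,7 @@
 \\$2 \(la\\$1\(ra\\$3
 ..
 .if \n(.g .mso www.tmac
-.TH XMLWF 1 "February 20, 2022" "" ""
+.TH XMLWF 1 "March 28, 2022" "" ""
 .SH NAME
 xmlwf \- Determines if an XML document is well-formed
 .SH SYNOPSIS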

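--- a/libs/expat/doc/xmlwf.xml
+++ b/libs/expat/doc/xmlwf.xml
@@ -21,7 +21,7 @@
           "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
   <!ENTITY dhfirstname "<firstname>Scott</firstname>">
   <!ENTITY dhsurname   "<surname>Bronson</surname>">
-  <!ENTITY dhdate      "<date>February 20, 2022</date>">
+  <!ENTITY dhdate      "<date>March 28, 2022</date>">
   <!-- Please adjust this^^ date whenever cutting a new release. -->
   <!ENTITY dhsection   "<manvolnum>1</manvolnum>">
   <!ENTITY dhemail     "<email>[email protected]</email>">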

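--- a/libs/expat/expat.pc.cmake
+++ b/libs/expat/expat.pc.cmake
@@ -7,5 +7,6 @@ Name: $<TARGET_PROPERTY:expat,pkgconfig_$<LOWER_CASE:$<CONFIG>>_name>
 Version: $<TARGET_PROPERTY:expat,pkgconfig_version>
 Description: expat XML parser
 URL: https://libexpat.github.io/
-Libs: -L${libdir} -l$<TARGET_PROPERTY:expat,pkgconfig_$<LOWER_CASE:$<CONFIG>>_name> $<TARGET_PROPERTY:expat,pkgconfig_libm>
+Libs: -L${libdir} -l$<TARGET_PROPERTY:expat,pkgconfig_$<LOWER_CASE:$<CONFIG>>_output_name>
+Libs.private: $<TARGET_PROPERTY:expat,pkgconfig_libm>
 Cflags: -I${includedir}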

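--- a/libs/expat/expat.pc.in
+++ b/libs/expat/expat.pc.in
@@ -7,5 +7,6 @@ Name: @PACKAGE_NAME@
 Version: @PACKAGE_VERSION@
 Description: expat XML parser
 URL: https://libexpat.github.io/
-Libs: -L${libdir} -l@PACKAGE_NAME@ @LIBM@
+Libs: -L${libdir} -l@PACKAGE_NAME@
+Libs.private: @LIBM@
 Cflags: -I${includedir}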

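--- a/libs/expat/expat_config.h
+++ b/libs/expat/expat_config.h
@@ -77,7 +77,7 @@
 #define PACKAGE_NAME "expat"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "expat 2.4.6"
+#define PACKAGE_STRING "expat 2.4.8"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "expat"
@@ -86,7 +86,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.4.6"
+#define PACKAGE_VERSION "2.4.8"
 
 /* Define to 1 if all of the C90 standard headers exist (not just the ones
    required in a freestanding environment). This macro is provided for
@@ -94,7 +94,7 @@
 #define STDC_HEADERS 1
 
 /* Version number of package */
-#define VERSION "2.4.6"
+#define VERSION "2.4.8"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */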

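--- a/libs/expat/lib/expat.h
+++ b/libs/expat/lib/expat.h
@@ -15,6 +15,7 @@
    Copyright (c) 2016      Cristian Rodríguez <[email protected]>
    Copyright (c) 2016      Thomas Beutlich <[email protected]>
    Copyright (c) 2017      Rhodri James <[email protected]>
+   Copyright (c) 2022      Thijs Schreijer <[email protected]>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -174,8 +175,10 @@ struct XML_cp {
 };
 
 /* This is called for an element declaration. See above for
-   description of the model argument. It's the caller's responsibility
-   to free model when finished with it.
+   description of the model argument. It's the user code's responsibility
+   to free model when finished with it. See XML_FreeContentModel.
+   There is no need to free the model from the handler, it can be kept
+   around and freed at a later stage.
 */
 typedef void(XMLCALL *XML_ElementDeclHandler)(void *userData,
                                               const XML_Char *name,
@@ -237,6 +240,17 @@ XML_ParserCreate(const XML_Char *encoding);
    and the local part will be concatenated without any separator.
    It is a programming error to use the separator '\0' with namespace
    triplets (see XML_SetReturnNSTriplet).
+   If a namespace separator is chosen that can be part of a URI or
+   part of an XML name, splitting an expanded name back into its
+   1, 2 or 3 original parts on application level in the element handler
+   may end up vulnerable, so these are advised against;  sane choices for
+   a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
+
+   Note that Expat does not validate namespace URIs (beyond encoding)
+   against RFC 3986 today (and is not required to do so with regard to
+   the XML 1.0 namespaces specification) but it may start doing that
+   in future releases.  Before that, an application using Expat must
+   be ready to receive namespace URIs containing non-URI characters.
 */
 XMLPARSEAPI(XML_Parser)
 XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
@@ -317,7 +331,7 @@ typedef void(XMLCALL *XML_StartDoctypeDeclHandler)(void *userData,
                                                    const XML_Char *pubid,
                                                    int has_internal_subset);
 
-/* This is called for the start of the DOCTYPE declaration when the
+/* This is called for the end of the DOCTYPE declaration when the
    closing > is encountered, but after processing any external
    subset.
 */
@@ -1041,7 +1055,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
 */
 #define XML_MAJOR_VERSION 2
 #define XML_MINOR_VERSION 4
-#define XML_MICRO_VERSION 6
+#define XML_MICRO_VERSION 8
 
 #ifdef __cplusplus
 }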

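--- a/libs/expat/lib/xmlparse.c
+++ b/libs/expat/lib/xmlparse.c
@@ -1,4 +1,4 @@
-/* a30d2613dcfdef81475a9d1a349134d2d42722172fdaa7d5bb12ed2aa74b9596 (2.4.6+)
+/* 2722de33b8d95adcfb16db05afdec6ed1d40d51565cda2176c61806b5350eafe (2.4.8+)
                             __  __            _
                          ___\ \/ /_ __   __ _| |_
                         / _ \\  /| '_ \ / _` | __|
@@ -34,6 +34,7 @@
    Copyright (c) 2019      Vadim Zeitlin <[email protected]>
    Copyright (c) 2021      Dong-hee Na <[email protected]>
    Copyright (c) 2022      Samanta Navarro <[email protected]>
+   Copyright (c) 2022      Jeffrey Walton <[email protected]>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -133,7 +134,7 @@
       * BSD / macOS (including <10.7) (arc4random): HAVE_ARC4RANDOM, \
       * libbsd (arc4random_buf): HAVE_ARC4RANDOM_BUF + HAVE_LIBBSD, \
       * libbsd (arc4random): HAVE_ARC4RANDOM + HAVE_LIBBSD, \
-      * Linux (including <3.17) / BSD / macOS (including <10.7) (/dev/urandom): XML_DEV_URANDOM, \
+      * Linux (including <3.17) / BSD / macOS (including <10.7) / Solaris >=8 (/dev/urandom): XML_DEV_URANDOM, \
       * Windows >=Vista (rand_s): _WIN32. \
     \
     If insist on not using any of these, bypass this error by defining \
@@ -722,6 +723,7 @@ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
   return XML_ParserCreate_MM(encodingName, NULL, tmp);
 }
 
+// "xml=http://www.w3.org/XML/1998/namespace"
 static const XML_Char implicitContext[]
     = {ASCII_x,     ASCII_m,     ASCII_l,      ASCII_EQUALS, ASCII_h,
        ASCII_t,     ASCII_t,     ASCII_p,      ASCII_COLON,  ASCII_SLASH,
@@ -3704,12 +3706,124 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
   return XML_ERROR_NONE;
 }
 
+static XML_Bool
+is_rfc3986_uri_char(XML_Char candidate) {
+  // For the RFC 3986 ANBF grammar see
+  // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
+
+  switch (candidate) {
+  // From rule "ALPHA" (uppercase half)
+  case 'A':
+  case 'B':
+  case 'C':
+  case 'D':
+  case 'E':
+  case 'F':
+  case 'G':
+  case 'H':
+  case 'I':
+  case 'J':
+  case 'K':
+  case 'L':
+  case 'M':
+  case 'N':
+  case 'O':
+  case 'P':
+  case 'Q':
+  case 'R':
+  case 'S':
+  case 'T':
+  case 'U':
+  case 'V':
+  case 'W':
+  case 'X':
+  case 'Y':
+  case 'Z':
+
+  // From rule "ALPHA" (lowercase half)
+  case 'a':
+  case 'b':
+  case 'c':
+  case 'd':
+  case 'e':
+  case 'f':
+  case 'g':
+  case 'h':
+  case 'i':
+  case 'j':
+  case 'k':
+  case 'l':
+  case 'm':
+  case 'n':
+  case 'o':
+  case 'p':
+  case 'q':
+  case 'r':
+  case 's':
+  case 't':
+  case 'u':
+  case 'v':
+  case 'w':
+  case 'x':
+  case 'y':
+  case 'z':
+
+  // From rule "DIGIT"
+  case '0':
+  case '1':
+  case '2':
+  case '3':
+  case '4':
+  case '5':
+  case '6':
+  case '7':
+  case '8':
+  case '9':
+
+  // From rule "pct-encoded"
+  case '%':
+
+  // From rule "unreserved"
+  case '-':
+  case '.':
+  case '_':
+  case '~':
+
+  // From rule "gen-delims"
+  case ':':
+  case '/':
+  case '?':
+  case '#':
+  case '[':
+  case ']':
+  case '@':
+
+  // From rule "sub-delims"
+  case '!':
+  case '$':
+  case '&':
+  case '\'':
+  case '(':
+  case ')':
+  case '*':
+  case '+':
+  case ',':
+  case ';':
+  case '=':
+    return XML_TRUE;
+
+  default:
+    return XML_FALSE;
+  }
+}
+
 /* addBinding() overwrites the value of prefix->binding without checking.
    Therefore one must keep track of the old value outside of addBinding().
 */
 static enum XML_Error
 addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
            const XML_Char *uri, BINDING **bindingsPtr) {
+  // "http://www.w3.org/XML/1998/namespace"
   static const XML_Char xmlNamespace[]
       = {ASCII_h,      ASCII_t,     ASCII_t,     ASCII_p,      ASCII_COLON,
          ASCII_SLASH,  ASCII_SLASH, ASCII_w,     ASCII_w,      ASCII_w,
@@ -3720,6 +3834,7 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
          ASCII_e,      ASCII_s,     ASCII_p,     ASCII_a,      ASCII_c,
          ASCII_e,      '\0'};
   static const int xmlLen = (int)sizeof(xmlNamespace) / sizeof(XML_Char) - 1;
+  // "http://www.w3.org/2000/xmlns/"
   static const XML_Char xmlnsNamespace[]
       = {ASCII_h,     ASCII_t,      ASCII_t, ASCII_p, ASCII_COLON,  ASCII_SLASH,
          ASCII_SLASH, ASCII_w,      ASCII_w, ASCII_w, ASCII_PERIOD, ASCII_w,
@@ -3760,14 +3875,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
       isXMLNS = XML_FALSE;
 
-    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
-    //       we have to at least make sure that the XML processor on top of
-    //       Expat (that is splitting tag names by namespace separator into
-    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
-    //       by an attacker putting additional namespace separator characters
-    //       into namespace declarations.  That would be ambiguous and not to
-    //       be expected.
-    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986
+    //       today (and is not REQUIRED to do so with regard to the XML 1.0
+    //       namespaces specification) we have to at least make sure, that
+    //       the application on top of Expat (that is likely splitting expanded
+    //       element names ("qualified names") of form
+    //       "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
+    //       in its element handler code) cannot be confused by an attacker
+    //       putting additional namespace separator characters into namespace
+    //       declarations.  That would be ambiguous and not to be expected.
+    //
+    //       While the HTML API docs of function XML_ParserCreateNS have been
+    //       advising against use of a namespace separator character that can
+    //       appear in a URI for >20 years now, some widespread applications
+    //       are using URI characters (':' (colon) in particular) for a
+    //       namespace separator, in practice.  To keep these applications
+    //       functional, we only reject namespaces URIs containing the
+    //       application-chosen namespace separator if the chosen separator
+    //       is a non-URI character with regard to RFC 3986.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
+        && ! is_rfc3986_uri_char(uri[len])) {
       return XML_ERROR_SYNTAX;
     }
   }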
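Review bot: In `is_rfc3986_uri_char` the case labels are plain character literals (`'A'`, `':'`, …) while the rest of this file spells characters through the `ASCII_*` constants (see `implicitContext` and `xmlNamespace` in the same section), so this helper is the one place whose result depends on the compiler's execution character set; using the existing constants would keep it consistent, assuming one is defined for every character listed. The comment's "ANBF" should read `// For the RFC 3986 ABNF grammar see`. In `addBinding`, whose body starts and ends outside the hunk, the relaxed condition means a separator that is itself a URI character (the comment names ':') is no longer rejected inside a namespace URI, so an application that splits expanded names on such a separator keeps the ambiguity the original check removed. A short function comment on `is_rfc3986_uri_char` stating that a true result switches the rejection off for that separator would make this trade-off visible at the point where it is decided.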

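--- a/libs/expat/tests/runtests.c
+++ b/libs/expat/tests/runtests.c
@@ -54,7 +54,6 @@
 #include <ctype.h>
 #include <limits.h>
 #include <stdint.h> /* intptr_t uint64_t */
-#include <math.h>   /* NAN, INFINITY, isnan */
 
 #if ! defined(__cplusplus)
 #  include <stdbool.h>
@@ -7407,16 +7406,18 @@ START_TEST(test_ns_separator_in_uri) {
   struct test_case {
     enum XML_Status expectedStatus;
     const char *doc;
+    XML_Char namesep;
   };
   struct test_case cases[] = {
-      {XML_STATUS_OK, "<doc xmlns='one_two' />"},
-      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
+      {XML_STATUS_OK, "<doc xmlns='one_two' />", XCS('\n')},
+      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />", XCS('\n')},
+      {XML_STATUS_OK, "<doc xmlns='one:two' />", XCS(':')},
   };
 
   size_t i = 0;
   size_t failCount = 0;
   for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
-    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
+    XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
     XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
     if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
                   /*isFinal*/ XML_TRUE)
@@ -7588,7 +7589,7 @@ START_TEST(test_misc_version) {
     fail("Version mismatch");
 
 #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T)
-  if (xcstrcmp(version_text, XCS("expat_2.4.6"))) /* needs bump on releases */
+  if (xcstrcmp(version_text, XCS("expat_2.4.8"))) /* needs bump on releases */
     fail("XML_*_VERSION in expat.h out of sync?\n");
 #else
   /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T
@@ -11762,6 +11763,16 @@ START_TEST(test_accounting_precision) {
 }
 END_TEST
 
+static float
+portableNAN() {
+  return strtof("nan", NULL);
+}
+
+static float
+portableINFINITY() {
+  return strtof("infinity", NULL);
+}
+
 START_TEST(test_billion_laughs_attack_protection_api) {
   XML_Parser parserWithoutParent = XML_ParserCreate(NULL);
   XML_Parser parserWithParent
@@ -11780,7 +11791,7 @@ START_TEST(test_billion_laughs_attack_protection_api) {
       == XML_TRUE)
     fail("Call with non-root parser is NOT supposed to succeed");
   if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
-          parserWithoutParent, NAN)
+          parserWithoutParent, portableNAN())
       == XML_TRUE)
     fail("Call with NaN limit is NOT supposed to succeed");
   if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
@@ -11802,7 +11813,7 @@ START_TEST(test_billion_laughs_attack_protection_api) {
       == XML_FALSE)
     fail("Call with positive limit >=1.0 is supposed to succeed");
   if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
-          parserWithoutParent, INFINITY)
+          parserWithoutParent, portableINFINITY())
       == XML_FALSE)
     fail("Call with positive limit >=1.0 is supposed to succeed");
 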
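Review bot: `portableNAN()` and `portableINFINITY()` are defined with empty parentheses, which in C declares a function with unspecified parameters rather than none; `static float portableNAN(void) {` and `static float portableINFINITY(void) {` mean the same thing in C and in C++ (the file guards `<stdbool.h>` with `__cplusplus`, so it is presumably compiled as both). Both helpers call `strtof`, so `<stdlib.h>` has to be among the includes, which this page does not show. A one-line comment above them saying they stand in for the `NAN` and `INFINITY` macros of the removed `<math.h>` include would tell the next reader why they exist. In `test_ns_separator_in_uri` the new `':'` case pins only the accepted path; a case with a non-URI separator other than `'\n'` would also exercise the rejection through `is_rfc3986_uri_char`.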

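--- a/libs/expat/win32/expat.iss
+++ b/libs/expat/win32/expat.iss
@@ -15,6 +15,7 @@
 ; Copyright (c) 2001-2005 Fred L. Drake, Jr. <[email protected]>
 ; Copyright (c) 2006-2017 Karl Waclawek <[email protected]>
 ; Copyright (c) 2007-2022 Sebastian Pipping <[email protected]>
+; Copyright (c) 2022      Johnny Jazeix <[email protected]>
 ; Licensed under the MIT license:
 ;
 ; Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -36,7 +37,7 @@
 ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 ; USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-#define expatVer "2.4.6"
+#define expatVer "2.4.8"
 
 [Setup]
 AppName=Expat
@@ -76,6 +77,7 @@ Flags: ignoreversion; Source: doc\*.css;                    DestDir: "{app}\Doc"
 Flags: ignoreversion; Source: doc\*.xml;                    DestDir: "{app}\Doc"
 Flags: ignoreversion; Source: win32\bin\Release\*.dll;      DestDir: "{app}\Bin"
 Flags: ignoreversion; Source: win32\bin\Release\*.lib;      DestDir: "{app}\Bin"
+Flags: ignoreversion; Source: win32\version.rc;             DestDir: "{app}\Source\win32"
 Flags: ignoreversion; Source: win32\README.txt;             DestDir: "{app}\Source"
 Flags: ignoreversion; Source: AUTHORS;                      DestDir: "{app}\Source"
 Flags: ignoreversion; Source: Changes;                      DestDir: "{app}\Source"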

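--- a/libs/expat/win32/version.rc
+++ b/libs/expat/win32/version.rc
@@ -0,0 +1,17 @@
+1 VERSIONINFO
+FILEVERSION VER_FILEVERSION
+PRODUCTVERSION VER_FILEVERSION
+BEGIN
+  BLOCK "StringFileInfo"
+  BEGIN
+    BLOCK "040904E4"
+    BEGIN
+      VALUE "FileVersion", "VER_FILEVERSION"
+      VALUE "ProductVersion", "VER_FILEVERSION"
+    END
+  END
+  BLOCK "VarFileInfo"
+  BEGIN
+    VALUE "Translation", 0x0409, 1252
+  END
+END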
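Review bot: The two `VALUE` lines put `VER_FILEVERSION` inside double quotes, and the resource compiler's preprocessor does not expand macros inside string literals, so the embedded FileVersion and ProductVersion strings would read literally `VER_FILEVERSION` unless the build rewrites this file textually before compiling it (where the macro is defined is not shown on this page). The numeric `FILEVERSION` and `PRODUCTVERSION` statements are not affected. Supplying a second macro that already expands to a quoted string and using it unquoted in the two `VALUE` lines would give the strings the real version. A leading comment naming the build step that defines `VER_FILEVERSION` would also help anyone who compiles the file by hand, since the installer now ships it as source.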

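--- a/libs/openssl/CHANGES
+++ b/libs/openssl/CHANGES
@@ -7,6 +7,43 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
+
+  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+     for non-prime moduli.
+
+     Internally this function is used when parsing certificates that contain
+     elliptic curve public keys in compressed form or explicit elliptic curve
+     parameters with a base point encoded in compressed form.
+
+     It is possible to trigger the infinite loop by crafting a certificate that
+     has invalid explicit curve parameters.
+
+     Since certificate parsing happens prior to verification of the certificate
+     signature, any process that parses an externally supplied certificate may
+     thus be subject to a denial of service attack. The infinite loop can also
+     be reached when parsing crafted private keys as they can contain explicit
+     elliptic curve parameters.
+
+     Thus vulnerable situations include:
+
+      - TLS clients consuming server certificates
+      - TLS servers consuming client certificates
+      - Hosting providers taking certificates or private keys from customers
+      - Certificate authorities parsing certification requests from subscribers
+      - Anything else which parses ASN.1 elliptic curve parameters
+
+     Also any other applications that use the BN_mod_sqrt() where the attacker
+     can control the parameter values are vulnerable to this DoS issue.
+     (CVE-2022-0778)
+     [Tomáš Mráz]
+
+  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+     to the list of ciphersuites providing Perfect Forward Secrecy as
+     required by SECLEVEL >= 3.
+
+     [Dmitry Belyavskiy, Nicola Tuveri]
+
  Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
 
   *) Avoid loading of a dynamic engine twice.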

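--- a/libs/openssl/Configurations/10-main.conf
+++ b/libs/openssl/Configurations/10-main.conf
@@ -988,6 +988,13 @@ my %targets = (
         perlasm_scheme   => "elf",
     },
 
+    # riscv64 below refers to contemporary RISCV Architecture
+    # specifications,
+    "BSD-riscv64" => {
+        inherit_from     => [ "BSD-generic64"],
+        perlasm_scheme   => "linux64",
+    },
+
     "bsdi-elf-gcc" => {
         inherit_from     => [ "BASE_unix", asm("x86_elf_asm") ],
         CC               => "gcc",
@@ -1765,7 +1772,7 @@ my %targets = (
 
         disable          => add('pinshared'),
 
-        apps_aux_src     => "vms_term_sock.c",
+        apps_aux_src     => "vms_term_sock.c vms_decc_argv.c",
         apps_init_src    => "vms_decc_init.c",
     },
 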

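--- a/libs/openssl/Configurations/descrip.mms.tmpl
+++ b/libs/openssl/Configurations/descrip.mms.tmpl
@@ -438,7 +438,8 @@ test : tests
         DEFINE SRCTOP {- sourcedir() -}
         DEFINE BLDTOP {- builddir() -}
         DEFINE RESULT_D {- builddir(qw(test test-runs)) -}
-        DEFINE OPENSSL_ENGINES {- builddir("engines") -}
+        engines = F$PARSE("{- builddir("engines") -}","A.;",,,"syntax_only") - "A.;"
+        DEFINE OPENSSL_ENGINES 'engines'
         DEFINE OPENSSL_DEBUG_MEMORY "on"
         IF "$(VERBOSE)" .NES. "" THEN DEFINE VERBOSE "$(VERBOSE)"
         $(PERL) {- sourcefile("test", "run_tests.pl") -} $(TESTS)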

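--- a/libs/openssl/Configure
+++ b/libs/openssl/Configure
@@ -3161,25 +3161,25 @@ sub resolve_config {
         }
     }
 
-    foreach (sort keys %all_keys) {
-        my $previous = $combined_inheritance{$_};
+    foreach my $key (sort keys %all_keys) {
+        my $previous = $combined_inheritance{$key};
 
         # Current target doesn't have a value for the current key?
         # Assign it the default combiner, the rest of this loop body
         # will handle it just like any other coderef.
-        if (!exists $table{$target}->{$_}) {
-            $table{$target}->{$_} = $default_combiner;
+        if (!exists $table{$target}->{$key}) {
+            $table{$target}->{$key} = $default_combiner;
         }
 
-        $table{$target}->{$_} = process_values($table{$target}->{$_},
-                                               $combined_inheritance{$_},
-                                               $target, $_);
-        unless(defined($table{$target}->{$_})) {
-            delete $table{$target}->{$_};
+        $table{$target}->{$key} = process_values($table{$target}->{$key},
+                                               $combined_inheritance{$key},
+                                               $target, $key);
+        unless(defined($table{$target}->{$key})) {
+            delete $table{$target}->{$key};
         }
 #        if ($extra_checks &&
-#            $previous && !($add_called ||  $previous ~~ $table{$target}->{$_})) {
-#            warn "$_ got replaced in $target\n";
+#            $previous && !($add_called ||  $previous ~~ $table{$target}->{$key})) {
+#            warn "$key got replaced in $target\n";
 #        }
     }
 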

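--- a/libs/openssl/NEWS
+++ b/libs/openssl/NEWS
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
+
+      o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
+        forever for non-prime moduli ([CVE-2022-0778])
+
   Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
 
       o None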

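--- a/libs/openssl/README
+++ b/libs/openssl/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1m 14 Dec 2021
+ OpenSSL 1.1.1n 15 Mar 2022
 
  Copyright (c) 1998-2021 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson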

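--- a/libs/openssl/apps/apps.c
+++ b/libs/openssl/apps/apps.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -300,9 +300,13 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
         int ui_flags = 0;
         const char *prompt_info = NULL;
         char *prompt;
+        int pw_min_len = PW_MIN_LENGTH;
 
         if (cb_data != NULL && cb_data->prompt_info != NULL)
             prompt_info = cb_data->prompt_info;
+        if (cb_data != NULL && cb_data->password != NULL
+                && *(const char*)cb_data->password != '\0')
+            pw_min_len = 1;
         prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
         if (!prompt) {
             BIO_printf(bio_err, "Out of memory\n");
@@ -317,12 +321,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
         (void)UI_add_user_data(ui, cb_data);
 
         ok = UI_add_input_string(ui, prompt, ui_flags, buf,
-                                 PW_MIN_LENGTH, bufsiz - 1);
+                                 pw_min_len, bufsiz - 1);
 
         if (ok >= 0 && verify) {
             buff = app_malloc(bufsiz, "password buffer");
             ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
-                                      PW_MIN_LENGTH, bufsiz - 1, buf);
+                                      pw_min_len, bufsiz - 1, buf);
         }
         if (ok >= 0)
             do {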
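Review bot: The new `pw_min_len = 1` branch in `password_callback` has no comment saying why a non-empty `cb_data->password` lowers the minimum from `PW_MIN_LENGTH`, and the reason cannot be read from the hunks, since the function starts and ends outside them. A short why-comment above the `if` would help, for example `/* a password supplied by the caller must not be rejected by the interactive minimum length */`, if that is indeed the intent. Because this relaxes a length floor on a secret, the comment should also state that the floor still applies when the user is actually prompted. The cast is written `(const char*)`; `(const char *)` matches the spacing used elsewhere in the function (`const char *prompt_info`).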

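--- a/libs/openssl/apps/openssl.c
+++ b/libs/openssl/apps/openssl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -120,7 +120,6 @@ int main(int argc, char *argv[])
 {
     FUNCTION f, *fp;
     LHASH_OF(FUNCTION) *prog = NULL;
-    char **copied_argv = NULL;
     char *p, *pname;
     char buf[1024];
     const char *prompt;
@@ -137,7 +136,7 @@ int main(int argc, char *argv[])
     bio_err = dup_bio_err(FORMAT_TEXT);
 
 #if defined(OPENSSL_SYS_VMS) && defined(__DECC)
-    copied_argv = argv = copy_argv(&argc, argv);
+    argv = copy_argv(&argc, argv);
 #elif defined(_WIN32)
     /*
      * Replace argv[] with UTF-8 encoded strings.
@@ -258,7 +257,6 @@ int main(int argc, char *argv[])
     }
     ret = 1;
  end:
-    OPENSSL_free(copied_argv);
     OPENSSL_free(default_config_file);
     lh_FUNCTION_free(prog);
     OPENSSL_free(arg.argv);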
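Review bot: With `copied_argv` and its `OPENSSL_free` removed, `main` no longer shows who releases the array returned by `copy_argv` on the VMS/DEC C path. The commit's file list names a new `apps/vms_decc_argv.c`, which presumably takes over ownership, but that file is not on this part of the page. A comment at the call, such as `/* copy_argv() keeps ownership of the returned array; do not free it here */`, would stop a later reader from re-adding the free (a double free if the callee also releases it) or from reporting a leak. `main` continues outside the hunks.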

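--- a/libs/openssl/apps/passwd.c
+++ b/libs/openssl/apps/passwd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -407,7 +407,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
         n >>= 1;
     }
     if (!EVP_DigestFinal_ex(md, buf, NULL))
-        return NULL;
+        goto err;
 
     for (i = 0; i < 1000; i++) {
         if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
@@ -633,7 +633,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
         n >>= 1;
     }
     if (!EVP_DigestFinal_ex(md, buf, NULL))
-        return NULL;
+        goto err;
 
     /* P sequence */
     if (!EVP_DigestInit_ex(md2, sha, NULL))
@@ -644,7 +644,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
             goto err;
 
     if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
-        return NULL;
+        goto err;
 
     if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL)
         goto err;
@@ -661,7 +661,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt)
             goto err;
 
     if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
-        return NULL;
+        goto err;
 
     if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL)
         goto err;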

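--- a/libs/openssl/apps/s_client.c
+++ b/libs/openssl/apps/s_client.c
@@ -938,6 +938,7 @@ int s_client_main(int argc, char **argv)
     struct timeval tv;
 #endif
     const char *servername = NULL;
+    char *sname_alloc = NULL;
     int noservername = 0;
     const char *alpn_in = NULL;
     tlsextctx tlsextcbp = { NULL, 0 };
@@ -1588,6 +1589,15 @@ int s_client_main(int argc, char **argv)
                        "%s: -proxy argument malformed or ambiguous\n", prog);
             goto end;
         }
+        if (servername == NULL && !noservername) {
+            res = BIO_parse_hostserv(connectstr, &sname_alloc, NULL, BIO_PARSE_PRIO_HOST);
+            if (!res) {
+                BIO_printf(bio_err,
+                        "%s: -connect argument malformed or ambiguous\n", prog);
+                goto end;
+            }
+            servername = sname_alloc;
+        }
     } else {
         int res = 1;
         char *tmp_host = host, *tmp_port = port;
@@ -3149,6 +3159,7 @@ int s_client_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SRP
     OPENSSL_free(srp_arg.srppassin);
 #endif
+    OPENSSL_free(sname_alloc);
     OPENSSL_free(connectstr);
     OPENSSL_free(bindstr);
     OPENSSL_free(bindhost);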
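Review bot: The host parsed from `-connect` in the `-proxy` branch is assigned to `servername` with no visible check that it is a DNS name, so an IP-literal target may end up as the SNI value unless code outside this hunk filters it; that is worth confirming against the later SNI setup. The `BIO_parse_hostserv(...)` line also runs past 80 columns and could be wrapped after `&sname_alloc,`. A short comment such as `/* with -proxy, take the SNI name from the -connect target, not the proxy host */` would record the intent, which is presumably what the change is for. s_client_main starts and ends outside these hunks.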

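--- a/libs/openssl/apps/s_socket.c
+++ b/libs/openssl/apps/s_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -147,7 +147,7 @@ int init_client(int *sock, const char *host, const char *port,
 #endif
 
         if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
-                         protocol == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
+                         BIO_ADDRINFO_protocol(ai) == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
             BIO_closesocket(*sock);
             *sock = INVALID_SOCKET;
             continue;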

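--- a/libs/openssl/apps/vms_decc_argv.c
+++ b/libs/openssl/apps/vms_decc_argv.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdlib.h>
+#include <openssl/crypto.h>
+#include "apps.h"                /* for app_malloc() and copy_argv() */
+
+char **newargv = NULL;
+
+static void cleanup_argv(void)
+{
+    OPENSSL_free(newargv);
+    newargv = NULL;
+}
+
+char **copy_argv(int *argc, char *argv[])
+{
+    /*-
+     * The note below is for historical purpose.  On VMS now we always
+     * copy argv "safely."
+     *
+     * 2011-03-22 SMS.
+     * If we have 32-bit pointers everywhere, then we're safe, and
+     * we bypass this mess, as on non-VMS systems.
+     * Problem 1: Compaq/HP C before V7.3 always used 32-bit
+     * pointers for argv[].
+     * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
+     * everywhere else, we always allocate and use a 64-bit
+     * duplicate of argv[].
+     * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
+     * to NULL-terminate a 64-bit argv[].  (As this was written, the
+     * compiler ECO was available only on IA64.)
+     * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
+     * 64-bit argv[argc] for NULL, and, if necessary, use a
+     * (properly) NULL-terminated (64-bit) duplicate of argv[].
+     * The same code is used in either case to duplicate argv[].
+     * Some of these decisions could be handled in preprocessing,
+     * but the code tends to get even uglier, and the penalty for
+     * deciding at compile- or run-time is tiny.
+     */
+
+    int i, count = *argc;
+    char **p = newargv;
+
+    cleanup_argv();
+
+    newargv = app_malloc(sizeof(*newargv) * (count + 1), "argv copy");
+    if (newargv == NULL)
+        return NULL;
+
+    /* Register automatic cleanup on first use */
+    if (p == NULL)
+        OPENSSL_atexit(cleanup_argv);
+
+    for (i = 0; i < count; i++)
+        newargv[i] = argv[i];
+    newargv[i] = NULL;
+    *argc = i;
+    return newargv;
+}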
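Review bot: `char **newargv = NULL;` has external linkage under a very generic name; unless another file declares it `extern`, `static char **newargv = NULL;` keeps it private to this translation unit. Each call to copy_argv() frees the previous array through cleanup_argv(), so a pointer returned by an earlier call dangles after a second call; a comment above the function stating that only the most recent result is valid would make that contract explicit. The return value of `OPENSSL_atexit(cleanup_argv)` is ignored, and `count + 1` is computed in `int` with no guard against a negative `*argc`.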

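--- a/libs/openssl/apps/vms_decc_init.c
+++ b/libs/openssl/apps/vms_decc_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -25,8 +25,6 @@
 # include <stdlib.h>
 # include <unixlib.h>
 
-# include "apps.h"
-
 /* Global storage. */
 
 /* Flag to sense if decc_init() was called. */
@@ -63,42 +61,6 @@ decc_feat_t decc_feat_array[] = {
 };
 
 
-char **copy_argv(int *argc, char *argv[])
-{
-    /*-
-     * The note below is for historical purpose.  On VMS now we always
-     * copy argv "safely."
-     *
-     * 2011-03-22 SMS.
-     * If we have 32-bit pointers everywhere, then we're safe, and
-     * we bypass this mess, as on non-VMS systems.
-     * Problem 1: Compaq/HP C before V7.3 always used 32-bit
-     * pointers for argv[].
-     * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
-     * everywhere else, we always allocate and use a 64-bit
-     * duplicate of argv[].
-     * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
-     * to NULL-terminate a 64-bit argv[].  (As this was written, the
-     * compiler ECO was available only on IA64.)
-     * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
-     * 64-bit argv[argc] for NULL, and, if necessary, use a
-     * (properly) NULL-terminated (64-bit) duplicate of argv[].
-     * The same code is used in either case to duplicate argv[].
-     * Some of these decisions could be handled in preprocessing,
-     * but the code tends to get even uglier, and the penalty for
-     * deciding at compile- or run-time is tiny.
-     */
-
-    int i, count = *argc;
-    char **newargv = app_malloc(sizeof(*newargv) * (count + 1), "argv copy");
-
-    for (i = 0; i < count; i++)
-        newargv[i] = argv[i];
-    newargv[i] = NULL;
-    *argc = i;
-    return newargv;
-}
-
 /* LIB$INITIALIZE initialization function. */
 
 static void decc_init(void)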

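--- a/libs/openssl/config
+++ b/libs/openssl/config
@@ -704,6 +704,7 @@ case "$GUESSOS" in
 			__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DL_ENDIAN" ;;
   powerpc64-*-*bsd*)	OUT="BSD-generic64";
 			__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
+  riscv64-*-*bsd*)	OUT="BSD-riscv64" ;;
   sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
   ia64-*-*bsd*)		OUT="BSD-ia64" ;;
   x86_64-*-dragonfly*)  OUT="BSD-x86_64" ;;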

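--- a/libs/openssl/crypto/asn1/charmap.h
+++ b/libs/openssl/crypto/asn1/charmap.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/asn1/charmap.pl
  *
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy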

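--- a/libs/openssl/crypto/bio/b_addr.c
+++ b/libs/openssl/crypto/bio/b_addr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -744,7 +744,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
 # pragma pointer_size 32
 #endif
         /* Windows doesn't seem to have in_addr_t */
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
         static uint32_t he_fallback_address;
         static const char *he_fallback_addresses[] =
             { (char *)&he_fallback_address, NULL };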
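Review bot: The comment `/* Windows doesn't seem to have in_addr_t */` directly above the changed `#if` now covers only half of the condition; something like `/* Windows and MSDOS builds don't seem to have in_addr_t */` keeps it in step with the added `defined(OPENSSL_SYS_MSDOS)`. The matching `#else`/`#endif` and the rest of BIO_lookup_ex lie outside the hunk, so whether the other branch needs a similar wording change cannot be checked here.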

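--- a/libs/openssl/crypto/bn/bn_exp2.c
+++ b/libs/openssl/crypto/bn/bn_exp2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -32,7 +32,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
     bn_check_top(p2);
     bn_check_top(m);
 
-    if (!(m->d[0] & 1)) {
+    if (!BN_is_odd(m)) {
         BNerr(BN_F_BN_MOD_EXP2_MONT, BN_R_CALLED_WITH_EVEN_MODULUS);
         return 0;
     }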
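Review bot: The switch to `BN_is_odd(m)` has no comment explaining why the direct limb read `m->d[0] & 1` was dropped; a line such as `/* BN_is_odd() copes with a zero-valued modulus, reading m->d[0] directly may not */` would record the reason, assuming that is the motivation (confirm against BN_is_odd's definition). The rest of BN_mod_exp2_mont is outside the hunk.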

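--- a/libs/openssl/crypto/bn/bn_prime.h
+++ b/libs/openssl/crypto/bn/bn_prime.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/bn/bn_prime.pl
  *
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy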

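--- a/libs/openssl/crypto/bn/bn_print.c
+++ b/libs/openssl/crypto/bn/bn_print.c
@@ -142,7 +142,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
         continue;
 
     if (i == 0 || i > INT_MAX / 4)
-        goto err;
+        return 0;
 
     num = i + neg;
     if (bn == NULL)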
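Review bot: The early `return 0;` replaces `goto err;` without saying why, and the `err` label is outside this hunk; if that label touches `*bn`, the jump was unsafe at this point because `bn == NULL` is only tested two lines later. A comment such as `/* nothing allocated yet, and err may dereference bn */` would record the reason. BN_dec2bn in the same file is not shown, so it is worth checking whether it carries the same early length check.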

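--- a/libs/openssl/crypto/bn/bn_sqrt.c
+++ b/libs/openssl/crypto/bn/bn_sqrt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 /*
  * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
  * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
  */
 {
     BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
             goto vrfy;
         }
 
-        /* find smallest  i  such that  b^(2^i) = 1 */
-        i = 1;
-        if (!BN_mod_sqr(t, b, p, ctx))
-            goto end;
-        while (!BN_is_one(t)) {
-            i++;
-            if (i == e) {
-                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-                goto end;
+        /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+        for (i = 1; i < e; i++) {
+            if (i == 1) {
+                if (!BN_mod_sqr(t, b, p, ctx))
+                    goto end;
+
+            } else {
+                if (!BN_mod_mul(t, t, t, p, ctx))
+                    goto end;
             }
-            if (!BN_mod_mul(t, t, t, p, ctx))
-                goto end;
+            if (BN_is_one(t))
+                break;
+        }
+        /* If not found, a is not a square or p is not prime. */
+        if (i >= e) {
+            BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+            goto end;
         }
 
         /* t := y^2^(e - i - 1) */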
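Review bot: After the bounded search the code raises `BN_R_NOT_A_SQUARE` for both outcomes named in the new comment (`a is not a square or p is not prime`), so a caller cannot tell a bad modulus from a non-residue; the function's header comment should say so, e.g. `A composite 'p' may be reported as BN_R_NOT_A_SQUARE.` The added blank line before `} else {` inside the loop is stray. No test for a composite `p` is visible in this section (it may be in another file of the commit); one that only requires BN_mod_sqrt to return would pin the `i < e` bound. BN_mod_sqrt's body continues outside both hunks.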

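--- a/libs/openssl/crypto/conf/conf_def.h
+++ b/libs/openssl/crypto/conf/conf_def.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/conf/keysets.pl
  *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at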

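--- a/libs/openssl/crypto/engine/eng_all.c
+++ b/libs/openssl/crypto/engine/eng_all.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -12,9 +12,6 @@
 
 void ENGINE_load_builtin_engines(void)
 {
-    /* Some ENGINEs need this */
-    OPENSSL_cpuid_setup();
-
     OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
 }
 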

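--- a/libs/openssl/crypto/engine/eng_dyn.c
+++ b/libs/openssl/crypto/engine/eng_dyn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -443,8 +443,17 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
          * We fail if the version checker veto'd the load *or* if it is
          * deferring to us (by returning its version) and we think it is too
          * old.
+         * Unfortunately the version checker does not distinguish between
+         * engines built for openssl 1.1.x and openssl 3.x, but loading
+         * an engine that is built for openssl 3.x will cause a fatal
+         * error.  Detect such engines, since EVP_PKEY_get_base_id is exported
+         * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
+         * in openssl 1.1.x.  Therefore we take the presence of that symbol
+         * as an indication that the engine will be incompatible.
          */
-        if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
+        if (vcheck_res < OSSL_DYNAMIC_OLDEST
+                || DSO_bind_func(ctx->dynamic_dso,
+                                 "EVP_PKEY_get_base_id") != NULL) {
             /* Fail */
             ctx->bind_engine = NULL;
             ctx->v_check = NULL;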
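Review bot: The probe `DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL` is expected to miss for every compatible engine, and a failed symbol lookup may leave an entry on the error queue; if DSO_bind_func does record an error on a miss, bracket the probe with `ERR_set_mark()` and `ERR_pop_to_mark()` so a successful load does not carry a stale error. The check is a symbol-name heuristic rather than a version contract, as the new comment admits, yet the failure path below it looks like an ordinary version veto, so a distinct error reason would help whoever has to diagnose a rejected engine. dynamic_load starts and ends outside the hunk.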

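--- a/libs/openssl/crypto/evp/digest.c
+++ b/libs/openssl/crypto/evp/digest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -15,6 +15,22 @@
 #include "crypto/evp.h"
 #include "evp_local.h"
 
+
+static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
+{
+    if (ctx->digest != NULL) {
+        if (ctx->digest->cleanup != NULL
+                && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
+            ctx->digest->cleanup(ctx);
+        if (ctx->md_data != NULL && ctx->digest->ctx_size > 0
+                && (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)
+                    || force)) {
+            OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
+            ctx->md_data = NULL;
+        }
+    }
+}
+
 /* This call frees resources associated with the context */
 int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
 {
@@ -25,13 +41,8 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
      * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
      * sometimes only copies of the context are ever finalised.
      */
-    if (ctx->digest && ctx->digest->cleanup
-        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
-        ctx->digest->cleanup(ctx);
-    if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
-        && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
-        OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-    }
+    cleanup_old_md_data(ctx, 0);
+
     /*
      * pctx should be freed by the user of EVP_MD_CTX
      * if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
@@ -76,6 +87,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
     if (ctx->engine && ctx->digest &&
         (type == NULL || (type->type == ctx->digest->type)))
         goto skip_to_init;
+
     if (type) {
         /*
          * Ensure an ENGINE left lying around from last time is cleared (the
@@ -119,10 +131,8 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
     }
 #endif
     if (ctx->digest != type) {
-        if (ctx->digest && ctx->digest->ctx_size) {
-            OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-            ctx->md_data = NULL;
-        }
+        cleanup_old_md_data(ctx, 1);
+
         ctx->digest = type;
         if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
             ctx->update = type->update;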
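Review bot: `cleanup_old_md_data(EVP_MD_CTX *ctx, int force)` has no comment, so the meaning of `force` has to be read off the two call sites; a header such as `/* Run the digest's cleanup hook and free md_data; force != 0 frees it even if EVP_MD_CTX_FLAG_REUSE is set */` would document it. The EVP_DigestInit_ex call site used to free `md_data` without calling `ctx->digest->cleanup`, so routing it through the helper adds that call there; if this is intended it deserves a mention in the comment. The helper dereferences `ctx` unconditionally and therefore relies on both callers having rejected a NULL context, which happens outside the visible hunks if at all.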

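--- a/libs/openssl/crypto/lhash/lhash.c
+++ b/libs/openssl/crypto/lhash/lhash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -343,7 +343,8 @@ unsigned long OPENSSL_LH_strhash(const char *c)
         v = n | (*c);
         n += 0x100;
         r = (int)((v >> 2) ^ v) & 0x0f;
-        ret = (ret << r) | (ret >> (32 - r));
+        /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+        ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
         ret &= 0xFFFFFFFFL;
         ret ^= v * v;
         c++;
@@ -364,7 +365,8 @@ unsigned long openssl_lh_strcasehash(const char *c)
     for (n = 0x100; *c != '\0'; n += 0x100) {
         v = n | ossl_tolower(*c);
         r = (int)((v >> 2) ^ v) & 0x0f;
-        ret = (ret << r) | (ret >> (32 - r));
+        /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+        ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
         ret &= 0xFFFFFFFFL;
         ret ^= v * v;
         c++;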
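Review bot: The comment `/* cast to uint64_t to avoid 32 bit shift of 32 bit value */` does not say when the problem arises: `r` is masked with `0x0f`, so `32 - r` equals 32 exactly when `r == 0`, and shifting a 32-bit `unsigned long` by its full width is undefined. A wording like `/* r can be 0; widen so that >> 32 is defined where unsigned long is 32 bits */` states that directly, and it applies equally to the identical line in openssl_lh_strcasehash in the second hunk. Both function bodies extend beyond the hunks, so the include that provides `uint64_t` is not visible here.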

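--- a/libs/openssl/crypto/objects/obj_dat.c
+++ b/libs/openssl/crypto/objects/obj_dat.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -228,9 +228,10 @@ ASN1_OBJECT *OBJ_nid2obj(int n)
             return NULL;
         }
         return (ASN1_OBJECT *)&(nid_objs[n]);
-    } else if (added == NULL)
+    } else if (added == NULL) {
+        OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID);
         return NULL;
-    else {
+    } else {
         ad.type = ADDED_NID;
         ad.obj = &ob;
         ob.nid = n;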
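Review bot: Only the `added == NULL` branch of OBJ_nid2obj gains `OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID)`; the lookup in the final `else` branch continues past the hunk, so whether a miss there reports the same error cannot be seen here. If the sibling lookups OBJ_nid2sn and OBJ_nid2ln (not shown) have the same silent branch, they should be changed together so that all three fail alike.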

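--- a/libs/openssl/crypto/objects/obj_dat.h
+++ b/libs/openssl/crypto/objects/obj_dat.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/objects/obj_dat.pl
  *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at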

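--- a/libs/openssl/crypto/objects/obj_xref.h
+++ b/libs/openssl/crypto/objects/obj_xref.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by objxref.pl
  *
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy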

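--- a/libs/openssl/crypto/ui/ui_openssl.c
+++ b/libs/openssl/crypto/ui/ui_openssl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -572,6 +572,8 @@ static int echo_console(UI *ui)
 
 static int close_console(UI *ui)
 {
+    int ret = 1;
+
     if (tty_in != stdin)
         fclose(tty_in);
     if (tty_out != stderr)
@@ -584,12 +586,12 @@ static int close_console(UI *ui)
         BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
         UIerr(UI_F_CLOSE_CONSOLE, UI_R_SYSDASSGN_ERROR);
         ERR_add_error_data(2, "status=", tmp_num);
-        return 0;
+        ret = 0;
     }
 # endif
     CRYPTO_THREAD_unlock(ui->lock);
 
-    return 1;
+    return ret;
 }
 
 # if !defined(OPENSSL_SYS_WINCE)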

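--- a/libs/openssl/crypto/x509/x509_vfy.c
+++ b/libs/openssl/crypto/x509/x509_vfy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -2201,6 +2201,12 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
     /* If purpose not set use default */
     if (!purpose)
         purpose = def_purpose;
+    /*
+     * If purpose is set but we don't have a default then set the default to
+     * the current purpose
+     */
+    else if (def_purpose == 0)
+        def_purpose = purpose;
     /* If we have a purpose then check it is valid */
     if (purpose) {
         X509_PURPOSE *ptmp;
@@ -2213,11 +2219,6 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
         ptmp = X509_PURPOSE_get0(idx);
         if (ptmp->trust == X509_TRUST_DEFAULT) {
             idx = X509_PURPOSE_get_by_id(def_purpose);
-            /*
-             * XXX: In the two callers above def_purpose is always 0, which is
-             * not a known value, so idx will always be -1.  How is the
-             * X509_TRUST_DEFAULT case actually supposed to be handled?
-             */
             if (idx == -1) {
                 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
                         X509_R_UNKNOWN_PURPOSE_ID);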
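Review bot: The new `else if (def_purpose == 0)` is separated from its `if (!purpose)` by a four-line comment and neither branch is braced, which makes the pairing easy to misread in certificate-verification code; bracing both branches and moving the comment inside the `else if` body would make it unambiguous. The removed `XXX` comment explained why `idx` could be -1 after `X509_PURPOSE_get_by_id(def_purpose)`; a short replacement such as `/* def_purpose was defaulted to purpose above if the caller passed 0 */` would keep that context at the lookup. X509_STORE_CTX_purpose_inherit continues outside both hunks.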

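--- a/libs/openssl/crypto/x509v3/v3_utl.c
+++ b/libs/openssl/crypto/x509v3/v3_utl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -538,8 +538,11 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
         return 0;
 
     emtmp = OPENSSL_strndup((char *)email->data, email->length);
-    if (emtmp == NULL)
+    if (emtmp == NULL) {
+        X509_email_free(*sk);
+        *sk = NULL;
         return 0;
+    }
 
     /* Don't add duplicates */
     if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
@@ -828,8 +831,11 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
             rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
         else if (a->length == (int)blen && !memcmp(a->data, b, blen))
             rv = 1;
-        if (rv > 0 && peername)
+        if (rv > 0 && peername != NULL) {
             *peername = OPENSSL_strndup((char *)a->data, a->length);
+            if (*peername == NULL)
+                return -1;
+        }
     } else {
         int astrlen;
         unsigned char *astr;
@@ -842,8 +848,13 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
             return -1;
         }
         rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
-        if (rv > 0 && peername)
+        if (rv > 0 && peername != NULL) {
             *peername = OPENSSL_strndup((char *)astr, astrlen);
+            if (*peername == NULL) {
+                OPENSSL_free(astr);
+                return -1;
+            }
+        }
         OPENSSL_free(astr);
     }
     return rv;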
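Review bot: In the last do_check_string hunk the allocation-failure path duplicates `OPENSSL_free(astr)`; setting `rv = -1` there and falling through to the existing free leaves a single cleanup path, i.e. `if (*peername == NULL) rv = -1;`. In append_ia5 the new failure branch calls `X509_email_free(*sk)` and sets `*sk = NULL`, which discards entries added by earlier calls; a comment saying that the caller's stack is destroyed on error would make that visible, assuming the other error paths outside the hunk behave the same way. Both functions start and end outside the hunks.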

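--- a/libs/openssl/doc/man1/cms.pod
+++ b/libs/openssl/doc/man1/cms.pod
@@ -719,6 +719,9 @@ the list of permitted ciphers in a database and only use those.
 
 No revocation checking is done on the signer's certificate.
 
+The B<-binary> option does not work correctly when processing text input which
+(contrary to the S/MIME specification) uses LF rather than CRLF line endings.
+
 =head1 HISTORY
 
 The use of multiple B<-signer> options and the B<-resign> command were first
@@ -735,7 +738,7 @@ The -no_alt_chains option was added in OpenSSL 1.0.2b.
 
 =head1 COPYRIGHT
 
-Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy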

+ 2 - 2
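--- a/libs/openssl/doc/man3/BIO_ctrl.pod
+++ b/libs/openssl/doc/man3/BIO_ctrl.pod
@@ -16,7 +16,7 @@ BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb
 
  long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg);
  long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb);
- char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
+ void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
  long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
 
  int BIO_reset(BIO *b);
@@ -126,7 +126,7 @@ the case of BIO_seek() on a file BIO for a successful operation.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy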

+ 17 - 4
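--- a/libs/openssl/doc/man3/BIO_f_base64.pod
+++ b/libs/openssl/doc/man3/BIO_f_base64.pod
@@ -21,13 +21,26 @@ any data read through it.
 
 Base64 BIOs do not support BIO_gets() or BIO_puts().
 
+For writing, output is by default divided to lines of length 64
+characters and there is always a newline at the end of output.
+
+For reading, first line should be at most 1024
+characters long. If it is longer then it is ignored completely.
+Other input lines can be of any length. There must be a newline
+at the end of input.
+
+This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.
+
 BIO_flush() on a base64 BIO that is being written through is
 used to signal that no more data is to be encoded: this is used
 to flush the final block through the BIO.
 
-The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags()
-to encode the data all on one line or expect the data to be all
-on one line.
+The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().
+For writing, it causes all data to be written on one line without
+newline at the end.
+For reading, it forces the decoder to process the data regardless
+of newlines. All newlines are ignored and the input does not need
+to contain any newline at all.
 
 =head1 NOTES
 
@@ -81,7 +94,7 @@ to reliably determine EOF (for example a MIME boundary).
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy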

+ 14 - 3
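--- a/libs/openssl/doc/man3/BN_add.pod
+++ b/libs/openssl/doc/man3/BN_add.pod
@@ -3,7 +3,7 @@
 =head1 NAME
 
 BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
 arithmetic operations on BIGNUMs
 
 =head1 SYNOPSIS
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
 
  int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
 
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
  int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
 
  int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
 BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
 result in I<r>.
 
+BN_mod_sqrt() returns the modular square root of I<a> such that
+C<in^2 = a (mod p)>. The modulus I<p> must be a
+prime, otherwise an error or an incorrect "result" will be returned.
+The result is stored into I<in> which can be NULL. The result will be
+newly allocated in that case.
+
 BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
 (C<r=a^p>). This function is faster than repeated applications of
 BN_mul().
@@ -108,7 +116,10 @@ the arguments.
 
 =head1 RETURN VALUES
 
-For all functions, 1 is returned for success, 0 on error. The return
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
+not a prime), or NULL.
+
+For all remaining functions, 1 is returned for success, 0 on error. The return
 value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
 The error codes can be obtained by L<ERR_get_error(3)>.
 
@@ -119,7 +130,7 @@ L<BN_add_word(3)>, L<BN_set_bit(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy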

+ 2 - 1
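--- a/libs/openssl/doc/man3/DEFINE_STACK_OF.pod
+++ b/libs/openssl/doc/man3/DEFINE_STACK_OF.pod
@@ -238,7 +238,8 @@ sk_TYPE_pop(), sk_TYPE_shift(), sk_TYPE_delete() and sk_TYPE_delete_ptr()
 return a pointer to the deleted element or B<NULL> on error.
 
 sk_TYPE_insert(), sk_TYPE_push() and sk_TYPE_unshift() return the total
-number of elements in the stack and 0 if an error occurred.
+number of elements in the stack and 0 if an error occurred. sk_TYPE_push()
+further returns -1 if B<sk> is B<NULL>.
 
 sk_TYPE_set() returns a pointer to the replacement element or B<NULL> on
 error.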

+ 17 - 17
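--- a/libs/openssl/doc/man3/OBJ_nid2obj.pod
+++ b/libs/openssl/doc/man3/OBJ_nid2obj.pod
@@ -68,13 +68,15 @@ If I<no_name> is 0 then long names and short names will be interpreted
 as well as numerical forms. If I<no_name> is 1 only the numerical form
 is acceptable.
 
-OBJ_obj2txt() converts the B<ASN1_OBJECT> B<a> into a textual representation.
-The representation is written as a null terminated string to B<buf>
-at most B<buf_len> bytes are written, truncating the result if necessary.
-The total amount of space required is returned. If B<no_name> is 0 then
-if the object has a long or short name then that will be used, otherwise
-the numerical form will be used. If B<no_name> is 1 then the numerical
-form will always be used.
+OBJ_obj2txt() converts the B<ASN1_OBJECT> I<a> into a textual representation.
+Unless I<buf> is NULL,
+the representation is written as a NUL-terminated string to I<buf>, where
+at most I<buf_len> bytes are written, truncating the result if necessary.
+In any case it returns the total string length, excluding the NUL character,
+required for non-truncated representation, or -1 on error.
+If I<no_name> is 0 then if the object has a long or short name
+then that will be used, otherwise the numerical form will be used.
+If I<no_name> is 1 then the numerical form will always be used.
 
 i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I<no_name> set to zero.
 
@@ -141,6 +143,13 @@ on error.
 OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
 a NID or B<NID_undef> on error.
 
+OBJ_add_sigid() returns 1 on success or 0 on error.
+
+i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error.
+On success, they return the length of the string written to I<buf> if I<buf> is
+not NULL and I<buf_len> is big enough, otherwise the total string length.
+Note that this does not count the trailing NUL character.
+
 =head1 EXAMPLES
 
 Create an object for B<commonName>:
@@ -161,15 +170,6 @@ Create a new object directly:
 
  obj = OBJ_txt2obj("1.2.3.4", 1);
 
-=head1 BUGS
-
-OBJ_obj2txt() is awkward and messy to use: it doesn't follow the
-convention of other OpenSSL functions where the buffer can be set
-to B<NULL> to determine the amount of data that should be written.
-Instead B<buf> must point to a valid buffer and B<buf_len> should
-be set to a positive value. A buffer length of 80 should be more
-than enough to handle any OID encountered in practice.
-
 =head1 SEE ALSO
 
 L<ERR_get_error(3)>
@@ -181,7 +181,7 @@ and should not be used.
 
 =head1 COPYRIGHT
 
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy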

+ 2 - 2
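--- a/libs/openssl/doc/man3/SSL_CONF_cmd.pod
+++ b/libs/openssl/doc/man3/SSL_CONF_cmd.pod
@@ -434,7 +434,7 @@ B<SessionTicket>: session ticket support, enabled by default. Inverse of
 B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
 B<SSL_OP_NO_TICKET>.
 
-B<Compression>: SSL/TLS compression support, enabled by default. Inverse
+B<Compression>: SSL/TLS compression support, disabled by default. Inverse
 of B<SSL_OP_NO_COMPRESSION>.
 
 B<EmptyFragments>: use empty fragments as a countermeasure against a
@@ -694,7 +694,7 @@ B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy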

+ 69 - 2
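--- a/libs/openssl/doc/man3/X509_STORE_CTX_new.pod
+++ b/libs/openssl/doc/man3/X509_STORE_CTX_new.pod
@@ -11,7 +11,10 @@ X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
 X509_STORE_CTX_get_num_untrusted,
 X509_STORE_CTX_set_default,
 X509_STORE_CTX_set_verify,
-X509_STORE_CTX_verify_fn
+X509_STORE_CTX_verify_fn,
+X509_STORE_CTX_set_purpose,
+X509_STORE_CTX_set_trust,
+X509_STORE_CTX_purpose_inherit
 - X509_STORE_CTX initialisation
 
 =head1 SYNOPSIS
@@ -44,6 +47,11 @@ X509_STORE_CTX_verify_fn
  typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
  void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
 
+ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+                                    int purpose, int trust);
+
 =head1 DESCRIPTION
 
 These functions initialise an B<X509_STORE_CTX> structure for subsequent use
@@ -120,6 +128,65 @@ following signature:
 This function should receive the current X509_STORE_CTX as a parameter and
 return 1 on success or 0 on failure.
 
+X509 certificates may contain information about what purposes keys contained
+within them can be used for. For example "TLS WWW Server Authentication" or
+"Email Protection". This "key usage" information is held internally to the
+certificate itself. In addition the trust store containing trusted certificates
+can declare what purposes we trust different certificates for. This "trust"
+information is not held within the certificate itself but is "meta" information
+held alongside it. This "meta" information is associated with the certificate
+after it is issued and could be determined by a system administrator. For
+example a certificate might declare that it is suitable for use for both
+"TLS WWW Server Authentication" and "TLS Client Authentication", but a system
+administrator might only trust it for the former. An X.509 certificate extension
+exists that can record extended key usage information to supplement the purpose
+information described above. This extended mechanism is arbitrarily extensible
+and not well suited for a generic library API; applications that need to
+validate extended key usage information in certifiates will need to define a
+custom "purpose" (see below) or supply a nondefault verification callback
+(L<X509_STORE_set_verify_cb_func(3)>).
+
+X509_STORE_CTX_set_purpose() sets the purpose for the target certificate being
+verified in the I<ctx>. Built-in available values for the I<purpose> argument
+are B<X509_PURPOSE_SSL_CLIENT>, B<X509_PURPOSE_SSL_SERVER>,
+B<X509_PURPOSE_NS_SSL_SERVER>, B<X509_PURPOSE_SMIME_SIGN>,
+B<X509_PURPOSE_SMIME_ENCRYPT>, B<X509_PURPOSE_CRL_SIGN>, B<X509_PURPOSE_ANY>,
+B<X509_PURPOSE_OCSP_HELPER> and B<X509_PURPOSE_TIMESTAMP_SIGN>. It is also
+possible to create a custom purpose value. Setting a purpose will ensure that
+the key usage declared within certificates in the chain being verified is
+consistent with that purpose as well as, potentially, other checks. Every
+purpose also has an associated default trust value which will also be set at the
+same time. During verification this trust setting will be verified to check it
+is consistent with the trust set by the system administrator for certificates in
+the chain.
+
+X509_STORE_CTX_set_trust() sets the trust value for the target certificate
+being verified in the I<ctx>. Built-in available values for the I<trust>
+argument are B<X509_TRUST_COMPAT>, B<X509_TRUST_SSL_CLIENT>,
+B<X509_TRUST_SSL_SERVER>, B<X509_TRUST_EMAIL>, B<X509_TRUST_OBJECT_SIGN>,
+B<X509_TRUST_OCSP_SIGN>, B<X509_TRUST_OCSP_REQUEST> and B<X509_TRUST_TSA>. It is
+also possible to create a custom trust value. Since X509_STORE_CTX_set_purpose()
+also sets the trust value it is normally sufficient to only call that function.
+If both are called then X509_STORE_CTX_set_trust() should be called after
+X509_STORE_CTX_set_purpose() since the trust setting of the last call will be
+used.
+
+It should not normally be necessary for end user applications to call
+X509_STORE_CTX_purpose_inherit() directly. Typically applications should call
+X509_STORE_CTX_set_purpose() or X509_STORE_CTX_set_trust() instead. Using this
+function it is possible to set the purpose and trust values for the I<ctx> at
+the same time. The I<def_purpose> and I<purpose> arguments can have the same
+purpose values as described for X509_STORE_CTX_set_purpose() above. The I<trust>
+argument can have the same trust values as described in
+X509_STORE_CTX_set_trust() above. Any of the I<def_purpose>, I<purpose> or
+I<trust> values may also have the value 0 to indicate that the supplied
+parameter should be ignored. After calling this function the purpose to be used
+for verification is set from the I<purpose> argument, and the trust is set from
+the I<trust> argument. If I<trust> is 0 then the trust value will be set from
+the default trust value for I<purpose>. If the default trust value for the
+purpose is I<X509_TRUST_DEFAULT> and I<trust> is 0 then the default trust value
+associated with the I<def_purpose> value is used for the trust setting instead.
+
 =head1 NOTES
 
 The certificates and CRLs in a store are used internally and should B<not>
@@ -164,7 +231,7 @@ The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy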

+ 3 - 1
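--- a/libs/openssl/include/internal/sockets.h
+++ b/libs/openssl/include/internal/sockets.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -30,6 +30,8 @@
 #   include <sys/un.h>
 #   include <tcp.h>
 #   include <netdb.h>
+#   include <arpa/inet.h>
+#   include <netinet/tcp.h>
 #  elif defined(_WIN32_WCE) && _WIN32_WCE<410
 #   define getservbyname _masked_declaration_getservbyname
 #  endif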

+ 2 - 1
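--- a/libs/openssl/include/openssl/engine.h
+++ b/libs/openssl/include/openssl/engine.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -722,6 +722,7 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id,
             CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \
                                      fns->mem_fns.realloc_fn, \
                                      fns->mem_fns.free_fn); \
+            OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \
         skip_cbs: \
             if (!fn(e, id)) return 0; \
             return 1; }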
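Review bot: The added `OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL);` call in the bind macro discards its return value, while the statement two lines below treats a failed `fn(e, id)` as fatal and returns 0. If initialisation fails the engine is still bound, so I would either check it, `if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL)) return 0; \`, or cast the call to `(void)` to show the result is ignored on purpose. The line also deserves a comment saying why the flag is passed, presumably so that a libcrypto copy linked into the engine does not register an atexit handler that could run after the engine has been unloaded, e.g. `/* keep the engine's own libcrypto copy from registering an atexit handler */ \`. The macro body starts outside this hunk.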

+ 1 - 1
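--- a/libs/openssl/include/openssl/obj_mac.h
+++ b/libs/openssl/include/openssl/obj_mac.h
@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by crypto/objects/objects.pl
  *
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  * in the file LICENSE in the source distribution or at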

+ 2 - 2
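--- a/libs/openssl/include/openssl/opensslv.h
+++ b/libs/openssl/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010dfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1m  14 Dec 2021"
+# define OPENSSL_VERSION_NUMBER  0x101010efL
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1n  15 Mar 2022"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)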

+ 7 - 7
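--- a/libs/openssl/ssl/s3_lib.c
+++ b/libs/openssl/ssl/s3_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -2171,7 +2171,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
      TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
      TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
-     SSL_kEDH,
+     SSL_kDHE,
      SSL_aDSS,
      SSL_CAMELLIA128,
      SSL_SHA256,
@@ -2187,7 +2187,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
      TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
      TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
-     SSL_kEDH,
+     SSL_kDHE,
      SSL_aRSA,
      SSL_CAMELLIA128,
      SSL_SHA256,
@@ -2203,7 +2203,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
      TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA256,
      TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
-     SSL_kEDH,
+     SSL_kDHE,
      SSL_aNULL,
      SSL_CAMELLIA128,
      SSL_SHA256,
@@ -2235,7 +2235,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
      TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
      TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
-     SSL_kEDH,
+     SSL_kDHE,
      SSL_aDSS,
      SSL_CAMELLIA256,
      SSL_SHA256,
@@ -2251,7 +2251,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
      TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
      TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
-     SSL_kEDH,
+     SSL_kDHE,
      SSL_aRSA,
      SSL_CAMELLIA256,
      SSL_SHA256,
@@ -2267,7 +2267,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
      TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
      TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256,
      TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
-     SSL_kEDH,
+     SSL_kDHE,
      SSL_aNULL,
      SSL_CAMELLIA256,
      SSL_SHA256,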

+ 4 - 3
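--- a/libs/openssl/ssl/ssl_cert.c
+++ b/libs/openssl/ssl/ssl_cert.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -901,7 +901,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid, void *other,
                                          void *ex)
 {
-    int level, minbits;
+    int level, minbits, pfs_mask;
 
     minbits = ssl_get_security_level_bits(s, ctx, &level);
 
@@ -936,8 +936,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
             if (level >= 2 && c->algorithm_enc == SSL_RC4)
                 return 0;
             /* Level 3: forward secure ciphersuites only */
+            pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
             if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
-                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+                               !(c->algorithm_mkey & pfs_mask))
                 return 0;
             break;
         }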
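Review bot: `pfs_mask` is a fixed property of the key-exchange flags, yet it is declared as a plain `int` at the top of `ssl_security_default_callback` and re-assigned inside the cipher case each time that case runs. A named constant next to the `SSL_k*` definitions, or at least `const int pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;` at the declaration, would keep the list of forward-secret exchanges in one place for any other check that needs it. The comment `/* Level 3: forward secure ciphersuites only */` should also say which exchanges qualify and that TLS 1.3 suites are exempted through `c->min_tls`, e.g. `/* Level 3: (EC)DHE or (EC)DHE-PSK key exchange, or any TLS 1.3 suite */`. The function continues outside both hunks.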

+ 28 - 1
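--- a/libs/openssl/test/asn1_internal_test.c
+++ b/libs/openssl/test/asn1_internal_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -107,9 +107,36 @@ static int test_standard_methods(void)
     return 0;
 }
 
+/**********************************************************************
+ *
+ * Regression test for issue where OBJ_nid2obj does not raise
+ * an error when a NID is not registered.
+ *
+ ***/
+static int test_nid2obj_nonexist(void)
+{
+    ASN1_OBJECT *obj;
+    unsigned long err;
+
+    obj = OBJ_nid2obj(INT_MAX);
+    if (!TEST_true(obj == NULL))
+        return 0;
+
+    err = ERR_get_error();
+
+    if (!TEST_int_eq(ERR_GET_FUNC(err), OBJ_F_OBJ_NID2OBJ))
+        return 0;
+
+    if (!TEST_int_eq(ERR_GET_REASON(err), OBJ_R_UNKNOWN_NID))
+        return 0;
+
+    return 1;
+}
+
 int setup_tests(void)
 {
     ADD_TEST(test_tbl_standard);
     ADD_TEST(test_standard_methods);
+    ADD_TEST(test_nid2obj_nonexist);
     return 1;
 }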
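Review bot: `test_nid2obj_nonexist` reads the error with `ERR_get_error()`, which returns the oldest entry in the queue, so an error left behind by an earlier test would be checked instead of the one `OBJ_nid2obj(INT_MAX)` raised. Calling `ERR_clear_error();` before `OBJ_nid2obj()`, or reading with `ERR_peek_last_error()`, makes the assertion independent of test order. `INT_MAX` also needs `<limits.h>`; the include list is outside the hunk, so confirm it is pulled in.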

+ 56 - 2
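--- a/libs/openssl/test/bntest.c
+++ b/libs/openssl/test/bntest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
             || !TEST_ptr(ret2 = BN_new()))
         goto err;
 
+    if (BN_is_negative(mod_sqrt)) {
+        /* A negative testcase */
+        if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+            goto err;
+
+        st = 1;
+        goto err;
+    }
+
     /* There are two possible answers. */
-    if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+    if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
             || !TEST_true(BN_sub(ret2, p, ret)))
         goto err;
 
@@ -2798,6 +2807,50 @@ static int test_mod_exp_consttime(int i)
     return res;
 }
 
+/*
+ * Regression test to ensure BN_mod_exp2_mont fails safely if argument m is
+ * zero.
+ */
+static int test_mod_exp2_mont(void)
+{
+    int res = 0;
+    BIGNUM *exp_result = NULL;
+    BIGNUM *exp_a1 = NULL, *exp_p1 = NULL, *exp_a2 = NULL, *exp_p2 = NULL,
+           *exp_m = NULL;
+
+    if (!TEST_ptr(exp_result = BN_new())
+            || !TEST_ptr(exp_a1 = BN_new())
+            || !TEST_ptr(exp_p1 = BN_new())
+            || !TEST_ptr(exp_a2 = BN_new())
+            || !TEST_ptr(exp_p2 = BN_new())
+            || !TEST_ptr(exp_m = BN_new()))
+        goto err;
+
+    if (!TEST_true(BN_one(exp_a1))
+            || !TEST_true(BN_one(exp_p1))
+            || !TEST_true(BN_one(exp_a2))
+            || !TEST_true(BN_one(exp_p2)))
+        goto err;
+
+    BN_zero(exp_m);
+
+    /* input of 0 is even, so must fail */
+    if (!TEST_int_eq(BN_mod_exp2_mont(exp_result, exp_a1, exp_p1, exp_a2,
+                exp_p2, exp_m, ctx, NULL), 0))
+        goto err;
+
+    res = 1;
+
+err:
+    BN_free(exp_result);
+    BN_free(exp_a1);
+    BN_free(exp_p1);
+    BN_free(exp_a2);
+    BN_free(exp_p2);
+    BN_free(exp_m);
+    return res;
+}
+
 static int file_test_run(STANZA *s)
 {
     static const FILETEST filetests[] = {
@@ -2906,6 +2959,7 @@ int setup_tests(void)
         ADD_TEST(test_gcd_prime);
         ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests));
         ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests));
+        ADD_TEST(test_mod_exp2_mont);
     } else {
         ADD_ALL_TESTS(run_file_tests, n);
     }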

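--- a/libs/openssl/test/build.info
+++ b/libs/openssl/test/build.info
@@ -519,7 +519,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
                              {- rebase_files("../apps",
                                   split(/\s+/, $target{apps_init_src})) -}
     INCLUDE[ec_internal_test]=../include ../crypto/ec
-    DEPEND[ec_internal_test]=../apps/libapps.a ../libcrypto.a libtestutil.a
+    DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a
 
     SOURCE[curve448_internal_test]=curve448_internal_test.c
     INCLUDE[curve448_internal_test]=.. ../include ../crypto/ec/curve448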

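--- a/libs/openssl/test/evp_extra_test.c
+++ b/libs/openssl/test/evp_extra_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1762,6 +1762,83 @@ static int test_EVP_PKEY_set1_DH(void)
 }
 #endif /* OPENSSL_NO_DH */
 
+typedef struct {
+        int data;
+} custom_dgst_ctx;
+
+static int custom_md_init_called = 0;
+static int custom_md_cleanup_called = 0;
+
+static int custom_md_init(EVP_MD_CTX *ctx)
+{
+    custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
+
+    if (p == NULL)
+        return 0;
+
+    custom_md_init_called++;
+    return 1;
+}
+
+static int custom_md_cleanup(EVP_MD_CTX *ctx)
+{
+    custom_dgst_ctx *p = EVP_MD_CTX_md_data(ctx);
+
+    if (p == NULL)
+        /* Nothing to do */
+        return 1;
+
+    custom_md_cleanup_called++;
+    return 1;
+}
+
+static int test_custom_md_meth(void)
+{
+    EVP_MD_CTX *mdctx = NULL;
+    EVP_MD *tmp = NULL;
+    char mess[] = "Test Message\n";
+    unsigned char md_value[EVP_MAX_MD_SIZE];
+    unsigned int md_len;
+    int testresult = 0;
+    int nid;
+
+    custom_md_init_called = custom_md_cleanup_called = 0;
+
+    nid = OBJ_create("1.3.6.1.4.1.16604.998866.1", "custom-md", "custom-md");
+    if (!TEST_int_ne(nid, NID_undef))
+        goto err;
+    tmp = EVP_MD_meth_new(nid, NID_undef);
+    if (!TEST_ptr(tmp))
+        goto err;
+
+    if (!TEST_true(EVP_MD_meth_set_init(tmp, custom_md_init))
+            || !TEST_true(EVP_MD_meth_set_cleanup(tmp, custom_md_cleanup))
+            || !TEST_true(EVP_MD_meth_set_app_datasize(tmp,
+                                                       sizeof(custom_dgst_ctx))))
+        goto err;
+
+    mdctx = EVP_MD_CTX_new();
+    if (!TEST_ptr(mdctx)
+               /*
+                * Initing our custom md and then initing another md should
+                * result in the init and cleanup functions of the custom md
+                * from being called.
+                */
+            || !TEST_true(EVP_DigestInit_ex(mdctx, tmp, NULL))
+            || !TEST_true(EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL))
+            || !TEST_true(EVP_DigestUpdate(mdctx, mess, strlen(mess)))
+            || !TEST_true(EVP_DigestFinal_ex(mdctx, md_value, &md_len))
+            || !TEST_int_eq(custom_md_init_called, 1)
+            || !TEST_int_eq(custom_md_cleanup_called, 1))
+        goto err;
+
+    testresult = 1;
+ err:
+    EVP_MD_CTX_free(mdctx);
+    EVP_MD_meth_free(tmp);
+    return testresult;
+}
+
 #if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
 /* Test we can create a signature keys with an associated ENGINE */
 static int test_signatures_with_engine(int tst)
@@ -1965,6 +2042,7 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests));
     ADD_ALL_TESTS(test_evp_updated_iv, OSSL_NELEM(evp_updated_iv_tests));
 
+    ADD_TEST(test_custom_md_meth);
 #if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
 # ifndef OPENSSL_NO_EC
     ADD_ALL_TESTS(test_signatures_with_engine, 3);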
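Review bot: The comment inside the `TEST_true` chain of `test_custom_md_meth` reads as if the callbacks must not run ("should result in the init and cleanup functions of the custom md from being called"), while the assertions below it require each to run exactly once; the last clause should read `of the custom md being called.` The two counters are also only checked after `EVP_DigestFinal_ex`, so a failure does not show which call skipped the cleanup; asserting `custom_md_cleanup_called == 1` directly after the second `EVP_DigestInit_ex` would pin the re-initialisation path. That matters beyond leak hygiene, because a method's cleanup callback is typically where per-context state is wiped.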

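--- a/libs/openssl/test/recipes/10-test_bn_data/bnmod.txt
+++ b/libs/openssl/test/recipes/10-test_bn_data/bnmod.txt
@@ -1,4 +1,4 @@
-# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
 ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
 A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
 P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f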
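Review bot: The `ModSqrt = -1` marker on the two new entries is a convention that only the test driver understands (a negative expected value makes it require a NULL return from `BN_mod_sqrt`), and the data file does not say so; a line such as `# ModSqrt = -1 means BN_mod_sqrt() must fail and return NULL` under the "Negative testcases" heading would document it. The second entry, unlike the first, has no comment saying why it must fail. Because the first entry loops forever on an unfixed implementation, a regression shows up as a hung test run rather than a failed assertion, so the harness needs a timeout for this case to be caught in CI.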

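--- a/libs/openssl/test/recipes/15-test_genrsa.t
+++ b/libs/openssl/test/recipes/15-test_genrsa.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -16,7 +16,7 @@ use OpenSSL::Test::Utils;
 
 setup("test_genrsa");
 
-plan tests => 5;
+plan tests => 7;
 
 # We want to know that an absurdly small number of bits isn't support
 is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");
@@ -52,3 +52,8 @@ ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])),
    "genrsa -f4 $good");
 ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
    "rsa -check");
+ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 'genrsatest-enc.pem',
+   '-aes256', '-passout', 'pass:x' ])),
+   "rsa encrypt");
+ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 'pass:x' ])),
+   "rsa decrypt");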
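Review bot: The new "rsa decrypt" step runs `openssl rsa -in genrsatest-enc.pem -passin pass:x` with neither `-out` nor `-noout`, so the decrypted private key is written to standard output and ends up in the test output. The key is a throwaway, but adding `'-noout'` to that argument list, as the existing "rsa -check" step does, keeps key material out of logs and still exercises the decryption. Neither hunk shows `genrsatest-enc.pem` being removed afterwards; if the recipe cleans up `genrsatest.pem` elsewhere, the new file belongs in the same place.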

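--- a/libs/openssl/test/recipes/20-test_dgst.t
+++ b/libs/openssl/test/recipes/20-test_dgst.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -11,7 +11,7 @@ use strict;
 use warnings;
 
 use File::Spec;
-use OpenSSL::Test qw/:DEFAULT with srctop_file bldtop_file/;
+use OpenSSL::Test qw/:DEFAULT with srctop_file bldtop_dir/;
 use OpenSSL::Test::Utils;
 
 setup("test_dgst");
@@ -113,8 +113,8 @@ SKIP: {
         my $testdata = srctop_file('test', 'data.bin');
         # intentionally using -engine twice, please do not remove the duplicate line
         my @macdata = run(app(['openssl', 'dgst', '-sha1',
-                               '-engine', $^O eq 'linux' ? bldtop_file("engines", "ossltest.so") : "ossltest",
-                               '-engine', $^O eq 'linux' ? bldtop_file("engines", "ossltest.so") : "ossltest",
+                               '-engine', "ossltest",
+                               '-engine', "ossltest",
                                $testdata]), capture => 1);
         chomp(@macdata);
         my $expected = qr/SHA1\(\Q$testdata\E\)= 000102030405060708090a0b0c0d0e0f10111213/;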
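Review bot: With `'-engine', "ossltest"` the engine is now looked up by name instead of by an explicit path in the build tree, so which `ossltest` gets loaded depends on the engine search directory in effect when the recipe runs. `bldtop_dir` is newly imported, but its use falls outside the hunks shown. If it is used to point `OPENSSL_ENGINES` at the build tree, a comment next to the two `-engine` lines such as `# resolved via OPENSSL_ENGINES, which is set to the build tree` would make it clear that an installed engine of the same name cannot be picked up instead.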

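--- a/libs/openssl/test/recipes/30-test_evp_data/evpkdf.txt
+++ b/libs/openssl/test/recipes/30-test_evp_data/evpkdf.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -294,12 +294,12 @@ Ctrl.r = r:8
 Ctrl.p = p:1
 Output = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887
 
-# Out of memory
+# Out of memory - request > 2 GB of memory
 KDF = scrypt
 Ctrl.pass = pass:pleaseletmein
 Ctrl.salt = salt:SodiumChloride
-Ctrl.N = N:1048576
+Ctrl.N = N:2097152
 Ctrl.r = r:8
 Ctrl.p = p:1
-Result = KDF_MISMATCH
+Result = KDF_DERIVE_ERROR
 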

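--- a/libs/openssl/test/recipes/70-test_verify_extra.t
+++ b/libs/openssl/test/recipes/70-test_verify_extra.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -7,14 +7,11 @@
 # https://www.openssl.org/source/license.html
 
 
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir/;
 
 setup("test_verify_extra");
 
 plan tests => 1;
 
 ok(run(test(["verify_extra_test",
-             srctop_file("test", "certs", "roots.pem"),
-             srctop_file("test", "certs", "untrusted.pem"),
-             srctop_file("test", "certs", "bad.pem"),
-             srctop_file("test", "certs", "rootCA.pem")])));
+             srctop_dir("test", "certs")])));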

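--- a/libs/openssl/test/recipes/80-test_ssl_old.t
+++ b/libs/openssl/test/recipes/80-test_ssl_old.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -476,7 +476,7 @@ sub testssl {
     subtest 'RSA/(EC)DHE/PSK tests' => sub {
 	######################################################################
 
-	plan tests => 6;
+	plan tests => 10;
 
       SKIP: {
 	  skip "TLSv1.0 is not supported by this OpenSSL build", 6
@@ -524,6 +524,43 @@ sub testssl {
 	  }
 	}
 
+      SKIP: {
+            skip "TLSv1.1 is not supported by this OpenSSL build", 4
+                if $no_tls1_1;
+
+        SKIP: {
+            skip "skipping auto DHE PSK test at SECLEVEL 3", 1
+                if ($no_dh || $no_psk);
+
+            ok(run(test(['ssltest_old', '-tls1_1', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])),
+               'test auto DHE PSK meets security strength');
+          }
+
+        SKIP: {
+            skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1
+                if ($no_ec || $no_psk);
+
+            ok(run(test(['ssltest_old', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])),
+               'test auto ECDHE PSK meets security strength');
+          }
+
+        SKIP: {
+            skip "skipping no RSA PSK at SECLEVEL 3 test", 1
+                if ($no_rsa || $no_psk);
+
+            ok(!run(test(['ssltest_old', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])),
+               'test auto RSA PSK does not meet security level 3 requirements (PFS)');
+          }
+
+        SKIP: {
+            skip "skipping no PSK at SECLEVEL 3 test", 1
+                if ($no_psk);
+
+            ok(!run(test(['ssltest_old', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])),
+               'test auto PSK does not meet security level 3 requirements (PFS)');
+          }
+	}
+
     };
 
     subtest 'Custom Extension tests' => sub {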
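Review bot: The two negative checks, `ok(!run(test([...])))` for `RSA-PSK-AES256-CBC-SHA384` and `PSK-AES256-CBC-SHA384`, pass whenever `ssltest_old` exits non-zero, so they would also pass if the run failed for an unrelated reason such as an unrecognised option or a cipher missing from the build. On their own they do not show that the security-level check is what rejected the suite; matching the expected handshake error in captured output, or at least a comment stating that limitation, would make the intent verifiable. As a smaller point, the new outer `SKIP:` block opens with space indentation and closes with a tab-indented `}`, which makes the nesting hard to follow.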

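--- a/libs/openssl/test/ssltest_old.c
+++ b/libs/openssl/test/ssltest_old.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -96,6 +96,7 @@ static DH *get_dh512(void);
 static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
 static DH *get_dh2048(void);
+static DH *get_dh4096(void);
 #endif
 
 static char *psk_key = NULL;    /* by default PSK is not used */
@@ -643,7 +644,9 @@ static void sv_usage(void)
     fprintf(stderr,
             " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
     fprintf(stderr,
-            " -dhe2048      - use 2048 bit key (rfc3526 pime) for DHE\n");
+            " -dhe2048      - use 2048 bit key (rfc3526 prime) for DHE\n");
+    fprintf(stderr,
+            " -dhe4096      - use 4096 bit key (rfc3526 prime) for DHE\n");
     fprintf(stderr, " -no_dhe       - disable DHE\n");
 #endif
 #ifndef OPENSSL_NO_EC
@@ -658,6 +661,12 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_TLS1
     fprintf(stderr, " -tls1         - use TLSv1\n");
 #endif
+#ifndef OPENSSL_NO_TLS1_1
+    fprintf(stderr, " -tls1_1       - use TLSv1.1\n");
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+    fprintf(stderr, " -tls1_2       - use TLSv1.2\n");
+#endif
 #ifndef OPENSSL_NO_DTLS
     fprintf(stderr, " -dtls         - use DTLS\n");
 #ifndef OPENSSL_NO_DTLS1
@@ -883,7 +892,7 @@ int main(int argc, char *argv[])
     int badop = 0;
     enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
     int force = 0;
-    int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0;
+    int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_1 = 0, tls1_2 = 0, ssl3 = 0;
     int ret = EXIT_FAILURE;
     int client_auth = 0;
     int server_auth = 0, i;
@@ -900,7 +909,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
     DH *dh;
     int dhe512 = 0, dhe1024dsa = 0;
-    int dhe2048 = 0;
+    int dhe2048 = 0, dhe4096 = 0;
 #endif
     int no_dhe = 0;
     int no_psk = 0;
@@ -995,6 +1004,13 @@ int main(int argc, char *argv[])
 #else
             fprintf(stderr,
                     "ignoring -dhe512, since I'm compiled without DH\n");
+#endif
+        } else if (strcmp(*argv, "-dhe4096") == 0) {
+#ifndef OPENSSL_NO_DH
+            dhe4096 = 1;
+#else
+            fprintf(stderr,
+                    "ignoring -dhe4096, since I'm compiled without DH\n");
 #endif
         } else if (strcmp(*argv, "-dhe2048") == 0) {
 #ifndef OPENSSL_NO_DH
@@ -1029,6 +1045,8 @@ int main(int argc, char *argv[])
         }
         else if (strcmp(*argv, "-tls1_2") == 0) {
             tls1_2 = 1;
+        } else if (strcmp(*argv, "-tls1_1") == 0) {
+            tls1_1 = 1;
         } else if (strcmp(*argv, "-tls1") == 0) {
             tls1 = 1;
         } else if (strcmp(*argv, "-ssl3") == 0) {
@@ -1239,8 +1257,8 @@ int main(int argc, char *argv[])
         goto end;
     }
 
-    if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
-        fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
+    if (ssl3 + tls1 + tls1_1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
+        fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
                 "be requested.\n");
         EXIT(1);
     }
@@ -1255,6 +1273,11 @@ int main(int argc, char *argv[])
         no_protocol = 1;
     else
 #endif
+#ifdef OPENSSL_NO_TLS1_1
+    if (tls1_1)
+        no_protocol = 1;
+    else
+#endif
 #ifdef OPENSSL_NO_TLS1_2
     if (tls1_2)
         no_protocol = 1;
@@ -1284,11 +1307,11 @@ int main(int argc, char *argv[])
         goto end;
     }
 
-    if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
+    if (!ssl3 && !tls1 && !tls1_1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
             && !reuse && !force) {
         fprintf(stderr, "This case cannot work.  Use -f to perform "
                 "the test anyway (and\n-d to see what happens), "
-                "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
+                "or add one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
                 "to avoid protocol mismatch.\n");
         EXIT(1);
     }
@@ -1340,6 +1363,9 @@ int main(int argc, char *argv[])
     } else if (tls1) {
         min_version = TLS1_VERSION;
         max_version = TLS1_VERSION;
+    } else if (tls1_1) {
+        min_version = TLS1_1_VERSION;
+        max_version = TLS1_1_VERSION;
     } else if (tls1_2) {
         min_version = TLS1_2_VERSION;
         max_version = TLS1_2_VERSION;
@@ -1497,6 +1523,8 @@ int main(int argc, char *argv[])
             dh = get_dh512();
         else if (dhe2048)
             dh = get_dh2048();
+        else if (dhe4096)
+            dh = get_dh4096();
         else
             dh = get_dh1024();
         SSL_CTX_set_tmp_dh(s_ctx, dh);
@@ -3062,6 +3090,34 @@ static DH *get_dh2048(void)
     BN_free(g);
     return NULL;
 }
+
+static DH *get_dh4096(void)
+{
+    BIGNUM *p = NULL, *g = NULL;
+    DH *dh = NULL;
+
+    if ((dh = DH_new()) == NULL)
+        return NULL;
+
+    g = BN_new();
+    if (g == NULL || !BN_set_word(g, 2))
+        goto err;
+
+    p = BN_get_rfc3526_prime_4096(NULL);
+    if (p == NULL)
+        goto err;
+
+    if (!DH_set0_pqg(dh, p, NULL, g))
+        goto err;
+
+    return dh;
+
+ err:
+    DH_free(dh);
+    BN_free(p);
+    BN_free(g);
+    return NULL;
+}
 #endif
 
 #ifndef OPENSSL_NO_PSK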
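Review bot: `-dhe4096` is added near the end of the `else if` chain that picks the DH group in `main`, after `dhe2048`, so when it is combined with `-dhe512` or `-dhe2048` the smaller group is used without any message. The protocol flags are guarded by `ssl3 + tls1 + tls1_1 + tls1_2 + ... > 1`, and the DH size flags could get the same treatment inside the `#ifndef OPENSSL_NO_DH` guard, e.g. `if (dhe512 + dhe1024dsa + dhe2048 + dhe4096 > 1) { fprintf(stderr, "At most one -dhe* size should be requested.\n"); EXIT(1); }`. For a test that asserts a key-exchange strength, silently running with a weaker group than requested gives a misleading result. `main` extends well beyond the hunks shown, including the start of that `else if` chain.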

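--- a/libs/openssl/test/verify_extra_test.c
+++ b/libs/openssl/test/verify_extra_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -11,14 +11,19 @@
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include "testutil.h"
 
-static const char *roots_f;
-static const char *untrusted_f;
-static const char *bad_f;
-static const char *good_f;
+static const char *certs_dir;
+static char *roots_f = NULL;
+static char *untrusted_f = NULL;
+static char *bad_f = NULL;
+static char *good_f = NULL;
+static char *sroot_cert = NULL;
+static char *ca_cert = NULL;
+static char *ee_cert = NULL;
 
 static X509 *load_cert_pem(const char *file)
 {
@@ -231,19 +236,110 @@ static int test_self_signed_bad(void)
     return test_self_signed(bad_f, 0);
 }
 
+static int do_test_purpose(int purpose, int expected)
+{
+    X509 *eecert = load_cert_pem(ee_cert); /* may result in NULL */
+    X509 *untrcert = load_cert_pem(ca_cert);
+    X509 *trcert = load_cert_pem(sroot_cert);
+    STACK_OF(X509) *trusted = sk_X509_new_null();
+    STACK_OF(X509) *untrusted = sk_X509_new_null();
+    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+    int testresult = 0;
+
+    if (!TEST_ptr(eecert)
+            || !TEST_ptr(untrcert)
+            || !TEST_ptr(trcert)
+            || !TEST_ptr(trusted)
+            || !TEST_ptr(untrusted)
+            || !TEST_ptr(ctx))
+        goto err;
+
+
+    if (!TEST_true(sk_X509_push(trusted, trcert)))
+        goto err;
+    trcert = NULL;
+    if (!TEST_true(sk_X509_push(untrusted, untrcert)))
+        goto err;
+    untrcert = NULL;
+
+    if (!TEST_true(X509_STORE_CTX_init(ctx, NULL, eecert, untrusted)))
+        goto err;
+
+    if (!TEST_true(X509_STORE_CTX_set_purpose(ctx, purpose)))
+        goto err;
+
+    /*
+     * X509_STORE_CTX_set0_trusted_stack() is bady named. Despite the set0 name
+     * we are still responsible for freeing trusted after we have finished with
+     * it.
+     */
+    X509_STORE_CTX_set0_trusted_stack(ctx, trusted);
+
+    if (!TEST_int_eq(X509_verify_cert(ctx), expected))
+        goto err;
+
+    testresult = 1;
+ err:
+    sk_X509_pop_free(trusted, X509_free);
+    sk_X509_pop_free(untrusted, X509_free);
+    X509_STORE_CTX_free(ctx);
+    X509_free(eecert);
+    X509_free(untrcert);
+    X509_free(trcert);
+    return testresult;
+}
+
+static int test_purpose_ssl_client(void)
+{
+    return do_test_purpose(X509_PURPOSE_SSL_CLIENT, 0);
+}
+
+static int test_purpose_ssl_server(void)
+{
+    return do_test_purpose(X509_PURPOSE_SSL_SERVER, 1);
+}
+
+static int test_purpose_any(void)
+{
+    return do_test_purpose(X509_PURPOSE_ANY, 1);
+}
+
 int setup_tests(void)
 {
-    if (!TEST_ptr(roots_f = test_get_argument(0))
-            || !TEST_ptr(untrusted_f = test_get_argument(1))
-            || !TEST_ptr(bad_f = test_get_argument(2))
-            || !TEST_ptr(good_f = test_get_argument(3))) {
-        TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n");
+    if (!TEST_ptr(certs_dir = test_get_argument(0))) {
+        TEST_error("usage: verify_extra_test certs-dir\n");
         return 0;
     }
 
+    if (!TEST_ptr(roots_f = test_mk_file_path(certs_dir, "roots.pem"))
+            || !TEST_ptr(untrusted_f = test_mk_file_path(certs_dir, "untrusted.pem"))
+            || !TEST_ptr(bad_f = test_mk_file_path(certs_dir, "bad.pem"))
+            || !TEST_ptr(good_f = test_mk_file_path(certs_dir, "rootCA.pem"))
+            || !TEST_ptr(sroot_cert = test_mk_file_path(certs_dir, "sroot-cert.pem"))
+            || !TEST_ptr(ca_cert = test_mk_file_path(certs_dir, "ca-cert.pem"))
+            || !TEST_ptr(ee_cert = test_mk_file_path(certs_dir, "ee-cert.pem")))
+        goto err;
+
     ADD_TEST(test_alt_chains_cert_forgery);
     ADD_TEST(test_store_ctx);
     ADD_TEST(test_self_signed_good);
     ADD_TEST(test_self_signed_bad);
+    ADD_TEST(test_purpose_ssl_client);
+    ADD_TEST(test_purpose_ssl_server);
+    ADD_TEST(test_purpose_any);
     return 1;
+ err:
+    cleanup_tests();
+    return 0;
+}
+
+void cleanup_tests(void)
+{
+    OPENSSL_free(roots_f);
+    OPENSSL_free(untrusted_f);
+    OPENSSL_free(bad_f);
+    OPENSSL_free(good_f);
+    OPENSSL_free(sroot_cert);
+    OPENSSL_free(ca_cert);
+    OPENSSL_free(ee_cert);
 }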
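Review bot: The new `err:` path in `setup_tests` calls `cleanup_tests()`, which frees the seven static path strings but leaves the pointers set. If the test harness also calls `cleanup_tests()` after a failed `setup_tests()` (the harness is not part of this page), every string is freed twice; resetting each pointer, `OPENSSL_free(roots_f); roots_f = NULL;` and likewise for the other six, makes the function safe to call repeatedly. Separately, `do_test_purpose` accepts any failure of `X509_verify_cert` in the SSL client case; also checking `X509_STORE_CTX_get_error(ctx)` against the expected purpose error would pin the reason for the rejection. The comment above `X509_STORE_CTX_set0_trusted_stack` has a typo, "bady" for "badly".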