Merge branch 'master' into dev

Source commit: 0474c02ee9094ce6098e2bdd415a887f0991da1f

libs/openssl/crypto/asn1/a_print.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -18,12 +18,13 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
     int ia5 = 0;
     int t61 = 0;
 
-    if (len <= 0)
-        len = -1;
     if (s == NULL)
         return V_ASN1_PRINTABLESTRING;
 
-    while ((*s) && (len-- != 0)) {
+    if (len < 0)
+        len = strlen((const char *)s);
+
+    while (len-- > 0) {
         c = *(s++);
         if (!ossl_isasn1print(c))
             ia5 = 1;

libs/openssl/crypto/asn1/asn1_lib.c

@@ -294,7 +294,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
         c = str->data;
 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         /* No NUL terminator in fuzzing builds */
-        str->data = OPENSSL_realloc(c, len);
+        str->data = OPENSSL_realloc(c, len != 0 ? len : 1);
 #else
         str->data = OPENSSL_realloc(c, len + 1);
 #endif
@@ -307,7 +307,11 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
     str->length = len;
     if (data != NULL) {
         memcpy(str->data, data, len);
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+        /* Set the unused byte to something non NUL and printable. */
+        if (len == 0)
+            str->data[len] = '~';
+#else
         /*
          * Add a NUL terminator. This should not be necessary - but we add it as
          * a safety precaution
@@ -375,7 +379,8 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
 
     i = (a->length - b->length);
     if (i == 0) {
-        i = memcmp(a->data, b->data, a->length);
+        if (a->length != 0)
+            i = memcmp(a->data, b->data, a->length);
         if (i == 0)
             return a->type - b->type;
         else

libs/openssl/crypto/bio/bss_mem.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -280,7 +280,7 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
         ret = (long)bm->length;
         if (ptr != NULL) {
             pptr = (char **)ptr;
-            *pptr = (char *)&(bm->data[0]);
+            *pptr = (char *)bm->data;
         }
         break;
     case BIO_C_SET_BUF_MEM:

libs/openssl/crypto/cms/cms_env.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -737,6 +737,7 @@ static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms,
         goto err;
     }
 
+    OPENSSL_clear_free(ec->key, ec->keylen);
     ec->key = ukey;
     ec->keylen = ukeylen;
 

libs/openssl/crypto/dh/dh_ameth.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -629,16 +629,18 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
         goto err;
 
     pk = EVP_PKEY_CTX_get0_pkey(pctx);
-    if (!pk)
-        goto err;
-    if (pk->type != EVP_PKEY_DHX)
+    if (pk == NULL || pk->type != EVP_PKEY_DHX)
         goto err;
+
     /* Get parameters from parent key */
     dhpeer = DHparams_dup(pk->pkey.dh);
+    if (dhpeer == NULL)
+        goto err;
+
     /* We have parameters now set public key */
     plen = ASN1_STRING_length(pubkey);
     p = ASN1_STRING_get0_data(pubkey);
-    if (!p || !plen)
+    if (p == NULL || plen == 0)
         goto err;
 
     if ((public_key = d2i_ASN1_INTEGER(NULL, &p, plen)) == NULL) {
@@ -655,6 +657,7 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
     pkpeer = EVP_PKEY_new();
     if (pkpeer == NULL)
         goto err;
+
     EVP_PKEY_assign(pkpeer, pk->ameth->pkey_id, dhpeer);
     dhpeer = NULL;
     if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)

libs/openssl/crypto/ec/curve448/field.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2014 Cryptography Research, Inc.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -62,7 +62,7 @@ mask_t gf_eq(const gf x, const gf y);
 mask_t gf_lobit(const gf x);
 mask_t gf_hibit(const gf x);
 
-void gf_serialize(uint8_t *serial, const gf x, int with_highbit);
+void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit);
 mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit,
                       uint8_t hi_nmask);
 

libs/openssl/crypto/ec/ec_asn1.c

@@ -548,7 +548,7 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group,
             ECPARAMETERS_free(ret->value.parameters);
     }
 
-    if (EC_GROUP_get_asn1_flag(group)) {
+    if (EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE) {
         /*
          * use the asn1 OID to describe the elliptic curve parameters
          */

libs/openssl/crypto/ec/ec_curve.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -12,6 +12,7 @@
 #include "ec_local.h"
 #include <openssl/err.h>
 #include <openssl/obj_mac.h>
+#include <openssl/objects.h>
 #include <openssl/opensslconf.h>
 #include "internal/nelem.h"
 
@@ -3097,6 +3098,32 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
             goto err;
         }
     }
+
+    if (EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE) {
+        /*
+         * Some curves don't have an associated OID: for those we should not
+         * default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and
+         * instead set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`.
+         *
+         * Note that `OPENSSL_EC_NAMED_CURVE` is set as the default ASN1 flag on
+         * `EC_GROUP_new()`, when we don't have enough elements to determine if
+         * an OID for the curve name actually exists.
+         * We could implement this check on `EC_GROUP_set_curve_name()` but
+         * overloading the simple setter with this lookup could have a negative
+         * performance impact and unexpected consequences.
+         */
+        ASN1_OBJECT *asn1obj = OBJ_nid2obj(curve.nid);
+
+        if (asn1obj == NULL) {
+            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_OBJ_LIB);
+            goto err;
+        }
+        if (OBJ_length(asn1obj) == 0)
+            EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
+
+        ASN1_OBJECT_free(asn1obj);
+    }
+
     ok = 1;
  err:
     if (!ok) {

libs/openssl/crypto/err/err.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -129,6 +129,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
     {ERR_R_INTERNAL_ERROR, "internal error"},
     {ERR_R_DISABLED, "called a function that was disabled at compile-time"},
     {ERR_R_INIT_FAIL, "init fail"},
+    {ERR_R_PASSED_INVALID_ARGUMENT, "passed invalid argument"},
     {ERR_R_OPERATION_FAIL, "operation fail"},
 
     {0, NULL},

libs/openssl/crypto/evp/evp_enc.c

@@ -85,7 +85,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
          * previous check attempted to avoid this if the same ENGINE and
          * EVP_CIPHER could be used).
          */
-        if (ctx->cipher) {
+        if (ctx->cipher
+#ifndef OPENSSL_NO_ENGINE
+                || ctx->engine
+#endif
+                || ctx->cipher_data) {
             unsigned long flags = ctx->flags;
             EVP_CIPHER_CTX_reset(ctx);
             /* Restore encrypt and flags */
@@ -105,11 +109,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
             /* There's an ENGINE for this job ... (apparently) */
             const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
             if (!c) {
-                /*
-                 * One positive side-effect of US's export control history,
-                 * is that we should at least be able to avoid using US
-                 * misspellings of "initialisation"?
-                 */
+                ENGINE_finish(impl);
                 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
                 return 0;
             }

libs/openssl/crypto/evp/p_lib.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -212,10 +212,15 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
     }
     if (pkey) {
         pkey->ameth = ameth;
-        pkey->engine = e;
-
         pkey->type = pkey->ameth->pkey_id;
         pkey->save_type = type;
+# ifndef OPENSSL_NO_ENGINE
+        if (eptr == NULL && e != NULL && !ENGINE_init(e)) {
+            EVPerr(EVP_F_PKEY_SET_TYPE, EVP_R_INITIALIZATION_ERROR);
+            return 0;
+        }
+# endif
+        pkey->engine = e;
     }
     return 1;
 }
@@ -520,7 +525,7 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
 
 EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
 {
-    if (pkey->type != EVP_PKEY_EC) {
+    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
         EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
         return NULL;
     }

libs/openssl/crypto/objects/o_names.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -67,8 +67,14 @@ static CRYPTO_ONCE init = CRYPTO_ONCE_STATIC_INIT;
 DEFINE_RUN_ONCE_STATIC(o_names_init)
 {
     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
-    names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+    names_lh = NULL;
     obj_lock = CRYPTO_THREAD_lock_new();
+    if (obj_lock != NULL)
+        names_lh = lh_OBJ_NAME_new(obj_name_hash, obj_name_cmp);
+    if (names_lh == NULL) {
+        CRYPTO_THREAD_lock_free(obj_lock);
+        obj_lock = NULL;
+    }
     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
     return names_lh != NULL && obj_lock != NULL;
 }
@@ -217,10 +223,8 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
     type &= ~OBJ_NAME_ALIAS;
 
     onp = OPENSSL_malloc(sizeof(*onp));
-    if (onp == NULL) {
-        /* ERROR */
-        goto unlock;
-    }
+    if (onp == NULL)
+        return 0;
 
     onp->name = name;
     onp->alias = alias;

libs/openssl/crypto/pem/pem_lib.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -899,18 +899,13 @@ err:
 int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
                     unsigned char **data, long *len_out, unsigned int flags)
 {
-    EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
+    EVP_ENCODE_CTX *ctx = NULL;
     const BIO_METHOD *bmeth;
     BIO *headerB = NULL, *dataB = NULL;
     char *name = NULL;
     int len, taillen, headerlen, ret = 0;
     BUF_MEM * buf_mem;
 
-    if (ctx == NULL) {
-        PEMerr(PEM_F_PEM_READ_BIO_EX, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
     *len_out = 0;
     *name_out = *header = NULL;
     *data = NULL;
@@ -933,9 +928,20 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
     if (!get_header_and_data(bp, &headerB, &dataB, name, flags))
         goto end;
 
-    EVP_DecodeInit(ctx);
     BIO_get_mem_ptr(dataB, &buf_mem);
     len = buf_mem->length;
+
+    /* There was no data in the PEM file */
+    if (len == 0)
+        goto end;
+
+    ctx = EVP_ENCODE_CTX_new();
+    if (ctx == NULL) {
+        PEMerr(PEM_F_PEM_READ_BIO_EX, ERR_R_MALLOC_FAILURE);
+        goto end;
+    }
+
+    EVP_DecodeInit(ctx);
     if (EVP_DecodeUpdate(ctx, (unsigned char*)buf_mem->data, &len,
                          (unsigned char*)buf_mem->data, len) < 0
             || EVP_DecodeFinal(ctx, (unsigned char*)&(buf_mem->data[len]),
@@ -946,9 +952,6 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
     len += taillen;
     buf_mem->length = len;
 
-    /* There was no data in the PEM file; avoid malloc(0). */
-    if (len == 0)
-        goto end;
     headerlen = BIO_get_mem_data(headerB, NULL);
     *header = pem_malloc(headerlen + 1, flags);
     *data = pem_malloc(len, flags);

libs/openssl/crypto/uid.c

@@ -17,7 +17,7 @@ int OPENSSL_issetugid(void)
     return 0;
 }
 
-#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__)
+#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__))
 
 # include OPENSSL_UNISTD
 

libs/openssl/crypto/x509/x509_vfy.c

@@ -2924,6 +2924,26 @@ static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
     return ok;
 }
 
+static int augment_stack(STACK_OF(X509) *src, STACK_OF(X509) **dstPtr)
+{
+    if (src) {
+        STACK_OF(X509) *dst;
+        int i;
+
+        if (*dstPtr == NULL)
+            return ((*dstPtr = sk_X509_dup(src)) != NULL);
+
+        for (dst = *dstPtr, i = 0; i < sk_X509_num(src); ++i) {
+            if (!sk_X509_push(dst, sk_X509_value(src, i))) {
+                sk_X509_free(dst);
+                *dstPtr = NULL;
+                return 0;
+            }
+        }
+    }
+    return 1;
+}
+
 static int build_chain(X509_STORE_CTX *ctx)
 {
     SSL_DANE *dane = ctx->dane;
@@ -2967,18 +2987,7 @@ static int build_chain(X509_STORE_CTX *ctx)
     }
 
     /*
-     * Shallow-copy the stack of untrusted certificates (with TLS, this is
-     * typically the content of the peer's certificate message) so can make
-     * multiple passes over it, while free to remove elements as we go.
-     */
-    if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
-        X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-        ctx->error = X509_V_ERR_OUT_OF_MEM;
-        return 0;
-    }
-
-    /*
-     * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add
+     * If we got any "Cert(0) Full(0)" issuer certificates from DNS, *prepend*
      * them to our working copy of the untrusted certificate stack.  Since the
      * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
      * no corresponding stack of untrusted certificates, we may need to create
@@ -2987,20 +2996,21 @@ static int build_chain(X509_STORE_CTX *ctx)
      * containing at least the leaf certificate, but we must be prepared for
      * this to change. ]
      */
-    if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
-        if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) {
-            X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-            ctx->error = X509_V_ERR_OUT_OF_MEM;
-            return 0;
-        }
-        for (i = 0; i < sk_X509_num(dane->certs); ++i) {
-            if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) {
-                sk_X509_free(sktmp);
-                X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
-                ctx->error = X509_V_ERR_OUT_OF_MEM;
-                return 0;
-            }
-        }
+    if (DANETLS_ENABLED(dane) && !augment_stack(dane->certs, &sktmp)) {
+        X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+        ctx->error = X509_V_ERR_OUT_OF_MEM;
+        return 0;
+    }
+
+    /*
+     * Shallow-copy the stack of untrusted certificates (with TLS, this is
+     * typically the content of the peer's certificate message) so can make
+     * multiple passes over it, while free to remove elements as we go.
+     */
+    if (!augment_stack(ctx->untrusted, &sktmp)) {
+        X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
+        ctx->error = X509_V_ERR_OUT_OF_MEM;
+        return 0;
     }
 
     /*

libs/openssl/crypto/x509/x_name.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -217,8 +217,8 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,
         if (ret < 0)
             return ret;
         ret = x509_name_canon(a);
-        if (ret < 0)
-            return ret;
+        if (!ret)
+            return -1;
     }
     ret = a->bytes->length;
     if (out != NULL) {

libs/openssl/crypto/x509v3/v3_ncons.c

@@ -602,6 +602,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
         if (baseat != baseptr) {
             if ((baseat - baseptr) != (emlat - emlptr))
                 return X509_V_ERR_PERMITTED_VIOLATION;
+            if (memchr(baseptr, 0, baseat - baseptr) ||
+                memchr(emlptr, 0, emlat - emlptr))
+                return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
             /* Case sensitive match of local part */
             if (strncmp(baseptr, emlptr, emlat - emlptr))
                 return X509_V_ERR_PERMITTED_VIOLATION;

libs/openssl/include/crypto/rand.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -20,6 +20,16 @@
 
 # include <openssl/rand.h>
 
+# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
+#  include <Availability.h>
+#  if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \
+     (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000)
+#   define OPENSSL_APPLE_CRYPTO_RANDOM 1
+#   include <CommonCrypto/CommonCryptoError.h>
+#   include <CommonCrypto/CommonRandom.h>
+#  endif
+# endif
+
 /* forward declaration */
 typedef struct rand_pool_st RAND_POOL;
 

libs/openssl/include/openssl/ec.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -793,12 +793,15 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
 EC_GROUP *d2i_ECPKParameters(EC_GROUP **, const unsigned char **in, long len);
 int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out);
 
-# define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x)
-# define i2d_ECPKParameters_bio(bp,x) ASN1_i2d_bio_of_const(EC_GROUP,i2d_ECPKParameters,bp,x)
-# define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \
-                (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x))
-# define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \
-                (unsigned char *)(x))
+# define d2i_ECPKParameters_bio(bp,x) \
+    ASN1_d2i_bio_of(EC_GROUP, NULL, d2i_ECPKParameters, bp, x)
+# define i2d_ECPKParameters_bio(bp,x) \
+    ASN1_i2d_bio_of_const(EC_GROUP, i2d_ECPKParameters, bp, x)
+# define d2i_ECPKParameters_fp(fp,x) \
+    (EC_GROUP *)ASN1_d2i_fp(NULL, (d2i_of_void *)d2i_ECPKParameters, (fp), \
+                            (void **)(x))
+# define i2d_ECPKParameters_fp(fp,x) \
+    ASN1_i2d_fp((i2d_of_void *)i2d_ECPKParameters, (fp), (void *)(x))
 
 int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
 # ifndef OPENSSL_NO_STDIO

libs/openssl/include/openssl/opensslv.h

@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010cfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  24 Aug 2021"
+# define OPENSSL_VERSION_NUMBER  0x101010dfL
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1m  14 Dec 2021"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)

libs/openssl/ssl/bio_ssl.c

@@ -76,13 +76,12 @@ static int ssl_free(BIO *a)
     if (a == NULL)
         return 0;
     bs = BIO_get_data(a);
-    if (bs->ssl != NULL)
-        SSL_shutdown(bs->ssl);
     if (BIO_get_shutdown(a)) {
+        if (bs->ssl != NULL)
+            SSL_shutdown(bs->ssl);
         if (BIO_get_init(a))
             SSL_free(bs->ssl);
-        /* Clear all flags */
-        BIO_clear_flags(a, ~0);
+        BIO_clear_flags(a, ~0); /* Clear all flags */
         BIO_set_init(a, 0);
     }
     OPENSSL_free(bs);

libs/openssl/ssl/record/ssl3_record.c

@@ -1039,7 +1039,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending)
 
                 if (SSL_IS_DTLS(s)) {
                     /* DTLS does not support pipelining */
-                    unsigned char dtlsseq[9], *p = dtlsseq;
+                    unsigned char dtlsseq[8], *p = dtlsseq;
 
                     s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer) :
                         DTLS_RECORD_LAYER_get_r_epoch(&s->rlayer), p);

libs/openssl/ssl/s3_cbc.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -128,7 +128,7 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
                            unsigned char *md_out,
                            size_t *md_out_size,
-                           const unsigned char header[13],
+                           const unsigned char *header,
                            const unsigned char *data,
                            size_t data_plus_mac_size,
                            size_t data_plus_mac_plus_padding_size,

libs/openssl/ssl/ssl_asn1.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -225,7 +225,7 @@ static int ssl_session_strndup(char **pdst, ASN1_OCTET_STRING *src)
 static int ssl_session_memcpy(unsigned char *dst, size_t *pdstlen,
                               ASN1_OCTET_STRING *src, size_t maxlen)
 {
-    if (src == NULL) {
+    if (src == NULL || src->length == 0) {
         *pdstlen = 0;
         return 1;
     }

libs/openssl/ssl/ssl_ciph.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1601,6 +1601,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
         if (!sk_SSL_CIPHER_push(cipherstack,
                                 sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
+            OPENSSL_free(co_list);
             sk_SSL_CIPHER_free(cipherstack);
             return NULL;
         }

libs/openssl/ssl/ssl_lib.c

@@ -1684,6 +1684,8 @@ static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
         if (s->waitctx == NULL)
             return -1;
     }
+
+    s->rwstate = SSL_NOTHING;
     switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args,
                             sizeof(struct ssl_async_args))) {
     case ASYNC_ERR:

libs/openssl/ssl/ssl_local.h

@@ -2622,7 +2622,7 @@ __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
 __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
                                   unsigned char *md_out,
                                   size_t *md_out_size,
-                                  const unsigned char header[13],
+                                  const unsigned char *header,
                                   const unsigned char *data,
                                   size_t data_plus_mac_size,
                                   size_t data_plus_mac_plus_padding_size,

libs/openssl/ssl/statem/README

@@ -55,7 +55,7 @@ Conceptually the state machine component is designed as follows:
                |       |                   |      |
    ____________V_______V________   ________V______V_______________
   |                             | |                               |
-  | statem_both.c               | | statem_dtls.c                 |
+  | statem_lib.c                | | statem_dtls.c                 |
   |                             | |                               |
   | Non core functions common   | | Non core functions common to  |
   | to both servers and clients | | both DTLS servers and clients |

libs/openssl/ssl/statem/extensions_clnt.c

@@ -1741,7 +1741,9 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     /* Ignore if inappropriate ciphersuite */
     if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
             && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
-            && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
+            && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
+            && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
+            && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12)
         s->ext.use_etm = 1;
 
     return 1;
@@ -1872,6 +1874,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                  ERR_R_MALLOC_FAILURE);
+        EVP_PKEY_free(skey);
         return 0;
     }
     if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),

libs/openssl/ssl/statem/extensions_cust.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -146,11 +146,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
     }
 
     /*
-     * Extensions received in the ClientHello are marked with the
-     * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
-     * extensions in the ServerHello/EncryptedExtensions message
+     * Extensions received in the ClientHello or CertificateRequest are marked
+     * with the SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
+     * extensions in the response messages
      */
-    if ((context & SSL_EXT_CLIENT_HELLO) != 0)
+    if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST))
+            != 0)
         meth->ext_flags |= SSL_EXT_FLAG_RECEIVED;
 
     /* If no parse function set return success */
@@ -192,7 +193,7 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
                         | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
                         | SSL_EXT_TLS1_3_CERTIFICATE
                         | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) {
-            /* Only send extensions present in ClientHello. */
+            /* Only send extensions present in ClientHello/CertificateRequest */
             if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
                 continue;
         }

libs/openssl/ssl/statem/statem_lib.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -2410,6 +2410,8 @@ int tls13_save_handshake_digest_for_pha(SSL *s)
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
                      ERR_R_INTERNAL_ERROR);
+            EVP_MD_CTX_free(s->pha_dgst);
+            s->pha_dgst = NULL;
             return 0;
         }
     }

libs/openssl/test/certs/cross-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCSkfwkYXTJFL4I
+ICRQFXji6eX9I1NI97GBu2Yk8ejwctMttcJTlBLYpYRFQnZgsLwVEhA25KKlSNPz
+PPrEVipT5Ll5J6uhWEBGLHETh8Qx4sI508B2zUP+2tnDapYtk5MNSVdQZXVt6wJu
+sXY8vd58nHPLo4zr61MTwrj3Ld0lU18YHtxnGSMMYPPTxecE0mjYU038ELxZMdlT
++VSC0KOBJddj64+kXRdiDtQGVWE58MtX5/18LgSY3J/hvNhmcWuY611pgXcmwDPr
+Sn1fDeRqG87Qs8KniS1dtWHDCVW/5KZOQeLcK6VTaEdnwdPYQ7BiJp4+3ypKmErd
+T9TYBs8XAgMBAAECggEABIxdeGpm8DjGRgSQLjLg88CNPWG89sBrQk0SbvQ1HJfq
+dJXRDxgMFtBsFTfX6kla3xfyHpQ/dY4qJZvmQNBXIQ/oiqumw9Ah153qlGJJmXdG
+PEQDEz7+2lExawwmjgk6Uvs58LMHmCNUibUdzHgsdZcwudq8R6FWZ8lvIIo6GOJg
+1gOoPbeAQtNAx8LPr+eDvpXoWJrCKJKuZCSRLV2CDmEH/+KH123cD4Lg+MsPNBJd
+DsOitnVczlqnKDf5gSUXy3cwQlKFtOBa/0pN9wZvZDEWa30RmJmXI2bLo/h6GxGB
+JXK57mTJG3UboWFIgNBU9IudPOdzDfJE1ul/Jon/AQKBgQC7/mmZg31a/8zlPLji
+oWoEEutyNu0O28BCbBrw9t1SqtPFLm53AzIzB4RFVjn9i5dnxljh618KQiY4FbKM
+mz1Yuzf7zCV7n8c1NakGwmW9Ezl8ZoLE44Nu7Pccukorl6uEY7kZa2vGa7krmIcI
+6kFbvVbl4scbXlDL88hGHezhoQKBgQDHl3O8kOvOhIwfVH6qIjIO+0oR57Tqtwaw
+A3oq6Ppdp65GK9G4f+/5L0z/Ay69MyauBLRA6+9LlW6SmAACSK69juvPMK6gd5uS
+yWQ8imh6l304BAryjOHiNXHtpnmiaPAGNgFZKPsPbWlOo4ZexTEBq23i4JM1TUph
+xpCmGY1ltwKBgEuYyPo0iAo55zkfq/Fmm2079nYdZEKfV7beJg9UFjgR/crDGyS8
+okkm8qe3PuaYZbATcNaYgcVsSFYxU3V7T7YIw0B8HW6TF9Zr16aiMatQucMurdNi
+8g1/OPfSadURzqUUPPDd458M3o+LbHHHUbUEdJdJFGwLB06cn6KikglBAoGAMz8M
+xV7EXOsleynbt9090yDsPLqsdhN2UR0jcf8NwZw7H+NCXsfimq1tbJCpoISQqt+k
+VIL/lv2QPW1vmyaET0FyBGmwfJ0ZQdAZv32eI9Pfn9FR6kMIAGfOj8FNu8iL0Fxv
+bjAafjSOdFWCO7UPxyj39ufIhEgLEB3GqA8pgfMCgYEAn/1Ov1Lu4MWq+72LygqG
+78rxk6rIGGET64grG1CSjkylQ9mo14jG6O1lM4fwTjlbGQrKGtzQtL785dW+t5uH
+zC2lDRDp8of+ErC31e+N4YDMdUHWeRBgHDYgsx4EgI0jNb02/UlziL1eARBpnfz6
+tw1erVdMmlA3LRBR5Mj+xso=
+-----END PRIVATE KEY-----

libs/openssl/test/certs/cross-root.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z
+cyBSb290MCAXDTIxMDgzMDE4MzMyNloYDzIxMjEwODMxMTgzMzI2WjAVMRMwEQYD
+VQQDDApDcm9zcyBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+kpH8JGF0yRS+CCAkUBV44unl/SNTSPexgbtmJPHo8HLTLbXCU5QS2KWERUJ2YLC8
+FRIQNuSipUjT8zz6xFYqU+S5eSeroVhARixxE4fEMeLCOdPAds1D/trZw2qWLZOT
+DUlXUGV1besCbrF2PL3efJxzy6OM6+tTE8K49y3dJVNfGB7cZxkjDGDz08XnBNJo
+2FNN/BC8WTHZU/lUgtCjgSXXY+uPpF0XYg7UBlVhOfDLV+f9fC4EmNyf4bzYZnFr
+mOtdaYF3JsAz60p9Xw3kahvO0LPCp4ktXbVhwwlVv+SmTkHi3CulU2hHZ8HT2EOw
+YiaePt8qSphK3U/U2AbPFwIDAQABo1MwUTAdBgNVHQ4EFgQUL16/ihJvr2w9I5k6
+3jjZ13SPW20wHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUiqf8oQaPX3aW6I+dcRhsq5g
+bpYF0X5jePk6UqWu86YcmpoRtGLH7e5aHGJYqrVrkOoo0q4eTL3Pm1/sB3omPRMb
+ey/i7Z70wwd5yI8iz/WBmQDahYxq5wSDsUSdZDL0kSyoU2jCwXUPtuC6F1kMZBFI
+uUeaFcF8oKVGuOHvZgj/FMBpT7tyjdPpDG4uo6AT04AKGhf5xO5UY2N+uqmEsXHK
+HsKAEMrVhdeU5mbrfifvSkMYcYgJOX1KFP+t4U+ogqCHy1/Nfhq+WG1XN5GwhtuO
+ze25NqI6ZvA2og4AoeIzvJ/+Nfl5PNtClm0IjbGvR77oOBMs71lO4GjUYj9eiw==
+-----END CERTIFICATE-----

libs/openssl/test/certs/root-cross-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z
+cyBSb290MCAXDTIxMDgzMDE4MzYzOFoYDzIxMjEwODMxMTgzNjM4WjASMRAwDgYD
+VQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA
+9Qa8oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25
+ZyjSfeMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3
+ngfNwCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6L
+fi7gMUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7O
+Jb3uaa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2F
+f3fftWgiQ35mJCOvxQIDAQABo1MwUTAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOc
+TXL3o1IwHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHi+qdZF/jJrR/F3L60JVLOOUhTpi
+LxFFBksZPVaiVf+6R8pSMy0WtDEkzGT430ji6V4i8O/70HXIG9n9pCye8sLsOl6D
+exXj/MkwwSd3J0Y58zd8ZwMrK9m/jyFrk9TlWokfIFL/eC8VFsu7qmSSRLIjMuxc
+YPPisgR5+WPcus7Jf8auqcYw8eW0GPc1ugJobwucs5e/TinksMfwQrzEydmOPoWI
+Pfur7MjPr5IQXROtQv+CihMigPIHvi73YzSe5zdPCw8JcuZ5vBi2pwquvzvGLtMM
+Btln/SwonyQMks5WV4dOk6NOB73mCMywCir4ybp9ElJMaUGEF9nLO+h8Fg==
+-----END CERTIFICATE-----

libs/openssl/test/dane-cross.in

@@ -0,0 +1,113 @@
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# Blank and comment lines ignored.
+#
+# The first line in each block takes the form:
+#
+#       <TLSA-count> <cert-count> <nonamechecks> <desired-verify-result> <desired-match-depth>
+#
+# It is followed by <TLSA-count> lines of the form:
+#
+#       <usage> <selector> <mtype> <hex-data>
+#
+# and finally, by <cert-count> certificates.
+
+# 1
+# Ensure TLSA with direct root works when peer chain provides a
+# cross-cert.
+1 4 0 0 2
+2 0 0 308202f1308201d9a003020102020101300d06092a864886f70d01010b050030123110300e06035504030c07526f6f742043413020170d3136303131353038313934395a180f32313136303131363038313934395a30123110300e06035504030c07526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e1e600f506bca04638790f3f1e7119136d02df2b9b766bfcacb021edd69108423ba56335ec525ba0a24ac5d6009403975a3db96728d27de3215ca4edc63c8d8e84d19d54c33dd974a296766771f9c61a5077b3fd78ee5be0e38c8923c29a22ec3ed4379e07cdc02b5511173a34421c690d3a18b0ed15945ec6fd9e87c61ce7941a92c05f05c17343e503de0991c924ced88e8b7e2ee03148d1862a6a55267ae80b364e97b1e0a4c9da5c694b0380085683a31fb22ab8c14cfec5b14dd4c001aaedbece25bdee69adf607cd6e2ba18954f568eb9809edc96066cb33624a03b068d60eab5fc135557efd46eebaebdcb6a2a3ed857f77dfb56822437e662423afc50203010001a350304e301d0603551d0e041604148ef525af1e9b6b843d7c809ac9539c4d72f7a352301f0603551d230418301680148ef525af1e9b6b843d7c809ac9539c4d72f7a352300c0603551d13040530030101ff300d06092a864886f70d01010b05000382010100c91449c76ed660ea203d76693df00cb7ca6d6a9affba02d618b9706f32b24a8c8ba68576fd8340bd300607dd2216aeb1fee8e3acae35fc44b4a77bf7f3f41fbb1a36e2071981cfe860b57652a47eb860b1ebca763962d872d06c011b5858e1203e11c56fd695c5c3902b2647b62bc35f4c0b197fa7a99a075fd21899cd2c6e944144ccf146c0a16f30f9adef6467936b8248c0e8327b8d88761a2b4e33aa085370ddf7ea64ddb084905520472f6a37f93e0327aa1f541c6f92d4f8c4e6970f1b9b2ce630e05981d7a0b4ee07b2170130ed39e0a481dd649f04f0ce6c4859d2f9bf970eb74c68bcf3220cb65926714da0d112a979023de86e907aa1f2285de9f0
+subject=CN = server.example
+issuer=CN = CA
+notBefore=Jan 15 08:19:49 2016 GMT
+notAfter=Jan 16 08:19:49 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0xNjAxMTUwODE5NDlaGA8yMTE2MDExNjA4MTk0OVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi
+l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA
+MBMGA1UdJQQMMAoGCCsGAQUFBwMBMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl
+MA0GCSqGSIb3DQEBCwUAA4IBAQBBtDxPYULl5b7VFC7/U0NgV8vTJk4zpPnUMMQ4
+QF2AWDFAek8oLKrz18KQ8M/DEhDxgkaoeXEMLT6BJUEVNYuFEYHEDGarl0nMDRXL
+xOgAExfz3Tf/pjsLaha5aWH7NyCSKWC+lYkIOJ/Kb/m/6QsDJoXsEC8AhrPfqJhz
+UzsCoxIlaDWqawH4+S8bdeX0tvs2VtJk/WOJHxMqXra6kgI4fAgyvr2kIZHinQ3y
+cgX40uAC38bwpE95kJ7FhSfQlE1Rt7sOspUj098Dd0RNDn2uKyOTxEqIELHfw4AX
+O3XAzt8qDyho8nEd/xiQ6qgsQnvXa+hSRJw42g3/czVskxRx
+-----END CERTIFICATE-----
+subject=CN = CA
+issuer=CN = Root CA
+notBefore=Jan 15 08:19:49 2016 GMT
+notAfter=Jan 16 08:19:49 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
+CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk
+IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6
+AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi
+8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6
+uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR
+5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4=
+-----END CERTIFICATE-----
+subject=CN = Root CA
+issuer=CN = Cross Root
+notBefore=Aug 30 18:36:38 2021 GMT
+notAfter=Aug 31 18:36:38 2121 GMT
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z
+cyBSb290MCAXDTIxMDgzMDE4MzYzOFoYDzIxMjEwODMxMTgzNjM4WjASMRAwDgYD
+VQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA
+9Qa8oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25
+ZyjSfeMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3
+ngfNwCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6L
+fi7gMUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7O
+Jb3uaa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2F
+f3fftWgiQ35mJCOvxQIDAQABo1MwUTAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOc
+TXL3o1IwHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHi+qdZF/jJrR/F3L60JVLOOUhTpi
+LxFFBksZPVaiVf+6R8pSMy0WtDEkzGT430ji6V4i8O/70HXIG9n9pCye8sLsOl6D
+exXj/MkwwSd3J0Y58zd8ZwMrK9m/jyFrk9TlWokfIFL/eC8VFsu7qmSSRLIjMuxc
+YPPisgR5+WPcus7Jf8auqcYw8eW0GPc1ugJobwucs5e/TinksMfwQrzEydmOPoWI
+Pfur7MjPr5IQXROtQv+CihMigPIHvi73YzSe5zdPCw8JcuZ5vBi2pwquvzvGLtMM
+Btln/SwonyQMks5WV4dOk6NOB73mCMywCir4ybp9ElJMaUGEF9nLO+h8Fg==
+-----END CERTIFICATE-----
+subject=CN = Cross Root
+issuer=CN = Cross Root
+notBefore=Aug 30 18:33:26 2021 GMT
+notAfter=Aug 31 18:33:26 2121 GMT
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApDcm9z
+cyBSb290MCAXDTIxMDgzMDE4MzMyNloYDzIxMjEwODMxMTgzMzI2WjAVMRMwEQYD
+VQQDDApDcm9zcyBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+kpH8JGF0yRS+CCAkUBV44unl/SNTSPexgbtmJPHo8HLTLbXCU5QS2KWERUJ2YLC8
+FRIQNuSipUjT8zz6xFYqU+S5eSeroVhARixxE4fEMeLCOdPAds1D/trZw2qWLZOT
+DUlXUGV1besCbrF2PL3efJxzy6OM6+tTE8K49y3dJVNfGB7cZxkjDGDz08XnBNJo
+2FNN/BC8WTHZU/lUgtCjgSXXY+uPpF0XYg7UBlVhOfDLV+f9fC4EmNyf4bzYZnFr
+mOtdaYF3JsAz60p9Xw3kahvO0LPCp4ktXbVhwwlVv+SmTkHi3CulU2hHZ8HT2EOw
+YiaePt8qSphK3U/U2AbPFwIDAQABo1MwUTAdBgNVHQ4EFgQUL16/ihJvr2w9I5k6
+3jjZ13SPW20wHwYDVR0jBBgwFoAUL16/ihJvr2w9I5k63jjZ13SPW20wDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUiqf8oQaPX3aW6I+dcRhsq5g
+bpYF0X5jePk6UqWu86YcmpoRtGLH7e5aHGJYqrVrkOoo0q4eTL3Pm1/sB3omPRMb
+ey/i7Z70wwd5yI8iz/WBmQDahYxq5wSDsUSdZDL0kSyoU2jCwXUPtuC6F1kMZBFI
+uUeaFcF8oKVGuOHvZgj/FMBpT7tyjdPpDG4uo6AT04AKGhf5xO5UY2N+uqmEsXHK
+HsKAEMrVhdeU5mbrfifvSkMYcYgJOX1KFP+t4U+ogqCHy1/Nfhq+WG1XN5GwhtuO
+ze25NqI6ZvA2og4AoeIzvJ/+Nfl5PNtClm0IjbGvR77oOBMs71lO4GjUYj9eiw==
+-----END CERTIFICATE-----

libs/openssl/test/data.bin

@@ -0,0 +1,4 @@
+TEST DATA
+
+Please note that if a test involves a new testing executable,
+you will need to do some additions in test/build.info.