git: 1b7b799f9eba - stable/13 - OpenSSL: Merge OpenSSL 1.1.1o

From: Jung-uk Kim <jkim_at_FreeBSD.org>
Date: Tue, 03 May 2022 19:57:42 UTC
The branch stable/13 has been updated by jkim:

URL: https://cgit.FreeBSD.org/src/commit/?id=1b7b799f9ebaa6d558523498005ca0e698051274

commit 1b7b799f9ebaa6d558523498005ca0e698051274
Author:     Jung-uk Kim <jkim@FreeBSD.org>
AuthorDate: 2022-05-03 19:07:06 +0000
Commit:     Jung-uk Kim <jkim@FreeBSD.org>
CommitDate: 2022-05-03 19:55:01 +0000

    OpenSSL: Merge OpenSSL 1.1.1o
    
    (cherry picked from commit 34252e89a96c8d498d7537ade16d20602bf2106a)
---
 crypto/openssl/CHANGES                          | 13 +++++++
 crypto/openssl/NEWS                             |  7 +++-
 crypto/openssl/README                           |  4 +--
 crypto/openssl/apps/apps.c                      |  2 ++
 crypto/openssl/apps/x509.c                      |  6 ++--
 crypto/openssl/crypto/bn/bn_div.c               |  8 +++--
 crypto/openssl/crypto/bn/bn_exp.c               |  5 +--
 crypto/openssl/crypto/ec/curve448/curve448.c    |  3 +-
 crypto/openssl/crypto/ec/ecp_nistz256.c         |  3 +-
 crypto/openssl/crypto/engine/eng_dyn.c          | 33 ++++++++++++------
 crypto/openssl/crypto/err/err.c                 | 45 +++++++++++++++++++++----
 crypto/openssl/crypto/evp/evp_enc.c             | 10 +++---
 crypto/openssl/crypto/evp/evp_local.h           |  4 +--
 crypto/openssl/crypto/init.c                    | 13 ++-----
 crypto/openssl/crypto/s390x_arch.h              |  5 ++-
 crypto/openssl/crypto/s390xcap.c                |  5 ++-
 crypto/openssl/doc/fingerprints.txt             | 10 ++++++
 crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod | 12 ++++++-
 crypto/openssl/include/openssl/opensslv.h       |  6 ++--
 crypto/openssl/ssl/s3_enc.c                     |  4 ++-
 crypto/openssl/ssl/ssl_init.c                   | 19 ++---------
 crypto/openssl/ssl/ssl_lib.c                    |  4 ++-
 crypto/openssl/ssl/ssl_txt.c                    |  6 ++--
 crypto/openssl/ssl/statem/statem_clnt.c         |  7 +++-
 crypto/openssl/ssl/statem/statem_dtls.c         |  8 ++---
 crypto/openssl/ssl/statem/statem_srvr.c         | 23 +++++++++----
 crypto/openssl/ssl/t1_enc.c                     |  4 ++-
 27 files changed, 180 insertions(+), 89 deletions(-)

diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index f6e01b982581..98961effc058 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -7,6 +7,19 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1n and 1.1.1o [3 May 2022]
+
+  *) Fixed a bug in the c_rehash script which was not properly sanitising shell
+    metacharacters to prevent command injection.  This script is distributed by
+    some operating systems in a manner where it is automatically executed.  On
+    such operating systems, an attacker could execute arbitrary commands with the
+    privileges of the script.
+
+    Use of the c_rehash script is considered obsolete and should be replaced
+    by the OpenSSL rehash command line tool.
+    (CVE-2022-1292)
+    [Tomáš Mráz]
+
  Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
 
   *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index f4ac262888ad..d32cf5bb48dd 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,10 +5,15 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]
+
+      o Fixed a bug in the c_rehash script which was not properly sanitising
+        shell metacharacters to prevent command injection (CVE-2022-1292)
+
   Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
 
       o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
-        forever for non-prime moduli ([CVE-2022-0778])
+        forever for non-prime moduli (CVE-2022-0778)
 
   Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
 
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 3e100933f388..a56311a4d186 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,7 +1,7 @@
 
- OpenSSL 1.1.1n 15 Mar 2022
+ OpenSSL 1.1.1o 3 May 2022
 
- Copyright (c) 1998-2021 The OpenSSL Project
+ Copyright (c) 1998-2022 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index 1a92271595f1..db5b48e4cf2f 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
         if (cb_data != NULL && cb_data->password != NULL
                 && *(const char*)cb_data->password != '\0')
             pw_min_len = 1;
+        else if (!verify)
+            pw_min_len = 0;
         prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
         if (!prompt) {
             BIO_printf(bio_err, "Out of memory\n");
diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c
index 1043eba0c8a0..1f53504209de 100644
--- a/crypto/openssl/apps/x509.c
+++ b/crypto/openssl/apps/x509.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
         xca = load_cert(CAfile, CAformat, "CA Certificate");
         if (xca == NULL)
             goto end;
+        if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+            goto end;
     }
 
     out = bio_open_default(outfile, 'w', outformat);
@@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
         goto end;
     }
 
-    if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
-        goto end;
     if (!X509_set_serialNumber(x, bs))
         goto end;
 
diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c
index 0da9f39b31a9..4273618825cc 100644
--- a/crypto/openssl/crypto/bn/bn_div.c
+++ b/crypto/openssl/crypto/bn/bn_div.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
     snum->neg = num_neg;
     snum->top = div_n;
     snum->flags |= BN_FLG_FIXED_TOP;
-    if (rm != NULL)
-        bn_rshift_fixed_top(rm, snum, norm_shift);
+
+    if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0)
+        goto err;
+
     BN_CTX_end(ctx);
     return 1;
  err:
diff --git a/crypto/openssl/crypto/bn/bn_exp.c b/crypto/openssl/crypto/bn/bn_exp.c
index 9531acfc3c94..8c54ab005ca6 100644
--- a/crypto/openssl/crypto/bn/bn_exp.c
+++ b/crypto/openssl/crypto/bn/bn_exp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         return ret;
     }
 
+    BN_RECP_CTX_init(&recp);
+
     BN_CTX_start(ctx);
     aa = BN_CTX_get(ctx);
     val[0] = BN_CTX_get(ctx);
     if (val[0] == NULL)
         goto err;
 
-    BN_RECP_CTX_init(&recp);
     if (m->neg) {
         /* ignore sign of 'm' */
         if (!BN_copy(aa, m))
diff --git a/crypto/openssl/crypto/ec/curve448/curve448.c b/crypto/openssl/crypto/ec/curve448/curve448.c
index 12d97f06795b..3d4db44564e9 100644
--- a/crypto/openssl/crypto/ec/curve448/curve448.c
+++ b/crypto/openssl/crypto/ec/curve448/curve448.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2015-2016 Cryptography Research, Inc.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -577,6 +577,7 @@ static int recode_wnaf(struct smvt_control *control,
             int32_t delta = odd & mask;
 
             assert(position >= 0);
+            assert(pos < 32);       /* can't fail since current & 0xFFFF != 0 */
             if (odd & (1 << (table_bits + 1)))
                 delta -= (1 << (table_bits + 1));
             current -= delta * (1 << pos);
diff --git a/crypto/openssl/crypto/ec/ecp_nistz256.c b/crypto/openssl/crypto/ec/ecp_nistz256.c
index 5005249b05ea..cfad3e15b0bf 100644
--- a/crypto/openssl/crypto/ec/ecp_nistz256.c
+++ b/crypto/openssl/crypto/ec/ecp_nistz256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
  * Copyright (c) 2015, CloudFlare, Inc.
  *
@@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
         return 0;
     }
 
+    memset(&p, 0, sizeof(p));
     BN_CTX_start(ctx);
 
     if (scalar) {
diff --git a/crypto/openssl/crypto/engine/eng_dyn.c b/crypto/openssl/crypto/engine/eng_dyn.c
index 6a0ddc162d00..27d7b893cdad 100644
--- a/crypto/openssl/crypto/engine/eng_dyn.c
+++ b/crypto/openssl/crypto/engine/eng_dyn.c
@@ -393,6 +393,26 @@ static int int_load(dynamic_data_ctx *ctx)
     return 0;
 }
 
+/*
+ * Unfortunately the version checker does not distinguish between
+ * engines built for openssl 1.1.x and openssl 3.x, but loading
+ * an engine that is built for openssl 3.x will cause a fatal
+ * error.  Detect such engines, since EVP_PKEY_get_base_id is exported
+ * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
+ * in openssl 1.1.x.  Therefore we take the presence of that symbol
+ * as an indication that the engine will be incompatible.
+ */
+static int using_libcrypto_3(dynamic_data_ctx *ctx)
+{
+    int ret;
+
+    ERR_set_mark();
+    ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL;
+    ERR_pop_to_mark();
+
+    return ret;
+}
+
 static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
 {
     ENGINE cpy;
@@ -442,18 +462,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
         /*
          * We fail if the version checker veto'd the load *or* if it is
          * deferring to us (by returning its version) and we think it is too
-         * old.
-         * Unfortunately the version checker does not distinguish between
-         * engines built for openssl 1.1.x and openssl 3.x, but loading
-         * an engine that is built for openssl 3.x will cause a fatal
-         * error.  Detect such engines, since EVP_PKEY_get_base_id is exported
-         * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
-         * in openssl 1.1.x.  Therefore we take the presence of that symbol
-         * as an indication that the engine will be incompatible.
+         * old. Also fail if this is engine for openssl 3.x.
          */
-        if (vcheck_res < OSSL_DYNAMIC_OLDEST
-                || DSO_bind_func(ctx->dynamic_dso,
-                                 "EVP_PKEY_get_base_id") != NULL) {
+        if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) {
             /* Fail */
             ctx->bind_engine = NULL;
             ctx->v_check = NULL;
diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c
index bd116e249acb..239a3cea9cc2 100644
--- a/crypto/openssl/crypto/err/err.c
+++ b/crypto/openssl/crypto/err/err.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -23,7 +23,9 @@
 #include "internal/constant_time.h"
 #include "e_os.h"
 
+#ifndef OPENSSL_NO_ERR
 static int err_load_strings(const ERR_STRING_DATA *str);
+#endif
 
 static void ERR_STATE_free(ERR_STATE *s);
 #ifndef OPENSSL_NO_ERR
@@ -76,9 +78,9 @@ static ERR_STRING_DATA ERR_str_functs[] = {
     {ERR_PACK(0, SYS_F_BIND, 0), "bind"},
     {ERR_PACK(0, SYS_F_LISTEN, 0), "listen"},
     {ERR_PACK(0, SYS_F_ACCEPT, 0), "accept"},
-# ifdef OPENSSL_SYS_WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
     {ERR_PACK(0, SYS_F_WSASTARTUP, 0), "WSAstartup"},
-# endif
+#endif
     {ERR_PACK(0, SYS_F_OPENDIR, 0), "opendir"},
     {ERR_PACK(0, SYS_F_FREAD, 0), "fread"},
     {ERR_PACK(0, SYS_F_GETADDRINFO, 0), "getaddrinfo"},
@@ -141,21 +143,26 @@ static int set_err_thread_local;
 static CRYPTO_THREAD_LOCAL err_thread_local;
 
 static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
-static CRYPTO_RWLOCK *err_string_lock;
+static CRYPTO_RWLOCK *err_string_lock = NULL;
 
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
+#endif
 
 /*
  * The internal state
  */
 
+#ifndef OPENSSL_NO_ERR
 static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL;
+#endif
 static int int_err_library_number = ERR_LIB_USER;
 
 static unsigned long get_error_values(int inc, int top, const char **file,
                                       int *line, const char **data,
                                       int *flags);
 
+#ifndef OPENSSL_NO_ERR
 static unsigned long err_string_data_hash(const ERR_STRING_DATA *a)
 {
     unsigned long ret, l;
@@ -184,7 +191,6 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
     return p;
 }
 
-#ifndef OPENSSL_NO_ERR
 /* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
 # define SPACE_SYS_STR_REASONS 8 * 1024
 # define NUM_SYS_STR_REASONS 127
@@ -299,6 +305,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
     err_string_lock = CRYPTO_THREAD_lock_new();
     if (err_string_lock == NULL)
         return 0;
+#ifndef OPENSSL_NO_ERR
     int_error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash,
                                             err_string_data_cmp);
     if (int_error_hash == NULL) {
@@ -306,6 +313,7 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
         err_string_lock = NULL;
         return 0;
     }
+#endif
     return 1;
 }
 
@@ -315,10 +323,13 @@ void err_cleanup(void)
         CRYPTO_THREAD_cleanup_local(&err_thread_local);
     CRYPTO_THREAD_lock_free(err_string_lock);
     err_string_lock = NULL;
+#ifndef OPENSSL_NO_ERR
     lh_ERR_STRING_DATA_free(int_error_hash);
     int_error_hash = NULL;
+#endif
 }
 
+#ifndef OPENSSL_NO_ERR
 /*
  * Legacy; pack in the library.
  */
@@ -342,6 +353,7 @@ static int err_load_strings(const ERR_STRING_DATA *str)
     CRYPTO_THREAD_unlock(err_string_lock);
     return 1;
 }
+#endif
 
 int ERR_load_ERR_strings(void)
 {
@@ -360,24 +372,31 @@ int ERR_load_ERR_strings(void)
 
 int ERR_load_strings(int lib, ERR_STRING_DATA *str)
 {
+#ifndef OPENSSL_NO_ERR
     if (ERR_load_ERR_strings() == 0)
         return 0;
 
     err_patch(lib, str);
     err_load_strings(str);
+#endif
+
     return 1;
 }
 
 int ERR_load_strings_const(const ERR_STRING_DATA *str)
 {
+#ifndef OPENSSL_NO_ERR
     if (ERR_load_ERR_strings() == 0)
         return 0;
     err_load_strings(str);
+#endif
+
     return 1;
 }
 
 int ERR_unload_strings(int lib, ERR_STRING_DATA *str)
 {
+#ifndef OPENSSL_NO_ERR
     if (!RUN_ONCE(&err_string_init, do_err_strings_init))
         return 0;
 
@@ -389,14 +408,14 @@ int ERR_unload_strings(int lib, ERR_STRING_DATA *str)
     for (; str->error; str++)
         (void)lh_ERR_STRING_DATA_delete(int_error_hash, str);
     CRYPTO_THREAD_unlock(err_string_lock);
+#endif
 
     return 1;
 }
 
 void err_free_strings_int(void)
 {
-    if (!RUN_ONCE(&err_string_init, do_err_strings_init))
-        return;
+    /* obsolete */
 }
 
 /********************************************************/
@@ -636,6 +655,7 @@ char *ERR_error_string(unsigned long e, char *ret)
 
 const char *ERR_lib_error_string(unsigned long e)
 {
+#ifndef OPENSSL_NO_ERR
     ERR_STRING_DATA d, *p;
     unsigned long l;
 
@@ -647,10 +667,14 @@ const char *ERR_lib_error_string(unsigned long e)
     d.error = ERR_PACK(l, 0, 0);
     p = int_err_get_item(&d);
     return ((p == NULL) ? NULL : p->string);
+#else
+    return NULL;
+#endif
 }
 
 const char *ERR_func_error_string(unsigned long e)
 {
+#ifndef OPENSSL_NO_ERR
     ERR_STRING_DATA d, *p;
     unsigned long l, f;
 
@@ -663,10 +687,14 @@ const char *ERR_func_error_string(unsigned long e)
     d.error = ERR_PACK(l, f, 0);
     p = int_err_get_item(&d);
     return ((p == NULL) ? NULL : p->string);
+#else
+    return NULL;
+#endif
 }
 
 const char *ERR_reason_error_string(unsigned long e)
 {
+#ifndef OPENSSL_NO_ERR
     ERR_STRING_DATA d, *p = NULL;
     unsigned long l, r;
 
@@ -683,6 +711,9 @@ const char *ERR_reason_error_string(unsigned long e)
         p = int_err_get_item(&d);
     }
     return ((p == NULL) ? NULL : p->string);
+#else
+    return NULL;
+#endif
 }
 
 void err_delete_thread_state(void)
diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
index d835968f253c..e756624b2cdf 100644
--- a/crypto/openssl/crypto/evp/evp_enc.c
+++ b/crypto/openssl/crypto/evp/evp_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -281,7 +281,7 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
 # define PTRDIFF_T size_t
 #endif
 
-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
+int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len)
 {
     PTRDIFF_T diff = (PTRDIFF_T)ptr1-(PTRDIFF_T)ptr2;
     /*
@@ -299,7 +299,8 @@ static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
                                     unsigned char *out, int *outl,
                                     const unsigned char *in, int inl)
 {
-    int i, j, bl, cmpl = inl;
+    int i, j, bl;
+    size_t cmpl = (size_t)inl;
 
     if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
         cmpl = (cmpl + 7) / 8;
@@ -464,8 +465,9 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                       const unsigned char *in, int inl)
 {
-    int fix_len, cmpl = inl;
+    int fix_len;
     unsigned int b;
+    size_t cmpl = (size_t)inl;
 
     /* Prevent accidental use of encryption context when decrypting */
     if (ctx->encrypt) {
diff --git a/crypto/openssl/crypto/evp/evp_local.h b/crypto/openssl/crypto/evp/evp_local.h
index f1589d682894..b59beee49fa8 100644
--- a/crypto/openssl/crypto/evp/evp_local.h
+++ b/crypto/openssl/crypto/evp/evp_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -65,4 +65,4 @@ struct evp_Encode_Ctx_st {
 typedef struct evp_pbe_st EVP_PBE_CTL;
 DEFINE_STACK_OF(EVP_PBE_CTL)
 
-int is_partially_overlapping(const void *ptr1, const void *ptr2, int len);
+int is_partially_overlapping(const void *ptr1, const void *ptr2, size_t len);
diff --git a/crypto/openssl/crypto/init.c b/crypto/openssl/crypto/init.c
index 1b0d523beae0..b23af7977cd2 100644
--- a/crypto/openssl/crypto/init.c
+++ b/crypto/openssl/crypto/init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -211,7 +211,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
 }
 
 static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;
-static int load_crypto_strings_inited = 0;
+
 DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
 {
     int ret = 1;
@@ -225,7 +225,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
                     "err_load_crypto_strings_int()\n");
 # endif
     ret = err_load_crypto_strings_int();
-    load_crypto_strings_inited = 1;
 #endif
     return ret;
 }
@@ -549,14 +548,6 @@ void OPENSSL_cleanup(void)
         async_deinit();
     }
 
-    if (load_crypto_strings_inited) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: "
-                        "err_free_strings_int()\n");
-#endif
-        err_free_strings_int();
-    }
-
     key = destructor_key.value;
     destructor_key.sane = -1;
     CRYPTO_THREAD_cleanup_local(&key);
diff --git a/crypto/openssl/crypto/s390x_arch.h b/crypto/openssl/crypto/s390x_arch.h
index 4d2cc02eb3d3..64e7ebb5662e 100644
--- a/crypto/openssl/crypto/s390x_arch.h
+++ b/crypto/openssl/crypto/s390x_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -47,6 +47,9 @@ struct OPENSSL_s390xcap_st {
     unsigned long long kma[2];
 };
 
+#if defined(__GNUC__) && defined(__linux)
+__attribute__ ((visibility("hidden")))
+#endif
 extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
 
 /* convert facility bit number or function code to bit mask */
diff --git a/crypto/openssl/crypto/s390xcap.c b/crypto/openssl/crypto/s390xcap.c
index 5d58b2d807b4..1097c703b4fb 100644
--- a/crypto/openssl/crypto/s390xcap.c
+++ b/crypto/openssl/crypto/s390xcap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -26,6 +26,9 @@ void OPENSSL_vx_probe(void);
 
 struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
 
+#if defined(__GNUC__) && defined(__linux)
+__attribute__ ((visibility("hidden")))
+#endif
 void OPENSSL_cpuid_setup(void)
 {
     sigset_t oset;
diff --git a/crypto/openssl/doc/fingerprints.txt b/crypto/openssl/doc/fingerprints.txt
index 51e76c8f71b9..3604fbdc658c 100644
--- a/crypto/openssl/doc/fingerprints.txt
+++ b/crypto/openssl/doc/fingerprints.txt
@@ -22,3 +22,13 @@ pub   2048R/0E604491 2013-04-30
       Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
 uid                  Matt Caswell <matt@openssl.org>
 uid                  Matt Caswell <frodo@baggins.org>
+
+pub   rsa4096 2021-02-14
+      B7C1 C143 60F3 53A3 6862  E4D5 231C 84CD DCC6 9C45
+uid                  Paul Dale <pauli@openssl.org>
+
+pub   rsa4096 2021-07-16
+      A21F AB74 B008 8AA3 6115  2586 B8EF 1A6B A9DA 2D5C
+uid                  Tomáš Mráz <tm@t8m.info>
+uid                  Tomáš Mráz <tomas@arleto.cz>
+uid                  Tomáš Mráz <tomas@openssl.org>
diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod b/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod
index c32585e45f92..e76353cfd4b9 100644
--- a/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod
+++ b/crypto/openssl/doc/man3/SSL_CTX_set_timeout.pod
@@ -42,6 +42,16 @@ basis, see L<SSL_get_default_timeout(3)>.
 All currently supported protocols have the same default timeout value
 of 300 seconds.
 
+This timeout value is used as the ticket lifetime hint for stateless session
+tickets. It is also used as the timeout value within the ticket itself.
+
+For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
+seconds).
+
+For TLSv1.2, tickets generated during an initial handshake use the value
+as specified. Tickets generated during a resumed handshake have a value
+of 0 for the ticket lifetime hint.
+
 =head1 RETURN VALUES
 
 SSL_CTX_set_timeout() returns the previously set timeout value.
@@ -58,7 +68,7 @@ L<SSL_get_default_timeout(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h
index cef157da5f64..7acc112982c7 100644
--- a/crypto/openssl/include/openssl/opensslv.h
+++ b/crypto/openssl/include/openssl/opensslv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010efL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1n-freebsd  15 Mar 2022"
+# define OPENSSL_VERSION_NUMBER  0x101010ffL
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1o-freebsd  3 May 2022"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 8a89f512fe60..7b119b452fd7 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -589,6 +589,8 @@ int ssl3_alert_code(int code)
         return TLS1_AD_NO_APPLICATION_PROTOCOL;
     case SSL_AD_CERTIFICATE_REQUIRED:
         return SSL_AD_HANDSHAKE_FAILURE;
+    case SSL_AD_MISSING_EXTENSION:
+        return SSL_AD_HANDSHAKE_FAILURE;
     default:
         return -1;
     }
diff --git a/crypto/openssl/ssl/ssl_init.c b/crypto/openssl/ssl/ssl_init.c
index d083d9597091..a5d45480c9e0 100644
--- a/crypto/openssl/ssl/ssl_init.c
+++ b/crypto/openssl/ssl/ssl_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -116,7 +116,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
 }
 
 static CRYPTO_ONCE ssl_strings = CRYPTO_ONCE_STATIC_INIT;
-static int ssl_strings_inited = 0;
+
 DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
 {
     /*
@@ -129,7 +129,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
             "ERR_load_SSL_strings()\n");
 # endif
     ERR_load_SSL_strings();
-    ssl_strings_inited = 1;
 #endif
     return 1;
 }
@@ -157,20 +156,6 @@ static void ssl_library_stop(void)
         ssl_comp_free_compression_methods_int();
 #endif
     }
-
-    if (ssl_strings_inited) {
-#ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: "
-                "err_free_strings_int()\n");
-#endif
-        /*
-         * If both crypto and ssl error strings are inited we will end up
-         * calling err_free_strings_int() twice - but that's ok. The second
-         * time will be a no-op. It's easier to do that than to try and track
-         * between the two libraries whether they have both been inited.
-         */
-        err_free_strings_int();
-    }
 }
 
 /*
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index ff5a9e05660b..1fbad29b233c 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -2170,6 +2170,7 @@ int SSL_shutdown(SSL *s)
         if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
             struct ssl_async_args args;
 
+            memset(&args, 0, sizeof(args));
             args.s = s;
             args.type = OTHERFUNC;
             args.f.func_other = s->method->ssl_shutdown;
@@ -3799,6 +3800,7 @@ int SSL_do_handshake(SSL *s)
         if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
             struct ssl_async_args args;
 
+            memset(&args, 0, sizeof(args));
             args.s = s;
 
             ret = ssl_start_async_job(s, &args, ssl_do_handshake_intern);
diff --git a/crypto/openssl/ssl/ssl_txt.c b/crypto/openssl/ssl/ssl_txt.c
index 457bc8b3c20a..759e1873e6b1 100644
--- a/crypto/openssl/ssl/ssl_txt.c
+++ b/crypto/openssl/ssl/ssl_txt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -130,11 +130,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
     }
 #endif
     if (x->time != 0L) {
-        if (BIO_printf(bp, "\n    Start Time: %ld", x->time) <= 0)
+        if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
             goto err;
     }
     if (x->timeout != 0L) {
-        if (BIO_printf(bp, "\n    Timeout   : %ld (sec)", x->timeout) <= 0)
+        if (BIO_printf(bp, "\n    Timeout   : %lld (sec)", (long long)x->timeout) <= 0)
             goto err;
     }
     if (BIO_puts(bp, "\n") <= 0)
diff --git a/crypto/openssl/ssl/statem/statem_clnt.c b/crypto/openssl/ssl/statem/statem_clnt.c
index d1a39698124b..d19c44e8d984 100644
--- a/crypto/openssl/ssl/statem/statem_clnt.c
+++ b/crypto/openssl/ssl/statem/statem_clnt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1422,6 +1422,11 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
             && sversion == TLS1_2_VERSION
             && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
             && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
+        if (s->hello_retry_request != SSL_HRR_NONE) {
+            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
+                     SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE);
+            goto err;
+        }
         s->hello_retry_request = SSL_HRR_PENDING;
         hrr = 1;
         if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
diff --git a/crypto/openssl/ssl/statem/statem_dtls.c b/crypto/openssl/ssl/statem/statem_dtls.c
index 8e3fb686ee27..8fe6cea72359 100644
--- a/crypto/openssl/ssl/statem/statem_dtls.c
+++ b/crypto/openssl/ssl/statem/statem_dtls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -218,8 +218,8 @@ int dtls1_do_write(SSL *s, int type)
         else
             len = s->init_num;
 
-        if (len > s->max_send_fragment)
-            len = s->max_send_fragment;
+        if (len > ssl_get_max_send_fragment(s))
+            len = ssl_get_max_send_fragment(s);
 
         /*
          * XDTLS: this function is too long.  split out the CCS part
@@ -241,7 +241,7 @@ int dtls1_do_write(SSL *s, int type)
 
         ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len,
                                 &written);
-        if (ret < 0) {
+        if (ret <= 0) {
             /*
              * might need to update MTU here, but we don't know which
              * previous packet caused the failure -- so can't really
diff --git a/crypto/openssl/ssl/statem/statem_srvr.c b/crypto/openssl/ssl/statem/statem_srvr.c
index d701c46b43b5..43f77a58992f 100644
--- a/crypto/openssl/ssl/statem/statem_srvr.c
+++ b/crypto/openssl/ssl/statem/statem_srvr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -3820,15 +3820,24 @@ int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
 static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add,
                                  unsigned char *tick_nonce)
 {
+    uint32_t timeout = (uint32_t)s->session->timeout;
+
     /*
-     * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
-     * unspecified for resumed session (for simplicity).
+     * Ticket lifetime hint:
      * In TLSv1.3 we reset the "time" field above, and always specify the
-     * timeout.
+     * timeout, limited to a 1 week period per RFC8446.
+     * For TLSv1.2 this is advisory only and we leave this unspecified for
+     * resumed session (for simplicity).
      */
-    if (!WPACKET_put_bytes_u32(pkt,
-                               (s->hit && !SSL_IS_TLS13(s))
-                               ? 0 : s->session->timeout)) {
+#define ONE_WEEK_SEC (7 * 24 * 60 * 60)
+
+    if (SSL_IS_TLS13(s)) {
+        if (s->session->timeout > ONE_WEEK_SEC)
+            timeout = ONE_WEEK_SEC;
+    } else if (s->hit)
+        timeout = 0;
+
+    if (!WPACKET_put_bytes_u32(pkt, timeout)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CREATE_TICKET_PREQUEL,
                  ERR_R_INTERNAL_ERROR);
         return 0;
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index 7d2eb381af1a..422dde31262a 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -796,6 +796,8 @@ int tls1_alert_code(int code)
         return TLS1_AD_NO_APPLICATION_PROTOCOL;
     case SSL_AD_CERTIFICATE_REQUIRED:
         return SSL_AD_HANDSHAKE_FAILURE;
+    case SSL_AD_MISSING_EXTENSION:
+        return SSL_AD_HANDSHAKE_FAILURE;
     default:
         return -1;
     }