From: Mark Johnston
Date: Mon, 21 Sep 2020 00:31:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r365933 - releng/12.2/sys/vm
List-Id: SVN commit messages for the release engineering / security commits to the src tree

Author: markj
Date: Mon Sep 21 00:31:06 2020
New Revision: 365933
URL: https://svnweb.freebsd.org/changeset/base/365933

Log:
MFS r365928:
MFC r365841:
Increase the default vm.max_user_wired value.

Approved by: re (gjb)

Modified:
releng/12.2/sys/vm/vm_pageout.c
Directory Properties:
releng/12.2/ (props changed)

Modified: releng/12.2/sys/vm/vm_pageout.c ============================================================================== --- releng/12.2/sys/vm/vm_pageout.c Sun Sep 20 23:20:18 2020 (r365932) +++ releng/12.2/sys/vm/vm_pageout.c Mon Sep 21 00:31:06 2020 (r365933) @@ -2040,7 +2040,7 @@ vm_pageout_init_domain(int domain) static void vm_pageout_init(void) { - u_int freecount; + u_long freecount; int i; /*
@@ -2073,8 +2073,13 @@ vm_pageout_init(void) if (vm_pageout_update_period == 0) vm_pageout_update_period = 600; + /* + * Set the maximum number of user-wired virtual pages. Historically the + * main source of such pages was mlock(2) and mlockall(2). Hypervisors + * may also request user-wired memory. + */ if (vm_page_max_user_wired == 0) - vm_page_max_user_wired = freecount / 3; + vm_page_max_user_wired = 4 * freecount / 5; } /*
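
Review bot: The comment added above "vm_page_max_user_wired = 4 * freecount / 5;" in the "@@ -2073,8 +2073,13 @@" hunk of vm_pageout.c names the consumers of user-wired pages but not why the default moves from one third to four fifths of freecount. Wired pages cannot be paged out, so the comment should record the reasoning for leaving only a fifth of the boot-time free count unwirable and mention the vm.max_user_wired setting for operators who want the old limit. The earlier hunk widens freecount from u_int to u_long, apparently so that "4 * freecount" cannot wrap; a short remark next to the declaration would keep it from being narrowed again, and it is worth confirming that vm_page_max_user_wired is at least as wide.
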
From: Eugene Grosbein
Date: Mon, 21 Sep 2020 12:37:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r365944 - releng/12.2/sys/geom/part

Author: eugen
Date: Mon Sep 21 12:37:41 2020
New Revision: 365944
URL: https://svnweb.freebsd.org/changeset/base/365944

Log:
MFS r365667,r365920: extend kern.geom.part.check_integrity to work on GPT

There are multiple USB/SATA bridges on the market that unconditionally cut some LBAs off connected media. This could be a problem for pre-partitioned drives so GEOM complains and does not create devices in /dev for slices/partitions preventing access to existing data.

We have a knob kern.geom.part.check_integrity that allows us to correct partitioning if changed from default 1 to 0 but it works for MBR only. If backup copy of GPT is unavailable due to decreased number of LBAs, the kernel does not give access to partitions still and prints to dmesg:

GEOM: md0: corrupt or invalid GPT detected.
GEOM: md0: GPT rejected -- may not be recoverable.

This change makes it work for GPT too, so it created partitions in /dev and prints to dmesg this instead:

GEOM: md0: the secondary GPT table is corrupt or invalid.
GEOM: md0: using the primary only -- recovery suggested.

Then "gpart recover" re-creates backup copy of GPT and allows further manipulations with partitions.
This change is no-op for default configuration having kern.geom.part.check_integrity=1 Reported by: Alex Korchmar Approved by: re (gjb) Modified: releng/12.2/sys/geom/part/g_part.c releng/12.2/sys/geom/part/g_part_gpt.c Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sys/geom/part/g_part.c ============================================================================== --- releng/12.2/sys/geom/part/g_part.c Mon Sep 21 10:02:11 2020 (r365943) +++ releng/12.2/sys/geom/part/g_part.c Mon Sep 21 12:37:41 2020 (r365944) @@ -135,9 +135,9 @@ struct g_part_alias_list { SYSCTL_DECL(_kern_geom); SYSCTL_NODE(_kern_geom, OID_AUTO, part, CTLFLAG_RW, 0, "GEOM_PART stuff"); -static u_int check_integrity = 1; +u_int geom_part_check_integrity = 1; SYSCTL_UINT(_kern_geom_part, OID_AUTO, check_integrity, - CTLFLAG_RWTUN, &check_integrity, 1, + CTLFLAG_RWTUN, &geom_part_check_integrity, 1, "Enable integrity checking"); static u_int auto_resize = 1; SYSCTL_UINT(_kern_geom_part, OID_AUTO, auto_resize, @@ -420,7 +420,7 @@ g_part_check_integrity(struct g_part_table *table, str if (failed != 0) { printf("GEOM_PART: integrity check failed (%s, %s)\n", pp->name, table->gpt_scheme->name); - if (check_integrity != 0) + if (geom_part_check_integrity != 0) return (EINVAL); table->gpt_corrupt = 1; } @@ -1846,7 +1846,8 @@ g_part_ctlreq(struct gctl_req *req, struct g_class *mp table = gpp.gpp_geom->softc; if (table != NULL && table->gpt_corrupt && ctlreq != G_PART_CTL_DESTROY && - ctlreq != G_PART_CTL_RECOVER) { + ctlreq != G_PART_CTL_RECOVER && + geom_part_check_integrity) { gctl_error(req, "%d table '%s' is corrupt", EPERM, gpp.gpp_geom->name); return; Modified: releng/12.2/sys/geom/part/g_part_gpt.c ============================================================================== --- releng/12.2/sys/geom/part/g_part_gpt.c Mon Sep 21 10:02:11 2020 (r365943) +++ releng/12.2/sys/geom/part/g_part_gpt.c Mon Sep 21 12:37:41 2020 (r365944) 
@@ -64,6 +64,8 @@ SYSCTL_UINT(_kern_geom_part_gpt, OID_AUTO, allow_nesti CTASSERT(offsetof(struct gpt_hdr, padding) == 92); CTASSERT(sizeof(struct gpt_ent) == 128); +extern u_int geom_part_check_integrity; + #define EQUUID(a,b) (memcmp(a, b, sizeof(struct uuid)) == 0) #define MBRSIZE 512 
@@ -460,8 +462,9 @@ gpt_read_hdr(struct g_part_gpt_table *table, struct g_ if (hdr->hdr_lba_self != table->lba[elt]) goto fail; hdr->hdr_lba_alt = le64toh(buf->hdr_lba_alt); - if (hdr->hdr_lba_alt == hdr->hdr_lba_self || - hdr->hdr_lba_alt > last) + if (hdr->hdr_lba_alt == hdr->hdr_lba_self) + goto fail; + if (hdr->hdr_lba_alt > last && geom_part_check_integrity) goto fail; /* Check the managed area. */
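
Review bot: In the "@@ -1846,7 +1846,8 @@" hunk of g_part.c, adding geom_part_check_integrity to the condition lifts the EPERM gate for every verb, not only the ones needed to reach "gpart recover". With the knob at 0, requests other than G_PART_CTL_DESTROY and G_PART_CTL_RECOVER are accepted against a table that still has gpt_corrupt set, and because the sysctl is declared CTLFLAG_RWTUN the gate can be switched at run time for geoms that are already attached. If the intent is only to expose the partitions for reading and recovery, keep the gate for modifying verbs; otherwise state in a comment that modifying a corrupt table is deliberately permitted in this mode.
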
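
Review bot: The "extern u_int geom_part_check_integrity;" added in the "@@ -64,6 +64,8 @@" hunk of g_part_gpt.c repeats the type of the definition in g_part.c by hand. Move the declaration into a header that both files include, so the compiler catches a mismatch if the type of the variable ever changes.
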
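
Review bot: In the "@@ -460,8 +462,9 @@" hunk of g_part_gpt.c, "hdr->hdr_lba_alt > last" is now tolerated when geom_part_check_integrity is 0, so a header whose alternate LBA lies beyond the end of the media passes gpt_read_hdr(). The hunk has no comment tying this to the truncated-media case described in the commit log; add one, and check that later users of hdr_lba_alt do not turn the out-of-range value into an I/O offset.
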
From: Navdeep Parhar
Date: Mon, 21 Sep 2020 18:19:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r365961 - in releng/12.2/sys: conf dev/cxgbe/firmware modules/cxgbe/t4_firmware modules/cxgbe/t5_firmware modules/cxgbe/t6_firmware

Author: np
Date: Mon Sep 21 18:19:48 2020
New Revision: 365961
URL: https://svnweb.freebsd.org/changeset/base/365961

Log:
MFS r365937, which merged r365861 and r365872 from head to stable/12.

r365861:
cxgbe(4): Update T4/5/6 firmwares to 1.25.0.0.

r365872:
cxgbe(4): add the firmware binaries instead of the empty files that were added in r365861.
Approved by: re@ (gjb@) Added: releng/12.2/sys/dev/cxgbe/firmware/t4fw-1.25.0.0.bin - copied unchanged from r365937, stable/12/sys/dev/cxgbe/firmware/t4fw-1.25.0.0.bin releng/12.2/sys/dev/cxgbe/firmware/t5fw-1.25.0.0.bin - copied unchanged from r365937, stable/12/sys/dev/cxgbe/firmware/t5fw-1.25.0.0.bin releng/12.2/sys/dev/cxgbe/firmware/t6fw-1.25.0.0.bin - copied unchanged from r365937, stable/12/sys/dev/cxgbe/firmware/t6fw-1.25.0.0.bin Deleted: releng/12.2/sys/dev/cxgbe/firmware/t4fw-1.24.12.0.bin releng/12.2/sys/dev/cxgbe/firmware/t5fw-1.24.12.0.bin releng/12.2/sys/dev/cxgbe/firmware/t6fw-1.24.12.0.bin Modified: releng/12.2/sys/conf/files releng/12.2/sys/dev/cxgbe/firmware/t4fw_interface.h releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg.txt releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg_uwire.txt releng/12.2/sys/modules/cxgbe/t4_firmware/Makefile releng/12.2/sys/modules/cxgbe/t5_firmware/Makefile releng/12.2/sys/modules/cxgbe/t6_firmware/Makefile Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sys/conf/files ============================================================================== --- releng/12.2/sys/conf/files Mon Sep 21 18:19:35 2020 (r365960) +++ releng/12.2/sys/conf/files Mon Sep 21 18:19:48 2020 (r365961) @@ -1476,7 +1476,7 @@ t4fw.fwo optional cxgbe \ no-implicit-rule \ clean "t4fw.fwo" t4fw.fw optional cxgbe \ - dependency "$S/dev/cxgbe/firmware/t4fw-1.24.12.0.bin" \ + dependency "$S/dev/cxgbe/firmware/t4fw-1.25.0.0.bin" \ compile-with "${CP} ${.ALLSRC} ${.TARGET}" \ no-obj no-implicit-rule \ clean "t4fw.fw" @@ -1510,7 +1510,7 @@ t5fw.fwo optional cxgbe \ no-implicit-rule \ clean "t5fw.fwo" t5fw.fw optional cxgbe \ - dependency "$S/dev/cxgbe/firmware/t5fw-1.24.12.0.bin" \ + dependency "$S/dev/cxgbe/firmware/t5fw-1.25.0.0.bin" \ compile-with "${CP} ${.ALLSRC} ${.TARGET}" \ no-obj no-implicit-rule \ clean "t5fw.fw" 
@@ -1544,7 +1544,7 @@ t6fw.fwo optional cxgbe \ no-implicit-rule \ clean "t6fw.fwo" t6fw.fw optional cxgbe \ - dependency "$S/dev/cxgbe/firmware/t6fw-1.24.12.0.bin" \ + dependency "$S/dev/cxgbe/firmware/t6fw-1.25.0.0.bin" \ compile-with "${CP} ${.ALLSRC} ${.TARGET}" \ no-obj no-implicit-rule \ clean "t6fw.fw" Copied: releng/12.2/sys/dev/cxgbe/firmware/t4fw-1.25.0.0.bin (from r365937, stable/12/sys/dev/cxgbe/firmware/t4fw-1.25.0.0.bin) ============================================================================== Binary file (source and/or target). No diff available. Modified: releng/12.2/sys/dev/cxgbe/firmware/t4fw_interface.h ============================================================================== --- releng/12.2/sys/dev/cxgbe/firmware/t4fw_interface.h Mon Sep 21 18:19:35 2020 (r365960) +++ releng/12.2/sys/dev/cxgbe/firmware/t4fw_interface.h Mon Sep 21 18:19:48 2020 (r365961) @@ -4690,6 +4690,7 @@ enum fw_caps_config_crypto { FW_CAPS_CONFIG_CRYPTO_LOOKASIDE = 0x00000001, FW_CAPS_CONFIG_TLSKEYS = 0x00000002, FW_CAPS_CONFIG_IPSEC_INLINE = 0x00000004, + FW_CAPS_CONFIG_TLS_HW = 0x00000008, }; enum fw_caps_config_fcoe { @@ -4838,6 +4839,7 @@ enum fw_params_param_dev { FW_PARAMS_PARAM_DEV_TCB_CACHE_FLUSH = 0x2D, FW_PARAMS_PARAM_DEV_FILTER = 0x2E, FW_PARAMS_PARAM_DEV_CLIP2_CMD = 0x2F, + FW_PARAMS_PARAM_DEV_KTLS_HW = 0x31, }; /* @@ -4874,6 +4876,13 @@ enum fw_params_param_dev_filter{ FW_PARAM_DEV_FILTER_MODE_MASK = 0x01, }; +enum fw_params_param_dev_ktls_hw { + FW_PARAMS_PARAM_DEV_KTLS_HW_DISABLE = 0x00, + FW_PARAMS_PARAM_DEV_KTLS_HW_ENABLE = 0x01, + FW_PARAMS_PARAM_DEV_KTLS_HW_USER_DISABLE = 0x00, + FW_PARAMS_PARAM_DEV_KTLS_HW_USER_ENABLE = 0x01, +}; + enum fw_params_param_dev_fwcache { FW_PARAM_DEV_FWCACHE_FLUSH = 0x00, FW_PARAM_DEV_FWCACHE_FLUSHINV = 0x01, @@ -9638,6 +9647,7 @@ struct fw_debug_cmd { enum fw_diag_cmd_type { FW_DIAG_CMD_TYPE_OFLDIAG = 0, + FW_DIAG_CMD_TYPE_MEM_TEST_DIAG, }; enum fw_diag_cmd_ofldiag_op { 
@@ -9654,6 +9664,22 @@ enum fw_diag_cmd_ofldiag_status { FW_DIAG_CMD_OFLDIAG_STATUS_PASSED, }; +enum fw_diag_cmd_memdiag_op { + FW_DIAG_CMD_MEMDIAG_TEST_START=1, + FW_DIAG_CMD_MEMDIAG_TEST_STOP, + FW_DIAG_CMD_MEMDIAG_TEST_STATUS, + FW_DIAG_CMD_MEMDIAG_TEST_INIT, +}; + + +enum fw_diag_cmd_memdiag_status { + FW_DIAG_CMD_MEMDIAG_STATUS_NONE, + FW_DIAG_CMD_MEMDIAG_STATUS_RUNNING, + FW_DIAG_CMD_MEMDIAG_STATUS_FAILED, + FW_DIAG_CMD_MEMDIAG_STATUS_PASSED +}; + + struct fw_diag_cmd { __be32 op_type; __be32 len16_pkd; @@ -9664,15 +9690,33 @@ struct fw_diag_cmd { __be16 test_status; __be32 duration; } ofldiag; + struct fw_diag_test_memtest_diag { + __u8 test_op; + __u8 test_status; + __be16 size; /* in KB */ + __be32 duration; /* in seconds */ + } memdiag; } u; }; -#define S_FW_DIAG_CMD_TYPE 0 -#define M_FW_DIAG_CMD_TYPE 0xff -#define V_FW_DIAG_CMD_TYPE(x) ((x) << S_FW_DIAG_CMD_TYPE) -#define G_FW_DIAG_CMD_TYPE(x) \ - (((x) >> S_FW_DIAG_CMD_TYPE) & M_FW_DIAG_CMD_TYPE) +#define S_FW_DIAG_CMD_OPCODE 24 +#define M_FW_DIAG_CMD_OPCODE 0xff +#define V_FW_DIAG_CMD_OPCODE(x) ((x) << S_FW_DIAG_CMD_OPCODE) +#define G_FW_DIAG_CMD_OPCODE(x) \ + (((x) >> S_FW_DIAG_CMD_OPCODE) & M_FW_DIAG_CMD_OPCODE) +#define S_FW_DIAG_CMD_TYPE 0 +#define M_FW_DIAG_CMD_TYPE 0xff +#define V_FW_DIAG_CMD_TYPE(x) ((x) << S_FW_DIAG_CMD_TYPE) +#define G_FW_DIAG_CMD_TYPE(x) \ + (((x) >> S_FW_DIAG_CMD_TYPE) & M_FW_DIAG_CMD_TYPE) + +#define S_FW_DIAG_CMD_LEN16 0 +#define M_FW_DIAG_CMD_LEN16 0xff +#define V_FW_DIAG_CMD_LEN16(x) ((x) << S_FW_DIAG_CMD_LEN16) +#define G_FW_DIAG_CMD_LEN16(x) \ + (((x) >> S_FW_DIAG_CMD_LEN16) & M_FW_DIAG_CMD_LEN16) + struct fw_hma_cmd { __be32 op_pkd; __be32 retval_len16; 
@@ -9939,18 +9983,18 @@ enum fw_hdr_chip { enum { T4FW_VERSION_MAJOR = 1, - T4FW_VERSION_MINOR = 24, - T4FW_VERSION_MICRO = 12, + T4FW_VERSION_MINOR = 25, + T4FW_VERSION_MICRO = 0, T4FW_VERSION_BUILD = 0, T5FW_VERSION_MAJOR = 1, - T5FW_VERSION_MINOR = 24, - T5FW_VERSION_MICRO = 12, + T5FW_VERSION_MINOR = 25, + T5FW_VERSION_MICRO = 0, T5FW_VERSION_BUILD = 0, T6FW_VERSION_MAJOR = 1, - T6FW_VERSION_MINOR = 24, - T6FW_VERSION_MICRO = 12, + T6FW_VERSION_MINOR = 25, + T6FW_VERSION_MICRO = 0, T6FW_VERSION_BUILD = 0, }; Copied: releng/12.2/sys/dev/cxgbe/firmware/t5fw-1.25.0.0.bin (from r365937, stable/12/sys/dev/cxgbe/firmware/t5fw-1.25.0.0.bin) ============================================================================== Binary file (source and/or target). No diff available. Copied: releng/12.2/sys/dev/cxgbe/firmware/t6fw-1.25.0.0.bin (from r365937, stable/12/sys/dev/cxgbe/firmware/t6fw-1.25.0.0.bin) ============================================================================== Binary file (source and/or target). No diff available. Modified: releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg.txt ============================================================================== --- releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg.txt Mon Sep 21 18:19:35 2020 (r365960) +++ releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg.txt Mon Sep 21 18:19:48 2020 (r365961) @@ -41,8 +41,8 @@ # TP OFLD MTUs tp_mtus = 88, 256, 512, 576, 808, 1024, 1280, 1488, 1500, 2002, 2048, 4096, 4352, 8192, 9000, 9600 - # enable TP_OUT_CONFIG.IPIDSPLITMODE and CRXPKTENC - reg[0x7d04] = 0x00010008/0x00010008 + # enable TP_OUT_CONFIG.IPIDSplitMode, CRxPktEnc, and CCplAckMode. + reg[0x7d04] = 0x00012008/0x00012008 # TP_GLOBAL_CONFIG reg[0x7d08] = 0x00000800/0x00000800 # set IssFromCplEnable 
@@ -272,7 +272,7 @@ [fini] version = 0x1 - checksum = 0x4528a6ac + checksum = 0x13640470 # # $FreeBSD$ # Modified: releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg_uwire.txt ============================================================================== --- releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg_uwire.txt Mon Sep 21 18:19:35 2020 (r365960) +++ releng/12.2/sys/dev/cxgbe/firmware/t6fw_cfg_uwire.txt Mon Sep 21 18:19:48 2020 (r365961) @@ -110,7 +110,8 @@ sge_dbq_timer = 3, 2, 1, 5, 7, 9, 12, 16 # enable TP_OUT_CONFIG.IPIDSPLITMODE - reg[0x7d04] = 0x00010000/0x00010000 + # Set TP_OUT_CONFIG.CCplAckMode to get srtt/rttvar + reg[0x7d04] = 0x00012000/0x00012000 reg[0x7dc0] = 0x0e2f8849 # TP_SHIFT_CNT @@ -200,6 +201,9 @@ hma_size = 92 # Size (in MBs) of host memory expected hma_regions = stag,pbl,rq # What all regions to place in host memory + #enable bottleneck-bw congestion control mode + #ofld_flags = 4 + # Some "definitions" to make the rest of this a bit more readable. We support # 4 ports, 3 functions (NIC, FCoE and iSCSI), scaling up to 8 "CPU Queue Sets" # per function per port ... @@ -426,7 +430,7 @@ nserver = 496 # number of server region entries nhash = 12288 # number of hash region entries nhpfilter = 64 # number of high priority filter region entries - protocol = nic_vm, ofld, rddp, rdmac, iscsi_initiator_pdu, iscsi_target_pdu, iscsi_t10dif, tlskeys, crypto_lookaside, ipsec_inline, nic_hashfilter + protocol = nic_vm, ofld, rddp, rdmac, iscsi_initiator_pdu, iscsi_target_pdu, iscsi_t10dif, tlskeys, crypto_lookaside, ipsec_inline, nic_hashfilter, nic_ktls_ofld tp_l2t = 3072 tp_ddp = 2 tp_ddp_iscsi = 2 @@ -588,7 +592,7 @@ [fini] version = 0x1425001d - checksum = 0x14a022cd + checksum = 0xa1403d73 # Total resources used by above allocations: # Virtual Interfaces: 104 
@@ -599,4 +603,4 @@ # Virtual Functions: 64 # # $FreeBSD$ -# \ No newline at end of file +# Modified: releng/12.2/sys/modules/cxgbe/t4_firmware/Makefile ============================================================================== --- releng/12.2/sys/modules/cxgbe/t4_firmware/Makefile Mon Sep 21 18:19:35 2020 (r365960) +++ releng/12.2/sys/modules/cxgbe/t4_firmware/Makefile Mon Sep 21 18:19:48 2020 (r365961) @@ -17,7 +17,7 @@ FIRMWS+= ${F}:${F:C/.txt//}:1.0.0.0 .endif .endfor -T4FW_VER= 1.24.12.0 +T4FW_VER= 1.25.0.0 FIRMWS+= t4fw-${T4FW_VER}.bin:t4fw:${T4FW_VER} .include Modified: releng/12.2/sys/modules/cxgbe/t5_firmware/Makefile ============================================================================== --- releng/12.2/sys/modules/cxgbe/t5_firmware/Makefile Mon Sep 21 18:19:35 2020 (r365960) +++ releng/12.2/sys/modules/cxgbe/t5_firmware/Makefile Mon Sep 21 18:19:48 2020 (r365961) @@ -17,7 +17,7 @@ FIRMWS+= ${F}:${F:C/.txt//}:1.0.0.0 .endif .endfor -T5FW_VER= 1.24.12.0 +T5FW_VER= 1.25.0.0 FIRMWS+= t5fw-${T5FW_VER}.bin:t5fw:${T5FW_VER} .include Modified: releng/12.2/sys/modules/cxgbe/t6_firmware/Makefile ============================================================================== --- releng/12.2/sys/modules/cxgbe/t6_firmware/Makefile Mon Sep 21 18:19:35 2020 (r365960) +++ releng/12.2/sys/modules/cxgbe/t6_firmware/Makefile Mon Sep 21 18:19:48 2020 (r365961) 
@@ -17,7 +17,7 @@ FIRMWS+= ${F}:${F:C/.txt//}:1.0.0.0 .endif .endfor -T6FW_VER= 1.24.12.0 +T6FW_VER= 1.25.0.0 FIRMWS+= t6fw-${T6FW_VER}.bin:t6fw:${T6FW_VER} .include
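
Review bot: The three firmware images (t4fw-1.25.0.0.bin, t5fw-1.25.0.0.bin, t6fw-1.25.0.0.bin) appear only as "Binary file (source and/or target). No diff available.", so nothing in this mail lets a reader verify what was committed. Record a cryptographic digest of each blob and where it came from in the commit log, all the more since the log says r365861 first landed empty files under these names.
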
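
Review bot: In the "@@ -4874,6 +4876,13 @@" hunk of t4fw_interface.h, the new enum fw_params_param_dev_ktls_hw gives FW_PARAMS_PARAM_DEV_KTLS_HW_DISABLE and FW_PARAMS_PARAM_DEV_KTLS_HW_USER_DISABLE the same value 0x00, and the two ENABLE constants the same value 0x01. Nothing in the hunk says how the plain and USER variants are told apart; a comment stating which parameter field each pair applies to would stop a caller from treating them as distinct settings.
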
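
Review bot: In the "@@ -9664,15 +9690,33 @@" hunk of t4fw_interface.h, S_FW_DIAG_CMD_TYPE and the new S_FW_DIAG_CMD_LEN16 both use shift 0 with mask 0xff, which is only consistent if they address different words of struct fw_diag_cmd (op_type and len16_pkd). Add a comment beside each macro group naming the word it applies to, so the TYPE and LEN16 accessors are not applied to the wrong field.
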
From: Mark Johnston
Date: Tue, 22 Sep 2020 01:35:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r365985 - releng/12.2/sys/cddl/compat/opensolaris/kern

Author: markj
Date: Tue Sep 22 01:35:55 2020
New Revision: 365985
URL: https://svnweb.freebsd.org/changeset/base/365985

Log:
MFS r365979:
Mark sysctls added in r365689 as MPSAFE.

Approved by: re (gjb)

Modified:
releng/12.2/sys/cddl/compat/opensolaris/kern/opensolaris_kstat.c
Directory Properties:
releng/12.2/ (props changed)

Modified: releng/12.2/sys/cddl/compat/opensolaris/kern/opensolaris_kstat.c ============================================================================== --- releng/12.2/sys/cddl/compat/opensolaris/kern/opensolaris_kstat.c Mon Sep 21 22:55:51 2020 (r365984) +++ releng/12.2/sys/cddl/compat/opensolaris/kern/opensolaris_kstat.c Tue Sep 22 01:35:55 2020 (r365985)
@@ -184,16 +184,16 @@ kstat_install(kstat_t *ksp) SYSCTL_ADD_PROC(&ksp->ks_sysctl_ctx, SYSCTL_CHILDREN(ksp->ks_sysctl_root), OID_AUTO, ksent->name, - CTLTYPE_STRING | CTLFLAG_RD, ksp, i, - kstat_sysctl_string, "A", ksent->desc); + CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, + ksp, i, kstat_sysctl_string, "A", ksent->desc); continue; } KASSERT(ksent->data_type == KSTAT_DATA_UINT64, ("data_type=%d", ksent->data_type)); SYSCTL_ADD_PROC(&ksp->ks_sysctl_ctx, SYSCTL_CHILDREN(ksp->ks_sysctl_root), OID_AUTO, ksent->name, - CTLTYPE_U64 | CTLFLAG_RD, ksp, i, - kstat_sysctl, "QU", ksent->desc); + CTLTYPE_U64 | CTLFLAG_RD | CTLFLAG_MPSAFE, + ksp, i, kstat_sysctl, "QU", ksent->desc); } }
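
Review bot: Both SYSCTL_ADD_PROC calls in the "@@ -184,16 +184,16 @@" hunk of opensolaris_kstat.c gain CTLFLAG_MPSAFE, so kstat_sysctl_string and kstat_sysctl are declared safe to run without Giant, but neither the hunk nor the log says what serializes their access to ksp. Add a comment at the registration site, or in the handlers, naming the lock or the invariant that makes these reads safe.
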
From: Kyle Evans
Date: Wed, 23 Sep 2020 17:42:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r366084 - in releng/12.2/secure/caroot: blacklisted trusted

Author: kevans
Date: Wed Sep 23 17:42:19 2020
New Revision: 366084
URL: https://svnweb.freebsd.org/changeset/base/366084

Log:
MFS r365986: caroot: update base store

Count:
- Two (2) removed
- Three (3) added

Approved by: re (gjb)

Added:
releng/12.2/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem
- copied unchanged from r365986, stable/12/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem
releng/12.2/secure/caroot/blacklisted/Taiwan_GRCA.pem
- copied unchanged from r365986, stable/12/secure/caroot/blacklisted/Taiwan_GRCA.pem
releng/12.2/secure/caroot/trusted/Trustwave_Global_Certification_Authority.pem
- copied unchanged from r365986, stable/12/secure/caroot/trusted/Trustwave_Global_Certification_Authority.pem
releng/12.2/secure/caroot/trusted/Trustwave_Global_ECC_P256_Certification_Authority.pem
- copied unchanged from r365986, stable/12/secure/caroot/trusted/Trustwave_Global_ECC_P256_Certification_Authority.pem
releng/12.2/secure/caroot/trusted/Trustwave_Global_ECC_P384_Certification_Authority.pem
- copied unchanged from r365986, stable/12/secure/caroot/trusted/Trustwave_Global_ECC_P384_Certification_Authority.pem
Deleted:
releng/12.2/secure/caroot/trusted/EE_Certification_Centre_Root_CA.pem releng/12.2/secure/caroot/trusted/Taiwan_GRCA.pem Modified: Directory Properties: releng/12.2/ (props changed) Copied: releng/12.2/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem (from r365986, stable/12/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/12.2/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem Wed Sep 23 17:42:19 2020 (r366084, copy of r365986, stable/12/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem) 
@@ -0,0 +1,96 @@ +## +## EE Certification Centre Root CA +## +## This is a single X.509 certificate for a public Certificate +## Authority (CA). It was automatically extracted from Mozilla's +## root CA list (the file `certdata.txt' in security/nss). +## +## Extracted from nss +## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## +## @generated +## +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a + Signature Algorithm: sha1WithRSAEncryption + Issuer: C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki@sk.ee + Validity + Not Before: Oct 30 10:10:30 2010 GMT + Not After : Dec 17 23:59:59 2030 GMT + Subject: C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki@sk.ee + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c8:20:c0:ec:e0:c5:4b:ab:07:78:95:f3:44:ee: + fb:0b:0c:ff:74:8e:61:bb:b1:62:ea:23:d8:ab:a1: + 65:32:7a:eb:8e:17:4f:96:d8:0a:7b:91:a2:63:6c: + c7:8c:4c:2e:79:bf:a9:05:fc:69:5c:95:8d:62:f9: + b9:70:ed:c3:51:7d:d0:93:e6:6c:eb:30:4b:e1:bc: + 7d:bf:52:9b:ce:6e:7b:65:f2:38:b1:c0:a2:32:ef: + 62:b2:68:e0:61:53:c1:36:95:ff:ec:94:ba:36:ae: + 9c:1c:a7:32:0f:e5:7c:b4:c6:6f:74:fd:7b:18:e8: + ac:57:ed:06:20:4b:32:30:58:5b:fd:cd:a8:e6:a1: + fc:70:bc:8e:92:73:db:97:a7:7c:21:ae:3d:c1:f5: + 48:87:6c:27:bd:9f:25:74:81:55:b0:f7:75:f6:3d: + a4:64:6b:d6:4f:e7:ce:40:ad:0f:dd:32:d3:bc:8a: + 12:53:98:c9:89:fb:10:1d:4d:7e:cd:7e:1f:56:0d: + 21:70:85:f6:20:83:1f:f6:ba:1f:04:8f:ea:77:88: + 35:c4:ff:ea:4e:a1:8b:4d:3f:63:1b:44:c3:44:d4: + 25:76:ca:b7:8d:d7:1e:4a:66:64:cd:5c:c5:9c:83: + e1:c2:08:88:9a:ec:4e:a3:f1:3e:1c:2c:d9:6c:1d: + a1:4b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 
12:F2:5A:3E:EA:56:1C:BF:CD:06:AC:F1:F1:25:C9:A9:4B:D4:14:99 + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing + Signature Algorithm: sha1WithRSAEncryption + 7b:f6:e4:c0:0d:aa:19:47:b7:4d:57:a3:fe:ad:bb:b1:6a:d5: + 0f:9e:db:e4:63:c5:8e:a1:50:56:93:96:b8:38:c0:24:22:66: + bc:53:14:61:95:bf:d0:c7:2a:96:39:3f:7d:28:b3:10:40:21: + 6a:c4:af:b0:52:77:18:e1:96:d8:56:5d:e3:dd:36:5e:1d:a7: + 50:54:a0:c5:2a:e4:aa:8c:94:8a:4f:9d:35:ff:76:a4:06:13: + 91:a2:a2:7d:00:44:3f:55:d3:82:3c:1a:d5:5b:bc:56:4c:22: + 2e:46:43:8a:24:40:2d:f3:12:b8:3b:70:1a:a4:96:b9:1a:af: + 87:41:1a:6a:18:0d:06:4f:c7:3e:6e:b9:29:4d:0d:49:89:11: + 87:32:5b:e6:4b:04:c8:e4:5c:e6:74:73:94:5d:16:98:13:95: + fe:fb:db:b1:44:e5:3a:70:ac:37:6b:e6:b3:33:72:28:c9:b3: + 57:a0:f6:02:16:88:06:0b:b6:a6:4b:20:28:d4:de:3d:8b:ad: + 37:05:53:74:fe:6e:cc:bc:43:17:71:5e:f9:c5:cc:1a:a9:61: + ee:f7:76:0c:f3:72:f4:72:ad:cf:72:02:36:07:47:cf:ef:19: + 50:89:60:cc:e9:24:95:0f:c2:cb:1d:f2:6f:76:90:c7:cc:75: + c1:96:c5:9d +SHA1 Fingerprint=C9:A8:B9:E7:55:80:5E:58:E3:53:77:A7:25:EB:AF:C3:7B:27:CC:D7 +-----BEGIN CERTIFICATE----- +MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1 +MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1 +czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG +CSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEy +MTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNl +ZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBS +b290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUy +euuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvO +bntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIw +WFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/d +MtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE 
+1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/ +zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYB +BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF +BQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGV +v9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQG +E5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u +uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIW +iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v +GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0= +-----END CERTIFICATE----- Copied: releng/12.2/secure/caroot/blacklisted/Taiwan_GRCA.pem (from r365986, stable/12/secure/caroot/blacklisted/Taiwan_GRCA.pem) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/12.2/secure/caroot/blacklisted/Taiwan_GRCA.pem Wed Sep 23 17:42:19 2020 (r366084, copy of r365986, stable/12/secure/caroot/blacklisted/Taiwan_GRCA.pem) 
@@ -0,0 +1,133 @@ +## +## Taiwan GRCA +## +## This is a single X.509 certificate for a public Certificate +## Authority (CA). It was automatically extracted from Mozilla's +## root CA list (the file `certdata.txt' in security/nss). +## +## Extracted from nss +## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## +## @generated +## +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C = TW, O = Government Root Certification Authority + Validity + Not Before: Dec 5 13:23:33 2002 GMT + Not After : Dec 5 13:23:33 2032 GMT + Subject: C = TW, O = Government Root Certification Authority + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:9a:25:b8:ec:cc:a2:75:a8:7b:f7:ce:5b:59:8a: + c9:d1:86:12:08:54:ec:9c:f2:e7:46:f6:88:f3:7c: + e9:a5:df:4c:47:36:a4:1b:01:1c:7f:1e:57:8a:8d: + c3:c5:d1:21:e3:da:24:3f:48:2b:fb:9f:2e:a1:94: + e7:2c:1c:93:d1:bf:1b:01:87:53:99:ce:a7:f5:0a: + 21:76:77:ff:a9:b7:c6:73:94:4f:46:f7:10:49:37: + fa:a8:59:49:5d:6a:81:07:56:f2:8a:f9:06:d0:f7: + 70:22:4d:b4:b7:41:b9:32:b8:b1:f0:b1:c3:9c:3f: + 70:fd:53:dd:81:aa:d8:63:78:f6:d8:53:6e:a1:ac: + 6a:84:24:72:54:86:c6:d2:b2:ca:1c:0e:79:81:d6: + b5:70:62:08:01:2e:4e:4f:0e:d5:11:af:a9:af:e5: + 9a:bf:dc:cc:87:6d:26:e4:c9:57:a2:fb:96:f9:cc: + e1:3f:53:8c:6c:4c:7e:9b:53:08:0b:6c:17:fb:67: + c8:c2:ad:b1:cd:80:b4:97:dc:76:01:16:15:e9:6a: + d7:a4:e1:78:47:ce:86:d5:fb:31:f3:fa:31:be:34: + aa:28:fb:70:4c:1d:49:c7:af:2c:9d:6d:66:a6:b6: + 8d:64:7e:b5:20:6a:9d:3b:81:b6:8f:40:00:67:4b: + 89:86:b8:cc:65:fe:15:53:e9:04:c1:d6:5f:1d:44: + d7:0a:2f:27:9a:46:7d:a1:0d:75:ad:54:86:15:dc: + 49:3b:f1:96:ce:0f:9b:a0:ec:a3:7a:5d:be:d5:2a: + 75:42:e5:7b:de:a5:b6:aa:af:28:ac:ac:90:ac:38: + b7:d5:68:35:26:7a:dc:f7:3b:f3:fd:45:9b:d1:bb: + 43:78:6e:6f:f1:42:54:6a:98:f0:0d:ad:97:e9:52: + 5e:e9:d5:6a:72:de:6a:f7:1b:60:14:f4:a5:e4:b6: + 
71:67:aa:1f:ea:e2:4d:c1:42:40:fe:67:46:17:38: + 2f:47:3f:71:9c:ae:e5:21:ca:61:2d:6d:07:a8:84: + 7c:2d:ee:51:25:f1:63:90:9e:fd:e1:57:88:6b:ef: + 8a:23:6d:b1:e6:bd:3f:ad:d1:3d:96:0b:85:8d:cd: + 6b:27:bb:b7:05:9b:ec:bb:91:a9:0a:07:12:02:97: + 4e:20:90:f0:ff:0d:1e:e2:41:3b:d3:40:3a:e7:8d: + 5d:da:66:e4:02:b0:07:52:98:5c:0e:8e:33:9c:c2: + a6:95:fb:55:19:6e:4c:8e:ae:4b:0f:bd:c1:38:4d: + 5e:8f:84:1d:66:cd:c5:60:96:b4:52:5a:05:89:8e: + 95:7a:98:c1:91:3c:95:23:b2:0e:f4:79:b4:c9:7c: + c1:4a:21 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62:8F:AC:25:15:3B + X509v3 Basic Constraints: + CA:TRUE + setCext-hashedRoot: + 0/0-...0...+......0...g*........"...(6....2.1:.Qe + Signature Algorithm: sha1WithRSAEncryption + 40:80:4a:fa:26:c9:ce:5e:30:dd:4f:86:74:76:58:f5:ae:b3: + 83:33:78:a4:7a:74:17:19:4e:e9:52:b5:b9:e0:0a:74:62:aa: + 68:ca:78:a0:4c:9a:8e:2c:23:2e:d5:6a:12:24:bf:d4:68:d3: + 8a:d0:d8:9c:9f:b4:1f:0c:de:38:7e:57:38:fc:8d:e2:4f:5e: + 0c:9f:ab:3b:d2:ff:75:97:cb:a4:e3:67:08:ff:e5:c0:16:b5: + 48:01:7d:e9:f9:0a:ff:1b:e5:6a:69:bf:78:21:a8:c2:a7:23: + a9:86:ab:76:56:e8:0e:0c:f6:13:dd:2a:66:8a:64:49:3d:1a: + 18:87:90:04:9f:42:52:b7:4f:cb:fe:47:41:76:35:ef:ff:00: + 76:36:45:32:9b:c6:46:85:5d:e2:24:b0:1e:e3:48:96:98:57: + 47:94:55:7a:0f:41:b1:44:24:f3:c1:fe:1a:6b:bf:88:fd:c1: + a6:da:93:60:5e:81:4a:99:20:9c:48:66:19:b5:00:79:54:0f: + b8:2c:2f:4b:bc:a9:5d:5b:60:7f:8c:87:a5:e0:52:63:2a:be: + d8:3b:85:40:15:fe:1e:b6:65:3f:c5:4b:da:7e:b5:7a:35:29: + a3:2e:7a:98:60:22:a3:f4:7d:27:4e:2d:ea:b4:74:3c:e9:0f: + a4:33:0f:10:11:bc:13:01:d6:e5:0e:d3:bf:b5:12:a2:e1:45: + 23:c0:cc:08:6e:61:b7:89:ab:83:e3:24:1e:e6:5d:07:e7:1f: + 20:3e:cf:67:c8:e7:ac:30:6d:27:4b:68:6e:4b:2a:5c:02:08: + 34:db:f8:76:e4:67:a3:26:9c:3f:a2:32:c2:4a:c5:81:18:31: + 10:56:aa:84:ef:2d:0a:ff:b8:1f:77:d2:bf:a5:58:a0:62:e4: + d7:4b:91:75:8d:89:80:98:7e:6d:cb:53:4e:5e:af:f6:b2:97: + 85:97:b9:da:55:06:b9:24:ee:d7:c6:38:1e:63:1b:12:3b:95: + 
e1:58:ac:f2:df:84:d5:5f:99:2f:0d:55:5b:e6:38:db:2e:3f: + 72:e9:48:85:cb:bb:29:13:8f:1e:38:55:b9:f3:b2:c4:30:99: + 23:4e:5d:f2:48:a1:12:0c:dc:12:90:09:90:54:91:03:3c:47: + e5:d5:c9:65:e0:b7:4b:7d:ec:47:d3:b3:0b:3e:ad:9e:d0:74: + 00:0e:eb:bd:51:ad:c0:de:2c:c0:c3:6a:fe:ef:dc:0b:a7:fa: + 46:df:60:db:9c:a6:59:50:75:23:69:73:93:b2:f9:fc:02:d3: + 47:e6:71:ce:10:02:ee:27:8c:84:ff:ac:45:0d:13:5c:83:32: + e0:25:a5:86:2c:7c:f4:12 +SHA1 Fingerprint=F4:8B:11:BF:DE:AB:BE:94:54:20:71:E6:41:DE:6B:BE:88:2B:40:B9 +-----BEGIN CERTIFICATE----- +MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFADA/ +MQswCQYDVQQGEwJUVzEwMC4GA1UECgwnR292ZXJubWVudCBSb290IENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5MB4XDTAyMTIwNTEzMjMzM1oXDTMyMTIwNTEzMjMzM1ow +PzELMAkGA1UEBhMCVFcxMDAuBgNVBAoMJ0dvdmVybm1lbnQgUm9vdCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AJoluOzMonWoe/fOW1mKydGGEghU7Jzy50b2iPN86aXfTEc2pBsBHH8eV4qNw8XR +IePaJD9IK/ufLqGU5ywck9G/GwGHU5nOp/UKIXZ3/6m3xnOUT0b3EEk3+qhZSV1q +gQdW8or5BtD3cCJNtLdBuTK4sfCxw5w/cP1T3YGq2GN49thTbqGsaoQkclSGxtKy +yhwOeYHWtXBiCAEuTk8O1RGvqa/lmr/czIdtJuTJV6L7lvnM4T9TjGxMfptTCAts +F/tnyMKtsc2AtJfcdgEWFelq16TheEfOhtX7MfP6Mb40qij7cEwdScevLJ1tZqa2 +jWR+tSBqnTuBto9AAGdLiYa4zGX+FVPpBMHWXx1E1wovJ5pGfaENda1UhhXcSTvx +ls4Pm6Dso3pdvtUqdULle96ltqqvKKyskKw4t9VoNSZ63Pc78/1Fm9G7Q3hub/FC +VGqY8A2tl+lSXunVanLeavcbYBT0peS2cWeqH+riTcFCQP5nRhc4L0c/cZyu5SHK +YS1tB6iEfC3uUSXxY5Ce/eFXiGvviiNtsea9P63RPZYLhY3Naye7twWb7LuRqQoH +EgKXTiCQ8P8NHuJBO9NAOueNXdpm5AKwB1KYXA6OM5zCppX7VRluTI6uSw+9wThN +Xo+EHWbNxWCWtFJaBYmOlXqYwZE8lSOyDvR5tMl8wUohAgMBAAGjajBoMB0GA1Ud +DgQWBBTMzO/MKWCkO7GStjz6MmKPrCUVOzAMBgNVHRMEBTADAQH/MDkGBGcqBwAE +MTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQUA5vwIhP/lSg209yewDL7MTqK +UWUwDQYJKoZIhvcNAQEFBQADggIBAECASvomyc5eMN1PhnR2WPWus4MzeKR6dBcZ +TulStbngCnRiqmjKeKBMmo4sIy7VahIkv9Ro04rQ2JyftB8M3jh+Vzj8jeJPXgyf +qzvS/3WXy6TjZwj/5cAWtUgBfen5Cv8b5Wppv3ghqMKnI6mGq3ZW6A4M9hPdKmaK +ZEk9GhiHkASfQlK3T8v+R0F2Ne//AHY2RTKbxkaFXeIksB7jSJaYV0eUVXoPQbFE 
+JPPB/hprv4j9wabak2BegUqZIJxIZhm1AHlUD7gsL0u8qV1bYH+Mh6XgUmMqvtg7 +hUAV/h62ZT/FS9p+tXo1KaMuephgIqP0fSdOLeq0dDzpD6QzDxARvBMB1uUO07+1 +EqLhRSPAzAhuYbeJq4PjJB7mXQfnHyA+z2fI56wwbSdLaG5LKlwCCDTb+HbkZ6Mm +nD+iMsJKxYEYMRBWqoTvLQr/uB930r+lWKBi5NdLkXWNiYCYfm3LU05er/ayl4WX +udpVBrkk7tfGOB5jGxI7leFYrPLfhNVfmS8NVVvmONsuP3LpSIXLuykTjx44Vbnz +ssQwmSNOXfJIoRIM3BKQCZBUkQM8R+XVyWXgt0t97EfTsws+rZ7QdAAO671RrcDe +LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDMuAl +pYYsfPQS +-----END CERTIFICATE----- Copied: releng/12.2/secure/caroot/trusted/Trustwave_Global_Certification_Authority.pem (from r365986, stable/12/secure/caroot/trusted/Trustwave_Global_Certification_Authority.pem) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/12.2/secure/caroot/trusted/Trustwave_Global_Certification_Authority.pem Wed Sep 23 17:42:19 2020 (r366084, copy of r365986, stable/12/secure/caroot/trusted/Trustwave_Global_Certification_Authority.pem) 
@@ -0,0 +1,135 @@ +## +## Trustwave Global Certification Authority +## +## This is a single X.509 certificate for a public Certificate +## Authority (CA). It was automatically extracted from Mozilla's +## root CA list (the file `certdata.txt' in security/nss). +## +## Extracted from nss +## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## +## @generated +## +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 05:f7:0e:86:da:49:f3:46:35:2e:ba:b2 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global Certification Authority + Validity + Not Before: Aug 23 19:34:12 2017 GMT + Not After : Aug 23 19:34:12 2042 GMT + Subject: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global Certification Authority + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4096 bit) + Modulus: + 00:b9:5d:51:28:4b:3c:37:92:d1:82:ce:bd:1d:bd: + cd:dd:b8:ab:cf:0a:3e:e1:5d:e5:dc:aa:09:b9:57: + 02:3e:e6:63:61:df:f2:0f:82:63:ae:a3:f7:ac:73: + d1:7c:e7:b3:0b:af:08:00:09:59:7f:cd:29:2a:88: + 93:87:17:18:80:ed:88:b2:b4:b6:10:1f:2d:d6:5f: + 55:a2:13:5d:d1:c6:eb:06:56:89:88:fe:ac:32:9d: + fd:5c:c3:05:c7:6e:ee:86:89:ba:88:03:9d:72:21: + 86:90:ae:8f:03:a5:dc:9f:88:28:cb:a3:92:49:0f: + ec:d0:0f:e2:6d:44:4f:80:6a:b2:d4:e7:a0:0a:53: + 01:ba:8e:97:91:76:6e:bc:fc:d5:6b:36:e6:40:88: + d6:7b:2f:5f:05:e8:2c:6d:11:f3:e7:b2:be:92:44: + 4c:d2:97:a4:fe:d2:72:81:43:07:9c:e9:11:3e:f5: + 8b:1a:59:7d:1f:68:58:dd:04:00:2c:96:f3:43:b3: + 7e:98:19:74:d9:9c:73:d9:18:be:41:c7:34:79:d9: + f4:62:c2:43:b9:b3:27:b0:22:cb:f9:3d:52:c7:30: + 47:b3:c9:3e:b8:6a:e2:e7:e8:81:70:5e:42:8b:4f: + 26:a5:fe:3a:c2:20:6e:bb:f8:16:8e:cd:0c:a9:b4: + 1b:6c:76:10:e1:58:79:46:3e:54:ce:80:a8:57:09: + 37:29:1b:99:13:8f:0c:c8:d6:2c:1c:fb:05:e8:08: + 95:3d:65:46:dc:ee:cd:69:e2:4d:8f:87:28:4e:34: + 0b:3e:cf:14:d9:bb:dd:b6:50:9a:ad:77:d4:19:d6: + 
da:1a:88:c8:4e:1b:27:75:d8:b2:08:f1:ae:83:30: + b9:11:0e:cd:87:f0:84:8d:15:72:7c:a1:ef:cc:f2: + 88:61:ba:f4:69:bb:0c:8c:0b:75:57:04:b8:4e:2a: + 14:2e:3d:0f:1c:1e:32:a6:62:36:ee:66:e2:22:b8: + 05:40:63:10:22:f3:33:1d:74:72:8a:2c:f5:39:29: + a0:d3:e7:1b:80:84:2d:c5:3d:e3:4d:b1:fd:1a:6f: + ba:65:07:3b:58:ec:42:45:26:fb:d8:da:25:72:c4: + f6:00:b1:22:79:bd:e3:7c:59:62:4a:9c:05:6f:3d: + ce:e6:d6:47:63:99:c6:24:6f:72:12:c8:ac:7f:90: + b4:0b:91:70:e8:b7:e6:16:10:71:17:ce:de:06:4f: + 48:41:7d:35:4a:a3:89:f2:c9:4b:7b:41:11:6d:67: + b7:08:98:4c:e5:11:19:ae:42:80:dc:fb:90:05:d4: + f8:50:ca:be:e4:ad:c7:c2:94:d7:16:9d:e6:17:8f: + af:36:fb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 99:E0:19:67:0D:62:DB:76:B3:DA:3D:B8:5B:E8:FD:42:D2:31:0E:87 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + 98:73:70:e2:b0:d3:ed:39:ec:4c:60:d9:a9:12:86:17:1e:96: + d0:e8:54:28:3b:64:2d:21:a6:f8:9d:56:13:6a:48:3d:4f:c7: + 3e:29:db:6d:58:83:54:3d:87:7d:23:05:d4:e4:1c:dc:e8:38: + 65:86:c5:75:a7:5a:db:35:05:bd:77:de:bb:29:37:40:05:07: + c3:94:52:9f:ca:64:dd:f1:1b:2b:dc:46:0a:10:02:31:fd:4a: + 68:0d:07:64:90:e6:1e:f5:2a:a1:a8:bb:3c:5d:f9:a3:08:0b: + 11:0c:f1:3f:2d:10:94:6f:fe:e2:34:87:83:d6:cf:e5:1b:35: + 6d:d2:03:e1:b0:0d:a8:a0:aa:46:27:82:36:a7:15:b6:08:a6: + 42:54:57:b6:99:5a:e2:0b:79:90:d7:57:12:51:35:19:88:41: + 68:25:d4:37:17:84:15:fb:01:72:dc:95:de:52:26:20:98:26: + e2:76:f5:27:6f:fa:00:3b:4a:61:d9:0d:cb:51:93:2a:fd:16: + 06:96:a7:23:9a:23:48:fe:51:bd:b6:c4:b0:b1:54:ce:de:6c: + 41:ad:16:67:7e:db:fd:38:cd:b9:38:4e:b2:c1:60:cb:9d:17: + df:58:9e:7a:62:b2:26:8f:74:95:9b:e4:5b:1d:d2:0f:dd:98: + 1c:9b:59:b9:23:d3:31:a0:a6:ff:38:dd:cf:20:4f:e9:58:56: + 3a:67:c3:d1:f6:99:99:9d:ba:36:b6:80:2f:88:47:4f:86:bf: + 44:3a:80:e4:37:1c:a6:ba:ea:97:98:11:d0:84:62:47:64:1e: + aa:ee:40:bf:34:b1:9c:8f:4e:e1:f2:92:4f:1f:8e:f3:9e:97: + 
de:f3:a6:79:6a:89:71:4f:4b:27:17:48:fe:ec:f4:50:0f:4f: + 49:7d:cc:45:e3:bd:7a:40:c5:41:dc:61:56:27:06:69:e5:72: + 41:81:d3:b6:01:89:a0:2f:3a:72:79:fe:3a:30:bf:41:ec:c7: + 62:3e:91:4b:c7:d9:31:76:42:f9:f7:3c:63:ec:26:8c:73:0c: + 7d:1a:1d:ea:a8:7c:87:a8:c2:27:7c:e1:33:41:0f:cf:cf:fc: + 00:a0:22:80:9e:4a:a7:6f:00:b0:41:45:b7:22:ca:68:48:c5: + 42:a2:ae:dd:1d:f2:e0:6e:4e:05:58:b1:c0:90:16:2a:a4:3d: + 10:40:be:8f:62:63:83:a9:9c:82:7d:2d:02:e9:83:30:7c:cb: + 27:c9:fd:1e:66:00:b0:2e:d3:21:2f:8e:33:16:6c:98:ed:10: + a8:07:d6:cc:93:cf:db:d1:69:1c:e4:ca:c9:e0:b6:9c:e9:ce: + 71:71:de:6c:3f:16:a4:79 +SHA1 Fingerprint=2F:8F:36:4F:E1:58:97:44:21:59:87:A5:2A:9A:D0:69:95:26:7F:B5 +-----BEGIN CERTIFICATE----- +MIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGIMQsw +CQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28x +ITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1 +c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMx +OTM0MTJaFw00MjA4MjMxOTM0MTJaMIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwI +SWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBI +b2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1c3R3YXZlIEdsb2JhbCBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +ALldUShLPDeS0YLOvR29zd24q88KPuFd5dyqCblXAj7mY2Hf8g+CY66j96xz0Xzn +swuvCAAJWX/NKSqIk4cXGIDtiLK0thAfLdZfVaITXdHG6wZWiYj+rDKd/VzDBcdu +7oaJuogDnXIhhpCujwOl3J+IKMujkkkP7NAP4m1ET4BqstTnoApTAbqOl5F2brz8 +1Ws25kCI1nsvXwXoLG0R8+eyvpJETNKXpP7ScoFDB5zpET71ixpZfR9oWN0EACyW +80OzfpgZdNmcc9kYvkHHNHnZ9GLCQ7mzJ7Aiy/k9UscwR7PJPrhq4ufogXBeQotP +JqX+OsIgbrv4Fo7NDKm0G2x2EOFYeUY+VM6AqFcJNykbmROPDMjWLBz7BegIlT1l +RtzuzWniTY+HKE40Cz7PFNm73bZQmq131BnW2hqIyE4bJ3XYsgjxroMwuREOzYfw +hI0Vcnyh78zyiGG69Gm7DIwLdVcEuE4qFC49DxweMqZiNu5m4iK4BUBjECLzMx10 +coos9TkpoNPnG4CELcU9402x/RpvumUHO1jsQkUm+9jaJXLE9gCxInm943xZYkqc +BW89zubWR2OZxiRvchLIrH+QtAuRcOi35hYQcRfO3gZPSEF9NUqjifLJS3tBEW1n +twiYTOURGa5CgNz7kAXU+FDKvuStx8KU1xad5hePrzb7AgMBAAGjQjBAMA8GA1Ud 
+EwEB/wQFMAMBAf8wHQYDVR0OBBYEFJngGWcNYtt2s9o9uFvo/ULSMQ6HMA4GA1Ud +DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAmHNw4rDT7TnsTGDZqRKGFx6W +0OhUKDtkLSGm+J1WE2pIPU/HPinbbViDVD2HfSMF1OQc3Og4ZYbFdada2zUFvXfe +uyk3QAUHw5RSn8pk3fEbK9xGChACMf1KaA0HZJDmHvUqoai7PF35owgLEQzxPy0Q +lG/+4jSHg9bP5Rs1bdID4bANqKCqRieCNqcVtgimQlRXtpla4gt5kNdXElE1GYhB +aCXUNxeEFfsBctyV3lImIJgm4nb1J2/6ADtKYdkNy1GTKv0WBpanI5ojSP5RvbbE +sLFUzt5sQa0WZ37b/TjNuThOssFgy50X31ieemKyJo90lZvkWx3SD92YHJtZuSPT +MaCm/zjdzyBP6VhWOmfD0faZmZ26NraAL4hHT4a/RDqA5Dccprrql5gR0IRiR2Qe +qu5AvzSxnI9O4fKSTx+O856X3vOmeWqJcU9LJxdI/uz0UA9PSX3MReO9ekDFQdxh +VicGaeVyQYHTtgGJoC86cnn+OjC/QezHYj6RS8fZMXZC+fc8Y+wmjHMMfRod6qh8 +h6jCJ3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9 +EEC+j2Jjg6mcgn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTK +yeC2nOnOcXHebD8WpHk= +-----END CERTIFICATE----- Copied: releng/12.2/secure/caroot/trusted/Trustwave_Global_ECC_P256_Certification_Authority.pem (from r365986, stable/12/secure/caroot/trusted/Trustwave_Global_ECC_P256_Certification_Authority.pem) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/12.2/secure/caroot/trusted/Trustwave_Global_ECC_P256_Certification_Authority.pem Wed Sep 23 17:42:19 2020 (r366084, copy of r365986, stable/12/secure/caroot/trusted/Trustwave_Global_ECC_P256_Certification_Authority.pem) 
@@ -0,0 +1,62 @@ +## +## Trustwave Global ECC P256 Certification Authority +## +## This is a single X.509 certificate for a public Certificate +## Authority (CA). It was automatically extracted from Mozilla's +## root CA list (the file `certdata.txt' in security/nss). +## +## Extracted from nss +## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## +## @generated +## +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0d:6a:5f:08:3f:28:5c:3e:51:95:df:5d + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P256 Certification Authority + Validity + Not Before: Aug 23 19:35:10 2017 GMT + Not After : Aug 23 19:35:10 2042 GMT + Subject: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P256 Certification Authority + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:7e:fb:6c:e6:23:e3:73:32:08:ca:60:e6:53:9c: + ba:74:8d:18:b0:78:90:52:80:dd:38:c0:4a:1d:d1: + a8:cc:93:a4:97:06:38:ca:0d:15:62:c6:8e:01:2a: + 65:9d:aa:df:34:91:2e:81:c1:e4:33:92:31:c4:fd: + 09:3a:a6:3f:ad + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + A3:41:06:AC:90:6D:D1:4A:EB:75:A5:4A:10:99:B3:B1:A1:8B:4A:F7 + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:07:e6:54:da:0e:a0:5a:b2:ae:11:9f:87:c5:b6: + ff:69:de:25:be:f8:a0:b7:08:f3:44:ce:2a:df:08:21:0c:37: + 02:20:2d:26:03:a0:05:bd:6b:d1:f6:5c:f8:65:cc:86:6d:b3: + 9c:34:48:63:84:09:c5:8d:77:1a:e2:cc:9c:e1:74:7b +SHA1 Fingerprint=B4:90:82:DD:45:0C:BE:8B:5B:B1:66:D3:E2:A4:08:26:CD:ED:42:CF +-----BEGIN CERTIFICATE----- +MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYD +VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf 
+BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3 +YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x +NzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYDVQQGEwJVUzERMA8G +A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0 +d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF +Q0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABH77bOYj43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoN +FWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqmP62jQzBBMA8GA1UdEwEB/wQFMAMBAf8w +DwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt0UrrdaVKEJmzsaGLSvcw +CgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjzRM4q3wgh +DDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7 +-----END CERTIFICATE----- Copied: releng/12.2/secure/caroot/trusted/Trustwave_Global_ECC_P384_Certification_Authority.pem (from r365986, stable/12/secure/caroot/trusted/Trustwave_Global_ECC_P384_Certification_Authority.pem) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/12.2/secure/caroot/trusted/Trustwave_Global_ECC_P384_Certification_Authority.pem Wed Sep 23 17:42:19 2020 (r366084, copy of r365986, stable/12/secure/caroot/trusted/Trustwave_Global_ECC_P384_Certification_Authority.pem) 
@@ -0,0 +1,68 @@ +## +## Trustwave Global ECC P384 Certification Authority +## +## This is a single X.509 certificate for a public Certificate +## Authority (CA). It was automatically extracted from Mozilla's +## root CA list (the file `certdata.txt' in security/nss). +## +## Extracted from nss +## with $FreeBSD: head/secure/caroot/MAca-bundle.pl 352951 2019-10-02 01:27:50Z kevans $ +## +## @generated +## +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:bd:85:97:6c:99:27:a4:80:68:47:3b + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P384 Certification Authority + Validity + Not Before: Aug 23 19:36:43 2017 GMT + Not After : Aug 23 19:36:43 2042 GMT + Subject: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = Trustwave Global ECC P384 Certification Authority + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:6b:da:0d:75:35:08:31:47:05:ae:45:99:55:f1: + 11:13:2e:4a:f8:10:31:23:a3:7e:83:d3:7f:28:08: + 3a:26:1a:3a:cf:97:82:1f:80:b7:27:09:8f:d1:8e: + 30:c4:0a:9b:0e:ac:58:04:ab:f7:36:7d:94:23:a4: + 9b:0a:8a:8b:ab:eb:fd:39:25:66:f1:5e:fe:8c:ae: + 8d:41:79:9d:09:60:ce:28:a9:d3:8a:6d:f3:d6:45: + d4:f2:98:84:38:65:a0 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 55:A9:84:89:D2:C1:32:BD:18:CB:6C:A6:07:4E:C8:E7:9D:BE:82:90 + Signature Algorithm: ecdsa-with-SHA384 + 30:64:02:30:37:01:92:97:45:12:7e:a0:f3:3e:ad:19:3a:72: + dd:f4:50:93:03:12:be:44:d2:4f:41:a4:8c:9c:9d:1f:a3:f6: + c2:92:e7:48:14:fe:4e:9b:a5:91:57:ae:c6:37:72:bb:02:30: + 67:25:0a:b1:0c:5e:ee:a9:63:92:6f:e5:90:0b:fe:66:22:ca: + 47:fd:8a:31:f7:83:fe:7a:bf:10:be:18:2b:1e:8f:f6:29:1e: + 94:59:ef:8e:21:37:cb:51:98:a5:6e:4b +SHA1 
Fingerprint=E7:F3:A3:C8:CF:6F:C3:04:2E:6D:0E:67:32:C5:9E:68:95:0D:5E:D2 +-----BEGIN CERTIFICATE----- +MIICnTCCAiSgAwIBAgIMCL2Fl2yZJ6SAaEc7MAoGCCqGSM49BAMDMIGRMQswCQYD +VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf +BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3 +YXZlIEdsb2JhbCBFQ0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x +NzA4MjMxOTM2NDNaFw00MjA4MjMxOTM2NDNaMIGRMQswCQYDVQQGEwJVUzERMA8G +A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0 +d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF +Q0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTB2MBAGByqGSM49AgEGBSuB +BAAiA2IABGvaDXU1CDFHBa5FmVXxERMuSvgQMSOjfoPTfygIOiYaOs+Xgh+AtycJ +j9GOMMQKmw6sWASr9zZ9lCOkmwqKi6vr/TklZvFe/oyujUF5nQlgziip04pt89ZF +1PKYhDhloKNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G +A1UdDgQWBBRVqYSJ0sEyvRjLbKYHTsjnnb6CkDAKBggqhkjOPQQDAwNnADBkAjA3 +AZKXRRJ+oPM+rRk6ct30UJMDEr5E0k9BpIycnR+j9sKS50gU/k6bpZFXrsY3crsC +MGclCrEMXu6pY5Jv5ZAL/mYiykf9ijH3g/56vxC+GCsej/YpHpRZ744hN8tRmKVu +Sw== +-----END CERTIFICATE----- From owner-svn-src-releng@freebsd.org Wed Sep 23 23:56:50 2020 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id BEE6E3E2C8A; Wed, 23 Sep 2020 23:56:50 +0000 (UTC) (envelope-from erj@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BxZpV4fPYz4Y4Y; Wed, 23 Sep 2020 23:56:50 +0000 (UTC) (envelope-from erj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) 
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 82C611908D; Wed, 23 Sep 2020 23:56:50 +0000 (UTC) (envelope-from erj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 08NNuoOA017154; Wed, 23 Sep 2020 23:56:50 GMT (envelope-from erj@FreeBSD.org) Received: (from erj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 08NNuoaO017152; Wed, 23 Sep 2020 23:56:50 GMT (envelope-from erj@FreeBSD.org) Message-Id: <202009232356.08NNuoaO017152@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: erj set sender to erj@FreeBSD.org using -f 
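Review bot: The generated header of each new .pem shown in the r366084 patch reads "## Extracted from nss" with no release after it, so none of these files records which NSS certdata.txt it was taken from. Have MAca-bundle.pl write the NSS version into that line, so a later audit can reproduce why EE Certification Centre Root CA and Taiwan GRCA were copied into blacklisted/ and why the three Trustwave roots were added under trusted/. The header also carries only a "SHA1 Fingerprint=" line; emitting a SHA-256 fingerprint as well would make it easier to compare each root against the upstream list.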
From: Eric Joyner Date: Wed, 23 Sep 2020 23:56:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366097 - releng/12.2/sys/dev/e1000 X-SVN-Group: releng X-SVN-Commit-Author: erj X-SVN-Commit-Paths: releng/12.2/sys/dev/e1000 X-SVN-Commit-Revision: 366097 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Sep 2020 23:56:50 -0000 Author: erj Date: Wed Sep 23 23:56:49 2020 New Revision: 366097 URL: https://svnweb.freebsd.org/changeset/base/366097 Log: MFS r365983 Contains fixes for issues in em(4)/igb(4): - Fix define and includes with RSS option enabled - Properly retain promisc flag in init PR: 249191, 248869 Approved by: re (gjb@) Modified: releng/12.2/sys/dev/e1000/if_em.c releng/12.2/sys/dev/e1000/if_em.h Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sys/dev/e1000/if_em.c ============================================================================== --- releng/12.2/sys/dev/e1000/if_em.c Wed Sep 23 22:49:27 2020 (r366096) +++ releng/12.2/sys/dev/e1000/if_em.c Wed Sep 23 23:56:49 2020 (r366097) @@ -1338,7 +1338,7 @@ em_if_init(if_ctx_t ctx) } /* Don't lose promiscuous settings */ - em_if_set_promisc(ctx, IFF_PROMISC); + em_if_set_promisc(ctx, if_getflags(ifp)); e1000_clear_hw_cntrs_base_generic(&adapter->hw); /* MSI-X configuration for 82574 */ Modified: releng/12.2/sys/dev/e1000/if_em.h ============================================================================== --- releng/12.2/sys/dev/e1000/if_em.h Wed Sep 23 22:49:27 2020 (r366096) +++ releng/12.2/sys/dev/e1000/if_em.h Wed Sep 23 23:56:49 2020 (r366097) 
@@ -30,6 +30,7 @@ #include "opt_ddb.h" #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_rss.h" #ifdef HAVE_KERNEL_OPTION_HEADERS #include "opt_device_polling.h" @@ -69,6 +70,10 @@ #include #include #include +#ifdef RSS +#include +#include +#endif #include #include From owner-svn-src-releng@freebsd.org Thu Sep 24 14:59:11 2020 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1240E3F9A1E; Thu, 24 Sep 2020 14:59:11 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Bxyqf6PPpz4X9f; Thu, 24 Sep 2020 14:59:10 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BB042231E9; Thu, 24 Sep 2020 14:59:10 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 08OExAeU075881; Thu, 24 Sep 2020 14:59:10 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 08OExAaL075880; Thu, 24 Sep 2020 14:59:10 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202009241459.08OExAaL075880@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f 
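Review bot: In the em_if_init() hunk of if_em.c (r366097), the comment "Don't lose promiscuous settings" no longer says enough now that the call passes if_getflags(ifp) instead of the constant IFF_PROMISC. Reword it to state that the interface's current flags are re-applied on init, so a reader can see the call follows the interface flags rather than a fixed value. The log lists PR 249191 and 248869 without saying which one this line addresses; naming it would help anyone auditing unexpected promiscuous-mode state on em(4)/igb(4).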
From: Rick Macklem Date: Thu, 24 Sep 2020 14:59:10 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366116 - releng/12.2/sys/fs/nfsserver X-SVN-Group: releng X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: releng/12.2/sys/fs/nfsserver X-SVN-Commit-Revision: 366116 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Sep 2020 14:59:11 -0000 Author: rmacklem Date: Thu Sep 24 14:59:10 2020 New Revision: 366116 URL: https://svnweb.freebsd.org/changeset/base/366116 Log: MFS: r365703 Fix a case where the NFSv4.0 server might crash if delegations are enabled. asomers@ reported a crash on an NFSv4.0 server with a backtrace of: kdb_backtrace vpanic panic nfsrv_docallback nfsrv_checkgetattr nfsrvd_getattr nfsrvd_dorpc nfssvc_program svc_run_internal svc_thread_start fork_exit fork_trampoline where the panic message was "docallb", which indicates that a callback was attempted when the ClientID is unconfirmed. This would not normally occur, but it is possible to have an unconfirmed ClientID structure with delegation structure(s) chained off it if the client were to issue a SetClientID with the same "id" but different "verifier" after acquiring delegations on the previously confirmed ClientID. The bug appears to be that nfsrv_checkgetattr() failed to check for this uncommon case of an unconfirmed ClientID with a delegation structure that no longer refers to a delegation the client knows about. This patch adds a check for this case, handling it as if no delegation exists, which is the case when the above occurs. 
Although difficult to reproduce, this change should avoid the panic(). PR: 249127 Approved by: re (gjb) Modified: releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c ============================================================================== --- releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c Thu Sep 24 14:42:22 2020 (r366115) +++ releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c Thu Sep 24 14:59:10 2020 (r366116) 
@@ -5692,8 +5692,14 @@ nfsrv_checkgetattr(struct nfsrv_descript *nd, vnode_t goto out; } clp = stp->ls_clp; - delegfilerev = stp->ls_filerev; + /* If the clientid is not confirmed, ignore the delegation. */ + if (clp->lc_flags & LCL_NEEDSCONFIRM) { + NFSUNLOCKSTATE(); + goto out; + } + + delegfilerev = stp->ls_filerev; /* * If the Write delegation was issued as a part of this Compound RPC * or if we have an Implied Clientid (used in a previous Op in this
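Review bot: the early exit added to nfsrv_checkgetattr() needs a fuller comment and a check of the value returned at `out`. `/* If the clientid is not confirmed, ignore the delegation. */` says what the test does but not why an unconfirmed clientid can still own delegation state here, or what failed when it was used (the log mentions a panic() and PR 249127). Recording that next to `if (clp->lc_flags & LCL_NEEDSCONFIRM)` would keep the check from being dropped in a later cleanup. The hunk also does not show what `error` holds when this path reaches `out`; confirm it is 0, so that "ignore" really means the Getattr proceeds as if no delegation existed.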
From: Rick Macklem Date: Thu, 24 Sep 2020 16:21:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366120 - releng/12.2/sys/fs/nfsserver Author: rmacklem Date: Thu Sep 24 16:21:30 2020 New Revision: 366120 URL: https://svnweb.freebsd.org/changeset/base/366120 Log: MFS: r366050, r366117 Fix a LOR between the NFS server and server side krpc. Recent testing of the NFS-over-TLS code found a LOR between the mutex lock used for sessions and the sleep lock used for server side krpc socket structures. The code in nfsrv_checksequence() and nfsrv_bindconnsess() would call SVC_RELEASE() with mutex(es) held. Normally this is ok, since all that happens is SVC_RELEASE() decrements the reference count. However, if the socket has just been shut down, SVC_RELEASE() drops the reference count to 0 and acquires a sleep lock during destruction of the server side krpc structure. This patch fixes the problem by moving the SVC_RELEASE() call in nfsrv_checksequence() and nfsrv_bindconnsess() down a few lines to below where the mutex(es) are released. 
Approved by: re (gjb) Modified: releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c ============================================================================== --- releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c Thu Sep 24 16:11:53 2020 (r366119) +++ releng/12.2/sys/fs/nfsserver/nfs_nfsdstate.c Thu Sep 24 16:21:30 2020 (r366120) @@ -6214,6 +6214,7 @@ nfsrv_checksequence(struct nfsrv_descript *nd, uint32_ * bound as well, do the implicit binding unless a * BindConnectiontoSession has already been done on the session. */ + savxprt = NULL; if (sep->sess_clp->lc_req.nr_client != NULL && sep->sess_cbsess.nfsess_xprt != nd->nd_xprt && (sep->sess_crflags & NFSV4CRSESS_CONNBACKCHAN) != 0 && @@ -6226,14 +6227,14 @@ nfsrv_checksequence(struct nfsrv_descript *nd, uint32_ sep->sess_clp->lc_req.nr_client->cl_private; nd->nd_xprt->xp_idletimeout = 0; /* Disable timeout. */ sep->sess_cbsess.nfsess_xprt = nd->nd_xprt; - if (savxprt != NULL) - SVC_RELEASE(savxprt); } *sflagsp = 0; if (sep->sess_clp->lc_req.nr_client == NULL) *sflagsp |= NFSV4SEQ_CBPATHDOWN; NFSUNLOCKSESSION(shp); + if (savxprt != NULL) + SVC_RELEASE(savxprt); if (error == NFSERR_EXPIRED) { *sflagsp |= NFSV4SEQ_EXPIREDALLSTATEREVOKED; error = 0; @@ -6404,6 +6405,7 @@ nfsrv_bindconnsess(struct nfsrv_descript *nd, uint8_t int error; error = 0; + savxprt = NULL; shp = NFSSESSIONHASH(sessionid); NFSLOCKSTATE(); NFSLOCKSESSION(shp); @@ -6431,8 +6433,6 @@ nfsrv_bindconnsess(struct nfsrv_descript *nd, uint8_t /* Disable idle timeout. */ nd->nd_xprt->xp_idletimeout = 0; sep->sess_cbsess.nfsess_xprt = nd->nd_xprt; - if (savxprt != NULL) - SVC_RELEASE(savxprt); sep->sess_crflags |= NFSV4CRSESS_CONNBACKCHAN; clp->lc_flags |= LCL_DONEBINDCONN; if (*foreaftp == NFSCDFS4_BACK) 
@@ -6459,6 +6459,8 @@ nfsrv_bindconnsess(struct nfsrv_descript *nd, uint8_t error = NFSERR_BADSESSION; NFSUNLOCKSESSION(shp); NFSUNLOCKSTATE(); + if (savxprt != NULL) + SVC_RELEASE(savxprt); return (error); }
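Review bot: in nfsrv_checksequence(), the relocated `SVC_RELEASE(savxprt)` after `NFSUNLOCKSESSION(shp)` carries an ordering constraint that nothing in the code states. Per the log, SVC_RELEASE() can drop the last reference and acquire a sleep lock, so it must not run with the session mutex held; a one-line comment above `if (savxprt != NULL)` saying so would stop the call from being moved back inside the locked region. The added `savxprt = NULL;` is now required for correctness, because the release is reached even when the implicit-binding branch is skipped, and the comment should mention that too.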
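Review bot: in nfsrv_bindconnsess(), the release now sits on the exit path after `NFSUNLOCKSESSION(shp); NFSUNLOCKSTATE();`, so verify that no other return between the new `savxprt = NULL;` and that point can skip it. The hunks show only the final `return (error);`; any earlier return taken after `savxprt` has been assigned would leak the saved transport reference. A short comment above the call stating that SVC_RELEASE() may sleep and has to run after both unlocks would document why it lives here.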
From: Kyle Evans Date: Thu, 24 Sep 2020 18:36:32 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366125 - in releng/12.2: . usr.sbin/bsdinstall/scripts Author: kevans Date: Thu Sep 24 18:36:31 2020 New Revision: 366125 URL: https://svnweb.freebsd.org/changeset/base/366125 Log: MFS r365987: certctl rehash upon install/distribute r365829: installworld: run `certctl rehash` after installation completes This was originally introduced back in r360833, and subsequently reverted because it was broken for -DNO_ROOT builds and it may not have been the correct place for it. While debatably this may still not be 'the correct place,' it's much cleaner than scattering rehashes all throughout the tree. brooks has fixed the issue with -DNO_ROOT by properly writing to the METALOG in r361397. Do note that this is different than what was originally committed; brooks had revisions in D24932 that made it actually use the revised unprivileged mode and write to METALOG, along with being a little more friendly to foreign crossbuilds and just using the certctl in-tree. With this change, I believe we should now have a populated /etc/ssl/certs in the VM images. r365837: Promote the installworld `certctl rehash` to distributeworld Contrary to my belief, installworld is not sufficient for getting certs installed into VM images. 
Promote the rehash to both installworld and distributeworld (notably: not stageworld) and rehash the base distdir so we end up with /etc/ssl/certs populated in the base dist archive. A future commit will remove the rehash from bsdinstall, which doesn't really need to happen if they're installed into base.txz. While here, fix a minor typo: s/CERTCLTFLAGS/CERTCTLFLAGS/ r365852: Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...] As of r365829, any given base distribution set will now include the /etc/ssl symlinks that this rehash would've otherwise installed. This extra step is no longer required. Approved by: re (gjb) Modified: releng/12.2/Makefile.inc1 releng/12.2/usr.sbin/bsdinstall/scripts/config Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/Makefile.inc1 ============================================================================== --- releng/12.2/Makefile.inc1 Thu Sep 24 18:22:46 2020 (r366124) +++ releng/12.2/Makefile.inc1 Thu Sep 24 18:36:31 2020 (r366125) @@ -849,7 +849,9 @@ INSTALL_DDIR= ${_INSTALL_DDIR:S://:/:g:C:/$::} METALOG?= ${DESTDIR}/${DISTDIR}/METALOG METALOG:= ${METALOG:C,//+,/,g} IMAKE+= -DNO_ROOT METALOG=${METALOG} -INSTALLFLAGS+= -U -M ${METALOG} -D ${INSTALL_DDIR} +METALOG_INSTALLFLAGS= -U -M ${METALOG} -D ${INSTALL_DDIR} +INSTALLFLAGS+= ${METALOG_INSTALLFLAGS} +CERTCTLFLAGS= ${METALOG_INSTALLFLAGS} MTREEFLAGS+= -W .endif .if defined(BUILD_PKGS) @@ -859,6 +861,11 @@ INSTALLFLAGS+= -h sha256 IMAKE_INSTALL= INSTALL="install ${INSTALLFLAGS}" IMAKE_MTREE= MTREE_CMD="mtree ${MTREEFLAGS}" .endif +.if make(distributeworld) +CERTCTLDESTDIR= ${DESTDIR}/${DISTDIR}/base +.else +CERTCTLDESTDIR= ${DESTDIR} +.endif DESTDIR_MTREEFLAGS= -deU # When creating worldtmp we don't need to set the directories as owned by root 
@@ -1419,6 +1426,14 @@ distributeworld installworld stageworld: _installcheck ${DESTDIR}/${DISTDIR}/${dist}.debug.meta .endfor .endif +.endif # make(distributeworld) +.if !make(packageworld) && ${MK_CAROOT} != "no" + @if which openssl>/dev/null; then \ + DESTDIR=${CERTCTLDESTDIR} \ + sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCTLFLAGS} rehash \ + else \ + echo "No openssl on the host, not rehashing certificates target -- /etc/ssl may not be populated."; \ + fi .endif packageworld: .PHONY Modified: releng/12.2/usr.sbin/bsdinstall/scripts/config ============================================================================== --- releng/12.2/usr.sbin/bsdinstall/scripts/config Thu Sep 24 18:22:46 2020 (r366124) +++ releng/12.2/usr.sbin/bsdinstall/scripts/config Thu Sep 24 18:36:31 2020 (r366125) 
@@ -55,9 +55,6 @@ cp $BSDINSTALL_TMPBOOT/* $BSDINSTALL_CHROOT/boot # Set up other things from installed config chroot $BSDINSTALL_CHROOT /usr/bin/newaliases > /dev/null 2>&1 -if [ -x $BSDINSTALL_CHROOT/usr/sbin/certctl ]; then - chroot $BSDINSTALL_CHROOT /usr/sbin/certctl rehash -fi exit 0
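Review bot: in the Makefile.inc1 hunk at `@@ -1419,6 +1426,14 @@`, the `then` branch of the added rehash recipe is not terminated before `else`. The line `sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCTLFLAGS} rehash \` is followed directly by `else \`, and since the backslashes join the recipe into one shell command, `else`, `echo` and the warning text are passed to certctl.sh as extra arguments and the "No openssl on the host" branch never exists. It needs `rehash; \`. While there, `which openssl>/dev/null` leaves stderr unredirected, so a host without openssl may print a second, less helpful message.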
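Review bot: removing the `certctl rehash` from usr.sbin/bsdinstall/scripts/config leaves no fallback when the dist set was built without the rehash. The Makefile.inc1 change in this same commit skips the rehash when the build host has no openssl and only prints "/etc/ssl may not be populated", and after this hunk the installer no longer repairs that case, so the installed system can end up with an empty trust store and nothing reports it at install time. Consider keeping the call when /etc/ssl/certs under `$BSDINSTALL_CHROOT` is empty, or making the build-side case an error rather than a message.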
From: Glen Barber Date: Fri, 25 Sep 2020 00:36:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366133 - releng/12.2/sys/conf Author: gjb Date: Fri Sep 25 00:36:59 2020 New Revision: 366133 URL: https://svnweb.freebsd.org/changeset/base/366133 Log: Update releng/12.2 to BETA3 as part of the 12.2-RELEASE cycle. Approved by: re (implicit) Sponsored by: Rubicon Communications, LLC (netgate.com) Modified: releng/12.2/sys/conf/newvers.sh Modified: releng/12.2/sys/conf/newvers.sh ============================================================================== --- releng/12.2/sys/conf/newvers.sh Thu Sep 24 21:42:44 2020 (r366132) +++ releng/12.2/sys/conf/newvers.sh Fri Sep 25 00:36:59 2020 (r366133) 
@@ -49,7 +49,7 @@ TYPE="FreeBSD" REVISION="12.2" -BRANCH="BETA2" +BRANCH="BETA3" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi
From: Mark Johnston Date: Fri, 25 Sep 2020 16:34:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366160 - releng/12.2/sys/fs/udf Author: markj Date: Fri Sep 25 16:34:42 2020 New Revision: 366160 URL: https://svnweb.freebsd.org/changeset/base/366160 Log: MFS r366154: MFC r366005: udf: Validate the full file entry length PR: 248613 Approved by: re (gjb) Modified: releng/12.2/sys/fs/udf/udf_vfsops.c Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sys/fs/udf/udf_vfsops.c ============================================================================== --- releng/12.2/sys/fs/udf/udf_vfsops.c Fri Sep 25 16:02:13 2020 (r366159) +++ releng/12.2/sys/fs/udf/udf_vfsops.c Fri Sep 25 16:34:42 2020 (r366160) @@ -590,6 +590,7 @@ udf_vget(struct mount *mp, ino_t ino, int flags, struc struct vnode *vp; struct udf_node *unode; struct file_entry *fe; + uint32_t lea, lad; int error, sector, size; error = vfs_hash_get(mp, ino, flags, curthread, vpp, NULL, NULL); 
@@ -645,31 +646,37 @@ udf_vget(struct mount *mp, ino_t ino, int flags, struc devvp = udfmp->im_devvp; if ((error = RDSECTOR(devvp, sector, udfmp->bsize, &bp)) != 0) { printf("Cannot read sector %d\n", sector); - vgone(vp); - vput(vp); - brelse(bp); - *vpp = NULL; - return (error); + goto error; } + /* + * File entry length validation. + */ fe = (struct file_entry *)bp->b_data; if (udf_checktag(&fe->tag, TAGID_FENTRY)) { printf("Invalid file entry!\n"); - vgone(vp); - vput(vp); - brelse(bp); - *vpp = NULL; - return (ENOMEM); + error = ENOMEM; + goto error; } - size = UDF_FENTRY_SIZE + le32toh(fe->l_ea) + le32toh(fe->l_ad); + lea = le32toh(fe->l_ea); + lad = le32toh(fe->l_ad); + if (lea > udfmp->bsize || lad > udfmp->bsize) { + printf("Invalid EA and AD lengths %u, %u\n", lea, lad); + error = EIO; + goto error; + } + size = UDF_FENTRY_SIZE + lea + lad; + if (size > udfmp->bsize) { + printf("Invalid file entry size %u\n", size); + error = EIO; + goto error; + } + unode->fentry = malloc(size, M_UDFFENTRY, M_NOWAIT | M_ZERO); if (unode->fentry == NULL) { printf("Cannot allocate file entry block\n"); - vgone(vp); - vput(vp); - brelse(bp); - *vpp = NULL; - return (ENOMEM); + error = ENOMEM; + goto error; } bcopy(bp->b_data, unode->fentry, size); 
@@ -714,6 +721,13 @@ udf_vget(struct mount *mp, ino_t ino, int flags, struc *vpp = vp; return (0); + +error: + vgone(vp); + vput(vp); + brelse(bp); + *vpp = NULL; + return (error); } static int
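Review bot: in the length validation added to udf_vget() (hunk `@@ -645,31 +646,37 @@`), `size` remains an `int` (see `int error, sector, size;` in the first hunk) although it is now computed from the `uint32_t` values `lea` and `lad`, compared with `udfmp->bsize` and printed with `%u`. Declare it with the same unsigned type as `lea` and `lad` so the comparison and the format agree; the `size > udfmp->bsize` test is what keeps `bcopy(bp->b_data, unode->fentry, size)` inside the sector buffer, so its signedness should not be left to implicit conversion. The invalid-tag path still sets `error = ENOMEM` although no allocation failed; `EIO`, as the two new checks use, describes it better. The comment `File entry length validation.` also sits above the tag check rather than above the `lea`/`lad` checks it describes.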
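Review bot: the shared cleanup label added at the end of udf_vget() (hunk `@@ -714,6 +721,13 @@`) is named `error:`, the same identifier as the `int error` variable it returns. Labels have their own namespace in C, so this compiles, but `error = EIO; goto error;` reads ambiguously; a distinct label name (for example `fail:`) would make the exit path easier to follow.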
From: Jung-uk Kim Date: Fri, 25 Sep 2020 22:43:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366177 - in releng/12.2: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/aes crypto/openssl/crypto/asn1 crypto/openssl/crypto/bio crypto/openssl/crypto/b... Author: jkim Date: Fri Sep 25 22:43:14 2020 New Revision: 366177 URL: https://svnweb.freebsd.org/changeset/base/366177 Log: MFS: r366176 Merge OpenSSL 1.1.1h. 
Approved by: re (gjb) Deleted: releng/12.2/crypto/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl Modified: releng/12.2/crypto/openssl/CHANGES releng/12.2/crypto/openssl/Configure releng/12.2/crypto/openssl/NEWS releng/12.2/crypto/openssl/NOTES.PERL releng/12.2/crypto/openssl/README releng/12.2/crypto/openssl/apps/genpkey.c releng/12.2/crypto/openssl/apps/rsa8192.pem releng/12.2/crypto/openssl/apps/s_client.c releng/12.2/crypto/openssl/apps/x509.c releng/12.2/crypto/openssl/appveyor.yml releng/12.2/crypto/openssl/crypto/aes/aes_core.c releng/12.2/crypto/openssl/crypto/aes/aes_ige.c releng/12.2/crypto/openssl/crypto/asn1/d2i_pr.c releng/12.2/crypto/openssl/crypto/asn1/x_algor.c releng/12.2/crypto/openssl/crypto/bio/b_print.c releng/12.2/crypto/openssl/crypto/bio/bss_acpt.c releng/12.2/crypto/openssl/crypto/bio/bss_conn.c releng/12.2/crypto/openssl/crypto/bn/bn_gcd.c releng/12.2/crypto/openssl/crypto/bn/bn_lib.c releng/12.2/crypto/openssl/crypto/bn/bn_mpi.c releng/12.2/crypto/openssl/crypto/cmac/cmac.c releng/12.2/crypto/openssl/crypto/cms/cms_lib.c releng/12.2/crypto/openssl/crypto/cms/cms_sd.c releng/12.2/crypto/openssl/crypto/conf/conf_def.c releng/12.2/crypto/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl releng/12.2/crypto/openssl/crypto/ec/ec_ameth.c releng/12.2/crypto/openssl/crypto/ec/ec_asn1.c releng/12.2/crypto/openssl/crypto/ec/ec_err.c releng/12.2/crypto/openssl/crypto/ec/ec_key.c releng/12.2/crypto/openssl/crypto/ec/ec_lib.c releng/12.2/crypto/openssl/crypto/ec/ec_local.h releng/12.2/crypto/openssl/crypto/ec/ecp_nistp224.c releng/12.2/crypto/openssl/crypto/ec/ecp_nistp521.c releng/12.2/crypto/openssl/crypto/ec/ecp_nistz256.c releng/12.2/crypto/openssl/crypto/engine/eng_lib.c releng/12.2/crypto/openssl/crypto/err/openssl.txt releng/12.2/crypto/openssl/crypto/evp/e_aes.c releng/12.2/crypto/openssl/crypto/evp/encode.c releng/12.2/crypto/openssl/crypto/mem_sec.c releng/12.2/crypto/openssl/crypto/modes/cbc128.c releng/12.2/crypto/openssl/crypto/modes/ccm128.c 
releng/12.2/crypto/openssl/crypto/modes/cfb128.c releng/12.2/crypto/openssl/crypto/modes/ctr128.c releng/12.2/crypto/openssl/crypto/modes/gcm128.c releng/12.2/crypto/openssl/crypto/modes/modes_local.h releng/12.2/crypto/openssl/crypto/modes/ofb128.c releng/12.2/crypto/openssl/crypto/modes/xts128.c releng/12.2/crypto/openssl/crypto/o_str.c releng/12.2/crypto/openssl/crypto/o_time.c releng/12.2/crypto/openssl/crypto/pem/pem_err.c releng/12.2/crypto/openssl/crypto/pem/pem_lib.c releng/12.2/crypto/openssl/crypto/pem/pem_pkey.c releng/12.2/crypto/openssl/crypto/pem/pvkfmt.c releng/12.2/crypto/openssl/crypto/rand/drbg_ctr.c releng/12.2/crypto/openssl/crypto/rand/drbg_lib.c releng/12.2/crypto/openssl/crypto/rand/rand_lib.c releng/12.2/crypto/openssl/crypto/rand/rand_local.h releng/12.2/crypto/openssl/crypto/rand/rand_unix.c releng/12.2/crypto/openssl/crypto/rand/randfile.c releng/12.2/crypto/openssl/crypto/rsa/rsa_ameth.c releng/12.2/crypto/openssl/crypto/store/loader_file.c releng/12.2/crypto/openssl/crypto/store/store_lib.c releng/12.2/crypto/openssl/crypto/ts/ts_rsp_sign.c releng/12.2/crypto/openssl/crypto/ui/ui_openssl.c releng/12.2/crypto/openssl/crypto/whrlpool/wp_block.c releng/12.2/crypto/openssl/crypto/x509/x509_err.c releng/12.2/crypto/openssl/crypto/x509/x509_local.h releng/12.2/crypto/openssl/crypto/x509/x509_req.c releng/12.2/crypto/openssl/crypto/x509/x509_txt.c releng/12.2/crypto/openssl/crypto/x509/x509_vfy.c releng/12.2/crypto/openssl/crypto/x509/x_pubkey.c releng/12.2/crypto/openssl/crypto/x509v3/pcy_data.c releng/12.2/crypto/openssl/crypto/x509v3/v3_alt.c releng/12.2/crypto/openssl/crypto/x509v3/v3_purp.c releng/12.2/crypto/openssl/doc/man1/CA.pl.pod releng/12.2/crypto/openssl/doc/man1/ca.pod releng/12.2/crypto/openssl/doc/man1/dgst.pod releng/12.2/crypto/openssl/doc/man1/enc.pod releng/12.2/crypto/openssl/doc/man1/ocsp.pod releng/12.2/crypto/openssl/doc/man1/pkcs12.pod releng/12.2/crypto/openssl/doc/man1/pkcs8.pod 
releng/12.2/crypto/openssl/doc/man1/pkeyutl.pod releng/12.2/crypto/openssl/doc/man1/s_client.pod releng/12.2/crypto/openssl/doc/man1/s_server.pod releng/12.2/crypto/openssl/doc/man1/s_time.pod releng/12.2/crypto/openssl/doc/man1/sess_id.pod releng/12.2/crypto/openssl/doc/man1/ts.pod releng/12.2/crypto/openssl/doc/man1/tsget.pod releng/12.2/crypto/openssl/doc/man1/verify.pod releng/12.2/crypto/openssl/doc/man1/x509.pod releng/12.2/crypto/openssl/doc/man3/ASN1_INTEGER_get_int64.pod releng/12.2/crypto/openssl/doc/man3/ASN1_STRING_length.pod releng/12.2/crypto/openssl/doc/man3/ASN1_TIME_set.pod releng/12.2/crypto/openssl/doc/man3/ASN1_TYPE_get.pod releng/12.2/crypto/openssl/doc/man3/ASYNC_WAIT_CTX_new.pod releng/12.2/crypto/openssl/doc/man3/ASYNC_start_job.pod releng/12.2/crypto/openssl/doc/man3/BF_encrypt.pod releng/12.2/crypto/openssl/doc/man3/BIO_ADDR.pod releng/12.2/crypto/openssl/doc/man3/BIO_ADDRINFO.pod releng/12.2/crypto/openssl/doc/man3/BIO_connect.pod releng/12.2/crypto/openssl/doc/man3/BIO_ctrl.pod releng/12.2/crypto/openssl/doc/man3/BIO_get_data.pod releng/12.2/crypto/openssl/doc/man3/BIO_parse_hostserv.pod releng/12.2/crypto/openssl/doc/man3/BIO_read.pod releng/12.2/crypto/openssl/doc/man3/BIO_s_accept.pod releng/12.2/crypto/openssl/doc/man3/BIO_s_bio.pod releng/12.2/crypto/openssl/doc/man3/BIO_s_connect.pod releng/12.2/crypto/openssl/doc/man3/BIO_s_file.pod releng/12.2/crypto/openssl/doc/man3/BIO_set_callback.pod releng/12.2/crypto/openssl/doc/man3/BN_add.pod releng/12.2/crypto/openssl/doc/man3/BN_bn2bin.pod releng/12.2/crypto/openssl/doc/man3/BN_generate_prime.pod releng/12.2/crypto/openssl/doc/man3/BN_mod_mul_montgomery.pod releng/12.2/crypto/openssl/doc/man3/BN_set_bit.pod releng/12.2/crypto/openssl/doc/man3/CMS_verify.pod releng/12.2/crypto/openssl/doc/man3/CRYPTO_THREAD_run_once.pod releng/12.2/crypto/openssl/doc/man3/CRYPTO_memcmp.pod releng/12.2/crypto/openssl/doc/man3/DES_random_key.pod releng/12.2/crypto/openssl/doc/man3/DH_get0_pqg.pod 
releng/12.2/crypto/openssl/doc/man3/DH_set_method.pod releng/12.2/crypto/openssl/doc/man3/DSA_set_method.pod releng/12.2/crypto/openssl/doc/man3/DTLSv1_listen.pod releng/12.2/crypto/openssl/doc/man3/ECDSA_SIG_new.pod releng/12.2/crypto/openssl/doc/man3/EC_GROUP_new.pod releng/12.2/crypto/openssl/doc/man3/EC_KEY_new.pod releng/12.2/crypto/openssl/doc/man3/EC_POINT_new.pod releng/12.2/crypto/openssl/doc/man3/ENGINE_add.pod releng/12.2/crypto/openssl/doc/man3/ERR_get_error.pod releng/12.2/crypto/openssl/doc/man3/ERR_print_errors.pod releng/12.2/crypto/openssl/doc/man3/ERR_put_error.pod releng/12.2/crypto/openssl/doc/man3/EVP_DigestInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_DigestSignInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_DigestVerifyInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_EncodeInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_EncryptInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_OpenInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_PKEY_CTX_ctrl.pod releng/12.2/crypto/openssl/doc/man3/EVP_PKEY_CTX_new.pod releng/12.2/crypto/openssl/doc/man3/EVP_PKEY_keygen.pod releng/12.2/crypto/openssl/doc/man3/EVP_PKEY_new.pod releng/12.2/crypto/openssl/doc/man3/EVP_SealInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_SignInit.pod releng/12.2/crypto/openssl/doc/man3/EVP_VerifyInit.pod releng/12.2/crypto/openssl/doc/man3/HMAC.pod releng/12.2/crypto/openssl/doc/man3/OCSP_cert_to_id.pod releng/12.2/crypto/openssl/doc/man3/OCSP_request_add1_nonce.pod releng/12.2/crypto/openssl/doc/man3/OCSP_resp_find_status.pod releng/12.2/crypto/openssl/doc/man3/OCSP_sendreq_new.pod releng/12.2/crypto/openssl/doc/man3/OPENSSL_LH_COMPFUNC.pod releng/12.2/crypto/openssl/doc/man3/OPENSSL_config.pod releng/12.2/crypto/openssl/doc/man3/OPENSSL_ia32cap.pod releng/12.2/crypto/openssl/doc/man3/OPENSSL_init_crypto.pod releng/12.2/crypto/openssl/doc/man3/OPENSSL_init_ssl.pod releng/12.2/crypto/openssl/doc/man3/OSSL_STORE_open.pod 
releng/12.2/crypto/openssl/doc/man3/PEM_read_bio_PrivateKey.pod releng/12.2/crypto/openssl/doc/man3/PKCS7_verify.pod releng/12.2/crypto/openssl/doc/man3/RAND_DRBG_new.pod releng/12.2/crypto/openssl/doc/man3/RAND_DRBG_set_callbacks.pod releng/12.2/crypto/openssl/doc/man3/RAND_add.pod releng/12.2/crypto/openssl/doc/man3/RAND_load_file.pod releng/12.2/crypto/openssl/doc/man3/RSA_blinding_on.pod releng/12.2/crypto/openssl/doc/man3/RSA_private_encrypt.pod releng/12.2/crypto/openssl/doc/man3/RSA_set_method.pod releng/12.2/crypto/openssl/doc/man3/SHA256_Init.pod releng/12.2/crypto/openssl/doc/man3/SSL_CONF_cmd.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_dane_enable.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_alpn_select_cb.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_info_callback.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_max_cert_list.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_options.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_psk_client_callback.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_read_ahead.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_security_level.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_session_cache_mode.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_session_id_context.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_session_ticket_cb.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_split_send_fragment.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod releng/12.2/crypto/openssl/doc/man3/SSL_CTX_use_psk_identity_hint.pod releng/12.2/crypto/openssl/doc/man3/SSL_accept.pod releng/12.2/crypto/openssl/doc/man3/SSL_alloc_buffers.pod releng/12.2/crypto/openssl/doc/man3/SSL_connect.pod releng/12.2/crypto/openssl/doc/man3/SSL_do_handshake.pod 
releng/12.2/crypto/openssl/doc/man3/SSL_get_all_async_fds.pod releng/12.2/crypto/openssl/doc/man3/SSL_get_error.pod releng/12.2/crypto/openssl/doc/man3/SSL_new.pod releng/12.2/crypto/openssl/doc/man3/SSL_pending.pod releng/12.2/crypto/openssl/doc/man3/SSL_read.pod releng/12.2/crypto/openssl/doc/man3/SSL_read_early_data.pod releng/12.2/crypto/openssl/doc/man3/SSL_set1_host.pod releng/12.2/crypto/openssl/doc/man3/SSL_set_bio.pod releng/12.2/crypto/openssl/doc/man3/SSL_set_fd.pod releng/12.2/crypto/openssl/doc/man3/SSL_set_shutdown.pod releng/12.2/crypto/openssl/doc/man3/SSL_shutdown.pod releng/12.2/crypto/openssl/doc/man3/SSL_state_string.pod releng/12.2/crypto/openssl/doc/man3/SSL_want.pod releng/12.2/crypto/openssl/doc/man3/SSL_write.pod releng/12.2/crypto/openssl/doc/man3/UI_UTIL_read_pw.pod releng/12.2/crypto/openssl/doc/man3/UI_create_method.pod releng/12.2/crypto/openssl/doc/man3/UI_new.pod releng/12.2/crypto/openssl/doc/man3/X509V3_get_d2i.pod releng/12.2/crypto/openssl/doc/man3/X509_ALGOR_dup.pod releng/12.2/crypto/openssl/doc/man3/X509_LOOKUP_hash_dir.pod releng/12.2/crypto/openssl/doc/man3/X509_LOOKUP_meth_new.pod releng/12.2/crypto/openssl/doc/man3/X509_STORE_CTX_get_error.pod releng/12.2/crypto/openssl/doc/man3/X509_STORE_CTX_new.pod releng/12.2/crypto/openssl/doc/man3/X509_STORE_CTX_set_verify_cb.pod releng/12.2/crypto/openssl/doc/man3/X509_STORE_set_verify_cb_func.pod releng/12.2/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod releng/12.2/crypto/openssl/doc/man3/X509_check_ca.pod releng/12.2/crypto/openssl/doc/man3/X509_check_host.pod releng/12.2/crypto/openssl/doc/man3/X509_check_issued.pod releng/12.2/crypto/openssl/doc/man3/X509_check_purpose.pod releng/12.2/crypto/openssl/doc/man3/X509_get0_signature.pod releng/12.2/crypto/openssl/doc/man3/X509v3_get_ext_by_NID.pod releng/12.2/crypto/openssl/doc/man3/d2i_DHparams.pod releng/12.2/crypto/openssl/doc/man3/d2i_X509.pod releng/12.2/crypto/openssl/doc/man5/config.pod 
releng/12.2/crypto/openssl/doc/man5/x509v3_config.pod releng/12.2/crypto/openssl/doc/man7/SM2.pod releng/12.2/crypto/openssl/doc/man7/evp.pod releng/12.2/crypto/openssl/doc/man7/ossl_store.pod releng/12.2/crypto/openssl/e_os.h releng/12.2/crypto/openssl/include/openssl/bn.h releng/12.2/crypto/openssl/include/openssl/e_os2.h releng/12.2/crypto/openssl/include/openssl/ec.h releng/12.2/crypto/openssl/include/openssl/ecerr.h releng/12.2/crypto/openssl/include/openssl/opensslconf.h.in releng/12.2/crypto/openssl/include/openssl/opensslv.h releng/12.2/crypto/openssl/include/openssl/pemerr.h releng/12.2/crypto/openssl/include/openssl/ssl.h releng/12.2/crypto/openssl/include/openssl/ssl3.h releng/12.2/crypto/openssl/include/openssl/x509.h releng/12.2/crypto/openssl/include/openssl/x509_vfy.h releng/12.2/crypto/openssl/include/openssl/x509err.h releng/12.2/crypto/openssl/ssl/bio_ssl.c releng/12.2/crypto/openssl/ssl/record/ssl3_buffer.c releng/12.2/crypto/openssl/ssl/ssl_conf.c releng/12.2/crypto/openssl/ssl/ssl_lib.c releng/12.2/crypto/openssl/ssl/ssl_rsa.c releng/12.2/crypto/openssl/ssl/statem/extensions.c releng/12.2/crypto/openssl/ssl/statem/extensions_srvr.c releng/12.2/crypto/openssl/ssl/statem/statem_lib.c releng/12.2/crypto/openssl/ssl/t1_lib.c releng/12.2/crypto/openssl/ssl/t1_trce.c releng/12.2/crypto/openssl/ssl/tls13_enc.c releng/12.2/secure/lib/libcrypto/Makefile.inc releng/12.2/secure/lib/libcrypto/arm/ecp_nistz256-armv4.S releng/12.2/secure/lib/libcrypto/man/man3/ADMISSIONS.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 
releng/12.2/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 releng/12.2/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 releng/12.2/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 releng/12.2/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 releng/12.2/secure/lib/libcrypto/man/man3/BF_encrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_ADDR.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_connect.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_ctrl.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_f_base64.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_f_md.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_f_null.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_find_type.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_get_data.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_meth_new.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_new.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_printf.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_push.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_read.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_accept.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_bio.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_connect.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_fd.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_file.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_mem.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_null.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_s_socket.3 releng/12.2/secure/lib/libcrypto/man/man3/BIO_set_callback.3 
releng/12.2/secure/lib/libcrypto/man/man3/BIO_should_retry.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_CTX_new.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_CTX_start.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_add.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_add_word.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_bn2bin.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_cmp.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_copy.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_generate_prime.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_new.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_num_bytes.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_rand.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_security_bits.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_set_bit.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_swap.3 releng/12.2/secure/lib/libcrypto/man/man3/BN_zero.3 releng/12.2/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_compress.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_decrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_encrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_final.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_get0_type.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_sign.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 
releng/12.2/secure/lib/libcrypto/man/man3/CMS_uncompress.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_verify.3 releng/12.2/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 releng/12.2/secure/lib/libcrypto/man/man3/CONF_modules_free.3 releng/12.2/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 releng/12.2/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 releng/12.2/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 releng/12.2/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 releng/12.2/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 releng/12.2/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 releng/12.2/secure/lib/libcrypto/man/man3/CTLOG_new.3 releng/12.2/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 releng/12.2/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 releng/12.2/secure/lib/libcrypto/man/man3/DES_random_key.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_generate_key.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_meth_new.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_new.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_set_method.3 releng/12.2/secure/lib/libcrypto/man/man3/DH_size.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_do_sign.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_generate_key.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_meth_new.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_new.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_set_method.3 releng/12.2/secure/lib/libcrypto/man/man3/DSA_sign.3 
releng/12.2/secure/lib/libcrypto/man/man3/DSA_size.3 releng/12.2/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 releng/12.2/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 releng/12.2/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 releng/12.2/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 releng/12.2/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 releng/12.2/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 releng/12.2/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 releng/12.2/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 releng/12.2/secure/lib/libcrypto/man/man3/EC_KEY_new.3 releng/12.2/secure/lib/libcrypto/man/man3/EC_POINT_add.3 releng/12.2/secure/lib/libcrypto/man/man3/EC_POINT_new.3 releng/12.2/secure/lib/libcrypto/man/man3/ENGINE_add.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_clear_error.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_error_string.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_get_error.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_load_strings.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_print_errors.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_put_error.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_remove_state.3 releng/12.2/secure/lib/libcrypto/man/man3/ERR_set_mark.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 
releng/12.2/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_cmp.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_size.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_SealInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_SignInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_aes.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_aria.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 
releng/12.2/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_camellia.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_chacha20.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_des.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_md2.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_md4.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_md5.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_mdc2.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_rc4.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_sha1.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_sha224.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_sm3.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 releng/12.2/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 releng/12.2/secure/lib/libcrypto/man/man3/HMAC.3 releng/12.2/secure/lib/libcrypto/man/man3/MD5.3 releng/12.2/secure/lib/libcrypto/man/man3/MDC2_Init.3 releng/12.2/secure/lib/libcrypto/man/man3/Makefile releng/12.2/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 releng/12.2/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 releng/12.2/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 releng/12.2/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 releng/12.2/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 releng/12.2/secure/lib/libcrypto/man/man3/OCSP_response_status.3 releng/12.2/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 
releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_VERSION_NUMBER.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_config.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 releng/12.2/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 releng/12.2/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 releng/12.2/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 releng/12.2/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 releng/12.2/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 releng/12.2/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 releng/12.2/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 releng/12.2/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 releng/12.2/secure/lib/libcrypto/man/man3/PEM_read.3 releng/12.2/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 releng/12.2/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 releng/12.2/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 releng/12.2/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 releng/12.2/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS12_create.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS12_parse.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS7_sign.3 releng/12.2/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 
releng/12.2/secure/lib/libcrypto/man/man3/PKCS7_verify.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_DRBG_generate.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_DRBG_get0_master.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_DRBG_new.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_DRBG_reseed.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_DRBG_set_callbacks.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_DRBG_set_ex_data.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_add.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_bytes.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_cleanup.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_egd.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_load_file.3 releng/12.2/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 releng/12.2/secure/lib/libcrypto/man/man3/RC4_set_key.3 releng/12.2/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_check_key.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_generate_key.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_get0_key.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_meth_new.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_new.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_print.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_set_method.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_sign.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 releng/12.2/secure/lib/libcrypto/man/man3/RSA_size.3 releng/12.2/secure/lib/libcrypto/man/man3/SCT_new.3 releng/12.2/secure/lib/libcrypto/man/man3/SCT_print.3 releng/12.2/secure/lib/libcrypto/man/man3/SCT_validate.3 releng/12.2/secure/lib/libcrypto/man/man3/SHA256_Init.3 
releng/12.2/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 releng/12.2/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 releng/12.2/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 releng/12.2/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 
releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_ex_data.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 
releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get_ex_data.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 
releng/12.2/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_accept.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_check_chain.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_clear.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_connect.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_free.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_error.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_fd.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_session.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_get_version.3 
releng/12.2/secure/lib/libcrypto/man/man3/SSL_in_init.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_key_update.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_library_init.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_new.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_pending.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_read.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_session_reused.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_set1_host.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_set_bio.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_set_fd.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_set_session.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_shutdown.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_state_string.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_want.3 releng/12.2/secure/lib/libcrypto/man/man3/SSL_write.3 releng/12.2/secure/lib/libcrypto/man/man3/UI_STRING.3 releng/12.2/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 releng/12.2/secure/lib/libcrypto/man/man3/UI_create_method.3 releng/12.2/secure/lib/libcrypto/man/man3/UI_new.3 releng/12.2/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 
releng/12.2/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_STORE_new.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_check_ca.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_check_host.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_check_issued.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_check_private_key.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_check_purpose.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_cmp.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_cmp_time.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_digest.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_dup.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get0_signature.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get0_uids.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_get_version.3 
releng/12.2/secure/lib/libcrypto/man/man3/X509_new.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_sign.3 releng/12.2/secure/lib/libcrypto/man/man3/X509_verify_cert.3 releng/12.2/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 releng/12.2/secure/lib/libcrypto/man/man3/d2i_DHparams.3 releng/12.2/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 releng/12.2/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 releng/12.2/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 releng/12.2/secure/lib/libcrypto/man/man3/d2i_X509.3 releng/12.2/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 releng/12.2/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 releng/12.2/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 releng/12.2/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 releng/12.2/secure/lib/libcrypto/man/man5/x509v3_config.5 releng/12.2/secure/lib/libcrypto/man/man7/Ed25519.7 releng/12.2/secure/lib/libcrypto/man/man7/RAND.7 releng/12.2/secure/lib/libcrypto/man/man7/RAND_DRBG.7 releng/12.2/secure/lib/libcrypto/man/man7/RSA-PSS.7 releng/12.2/secure/lib/libcrypto/man/man7/SM2.7 releng/12.2/secure/lib/libcrypto/man/man7/X25519.7 releng/12.2/secure/lib/libcrypto/man/man7/bio.7 releng/12.2/secure/lib/libcrypto/man/man7/ct.7 releng/12.2/secure/lib/libcrypto/man/man7/des_modes.7 releng/12.2/secure/lib/libcrypto/man/man7/evp.7 releng/12.2/secure/lib/libcrypto/man/man7/ossl_store-file.7 releng/12.2/secure/lib/libcrypto/man/man7/ossl_store.7 releng/12.2/secure/lib/libcrypto/man/man7/passphrase-encoding.7 releng/12.2/secure/lib/libcrypto/man/man7/proxy-certificates.7 releng/12.2/secure/lib/libcrypto/man/man7/scrypt.7 releng/12.2/secure/lib/libcrypto/man/man7/ssl.7 releng/12.2/secure/lib/libcrypto/man/man7/x509.7 releng/12.2/secure/usr.bin/openssl/man/CA.pl.1 releng/12.2/secure/usr.bin/openssl/man/asn1parse.1 releng/12.2/secure/usr.bin/openssl/man/ca.1 releng/12.2/secure/usr.bin/openssl/man/ciphers.1 releng/12.2/secure/usr.bin/openssl/man/cms.1 
releng/12.2/secure/usr.bin/openssl/man/crl.1 releng/12.2/secure/usr.bin/openssl/man/crl2pkcs7.1 releng/12.2/secure/usr.bin/openssl/man/dgst.1 releng/12.2/secure/usr.bin/openssl/man/dhparam.1 releng/12.2/secure/usr.bin/openssl/man/dsa.1 releng/12.2/secure/usr.bin/openssl/man/dsaparam.1 releng/12.2/secure/usr.bin/openssl/man/ec.1 releng/12.2/secure/usr.bin/openssl/man/ecparam.1 releng/12.2/secure/usr.bin/openssl/man/enc.1 releng/12.2/secure/usr.bin/openssl/man/engine.1 releng/12.2/secure/usr.bin/openssl/man/errstr.1 releng/12.2/secure/usr.bin/openssl/man/gendsa.1 releng/12.2/secure/usr.bin/openssl/man/genpkey.1 releng/12.2/secure/usr.bin/openssl/man/genrsa.1 releng/12.2/secure/usr.bin/openssl/man/list.1 releng/12.2/secure/usr.bin/openssl/man/nseq.1 releng/12.2/secure/usr.bin/openssl/man/ocsp.1 releng/12.2/secure/usr.bin/openssl/man/openssl.1 releng/12.2/secure/usr.bin/openssl/man/passwd.1 releng/12.2/secure/usr.bin/openssl/man/pkcs12.1 releng/12.2/secure/usr.bin/openssl/man/pkcs7.1 releng/12.2/secure/usr.bin/openssl/man/pkcs8.1 releng/12.2/secure/usr.bin/openssl/man/pkey.1 releng/12.2/secure/usr.bin/openssl/man/pkeyparam.1 releng/12.2/secure/usr.bin/openssl/man/pkeyutl.1 releng/12.2/secure/usr.bin/openssl/man/prime.1 releng/12.2/secure/usr.bin/openssl/man/rand.1 releng/12.2/secure/usr.bin/openssl/man/req.1 releng/12.2/secure/usr.bin/openssl/man/rsa.1 releng/12.2/secure/usr.bin/openssl/man/rsautl.1 releng/12.2/secure/usr.bin/openssl/man/s_client.1 releng/12.2/secure/usr.bin/openssl/man/s_server.1 releng/12.2/secure/usr.bin/openssl/man/s_time.1 releng/12.2/secure/usr.bin/openssl/man/sess_id.1 releng/12.2/secure/usr.bin/openssl/man/smime.1 releng/12.2/secure/usr.bin/openssl/man/speed.1 releng/12.2/secure/usr.bin/openssl/man/spkac.1 releng/12.2/secure/usr.bin/openssl/man/srp.1 releng/12.2/secure/usr.bin/openssl/man/storeutl.1 releng/12.2/secure/usr.bin/openssl/man/ts.1 releng/12.2/secure/usr.bin/openssl/man/tsget.1 releng/12.2/secure/usr.bin/openssl/man/verify.1 
releng/12.2/secure/usr.bin/openssl/man/version.1 releng/12.2/secure/usr.bin/openssl/man/x509.1 Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/crypto/openssl/CHANGES ============================================================================== --- releng/12.2/crypto/openssl/CHANGES Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/CHANGES Fri Sep 25 22:43:14 2020 (r366177) 
@@ -7,6 +7,33 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1g and 1.1.1h [22 Sep 2020] + + *) Certificates with explicit curve parameters are now disallowed in + verification chains if the X509_V_FLAG_X509_STRICT flag is used. + [Tomas Mraz] + + *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently + ignore TLS protocol version bounds when configuring DTLS-based contexts, and + conversely, silently ignore DTLS protocol version bounds when configuring + TLS-based contexts. The commands can be repeated to set bounds of both + types. The same applies with the corresponding "min_protocol" and + "max_protocol" command-line switches, in case some application uses both TLS + and DTLS. + + SSL_CTX instances that are created for a fixed protocol version (e.g. + TLSv1_server_method()) also silently ignore version bounds. Previously + attempts to apply bounds to these protocol versions would result in an + error. Now only the "version-flexible" SSL_CTX instances are subject to + limits in configuration files in command-line options. + [Viktor Dukhovni] + + *) Handshake now fails if Extended Master Secret extension is dropped + on renegotiation. + [Tomas Mraz] + + *) The Oracle Developer Studio compiler will start reporting deprecated APIs + Changes between 1.1.1f and 1.1.1g [21 Apr 2020] *) Fixed segmentation fault in SSL_check_chain() Modified: releng/12.2/crypto/openssl/Configure ============================================================================== --- releng/12.2/crypto/openssl/Configure Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/Configure Fri Sep 25 22:43:14 2020 (r366177) 
@@ -217,12 +217,22 @@ sub resolve_config; # Unified build supports separate build dir my $srcdir = catdir(absolutedir(dirname($0))); # catdir ensures local syntax my $blddir = catdir(absolutedir(".")); # catdir ensures local syntax + +# File::Spec::Unix doesn't detect case insensitivity, so we make sure to +# check if the source and build directory are really the same, and make +# them so. This avoids all kinds of confusion later on. +# We must check @File::Spec::ISA rather than using File::Spec->isa() to +# know if File::Spec ended up loading File::Spec::Unix. +$srcdir = $blddir + if (grep(/::Unix$/, @File::Spec::ISA) + && samedir($srcdir, $blddir)); + my $dofile = abs2rel(catfile($srcdir, "util/dofile.pl")); my $local_config_envname = 'OPENSSL_LOCAL_CONFIG_DIR'; -$config{sourcedir} = abs2rel($srcdir); -$config{builddir} = abs2rel($blddir); +$config{sourcedir} = abs2rel($srcdir, $blddir); +$config{builddir} = abs2rel($blddir, $blddir); # Collect reconfiguration information if needed my @argvcopy=@ARGV; @@ -1049,6 +1059,9 @@ if (scalar(@seed_sources) == 0) { print "Using os-specific seed configuration\n"; push @seed_sources, 'os'; } +if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) { + delete $disabled{'egd'}; +} if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) { die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1; warn <<_____ if scalar(@seed_sources) == 1; 
@@ -3422,6 +3435,27 @@ sub absolutedir { use Cwd qw/realpath/; return realpath($dir); +} + +# Check if all paths are one and the same, using stat. They must both exist +# We need this for the cases when File::Spec doesn't detect case insensitivity +# (File::Spec::Unix assumes case sensitivity) +sub samedir { + die "samedir expects two arguments\n" unless scalar @_ == 2; + + my @stat0 = stat($_[0]); # First argument + my @stat1 = stat($_[1]); # Second argument + + die "Couldn't stat $_[0]" unless @stat0; + die "Couldn't stat $_[1]" unless @stat1; + + # Compare device number + return 0 unless ($stat0[0] == $stat1[0]); + # Compare "inode". The perl manual recommends comparing as + # string rather than as number. + return 0 unless ($stat0[1] eq $stat1[1]); + + return 1; # All the same } sub quotify { Modified: releng/12.2/crypto/openssl/NEWS ============================================================================== --- releng/12.2/crypto/openssl/NEWS Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/NEWS Fri Sep 25 22:43:14 2020 (r366177) @@ -5,6 +5,14 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] + + o Disallow explicit curve parameters in verifications chains when + X509_V_FLAG_X509_STRICT is used + o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS + contexts + o Oracle Developer Studio will start reporting deprecation warnings + Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020] o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967) Modified: releng/12.2/crypto/openssl/NOTES.PERL ============================================================================== --- releng/12.2/crypto/openssl/NOTES.PERL Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/NOTES.PERL Fri Sep 25 22:43:14 2020 (r366177) 
@@ -109,7 +109,7 @@ $ cpan -f -i Text::Template - Note: on VMS, you must quote any argument that contains upper case + Note: on VMS, you must quote any argument that contains uppercase characters, so the lines above would be: $ cpan -i "Text::Template" Modified: releng/12.2/crypto/openssl/README ============================================================================== --- releng/12.2/crypto/openssl/README Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/README Fri Sep 25 22:43:14 2020 (r366177) @@ -1,5 +1,5 @@ - OpenSSL 1.1.1g 21 Apr 2020 + OpenSSL 1.1.1h 22 Sep 2020 Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: releng/12.2/crypto/openssl/apps/genpkey.c ============================================================================== --- releng/12.2/crypto/openssl/apps/genpkey.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/apps/genpkey.c Fri Sep 25 22:43:14 2020 (r366177) @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -177,9 +177,12 @@ int genpkey_main(int argc, char **argv) goto end; } + ret = 0; + if (rv <= 0) { BIO_puts(bio_err, "Error writing key\n"); ERR_print_errors(bio_err); + ret = 1; } if (text) { @@ -191,10 +194,9 @@ int genpkey_main(int argc, char **argv) if (rv <= 0) { BIO_puts(bio_err, "Error printing key\n"); ERR_print_errors(bio_err); + ret = 1; } } - - ret = 0; end: EVP_PKEY_free(pkey); Modified: releng/12.2/crypto/openssl/apps/rsa8192.pem ============================================================================== --- releng/12.2/crypto/openssl/apps/rsa8192.pem Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/apps/rsa8192.pem Fri Sep 25 22:43:14 2020 (r366177) 
@@ -1,5 +1,4 @@ -----BEGIN RSA PRIVATE KEY----- - MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY @@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLeb yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9 DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN -22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU +2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8 @@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWv rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8= -----END RSA PRIVATE KEY----- - Modified: releng/12.2/crypto/openssl/apps/s_client.c ============================================================================== --- releng/12.2/crypto/openssl/apps/s_client.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/apps/s_client.c Fri Sep 25 22:43:14 2020 (r366177) @@ -1,5 +1,5 @@ /* - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use 
@@ -1283,22 +1283,42 @@ int s_client_main(int argc, char **argv) case OPT_SSL3: min_version = SSL3_VERSION; max_version = SSL3_VERSION; + socket_type = SOCK_STREAM; +#ifndef OPENSSL_NO_DTLS + isdtls = 0; +#endif break; case OPT_TLS1_3: min_version = TLS1_3_VERSION; max_version = TLS1_3_VERSION; + socket_type = SOCK_STREAM; +#ifndef OPENSSL_NO_DTLS + isdtls = 0; +#endif break; case OPT_TLS1_2: min_version = TLS1_2_VERSION; max_version = TLS1_2_VERSION; + socket_type = SOCK_STREAM; +#ifndef OPENSSL_NO_DTLS + isdtls = 0; +#endif break; case OPT_TLS1_1: min_version = TLS1_1_VERSION; max_version = TLS1_1_VERSION; + socket_type = SOCK_STREAM; +#ifndef OPENSSL_NO_DTLS + isdtls = 0; +#endif break; case OPT_TLS1: min_version = TLS1_VERSION; max_version = TLS1_VERSION; + socket_type = SOCK_STREAM; +#ifndef OPENSSL_NO_DTLS + isdtls = 0; +#endif break; case OPT_DTLS: #ifndef OPENSSL_NO_DTLS Modified: releng/12.2/crypto/openssl/apps/x509.c ============================================================================== --- releng/12.2/crypto/openssl/apps/x509.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/apps/x509.c Fri Sep 25 22:43:14 2020 (r366177) @@ -140,9 +140,9 @@ const OPTIONS x509_options[] = { {"", OPT_MD, '-', "Any supported digest"}, #ifndef OPENSSL_NO_MD5 {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', - "Print old-style (MD5) issuer hash value"}, - {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', "Print old-style (MD5) subject hash value"}, + {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) issuer hash value"}, #endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, Modified: releng/12.2/crypto/openssl/appveyor.yml ============================================================================== --- releng/12.2/crypto/openssl/appveyor.yml Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/appveyor.yml Fri Sep 25 22:43:14 2020 (r366177) 
@@ -46,7 +46,8 @@ before_build: - cd .. - ps: >- if (-not $env:APPVEYOR_PULL_REQUEST_NUMBER` - -or (&git log -2 | Select-String "\[extended tests\]") ) { + -or (&git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT | + Select-String "\[extended tests\]") ) { $env:EXTENDED_TESTS="yes" } Modified: releng/12.2/crypto/openssl/crypto/aes/aes_core.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/aes/aes_core.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/aes/aes_core.c Fri Sep 25 22:43:14 2020 (r366177) 
@@ -673,357 +673,6 @@ void AES_decrypt(const unsigned char *in, unsigned cha InvCipher(in, out, rk, key->rounds); } - -# ifndef OPENSSL_SMALL_FOOTPRINT -void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, - size_t blocks, const AES_KEY *key, - const unsigned char *ivec); - -static void RawToBits(const u8 raw[64], u64 bits[8]) -{ - int i, j; - u64 in, out; - - memset(bits, 0, 64); - for (i = 0; i < 8; i++) { - in = 0; - for (j = 0; j < 8; j++) - in |= ((u64)raw[i * 8 + j]) << (8 * j); - out = in & 0xF0F0F0F00F0F0F0FuLL; - out |= (in & 0x0F0F0F0F00000000uLL) >> 28; - out |= (in & 0x00000000F0F0F0F0uLL) << 28; - in = out & 0xCCCC3333CCCC3333uLL; - in |= (out & 0x3333000033330000uLL) >> 14; - in |= (out & 0x0000CCCC0000CCCCuLL) << 14; - out = in & 0xAA55AA55AA55AA55uLL; - out |= (in & 0x5500550055005500uLL) >> 7; - out |= (in & 0x00AA00AA00AA00AAuLL) << 7; - for (j = 0; j < 8; j++) { - bits[j] |= (out & 0xFFuLL) << (8 * i); - out = out >> 8; - } - } -} - -static void BitsToRaw(const u64 bits[8], u8 raw[64]) -{ - int i, j; - u64 in, out; - - for (i = 0; i < 8; i++) { - in = 0; - for (j = 0; j < 8; j++) - in |= ((bits[j] >> (8 * i)) & 0xFFuLL) << (8 * j); - out = in & 0xF0F0F0F00F0F0F0FuLL; - out |= (in & 0x0F0F0F0F00000000uLL) >> 28; - out |= (in & 0x00000000F0F0F0F0uLL) << 28; - in = out & 0xCCCC3333CCCC3333uLL; - in |= (out & 0x3333000033330000uLL) >> 14; - in |= (out & 0x0000CCCC0000CCCCuLL) << 14; - out = in & 0xAA55AA55AA55AA55uLL; - out |= (in & 0x5500550055005500uLL) >> 7; - out |= (in & 0x00AA00AA00AA00AAuLL) << 7; - for (j = 0; j < 8; j++) { - raw[i * 8 + j] = (u8)out; - out = out >> 8; - } - } -} - -static void BitsXtime(u64 state[8]) -{ - u64 b; - - b = state[7]; - state[7] = state[6]; - state[6] = state[5]; - state[5] = state[4]; - state[4] = state[3] ^ b; - state[3] = state[2] ^ b; - state[2] = state[1]; - state[1] = state[0] ^ b; - state[0] = b; -} - -/* - * This S-box implementation follows a circuit described in - * Boyar and Peralta: "A 
new combinational logic minimization - * technique with applications to cryptology." - * https://eprint.iacr.org/2009/191.pdf - * - * The math is similar to above, in that it uses - * a tower field of GF(2^2^2^2) but with a different - * basis representation, that is better suited to - * logic designs. - */ -static void BitsSub(u64 state[8]) -{ - u64 x0, x1, x2, x3, x4, x5, x6, x7; - u64 y1, y2, y3, y4, y5, y6, y7, y8, y9, y10, y11; - u64 y12, y13, y14, y15, y16, y17, y18, y19, y20, y21; - u64 t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11; - u64 t12, t13, t14, t15, t16, t17, t18, t19, t20, t21; - u64 t22, t23, t24, t25, t26, t27, t28, t29, t30, t31; - u64 t32, t33, t34, t35, t36, t37, t38, t39, t40, t41; - u64 t42, t43, t44, t45, t46, t47, t48, t49, t50, t51; - u64 t52, t53, t54, t55, t56, t57, t58, t59, t60, t61; - u64 t62, t63, t64, t65, t66, t67; - u64 z0, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10, z11; - u64 z12, z13, z14, z15, z16, z17; - u64 s0, s1, s2, s3, s4, s5, s6, s7; - - x7 = state[0]; - x6 = state[1]; - x5 = state[2]; - x4 = state[3]; - x3 = state[4]; - x2 = state[5]; - x1 = state[6]; - x0 = state[7]; - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 
= t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = ~(t56 ^ t62); - s7 = ~(t48 ^ t60); - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = ~(t64 ^ s3); - s2 = ~(t55 ^ t67); - state[0] = s7; - state[1] = s6; - state[2] = s5; - state[3] = s4; - state[4] = s3; - state[5] = s2; - state[6] = s1; - state[7] = s0; -} - -static void BitsShiftRows(u64 state[8]) -{ - u64 s, s0; - int i; - - for (i = 0; i < 8; i++) { - s = state[i]; - s0 = s & 0x1111111111111111uLL; - s0 |= ((s & 0x2220222022202220uLL) >> 4) | ((s & 0x0002000200020002uLL) << 12); - s0 |= ((s & 0x4400440044004400uLL) >> 8) | ((s & 0x0044004400440044uLL) << 8); - s0 |= ((s & 0x8000800080008000uLL) >> 12) | ((s & 0x0888088808880888uLL) << 4); - state[i] = s0; - } -} - -static void BitsMixColumns(u64 state[8]) -{ - u64 s1, s; - u64 s0[8]; - int i; - - for (i = 0; i < 8; i++) { - s1 = state[i]; - s = s1; - s ^= ((s & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((s & 0x3333333333333333uLL) << 2); - s ^= 
((s & 0xAAAAAAAAAAAAAAAAuLL) >> 1) | ((s & 0x5555555555555555uLL) << 1); - s ^= s1; - s0[i] = s; - } - BitsXtime(state); - for (i = 0; i < 8; i++) { - s1 = state[i]; - s = s0[i]; - s ^= s1; - s ^= ((s1 & 0xEEEEEEEEEEEEEEEEuLL) >> 1) | ((s1 & 0x1111111111111111uLL) << 3); - state[i] = s; - } -} - -static void BitsAddRoundKey(u64 state[8], const u64 key[8]) -{ - int i; - - for (i = 0; i < 8; i++) - state[i] ^= key[i]; -} - -void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out, - size_t blocks, const AES_KEY *key, - const unsigned char *ivec) -{ - struct { - u8 cipher[64]; - u64 state[8]; - u64 rd_key[AES_MAXNR + 1][8]; - } *bs; - u32 ctr32; - int i; - - ctr32 = GETU32(ivec + 12); - if (blocks >= 4 - && (bs = OPENSSL_malloc(sizeof(*bs)))) { - for (i = 0; i < key->rounds + 1; i++) { - memcpy(bs->cipher + 0, &key->rd_key[4 * i], 16); - memcpy(bs->cipher + 16, bs->cipher, 16); - memcpy(bs->cipher + 32, bs->cipher, 32); - RawToBits(bs->cipher, bs->rd_key[i]); - } - while (blocks) { - memcpy(bs->cipher, ivec, 12); - PUTU32(bs->cipher + 12, ctr32); - ctr32++; - memcpy(bs->cipher + 16, ivec, 12); - PUTU32(bs->cipher + 28, ctr32); - ctr32++; - memcpy(bs->cipher + 32, ivec, 12); - PUTU32(bs->cipher + 44, ctr32); - ctr32++; - memcpy(bs->cipher + 48, ivec, 12); - PUTU32(bs->cipher + 60, ctr32); - ctr32++; - RawToBits(bs->cipher, bs->state); - BitsAddRoundKey(bs->state, bs->rd_key[0]); - for (i = 1; i < key->rounds; i++) { - BitsSub(bs->state); - BitsShiftRows(bs->state); - BitsMixColumns(bs->state); - BitsAddRoundKey(bs->state, bs->rd_key[i]); - } - BitsSub(bs->state); - BitsShiftRows(bs->state); - BitsAddRoundKey(bs->state, bs->rd_key[key->rounds]); - BitsToRaw(bs->state, bs->cipher); - for (i = 0; i < 64 && blocks; i++) { - out[i] = in[i] ^ bs->cipher[i]; - if ((i & 15) == 15) - blocks--; - } - in += i; - out += i; - } - OPENSSL_clear_free(bs, sizeof(*bs)); - } else { - unsigned char cipher[16]; - - while (blocks) { - memcpy(cipher, ivec, 12); - PUTU32(cipher + 
12, ctr32); - AES_encrypt(cipher, cipher, key); - for (i = 0; i < 16; i++) - out[i] = in[i] ^ cipher[i]; - in += 16; - out += 16; - ctr32++; - blocks--; - } - } -} -# endif #elif !defined(AES_ASM) /*- Te0[x] = S [x].[02, 01, 01, 03]; Modified: releng/12.2/crypto/openssl/crypto/aes/aes_ige.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/aes/aes_ige.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/aes/aes_ige.c Fri Sep 25 22:43:14 2020 (r366177) @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,16 +12,20 @@ #include #include "aes_local.h" -#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long)) -typedef struct { - unsigned long data[N_WORDS]; -} aes_block_t; - /* XXX: probably some better way to do this */ #if defined(__i386__) || defined(__x86_64__) # define UNALIGNED_MEMOPS_ARE_FAST 1 #else # define UNALIGNED_MEMOPS_ARE_FAST 0 +#endif + +#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long)) +typedef struct { + unsigned long data[N_WORDS]; +#if defined(__GNUC__) && UNALIGNED_MEMOPS_ARE_FAST +} aes_block_t __attribute((__aligned__(1))); +#else +} aes_block_t; #endif #if UNALIGNED_MEMOPS_ARE_FAST Modified: releng/12.2/crypto/openssl/crypto/asn1/d2i_pr.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/asn1/d2i_pr.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/asn1/d2i_pr.c Fri Sep 25 22:43:14 2020 (r366177) 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -56,6 +56,8 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const goto err; EVP_PKEY_free(ret); ret = tmp; + if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret)) + goto err; } else { ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); goto err; Modified: releng/12.2/crypto/openssl/crypto/asn1/x_algor.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/asn1/x_algor.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/asn1/x_algor.c Fri Sep 25 22:43:14 2020 (r366177) @@ -1,5 +1,5 @@ /* - * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -91,4 +91,36 @@ int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALG if (!a->parameter && !b->parameter) return 0; return ASN1_TYPE_cmp(a->parameter, b->parameter); +} + +int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src) +{ + if (src == NULL || dest == NULL) + return 0; + + if (dest->algorithm) + ASN1_OBJECT_free(dest->algorithm); + dest->algorithm = NULL; + + if (dest->parameter) + ASN1_TYPE_free(dest->parameter); + dest->parameter = NULL; + + if (src->algorithm) + if ((dest->algorithm = OBJ_dup(src->algorithm)) == NULL) + return 0; + + if (src->parameter) { + dest->parameter = ASN1_TYPE_new(); + if (dest->parameter == NULL) + return 0; + + /* Assuming this is also correct for a BOOL. + * set does copy as a side effect. + */ + if (ASN1_TYPE_set1(dest->parameter, + src->parameter->type, src->parameter->value.ptr) == 0) + return 0; + } + return 1; } Modified: releng/12.2/crypto/openssl/crypto/bio/b_print.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/bio/b_print.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/bio/b_print.c Fri Sep 25 22:43:14 2020 (r366177) @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -635,7 +635,11 @@ fmtfp(char **sbuffer, fvalue = tmpvalue; } ufvalue = abs_val(fvalue); - if (ufvalue > ULONG_MAX) { + /* + * By subtracting 65535 (2^16-1) we cancel the low order 15 bits + * of ULONG_MAX to avoid using imprecise floating point values. + */ + if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0) { /* Number too big */ return 0; } Modified: releng/12.2/crypto/openssl/crypto/bio/bss_acpt.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/bio/bss_acpt.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/bio/bss_acpt.c Fri Sep 25 22:43:14 2020 (r366177) @@ -434,8 +434,10 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void b->init = 1; } else if (num == 1) { OPENSSL_free(data->param_serv); - data->param_serv = BUF_strdup(ptr); - b->init = 1; + if ((data->param_serv = OPENSSL_strdup(ptr)) == NULL) + ret = 0; + else + b->init = 1; } else if (num == 2) { data->bind_mode |= BIO_SOCK_NONBLOCK; } else if (num == 3) { Modified: releng/12.2/crypto/openssl/crypto/bio/bss_conn.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/bio/bss_conn.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/bio/bss_conn.c Fri Sep 25 22:43:14 2020 (r366177) @@ -186,8 +186,17 @@ static int conn_state(BIO *b, BIO_CONNECT *c) case BIO_CONN_S_BLOCKED_CONNECT: i = BIO_sock_error(b->num); - if (i) { + if (i != 0) { BIO_clear_retry_flags(b); + if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter)) != NULL) { + /* + * if there are more addresses to try, do that first + */ + BIO_closesocket(b->num); + c->state = BIO_CONN_S_CREATE_SOCKET; + ERR_clear_error(); + break; + } SYSerr(SYS_F_CONNECT, i); ERR_add_error_data(4, "hostname=", c->param_hostname, 
@@ -407,12 +416,13 @@ static long conn_ctrl(BIO *b, int cmd, long num, void case BIO_C_SET_CONNECT: if (ptr != NULL) { b->init = 1; - if (num == 0) { + if (num == 0) { /* BIO_set_conn_hostname */ char *hold_service = data->param_service; /* We affect the hostname regardless. However, the input * string might contain a host:service spec, so we must * parse it, which might or might not affect the service */ + OPENSSL_free(data->param_hostname); data->param_hostname = NULL; ret = BIO_parse_hostserv(ptr, 
@@ -421,19 +431,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void BIO_PARSE_PRIO_HOST); if (hold_service != data->param_service) OPENSSL_free(hold_service); - } else if (num == 1) { + } else if (num == 1) { /* BIO_set_conn_port */ OPENSSL_free(data->param_service); - data->param_service = BUF_strdup(ptr); - } else if (num == 2) { + if ((data->param_service = OPENSSL_strdup(ptr)) == NULL) + ret = 0; + } else if (num == 2) { /* BIO_set_conn_address */ const BIO_ADDR *addr = (const BIO_ADDR *)ptr; + char *host = BIO_ADDR_hostname_string(addr, 1); + char *service = BIO_ADDR_service_string(addr, 1); + + ret = host != NULL && service != NULL; if (ret) { - data->param_hostname = BIO_ADDR_hostname_string(addr, 1); - data->param_service = BIO_ADDR_service_string(addr, 1); + OPENSSL_free(data->param_hostname); + data->param_hostname = host; + OPENSSL_free(data->param_service); + data->param_service = service; BIO_ADDRINFO_free(data->addr_first); data->addr_first = NULL; data->addr_iter = NULL; + } else { + OPENSSL_free(host); + OPENSSL_free(service); } - } else if (num == 3) { + } else if (num == 3) { /* BIO_set_conn_ip_family */ data->connect_family = *(int *)ptr; } else { ret = 0; Modified: releng/12.2/crypto/openssl/crypto/bn/bn_gcd.c ============================================================================== --- releng/12.2/crypto/openssl/crypto/bn/bn_gcd.c Fri Sep 25 21:58:43 2020 (r366176) +++ releng/12.2/crypto/openssl/crypto/bn/bn_gcd.c Fri Sep 25 22:43:14 2020 (r366177) @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -10,22 +10,189 @@ #include "internal/cryptlib.h" #include "bn_local.h" -/* solves ax == 1 (mod n) */ -static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, - const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx); - -BIGNUM *BN_mod_inverse(BIGNUM *in, - const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) +/* + * bn_mod_inverse_no_branch is a special version of BN_mod_inverse. It does + * not contain branches that may leak sensitive information. + * + * This is a static function, we ensure all callers in this file pass valid + * arguments: all passed pointers here are non-NULL. + */ +static ossl_inline +BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in, + const BIGNUM *a, const BIGNUM *n, + BN_CTX *ctx, int *pnoinv) { - BIGNUM *rv; - int noinv; - rv = int_bn_mod_inverse(in, a, n, ctx, &noinv); - if (noinv) - BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE); - return rv; + BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; + BIGNUM *ret = NULL; + int sign; + + bn_check_top(a); + bn_check_top(n); + + BN_CTX_start(ctx); + A = BN_CTX_get(ctx); + B = BN_CTX_get(ctx); + X = BN_CTX_get(ctx); + D = BN_CTX_get(ctx); + M = BN_CTX_get(ctx); + Y = BN_CTX_get(ctx); + T = BN_CTX_get(ctx); + if (T == NULL) + goto err; + + if (in == NULL) + R = BN_new(); + else + R = in; + if (R == NULL) + goto err; + + BN_one(X); + BN_zero(Y); + if (BN_copy(B, a) == NULL) + goto err; + if (BN_copy(A, n) == NULL) + goto err; + A->neg = 0; + + if (B->neg || (BN_ucmp(B, A) >= 0)) { + /* + * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, + * BN_div_no_branch will be called eventually. + */ + { + BIGNUM local_B; + bn_init(&local_B); + BN_with_flags(&local_B, B, BN_FLG_CONSTTIME); + if (!BN_nnmod(B, &local_B, A, ctx)) + goto err; + /* Ensure local_B goes out of scope before any further use of B */ + } + } + sign = -1; + /*- + * From B = a mod |n|, A = |n| it follows that + * + * 0 <= B < A, + * -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|). 
+ */ + + while (!BN_is_zero(B)) { + BIGNUM *tmp; + + /*- + * 0 < B < A, + * (*) -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|) + */ + + /* + * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, + * BN_div_no_branch will be called eventually. + */ + { + BIGNUM local_A; + bn_init(&local_A); + BN_with_flags(&local_A, A, BN_FLG_CONSTTIME); + + /* (D, M) := (A/B, A%B) ... */ + if (!BN_div(D, M, &local_A, B, ctx)) + goto err; + /* Ensure local_A goes out of scope before any further use of A */ + } + + /*- + * Now + * A = D*B + M; + * thus we have + * (**) sign*Y*a == D*B + M (mod |n|). + */ + + tmp = A; /* keep the BIGNUM object, the value does not + * matter */ + + /* (A, B) := (B, A mod B) ... */ + A = B; + B = M; + /* ... so we have 0 <= B < A again */ + + /*- + * Since the former M is now B and the former B is now A, + * (**) translates into + * sign*Y*a == D*A + B (mod |n|), + * i.e. + * sign*Y*a - D*A == B (mod |n|). + * Similarly, (*) translates into + * -sign*X*a == A (mod |n|). + * + * Thus, + * sign*Y*a + D*sign*X*a == B (mod |n|), + * i.e. + * sign*(Y + D*X)*a == B (mod |n|). + * + * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at + * -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|). + * Note that X and Y stay non-negative all the time. 
+ */ + + if (!BN_mul(tmp, D, X, ctx)) + goto err; + if (!BN_add(tmp, tmp, Y)) + goto err; + + M = Y; /* keep the BIGNUM object, the value does not + * matter */ *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@freebsd.org Sat Sep 26 21:45:34 2020 Return-Path: Delivered-To: svn-src-releng@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 629CD3E1938; Sat, 26 Sep 2020 21:45:34 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BzMlf1y40z47Cy; Sat, 26 Sep 2020 21:45:34 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 275962A72F; Sat, 26 Sep 2020 21:45:34 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 08QLjXSj031932; Sat, 26 Sep 2020 21:45:33 GMT (envelope-from mckusick@FreeBSD.org) Received: (from mckusick@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 08QLjX1b031931; Sat, 26 Sep 2020 21:45:33 GMT (envelope-from mckusick@FreeBSD.org) Message-Id: <202009262145.08QLjX1b031931@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mckusick set sender to mckusick@FreeBSD.org using -f 
From: Kirk McKusick Date: Sat, 26 Sep 2020 21:45:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r366187 - releng/12.2/sbin/growfs X-SVN-Group: releng X-SVN-Commit-Author: mckusick X-SVN-Commit-Paths: releng/12.2/sbin/growfs X-SVN-Commit-Revision: 366187 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Sep 2020 21:45:34 -0000 Author: mckusick Date: Sat Sep 26 21:45:33 2020 New Revision: 366187 URL: https://svnweb.freebsd.org/changeset/base/366187 Log: MFS of 366163 from stable/12 which is MFC of 365992 from head. Update check-hash when doing large UFS filesystem expansions. Approved by: re@ (Glen Barber) Sponsored by: Netflix Modified: releng/12.2/sbin/growfs/growfs.c Directory Properties: releng/12.2/ (props changed) Modified: releng/12.2/sbin/growfs/growfs.c ============================================================================== --- releng/12.2/sbin/growfs/growfs.c Sat Sep 26 16:27:09 2020 (r366186) +++ releng/12.2/sbin/growfs/growfs.c Sat Sep 26 21:45:33 2020 (r366187) @@ -572,6 +572,7 @@ updjcg(int cylno, time_t modtime, int fsi, int fso, un if (sblock.fs_magic == FS_UFS1_MAGIC) acg.cg_old_ncyl = sblock.fs_old_cpg; + cgckhash(&acg); wtfs(fsbtodb(&sblock, cgtod(&sblock, cylno)), (size_t)sblock.fs_cgsize, (void *)&acg, fso, Nflag); DBG_PRINT0("jcg written\n"); 
@@ -947,6 +948,7 @@ updcsloc(time_t modtime, int fsi, int fso, unsigned in * Now write the former cylinder group containing the cylinder * summary back to disk. */ + cgckhash(&acg); wtfs(fsbtodb(&sblock, cgtod(&sblock, ocscg)), (size_t)sblock.fs_cgsize, (void *)&acg, fso, Nflag); DBG_PRINT0("oscg written\n"); @@ -1039,6 +1041,7 @@ updcsloc(time_t modtime, int fsi, int fso, unsigned in * Write the new cylinder group containing the cylinder summary * back to disk. */ + cgckhash(&acg); wtfs(fsbtodb(&sblock, cgtod(&sblock, ncscg)), (size_t)sblock.fs_cgsize, (void *)&acg, fso, Nflag); DBG_PRINT0("nscg written\n");
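Review bot: In the updjcg() hunk (@@ -572,6 +572,7), cgckhash(&acg) is called unconditionally, directly after the FS_UFS1_MAGIC branch that sets acg.cg_old_ncyl, so it also runs for UFS1 and for any filesystem that does not use cylinder group check-hashes. Please confirm that cgckhash() leaves acg untouched when the superblock does not enable cylinder group hashes, and say so in a one-line comment above the call. If it does not, guard the call at this site.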
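Review bot: The two updcsloc() hunks (@@ -947,6 +948,7 and @@ -1039,6 +1041,7) repeat the cgckhash(&acg) call followed by wtfs(fsbtodb(&sblock, cgtod(&sblock, ...)), (size_t)sblock.fs_cgsize, (void *)&acg, fso, Nflag) that updjcg() now has as well. With three hand-written copies, the next cylinder group write site can miss the hash step again, which is the omission this commit corrects. Consider a small helper that takes the cylinder group number, computes the hash as the last step after all changes to acg, and then calls wtfs(), and use it at the ocscg and ncscg writes. The log message would also be more useful if it named the symptom the stale check-hash caused after a large expansion.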