git: c1ca6b7ba3de - stable/13 - Merge bearssl-20220418

From: Simon J. Gerraty <sjg_at_FreeBSD.org>
Date: Sun, 16 Apr 2023 02:53:22 UTC
The branch stable/13 has been updated by sjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=c1ca6b7ba3de3a9a50f1c53cba79e321fab37990

commit c1ca6b7ba3de3a9a50f1c53cba79e321fab37990
Author:     Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2022-04-18 21:47:09 +0000
Commit:     Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2023-04-16 02:50:10 +0000

    Merge bearssl-20220418
    
    Main change is a callback for checking validity period of certificates.
    
    Merge commit 'f6acb9b9f81c96ae7c9592bee1bb89c4357cc3e5'
    
    Add -DHAVE_BR_X509_TIME_CHECK to libsecureboot/Makefile.inc
    
    (cherry picked from commit cc9e6590773dba57440750c124173ed531349a06)
---
 contrib/bearssl/.gitignore                     |   6 +
 contrib/bearssl/T0Comp.exe                     | Bin 72704 -> 73216 bytes
 contrib/bearssl/flist                          | 459 +++++++++++++++
 contrib/bearssl/inc/bearssl_ec.h               |   2 +-
 contrib/bearssl/inc/bearssl_hash.h             |   4 +-
 contrib/bearssl/inc/bearssl_ssl.h              |   8 +-
 contrib/bearssl/inc/bearssl_x509.h             |  83 ++-
 contrib/bearssl/src/config.h                   |  22 +-
 contrib/bearssl/src/ec/ec_c25519_m64.c         |   4 -
 contrib/bearssl/src/ec/ec_p256_m15.c           |  22 +-
 contrib/bearssl/src/ec/ec_p256_m31.c           |  22 +-
 contrib/bearssl/src/ec/ec_p256_m62.c           |   2 +-
 contrib/bearssl/src/ec/ec_p256_m64.c           |  67 ++-
 contrib/bearssl/src/ec/ec_prime_i15.c          |  10 +-
 contrib/bearssl/src/ec/ec_prime_i31.c          |  13 +-
 contrib/bearssl/src/inner.h                    |  26 +-
 contrib/bearssl/src/rand/sysrng.c              |  88 ++-
 contrib/bearssl/src/rsa/rsa_i15_keygen.c       |   6 +-
 contrib/bearssl/src/rsa/rsa_i15_modulus.c      |   2 +-
 contrib/bearssl/src/rsa/rsa_i31_keygen_inner.c |   6 +-
 contrib/bearssl/src/rsa/rsa_i31_modulus.c      |   2 +-
 contrib/bearssl/src/ssl/ssl_engine.c           |  15 +
 contrib/bearssl/src/ssl/ssl_rec_cbc.c          |   2 +-
 contrib/bearssl/src/x509/asn1.t0               |   2 +-
 contrib/bearssl/src/x509/skey_decoder.c        |   2 +-
 contrib/bearssl/src/x509/skey_decoder.t0       |   2 +-
 contrib/bearssl/src/x509/x509_minimal.c        | 751 +++++++++++++------------
 contrib/bearssl/src/x509/x509_minimal.t0       |  80 ++-
 contrib/bearssl/test/test_crypto.c             |   4 +-
 contrib/bearssl/test/test_x509.c               | 210 ++++---
 contrib/bearssl/tools/sslio.c                  |   2 +-
 lib/libsecureboot/Makefile.inc                 |   2 +
 lib/libsecureboot/vets.c                       |   2 +-
 33 files changed, 1358 insertions(+), 570 deletions(-)

diff --git a/contrib/bearssl/.gitignore b/contrib/bearssl/.gitignore
new file mode 100644
index 000000000000..7da362eddc00
--- /dev/null
+++ b/contrib/bearssl/.gitignore
@@ -0,0 +1,6 @@
+/build/
+/libbearssl.a
+/brssl
+/testcrypto
+/testspeed
+/testx509
diff --git a/contrib/bearssl/T0Comp.exe b/contrib/bearssl/T0Comp.exe
index 67eba109800e..de2364d69e07 100755
Binary files a/contrib/bearssl/T0Comp.exe and b/contrib/bearssl/T0Comp.exe differ
diff --git a/contrib/bearssl/flist b/contrib/bearssl/flist
new file mode 100644
index 000000000000..9751ad231065
--- /dev/null
+++ b/contrib/bearssl/flist
@@ -0,0 +1,459 @@
+T0/BlobWriter.cs
+T0/CPU.cs
+T0/CodeElement.cs
+T0/CodeElementJump.cs
+T0/CodeElementUInt.cs
+T0/CodeElementUIntExpr.cs
+T0/CodeElementUIntInt.cs
+T0/CodeElementUIntUInt.cs
+T0/ConstData.cs
+T0/Opcode.cs
+T0/OpcodeCall.cs
+T0/OpcodeConst.cs
+T0/OpcodeGetLocal.cs
+T0/OpcodeJump.cs
+T0/OpcodeJumpIf.cs
+T0/OpcodeJumpIfNot.cs
+T0/OpcodeJumpUncond.cs
+T0/OpcodePutLocal.cs
+T0/OpcodeRet.cs
+T0/SType.cs
+T0/T0Comp.cs
+T0/TPointerBase.cs
+T0/TPointerBlob.cs
+T0/TPointerExpr.cs
+T0/TPointerNull.cs
+T0/TPointerXT.cs
+T0/TValue.cs
+T0/Word.cs
+T0/WordBuilder.cs
+T0/WordData.cs
+T0/WordInterpreted.cs
+T0/WordNative.cs
+T0/kern.t0
+conf/Unix.mk
+conf/Unix32.mk
+conf/UnixClang.mk
+conf/Win.mk
+conf/samd20.mk
+inc/bearssl.h
+inc/bearssl_aead.h
+inc/bearssl_block.h
+inc/bearssl_ec.h
+inc/bearssl_hash.h
+inc/bearssl_hmac.h
+inc/bearssl_kdf.h
+inc/bearssl_pem.h
+inc/bearssl_prf.h
+inc/bearssl_rand.h
+inc/bearssl_rsa.h
+inc/bearssl_ssl.h
+inc/bearssl_x509.h
+mk/Defaults.mk
+mk/NMake.mk
+mk/Rules.mk
+mk/SingleUnix.mk
+mk/mkT0.cmd
+mk/mkT0.sh
+mk/mkrules.sh
+samples/README.txt
+samples/cert-ee-ec+rsa.pem
+samples/cert-ee-ec.pem
+samples/cert-ee-rsa.pem
+samples/cert-ica-ec.pem
+samples/cert-ica-rsa.pem
+samples/cert-root-ec.pem
+samples/cert-root-rsa.pem
+samples/chain-ec+rsa.h
+samples/chain-ec.h
+samples/chain-rsa.h
+samples/client_basic.c
+samples/custom_profile.c
+samples/key-ec.h
+samples/key-ee-ec.pem
+samples/key-ee-rsa.pem
+samples/key-ica-ec.pem
+samples/key-ica-rsa.pem
+samples/key-root-ec.pem
+samples/key-root-rsa.pem
+samples/key-rsa.h
+samples/server_basic.c
+src/aead/ccm.c
+src/aead/eax.c
+src/aead/gcm.c
+src/codec/ccopy.c
+src/codec/dec16be.c
+src/codec/dec16le.c
+src/codec/dec32be.c
+src/codec/dec32le.c
+src/codec/dec64be.c
+src/codec/dec64le.c
+src/codec/enc16be.c
+src/codec/enc16le.c
+src/codec/enc32be.c
+src/codec/enc32le.c
+src/codec/enc64be.c
+src/codec/enc64le.c
+src/codec/pemdec.c
+src/codec/pemdec.t0
+src/codec/pemenc.c
+src/config.h
+src/ec/ec_all_m15.c
+src/ec/ec_all_m31.c
+src/ec/ec_c25519_i15.c
+src/ec/ec_c25519_i31.c
+src/ec/ec_c25519_m15.c
+src/ec/ec_c25519_m31.c
+src/ec/ec_c25519_m62.c
+src/ec/ec_c25519_m64.c
+src/ec/ec_curve25519.c
+src/ec/ec_default.c
+src/ec/ec_keygen.c
+src/ec/ec_p256_m15.c
+src/ec/ec_p256_m31.c
+src/ec/ec_p256_m62.c
+src/ec/ec_p256_m64.c
+src/ec/ec_prime_i15.c
+src/ec/ec_prime_i31.c
+src/ec/ec_pubkey.c
+src/ec/ec_secp256r1.c
+src/ec/ec_secp384r1.c
+src/ec/ec_secp521r1.c
+src/ec/ecdsa_atr.c
+src/ec/ecdsa_default_sign_asn1.c
+src/ec/ecdsa_default_sign_raw.c
+src/ec/ecdsa_default_vrfy_asn1.c
+src/ec/ecdsa_default_vrfy_raw.c
+src/ec/ecdsa_i15_bits.c
+src/ec/ecdsa_i15_sign_asn1.c
+src/ec/ecdsa_i15_sign_raw.c
+src/ec/ecdsa_i15_vrfy_asn1.c
+src/ec/ecdsa_i15_vrfy_raw.c
+src/ec/ecdsa_i31_bits.c
+src/ec/ecdsa_i31_sign_asn1.c
+src/ec/ecdsa_i31_sign_raw.c
+src/ec/ecdsa_i31_vrfy_asn1.c
+src/ec/ecdsa_i31_vrfy_raw.c
+src/ec/ecdsa_rta.c
+src/hash/dig_oid.c
+src/hash/dig_size.c
+src/hash/ghash_ctmul.c
+src/hash/ghash_ctmul32.c
+src/hash/ghash_ctmul64.c
+src/hash/ghash_pclmul.c
+src/hash/ghash_pwr8.c
+src/hash/md5.c
+src/hash/md5sha1.c
+src/hash/mgf1.c
+src/hash/multihash.c
+src/hash/sha1.c
+src/hash/sha2big.c
+src/hash/sha2small.c
+src/inner.h
+src/int/i15_add.c
+src/int/i15_bitlen.c
+src/int/i15_decmod.c
+src/int/i15_decode.c
+src/int/i15_decred.c
+src/int/i15_encode.c
+src/int/i15_fmont.c
+src/int/i15_iszero.c
+src/int/i15_moddiv.c
+src/int/i15_modpow.c
+src/int/i15_modpow2.c
+src/int/i15_montmul.c
+src/int/i15_mulacc.c
+src/int/i15_muladd.c
+src/int/i15_ninv15.c
+src/int/i15_reduce.c
+src/int/i15_rshift.c
+src/int/i15_sub.c
+src/int/i15_tmont.c
+src/int/i31_add.c
+src/int/i31_bitlen.c
+src/int/i31_decmod.c
+src/int/i31_decode.c
+src/int/i31_decred.c
+src/int/i31_encode.c
+src/int/i31_fmont.c
+src/int/i31_iszero.c
+src/int/i31_moddiv.c
+src/int/i31_modpow.c
+src/int/i31_modpow2.c
+src/int/i31_montmul.c
+src/int/i31_mulacc.c
+src/int/i31_muladd.c
+src/int/i31_ninv31.c
+src/int/i31_reduce.c
+src/int/i31_rshift.c
+src/int/i31_sub.c
+src/int/i31_tmont.c
+src/int/i32_add.c
+src/int/i32_bitlen.c
+src/int/i32_decmod.c
+src/int/i32_decode.c
+src/int/i32_decred.c
+src/int/i32_div32.c
+src/int/i32_encode.c
+src/int/i32_fmont.c
+src/int/i32_iszero.c
+src/int/i32_modpow.c
+src/int/i32_montmul.c
+src/int/i32_mulacc.c
+src/int/i32_muladd.c
+src/int/i32_ninv32.c
+src/int/i32_reduce.c
+src/int/i32_sub.c
+src/int/i32_tmont.c
+src/int/i62_modpow2.c
+src/kdf/hkdf.c
+src/kdf/shake.c
+src/mac/hmac.c
+src/mac/hmac_ct.c
+src/rand/aesctr_drbg.c
+src/rand/hmac_drbg.c
+src/rand/sysrng.c
+src/rsa/rsa_default_keygen.c
+src/rsa/rsa_default_modulus.c
+src/rsa/rsa_default_oaep_decrypt.c
+src/rsa/rsa_default_oaep_encrypt.c
+src/rsa/rsa_default_pkcs1_sign.c
+src/rsa/rsa_default_pkcs1_vrfy.c
+src/rsa/rsa_default_priv.c
+src/rsa/rsa_default_privexp.c
+src/rsa/rsa_default_pss_sign.c
+src/rsa/rsa_default_pss_vrfy.c
+src/rsa/rsa_default_pub.c
+src/rsa/rsa_default_pubexp.c
+src/rsa/rsa_i15_keygen.c
+src/rsa/rsa_i15_modulus.c
+src/rsa/rsa_i15_oaep_decrypt.c
+src/rsa/rsa_i15_oaep_encrypt.c
+src/rsa/rsa_i15_pkcs1_sign.c
+src/rsa/rsa_i15_pkcs1_vrfy.c
+src/rsa/rsa_i15_priv.c
+src/rsa/rsa_i15_privexp.c
+src/rsa/rsa_i15_pss_sign.c
+src/rsa/rsa_i15_pss_vrfy.c
+src/rsa/rsa_i15_pub.c
+src/rsa/rsa_i15_pubexp.c
+src/rsa/rsa_i31_keygen.c
+src/rsa/rsa_i31_keygen_inner.c
+src/rsa/rsa_i31_modulus.c
+src/rsa/rsa_i31_oaep_decrypt.c
+src/rsa/rsa_i31_oaep_encrypt.c
+src/rsa/rsa_i31_pkcs1_sign.c
+src/rsa/rsa_i31_pkcs1_vrfy.c
+src/rsa/rsa_i31_priv.c
+src/rsa/rsa_i31_privexp.c
+src/rsa/rsa_i31_pss_sign.c
+src/rsa/rsa_i31_pss_vrfy.c
+src/rsa/rsa_i31_pub.c
+src/rsa/rsa_i31_pubexp.c
+src/rsa/rsa_i32_oaep_decrypt.c
+src/rsa/rsa_i32_oaep_encrypt.c
+src/rsa/rsa_i32_pkcs1_sign.c
+src/rsa/rsa_i32_pkcs1_vrfy.c
+src/rsa/rsa_i32_priv.c
+src/rsa/rsa_i32_pss_sign.c
+src/rsa/rsa_i32_pss_vrfy.c
+src/rsa/rsa_i32_pub.c
+src/rsa/rsa_i62_keygen.c
+src/rsa/rsa_i62_oaep_decrypt.c
+src/rsa/rsa_i62_oaep_encrypt.c
+src/rsa/rsa_i62_pkcs1_sign.c
+src/rsa/rsa_i62_pkcs1_vrfy.c
+src/rsa/rsa_i62_priv.c
+src/rsa/rsa_i62_pss_sign.c
+src/rsa/rsa_i62_pss_vrfy.c
+src/rsa/rsa_i62_pub.c
+src/rsa/rsa_oaep_pad.c
+src/rsa/rsa_oaep_unpad.c
+src/rsa/rsa_pkcs1_sig_pad.c
+src/rsa/rsa_pkcs1_sig_unpad.c
+src/rsa/rsa_pss_sig_pad.c
+src/rsa/rsa_pss_sig_unpad.c
+src/rsa/rsa_ssl_decrypt.c
+src/settings.c
+src/ssl/prf.c
+src/ssl/prf_md5sha1.c
+src/ssl/prf_sha256.c
+src/ssl/prf_sha384.c
+src/ssl/ssl_ccert_single_ec.c
+src/ssl/ssl_ccert_single_rsa.c
+src/ssl/ssl_client.c
+src/ssl/ssl_client_default_rsapub.c
+src/ssl/ssl_client_full.c
+src/ssl/ssl_engine.c
+src/ssl/ssl_engine_default_aescbc.c
+src/ssl/ssl_engine_default_aesccm.c
+src/ssl/ssl_engine_default_aesgcm.c
+src/ssl/ssl_engine_default_chapol.c
+src/ssl/ssl_engine_default_descbc.c
+src/ssl/ssl_engine_default_ec.c
+src/ssl/ssl_engine_default_ecdsa.c
+src/ssl/ssl_engine_default_rsavrfy.c
+src/ssl/ssl_hashes.c
+src/ssl/ssl_hs_client.c
+src/ssl/ssl_hs_client.t0
+src/ssl/ssl_hs_common.t0
+src/ssl/ssl_hs_server.c
+src/ssl/ssl_hs_server.t0
+src/ssl/ssl_io.c
+src/ssl/ssl_keyexport.c
+src/ssl/ssl_lru.c
+src/ssl/ssl_rec_cbc.c
+src/ssl/ssl_rec_ccm.c
+src/ssl/ssl_rec_chapol.c
+src/ssl/ssl_rec_gcm.c
+src/ssl/ssl_scert_single_ec.c
+src/ssl/ssl_scert_single_rsa.c
+src/ssl/ssl_server.c
+src/ssl/ssl_server_full_ec.c
+src/ssl/ssl_server_full_rsa.c
+src/ssl/ssl_server_mine2c.c
+src/ssl/ssl_server_mine2g.c
+src/ssl/ssl_server_minf2c.c
+src/ssl/ssl_server_minf2g.c
+src/ssl/ssl_server_minr2g.c
+src/ssl/ssl_server_minu2g.c
+src/ssl/ssl_server_minv2g.c
+src/symcipher/aes_big_cbcdec.c
+src/symcipher/aes_big_cbcenc.c
+src/symcipher/aes_big_ctr.c
+src/symcipher/aes_big_ctrcbc.c
+src/symcipher/aes_big_dec.c
+src/symcipher/aes_big_enc.c
+src/symcipher/aes_common.c
+src/symcipher/aes_ct.c
+src/symcipher/aes_ct64.c
+src/symcipher/aes_ct64_cbcdec.c
+src/symcipher/aes_ct64_cbcenc.c
+src/symcipher/aes_ct64_ctr.c
+src/symcipher/aes_ct64_ctrcbc.c
+src/symcipher/aes_ct64_dec.c
+src/symcipher/aes_ct64_enc.c
+src/symcipher/aes_ct_cbcdec.c
+src/symcipher/aes_ct_cbcenc.c
+src/symcipher/aes_ct_ctr.c
+src/symcipher/aes_ct_ctrcbc.c
+src/symcipher/aes_ct_dec.c
+src/symcipher/aes_ct_enc.c
+src/symcipher/aes_pwr8.c
+src/symcipher/aes_pwr8_cbcdec.c
+src/symcipher/aes_pwr8_cbcenc.c
+src/symcipher/aes_pwr8_ctr.c
+src/symcipher/aes_pwr8_ctrcbc.c
+src/symcipher/aes_small_cbcdec.c
+src/symcipher/aes_small_cbcenc.c
+src/symcipher/aes_small_ctr.c
+src/symcipher/aes_small_ctrcbc.c
+src/symcipher/aes_small_dec.c
+src/symcipher/aes_small_enc.c
+src/symcipher/aes_x86ni.c
+src/symcipher/aes_x86ni_cbcdec.c
+src/symcipher/aes_x86ni_cbcenc.c
+src/symcipher/aes_x86ni_ctr.c
+src/symcipher/aes_x86ni_ctrcbc.c
+src/symcipher/chacha20_ct.c
+src/symcipher/chacha20_sse2.c
+src/symcipher/des_ct.c
+src/symcipher/des_ct_cbcdec.c
+src/symcipher/des_ct_cbcenc.c
+src/symcipher/des_support.c
+src/symcipher/des_tab.c
+src/symcipher/des_tab_cbcdec.c
+src/symcipher/des_tab_cbcenc.c
+src/symcipher/poly1305_ctmul.c
+src/symcipher/poly1305_ctmul32.c
+src/symcipher/poly1305_ctmulq.c
+src/symcipher/poly1305_i15.c
+src/x509/asn1.t0
+src/x509/asn1enc.c
+src/x509/encode_ec_pk8der.c
+src/x509/encode_ec_rawder.c
+src/x509/encode_rsa_pk8der.c
+src/x509/encode_rsa_rawder.c
+src/x509/skey_decoder.c
+src/x509/skey_decoder.t0
+src/x509/x509_decoder.c
+src/x509/x509_decoder.t0
+src/x509/x509_knownkey.c
+src/x509/x509_minimal.c
+src/x509/x509_minimal.t0
+src/x509/x509_minimal_full.c
+test/test_crypto.c
+test/test_math.c
+test/test_speed.c
+test/test_x509.c
+test/x509/alltests.txt
+test/x509/dn-ee.der
+test/x509/dn-ica1.der
+test/x509/dn-ica2.der
+test/x509/dn-root-new.der
+test/x509/dn-root.der
+test/x509/ee-badsig1.crt
+test/x509/ee-badsig2.crt
+test/x509/ee-cp1.crt
+test/x509/ee-cp2.crt
+test/x509/ee-cp3.crt
+test/x509/ee-cp4.crt
+test/x509/ee-dates.crt
+test/x509/ee-md5.crt
+test/x509/ee-names.crt
+test/x509/ee-names2.crt
+test/x509/ee-names3.crt
+test/x509/ee-names4.crt
+test/x509/ee-p256-sha1.crt
+test/x509/ee-p256-sha224.crt
+test/x509/ee-p256-sha256.crt
+test/x509/ee-p256-sha384.crt
+test/x509/ee-p256-sha512.crt
+test/x509/ee-p256.crt
+test/x509/ee-p384.crt
+test/x509/ee-p521.crt
+test/x509/ee-sha1.crt
+test/x509/ee-sha224.crt
+test/x509/ee-sha384.crt
+test/x509/ee-sha512.crt
+test/x509/ee-trailing.crt
+test/x509/ee.crt
+test/x509/ica1-1016.crt
+test/x509/ica1-1017.crt
+test/x509/ica1-4096.crt
+test/x509/ica1-p256.crt
+test/x509/ica1-p384.crt
+test/x509/ica1-p521.crt
+test/x509/ica1.crt
+test/x509/ica2-1016.crt
+test/x509/ica2-1017.crt
+test/x509/ica2-4096.crt
+test/x509/ica2-notCA.crt
+test/x509/ica2-p256.crt
+test/x509/ica2-p384.crt
+test/x509/ica2-p521.crt
+test/x509/ica2.crt
+test/x509/junk.crt
+test/x509/names.crt
+test/x509/root-p256.crt
+test/x509/root-p384.crt
+test/x509/root-p521.crt
+test/x509/root.crt
+tools/brssl.c
+tools/brssl.h
+tools/certs.c
+tools/chain.c
+tools/client.c
+tools/errors.c
+tools/files.c
+tools/impl.c
+tools/keys.c
+tools/names.c
+tools/server.c
+tools/skey.c
+tools/sslio.c
+tools/ta.c
+tools/twrch.c
+tools/vector.c
+tools/verify.c
+tools/xmem.c
diff --git a/contrib/bearssl/inc/bearssl_ec.h b/contrib/bearssl/inc/bearssl_ec.h
index f954309eb6c1..acd3a2bf5a55 100644
--- a/contrib/bearssl/inc/bearssl_ec.h
+++ b/contrib/bearssl/inc/bearssl_ec.h
@@ -108,7 +108,7 @@ extern "C" {
  *
  *   - The multipliers (integers) MUST be lower than the subgroup order.
  *     If this property is not met, then the result is indeterminate,
- *     but an error value is not ncessearily returned.
+ *     but an error value is not necessarily returned.
  * 
  *
  * ## ECDSA
diff --git a/contrib/bearssl/inc/bearssl_hash.h b/contrib/bearssl/inc/bearssl_hash.h
index 3b15ba7ca487..ca4fa26cc4aa 100644
--- a/contrib/bearssl/inc/bearssl_hash.h
+++ b/contrib/bearssl/inc/bearssl_hash.h
@@ -724,7 +724,7 @@ void br_sha256_update(br_sha256_context *ctx, const void *data, size_t len);
  */
 void br_sha256_out(const br_sha256_context *ctx, void *out);
 
-#if BR_DOXYGEN_IGNORE
+#ifdef BR_DOXYGEN_IGNORE
 /**
  * \brief Save SHA-256 running state.
  *
@@ -742,7 +742,7 @@ uint64_t br_sha256_state(const br_sha256_context *ctx, void *out);
 #define br_sha256_state       br_sha224_state
 #endif
 
-#if BR_DOXYGEN_IGNORE
+#ifdef BR_DOXYGEN_IGNORE
 /**
  * \brief Restore SHA-256 running state.
  *
diff --git a/contrib/bearssl/inc/bearssl_ssl.h b/contrib/bearssl/inc/bearssl_ssl.h
index 8c8c86bdb50a..e91df4755690 100644
--- a/contrib/bearssl/inc/bearssl_ssl.h
+++ b/contrib/bearssl/inc/bearssl_ssl.h
@@ -1250,8 +1250,8 @@ static inline void
 br_ssl_engine_set_versions(br_ssl_engine_context *cc,
 	unsigned version_min, unsigned version_max)
 {
-	cc->version_min = version_min;
-	cc->version_max = version_max;
+	cc->version_min = (uint16_t)version_min;
+	cc->version_max = (uint16_t)version_max;
 }
 
 /**
@@ -1324,7 +1324,7 @@ br_ssl_engine_set_protocol_names(br_ssl_engine_context *ctx,
 	const char **names, size_t num)
 {
 	ctx->protocol_names = names;
-	ctx->protocol_names_num = num;
+	ctx->protocol_names_num = (uint16_t)num;
 }
 
 /**
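Review bot: The cast `ctx->protocol_names_num = (uint16_t)num;` silences the narrowing warning but keeps the truncation: a caller passing more than 65535 names gets a wrapped count that no longer matches the `names` array, with no error path since the setter returns void. Since the limit is now fixed by the field width rather than incidental, it should at least be stated at the call site, e.g. `/* protocol_names_num is 16-bit; callers must pass num <= 65535 */`, and ideally in the doc comment of br_ssl_engine_set_protocol_names, which starts outside this hunk. The version_min/version_max casts in the previous hunk are fine as TLS version codes are 16-bit by definition.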
@@ -2102,7 +2102,7 @@ void br_ssl_engine_sendapp_ack(br_ssl_engine_context *cc, size_t len);
 /**
  * \brief Get buffer for received application data.
  *
- * If the engine has received application data from the peer, hen this
+ * If the engine has received application data from the peer, then this
  * call returns a pointer to the buffer from where such data shall be
  * read, and its length is written in `*len`. Otherwise, `*len` is set
  * to 0 and `NULL` is returned.
diff --git a/contrib/bearssl/inc/bearssl_x509.h b/contrib/bearssl/inc/bearssl_x509.h
index 49d2fba0d5bc..7668e1de53a2 100644
--- a/contrib/bearssl/inc/bearssl_x509.h
+++ b/contrib/bearssl/inc/bearssl_x509.h
@@ -625,6 +625,52 @@ typedef struct {
 
 } br_name_element;
 
+/**
+ * \brief Callback for validity date checks.
+ *
+ * The function receives as parameter an arbitrary user-provided context,
+ * and the notBefore and notAfter dates specified in an X.509 certificate,
+ * both expressed as a number of days and a number of seconds:
+ *
+ *   - Days are counted in a proleptic Gregorian calendar since
+ *     January 1st, 0 AD. Year "0 AD" is the one that preceded "1 AD";
+ *     it is also traditionally known as "1 BC".
+ *
+ *   - Seconds are counted since midnight, from 0 to 86400 (a count of
+ *     86400 is possible only if a leap second happened).
+ *
+ * Each date and time is understood in the UTC time zone. The "Unix
+ * Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528 and
+ * seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is
+ * days=584754, seconds=0.
+ *
+ * This function must return -1 if the current date is strictly before
+ * the "notBefore" time, or +1 if the current date is strictly after the
+ * "notAfter" time. If neither condition holds, then the function returns
+ * 0, which means that the current date falls within the validity range of
+ * the certificate. If the function returns a value distinct from -1, 0
+ * and +1, then this is interpreted as an unavailability of the current
+ * time, which normally ends the validation process with a
+ * `BR_ERR_X509_TIME_UNKNOWN` error.
+ *
+ * During path validation, this callback will be invoked for each
+ * considered X.509 certificate. Validation fails if any of the calls
+ * returns a non-zero value.
+ *
+ * The context value is an abritrary pointer set by the caller when
+ * configuring this callback.
+ *
+ * \param tctx                 context pointer.
+ * \param not_before_days      notBefore date (days since Jan 1st, 0 AD).
+ * \param not_before_seconds   notBefore time (seconds, at most 86400).
+ * \param not_after_days       notAfter date (days since Jan 1st, 0 AD).
+ * \param not_after_seconds    notAfter time (seconds, at most 86400).
+ * \return  -1, 0 or +1.
+ */
+typedef int (*br_x509_time_check)(void *tctx,
+	uint32_t not_before_days, uint32_t not_before_seconds,
+	uint32_t not_after_days, uint32_t not_after_seconds);
+
 /**
  * \brief The "minimal" X.509 engine structure.
  *
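Review bot: The new br_x509_time_check doc comment has a typo in the paragraph describing the context argument: `* The context value is an abritrary pointer set by the caller when` should read `* The context value is an arbitrary pointer set by the caller when`. The rest of the contract (-1/0/+1 with any other value meaning "time unavailable" and mapping to BR_ERR_X509_TIME_UNKNOWN) is clearly specified, which matters because a callback author who returns a plain boolean would otherwise silently turn "valid" into "time unknown".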
@@ -647,8 +693,8 @@ typedef struct {
 		uint32_t *rp;
 		const unsigned char *ip;
 	} cpu;
-	uint32_t dp_stack[32];
-	uint32_t rp_stack[32];
+	uint32_t dp_stack[31];
+	uint32_t rp_stack[31];
 	int err;
 
 	/* Server name to match with the SAN / CN of the EE certificate. */
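Review bot: Shrinking `dp_stack` and `rp_stack` from 32 to 31 entries is unexplained in the hunk, and since these back the T0 interpreter an undersized stack would be a plain out-of-bounds write inside the certificate decoder; a comment such as `/* Sized to the maximum stack depth computed by T0Comp for x509_minimal.t0 */` would tie the number to its source (I cannot see the .t0 changes on this page to confirm the depth). Together with the itime_ctx/itime fields added in the next hunk this also changes the size and layout of br_x509_minimal_context, so anything that embeds the struct by value, such as lib/libsecureboot listed in the diffstat, must be rebuilt against the new header in the same update.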
@@ -723,6 +769,12 @@ typedef struct {
 	br_name_element *name_elts;
 	size_t num_name_elts;
 
+	/*
+	 * Callback function (and context) to get the current date.
+	 */
+	void *itime_ctx;
+	br_x509_time_check itime;
+
 	/*
 	 * Public key cryptography implementations (signature verification).
 	 */
@@ -853,7 +905,10 @@ void br_x509_minimal_init_full(br_x509_minimal_context *ctx,
  *   - Seconds are counted since midnight, from 0 to 86400 (a count of
  *     86400 is possible only if a leap second happened).
  *
- * The validation date and time is understood in the UTC time zone.
+ * The validation date and time is understood in the UTC time zone. The
+ * "Unix Epoch" (January 1st, 1970, 00:00 UTC) corresponds to days=719528
+ * and seconds=0; the "Windows Epoch" (January 1st, 1601, 00:00 UTC) is
+ * days=584754, seconds=0.
  *
  * If the validation date and time are not explicitly set, but BearSSL
  * was compiled with support for the system clock on the underlying
@@ -871,6 +926,28 @@ br_x509_minimal_set_time(br_x509_minimal_context *ctx,
 {
 	ctx->days = days;
 	ctx->seconds = seconds;
+	ctx->itime = 0;
+}
+
+/**
+ * \brief Set the validity range callback function for the X.509
+ * "minimal" engine.
+ *
+ * The provided function will be invoked to check whether the validation
+ * date is within the validity range for a given X.509 certificate; a
+ * call will be issued for each considered certificate. The provided
+ * context pointer (itime_ctx) will be passed as first parameter to the
+ * callback.
+ *
+ * \param tctx   context for callback invocation.
+ * \param cb     callback function.
+ */
+static inline void
+br_x509_minimal_set_time_callback(br_x509_minimal_context *ctx,
+	void *itime_ctx, br_x509_time_check itime)
+{
+	ctx->itime_ctx = itime_ctx;
+	ctx->itime = itime;
 }
 
 /**
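Review bot: The Doxygen block for br_x509_minimal_set_time_callback documents parameters `tctx` and `cb` that do not exist, while the actual parameters `ctx`, `itime_ctx` and `itime` are left undocumented; it should read `\param ctx         X.509 engine context.`, `\param itime_ctx   context for callback invocation.`, `\param itime       callback function.`. The assignment `ctx->itime = 0;` added to br_x509_minimal_set_time stores an integer constant into a function pointer; `ctx->itime = NULL;` is the idiomatic form. It would also help to state in both setters that the two mechanisms are mutually exclusive, i.e. that set_time clears any callback and (presumably, I cannot see x509_minimal.c here) a set callback takes precedence over the stored days/seconds.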
diff --git a/contrib/bearssl/src/config.h b/contrib/bearssl/src/config.h
index 8ea4d8af8d61..94627a23c038 100644
--- a/contrib/bearssl/src/config.h
+++ b/contrib/bearssl/src/config.h
@@ -109,9 +109,27 @@
 #define BR_RDRAND   1
  */
 
+/*
+ * When BR_USE_GETENTROPY is enabled, the SSL engine will use the
+ * getentropy() function to obtain quality randomness for seeding its
+ * internal PRNG. On Linux and FreeBSD, getentropy() is implemented by
+ * the standard library with the system call getrandom(); on OpenBSD,
+ * getentropy() is the system call, and there is no getrandom() wrapper,
+ * hence the use of the getentropy() function for maximum portability.
+ *
+ * If the getentropy() call fails, and BR_USE_URANDOM is not explicitly
+ * disabled, then /dev/urandom will be used as a fallback mechanism. On
+ * FreeBSD and OpenBSD, this does not change much, since /dev/urandom
+ * will block if not enough entropy has been obtained since last boot.
+ * On Linux, /dev/urandom might not block, which can be troublesome in
+ * early boot stages, which is why getentropy() is preferred.
+ *
+#define BR_USE_GETENTROPY   1
+ */
+
 /*
  * When BR_USE_URANDOM is enabled, the SSL engine will use /dev/urandom
- * to automatically obtain quality randomness for seedings its internal
+ * to automatically obtain quality randomness for seeding its internal
  * PRNG.
  *
 #define BR_USE_URANDOM   1
@@ -120,7 +138,7 @@
 /*
  * When BR_USE_WIN32_RAND is enabled, the SSL engine will use the Win32
  * (CryptoAPI) functions (CryptAcquireContext(), CryptGenRandom()...) to
- * automatically obtain quality randomness for seedings its internal PRNG.
+ * automatically obtain quality randomness for seeding its internal PRNG.
  *
  * Note: if both BR_USE_URANDOM and BR_USE_WIN32_RAND are defined, the
  * former takes precedence.
diff --git a/contrib/bearssl/src/ec/ec_c25519_m64.c b/contrib/bearssl/src/ec/ec_c25519_m64.c
index 7e7f12f7e3ad..df4883467d4a 100644
--- a/contrib/bearssl/src/ec/ec_c25519_m64.c
+++ b/contrib/bearssl/src/ec/ec_c25519_m64.c
@@ -158,10 +158,6 @@ f255_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
 
 /*
  * Subtraction.
- * On input, limbs must fit on 60 bits each. On output, result is
- * partially reduced, with max value 2^255+19456; moreover, all
- * limbs will fit on 51 bits, except the low limb, which may have
- * value up to 2^51+19455.
  */
 static inline void
 f255_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
diff --git a/contrib/bearssl/src/ec/ec_p256_m15.c b/contrib/bearssl/src/ec/ec_p256_m15.c
index 8d68d1d21bdb..05800d87f46a 100644
--- a/contrib/bearssl/src/ec/ec_p256_m15.c
+++ b/contrib/bearssl/src/ec/ec_p256_m15.c
@@ -2039,12 +2039,13 @@ api_mul(unsigned char *G, size_t Glen,
 	p256_jacobian P;
 
 	(void)curve;
+	if (Glen != 65) {
+		return 0;
+	}
 	r = p256_decode(&P, G, Glen);
 	p256_mul(&P, x, xlen);
-	if (Glen >= 65) {
-		p256_to_affine(&P);
-		p256_encode(G, &P);
-	}
+	p256_to_affine(&P);
+	p256_encode(G, &P);
 	return r;
 }
 
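Review bot: The new guard `if (Glen != 65) { return 0; }` in api_mul is the right shape, rejecting the input before p256_decode is ever reached, but the literal 65 is a magic number repeated in api_muladd below and again in the identical hunks of ec_p256_m31.c. A comment such as `/* 65 = 0x04 || X || Y, the only accepted (uncompressed) P-256 point encoding */` or a file-level constant would make the check self-explaining and keep the three sites from drifting apart. Note that on the early-return path G is now left untouched, whereas r == 0 from a failed decode still results in G being overwritten with the encoding of an undefined point; that asymmetry is pre-existing but worth a line in the function comment.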
@@ -2059,16 +2060,6 @@ api_mulgen(unsigned char *R,
 	p256_to_affine(&P);
 	p256_encode(R, &P);
 	return 65;
-
-	/*
-	const unsigned char *G;
-	size_t Glen;
-
-	G = api_generator(curve, &Glen);
-	memcpy(R, G, Glen);
-	api_mul(R, Glen, x, xlen, curve);
-	return Glen;
-	*/
 }
 
 static uint32_t
@@ -2081,6 +2072,9 @@ api_muladd(unsigned char *A, const unsigned char *B, size_t len,
 	int i;
 
 	(void)curve;
+	if (len != 65) {
+		return 0;
+	}
 	r = p256_decode(&P, A, len);
 	p256_mul(&P, x, xlen);
 	if (B == NULL) {
diff --git a/contrib/bearssl/src/ec/ec_p256_m31.c b/contrib/bearssl/src/ec/ec_p256_m31.c
index d57ef7b097ff..b185937e1606 100644
--- a/contrib/bearssl/src/ec/ec_p256_m31.c
+++ b/contrib/bearssl/src/ec/ec_p256_m31.c
@@ -1384,12 +1384,13 @@ api_mul(unsigned char *G, size_t Glen,
 	p256_jacobian P;
 
 	(void)curve;
+	if (Glen != 65) {
+		return 0;
+	}
 	r = p256_decode(&P, G, Glen);
 	p256_mul(&P, x, xlen);
-	if (Glen >= 65) {
-		p256_to_affine(&P);
-		p256_encode(G, &P);
-	}
+	p256_to_affine(&P);
+	p256_encode(G, &P);
 	return r;
 }
 
@@ -1404,16 +1405,6 @@ api_mulgen(unsigned char *R,
 	p256_to_affine(&P);
 	p256_encode(R, &P);
 	return 65;
-
-	/*
-	const unsigned char *G;
-	size_t Glen;
-
-	G = api_generator(curve, &Glen);
-	memcpy(R, G, Glen);
-	api_mul(R, Glen, x, xlen, curve);
-	return Glen;
-	*/
 }
 
 static uint32_t
@@ -1426,6 +1417,9 @@ api_muladd(unsigned char *A, const unsigned char *B, size_t len,
 	int i;
 
 	(void)curve;
+	if (len != 65) {
+		return 0;
+	}
 	r = p256_decode(&P, A, len);
 	p256_mul(&P, x, xlen);
 	if (B == NULL) {
diff --git a/contrib/bearssl/src/ec/ec_p256_m62.c b/contrib/bearssl/src/ec/ec_p256_m62.c
index 3bcb95b5b19b..a4317905204d 100644
--- a/contrib/bearssl/src/ec/ec_p256_m62.c
+++ b/contrib/bearssl/src/ec/ec_p256_m62.c
@@ -580,7 +580,7 @@ f256_final_reduce(uint64_t *a)
 	w = t[2] - cc;
 	t[2] = w & MASK52;
 	cc = w >> 63;
-	w = t[3] - BIT(36);
+	w = t[3] - BIT(36) - cc;
 	t[3] = w & MASK52;
 	cc = w >> 63;
 	t[4] -= cc;
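Review bot: The corrected line `w = t[3] - BIT(36) - cc;` only matters for inputs where the subtraction on t[2] borrows, so the previous bug would have produced a non-canonical (and therefore wrongly encoded) coordinate on a narrow set of values without failing any ordinary test. The diffstat shows test_crypto.c changing by four lines, which I cannot see on this page; please confirm that a regression vector exercising the borrow into t[3] in f256_final_reduce is included, otherwise add one, since this is the m62 backend's last reduction step before encoding. A short comment `/* propagate the borrow from t[2] */` on the changed line would also document why cc appears here and not in the old code.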
diff --git a/contrib/bearssl/src/ec/ec_p256_m64.c b/contrib/bearssl/src/ec/ec_p256_m64.c
index 5a7ea177408b..71a527c36955 100644
--- a/contrib/bearssl/src/ec/ec_p256_m64.c
+++ b/contrib/bearssl/src/ec/ec_p256_m64.c
@@ -99,6 +99,9 @@ f256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
 	unsigned __int128 w;
 	uint64_t t;
 
+	/*
+	 * Do the addition, with an extra carry in t.
+	 */
 	w = (unsigned __int128)a[0] + b[0];
 	d[0] = (uint64_t)w;
 	w = (unsigned __int128)a[1] + b[1] + (w >> 64);
@@ -110,7 +113,7 @@ f256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
 	t = (uint64_t)(w >> 64);
 
 	/*
-	 * 2^256 = 2^224 - 2^192 - 2^96 + 1 in the field.
+	 * Fold carry t, using: 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p.
 	 */
 	w = (unsigned __int128)d[0] + t;
 	d[0] = (uint64_t)w;
@@ -119,8 +122,22 @@ f256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
 	/* Here, carry "w >> 64" can only be 0 or -1 */
 	w = (unsigned __int128)d[2] - ((w >> 64) & 1);
 	d[2] = (uint64_t)w;
-	/* Again, carry is 0 or -1 */
-	d[3] += (uint64_t)(w >> 64) + (t << 32) - t;
+	/* Again, carry is 0 or -1. But there can be carry only if t = 1,
+	   in which case the addition of (t << 32) - t is positive. */
+	w = (unsigned __int128)d[3] - ((w >> 64) & 1) + (t << 32) - t;
+	d[3] = (uint64_t)w;
+	t = (uint64_t)(w >> 64);
+
+	/*
+	 * There can be an extra carry here, which we must fold again.
+	 */
+	w = (unsigned __int128)d[0] + t;
+	d[0] = (uint64_t)w;
+	w = (unsigned __int128)d[1] + (w >> 64) - (t << 32);
+	d[1] = (uint64_t)w;
+	w = (unsigned __int128)d[2] - ((w >> 64) & 1);
+	d[2] = (uint64_t)w;
+	d[3] += (t << 32) - t - (uint64_t)((w >> 64) & 1);
 
 #elif BR_UMUL128
 
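Review bot: The second fold in f256_add ends with `d[3] += (t << 32) - t - (uint64_t)((w >> 64) & 1);` and simply drops any further carry out of d[3], so the correctness of the fix rests on a bound that is not written down anywhere in the hunk. If my arithmetic is right the value after the first fold is below 2^256 + 2^224, so a second carry cannot occur, but that should be stated, e.g. `/* After the first fold the value is < 2^256 + 2^224, so this second fold cannot carry out of d[3]. */`. The same missing justification applies to the BR_UMUL128 branch of f256_add (next hunk, where the final `_addcarry_u64` result is discarded) and to both branches of the second modulus addition in f256_sub further down.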
@@ -140,6 +157,15 @@ f256_add(uint64_t *d, const uint64_t *a, const uint64_t *b)
 	cc = _addcarry_u64(cc, d[0], 0, &d[0]);
 	cc = _addcarry_u64(cc, d[1], -(t << 32), &d[1]);
 	cc = _addcarry_u64(cc, d[2], -t, &d[2]);
+	cc = _addcarry_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
+
+	/*
+	 * We have to do it again if there still is a carry.
+	 */
+	t = cc;
+	cc = _addcarry_u64(cc, d[0], 0, &d[0]);
+	cc = _addcarry_u64(cc, d[1], -(t << 32), &d[1]);
+	cc = _addcarry_u64(cc, d[2], -t, &d[2]);
 	(void)_addcarry_u64(cc, d[3], (t << 32) - (t << 1), &d[3]);
 
 #endif
@@ -167,6 +193,7 @@ f256_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
 	t = (uint64_t)(w >> 64) & 1;
 
 	/*
+	 * If there is a borrow (t = 1), then we must add the modulus
 	 * p = 2^256 - 2^224 + 2^192 + 2^96 - 1.
 	 */
 	w = (unsigned __int128)d[0] - t;
@@ -177,6 +204,20 @@ f256_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
 	w = (unsigned __int128)d[2] + (w >> 64);
 	d[2] = (uint64_t)w;
 	/* Again, carry is 0 or +1 */
+	w = (unsigned __int128)d[3] + (w >> 64) - (t << 32) + t;
+	d[3] = (uint64_t)w;
+	t = (uint64_t)(w >> 64) & 1;
+
+	/*
+	 * There may be again a borrow, in which case we must add the
+	 * modulus again.
+	 */
+	w = (unsigned __int128)d[0] - t;
+	d[0] = (uint64_t)w;
+	w = (unsigned __int128)d[1] + (t << 32) - ((w >> 64) & 1);
+	d[1] = (uint64_t)w;
+	w = (unsigned __int128)d[2] + (w >> 64);
+	d[2] = (uint64_t)w;
 	d[3] += (uint64_t)(w >> 64) - (t << 32) + t;
 
 #elif BR_UMUL128
@@ -190,13 +231,23 @@ f256_sub(uint64_t *d, const uint64_t *a, const uint64_t *b)
*** 1822 LINES SKIPPED ***