incorporate diffs from 3.4.1 not tagged in upstream stable.

patches/libcrypto_1.diff

@@ -0,0 +1,34 @@
+commit 43e306df17537f5033b9b61d33f555d19d1bec9d
+Author: jsing <>
+Date:   Thu Sep 30 18:23:46 2021 +0000
+
+    Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+    
+    In order to work around the expired DST Root CA X3 certficiate, enable
+    X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
+    default chain provided by Let's Encrypt will stop at the ISRG Root X1
+    intermediate, rather than following the DST Root CA X3 intermediate.
+    
+    Note that the new verifier does not suffer from this issue, so only a
+    small number of things will hit this code path.
+    
+    ok millert@ robert@ tb@
+
+diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
+index aaf0a57dcb..42ea6e72c9 100644
+--- a/src/lib/libcrypto/x509/x509_vpm.c
++++ b/src/lib/libcrypto/x509/x509_vpm.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_vpm.c,v 1.26 2021/04/24 18:10:12 tb Exp $ */
++/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+  * project 2004.
+  */
+@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
+ static const X509_VERIFY_PARAM default_table[] = {
+ 	{
+ 		.name = "default",
++		.flags = X509_V_FLAG_TRUSTED_FIRST,
+ 		.depth = 100,
+ 		.trust = 0,  /* XXX This is not the default trust value */
+ 		.id = vpm_empty_id

patches/libcrypto_2.diff

@@ -0,0 +1,59 @@
+commit 5dd3c162296b91c3ec61aec1ad52a10fdde8d142
+Author: claudio <>
+Date:   Wed Oct 6 08:29:41 2021 +0000
+
+    X509_STORE_CTX_init() allows the store to be NULL on init. Add checks
+    for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX.
+    This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(),
+    X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject().
+    With this X509_verify_cert() no longer crashes with a NULL store.
+    With and OK tb@
+
+diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
+index f21103c700..315eddf612 100644
+--- a/src/lib/libcrypto/x509/x509_lu.c
++++ b/src/lib/libcrypto/x509/x509_lu.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_lu.c,v 1.30 2018/08/24 19:21:09 tb Exp $ */
++/* $OpenBSD: x509_lu.c,v 1.31 2021/10/06 08:29:41 claudio Exp $ */
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+  * All rights reserved.
+  *
+@@ -312,6 +312,9 @@ X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+ 	X509_OBJECT stmp, *tmp;
+ 	int i, j;
+ 
++	if (ctx == NULL)
++		return 0;
++
+ 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+ 	tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
+ 	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+@@ -561,6 +564,8 @@ X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
+ 	X509 *x;
+ 	X509_OBJECT *obj;
+ 
++	if (ctx->ctx == NULL)
++		return NULL;
+ 	sk = sk_X509_new_null();
+ 	if (sk == NULL)
+ 		return NULL;
+@@ -610,6 +615,8 @@ X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
+ 	X509_CRL *x;
+ 	X509_OBJECT *obj, xobj;
+ 
++	if (ctx->ctx == NULL)
++		return NULL;
+ 	sk = sk_X509_CRL_new_null();
+ 	if (sk == NULL)
+ 		return NULL;
+@@ -718,6 +725,9 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+ 	}
+ 	X509_OBJECT_free_contents(&obj);
+ 
++	if (ctx->ctx == NULL)
++		return 0;
++
+ 	/* Else find index of first cert accepted by 'check_issued' */
+ 	ret = 0;
+ 	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);

update.sh

@@ -360,6 +360,10 @@ for i in patches/*.patch; do
     $PATCH -p0 < $i
 done
 
+for i in patches/libcrypto*.diff; do
+	(cd crypto; $PATCH -p4 < ../$i)
+done
+
 # copy manpages
 echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am