[openssl] openssl-3.0 update

Matt Caswell matt at openssl.org
Tue Dec 14 16:31:17 UTC 2021


The branch openssl-3.0 has been updated
       via  b11183f68658cf625a3befd6d245923d588638f5 (commit)
       via  b4e83ed7cd99c12d27e0e220c3afa1745a68f921 (commit)
       via  d33d8e55bccf90d3b6fdcb803dc571b6634f40a7 (commit)
       via  7ea8127214cbe36417ab15d9030e759c8cac0967 (commit)
       via  f4bb498a5196f470ea6748f09b6c8b0c0326321c (commit)
       via  26ac3f630a4be31deb4d4dee7f988fe3dabbe887 (commit)
       via  ce6902e5823aa7e85ef19712c6f925eb7ad27df9 (commit)
       via  d69ae8a93bfc0f2489c008fcf303a98d77a6df4d (commit)
       via  758754966791c537ea95241438454aa86f91f256 (commit)
       via  8e78289c4e6f4c9f2fec073b78443736e689854d (commit)
      from  944efc1afc344f45e56f861d987a0a6ac1fca174 (commit)


- Log -----------------------------------------------------------------
commit b11183f68658cf625a3befd6d245923d588638f5
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 14 16:16:32 2021 +0000

    Prepare for 3.0.2
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit b4e83ed7cd99c12d27e0e220c3afa1745a68f921
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 14 16:16:25 2021 +0000

    Prepare for release of 3.0.1
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit d33d8e55bccf90d3b6fdcb803dc571b6634f40a7
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 14 16:16:25 2021 +0000

    make update
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 7ea8127214cbe36417ab15d9030e759c8cac0967
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 14 14:41:27 2021 +0000

    Update copyright year
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit f4bb498a5196f470ea6748f09b6c8b0c0326321c
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Dec 3 15:28:31 2021 +0000

    Add a test case for the name constraints bug
    
    Where a chain has name constraints but a certificate does not have a SAN
    extension but the CN meets the constraints, then this should be acceptable.
    However, an OpenSSL bug meant that an internal error was being reported.
    This adds a test case for that scenario.
    
    Test for CVE-2021-4044
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit 26ac3f630a4be31deb4d4dee7f988fe3dabbe887
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Dec 3 15:18:27 2021 +0000

    Add a TLS test for name constraints with an EE cert without a SAN
    
    It is valid for name constraints to be in force but for there to be no
    SAN extension in a certificate. Previous versions of OpenSSL mishandled
    this.
    
    Test for CVE-2021-4044
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit ce6902e5823aa7e85ef19712c6f925eb7ad27df9
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Dec 2 17:26:15 2021 +0000

    Add a new Name Constraints test cert
    
    Add a cert which complies with the name constraints but has no
    SAN extension
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit d69ae8a93bfc0f2489c008fcf303a98d77a6df4d
Author: Tobias Nießen <tniessen at tnie.de>
Date:   Mon Nov 29 03:41:20 2021 +0000

    Fix infinite verification loops due to has_san_id
    
    Where name constraints apply, X509_verify() would incorrectly report an
    internal error in the event that a certificate has no SAN extension.
    
    CVE-2021-4044
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 758754966791c537ea95241438454aa86f91f256
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Dec 3 15:56:58 2021 +0000

    Fix invalid handling of verify errors in libssl
    
    In the event that X509_verify() returned an internal error result then
    libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
    subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
    That return code is supposed to only ever be returned if an application
    is using an app verify callback to completely replace the use of
    X509_verify(). Applications may not be written to expect that return code
    and could therefore crash (or misbehave in some other way) as a result.
    
    CVE-2021-4044
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>

commit 8e78289c4e6f4c9f2fec073b78443736e689854d
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Dec 14 13:15:58 2021 +0000

    Update CHANGES and NEWS for new release
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                                       |  31 +++++-
 NEWS.md                                          |  12 ++-
 VERSION.dat                                      |   4 +-
 apps/lib/engine_loader.c                         |   2 +-
 apps/tsget.in                                    |   2 +-
 crypto/bn/asm/mips.pl                            |   2 +-
 crypto/bn/bn_lib.c                               |   2 +-
 crypto/des/set_key.c                             |   2 +-
 crypto/dso/dso_lib.c                             |   2 +-
 crypto/ec/ec_deprecated.c                        |   2 +-
 crypto/x509/x509_vfy.c                           |   2 +-
 doc/internal/man3/cms_add1_signing_cert.pod      |   2 +-
 doc/internal/man3/ossl_punycode_decode.pod       |   2 +-
 doc/internal/man7/DERlib.pod                     |   2 +-
 doc/man3/ASN1_INTEGER_get_int64.pod              |   2 +-
 doc/man3/ASN1_TYPE_get.pod                       |   2 +-
 doc/man3/BF_encrypt.pod                          |   2 +-
 doc/man3/BIO_f_buffer.pod                        |   2 +-
 doc/man3/BIO_f_cipher.pod                        |   2 +-
 doc/man3/BIO_f_prefix.pod                        |   2 +-
 doc/man3/BIO_s_file.pod                          |   2 +-
 doc/man3/BN_BLINDING_new.pod                     |   2 +-
 doc/man3/BN_bn2bin.pod                           |   2 +-
 doc/man3/BN_mod_mul_reciprocal.pod               |   2 +-
 doc/man3/CMS_add1_recipient_cert.pod             |   2 +-
 doc/man3/CMS_get0_RecipientInfos.pod             |   2 +-
 doc/man3/CONF_modules_free.pod                   |   2 +-
 doc/man3/DES_random_key.pod                      |   2 +-
 doc/man3/DH_generate_parameters.pod              |   2 +-
 doc/man3/DH_meth_new.pod                         |   2 +-
 doc/man3/DH_new_by_nid.pod                       |   2 +-
 doc/man3/DH_set_method.pod                       |   2 +-
 doc/man3/DSA_dup_DH.pod                          |   2 +-
 doc/man3/DSA_get0_pqg.pod                        |   2 +-
 doc/man3/DSA_meth_new.pod                        |   2 +-
 doc/man3/DSA_new.pod                             |   2 +-
 doc/man3/EC_GFp_simple_method.pod                |   2 +-
 doc/man3/EC_POINT_add.pod                        |   2 +-
 doc/man3/EC_POINT_new.pod                        |   2 +-
 doc/man3/ERR_get_error.pod                       |   2 +-
 doc/man3/ERR_load_crypto_strings.pod             |   2 +-
 doc/man3/ERR_load_strings.pod                    |   2 +-
 doc/man3/ERR_put_error.pod                       |   2 +-
 doc/man3/ERR_remove_state.pod                    |   2 +-
 doc/man3/EVP_CIPHER_meth_new.pod                 |   2 +-
 doc/man3/EVP_PKEY_meth_get_count.pod             |   2 +-
 doc/man3/EVP_PKEY_set1_encoded_public_key.pod    |   2 +-
 doc/man3/MD5.pod                                 |   2 +-
 doc/man3/MDC2_Init.pod                           |   2 +-
 doc/man3/OPENSSL_config.pod                      |   2 +-
 doc/man3/OPENSSL_fork_prepare.pod                |   2 +-
 doc/man3/OPENSSL_instrument_bus.pod              |   2 +-
 doc/man3/OSSL_DECODER_CTX.pod                    |   2 +-
 doc/man3/OpenSSL_add_all_algorithms.pod          |   2 +-
 doc/man3/PKCS12_SAFEBAG_get0_attrs.pod           |   2 +-
 doc/man3/PKCS12_SAFEBAG_get1_cert.pod            |   2 +-
 doc/man3/RAND_add.pod                            |   2 +-
 doc/man3/RAND_cleanup.pod                        |   2 +-
 doc/man3/RC4_set_key.pod                         |   2 +-
 doc/man3/RIPEMD160_Init.pod                      |   2 +-
 doc/man3/RSA_check_key.pod                       |   2 +-
 doc/man3/RSA_meth_new.pod                        |   2 +-
 doc/man3/RSA_print.pod                           |   2 +-
 doc/man3/RSA_set_method.pod                      |   2 +-
 doc/man3/RSA_sign.pod                            |   2 +-
 doc/man3/RSA_sign_ASN1_OCTET_STRING.pod          |   2 +-
 doc/man3/SCT_print.pod                           |   2 +-
 doc/man3/SSL_CIPHER_get_name.pod                 |   2 +-
 doc/man3/SSL_COMP_add_compression_method.pod     |   2 +-
 doc/man3/SSL_CTX_set_client_hello_cb.pod         |   2 +-
 doc/man3/SSL_CTX_set_keylog_callback.pod         |   2 +-
 doc/man3/SSL_CTX_set_psk_client_callback.pod     |   2 +-
 doc/man3/SSL_CTX_set_security_level.pod          |   2 +-
 doc/man3/SSL_CTX_set_split_send_fragment.pod     |   2 +-
 doc/man3/SSL_CTX_set_tmp_dh_callback.pod         |   2 +-
 doc/man3/SSL_CTX_use_certificate.pod             |   2 +-
 doc/man3/SSL_get_session.pod                     |   2 +-
 doc/man3/SSL_set_async_callback.pod              |   2 +-
 doc/man3/SSL_set_bio.pod                         |   2 +-
 doc/man3/SSL_set_fd.pod                          |   2 +-
 doc/man3/X509_get0_signature.pod                 |   2 +-
 doc/man3/X509_get_pubkey.pod                     |   2 +-
 doc/man3/i2d_re_X509_tbs.pod                     |   2 +-
 doc/man7/EVP_SIGNATURE-DSA.pod                   |   2 +-
 doc/man7/EVP_SIGNATURE-ECDSA.pod                 |   2 +-
 doc/man7/ossl_store.pod                          |   2 +-
 doc/man7/property.pod                            |   2 +-
 doc/man7/proxy-certificates.pod                  |   2 +-
 providers/fips-sources.checksums                 | 124 +++++++++++------------
 providers/fips.checksum                          |   2 +-
 ssl/ssl_cert.c                                   |  15 ++-
 ssl/statem/statem_clnt.c                         |   2 +-
 test/bio_enc_test.c                              |   2 +-
 test/bio_prefix_text.c                           |   2 +-
 test/certs/goodcn2-cert.pem                      |  19 ++++
 test/certs/{ncca1-cert.pem => goodcn2-chain.pem} |  19 ++++
 test/certs/goodcn2-key.pem                       |  28 +++++
 test/certs/mkcert.sh                             |  29 ++++--
 test/certs/setup.sh                              |   6 ++
 test/packettest.c                                |   2 +-
 test/recipes/05-test_rand.t                      |   2 +-
 test/recipes/25-test_verify.t                    |   5 +-
 test/recipes/30-test_engine.t                    |   2 +-
 test/recipes/80-test_dane.t                      |   2 +-
 test/ssl-tests/01-simple.cnf                     |  26 ++++-
 test/ssl-tests/01-simple.cnf.in                  |  14 ++-
 test/testutil/tests.c                            |   2 +-
 test/testutil/testutil_init.c                    |   2 +-
 util/mkpod2html.pl                               |   2 +-
 109 files changed, 347 insertions(+), 177 deletions(-)
 create mode 100644 test/certs/goodcn2-cert.pem
 copy test/certs/{ncca1-cert.pem => goodcn2-chain.pem} (52%)
 create mode 100644 test/certs/goodcn2-key.pem

diff --git a/CHANGES.md b/CHANGES.md
index 0a0f563954..a4799e3b63 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,7 +28,36 @@ breaking changes, and mappings for the large list of deprecated functions.
 
 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
 
-### Changes between 3.0.0 and 3.0.1 [xx XXX xxxx]
+### Changes between 3.0.1 and 3.0.2 [xx XXX xxxx]
+
+ * 
+
+### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
+
+ * Fixed invalid handling of X509_verify_cert() internal errors in libssl
+   Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
+   verify a certificate supplied by a server. That function may return a
+   negative return value to indicate an internal error (for example out of
+   memory). Such a negative return value is mishandled by OpenSSL and will cause
+   an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
+   success and a subsequent call to SSL_get_error() to return the value
+   SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
+   returned by OpenSSL if the application has previously called
+   SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
+   the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
+   totally unexpected and applications may not behave correctly as a result. The
+   exact behaviour will depend on the application but it could result in
+   crashes, infinite loops or other similar incorrect responses.
+
+   This issue is made more serious in combination with a separate bug in OpenSSL
+   3.0 that will cause X509_verify_cert() to indicate an internal error when
+   processing a certificate chain. This will occur where a certificate does not
+   include the Subject Alternative Name extension but where a Certificate
+   Authority has enforced name constraints. This issue can occur even with valid
+   chains.
+   ([CVE-2021-4044])
+
+   *Matt Caswell*
 
  * Corrected a few file name and file reference bugs in the build,
    installation and setup scripts, which lead to installation verification
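Review bot: In the new 3.0.1 entry, the summary line `* Fixed invalid handling of X509_verify_cert() internal errors in libssl` runs straight into the body text with no blank line or full stop, so Markdown renders the summary and the explanation as one paragraph; add a blank line after the summary. The empty ` * ` placeholder under the 3.0.2 heading carries trailing whitespace, and the hunk does not show a link definition for `[CVE-2021-4044]`, so check that one exists elsewhere in the file.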
diff --git a/NEWS.md b/NEWS.md
index 047b38dd88..61d66d9aac 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -18,10 +18,16 @@ OpenSSL Releases
 OpenSSL 3.0
 -----------
 
-### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [under development]
+### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [under development]
 
- * Allow fetching an operation from the provider that owns an unexportable key
-   as a fallback if that is still allowed by the property query.
+ * 
+
+### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021]
+
+  * Fixed invalid handling of X509_verify_cert() internal errors in libssl
+    ([CVE-2021-4044])
+  * Allow fetching an operation from the provider that owns an unexportable key
+    as a fallback if that is still allowed by the property query.
 
 ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021]
 
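Review bot: The bullets added under the 3.0.1 heading are indented with two spaces (`  * Fixed invalid handling ...`, `  * Allow fetching ...`), while the removed bullet and the new 3.0.2 placeholder use one space (` * `). Keep the one-space indentation so the list style stays uniform within the file.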
diff --git a/VERSION.dat b/VERSION.dat
index ec88dfb703..7c3989e20e 100644
--- a/VERSION.dat
+++ b/VERSION.dat
@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=0
-PATCH=1
+PATCH=2
 PRE_RELEASE_TAG=dev
 BUILD_METADATA=
-RELEASE_DATE=""
+RELEASE_DATE="14 Dec 2021"
 SHLIB_VERSION=3
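Review bot: `RELEASE_DATE="14 Dec 2021"` stays set while `PATCH=2` and `PRE_RELEASE_TAG=dev` describe an unreleased 3.0.2 development version, so the file pairs the 3.0.1 release date with 3.0.2-dev. The previous dev state had `RELEASE_DATE=""`; reset it to empty in the same step that bumps PATCH.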
diff --git a/apps/lib/engine_loader.c b/apps/lib/engine_loader.c
index 573af76024..b2a11d438d 100644
--- a/apps/lib/engine_loader.c
+++ b/apps/lib/engine_loader.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
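Review bot: The context line `Licensed under the OpenSSL license (the "License")` in this header differs from the other files touched by this update, whose headers read `Licensed under the Apache License 2.0`. Since the copyright line is being edited anyway, confirm whether this file's licence notice should be brought in line.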
diff --git a/apps/tsget.in b/apps/tsget.in
index 8eab6a8f1f..3b5f83cf9b 100644
--- a/apps/tsget.in
+++ b/apps/tsget.in
@@ -1,5 +1,5 @@
 #!{- $config{HASHBANGPERL} -}
-# Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
 # Copyright (c) 2002 The OpenTSA Project. All rights reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
index 91b7aac6e7..bc18826d08 100644
--- a/crypto/bn/asm/mips.pl
+++ b/crypto/bn/asm/mips.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index d37b89c2a6..7ad6842560 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c
index 068fb9133b..adcfb7f124 100644
--- a/crypto/des/set_key.c
+++ b/crypto/des/set_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c
index e093b77a27..9d755986d7 100644
--- a/crypto/dso/dso_lib.c
+++ b/crypto/dso/dso_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/ec/ec_deprecated.c b/crypto/ec/ec_deprecated.c
index 22ddb3660c..765894c329 100644
--- a/crypto/ec/ec_deprecated.c
+++ b/crypto/ec/ec_deprecated.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index d66b10950c..ff3ca83de6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -630,7 +630,7 @@ static int has_san_id(X509 *x, int gtype)
     GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
 
     if (gs == NULL)
-        return -1;
+        return 0;
 
     for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {
         GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);
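Review bot: In has_san_id(), the `gs == NULL` branch now returns 0 for every NULL result, but `X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL)` called with a NULL `crit` argument returns NULL both when the extension is absent and when it is present but cannot be parsed or occurs more than once. Returning 0 is right for the absent case this fix targets; consider passing a `crit` pointer so a malformed or duplicated SAN can be told apart from a missing one instead of both being reported as "no SAN of this type". A short comment stating that the function returns only 0 or 1 would also help, since the removed line returned -1 on this path.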
diff --git a/doc/internal/man3/cms_add1_signing_cert.pod b/doc/internal/man3/cms_add1_signing_cert.pod
index 1f5f681c64..cc2747dcde 100644
--- a/doc/internal/man3/cms_add1_signing_cert.pod
+++ b/doc/internal/man3/cms_add1_signing_cert.pod
@@ -36,7 +36,7 @@ is added or 0 if an error occurred.
 
 =head1 COPYRIGHT
 
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/internal/man3/ossl_punycode_decode.pod b/doc/internal/man3/ossl_punycode_decode.pod
index 61240f724e..652626159e 100644
--- a/doc/internal/man3/ossl_punycode_decode.pod
+++ b/doc/internal/man3/ossl_punycode_decode.pod
@@ -49,7 +49,7 @@ The functions described here were all added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/internal/man7/DERlib.pod b/doc/internal/man7/DERlib.pod
index 3129a9b74d..8dd5d6cec7 100644
--- a/doc/internal/man7/DERlib.pod
+++ b/doc/internal/man7/DERlib.pod
@@ -139,7 +139,7 @@ L<ossl_DER_w_precompiled(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/ASN1_INTEGER_get_int64.pod b/doc/man3/ASN1_INTEGER_get_int64.pod
index 4ba6c4c0d7..3bde0b20e6 100644
--- a/doc/man3/ASN1_INTEGER_get_int64.pod
+++ b/doc/man3/ASN1_INTEGER_get_int64.pod
@@ -123,7 +123,7 @@ were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/ASN1_TYPE_get.pod b/doc/man3/ASN1_TYPE_get.pod
index 1d87f676f4..9bfb5a76d4 100644
--- a/doc/man3/ASN1_TYPE_get.pod
+++ b/doc/man3/ASN1_TYPE_get.pod
@@ -91,7 +91,7 @@ NULL on failure.
 
 =head1 COPYRIGHT
 
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BF_encrypt.pod b/doc/man3/BF_encrypt.pod
index b6df43efc2..509dd22c63 100644
--- a/doc/man3/BF_encrypt.pod
+++ b/doc/man3/BF_encrypt.pod
@@ -121,7 +121,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BIO_f_buffer.pod b/doc/man3/BIO_f_buffer.pod
index 2eb6e8eab1..9a1d5b4b33 100644
--- a/doc/man3/BIO_f_buffer.pod
+++ b/doc/man3/BIO_f_buffer.pod
@@ -93,7 +93,7 @@ L<BIO_ctrl(3)>.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BIO_f_cipher.pod b/doc/man3/BIO_f_cipher.pod
index cb6b14a0c0..3a11cabd3c 100644
--- a/doc/man3/BIO_f_cipher.pod
+++ b/doc/man3/BIO_f_cipher.pod
@@ -71,7 +71,7 @@ BIO_get_cipher_ctx() returns 1 for success and <=0 for failure.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BIO_f_prefix.pod b/doc/man3/BIO_f_prefix.pod
index 8c7953f472..3c98ef311b 100644
--- a/doc/man3/BIO_f_prefix.pod
+++ b/doc/man3/BIO_f_prefix.pod
@@ -60,7 +60,7 @@ L<bio(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BIO_s_file.pod b/doc/man3/BIO_s_file.pod
index b60a9d8f7a..60e68dba1c 100644
--- a/doc/man3/BIO_s_file.pod
+++ b/doc/man3/BIO_s_file.pod
@@ -157,7 +157,7 @@ L<BIO_set_close(3)>, L<BIO_get_close(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BN_BLINDING_new.pod b/doc/man3/BN_BLINDING_new.pod
index f8c6329192..210fad709c 100644
--- a/doc/man3/BN_BLINDING_new.pod
+++ b/doc/man3/BN_BLINDING_new.pod
@@ -116,7 +116,7 @@ deprecates BN_BLINDING_set_thread_id() and BN_BLINDING_get_thread_id().
 
 =head1 COPYRIGHT
 
-Copyright 2005-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BN_bn2bin.pod b/doc/man3/BN_bn2bin.pod
index e75b9fffb5..92cb7d74f1 100644
--- a/doc/man3/BN_bn2bin.pod
+++ b/doc/man3/BN_bn2bin.pod
@@ -114,7 +114,7 @@ L<BN_num_bytes(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/BN_mod_mul_reciprocal.pod b/doc/man3/BN_mod_mul_reciprocal.pod
index a2f4ebc79d..28d5f1131d 100644
--- a/doc/man3/BN_mod_mul_reciprocal.pod
+++ b/doc/man3/BN_mod_mul_reciprocal.pod
@@ -66,7 +66,7 @@ BN_RECP_CTX_init() was removed in OpenSSL 1.1.0
 
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/CMS_add1_recipient_cert.pod b/doc/man3/CMS_add1_recipient_cert.pod
index 0855d5321b..e1fc34303b 100644
--- a/doc/man3/CMS_add1_recipient_cert.pod
+++ b/doc/man3/CMS_add1_recipient_cert.pod
@@ -76,7 +76,7 @@ OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/CMS_get0_RecipientInfos.pod b/doc/man3/CMS_get0_RecipientInfos.pod
index eb755f5243..8f4593538d 100644
--- a/doc/man3/CMS_get0_RecipientInfos.pod
+++ b/doc/man3/CMS_get0_RecipientInfos.pod
@@ -145,7 +145,7 @@ were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/CONF_modules_free.pod b/doc/man3/CONF_modules_free.pod
index fd22d82899..81b10ebc3b 100644
--- a/doc/man3/CONF_modules_free.pod
+++ b/doc/man3/CONF_modules_free.pod
@@ -48,7 +48,7 @@ For more information see L<OPENSSL_init_crypto(3)>.
 
 =head1 COPYRIGHT
 
-Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DES_random_key.pod b/doc/man3/DES_random_key.pod
index 1f0020eae6..0887453f27 100644
--- a/doc/man3/DES_random_key.pod
+++ b/doc/man3/DES_random_key.pod
@@ -320,7 +320,7 @@ on some platforms.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DH_generate_parameters.pod b/doc/man3/DH_generate_parameters.pod
index bbcfe24ae6..1098a161ea 100644
--- a/doc/man3/DH_generate_parameters.pod
+++ b/doc/man3/DH_generate_parameters.pod
@@ -160,7 +160,7 @@ DH_generate_parameters_ex() instead.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DH_meth_new.pod b/doc/man3/DH_meth_new.pod
index 779a695167..43827f55ef 100644
--- a/doc/man3/DH_meth_new.pod
+++ b/doc/man3/DH_meth_new.pod
@@ -166,7 +166,7 @@ The functions described here were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DH_new_by_nid.pod b/doc/man3/DH_new_by_nid.pod
index 6876e239aa..d5ad0ff6ce 100644
--- a/doc/man3/DH_new_by_nid.pod
+++ b/doc/man3/DH_new_by_nid.pod
@@ -41,7 +41,7 @@ The DH_get_nid() function was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DH_set_method.pod b/doc/man3/DH_set_method.pod
index d6da381001..88dffab26c 100644
--- a/doc/man3/DH_set_method.pod
+++ b/doc/man3/DH_set_method.pod
@@ -89,7 +89,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_dup_DH.pod b/doc/man3/DSA_dup_DH.pod
index f8a4815cd5..b2a1529ac8 100644
--- a/doc/man3/DSA_dup_DH.pod
+++ b/doc/man3/DSA_dup_DH.pod
@@ -43,7 +43,7 @@ This function was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_get0_pqg.pod b/doc/man3/DSA_get0_pqg.pod
index fc2a967cfa..7b2f132a99 100644
--- a/doc/man3/DSA_get0_pqg.pod
+++ b/doc/man3/DSA_get0_pqg.pod
@@ -113,7 +113,7 @@ OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_meth_new.pod b/doc/man3/DSA_meth_new.pod
index f8f5a1f022..c00747cfc4 100644
--- a/doc/man3/DSA_meth_new.pod
+++ b/doc/man3/DSA_meth_new.pod
@@ -214,7 +214,7 @@ The functions described here were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_new.pod b/doc/man3/DSA_new.pod
index 01be4e842d..60b3d50dfa 100644
--- a/doc/man3/DSA_new.pod
+++ b/doc/man3/DSA_new.pod
@@ -50,7 +50,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EC_GFp_simple_method.pod b/doc/man3/EC_GFp_simple_method.pod
index 6e3e9b708a..8c4acd28e0 100644
--- a/doc/man3/EC_GFp_simple_method.pod
+++ b/doc/man3/EC_GFp_simple_method.pod
@@ -73,7 +73,7 @@ were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EC_POINT_add.pod b/doc/man3/EC_POINT_add.pod
index 10036c9596..97bd34c393 100644
--- a/doc/man3/EC_POINT_add.pod
+++ b/doc/man3/EC_POINT_add.pod
@@ -90,7 +90,7 @@ were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EC_POINT_new.pod b/doc/man3/EC_POINT_new.pod
index e2e2c129eb..f92cc2c8e2 100644
--- a/doc/man3/EC_POINT_new.pod
+++ b/doc/man3/EC_POINT_new.pod
@@ -269,7 +269,7 @@ added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/ERR_get_error.pod b/doc/man3/ERR_get_error.pod
index b5374e7652..6518458907 100644
--- a/doc/man3/ERR_get_error.pod
+++ b/doc/man3/ERR_get_error.pod
@@ -132,7 +132,7 @@ and ERR_peek_last_error_line_data() became deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/ERR_load_crypto_strings.pod b/doc/man3/ERR_load_crypto_strings.pod
index dc3b5292b1..ef87189649 100644
--- a/doc/man3/ERR_load_crypto_strings.pod
+++ b/doc/man3/ERR_load_crypto_strings.pod
@@ -46,7 +46,7 @@ OPENSSL_init_crypto() and OPENSSL_init_ssl() and should not be used.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/ERR_load_strings.pod b/doc/man3/ERR_load_strings.pod
index 55f4cb244e..f291644bb3 100644
--- a/doc/man3/ERR_load_strings.pod
+++ b/doc/man3/ERR_load_strings.pod
@@ -48,7 +48,7 @@ L<ERR_load_strings(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/ERR_put_error.pod b/doc/man3/ERR_put_error.pod
index 56c73c13ef..1078c31b63 100644
--- a/doc/man3/ERR_put_error.pod
+++ b/doc/man3/ERR_put_error.pod
@@ -179,7 +179,7 @@ were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/ERR_remove_state.pod b/doc/man3/ERR_remove_state.pod
index 2ef34c7c34..f5f6ffbb49 100644
--- a/doc/man3/ERR_remove_state.pod
+++ b/doc/man3/ERR_remove_state.pod
@@ -41,7 +41,7 @@ and should not be used.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EVP_CIPHER_meth_new.pod b/doc/man3/EVP_CIPHER_meth_new.pod
index 35d4db2a66..8b862d9d99 100644
--- a/doc/man3/EVP_CIPHER_meth_new.pod
+++ b/doc/man3/EVP_CIPHER_meth_new.pod
@@ -249,7 +249,7 @@ counted in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_meth_get_count.pod b/doc/man3/EVP_PKEY_meth_get_count.pod
index 4950a58b24..2e2a3fc13e 100644
--- a/doc/man3/EVP_PKEY_meth_get_count.pod
+++ b/doc/man3/EVP_PKEY_meth_get_count.pod
@@ -51,7 +51,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_set1_encoded_public_key.pod b/doc/man3/EVP_PKEY_set1_encoded_public_key.pod
index 5ed6b20a06..20ae767dd6 100644
--- a/doc/man3/EVP_PKEY_set1_encoded_public_key.pod
+++ b/doc/man3/EVP_PKEY_set1_encoded_public_key.pod
@@ -131,7 +131,7 @@ deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/MD5.pod b/doc/man3/MD5.pod
index 81e220fe42..5d1a8eb7da 100644
--- a/doc/man3/MD5.pod
+++ b/doc/man3/MD5.pod
@@ -105,7 +105,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/MDC2_Init.pod b/doc/man3/MDC2_Init.pod
index 37b2ba3815..f29c9b78dc 100644
--- a/doc/man3/MDC2_Init.pod
+++ b/doc/man3/MDC2_Init.pod
@@ -70,7 +70,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OPENSSL_config.pod b/doc/man3/OPENSSL_config.pod
index 60f1c5a658..3fe6dd0e49 100644
--- a/doc/man3/OPENSSL_config.pod
+++ b/doc/man3/OPENSSL_config.pod
@@ -77,7 +77,7 @@ deprecated in OpenSSL 1.1.0 by OPENSSL_init_crypto().
 
 =head1 COPYRIGHT
 
-Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OPENSSL_fork_prepare.pod b/doc/man3/OPENSSL_fork_prepare.pod
index 646c093207..6f8277c110 100644
--- a/doc/man3/OPENSSL_fork_prepare.pod
+++ b/doc/man3/OPENSSL_fork_prepare.pod
@@ -60,7 +60,7 @@ These functions were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OPENSSL_instrument_bus.pod b/doc/man3/OPENSSL_instrument_bus.pod
index c5e3d3fca4..1af07b29c7 100644
--- a/doc/man3/OPENSSL_instrument_bus.pod
+++ b/doc/man3/OPENSSL_instrument_bus.pod
@@ -43,7 +43,7 @@ Otherwise number of recorded values is returned.
 
 =head1 COPYRIGHT
 
-Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OSSL_DECODER_CTX.pod b/doc/man3/OSSL_DECODER_CTX.pod
index a15902da08..3ffd794cf0 100644
--- a/doc/man3/OSSL_DECODER_CTX.pod
+++ b/doc/man3/OSSL_DECODER_CTX.pod
@@ -249,7 +249,7 @@ The functions described here were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OpenSSL_add_all_algorithms.pod b/doc/man3/OpenSSL_add_all_algorithms.pod
index 750acdeab5..07403a32d5 100644
--- a/doc/man3/OpenSSL_add_all_algorithms.pod
+++ b/doc/man3/OpenSSL_add_all_algorithms.pod
@@ -53,7 +53,7 @@ not be used.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
index 8ed67fbdf7..7073c0d5ce 100644
--- a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
+++ b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
@@ -40,7 +40,7 @@ L<PKCS12_add_friendlyname_asc(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod
index 13f1263fe6..ecd212c775 100644
--- a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod
+++ b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod
@@ -64,7 +64,7 @@ L<PKCS12_add_safes(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RAND_add.pod b/doc/man3/RAND_add.pod
index dd39b8ca43..10a6811433 100644
--- a/doc/man3/RAND_add.pod
+++ b/doc/man3/RAND_add.pod
@@ -101,7 +101,7 @@ not be used.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RAND_cleanup.pod b/doc/man3/RAND_cleanup.pod
index 5b84615988..ce61a9f2b1 100644
--- a/doc/man3/RAND_cleanup.pod
+++ b/doc/man3/RAND_cleanup.pod
@@ -36,7 +36,7 @@ See L<OPENSSL_init_crypto(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RC4_set_key.pod b/doc/man3/RC4_set_key.pod
index 3f6e362f76..296f88eb6f 100644
--- a/doc/man3/RC4_set_key.pod
+++ b/doc/man3/RC4_set_key.pod
@@ -68,7 +68,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RIPEMD160_Init.pod b/doc/man3/RIPEMD160_Init.pod
index 7339bd480a..48937a647f 100644
--- a/doc/man3/RIPEMD160_Init.pod
+++ b/doc/man3/RIPEMD160_Init.pod
@@ -73,7 +73,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_check_key.pod b/doc/man3/RSA_check_key.pod
index a9e3d36aa6..d9c0097772 100644
--- a/doc/man3/RSA_check_key.pod
+++ b/doc/man3/RSA_check_key.pod
@@ -84,7 +84,7 @@ RSA_check_key_ex() appeared after OpenSSL 1.0.2.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_meth_new.pod b/doc/man3/RSA_meth_new.pod
index 6c8eda1615..29ea4161b0 100644
--- a/doc/man3/RSA_meth_new.pod
+++ b/doc/man3/RSA_meth_new.pod
@@ -260,7 +260,7 @@ Other functions described here were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_print.pod b/doc/man3/RSA_print.pod
index 96ca3df113..27495b2241 100644
--- a/doc/man3/RSA_print.pod
+++ b/doc/man3/RSA_print.pod
@@ -67,7 +67,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_set_method.pod b/doc/man3/RSA_set_method.pod
index 21cfeed27b..6e45d6b60b 100644
--- a/doc/man3/RSA_set_method.pod
+++ b/doc/man3/RSA_set_method.pod
@@ -185,7 +185,7 @@ was replaced to always return NULL in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_sign.pod b/doc/man3/RSA_sign.pod
index ed5885d48b..1917d97784 100644
--- a/doc/man3/RSA_sign.pod
+++ b/doc/man3/RSA_sign.pod
@@ -67,7 +67,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod b/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod
index 77c8a202a7..6548bdb78a 100644
--- a/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod
@@ -68,7 +68,7 @@ All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SCT_print.pod b/doc/man3/SCT_print.pod
index 97dd58f7bc..fbcbce2760 100644
--- a/doc/man3/SCT_print.pod
+++ b/doc/man3/SCT_print.pod
@@ -47,7 +47,7 @@ These functions were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod
index 44af9d6dfe..e22a85a063 100644
--- a/doc/man3/SSL_CIPHER_get_name.pod
+++ b/doc/man3/SSL_CIPHER_get_name.pod
@@ -203,7 +203,7 @@ The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_COMP_add_compression_method.pod b/doc/man3/SSL_COMP_add_compression_method.pod
index 9e3dc560c4..924553805e 100644
--- a/doc/man3/SSL_COMP_add_compression_method.pod
+++ b/doc/man3/SSL_COMP_add_compression_method.pod
@@ -96,7 +96,7 @@ The SSL_COMP_get0_name() and SSL_comp_get_id() functions were added in OpenSSL 1
 
 =head1 COPYRIGHT
 
-Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_client_hello_cb.pod b/doc/man3/SSL_CTX_set_client_hello_cb.pod
index f324647abc..d592102028 100644
--- a/doc/man3/SSL_CTX_set_client_hello_cb.pod
+++ b/doc/man3/SSL_CTX_set_client_hello_cb.pod
@@ -122,7 +122,7 @@ were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_keylog_callback.pod b/doc/man3/SSL_CTX_set_keylog_callback.pod
index 1fa71d00f5..27dfb3419e 100644
--- a/doc/man3/SSL_CTX_set_keylog_callback.pod
+++ b/doc/man3/SSL_CTX_set_keylog_callback.pod
@@ -42,7 +42,7 @@ L<ssl(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_psk_client_callback.pod b/doc/man3/SSL_CTX_set_psk_client_callback.pod
index dd302983fd..7ccea7273f 100644
--- a/doc/man3/SSL_CTX_set_psk_client_callback.pod
+++ b/doc/man3/SSL_CTX_set_psk_client_callback.pod
@@ -169,7 +169,7 @@ were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index fc1ff39246..a459549001 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -181,7 +181,7 @@ These functions were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod
index 97ef0fde51..5097404398 100644
--- a/doc/man3/SSL_CTX_set_split_send_fragment.pod
+++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod
@@ -179,7 +179,7 @@ and SSL_SESSION_get_max_fragment_length() functions were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
index c415935d91..aacf82a80f 100644
--- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
@@ -112,7 +112,7 @@ L<openssl-ciphers(1)>, L<openssl-dhparam(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CTX_use_certificate.pod b/doc/man3/SSL_CTX_use_certificate.pod
index ec9ea4205d..f08656bb85 100644
--- a/doc/man3/SSL_CTX_use_certificate.pod
+++ b/doc/man3/SSL_CTX_use_certificate.pod
@@ -194,7 +194,7 @@ L<SSL_CTX_add_extra_chain_cert(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod
index 6631bdf324..8d5d1f6b47 100644
--- a/doc/man3/SSL_get_session.pod
+++ b/doc/man3/SSL_get_session.pod
@@ -103,7 +103,7 @@ L<SSL_SESSION_free(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_set_async_callback.pod b/doc/man3/SSL_set_async_callback.pod
index db858a00ce..e0a665dc45 100644
--- a/doc/man3/SSL_set_async_callback.pod
+++ b/doc/man3/SSL_set_async_callback.pod
@@ -121,7 +121,7 @@ SSL_get_async_status() were first added to OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_set_bio.pod b/doc/man3/SSL_set_bio.pod
index 44c69ef21e..c666dc466e 100644
--- a/doc/man3/SSL_set_bio.pod
+++ b/doc/man3/SSL_set_bio.pod
@@ -102,7 +102,7 @@ SSL_set0_rbio() and SSL_set0_wbio() were added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_set_fd.pod b/doc/man3/SSL_set_fd.pod
index f519630752..691b068d73 100644
--- a/doc/man3/SSL_set_fd.pod
+++ b/doc/man3/SSL_set_fd.pod
@@ -64,7 +64,7 @@ L<SSL_shutdown(3)>, L<ssl(7)> , L<bio(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/X509_get0_signature.pod b/doc/man3/X509_get0_signature.pod
index a49a70038e..e37a04fe8b 100644
--- a/doc/man3/X509_get0_signature.pod
+++ b/doc/man3/X509_get0_signature.pod
@@ -132,7 +132,7 @@ were added in OpenSSL 1.1.1e.
 
 =head1 COPYRIGHT
 
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/X509_get_pubkey.pod b/doc/man3/X509_get_pubkey.pod
index c292cd3d2b..fea0064b9b 100644
--- a/doc/man3/X509_get_pubkey.pod
+++ b/doc/man3/X509_get_pubkey.pod
@@ -77,7 +77,7 @@ L<X509_verify_cert(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/i2d_re_X509_tbs.pod b/doc/man3/i2d_re_X509_tbs.pod
index 76d46eab7a..97208a9222 100644
--- a/doc/man3/i2d_re_X509_tbs.pod
+++ b/doc/man3/i2d_re_X509_tbs.pod
@@ -78,7 +78,7 @@ L<X509_verify_cert(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man7/EVP_SIGNATURE-DSA.pod b/doc/man7/EVP_SIGNATURE-DSA.pod
index 4801cf9994..5a42d6b1cd 100644
--- a/doc/man7/EVP_SIGNATURE-DSA.pod
+++ b/doc/man7/EVP_SIGNATURE-DSA.pod
@@ -48,7 +48,7 @@ L<provider-signature(7)>,
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod
index 0ac3f78461..0f6aa13c4a 100644
--- a/doc/man7/EVP_SIGNATURE-ECDSA.pod
+++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod
@@ -47,7 +47,7 @@ L<provider-signature(7)>,
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man7/ossl_store.pod b/doc/man7/ossl_store.pod
index a2c6260061..3152cff104 100644
--- a/doc/man7/ossl_store.pod
+++ b/doc/man7/ossl_store.pod
@@ -77,7 +77,7 @@ L<OSSL_STORE_SEARCH(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man7/property.pod b/doc/man7/property.pod
index 109336ba47..7b89d1823b 100644
--- a/doc/man7/property.pod
+++ b/doc/man7/property.pod
@@ -164,7 +164,7 @@ Properties were added in OpenSSL 3.0
 
 =head1 COPYRIGHT
 
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod
index 89cd3eea80..0a637f25df 100644
--- a/doc/man7/proxy-certificates.pod
+++ b/doc/man7/proxy-certificates.pod
@@ -351,7 +351,7 @@ L<RFC 3820|https://tools.ietf.org/html/rfc3820>
 
 =head1 COPYRIGHT
 
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index afa31bf80c..383e923f73 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -39,7 +39,7 @@ c86664fb974362ee52a454c83c2c4b23fd5b7d64b3c9e23ef1e0dfd130a46ee5  crypto/bn/asm/
 199b9b100f194a2a128c14f2a71be5a04d50d069666d90ca5b69baee1318ccb7  crypto/bn/asm/ia64-mont.pl
 a511aafbf76647a0c83705d4491c898a5584d300aa449fa6166c8803372946eb  crypto/bn/asm/ia64.S
 687c5d6606fdfd0e242005972d15db74a9cbac2b8a9a54a56fcb1e99d3880ff3  crypto/bn/asm/mips-mont.pl
-eb240c1f72063048abe026ab7fab340361a329d5cd355276a25950be446cc091  crypto/bn/asm/mips.pl
+8aca83d2ec45a40af15e59cff1ac2dc33737a3d25f0a0b74d401fa778a5c5eb8  crypto/bn/asm/mips.pl
 b27ec5181e387e812925bb26823b830f49d7a6e4971b6d11ea583f5632a1504b  crypto/bn/asm/parisc-mont.pl
 9973523b361db963eea4938a7a8a3adc692e1a4e1aec4fa1f1e57dc93da37921  crypto/bn/asm/ppc-mont.pl
 59cd27e1e10c4984b7fb684b27f491e7634473b1bcff197a07e0ca653124aa9a  crypto/bn/asm/ppc.pl
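Review bot: The one changed entry in this hunk, the digest for crypto/bn/asm/mips.pl, carries no pointer to the source change that produced it, so a reader of this file cannot tell whether the assembler generator itself changed or only its header. Since this list records the sources that make up the FIPS provider, name the commit that touched mips.pl in the commit message or PR description, and confirm the new value by recomputing the SHA-256 of the file at this revision.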
@@ -79,7 +79,7 @@ b32d83cee8c00d837a7e4fb8af3f5cf17cb8d2419302e8f5fbcf62119092e874  crypto/bn/bn_g
 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609  crypto/bn/bn_gf2m.c
 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581  crypto/bn/bn_intern.c
 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192  crypto/bn/bn_kron.c
-7e8f6e8bfc0958fc73d163f8139194a71385d98868e6ed51f4d52198b0649acf  crypto/bn/bn_lib.c
+b33295765dc6d3843e3571007e2d6dbe75564645ebf181191a91464706d9fadb  crypto/bn/bn_lib.c
 64bce599181c45d999f0c5bda9ce36b2820f0e91ec6590cc8cba77e2760f8287  crypto/bn/bn_local.h
 07247dc2ccc55f3be525baed92fd20031bbaa80fd0bc56155e80ee0da3fc943d  crypto/bn/bn_mod.c
 4f8763847752d570ef95dc0d06e51240829ab55c3529301214d3c2b613c6a18b  crypto/bn/bn_mont.c
@@ -88,22 +88,22 @@ b32d83cee8c00d837a7e4fb8af3f5cf17cb8d2419302e8f5fbcf62119092e874  crypto/bn/bn_g
 40d04d1bc722bef0d6392e8a9061af8305552f955478fa782230a0b8bf2288b5  crypto/bn/bn_nist.c
 0d85203a3bd9ba7ebf711885cfb621eefb27002f5cb4ef2adfe4f49c7dd7b4a6  crypto/bn/bn_prime.c
 c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3  crypto/bn/bn_prime.h
-3a0f76ec95802d15d0f7b299e36a3aed2c96414363c20a74a4ad2c410be600dc  crypto/bn/bn_rand.c
+18779263932eb2bf50728b9758fc83b1e721a1d22aa75d6443c80591ccd9bb79  crypto/bn/bn_rand.c
 1f6e13da1d9965b341f81bc0842a987a7db9b7de0fa7f7040d49be01b92d282b  crypto/bn/bn_recp.c
-b180881a08942e99e9a6b7714b98e8ce3d7958e1e0be8524966ad859c6d2be39  crypto/bn/bn_rsa_fips186_4.c
+9d8c10645db51c3baedf57d5f0f32b67fc7eba223c192bc1ae7d87af40307e59  crypto/bn/bn_rsa_fips186_4.c
 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2  crypto/bn/bn_shift.c
 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f  crypto/bn/bn_sqr.c
 8e397a44eefa00ecb85fafc11fe8c883b3bb1572d6ac136373946d472fbe2490  crypto/bn/bn_sqrt.c
 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0  crypto/bn/bn_word.c
 3a85d20f80c4d96b3704e58b173fc876ec81f19eac805ae2b125c138c91c86c4  crypto/bn/rsaz_exp.c
 affabb87861653b216e746d6c2fce5c2ac395b0ca570d439508e9f5e102ee340  crypto/bn/rsaz_exp.h
-35d5b375e857743403762f759d43a48416652554636e6700d84372cd9ee1b731  crypto/bn/rsaz_exp_x2.c
+e18b943bfc1623597d6233421c358f3453bb0f026f28ae11cfd3b3c484c0bc4b  crypto/bn/rsaz_exp_x2.c
 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea  crypto/bsearch.c
 c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75  crypto/buffer/buffer.c
-490681100f1cbaf629a7cc89f1785689d7ecef8791af4b8aae1e26da86de1b98  crypto/cmac/cmac.c
+23d46ae37a8d9452c0c88418d2cb8350153f8c2c6060234130a2e429da2370e0  crypto/cmac/cmac.c
 b352903e60908dc7287051983e2068508715b4d9f3f46575540295010908bfa0  crypto/context.c
-018a6c130a15cbcd6ed40b4253eacfba42f02e958d06d6a3d77d3c2ee506f7d0  crypto/core_algorithm.c
-0b27e62cf5e635c2e8cfeb478d716640dd38fa38aca695861439b30e247dd2d6  crypto/core_fetch.c
+83b8912fb01bacfe0b5269c7afa69db7e1718530cce1ed27870abef1407951d6  crypto/core_algorithm.c
+60321d1af7bf9697d969438f6b319fbcb4fdc1a47a0b056d02b971973a8550ca  crypto/core_fetch.c
 4982395fa843f62c83b95f81e1f5622d799a2fe17108bde44cdab935b77e8ae1  crypto/core_namemap.c
 469e2f53b5f76cd487a60d3d4c44c8fc3a6c4d08405597ba664661ba485508d3  crypto/cpuid.c
 71f0fff881eb4c5505fb17662f0ea4bbff24c6858c045a013ad8f786b07da5c4  crypto/cryptlib.c
@@ -114,7 +114,7 @@ fea3ba4225df97aee90690adf387625b746d8edfdc5af2357ee65151a3d236ac  crypto/des/des
 eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81  crypto/des/ecb3_enc.c
 04d4cc355200b57f1e7d265a2cebdf094df1eb6e96621b533adddc3d60d31fbe  crypto/des/fcrypt_b.c
 499513b3ad386fe694c4e04b3c8a9fd4c4e18fc44bb6c4f94d6bf2d9362a3a5a  crypto/des/ncbc_enc.c
-5771c2e517df1dfa35e0cc06ce1d9808e3a5ab21110020d4bdf77284fedb41e1  crypto/des/set_key.c
+61926e30dd940616e80936d1c94c5f522daf0d475fb3a40a9e589e78f322901e  crypto/des/set_key.c
 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d  crypto/des/spr.h
 0209b1ff430e2c237bf96e2e283c24df4b6708014c5a7005b295c28733d2a8ce  crypto/dh/dh_backend.c
 832e5a1caf9cb0dacfd937fc59252aaac7c5c1bf0ae1a9ebf3c3af6e59dcf4c0  crypto/dh/dh_check.c
@@ -131,7 +131,7 @@ b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b  crypto/dsa/dsa
 9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146  crypto/dsa/dsa_lib.c
 f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022  crypto/dsa/dsa_local.h
 f88db9fd73a78e66967e56df442b55230f405b4cd804f31f8696324f0b702f15  crypto/dsa/dsa_ossl.c
-b57b648524bc7dd98f8e2737f4e87b5578c7921df59b1df4a03a34e23e977e8a  crypto/dsa/dsa_sign.c
+6222aa8f60d7451d974dd87c66995033919f36d7f858cbe609cf731ad1eee34e  crypto/dsa/dsa_sign.c
 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1  crypto/dsa/dsa_vrf.c
 0a206e4c4de4702808cba7c9304bedb66abcbc33e513bc25574a795cd5fa3db0  crypto/ec/asm/ecp_nistp521-ppc64.pl
 78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1  crypto/ec/asm/ecp_nistz256-armv4.pl
@@ -160,7 +160,7 @@ f6447921a0031fa5beddedd298e82096fb3fdb189b712fab328b61f6beae0c23  crypto/ec/curv
 3052a044afae2e91b677542fc8b34b3ec9d033e0c6562b0d43098cfb34ab3c9d  crypto/ec/curve448/word.h
 ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d  crypto/ec/ec2_oct.c
 6bbbf570ce31f5b579f7e03ec9f8a774663c7c1eb5e475bd31f8fee94a021ffc  crypto/ec/ec2_smpl.c
-69d64accd498583e65df2dc43730eee2922217a7bfefda2cd1a9da176e3d1dcd  crypto/ec/ec_asn1.c
+2a71bd8dbe4f427c117d990581709a4ddce07fa8e530794b5a9574fef7c48a0c  crypto/ec/ec_asn1.c
 c07fa05c6885e59913e2ce345ff52ef9dfb0418842de3affa6163ad3e71f9c1b  crypto/ec/ec_backend.c
 86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a  crypto/ec/ec_check.c
 265f911b9d4aada326a2d52cd8a589b556935c8b641598dcd36c6f85d29ce655  crypto/ec/ec_curve.c
@@ -181,33 +181,33 @@ f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35  crypto/ec/ecds
 c016eb9412aad8cd1213a2f5b1083df1a1a9cb734dc6cc19d99e706935c81ef2  crypto/ec/ecp_nistz256.c
 51cb98e7e9c241e33261589f0d74103238baaa850e333c61ff1da360e127518a  crypto/ec/ecp_oct.c
 b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68  crypto/ec/ecp_smpl.c
-4d9e693c64709a9359ac724a767a85566849373231e314b8d8127b707dd5e83d  crypto/ec/ecx_backend.c
+2096e13aa2fbcb0d4b10faca3e3f5359cf66098b0397a6d74c6fca14f5dee659  crypto/ec/ecx_backend.c
 5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3  crypto/ec/ecx_backend.h
 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580  crypto/ec/ecx_key.c
-6618159105f23d5b2aa03d806d66f9c7a0b97298fe1e8ec7d503b066d627b31d  crypto/evp/asymcipher.c
+28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e  crypto/evp/asymcipher.c
 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b  crypto/evp/dh_support.c
-847e039a249a1f9af42dfc6427de2ad4925f1116f86619dd420cf8cec9d3bbfe  crypto/evp/digest.c
+e696c10cc2ed2fc5552e659b343af751b9edc3b4dbce1a2108d21e8b10424657  crypto/evp/digest.c
 5e2c5d865029ae86855f15e162360d091f28ca0d4c67260700c90aa25faf308b  crypto/evp/ec_support.c
 37b5e0bdb30a24c925a26f818828fd3b4ab4c1725f84797260556c0f47f2b76d  crypto/evp/evp_enc.c
-363dda606a23f1cbb6eefc713903bb353b8fc8661dee0e853366c7798f050483  crypto/evp/evp_fetch.c
-6e0a2b11440a3cfd80d5539aa6a4b133dbfefc6a646736980dbbd504b3f16ac8  crypto/evp/evp_lib.c
-34574e474d3f5daf24981200cae9e24a427d165cd43d8fb738844fa9b0fc991f  crypto/evp/evp_local.h
+d8162b57e041e83da55efe6f073d156a00b8d7a3b2fb7782b05295f2c0ea3c14  crypto/evp/evp_fetch.c
+029df8bb80a2fb45c22765234b9041ffce82735108e0b11580fd3fbd805362dd  crypto/evp/evp_lib.c
+9ac3d97d756ec008db16dd1952115b551f32b2d0590d9a85e1c87d1c78620257  crypto/evp/evp_local.h
 e822c16fc4dc30f2c86e8598c721a9ddfe46d318ce78f4e8e883cdcf8b936221  crypto/evp/evp_rand.c
 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c  crypto/evp/evp_utils.c
-befe4e1ec273973748a9fff49d8510873737ea04d86eac70c2e11bbb0d874ca1  crypto/evp/exchange.c
+5496cf34a1643923ff434e4ae16ee203a626b36685e98201dec30547857847d8  crypto/evp/exchange.c
 a3164e3247e2a38f4f9a20db463779b5260e4e6639ac8eec6e960b265fc8cce5  crypto/evp/kdf_lib.c
 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186  crypto/evp/kdf_meth.c
-f88b3d178f0d5e7bcd250fd2b3d2fabb19f05f3ecc0627c100c5418e9fdd0ade  crypto/evp/kem.c
-df82657d18fb15d4da3218e33e7326248db509443304889b1dbee5810cbcb78b  crypto/evp/keymgmt_lib.c
-7b850a8f7e7c5018546541254cd33da479834c47273b5018fdcb8a9ccf77f522  crypto/evp/keymgmt_meth.c
+38715a14f202e7d24602e5cc19d2f78abbd9f5fa3dde8d7b2bfded907690e18f  crypto/evp/kem.c
+787105780e2aa625bfedfbfd7167be16f743883d02a897969695ad8e637298af  crypto/evp/keymgmt_lib.c
+3d0a2c5fea0d9bb01a09e1eabc041e3bc76ba4ee90bc0af54ef414e7ca3a531f  crypto/evp/keymgmt_meth.c
 e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1  crypto/evp/m_sigver.c
-f9988dfed6253c30b08a966496f188763671cb72a2fcb25455f65f8d270027cc  crypto/evp/mac_lib.c
+5b8b0bcd4b720b66ce6bc54090ec333891126bb7f6cce4502daf2333668c3db9  crypto/evp/mac_lib.c
 e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3  crypto/evp/mac_meth.c
-cd2902a111d200417d04f0422451b3760a67fc21cd1f9ca3b02200dc91b8b916  crypto/evp/p_lib.c
+b976077a1f880768f2f0a1c996a53dfdd363605e4977c56fb37e9c1f84f35aa6  crypto/evp/p_lib.c
 3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622  crypto/evp/pmeth_check.c
 bbce11755bcc5ba2ee8e9c1eb95905447136f614fdc2b0f74cf785fe81ead6a5  crypto/evp/pmeth_gn.c
-fdaddf5c4b274d83292a5121d9b0541dce82fb83e59d64d48a93964840421f30  crypto/evp/pmeth_lib.c
-c2158cf4f1d149889746665501035f38049dc1cdcea8c61cd377c0c3be6b8a43  crypto/evp/signature.c
+76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d  crypto/evp/pmeth_lib.c
+f3a5cbbccb1078cf1fafd74c4caa9f30827081832fbe6dfa5579b17ef809776c  crypto/evp/signature.c
 b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac  crypto/ex_data.c
 00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8  crypto/ffc/ffc_backend.c
 ead786b4f5689ab69d6cca5d49e513e0f90cb558b67e6c5898255f2671f1393d  crypto/ffc/ffc_dh.c
@@ -245,18 +245,18 @@ e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41  crypto/modes/w
 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2  crypto/modes/xts128.c
 ca8f63ee71797f51c2bf5629190897306b3308882feb3d64c982239f18e8b738  crypto/o_str.c
 7b8d9f5dfe00460df5fbcfd4a5f2f36128020ebd2ced85ff5071b91f98740b2e  crypto/packet.c
-e30c9e30e4356621236136caf001ee60d51aac492a5bf0fb7f1022b973aec425  crypto/param_build.c
+cc4483ec9ba7a30908e3a433a6817e2f211d4c1f69c206e6bae24bbd39a68281  crypto/param_build.c
 c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb  crypto/param_build_set.c
 02dfeb286c85567bb1b6323a53c089ba66447db97695cc78eceb6677fbc76bf9  crypto/params.c
 4f2a8c9acf5898fdc1e4bf98813049947221cd9a1db04faaa490250591f54cb4  crypto/params_dup.c
-d0f6af3e89a693f0327e1bf073666cbec6786220ef3b3688ef0be9539d5ab6bf  crypto/params_from_text.c
+a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3  crypto/params_from_text.c
 2140778d5f35e503e22b173736e18ff84406f6657463e8ff9e7b91a78aa686d3  crypto/property/defn_cache.c
-ed7724ac6350afe2ac49498f894259b40176092ebdfeff9e9afa3e28681442fe  crypto/property/property.c
-726b1102bfffd0b1f18759e6373fc21d491dd001f21a0a4c3d26d6867f39623c  crypto/property/property_local.h
-5d780fd1a656db32a0292d2692690f69aa1b977646282f4884f17dca861fe681  crypto/property/property_parse.c
-43259a466b118d938e4480f4e6f46aaa8eab452f971ff0788e2eb8369ff1b5ec  crypto/property/property_query.c
+b09bfc2cdde7ab703b54630a67cc8d01ca92af402be246e5a9f82d176abd9442  crypto/property/property.c
+a2c69527b60692a8b07cfdfe7e75f654daa092411d5de5e02b446a4ef3752855  crypto/property/property_local.h
+c3217b73871d93d81ab9f15e9f1fc37ea609bbe4bbc0c1b84ec62a99c91f6756  crypto/property/property_parse.c
+a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3  crypto/property/property_query.c
 065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d  crypto/property/property_string.c
-a065691f37df209ce2ab5ce721e6fc45008e2f00edfbad0ceaa5ef2a0cfee23d  crypto/provider_core.c
+c56fb722699e1148dc392bad8069292e6521e7498c8aa9572661af118ff59e16  crypto/provider_core.c
 d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89  crypto/provider_local.h
 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9  crypto/provider_predefined.c
 5d16318d3a36b06145af74afa3523109768990a33457c81895c7ab8a830654f8  crypto/rand/rand_lib.c
@@ -333,10 +333,10 @@ b39e5ba863af36e455cc5864fe8c5d0fc05a6aaef0d528a115951d1248e8fa8b  crypto/stack/s
 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8  crypto/threads_lib.c
 a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c  crypto/threads_none.c
 ebb210a22c280839853920bee245eb769c713ab99cb35a468ed2b1df0d112a7f  crypto/threads_pthread.c
-60bdd9213c67c4d9a287cb57517eca63913c134ef57fcb102b641eb56ddce19a  crypto/threads_win.c
+68e1cdeb948d3a106b5a27b76bcddbae6bb053b2bdc4a21a1fec9797a00cd904  crypto/threads_win.c
 fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd  crypto/x86_64cpuid.pl
 d13560a5f8a66d7b956d54cd6bf24eade529d686992d243bfb312376a57b475e  e_os.h
-4dab31beb4bbd9275a914839f590eaa328cc8ddec3561acd3e6fae0606758b32  include/crypto/aes_platform.h
+6f353dc7c8c4d8f24f7ffbf920668ccb224ebb5810805a7c80d96770cd858005  include/crypto/aes_platform.h
 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee  include/crypto/asn1_dsa.h
 8ce1b35c6924555ef316c7c51d6c27656869e6da7f513f45b7a7051579e3e54d  include/crypto/bn.h
 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df  include/crypto/bn_conf.h.in
@@ -348,11 +348,11 @@ e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504  include/crypto
 7ddd70f02371c7bd190414369d2bbe7c9c6d2de085dfe1e3eab0c4082f803ca1  include/crypto/dsa.h
 2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574  include/crypto/ec.h
 edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858  include/crypto/ecx.h
-1930dcf277bba1f458bcb1b74bba2db0fd28a8e047d8ceef5bf6973075167bdd  include/crypto/evp.h
+782ea27154525789cd49afd36a8056457dfab4ea662481b502363cc0a55ed34e  include/crypto/evp.h
 bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6  include/crypto/lhash.h
 162812058c69f65a824906193057cd3edeabc22f51a4220aea7cb9064379a9b6  include/crypto/md32_common.h
 f12bfc145290444bcc7bf408874bded348e742443c145b8b5bc70ae558d96c31  include/crypto/modes.h
-11734df47031edd5fd025313ab10d3cfd777920760c023f0bc7019d0653e73df  include/crypto/rand.h
+0e4472433ca4008aa4fc9234761be70f323a22a4519bb9d62728dc001d606f04  include/crypto/rand.h
 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09  include/crypto/rand_pool.h
 bd5ce686c97a8a3a0e3d7ca1e4f16706fd51df5da9673169303a4428d62da233  include/crypto/rsa.h
 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401  include/crypto/security_bits.h
@@ -361,7 +361,7 @@ bd5ce686c97a8a3a0e3d7ca1e4f16706fd51df5da9673169303a4428d62da233  include/crypto
 5bfeea62d21b7cb43d9a819c5cd2800f02ea019687a8331abf313d615889ad37  include/crypto/types.h
 a1778b610a244f49317a09e1e6c78b5fb68bc6d003ffdea0f6eefe5733ee5b5f  include/internal/bio.h
 92aacb3e49288f91b44f97e41933e88fe455706e1dd21a365683c2ab545db131  include/internal/constant_time.h
-28195bbbe81d831792f07485287fd3ac400e03f1f1733a19e3f7115c0f1828f6  include/internal/core.h
+71ddae419297069056065ab71f32fe88b09ddbe4db2200a759fedd8ad4349628  include/internal/core.h
 d7ddeab97434a21cb2cad1935a3cb130f6cd0b3c75322463d431c5eab3ab1ae1  include/internal/cryptlib.h
 9571cfd3d5666749084b354a6d65adee443deeb5713a58c098c7b03bc69dbc63  include/internal/deprecated.h
 8a2371f964cbb7fc3916583d2a4cee5c56f98595dfa30bd60c71637811a6d9da  include/internal/der.h
@@ -374,9 +374,9 @@ b02701592960eb4608bb83b297eed90184004828c7fc03ea81568062f347623d  include/intern
 ae41a2fb41bf592bbb47e4855cf4efd9ef85fc11f910a7e195ceef78fb4321dc  include/internal/numbers.h
 ea1bec4f1fff37aef8d4a62745bb451baa3e3ad20ba1bc68920a24f5cbb2f0a7  include/internal/packet.h
 dd7ddecf30bef3002313e6b776ce34d660931e783b2f6edacf64c7c6e729e688  include/internal/param_build_set.h
-d10417cb2dc5b9f04d98decc641ffcfd2efd3a23fbf4d7fcf69941812d62487a  include/internal/property.h
+0cee1d5908e8e262b88554e71a0a52fa3a8c2a30a9bf782bdf2b89364840bde6  include/internal/property.h
 727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635  include/internal/propertyerr.h
-772a7a733103ead30439959f8d06e904af53d738021ff752b234fdded393521a  include/internal/provider.h
+94e90e25183c244b20c344885d2b8386a85475afaa3e7885a84bc64566558f26  include/internal/provider.h
 5af9a40c44def13576fe2c0eb082fb73c3565c5e00f902d51b1ed1593d481ccb  include/internal/refcount.h
 11ee9893f7774c83fcfdee6e0ca593af3d28b779107883553facdbfdae3a68f5  include/internal/sha3.h
 494ab5c802716bf38032986674fb094dde927a21752fe395d82e6044d81801d1  include/internal/sizes.h
@@ -399,11 +399,11 @@ ea344bb0b690d4e47c99e83f6692b970c9b54a4520296bb2d3ddbcbdf0d51653  include/openss
 f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3  include/openssl/conferr.h
 02a1baff7b71a298419c6c5dcb43eaa9cc13e9beeb88c03fb14854b4e84e8862  include/openssl/configuration.h.in
 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7  include/openssl/conftypes.h
-792488b5d6bb87a5138322d7a6ae011faa279918321af62e76fa018e1a991c93  include/openssl/core.h
+df5e60af861665675e4a00d40d15e36884f940e3379c7b45c9f717eaf1942697  include/openssl/core.h
 00110e80b9b4f621c604ea99f05e7a75d3db4721fc2779224e6fa7e52f06e345  include/openssl/core_dispatch.h
 cbd9d7855ca3ba4240207fc025c22bbfef7411116446ff63511e336a0559bed0  include/openssl/core_names.h
 d165f5c61bfe17ba366a3ba94afb30d3c8ce6b21e9cff59a15f3622f2654ae49  include/openssl/crypto.h.in
-06e9f521a6e98e104cdf37260ce967d928e25d424e0013f1feb3ff4da18eaec0  include/openssl/cryptoerr.h
+1d1697bd3e35920ff9eaec23c29472d727a7fc4d108150957f41f6f5ecf80f1a  include/openssl/cryptoerr.h
 bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6  include/openssl/cryptoerr_legacy.h
 fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d  include/openssl/des.h
 3a57eceec58ab781d79cb0458c2251a233f45ba0ef8f414d148c55ac2dff1bc8  include/openssl/dh.h
@@ -486,7 +486,7 @@ a4dc9bf2d77e34175737b7b8d28fbe90815ac0e2904e3ac2d9e2a271f345ef20  providers/fips
 fdbaf748044ce54f13e673b92db876e32436e4d5644f443cc43d063112a89676  providers/fips/self_test.c
 f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3  providers/fips/self_test.h
 7a23cc81ca7542325634891d1982c70e68a27914b088a51ca60249d54031bfc2  providers/fips/self_test_data.inc
-85c068c86363777941e226a37b3cba23c78f963eda2bd848f66af4a7eedc0e21  providers/fips/self_test_kats.c
+2f4f23ebc2c7ed5ef71c98ca71f06b639112a1dea04784c46af58083482c150f  providers/fips/self_test_kats.c
 f054b24ea53ad5db41dd7f37f20f42166ed68b832121a94858cb0173b1aaeb1d  providers/implementations/asymciphers/rsa_enc.c
 4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a  providers/implementations/ciphers/cipher_aes.c
 f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2  providers/implementations/ciphers/cipher_aes.h
@@ -538,45 +538,45 @@ de342d04be6af69037922d5c97bdc40c0c27f6740636e72786a765d0d8ad9173  providers/impl
 6dc876a1a785420e84210f085be6e4c7aca407ffb5433dbca4cd3f1c11bb7f06  providers/implementations/include/prov/ciphercommon_aead.h
 dd07797d61988fd4124cfb920616df672938da80649fac5977bfd061c981edc5  providers/implementations/include/prov/ciphercommon_ccm.h
 0c1e99d70155402a790e4de65923228c8df8ad970741caccfe8b513837457d7f  providers/implementations/include/prov/ciphercommon_gcm.h
-79a5ed6e4a97431233c56eede9d9c9eec27598fff53590c627ea40bd5b871fd5  providers/implementations/include/prov/digestcommon.h
-c47c960398bad27844f837e68d19df3912e2c9497362789b3d5c858ca4f9242b  providers/implementations/include/prov/implementations.h
+b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b  providers/implementations/include/prov/digestcommon.h
+f7017afcde9e5477b0542ca0eff31edfbd8a3488b28bfdd66db56c78c72329c6  providers/implementations/include/prov/implementations.h
 5f09fc71874b00419d71646714f21ebbdcceda277463b6f77d3d3ea6946914e8  providers/implementations/include/prov/kdfexchange.h
 c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af  providers/implementations/include/prov/macsignature.h
 29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1  providers/implementations/include/prov/names.h
 2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda  providers/implementations/include/prov/seeding.h
 432e2d5e467a50bd031a6b94b27072f5d66f4fadb6d62c9bfd9453d444c2aedf  providers/implementations/kdfs/hkdf.c
-b2e971a5a5d91da121db468cd8c8501c154643120dae31bb674e758c6403ad14  providers/implementations/kdfs/kbkdf.c
-fb62e76d7d751bf3b4c39157d601aa0a16477bb9335121ec6649ba7176a43f8d  providers/implementations/kdfs/pbkdf2.c
+06c93b62806819ee51f69c899413fda5be2435d43a70ef467b77a7296cd9528a  providers/implementations/kdfs/kbkdf.c
+e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d  providers/implementations/kdfs/pbkdf2.c
 c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c  providers/implementations/kdfs/pbkdf2.h
 abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc  providers/implementations/kdfs/pbkdf2_fips.c
-09efa4d172009398bb9b7256822a32a191bf296297480d1ce3ee6a0fa6eae202  providers/implementations/kdfs/sshkdf.c
-5b30c7a7d0b3e6c511aa876cbec3cf206d67899b5f5116b333857877b79555dc  providers/implementations/kdfs/sskdf.c
+66d30c754c1e16d97a8e989f7f2e89eab59ec40ca3731dea664ba56ec38c4002  providers/implementations/kdfs/sshkdf.c
+7c692170729ab1d648564abdbf9bcbba5071f9a81a25fab9eae66899316bcd4a  providers/implementations/kdfs/sskdf.c
 3c46ec0e14be09a133d709c3a1c3d5ab05a4f1ed5385c3e7a1afb2f0ee47ef7a  providers/implementations/kdfs/tls1_prf.c
 27bb6ee5e2d00c545635c0c29402b10e74a1831adbc9800c159cbe04f2bfa2f7  providers/implementations/kdfs/x942kdf.c
 f419a9f6b17cfba1543a3690326188ac8335db66807c58de211a3d69e18f7d4d  providers/implementations/kem/rsa_kem.c
-b2055b38d436e918a06ccdb095ba888ae4d650f5d57c58cc1ce5f0a367f92852  providers/implementations/keymgmt/dh_kmgmt.c
-a06a0c2ff67772da75f2498ec5390a84a9cb221b70974e687e6e48cdf719004d  providers/implementations/keymgmt/dsa_kmgmt.c
-a388e52f059331a8636c6b73fc7cc03c8d51a585f2a8ae1a5e21bd967db9f9f5  providers/implementations/keymgmt/ec_kmgmt.c
+6878218c16d5c9c308a414af67790e11912ced638ba9e64668912ec98ca20d9d  providers/implementations/keymgmt/dh_kmgmt.c
+4f9e8263d529f619766be73a11223b8a3dfaf46b506c17b44d8a1cd9d2eaee54  providers/implementations/keymgmt/dsa_kmgmt.c
+3e2798d299d6571c973fc75468e2ac025b7c893ae2f15f14e057430325622a69  providers/implementations/keymgmt/ec_kmgmt.c
 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251  providers/implementations/keymgmt/ec_kmgmt_imexport.inc
-75b23aa264e2935794ce5e0420e3815f798c8d6aa82abb1447f0a2c10ce475b5  providers/implementations/keymgmt/ecx_kmgmt.c
+085e1cf54941fa1c1e423b4a75b820945a1c05d1c347d4910d9a772b8c9d9f3a  providers/implementations/keymgmt/ecx_kmgmt.c
 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b  providers/implementations/keymgmt/kdf_legacy_kmgmt.c
-bcb51fe05014ade575494b44c55b1a0b3dc404e31ff7acee40bb2f63a8f6712f  providers/implementations/keymgmt/mac_legacy_kmgmt.c
-464d6f9236351e7dc3b991f5bba142c7aabcf2db3c236367332a9dd0308ddfac  providers/implementations/keymgmt/rsa_kmgmt.c
+260c560930c5aca61225a40ed49dfbb905f2b1fa50728d1388e946358f9d5e18  providers/implementations/keymgmt/mac_legacy_kmgmt.c
+9c16e76419aeb422d189ff7c5bf9a07f37abb54043dd47e48d450d68329de933  providers/implementations/keymgmt/rsa_kmgmt.c
 79da66d4b696388d7eab6b2126bccc88908915813d79c4305b8b4d545a500469  providers/implementations/macs/cmac_prov.c
 41464d1e640434bb3ff9998f093829d5e2c1963d68033dca7d31e5ab75365fb1  providers/implementations/macs/gmac_prov.c
 282c1065f18c87073529ed1bdc2c0b3a1967701728084de6632ddc72c671d209  providers/implementations/macs/hmac_prov.c
 aa7ba1d39ea4e3347294eb50b4dfcb895ef1a22bd6117d3b076a74e9ff11c242  providers/implementations/macs/kmac_prov.c
 bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c  providers/implementations/rands/crngt.c
-f6c4b38dd1c22d562ef8b172218b688070336dc43550f40af01bb2e77eb3ea4d  providers/implementations/rands/drbg.c
+f8d24c882fda71c117a00bf4e6c7ffb6b88946c16a816249a5a7499dbdff712d  providers/implementations/rands/drbg.c
 b1e7a0b2610aaab5800af7ede0df13a184f4a321a4084652cdb509357c55783b  providers/implementations/rands/drbg_ctr.c
 a05adc3f6d9d6f948e5ead75f0522ed3164cb5b2d301169242f3cb97c4a7fac3  providers/implementations/rands/drbg_hash.c
 0876dfae991028c569631938946e458e6829cacf4cfb673d2b144ae50a3160bb  providers/implementations/rands/drbg_hmac.c
 fc43558964bdf12442d3f6ab6cc3e6849f7adb42f4d0123a1279819befcf71cb  providers/implementations/rands/drbg_local.h
-888a671934abef4225956f9931cff842f245f90660e11f23a55228edca962e16  providers/implementations/rands/test_rng.c
-9b9111a1502badf60c5e93603bb8841e62c6541ff82e356fb8c1ca31bd374b0a  providers/implementations/signature/dsa_sig.c
-bcacc02b7c92a20acf32b3d26b1a8f2bf8d4cab4ef97b91cfaa3e2062a7b839f  providers/implementations/signature/ecdsa_sig.c
-2f2b974819c29112144c1086e61dd6fd7bd3ebd924376f8ebdcff9f477a821c7  providers/implementations/signature/eddsa_sig.c
-762b49aa68fa7cd15c0496c35a23acb85df9588c8bb4ecb54438f86cc06ce13d  providers/implementations/signature/mac_legacy_sig.c
-c35f9ceff14f539526e568afc7e52282d732be9f0ff4bd9fbb9da9c4d3a663ef  providers/implementations/signature/rsa_sig.c
-737b9afe8f03f58797034ae906f982179677f5a9cf42965468f7126cf15e6694  ssl/record/tls_pad.c
+04339b66c10017229ef368cb48077f58a252ebfda9ab12b9f919e4149b1036ed  providers/implementations/rands/test_rng.c
+cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2  providers/implementations/signature/dsa_sig.c
+a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df  providers/implementations/signature/ecdsa_sig.c
+b057870cf8be1fd28834670fb092f0e6f202424c7ae19282fe9df4e52c9ce036  providers/implementations/signature/eddsa_sig.c
+3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9  providers/implementations/signature/mac_legacy_sig.c
+cee0e3304cc365ef76b422363ef12affc4d03670fd2ab2c8f3babc38f9d5db37  providers/implementations/signature/rsa_sig.c
+c8df17850314b145ca83d4037207d6bf0994f9c34e6e55116860cf575df58e81  ssl/record/tls_pad.c
 3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636  ssl/s3_cbc.c
diff --git a/providers/fips.checksum b/providers/fips.checksum
index e9e7ad2ea0..d6a8665160 100644
--- a/providers/fips.checksum
+++ b/providers/fips.checksum
@@ -1 +1 @@
-bbbd640470428086f7a658e7020fa73149e276e594412a83347ca1782c0e0486  providers/fips-sources.checksums
+a59d74b7f6b55bd9d58d55876562fdd00d28dbb3c942ae80ccea859da4624f1d  providers/fips-sources.checksums
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 34351c161c..21ce168481 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -362,6 +362,13 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
     c->cert_cb_arg = arg;
 }
 
+/*
+ * Verify a certificate chain
+ * Return codes:
+ *  1: Verify success
+ *  0: Verify failure or error
+ * -1: Retry required
+ */
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 {
     X509 *x;
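
Review bot: the new comment lists "-1: Retry required" without saying which path can produce it. Further down in this function a negative result from X509_verify_cert() is folded into 0, so -1 can only come from s->ctx->app_verify_callback; naming the callback as the source would tell callers when a retry is actually possible. It would also help to say that 0 covers both a verification failure and an internal error, with the detail available in s->verify_result.
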
@@ -423,10 +430,14 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
     if (s->verify_callback)
         X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback);
 
-    if (s->ctx->app_verify_callback != NULL)
+    if (s->ctx->app_verify_callback != NULL) {
         i = s->ctx->app_verify_callback(ctx, s->ctx->app_verify_arg);
-    else
+    } else {
         i = X509_verify_cert(ctx);
+        /* We treat an error in the same way as a failure to verify */
+        if (i < 0)
+            i = 0;
+    }
 
     s->verify_result = X509_STORE_CTX_get_error(ctx);
     sk_X509_pop_free(s->verified_chain, X509_free);
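
Review bot: only the X509_verify_cert() branch is normalised; the value returned by s->ctx->app_verify_callback is stored in i unchanged, so a callback that returns a negative value other than -1 falls outside the three return codes documented above the function. Either clamp that branch as well (keep -1, map other negatives to 0) or state in the comment that the callback's contract is trusted. The inline comment could also say why the clamp exists: a negative i would otherwise be read by the caller as "retry required" rather than as a failure.
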
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d12d1e947e..c93c6b1f21 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1878,7 +1878,7 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst)
      * (less clean) historic behaviour of performing validation if any flag is
      * set. The *documented* interface remains the same.
      */
-    if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
+    if (s->verify_mode != SSL_VERIFY_NONE && i == 0) {
         SSLfatal(s, ssl_x509err2alert(s->verify_result),
                  SSL_R_CERTIFICATE_VERIFY_FAILED);
         return WORK_ERROR;
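
Review bot: with the test changed from i <= 0 to i == 0, a negative i no longer reaches SSLfatal() in this condition, and the lines shown here do not show where a negative value is handled. The block comment above still describes only the verify_mode behaviour; add a sentence saying that a negative value means retry and is dealt with before this point, and confirm that no path continues the handshake with i < 0 while verify_mode is not SSL_VERIFY_NONE.
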
diff --git a/test/bio_enc_test.c b/test/bio_enc_test.c
index ec02628f84..b383cdce1c 100644
--- a/test/bio_enc_test.c
+++ b/test/bio_enc_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/test/bio_prefix_text.c b/test/bio_prefix_text.c
index 79ff8ec4a2..d31b71b4ce 100644
--- a/test/bio_prefix_text.c
+++ b/test/bio_prefix_text.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/test/certs/goodcn2-cert.pem b/test/certs/goodcn2-cert.pem
new file mode 100644
index 0000000000..d22f899636
--- /dev/null
+++ b/test/certs/goodcn2-cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe
+kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0
+UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B
+0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR
+Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9
+QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX
+dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn
+ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8
+S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM
+D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2
+1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L
+yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg
+fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK
+-----END CERTIFICATE-----
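
Review bot: the new fixture is an opaque PEM blob and nothing in this hunk records how it was produced. Add the mkcert.sh invocation (the new geneeconfig helper, if that is what generated it) to the commit message or next to the file, so the certificate can be regenerated and the property the test depends on can be checked without decoding it by hand.
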
diff --git a/test/certs/ncca1-cert.pem b/test/certs/goodcn2-chain.pem
similarity index 52%
copy from test/certs/ncca1-cert.pem
copy to test/certs/goodcn2-chain.pem
index 68cb870f18..01b7f47f7d 100644
--- a/test/certs/ncca1-cert.pem
+++ b/test/certs/goodcn2-chain.pem
@@ -1,4 +1,23 @@
 -----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0
+IE5DIENBIDEwIBcNMjExMjAyMTcyNTAyWhgPMjEyMTEyMDMxNzI1MDJaMDwxIzAh
+BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu
+Z29vZC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqx1t7HiPe
+kRAWdiGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0
+UZ6RZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B
+0led8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJR
+Ig93qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9
+QDyJVuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmX
+dwSp0LEmQb/DAgMBAAGjTTBLMB0GA1UdDgQWBBSfJPZqs1tk+xjjDrovr13ORDWn
+ojAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAEKXs56hB4DOO1vJe7pByfCHU33ij/ux7u68BdkDQ8
+S9SNaoD7h1XNSmC8kKULvpoKctJzJxh1IH4wtvGGGXsUt1By0a6Y5SnKW9/mG4NM
+D4fGea0G2AeI8BHFs6vl8voYK9wgx9Ygus3Kj/8h6V7t2zB8ZhhVqpZkAQEjj0C2
+1IV273wD0VdZl7uB+MEKk+7eTjNMeo6JzlBBf5GhtA1WbLNdszMfI0ljo7HAX+9L
+yco0xKSKkZQ+v7VdJBfC6odp+epPMZqfyHrkFzUr8XRJfriP1lydPK7AbXLVrLJg
+fIXCvUdxQx4B1LaclUDORL5r2tRhRYdAEKtUz7RpQzJK
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
 MIIDZjCCAk6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
 IENBMCAXDTIwMTIxMjIwMTk0NFoYDzIxMjAxMjEzMjAxOTQ0WjAXMRUwEwYDVQQD
 DAxUZXN0IE5DIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC
diff --git a/test/certs/goodcn2-key.pem b/test/certs/goodcn2-key.pem
new file mode 100644
index 0000000000..09337552a7
--- /dev/null
+++ b/test/certs/goodcn2-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDqx1t7HiPekRAW
+diGUt4pklKGZ7338An6R7/y0e/8Grx2jeUfyc19BAB7MW1p8L+zdMjbclNE0UZ6R
+ZZNexfgMksNI/nW+4Lzu8qu2wFx1MjbTpMT8w/vnsGBMthxLu6+2wdnpdD1B0led
+8xu7PSBgVULqyHcUvoLeRGEsB14yGx7dbIsokYxno1nr4u3BK5ic9KTTSxJRIg93
+qwo2pAZR7mfnOo33B9alhzvSwmEKJ9v7pERDnIP5ED0HaWFAeXl7GFgoH2y9QDyJ
+VuwWsoSWIx4Mr8UIr0IbVJU6KsqEiqqc5P5rX/y4tYMkpHZd9U1EONd2uwmXdwSp
+0LEmQb/DAgMBAAECggEAIdXrXDoCx1+2ptYNjuZIvqghBhNa38foP9YLYGOCZI82
+QUoIUWvJLY/74E3GI6GwjExhVbbo05ZzuNafv4fecMlx9YIerAytje5RSvw8FvPO
+rP/RF/CSzFhB+KxCNbPt5fPYGOoUrfjHgc74jyqHEPsYsseDSe0O5UOLkZHaRHQX
+bOhj/lXCN1KKsK+UXscRO55T5SRmHAe4RWaXX3Z4H6FGabKY+AVkT5GWq814PIFU
+amoch4TwAKgAY8h7kpkfVgLNe3hLddLU0roakfM1cZdpf9n0EGGi21KluNvSa09a
+tiDifv5WDkIQ/Ca2fUvE27atMb1gm4bUzp5OoTWhoQKBgQDrfuxqvouVvM3AyxUY
+e6r7vegg5NiODjpBlT/QUqJjhqTSw6Tq4/f5VWnLy3bzipwvzxFQ8E2LjQMtl2Su
+aQ8jSb9jwpmmWCoOecRExWgboYPzpczhnXpF4DIYhyomBKTBVbk9EI0wJ/tx9F1B
+XCHhA3z8tJvkPTM+QAGGJxdcEQKBgQD/OHN4ujRZ5NgXZp4L9VDosMREvRUbwz+4
+7fgQ70JKdWIVbKFa5/TVIObspLZoRI0jaa4OaaE3v6rqF/yxdPsaPAXW7URR7K52
+HbI41skH0bcflISDdeTpqmlIRAzHG7MeAobV/ARmCnLpa7Lt4p8wT+zAzuY+ncv3
+DabNjePCkwKBgQDoVH/Jj9MGFw6mdbSKQvedBO5OBXfgLgkrSqN6UwwCRIO3q2y4
+j8/FHI8Tj9f6zXTpddAPmgPm+Wd5QzMBHoTgu5EmSoZrpe9X+Km5b0gWenJDnf9T
+Vpma9mR17mOWvl4MnxXxOLMSH1/iPMMECHEkHNziMwzZT8eOUncucsKJAQKBgEnp
+62c3ZhnysLJ2Qads8HWzW+QcbpSPw1CneoRNBoHR5QoXX9OYAcwHr1kxirI/yDBN
+Vt9NsCcZF0Kcl8489svuPjK0nGithwkmKItViPr+vW4j8QyxhA44EC2hp6GyX/l8
++dfXGN8Ef6siSbujOj8fpo1gXkYcJQnzpi85vJCJAoGAdheX12Afx94YbljuaCdT
+T/E+t6xHHnDCpETHmsLh53H03Kv91JCrANMu+BZzKUXI+FW06GJB43S26hF5s+k5
+ZAjJKpgbVC1Jo4Zq5SjlCQhiOvwJ9rt2/6g7qzHZsQMjY/FZKd+8PMgPxWkvjeI7
+lAagooTJyC/VDf6LB05mitg=
+-----END PRIVATE KEY-----
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 8ccf7bc6e3..c3f7ac14b5 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -195,6 +195,23 @@ genpc() {
 	 -set_serial 2 -days "${DAYS}"
 }
 
+geneeconfig() {
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+    local conf=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n" \
+        "subjectKeyIdentifier = hash" \
+        "authorityKeyIdentifier = keyid" \
+        "basicConstraints = CA:false"; \
+        echo "$conf")
+
+    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+        -set_serial 2 -days "${DAYS}"
+}
+
 # Usage: $0 geneealt keyname certname cakeyname cacertname alt1 alt2 ...
 #
 # Note: takes csr on stdin, so must be used with $0 req like this:
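Review bot: The printf format in the new geneeconfig() carries four "%s\n" conversions but only three arguments now follow it, since "subjectAltName = @alts" moved out to the caller. The fourth conversion expands to an empty string, so a stray blank line lands between "basicConstraints = CA:false" and the contents of $conf. Drop one "%s\n" from the format. Two smaller points in the same function: exts is assigned without local, and key is read from $1 but never used in the body. geneeconfig() also has no "# Usage:" comment, unlike geneealt directly below it, so the expected content of the fifth argument (a block of extension config lines) and the requirement to feed the CSR on stdin are undocumented.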
@@ -206,15 +223,11 @@ geneealt() {
     local cakey=$1; shift
     local ca=$1; shift
 
-    exts=$(printf "%s\n%s\n%s\n%s\n" \
-	    "subjectKeyIdentifier = hash" \
-	    "authorityKeyIdentifier = keyid" \
-	    "basicConstraints = CA:false" \
-	    "subjectAltName = @alts";
+    conf=$(echo "subjectAltName = @alts"
            echo "[alts]";
-           for x in "$@"; do echo $x; done)
-    cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
-	 -set_serial 2 -days "${DAYS}"
+           for x in "$@"; do echo "$x"; done)
+
+    geneeconfig $key $cert $cakey $ca "$conf"
 }
 
 genee() {
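Review bot: The new call geneeconfig $key $cert $cakey $ca "$conf" leaves the first four expansions unquoted, while the same hunk takes care to quote "$x" in the loop. A key or certificate name containing whitespace or glob characters would be split before geneeconfig's positional shifts see it, and each argument would land in the wrong variable. Quote them: geneeconfig "$key" "$cert" "$cakey" "$ca" "$conf".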
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index f1d5d5187c..21f9355b8b 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -282,6 +282,12 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
     ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \
     "IP = 127.0.0.1" "IP = 192.168.0.1"
 
+# all DNS-like CNs allowed by CA1, no SANs
+
+./mkcert.sh req goodcn2-key "O = Good NC Test Certificate 1" \
+    "CN=www.good.org" | \
+    ./mkcert.sh geneeconfig goodcn2-key goodcn2-cert ncca1-key ncca1-cert
+
 # Some DNS-like CNs not permitted by CA1, no DNS SANs.
 
 ./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \
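Review bot: The added invocation passes only four arguments to geneeconfig (goodcn2-key goodcn2-cert ncca1-key ncca1-cert), but the function reads a fifth with local conf=$1; shift. Here conf ends up empty and the final shift runs with no positional parameters left, which returns non-zero and would abort the script under set -e. Either pass an explicit empty string at this call site or have geneeconfig read the argument as optional, so that the "no SAN extension" case is a deliberate, visible input rather than a side effect of a missing argument.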
diff --git a/test/packettest.c b/test/packettest.c
index e8aec47446..b82b9fb502 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
index f37b7bcb98..4da1e64cb6 100644
--- a/test/recipes/05-test_rand.t
+++ b/test/recipes/05-test_rand.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index bcd823bcfb..700bbd849c 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -29,7 +29,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 159;
+plan tests => 160;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -337,6 +337,9 @@ ok(verify("alt3-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
 ok(verify("goodcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
    "Name Constraints CNs permitted");
 
+ok(verify("goodcn2-cert", "", ["root-cert"], ["ncca1-cert"], ),
+   "Name Constraints CNs permitted - no SAN extension");
+
 ok(!verify("badcn1-cert", "", ["root-cert"], ["ncca1-cert"], ),
    "Name Constraints CNs not permitted");
 
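Review bot: The added case covers only the permitted direction for a leaf with no SAN extension, so a regression that skips name-constraint checking whenever the SAN extension is absent would still pass it. The neighbouring badcn1-cert is described in setup.sh as having "no DNS SANs", which is not the same as having no SAN extension at all. Consider a companion negative test: a certificate issued under ncca1-cert with no SAN extension and a DNS-like CN outside the permitted names, asserted with ok(!verify(...)).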
diff --git a/test/recipes/30-test_engine.t b/test/recipes/30-test_engine.t
index 88db8ec9a7..d66c8b60c8 100644
--- a/test/recipes/30-test_engine.t
+++ b/test/recipes/30-test_engine.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
diff --git a/test/recipes/80-test_dane.t b/test/recipes/80-test_dane.t
index 6f8df8e990..3191f964dc 100644
--- a/test/recipes/80-test_dane.t
+++ b/test/recipes/80-test_dane.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
diff --git a/test/ssl-tests/01-simple.cnf b/test/ssl-tests/01-simple.cnf
index 7fc23f0b69..dfdd3ee337 100644
--- a/test/ssl-tests/01-simple.cnf
+++ b/test/ssl-tests/01-simple.cnf
@@ -1,10 +1,11 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 3
+num_tests = 4
 
 test-0 = 0-default
 test-1 = 1-Server signature algorithms bug
 test-2 = 2-verify-cert
+test-3 = 3-name-constraints-no-san-in-ee
 # ===========================================================
 
 [0-default]
@@ -76,3 +77,26 @@ ExpectedClientAlert = UnknownCA
 ExpectedResult = ClientFail
 
 
+# ===========================================================
+
+[3-name-constraints-no-san-in-ee]
+ssl_conf = 3-name-constraints-no-san-in-ee-ssl
+
+[3-name-constraints-no-san-in-ee-ssl]
+server = 3-name-constraints-no-san-in-ee-server
+client = 3-name-constraints-no-san-in-ee-client
+
+[3-name-constraints-no-san-in-ee-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/goodcn2-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/goodcn2-key.pem
+
+[3-name-constraints-no-san-in-ee-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/01-simple.cnf.in b/test/ssl-tests/01-simple.cnf.in
index 645b11382c..bcd41e3065 100644
--- a/test/ssl-tests/01-simple.cnf.in
+++ b/test/ssl-tests/01-simple.cnf.in
@@ -1,5 +1,5 @@
 # -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -39,4 +39,16 @@ our @tests = (
           "ExpectedClientAlert" => "UnknownCA",
         },
     },
+
+    {
+        name => "name-constraints-no-san-in-ee",
+        server => {
+            "Certificate" => test_pem("goodcn2-chain.pem"),
+            "PrivateKey"  => test_pem("goodcn2-key.pem"),
+        },
+        client => {
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+        },
+        test   => { "ExpectedResult" => "Success" },
+    },
 );
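Review bot: The server entry references goodcn2-chain.pem, but the setup.sh hunk in this patch records only the generation of goodcn2-key and goodcn2-cert, so there is no documented way to regenerate the chain file. Add the step that builds goodcn2-chain.pem (the leaf followed by the ncca1 intermediate) to setup.sh next to the goodcn2 lines. It would also help to put a one-line comment above this entry stating that the leaf has no SAN extension and sits under a name-constrained CA, since the test name is the only hint of what "Success" is meant to prove.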
diff --git a/test/testutil/tests.c b/test/testutil/tests.c
index b431657e05..ef7e224cd1 100644
--- a/test/testutil/tests.c
+++ b/test/testutil/tests.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/test/testutil/testutil_init.c b/test/testutil/testutil_init.c
index 3301551ab2..87013694c2 100644
--- a/test/testutil/testutil_init.c
+++ b/test/testutil/testutil_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/util/mkpod2html.pl b/util/mkpod2html.pl
index ea1164d597..cc2ab9d32a 100755
--- a/util/mkpod2html.pl
+++ b/util/mkpod2html.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy

