libressl: Update to 4.3.1

pkg/libressl/gen.lua

@@ -574,7 +574,6 @@ lib('libssl.a', [[ssl/(
 	ssl_kex.c
 	ssl_lib.c
 	ssl_methods.c
-	ssl_packet.c
 	ssl_pkt.c
 	ssl_rsa.c
 	ssl_seclevel.c

pkg/libressl/patch/0004-Avoid-implicit-pointer-sign-conversions.patch

@@ -1,4 +1,4 @@
-From 89e3854e0e38996edb165111a24b1bf498b392dc Mon Sep 17 00:00:00 2001
+From 44bc6dfcdd2581f64fc869c8863dd590ea947033 Mon Sep 17 00:00:00 2001
 From: Michael Forney <mforney@mforney.org>
 Date: Thu, 2 Apr 2026 23:52:53 -0700
 Subject: [PATCH] Avoid implicit pointer sign conversions
@@ -35,7 +35,7 @@ All other changes simply make explicit the conversions among pointers
 to character types already being done. These implicit conversions
 are constraint violations in ISO C.
 ---
- apps/openssl/ca.c              |  6 +++---
+ apps/openssl/ca.c              |  7 ++++---
  apps/openssl/cms.c             |  2 +-
  apps/openssl/s_client.c        |  4 ++--
  crypto/asn1/a_object.c         | 12 ++++++------
@@ -67,44 +67,45 @@ are constraint violations in ISO C.
  ssl/tls13_lib.c                |  3 ++-
  ssl/tls13_record_layer.c       |  2 +-
  ssl/tls13_server.c             | 10 +++++-----
- 32 files changed, 95 insertions(+), 85 deletions(-)
+ 32 files changed, 96 insertions(+), 85 deletions(-)
 
 diff --git a/apps/openssl/ca.c b/apps/openssl/ca.c
-index b644b74..0d78f63 100644
+index a2e8a6836..5505983ff 100644
 --- a/apps/openssl/ca.c
 +++ b/apps/openssl/ca.c
-@@ -2153,7 +2153,7 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
+@@ -2197,7 +2197,7 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
  
  	if ((tm = X509_get_notAfter(ret)) == NULL)
  		goto err;
--	row[DB_exp_date] = strndup(tm->data, tm->length);
-+	row[DB_exp_date] = strndup((char *)tm->data, tm->length);
+-	row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm),
++	row[DB_exp_date] = strndup((char *)ASN1_STRING_get0_data(tm),
+ 	    ASN1_STRING_length(tm));
  	if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
  		BIO_printf(bio_err, "Memory allocation failure\n");
- 		goto err;
-@@ -2280,7 +2280,7 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
+@@ -2325,7 +2325,7 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
  
  		if ((tm = X509_get_notAfter(x509)) == NULL)
  			goto err;
--		row[DB_exp_date] = strndup(tm->data, tm->length);
-+		row[DB_exp_date] = strndup((char *)tm->data, tm->length);
+-		row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm),
++		row[DB_exp_date] = strndup((char *)ASN1_STRING_get0_data(tm),
+ 		    ASN1_STRING_length(tm));
  		if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
  			BIO_printf(bio_err, "Memory allocation failure\n");
- 			goto err;
-@@ -2443,7 +2443,7 @@ do_updatedb(CA_DB *db)
+@@ -2489,7 +2489,8 @@ do_updatedb(CA_DB *db)
  		cnt = -1;
  		goto err;
  	}
--	a_tm_s = strndup(a_tm->data, a_tm->length);
-+	a_tm_s = strndup((char *)a_tm->data, a_tm->length);
+-	a_tm_s = strndup(ASN1_STRING_get0_data(a_tm), ASN1_STRING_length(a_tm));
++	a_tm_s = strndup((char *)ASN1_STRING_get0_data(a_tm),
++	    ASN1_STRING_length(a_tm));
  	if (a_tm_s == NULL) {
  		cnt = -1;
  		goto err;
 diff --git a/apps/openssl/cms.c b/apps/openssl/cms.c
-index 458ddb0..26197ea 100644
+index 7430f4c93..a63d6e453 100644
 --- a/apps/openssl/cms.c
 +++ b/apps/openssl/cms.c
-@@ -1530,7 +1530,7 @@ cms_main(int argc, char **argv)
+@@ -1512,7 +1512,7 @@ cms_main(int argc, char **argv)
  			cfg.secret_keyid = NULL;
  		}
  		if (cfg.pwri_pass != NULL) {
@@ -114,10 +115,10 @@ index 458ddb0..26197ea 100644
  				goto end;
  			if (CMS_add0_recipient_password(cms, -1, NID_undef,
 diff --git a/apps/openssl/s_client.c b/apps/openssl/s_client.c
-index 84718c1..90c203e 100644
+index 2b05facc1..d12423d0f 100644
 --- a/apps/openssl/s_client.c
 +++ b/apps/openssl/s_client.c
-@@ -193,7 +193,7 @@ static struct {
+@@ -194,7 +194,7 @@ static struct {
  	char *cert_file;
  	int cert_format;
  	char *cipher;
@@ -126,7 +127,7 @@ index 84718c1..90c203e 100644
  	char *connect;
  	int crlf;
  	int debug;
-@@ -214,7 +214,7 @@ static struct {
+@@ -215,7 +215,7 @@ static struct {
  	int nbio_test;
  	int no_servername;
  	char *npn_in;
@@ -136,7 +137,7 @@ index 84718c1..90c203e 100644
  	int peekaboo;
  	char *port;
 diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
-index 333ac60..25e7a2a 100644
+index 333ac6034..25e7a2ae6 100644
 --- a/crypto/asn1/a_object.c
 +++ b/crypto/asn1/a_object.c
 @@ -182,7 +182,7 @@ oid_add_arc_txt(CBB *cbb, uint64_t arc, int first)
@@ -194,7 +195,7 @@ index 333ac60..25e7a2a 100644
   err:
  	CBB_cleanup(&cbb);
 diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
-index 3deff56..10634c0 100644
+index 3deff56ed..10634c067 100644
 --- a/crypto/asn1/a_time.c
 +++ b/crypto/asn1/a_time.c
 @@ -99,7 +99,7 @@ ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm)
@@ -207,7 +208,7 @@ index 3deff56..10634c0 100644
  	time(&now);
  	memset(tm, 0, sizeof(*tm));
 diff --git a/crypto/asn1/a_time_tm.c b/crypto/asn1/a_time_tm.c
-index dd28931..c0e0d62 100644
+index dd2893167..c0e0d6245 100644
 --- a/crypto/asn1/a_time_tm.c
 +++ b/crypto/asn1/a_time_tm.c
 @@ -96,7 +96,7 @@ tm_to_gentime(struct tm *tm, ASN1_TIME *atime)
@@ -298,7 +299,7 @@ index dd28931..c0e0d62 100644
  LCRYPTO_ALIAS(ASN1_GENERALIZEDTIME_check);
  
 diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c
-index 3f67320..40b09dc 100644
+index 3f673205c..40b09dc23 100644
 --- a/crypto/bio/b_dump.c
 +++ b/crypto/bio/b_dump.c
 @@ -86,7 +86,7 @@ BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
@@ -311,7 +312,7 @@ index 3f67320..40b09dc 100644
  	if (indent < 0)
  		indent = 0;
 diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c
-index 0fa6317..afcd6b2 100644
+index 0fa6317a2..afcd6b216 100644
 --- a/crypto/bio/bss_mem.c
 +++ b/crypto/bio/bss_mem.c
 @@ -84,7 +84,7 @@ bio_mem_pending(struct bio_mem *bm)
@@ -333,10 +334,10 @@ index 0fa6317..afcd6b2 100644
  		if (p[i] == '\n') {
  			i++;
 diff --git a/crypto/bn/bn_convert.c b/crypto/bn/bn_convert.c
-index ca5c7d7..60d0c86 100644
+index ab5bc519c..cb006a209 100644
 --- a/crypto/bn/bn_convert.c
 +++ b/crypto/bn/bn_convert.c
-@@ -253,7 +253,7 @@ BN_asc2bn(BIGNUM **bnp, const char *s)
+@@ -261,7 +261,7 @@ BN_asc2bn(BIGNUM **bnp, const char *s)
  	if ((s_len = strlen(s)) == 0)
  		return 0;
  
@@ -345,7 +346,7 @@ index ca5c7d7..60d0c86 100644
  
  	/* Handle negative sign. */
  	if (!CBS_peek_u8(&cbs, &v))
-@@ -365,7 +365,7 @@ BN_bn2dec(const BIGNUM *bn)
+@@ -373,7 +373,7 @@ BN_bn2dec(const BIGNUM *bn)
  	CBB_cleanup(&cbb);
  	freezero(data, data_len);
  
@@ -354,7 +355,7 @@ index ca5c7d7..60d0c86 100644
  }
  LCRYPTO_ALIAS(BN_bn2dec);
  
-@@ -468,7 +468,7 @@ BN_dec2bn(BIGNUM **bnp, const char *s)
+@@ -476,7 +476,7 @@ BN_dec2bn(BIGNUM **bnp, const char *s)
  	if ((s_len = strlen(s)) == 0)
  		return 0;
  
@@ -363,7 +364,7 @@ index ca5c7d7..60d0c86 100644
  
  	return bn_dec2bn_cbs(bnp, &cbs);
  }
-@@ -669,7 +669,7 @@ BN_hex2bn(BIGNUM **bnp, const char *s)
+@@ -677,7 +677,7 @@ BN_hex2bn(BIGNUM **bnp, const char *s)
  	if ((s_len = strlen(s)) == 0)
  		return 0;
  
@@ -373,7 +374,7 @@ index ca5c7d7..60d0c86 100644
  	return bn_hex2bn_cbs(bnp, &cbs);
  }
 diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
-index cd8b663..6557324 100644
+index cd8b66360..655732413 100644
 --- a/crypto/bn/bn_print.c
 +++ b/crypto/bn/bn_print.c
 @@ -82,7 +82,7 @@ bn_print_bignum(BIO *bio, const BIGNUM *bn, int indent)
@@ -386,7 +387,7 @@ index cd8b663..6557324 100644
  	if (BN_is_negative(bn)) {
  		if (BIO_printf(bio, " (Negative)") <= 0)
 diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c
-index cde2f6c..9f8b13e 100644
+index cde2f6c64..9f8b13ed1 100644
 --- a/crypto/evp/e_sm4.c
 +++ b/crypto/evp/e_sm4.c
 @@ -237,9 +237,11 @@ sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
@@ -403,7 +404,7 @@ index cde2f6c..9f8b13e 100644
  }
  
 diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
-index 460c1bc..15a70b1 100644
+index 460c1bce5..15a70b1c5 100644
 --- a/crypto/ocsp/ocsp_cl.c
 +++ b/crypto/ocsp/ocsp_cl.c
 @@ -410,7 +410,7 @@ OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
@@ -425,7 +426,7 @@ index 460c1bc..15a70b1 100644
  		OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
  		return 0;
 diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c
-index f2e1780..cb6b2e8 100644
+index f2e17806d..cb6b2e84f 100644
 --- a/crypto/pkcs7/pk7_attr.c
 +++ b/crypto/pkcs7/pk7_attr.c
 @@ -192,7 +192,7 @@ PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t)
@@ -438,7 +439,7 @@ index f2e1780..cb6b2e8 100644
  	if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, tm->type, tm))
  		goto err;
 diff --git a/crypto/x509/x509_addr.c b/crypto/x509/x509_addr.c
-index b4ee92a..615375d 100644
+index b4ee92a14..615375dd6 100644
 --- a/crypto/x509/x509_addr.c
 +++ b/crypto/x509/x509_addr.c
 @@ -1875,7 +1875,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
@@ -451,7 +452,7 @@ index b4ee92a..615375d 100644
  
  	/* We need a non-empty chain to test against. */
 diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c
-index 0773d2b..673a159 100644
+index c4f32c9cf..597fdde06 100644
 --- a/crypto/x509/x509_constraints.c
 +++ b/crypto/x509/x509_constraints.c
 @@ -347,7 +347,7 @@ x509_constraints_parse_mailbox(CBS *candidate,
@@ -492,7 +493,7 @@ index 0773d2b..673a159 100644
  	if (!x509_constraints_valid_host(&host_cbs, 1))
  		return 0;
  	if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart))
-@@ -648,8 +648,8 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint,
+@@ -667,8 +667,8 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint,
  		*error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
  		goto err;
  	}
@@ -503,7 +504,7 @@ index 0773d2b..673a159 100644
   err:
  	free(hostpart);
  	return ret;
-@@ -999,7 +999,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
+@@ -1018,7 +1018,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  	case GEN_DNS:
  		if (!x509_constraints_valid_domain_constraint(&cbs))
  			goto err;
@@ -512,7 +513,7 @@ index 0773d2b..673a159 100644
  			error = X509_V_ERR_OUT_OF_MEM;
  			goto err;
  		}
-@@ -1045,7 +1045,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
+@@ -1064,7 +1064,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  	case GEN_URI:
  		if (!x509_constraints_valid_domain_constraint(&cbs))
  			goto err;
@@ -522,7 +523,7 @@ index 0773d2b..673a159 100644
  			goto err;
  		}
 diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
-index db1741c..43afeb8 100644
+index db1741cc9..43afeb8cf 100644
 --- a/crypto/x509/x509_obj.c
 +++ b/crypto/x509/x509_obj.c
 @@ -78,13 +78,13 @@ X509_NAME_ENTRY_add_object_cbb(CBB *cbb, const ASN1_OBJECT *aobj)
@@ -555,10 +556,10 @@ index db1741c..43afeb8 100644
  
  	return buf;
 diff --git a/crypto/x509/x509_utl.c b/crypto/x509/x509_utl.c
-index 4be8630..0960fc9 100644
+index 2e60834ed..0746ac0c5 100644
 --- a/crypto/x509/x509_utl.c
 +++ b/crypto/x509/x509_utl.c
-@@ -508,7 +508,7 @@ hex_to_string(const unsigned char *buffer, long len)
+@@ -504,7 +504,7 @@ hex_to_string(const unsigned char *buffer, long len)
   err:
  	CBB_cleanup(&cbb);
  
@@ -567,7 +568,7 @@ index 4be8630..0960fc9 100644
  }
  LCRYPTO_ALIAS(hex_to_string);
  
-@@ -573,7 +573,7 @@ string_to_hex(const char *str, long *len)
+@@ -569,7 +569,7 @@ string_to_hex(const char *str, long *len)
  		goto err;
  	}
  
@@ -576,7 +577,7 @@ index 4be8630..0960fc9 100644
  	while (CBS_len(&cbs) > 0) {
  		/*
  		 * Skipping only a single colon between two pairs of digits
-@@ -817,7 +817,7 @@ equal_nocase(const unsigned char *pattern, size_t pattern_len,
+@@ -813,7 +813,7 @@ equal_nocase(const unsigned char *pattern, size_t pattern_len,
  	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
  	if (pattern_len != subject_len)
  		return 0;
@@ -585,7 +586,7 @@ index 4be8630..0960fc9 100644
  }
  
  /* Compare using strncmp. */
-@@ -832,7 +832,7 @@ equal_case(const unsigned char *pattern, size_t pattern_len,
+@@ -828,7 +828,7 @@ equal_case(const unsigned char *pattern, size_t pattern_len,
  	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
  	if (pattern_len != subject_len)
  		return 0;
@@ -595,7 +596,7 @@ index 4be8630..0960fc9 100644
  
  /*
 diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c
-index f25e2b3..c52be9e 100644
+index fc3fbc14d..95c6cf359 100644
 --- a/crypto/x509/x509_verify.c
 +++ b/crypto/x509/x509_verify.c
 @@ -55,7 +55,8 @@ x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notAfter,
@@ -609,7 +610,7 @@ index f25e2b3..c52be9e 100644
  		return 0;
  
 diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c
-index 9a582d3..20498dd 100644
+index e60d8b7a3..5fc4d2ee0 100644
 --- a/crypto/x509/x509name.c
 +++ b/crypto/x509/x509name.c
 @@ -107,7 +107,8 @@ X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf,
@@ -623,10 +624,10 @@ index 9a582d3..20498dd 100644
  		/* It must be a C string */
  		buf[text_len] = '\0';
 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 86b32ae..e760c0b 100644
+index bcf26bec4..431af32f2 100644
 --- a/ssl/s3_lib.c
 +++ b/ssl/s3_lib.c
-@@ -1548,7 +1548,7 @@ _SSL_set_tlsext_host_name(SSL *s, const char *name)
+@@ -1551,7 +1551,7 @@ _SSL_set_tlsext_host_name(SSL *s, const char *name)
  	if (name == NULL)
  		return 1;
  
@@ -636,10 +637,10 @@ index 86b32ae..e760c0b 100644
  	if (!tlsext_sni_is_valid_hostname(&cbs, &is_ip)) {
  		SSLerror(s, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
 diff --git a/ssl/ssl_clnt.c b/ssl/ssl_clnt.c
-index 0d3dcf7..9a59d98 100644
+index 6ef81a170..ffc55e5f9 100644
 --- a/ssl/ssl_clnt.c
 +++ b/ssl/ssl_clnt.c
-@@ -2330,7 +2330,7 @@ ssl3_send_client_change_cipher_spec(SSL *s)
+@@ -2337,7 +2337,7 @@ ssl3_send_client_change_cipher_spec(SSL *s)
  	memset(&cbb, 0, sizeof(cbb));
  
  	if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) {
@@ -649,7 +650,7 @@ index 0d3dcf7..9a59d98 100644
  			goto err;
  		if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 630724e..32ab533 100644
+index 630724e67..32ab5332a 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
 @@ -2004,12 +2004,12 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t out_len,
@@ -670,10 +671,10 @@ index 630724e..32ab533 100644
  LSSL_ALIAS(SSL_export_keying_material);
  
 diff --git a/ssl/ssl_srvr.c b/ssl/ssl_srvr.c
-index db4ba38..4dfaaf5 100644
+index af4b20f6c..e877bb3f9 100644
 --- a/ssl/ssl_srvr.c
 +++ b/ssl/ssl_srvr.c
-@@ -2371,7 +2371,7 @@ ssl3_send_server_change_cipher_spec(SSL *s)
+@@ -2378,7 +2378,7 @@ ssl3_send_server_change_cipher_spec(SSL *s)
  	memset(&cbb, 0, sizeof(cbb));
  
  	if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) {
@@ -683,7 +684,7 @@ index db4ba38..4dfaaf5 100644
  			goto err;
  		if (!CBB_add_u8(&cbb, SSL3_MT_CCS))
 diff --git a/ssl/ssl_tlsext.c b/ssl/ssl_tlsext.c
-index 311c29b..e1c9b3c 100644
+index d879b3304..2b75b0fbb 100644
 --- a/ssl/ssl_tlsext.c
 +++ b/ssl/ssl_tlsext.c
 @@ -808,7 +808,8 @@ tlsext_sni_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
@@ -697,7 +698,7 @@ index 311c29b..e1c9b3c 100644
  			*alert = SSL_AD_UNRECOGNIZED_NAME;
  			goto err;
 diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
-index 4ed76c9..1ad3b92 100644
+index 4ed76c95a..1ad3b9255 100644
 --- a/ssl/ssl_txt.c
 +++ b/ssl/ssl_txt.c
 @@ -170,8 +170,8 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
@@ -712,10 +713,10 @@ index 4ed76c9..1ad3b92 100644
  	}
  
 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 57cd180..9797aab 100644
+index 912bea592..c93107383 100644
 --- a/ssl/t1_lib.c
 +++ b/ssl/t1_lib.c
-@@ -1018,6 +1018,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
+@@ -1014,6 +1014,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
  	EVP_CIPHER_CTX *cctx = NULL;
  	SSL_CTX *tctx = s->initial_ctx;
  	int slen, hlen, iv_len;
@@ -723,7 +724,7 @@ index 57cd180..9797aab 100644
  	int alert_desc = SSL_AD_INTERNAL_ERROR;
  	int ret = TLS1_TICKET_FATAL_ERROR;
  
-@@ -1112,8 +1113,9 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
+@@ -1108,8 +1109,9 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess)
  	if (HMAC_Update(hctx, CBS_data(&ticket_encdata),
  	    CBS_len(&ticket_encdata)) <= 0)
  		goto err;
@@ -735,10 +736,10 @@ index 57cd180..9797aab 100644
  	if (!CBS_mem_equal(&ticket_hmac, hmac, hlen))
  		goto derr;
 diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
-index 901b38f..414c9cb 100644
+index 21d396079..a837b85fe 100644
 --- a/ssl/tls13_client.c
 +++ b/ssl/tls13_client.c
-@@ -656,7 +656,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
+@@ -668,7 +668,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
  	    sizeof(tls13_cert_verify_pad)))
  		goto err;
  	if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context,
@@ -747,7 +748,7 @@ index 901b38f..414c9cb 100644
  		goto err;
  	if (!CBB_add_u8(&cbb, 0))
  		goto err;
-@@ -710,7 +710,7 @@ int
+@@ -722,7 +722,7 @@ int
  tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
  {
  	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
@@ -756,7 +757,7 @@ index 901b38f..414c9cb 100644
  	struct tls13_secret finished_key;
  	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
  	size_t transcript_hash_len;
-@@ -932,7 +932,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
+@@ -944,7 +944,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
  	    sizeof(tls13_cert_verify_pad)))
  		goto err;
  	if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context,
@@ -765,7 +766,7 @@ index 901b38f..414c9cb 100644
  		goto err;
  	if (!CBB_add_u8(&sig_cbb, 0))
  		goto err;
-@@ -993,7 +993,7 @@ int
+@@ -1005,7 +1005,7 @@ int
  tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
  {
  	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
@@ -775,7 +776,7 @@ index 901b38f..414c9cb 100644
  	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
  	size_t transcript_hash_len;
 diff --git a/ssl/tls13_key_schedule.c b/ssl/tls13_key_schedule.c
-index 05bcf0f..19afc79 100644
+index 05bcf0f00..19afc7999 100644
 --- a/ssl/tls13_key_schedule.c
 +++ b/ssl/tls13_key_schedule.c
 @@ -160,8 +160,8 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
@@ -826,10 +827,10 @@ index 05bcf0f..19afc79 100644
  	}
  
 diff --git a/ssl/tls13_legacy.c b/ssl/tls13_legacy.c
-index 6c33ecc..481ca9e 100644
+index 6a06330b2..220999745 100644
 --- a/ssl/tls13_legacy.c
 +++ b/ssl/tls13_legacy.c
-@@ -360,7 +360,7 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
+@@ -359,7 +359,7 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
  	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
  	if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs)))
  		goto err;
@@ -839,7 +840,7 @@ index 6c33ecc..481ca9e 100644
  		goto err;
  
 diff --git a/ssl/tls13_lib.c b/ssl/tls13_lib.c
-index c3470b2..5d9f159 100644
+index c3470b293..5d9f15950 100644
 --- a/ssl/tls13_lib.c
 +++ b/ssl/tls13_lib.c
 @@ -378,7 +378,8 @@ tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs)
@@ -853,7 +854,7 @@ index c3470b2..5d9f159 100644
  
  	memset(&nonce, 0, sizeof(nonce));
 diff --git a/ssl/tls13_record_layer.c b/ssl/tls13_record_layer.c
-index f5604ad..9bdd61c 100644
+index f5604adbe..9bdd61c91 100644
 --- a/ssl/tls13_record_layer.c
 +++ b/ssl/tls13_record_layer.c
 @@ -467,7 +467,7 @@ static int
@@ -866,7 +867,7 @@ index f5604ad..9bdd61c 100644
  	int ret = 0;
  
 diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
-index 650fd13..184b3d3 100644
+index 604dab4cb..2beb72636 100644
 --- a/ssl/tls13_server.c
 +++ b/ssl/tls13_server.c
 @@ -728,7 +728,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)

pkg/libressl/sha256

@@ -1 +1 @@
-6d5c2f58583588ea791f4c8645004071d00dfa554a5bf788a006ca1eb5abd70b  libressl-4.2.1.tar.gz
+c2db42ace14e7d5419826fab35a742ec6e4d12725a051a51d0cea3c10ba0fa50  libressl-4.3.1.tar.gz

pkg/libressl/url

@@ -1 +1 @@
-url = "https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-4.2.1.tar.gz"
+url = "https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-4.3.1.tar.gz"

pkg/libressl/ver

@@ -1 +1 @@
-4.2.1 r0
+4.3.1 r0