diff --git a/README.md b/README.md
index ef1b432f..779bed26 100644
--- a/README.md
+++ b/README.md
@@ -7,9 +7,9 @@ The `go-libtor` project is a self-contained, fully statically linked Tor library
 | Library  | Version | Commit |
 |:-:|:-:|:-:|
 | zlib | 1.2.12 | [`21767c654d31d2dccdde4330529775c6c5fd5389`](https://github.com/madler/zlib/commit/21767c654d31d2dccdde4330529775c6c5fd5389) |
-| libevent | 2.2.0-alpha-dev | [`21e2862689edc59b6265998c4a1a2729552ab0b1`](https://github.com/libevent/libevent/commit/21e2862689edc59b6265998c4a1a2729552ab0b1) |
-| openssl | 1.1.1-stable | [`564a8d442cbd8ce68d452ff2e8a58c0aea6b0632`](https://github.com/openssl/openssl/commit/564a8d442cbd8ce68d452ff2e8a58c0aea6b0632) |
-| tor | 0.4.6.10-dev | [`18cc67f1614a3819b55883a421710a59a66c27a5`](https://gitweb.torproject.org/tor.git/commit/?id=18cc67f1614a3819b55883a421710a59a66c27a5) |
+| libevent | 2.2.0-alpha-dev | [`b19af675c7601a7867f26c33072cda7ea125adb2`](https://github.com/libevent/libevent/commit/b19af675c7601a7867f26c33072cda7ea125adb2) |
+| openssl | 1.1.1-stable | [`9eae491721209f302a9a475bffd271370e8bcb8f`](https://github.com/openssl/openssl/commit/9eae491721209f302a9a475bffd271370e8bcb8f) |
+| tor | 0.4.6.12-dev | [`e7dddda9c155bc91ef87dc6cb0600f6986e63b52`](https://gitweb.torproject.org/tor.git/commit/?id=e7dddda9c155bc91ef87dc6cb0600f6986e63b52) |
 
 The library is currently supported on:
 
diff --git a/darwin/libevent/buffer.c b/darwin/libevent/buffer.c
index 6c96f054..825f6a29 100644
--- a/darwin/libevent/buffer.c
+++ b/darwin/libevent/buffer.c
@@ -1668,7 +1668,7 @@ evbuffer_search_eol(struct evbuffer *buffer,
 		if (evbuffer_strchr(&it, '\n') < 0)
 			goto done;
 		extra_drain = 1;
-		/* ... optionally preceeded by a CR. */
+		/* ... optionally preceded by a CR. */
 		if (it.pos == start_pos)
 			break; /* If the first character is \n, don't back up */
 		/* This potentially does an extra linear walk over the first
@@ -3080,7 +3080,11 @@ evbuffer_file_segment_materialize(struct evbuffer_file_segment *seg)
 			offset_leftover = offset % page_size;
 			offset_rounded = offset - offset_leftover;
 		}
+#if defined(EVENT__HAVE_MMAP64)
+		mapped = mmap64(NULL, length + offset_leftover,
+#else
 		mapped = mmap(NULL, length + offset_leftover,
+#endif
 		    PROT_READ,
 #ifdef MAP_NOCACHE
 		    MAP_NOCACHE | /* ??? */
diff --git a/darwin/libevent/buffer_iocp.c b/darwin/libevent/buffer_iocp.c
index 2af0c49c..77619760 100644
--- a/darwin/libevent/buffer_iocp.c
+++ b/darwin/libevent/buffer_iocp.c
@@ -69,7 +69,7 @@ struct evbuffer_overlapped {
 	WSABUF buffers[MAX_WSABUFS];
 };
 
-/** Given an evbuffer, return the correponding evbuffer structure, or NULL if
+/** Given an evbuffer, return the corresponding evbuffer structure, or NULL if
  * the evbuffer isn't overlapped. */
 static inline struct evbuffer_overlapped *
 upcast_evbuffer(struct evbuffer *buf)
diff --git a/darwin/libevent/bufferevent-internal.h b/darwin/libevent/bufferevent-internal.h
index 3ad0acf0..8db48d12 100644
--- a/darwin/libevent/bufferevent-internal.h
+++ b/darwin/libevent/bufferevent-internal.h
@@ -485,8 +485,8 @@ bufferevent_socket_set_conn_address_(struct bufferevent *bev, struct sockaddr *a
 #define BEV_UPCAST(b) EVUTIL_UPCAST((b), struct bufferevent_private, bev)
 
 #ifdef EVENT__DISABLE_THREAD_SUPPORT
-#define BEV_LOCK(b) EVUTIL_NIL_STMT_
-#define BEV_UNLOCK(b) EVUTIL_NIL_STMT_
+#define BEV_LOCK(b) (void)(b)
+#define BEV_UNLOCK(b) (void)(b)
 #else
 /** Internal: Grab the lock (if any) on a bufferevent */
 #define BEV_LOCK(b) do {						\
diff --git a/darwin/libevent/bufferevent.c b/darwin/libevent/bufferevent.c
index 53d3a995..79f76f4e 100644
--- a/darwin/libevent/bufferevent.c
+++ b/darwin/libevent/bufferevent.c
@@ -501,7 +501,7 @@ bufferevent_enable(struct bufferevent *bufev, short event)
 	if (impl_events && bufev->be_ops->enable(bufev, impl_events) < 0)
 		r = -1;
 	if (r)
-		event_debug(("%s: cannot enable 0x%hx on %p", __func__, event, bufev));
+		event_debug(("%s: cannot enable 0x%hx on %p", __func__, event, (void *)bufev));
 
 	bufferevent_decref_and_unlock_(bufev);
 	return r;
@@ -585,7 +585,7 @@ bufferevent_disable(struct bufferevent *bufev, short event)
 	if (bufev->be_ops->disable(bufev, event) < 0)
 		r = -1;
 	if (r)
-		event_debug(("%s: cannot disable 0x%hx on %p", __func__, event, bufev));
+		event_debug(("%s: cannot disable 0x%hx on %p", __func__, event, (void *)bufev));
 
 	BEV_UNLOCK(bufev);
 	return r;
@@ -876,7 +876,7 @@ bufferevent_setfd(struct bufferevent *bev, evutil_socket_t fd)
 	if (bev->be_ops->ctrl)
 		res = bev->be_ops->ctrl(bev, BEV_CTRL_SET_FD, &d);
 	if (res)
-		event_debug(("%s: cannot set fd for %p to "EV_SOCK_FMT, __func__, bev, fd));
+		event_debug(("%s: cannot set fd for %p to "EV_SOCK_FMT, __func__, (void *)bev, fd));
 	BEV_UNLOCK(bev);
 	return res;
 }
@@ -903,7 +903,7 @@ bufferevent_replacefd(struct bufferevent *bev, evutil_socket_t fd)
 		}
 	}
 	if (err)
-		event_debug(("%s: cannot replace fd for %p from "EV_SOCK_FMT" to "EV_SOCK_FMT, __func__, bev, old_fd, fd));
+		event_debug(("%s: cannot replace fd for %p from "EV_SOCK_FMT" to "EV_SOCK_FMT, __func__, (void *)bev, old_fd, fd));
 	BEV_UNLOCK(bev);
 
 	return err;
@@ -919,7 +919,7 @@ bufferevent_getfd(struct bufferevent *bev)
 	if (bev->be_ops->ctrl)
 		res = bev->be_ops->ctrl(bev, BEV_CTRL_GET_FD, &d);
 	if (res)
-		event_debug(("%s: cannot get fd for %p", __func__, bev));
+		event_debug(("%s: cannot get fd for %p", __func__, (void *)bev));
 	BEV_UNLOCK(bev);
 	return (res<0) ? -1 : d.fd;
 }
diff --git a/darwin/libevent/bufferevent_mbedtls.c b/darwin/libevent/bufferevent_mbedtls.c
index f42da2ae..ca96f723 100644
--- a/darwin/libevent/bufferevent_mbedtls.c
+++ b/darwin/libevent/bufferevent_mbedtls.c
@@ -24,8 +24,15 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+
+/* Mbed-TLS 3.x does not currently expose a function to retrieve
+   the bio parameters from the SSL object. When the above issue has been
+   fixed, remove the MBEDTLS_ALLOW_PRIVATE_ACCESS define and use the
+   appropriate getter function in bufferevent_mbedtls_socket_new rather than
+   accessing the struct fields directly. */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include "mbedtls-compat.h"
-#include <mbedtls/config.h>
+#include <mbedtls/version.h>
 #include <mbedtls/ssl.h>
 #include <mbedtls/error.h>
 
diff --git a/darwin/libevent/bufferevent_openssl.c b/darwin/libevent/bufferevent_openssl.c
index 6ace1e3a..c74a76e4 100644
--- a/darwin/libevent/bufferevent_openssl.c
+++ b/darwin/libevent/bufferevent_openssl.c
@@ -259,7 +259,9 @@ conn_closed(struct bufferevent_ssl *bev_ssl, int when, int errcode, int ret)
 		bufferevent_ssl_put_error(bev_ssl, errcode);
 		break;
 	case SSL_ERROR_SSL:
-		/* Protocol error. */
+		/* Protocol error; possibly a dirty shutdown. */
+		if (ret == 0 && SSL_is_init_finished(bev_ssl->ssl) == 0)
+			dirty_shutdown = 1;
 		bufferevent_ssl_put_error(bev_ssl, errcode);
 		break;
 	case SSL_ERROR_WANT_X509_LOOKUP:
@@ -475,7 +477,7 @@ bufferevent_openssl_socket_new(struct event_base *base,
 			   This is probably an error on our part.  Fail. */
 			goto err;
 		}
-		BIO_set_close(bio, 0);
+		(void)BIO_set_close(bio, 0);
 	} else {
 		/* The SSL isn't configured with a BIO with an fd. */
 		if (fd >= 0) {
diff --git a/darwin/libevent/bufferevent_ratelim.c b/darwin/libevent/bufferevent_ratelim.c
index 3b7ae51b..1fed9d15 100644
--- a/darwin/libevent/bufferevent_ratelim.c
+++ b/darwin/libevent/bufferevent_ratelim.c
@@ -76,7 +76,7 @@ ev_token_bucket_update_(struct ev_token_bucket *bucket,
     ev_uint32_t current_tick)
 {
 	/* It's okay if the tick number overflows, since we'll just
-	 * wrap around when we do the unsigned substraction. */
+	 * wrap around when we do the unsigned subtraction. */
 	unsigned n_ticks = current_tick - bucket->last_updated;
 
 	/* Make sure some ticks actually happened, and that time didn't
diff --git a/darwin/libevent/config.h b/darwin/libevent/config.h
index f49ac73c..a0902d84 100644
--- a/darwin/libevent/config.h
+++ b/darwin/libevent/config.h
@@ -156,6 +156,9 @@
 /* Define to 1 if you have the `mmap' function. */
 #define HAVE_MMAP 1
 
+/* Define to 1 if you have the `mmap64' function. */
+/* #undef HAVE_MMAP64 */
+
 /* Define to 1 if you have the `nanosleep' function. */
 #define HAVE_NANOSLEEP 1
 
diff --git a/darwin/libevent/evdns.c b/darwin/libevent/evdns.c
index ee06fdda..684582f9 100644
--- a/darwin/libevent/evdns.c
+++ b/darwin/libevent/evdns.c
@@ -122,8 +122,8 @@
 #define EVDNS_LOG_WARN EVENT_LOG_WARN
 #define EVDNS_LOG_MSG EVENT_LOG_MSG
 
-#ifndef HOST_NAME_MAX
-#define HOST_NAME_MAX 255
+#ifndef EVDNS_NAME_MAX
+#define EVDNS_NAME_MAX 255
 #endif
 
 #include <stdio.h>
@@ -854,7 +854,7 @@ request_finished(struct request *const req, struct request **head, int free_hand
 	if (head)
 		evdns_request_remove(req, head);
 
-	log(EVDNS_LOG_DEBUG, "Removing timeout for request %p", req);
+	log(EVDNS_LOG_DEBUG, "Removing timeout for request %p", (void *)req);
 	if (was_inflight) {
 		evtimer_del(&req->timeout_event);
 		base->global_requests_inflight--;
@@ -1350,7 +1350,7 @@ reply_parse(struct evdns_base *base, u8 *packet, int length)
 	 * to parse the response. To simplify things let's just allocate
 	 * a little bit more to avoid complex evaluations.
 	 */
-	buf_size = MAX(length - j, HOST_NAME_MAX);
+	buf_size = MAX(length - j, EVDNS_NAME_MAX);
 	reply.data.raw = mm_malloc(buf_size);
 
 	/* now we have the answer section which looks like
@@ -1394,7 +1394,7 @@ reply_parse(struct evdns_base *base, u8 *packet, int length)
 			reply.have_answer = 1;
 			break;
 		} else if (type == TYPE_CNAME) {
-			char cname[HOST_NAME_MAX];
+			char cname[EVDNS_NAME_MAX];
 			if (name_parse(packet, length, &j, cname,
 				sizeof(cname))<0)
 				goto err;
@@ -1755,7 +1755,7 @@ server_send_response(struct evdns_server_port *port, struct server_request *req)
 	}
 
 beferevent_error:
-	log(EVDNS_LOG_WARN, "Failed to send reply to request %p for client %p", req, req->client);
+	log(EVDNS_LOG_WARN, "Failed to send reply to request %p for client %p", (void *)req, (void *)req->client);
 	/* disconnect if we got bufferevent error */
 	evdns_remove_tcp_client(port, req->client);
 	return -1;
@@ -2196,7 +2196,7 @@ server_tcp_read_packet_cb(struct bufferevent *bev, void *ctx)
 
 	while (1) {
 		if (tcp_read_message(conn, &msg, &msg_len)) {
-			log(EVDNS_LOG_MSG, "Closing client connection %p due to error", bev);
+			log(EVDNS_LOG_MSG, "Closing client connection %p due to error", (void *)bev);
 			evdns_remove_tcp_client(port, client);
 			rc = port->refcnt;
 			EVDNS_UNLOCK(port);
@@ -2230,7 +2230,7 @@ server_tcp_event_cb(struct bufferevent *bev, short events, void *ctx)
 	EVUTIL_ASSERT(port && bev);
 	EVDNS_LOCK(port);
 	if (events & (BEV_EVENT_EOF | BEV_EVENT_ERROR | BEV_EVENT_TIMEOUT)) {
-		log(EVDNS_LOG_DEBUG, "Closing connection %p", bev);
+		log(EVDNS_LOG_DEBUG, "Closing connection %p", (void *)bev);
 		evdns_remove_tcp_client(port, client);
 	}
 	rc = port->refcnt;
@@ -2250,7 +2250,7 @@ incoming_conn_cb(struct evconnlistener *listener, evutil_socket_t fd,
 
 	if (!bev)
 		goto error;
-	log(EVDNS_LOG_DEBUG, "New incoming client connection %p", bev);
+	log(EVDNS_LOG_DEBUG, "New incoming client connection %p", (void *)bev);
 
 	bufferevent_set_timeouts(bev, &port->tcp_idle_timeout, &port->tcp_idle_timeout);
 
@@ -2721,7 +2721,7 @@ retransmit_all_tcp_requests_for(struct nameserver *server)
 			if (req->ns == server && (req->handle->tcp_flags & DNS_QUERY_USEVC)) {
 				if (req->tx_count >= req->base->global_max_retransmits) {
 					log(EVDNS_LOG_DEBUG, "Giving up on request %p; tx_count==%d",
-						req, req->tx_count);
+						(void *)req, req->tx_count);
 					reply_schedule_callback(req, 0, DNS_ERR_TIMEOUT, NULL);
 					request_finished(req, &REQ_HEAD(req->base, req->trans_id), 1);
 				} else {
@@ -2843,7 +2843,7 @@ evdns_tcp_connect_if_disconnected(struct nameserver *server)
 		return 1;
 
 	conn->state = TS_CONNECTING;
-	log(EVDNS_LOG_DEBUG, "New tcp connection %p created", conn);
+	log(EVDNS_LOG_DEBUG, "New tcp connection %p created", (void *)conn);
 	return 0;
 }
 
@@ -2893,7 +2893,7 @@ client_tcp_event_cb(struct bufferevent *bev, short events, void *ctx) {
 	EVDNS_LOCK(server->base);
 	EVUTIL_ASSERT(conn && conn->bev == bev && bev);
 
-	log(EVDNS_LOG_DEBUG, "Event %d on connection %p", events, conn);
+	log(EVDNS_LOG_DEBUG, "Event %d on connection %p", events, (void *)conn);
 
 	if (events & (BEV_EVENT_TIMEOUT)) {
 		disconnect_and_free_connection(server->connection);
@@ -2931,7 +2931,7 @@ evdns_request_transmit_through_tcp(struct request *req, struct nameserver *serve
 	conn = server->connection;
 	bufferevent_setcb(conn->bev, client_tcp_read_packet_cb, NULL, client_tcp_event_cb, server);
 
-	log(EVDNS_LOG_DEBUG, "Sending request %p via tcp connection %p", req, conn);
+	log(EVDNS_LOG_DEBUG, "Sending request %p via tcp connection %p", (void *)req, (void *)conn);
 	packet_size = htons(req->request_len);
 	if (bufferevent_write(conn->bev, &packet_size, sizeof(packet_size)) )
 		goto fail;
@@ -2944,7 +2944,7 @@ evdns_request_transmit_through_tcp(struct request *req, struct nameserver *serve
 
 	return 0;
 fail:
-	log(EVDNS_LOG_WARN, "Failed to send request %p via tcp connection %p", req, conn);
+	log(EVDNS_LOG_WARN, "Failed to send request %p via tcp connection %p", (void *)req, (void *)conn);
 	disconnect_and_free_connection(server->connection);
 	server->connection = NULL;
 	return 2;
@@ -3006,11 +3006,11 @@ evdns_request_transmit(struct request *req) {
 	default:
 		/* all ok */
 		log(EVDNS_LOG_DEBUG,
-		    "Setting timeout for request %p, sent to nameserver %p", req, req->ns);
+		    "Setting timeout for request %p, sent to nameserver %p", (void *)req, (void *)req->ns);
 		if (evtimer_add(&req->timeout_event, &req->base->global_timeout) < 0) {
 			log(EVDNS_LOG_WARN,
 		      "Error from libevent when adding timer for request %p",
-			    req);
+			    (void *)req);
 			/* ???? Do more? */
 		}
 		req->tx_count++;
@@ -3290,7 +3290,7 @@ evdns_nameserver_add_impl_(struct evdns_base *base, const struct sockaddr *addre
 	}
 
 	log(EVDNS_LOG_DEBUG, "Added nameserver %s as %p",
-	    evutil_format_sockaddr_port_(address, addrbuf, sizeof(addrbuf)), ns);
+	    evutil_format_sockaddr_port_(address, addrbuf, sizeof(addrbuf)), (void *)ns);
 
 	/* insert this nameserver into the list of them */
 	if (!base->server_head) {
@@ -3982,7 +3982,7 @@ evdns_search_ndots_set(const int ndots) {
 
 static void
 search_set_from_hostname(struct evdns_base *base) {
-	char hostname[HOST_NAME_MAX + 1], *domainname;
+	char hostname[EVDNS_NAME_MAX + 1], *domainname;
 
 	ASSERT_LOCKED(base);
 	search_postfix_clear(base);
@@ -5670,7 +5670,7 @@ evdns_getaddrinfo(struct evdns_base *dns_base,
 
 	if (hints.ai_family != PF_INET6) {
 		log(EVDNS_LOG_DEBUG, "Sending request for %s on ipv4 as %p",
-		    nodename, &data->ipv4_request);
+		    nodename, (void *)&data->ipv4_request);
 
 		data->ipv4_request.r = evdns_base_resolve_ipv4(dns_base,
 		    nodename, 0, evdns_getaddrinfo_gotresolve,
@@ -5681,7 +5681,7 @@ evdns_getaddrinfo(struct evdns_base *dns_base,
 	}
 	if (hints.ai_family != PF_INET) {
 		log(EVDNS_LOG_DEBUG, "Sending request for %s on ipv6 as %p",
-		    nodename, &data->ipv6_request);
+		    nodename, (void *)&data->ipv6_request);
 
 		data->ipv6_request.r = evdns_base_resolve_ipv6(dns_base,
 		    nodename, 0, evdns_getaddrinfo_gotresolve,
diff --git a/darwin/libevent/event.c b/darwin/libevent/event.c
index 1fb437e9..56be024f 100644
--- a/darwin/libevent/event.c
+++ b/darwin/libevent/event.c
@@ -302,7 +302,7 @@ static void event_debug_note_add_(const struct event *ev)
 		    "%s: noting an add on a non-setup event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT
 		    ", flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -328,7 +328,7 @@ static void event_debug_note_del_(const struct event *ev)
 		    "%s: noting a del on a non-setup event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT
 		    ", flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -352,7 +352,7 @@ static void event_debug_assert_is_setup_(const struct event *ev)
 		    "%s called on a non-initialized event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT
 		    ", flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -373,7 +373,7 @@ static void event_debug_assert_not_added_(const struct event *ev)
 		    "%s called on an already added event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT", "
 		    "flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -1673,16 +1673,16 @@ event_process_active_single_queue(struct event_base *base,
 				event_del_nolock_(ev, EVENT_DEL_NOBLOCK);
 			event_debug((
 			    "event_process_active: event: %p, %s%s%scall %p",
-			    ev,
+			    (void *)ev,
 			    ev->ev_res & EV_READ ? "EV_READ " : " ",
 			    ev->ev_res & EV_WRITE ? "EV_WRITE " : " ",
 			    ev->ev_res & EV_CLOSED ? "EV_CLOSED " : " ",
-			    ev->ev_callback));
+			    (void *)ev->ev_callback));
 		} else {
 			event_queue_remove_active(base, evcb);
 			event_debug(("event_process_active: event_callback %p, "
 				"closure %d, call %p",
-				evcb, evcb->evcb_closure, evcb->evcb_cb_union.evcb_callback));
+				(void *)evcb, evcb->evcb_closure, (void *)evcb->evcb_cb_union.evcb_callback));
 		}
 
 		if (!(evcb->evcb_flags & EVLIST_INTERNAL))
@@ -2600,7 +2600,7 @@ event_remove_timer_nolock_(struct event *ev)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	event_debug_assert_is_setup_(ev);
 
-	event_debug(("event_remove_timer_nolock: event: %p", ev));
+	event_debug(("event_remove_timer_nolock: event: %p", (void *)ev));
 
 	/* If it's not pending on a timeout, we don't need to do anything. */
 	if (ev->ev_flags & EVLIST_TIMEOUT) {
@@ -2647,13 +2647,13 @@ event_add_nolock_(struct event *ev, const struct timeval *tv,
 
 	event_debug((
 		 "event_add: event: %p (fd "EV_SOCK_FMT"), %s%s%s%scall %p",
-		 ev,
+		 (void *)ev,
 		 EV_SOCK_ARG(ev->ev_fd),
 		 ev->ev_events & EV_READ ? "EV_READ " : " ",
 		 ev->ev_events & EV_WRITE ? "EV_WRITE " : " ",
 		 ev->ev_events & EV_CLOSED ? "EV_CLOSED " : " ",
 		 tv ? "EV_TIMEOUT " : " ",
-		 ev->ev_callback));
+		 (void *)ev->ev_callback));
 
 	EVUTIL_ASSERT(!(ev->ev_flags & ~EVLIST_ALL));
 
@@ -2767,7 +2767,7 @@ event_add_nolock_(struct event *ev, const struct timeval *tv,
 
 		event_debug((
 			 "event_add: event %p, timeout in %d seconds %d useconds, call %p",
-			 ev, (int)tv->tv_sec, (int)tv->tv_usec, ev->ev_callback));
+			 (void *)ev, (int)tv->tv_sec, (int)tv->tv_usec, (void *)ev->ev_callback));
 
 #ifdef USE_REINSERT_TIMEOUT
 		event_queue_reinsert_timeout(base, ev, was_common, common_timeout, old_timeout_idx);
@@ -2854,7 +2854,7 @@ event_del_nolock_(struct event *ev, int blocking)
 	int res = 0, notify = 0;
 
 	event_debug(("event_del: %p (fd "EV_SOCK_FMT"), callback %p",
-		ev, EV_SOCK_ARG(ev->ev_fd), ev->ev_callback));
+		(void *)ev, EV_SOCK_ARG(ev->ev_fd), (void *)ev->ev_callback));
 
 	/* An event without a base has not been added */
 	if (ev->ev_base == NULL)
@@ -2962,7 +2962,7 @@ event_active_nolock_(struct event *ev, int res, short ncalls)
 	struct event_base *base;
 
 	event_debug(("event_active: %p (fd "EV_SOCK_FMT"), res %d, callback %p",
-		ev, EV_SOCK_ARG(ev->ev_fd), (int)res, ev->ev_callback));
+		(void *)ev, EV_SOCK_ARG(ev->ev_fd), (int)res, (void *)ev->ev_callback));
 
 	base = ev->ev_base;
 	EVENT_BASE_ASSERT_LOCKED(base);
@@ -3211,7 +3211,7 @@ timeout_next(struct event_base *base, struct timeval **tv_p)
 
 	EVUTIL_ASSERT(tv->tv_sec >= 0);
 	EVUTIL_ASSERT(tv->tv_usec >= 0);
-	event_debug(("timeout_next: event: %p, in %d seconds, %d useconds", ev, (int)tv->tv_sec, (int)tv->tv_usec));
+	event_debug(("timeout_next: event: %p, in %d seconds, %d useconds", (void *)ev, (int)tv->tv_sec, (int)tv->tv_usec));
 
 out:
 	return (res);
@@ -3239,7 +3239,7 @@ timeout_process(struct event_base *base)
 		event_del_nolock_(ev, EVENT_DEL_NOBLOCK);
 
 		event_debug(("timeout_process: event: %p, call %p",
-			 ev, ev->ev_callback));
+			 (void *)ev, (void *)ev->ev_callback));
 		event_active_nolock_(ev, EV_TIMEOUT, 1);
 	}
 }
@@ -3267,7 +3267,7 @@ event_queue_remove_inserted(struct event_base *base, struct event *ev)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(ev->ev_flags & EVLIST_INSERTED))) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") not on queue %x", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_INSERTED);
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_INSERTED);
 		return;
 	}
 	DECR_EVENT_COUNT(base, ev->ev_flags);
@@ -3279,7 +3279,7 @@ event_queue_remove_active(struct event_base *base, struct event_callback *evcb)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(evcb->evcb_flags & EVLIST_ACTIVE))) {
 		event_errx(1, "%s: %p not on queue %x", __func__,
-			   evcb, EVLIST_ACTIVE);
+                          (void *)evcb, EVLIST_ACTIVE);
 		return;
 	}
 	DECR_EVENT_COUNT(base, evcb->evcb_flags);
@@ -3295,7 +3295,7 @@ event_queue_remove_active_later(struct event_base *base, struct event_callback *
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(evcb->evcb_flags & EVLIST_ACTIVE_LATER))) {
 		event_errx(1, "%s: %p not on queue %x", __func__,
-			   evcb, EVLIST_ACTIVE_LATER);
+                          (void *)evcb, EVLIST_ACTIVE_LATER);
 		return;
 	}
 	DECR_EVENT_COUNT(base, evcb->evcb_flags);
@@ -3310,7 +3310,7 @@ event_queue_remove_timeout(struct event_base *base, struct event *ev)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(ev->ev_flags & EVLIST_TIMEOUT))) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") not on queue %x", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_TIMEOUT);
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_TIMEOUT);
 		return;
 	}
 	DECR_EVENT_COUNT(base, ev->ev_flags);
@@ -3405,7 +3405,7 @@ event_queue_insert_inserted(struct event_base *base, struct event *ev)
 
 	if (EVUTIL_FAILURE_CHECK(ev->ev_flags & EVLIST_INSERTED)) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") already inserted", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd));
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd));
 		return;
 	}
 
@@ -3459,7 +3459,7 @@ event_queue_insert_timeout(struct event_base *base, struct event *ev)
 
 	if (EVUTIL_FAILURE_CHECK(ev->ev_flags & EVLIST_TIMEOUT)) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") already on timeout", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd));
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd));
 		return;
 	}
 
diff --git a/darwin/libevent/evthread-internal.h b/darwin/libevent/evthread-internal.h
index 83e409f0..2d926856 100644
--- a/darwin/libevent/evthread-internal.h
+++ b/darwin/libevent/evthread-internal.h
@@ -316,8 +316,8 @@ EVLOCK_TRY_LOCK_(void *lock)
 
 #define EVBASE_IN_THREAD(base)	1
 #define EVBASE_NEED_NOTIFY(base) 0
-#define EVBASE_ACQUIRE_LOCK(base, lock) EVUTIL_NIL_STMT_
-#define EVBASE_RELEASE_LOCK(base, lock) EVUTIL_NIL_STMT_
+#define EVBASE_ACQUIRE_LOCK(base, lock) (void)(base)
+#define EVBASE_RELEASE_LOCK(base, lock) (void)(base)
 #define EVLOCK_ASSERT_LOCKED(lock) EVUTIL_NIL_STMT_
 
 #define EVLOCK_TRY_LOCK_(lock) 1
diff --git a/darwin/libevent/http-internal.h b/darwin/libevent/http-internal.h
index a5844e1d..705daba2 100644
--- a/darwin/libevent/http-internal.h
+++ b/darwin/libevent/http-internal.h
@@ -128,6 +128,10 @@ TAILQ_HEAD(evconq, evhttp_connection);
 struct evhttp_bound_socket {
 	TAILQ_ENTRY(evhttp_bound_socket) next;
 
+	struct evhttp *http;
+	struct bufferevent* (*bevcb)(struct event_base *, void *);
+	void *bevcbarg;
+
 	struct evconnlistener *listener;
 };
 
diff --git a/darwin/libevent/http.c b/darwin/libevent/http.c
index 9cebbb7c..1421a8e6 100644
--- a/darwin/libevent/http.c
+++ b/darwin/libevent/http.c
@@ -197,7 +197,7 @@ static void evhttp_read_header(struct evhttp_connection *evcon,
 static int evhttp_add_header_internal(struct evkeyvalq *headers,
     const char *key, const char *value);
 static const char *evhttp_response_phrase_internal(int code);
-static void evhttp_get_request(struct evhttp *, evutil_socket_t, struct sockaddr *, ev_socklen_t);
+static void evhttp_get_request(struct evhttp *, evutil_socket_t, struct sockaddr *, ev_socklen_t, struct bufferevent *bev);
 static void evhttp_write_buffer(struct evhttp_connection *,
     void (*)(struct evhttp_connection *, void *), void *);
 static void evhttp_make_header(struct evhttp_connection *, struct evhttp_request *);
@@ -500,7 +500,8 @@ evhttp_make_header_request(struct evhttp_connection *evcon,
     struct evhttp_request *req)
 {
 	const char *method;
-	ev_uint16_t flags;
+	/* NOTE: some version of GCC reports a warning that flags may be uninitialized, hence assignment */
+	ev_uint16_t flags = 0;
 
 	evhttp_remove_header(req->output_headers, "Proxy-Connection");
 
@@ -1741,7 +1742,7 @@ evhttp_parse_http_version(const char *version, struct evhttp_request *req)
 	int n = sscanf(version, "HTTP/%d.%d%c", &major, &minor, &ch);
 	if (n != 2 || major > 1) {
 		event_debug(("%s: bad version %s on message %p from %s",
-			__func__, version, req, req->remote_host));
+			__func__, version, (void *)req, req->remote_host));
 		return (-1);
 	}
 	req->major = major;
@@ -2013,7 +2014,7 @@ evhttp_parse_request_line(struct evhttp_request *req, char *line, size_t len)
 
 	if (!type) {
 		event_debug(("%s: bad method %s on request %p from %s",
-		            __func__, method, req, req->remote_host));
+		            __func__, method, (void *)req, req->remote_host));
 		/* No error yet; we'll give a better error later when
 		 * we see that req->type is unsupported. */
 	}
@@ -2351,7 +2352,8 @@ evhttp_get_body_length(struct evhttp_request *req)
 static int
 evhttp_method_may_have_body_(struct evhttp_connection *evcon, enum evhttp_cmd_type type)
 {
-	ev_uint16_t flags;
+	/* NOTE: some version of GCC reports a warning that flags may be uninitialized, hence assignment */
+	ev_uint16_t flags = 0;
 	evhttp_method_(evcon, type, &flags);
 	return (flags & EVHTTP_METHOD_HAS_BODY) ? 1 : 0;
 }
@@ -3793,9 +3795,15 @@ evhttp_handle_request(struct evhttp_request *req, void *arg)
 static void
 accept_socket_cb(struct evconnlistener *listener, evutil_socket_t nfd, struct sockaddr *peer_sa, int peer_socklen, void *arg)
 {
-	struct evhttp *http = arg;
+	struct evhttp_bound_socket *bound = arg;
+
+	struct evhttp *http = bound->http;
 
-	evhttp_get_request(http, nfd, peer_sa, peer_socklen);
+	struct bufferevent *bev = NULL;
+	if (bound->bevcb)
+		bev = bound->bevcb(http->base, bound->bevcbarg);
+
+	evhttp_get_request(http, nfd, peer_sa, peer_socklen, bev);
 }
 
 int
@@ -3891,9 +3899,11 @@ evhttp_bind_listener(struct evhttp *http, struct evconnlistener *listener)
 		return (NULL);
 
 	bound->listener = listener;
+	bound->bevcb = NULL;
+	bound->http = http;
 	TAILQ_INSERT_TAIL(&http->sockets, bound, next);
 
-	evconnlistener_set_cb(listener, accept_socket_cb, http);
+	evconnlistener_set_cb(listener, accept_socket_cb, bound);
 	return bound;
 }
 
@@ -3909,6 +3919,14 @@ evhttp_bound_socket_get_listener(struct evhttp_bound_socket *bound)
 	return bound->listener;
 }
 
+void
+evhttp_bound_set_bevcb(struct evhttp_bound_socket *bound,
+    struct bufferevent* (*cb)(struct event_base *, void *), void *cbarg)
+{
+	bound->bevcb = cb;
+	bound->bevcbarg = cbarg;
+}
+
 void
 evhttp_del_accept_socket(struct evhttp *http, struct evhttp_bound_socket *bound)
 {
@@ -4415,7 +4433,7 @@ evhttp_request_set_on_complete_cb(struct evhttp_request *req,
 const char *
 evhttp_request_get_uri(const struct evhttp_request *req) {
 	if (req->uri == NULL)
-		event_debug(("%s: request %p has no uri\n", __func__, req));
+		event_debug(("%s: request %p has no uri\n", __func__, (void *)req));
 	return (req->uri);
 }
 
@@ -4423,7 +4441,7 @@ const struct evhttp_uri *
 evhttp_request_get_evhttp_uri(const struct evhttp_request *req) {
 	if (req->uri_elems == NULL)
 		event_debug(("%s: request %p has no uri elems\n",
-			    __func__, req));
+			    __func__, (void *)req));
 	return (req->uri_elems);
 }
 
@@ -4515,10 +4533,10 @@ struct evbuffer *evhttp_request_get_output_buffer(struct evhttp_request *req)
 static struct evhttp_connection*
 evhttp_get_request_connection(
 	struct evhttp* http,
-	evutil_socket_t fd, struct sockaddr *sa, ev_socklen_t salen)
+	evutil_socket_t fd, struct sockaddr *sa, ev_socklen_t salen,
+	struct bufferevent* bev)
 {
 	struct evhttp_connection *evcon;
-	struct bufferevent* bev = NULL;
 
 #ifdef EVENT__HAVE_STRUCT_SOCKADDR_UN
 	if (sa->sa_family == AF_UNIX) {
@@ -4535,7 +4553,7 @@ evhttp_get_request_connection(
 			EV_SOCK_FMT"\n", __func__, EV_SOCK_ARG(fd)));
 
 		/* we need a connection object to put the http request on */
-		if (http->bevcb != NULL) {
+		if (!bev && http->bevcb != NULL) {
 			bev = (*http->bevcb)(http->base, http->bevcbarg);
 		}
 
@@ -4558,7 +4576,7 @@ evhttp_get_request_connection(
 			__func__, hostname, portname, EV_SOCK_ARG(fd)));
 
 		/* we need a connection object to put the http request on */
-		if (http->bevcb != NULL) {
+		if (!bev && http->bevcb != NULL) {
 			bev = (*http->bevcb)(http->base, http->bevcbarg);
 		}
 		evcon = evhttp_connection_base_bufferevent_new(
@@ -4634,11 +4652,12 @@ evhttp_associate_new_request_with_connection(struct evhttp_connection *evcon)
 
 static void
 evhttp_get_request(struct evhttp *http, evutil_socket_t fd,
-    struct sockaddr *sa, ev_socklen_t salen)
+    struct sockaddr *sa, ev_socklen_t salen,
+    struct bufferevent *bev)
 {
 	struct evhttp_connection *evcon;
 
-	evcon = evhttp_get_request_connection(http, fd, sa, salen);
+	evcon = evhttp_get_request_connection(http, fd, sa, salen, bev);
 	if (evcon == NULL) {
 		event_sock_warn(fd, "%s: cannot get connection on "EV_SOCK_FMT,
 		    __func__, EV_SOCK_ARG(fd));
diff --git a/darwin/libevent/include/event.h b/darwin/libevent/include/event.h
index ba518671..0e33f90f 100644
--- a/darwin/libevent/include/event.h
+++ b/darwin/libevent/include/event.h
@@ -54,7 +54,7 @@ extern "C" {
 #include <stdarg.h>
 
 /* For int types. */
-#include <evutil.h>
+#include <event2/util.h>
 
 #ifdef _WIN32
 #ifndef WIN32_LEAN_AND_MEAN
diff --git a/darwin/libevent/include/event2/event.h b/darwin/libevent/include/event2/event.h
index 83dfe540..b52fd846 100644
--- a/darwin/libevent/include/event2/event.h
+++ b/darwin/libevent/include/event2/event.h
@@ -396,7 +396,7 @@ const char *event_base_get_method(const struct event_base *eb);
 EVENT2_EXPORT_SYMBOL
 const char **event_get_supported_methods(void);
 
-/** Query the current monotonic time from a the timer for a struct
+/** Query the current monotonic time from the timer for a struct
  * event_base.
  */
 EVENT2_EXPORT_SYMBOL
@@ -542,6 +542,8 @@ enum event_base_config_flag {
 	    If this flag is set then bufferevent_socket_new() and
 	    evconn_listener_new() will use IOCP-backed implementations
 	    instead of the usual select-based one on Windows.
+
+	    Note: it is experimental feature, and has some bugs.
 	 */
 	EVENT_BASE_FLAG_STARTUP_IOCP = 0x04,
 	/** Instead of checking the current time every time the event loop is
diff --git a/darwin/libevent/include/event2/http.h b/darwin/libevent/include/event2/http.h
index 89175fb7..50c0a27b 100644
--- a/darwin/libevent/include/event2/http.h
+++ b/darwin/libevent/include/event2/http.h
@@ -53,18 +53,29 @@ struct evhttp_connection;
  */
 
 /* Response codes */
+#define HTTP_CONTINUE		100	/**< client should proceed to send */
+#define HTTP_SWITCH_PROTOCOLS	101	/**< switching to another protocol */
+#define HTTP_PROCESSING		102	/**< processing the request, but no response is available yet */
+#define HTTP_EARLYHINTS		103	/**< return some response headers */
 #define HTTP_OK			200	/**< request completed ok */
+#define HTTP_CREATED		201	/**< new resource is created */
+#define HTTP_ACCEPTED		202	/**< accepted for processing */
+#define HTTP_NONAUTHORITATIVE	203	/**< returning a modified version of the origin's response */
 #define HTTP_NOCONTENT		204	/**< request does not have content */
 #define HTTP_MOVEPERM		301	/**< the uri moved permanently */
 #define HTTP_MOVETEMP		302	/**< the uri moved temporarily */
 #define HTTP_NOTMODIFIED	304	/**< page was not modified from last */
 #define HTTP_BADREQUEST		400	/**< invalid http request was made */
+#define HTTP_UNAUTHORIZED	401	/**< authentication is required */
+#define HTTP_PAYMENTREQUIRED	402	/**< user exceeded limit on requests */
+#define HTTP_FORBIDDEN		403	/**< user not having the necessary permissions */
 #define HTTP_NOTFOUND		404	/**< could not find content for uri */
 #define HTTP_BADMETHOD		405 	/**< method not allowed for this uri */
-#define HTTP_ENTITYTOOLARGE	413	/**<  */
+#define HTTP_ENTITYTOOLARGE	413	/**< request is larger than the server is able to process */
 #define HTTP_EXPECTATIONFAILED	417	/**< we can't handle this expectation */
 #define HTTP_INTERNAL           500     /**< internal error */
 #define HTTP_NOTIMPLEMENTED     501     /**< not implemented */
+#define HTTP_BADGATEWAY		502	/**< received an invalid response from the upstream */
 #define HTTP_SERVUNAVAIL	503	/**< the server is not available */
 
 struct evhttp;
@@ -161,6 +172,14 @@ struct evhttp_bound_socket *evhttp_bind_listener(struct evhttp *http, struct evc
 EVENT2_EXPORT_SYMBOL
 struct evconnlistener *evhttp_bound_socket_get_listener(struct evhttp_bound_socket *bound);
 
+/*
+ * Like evhttp_set_bevcb.
+ * If cb returns a non-NULL bufferevent, * the callback supplied through
+ * evhttp_set_bevcb isn't used.
+ */
+EVENT2_EXPORT_SYMBOL
+void evhttp_bound_set_bevcb(struct evhttp_bound_socket *bound, struct bufferevent* (*cb)(struct event_base *, void *), void *cbarg);
+
 typedef void evhttp_bound_socket_foreach_fn(struct evhttp_bound_socket *, void *);
 /**
  * Applies the function specified in the first argument to all
@@ -322,6 +341,8 @@ void evhttp_set_gencb(struct evhttp *http,
 /**
    Set a callback used to create new bufferevents for connections
    to a given evhttp object.
+   cb is not called if a non-NULL bufferevent was supplied by
+   evhttp_bound_set_bevcb.
 
    You can use this to override the default bufferevent type -- for example,
    to make this evhttp object use SSL bufferevents rather than unencrypted
diff --git a/darwin/libevent/include/event2/http_struct.h b/darwin/libevent/include/event2/http_struct.h
index 4bf5b1ff..b828180e 100644
--- a/darwin/libevent/include/event2/http_struct.h
+++ b/darwin/libevent/include/event2/http_struct.h
@@ -129,7 +129,7 @@ struct {
 	int (*header_cb)(struct evhttp_request *, void *);
 
 	/*
-	 * Error callback - called when error is occured.
+	 * Error callback - called when error is occurred.
 	 * @see evhttp_request_error for error types.
 	 *
 	 * @see evhttp_request_set_error_cb()
diff --git a/darwin/libevent/listener.c b/darwin/libevent/listener.c
index 125c7286..fc7c2c58 100644
--- a/darwin/libevent/listener.c
+++ b/darwin/libevent/listener.c
@@ -275,8 +275,13 @@ evconnlistener_new_bind(struct event_base *base, evconnlistener_cb cb,
 
 	return listener;
 err:
-	evutil_closesocket(fd);
-	return NULL;
+	{
+		int saved_errno = EVUTIL_SOCKET_ERROR();
+		evutil_closesocket(fd);
+		if (saved_errno)
+			EVUTIL_SET_SOCKET_ERROR(saved_errno);
+		return NULL;
+	}
 }
 
 void
diff --git a/darwin/libevent/mbedtls-compat.h b/darwin/libevent/mbedtls-compat.h
index 34148e5b..b50ccd23 100644
--- a/darwin/libevent/mbedtls-compat.h
+++ b/darwin/libevent/mbedtls-compat.h
@@ -2,10 +2,29 @@
 #define MBEDTLS_COMPAT_H
 
 #include <mbedtls/version.h>
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+# if defined(__clang__)
+#  pragma clang diagnostic push
+#  pragma clang diagnostic ignored "-Wcpp"
+# elif defined(__GNUC__)
+#  pragma GCC diagnostic push
+#  pragma GCC diagnostic ignored "-Wcpp"
+# endif
+
+# include <mbedtls/compat-2.x.h>
+
+# if defined(__clang__)
+#  pragma clang diagnostic pop
+# elif defined(__GNUC__)
+#  pragma GCC diagnostic pop
+# endif
+#endif // MBEDTLS_VERSION_MAJOR >= 3
+
 #if MBEDTLS_VERSION_MAJOR < 2 || (MBEDTLS_VERSION_MAJOR == 2 && MBEDTLS_VERSION_MINOR < 4)
-#include <mbedtls/net.h>
+# include <mbedtls/net.h>
 #else
-#include <mbedtls/net_sockets.h>
+# include <mbedtls/net_sockets.h>
 #endif
 
 #endif // LIBEVENT_MBEDTLS_COMPAT_H
diff --git a/darwin/libevent/signal.c b/darwin/libevent/signal.c
index 9a232710..551a454f 100644
--- a/darwin/libevent/signal.c
+++ b/darwin/libevent/signal.c
@@ -295,7 +295,7 @@ evsig_add(struct event_base *base, evutil_socket_t evsignal, short old, short ev
 		    "the most recently added signal or the most recent "
 		    "event_base_loop() call gets preference; do "
 		    "not rely on this behavior in future Libevent versions.",
-		    base, evsig_base, base->evsel->name);
+                   (void *)base, (void *)evsig_base, base->evsel->name);
 	}
 	evsig_base = base;
 	evsig_base_n_signals_added = ++sig->ev_n_signals_added;
diff --git a/darwin/openssl/crypto/aes/asm/aesni-x86.pl b/darwin/openssl/crypto/aes/asm/aesni-x86.pl
index fe2b2654..3502940d 100644
--- a/darwin/openssl/crypto/aes/asm/aesni-x86.pl
+++ b/darwin/openssl/crypto/aes/asm/aesni-x86.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2027,7 +2027,7 @@ sub aesni_generate6
 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
@@ -2453,7 +2453,7 @@ sub aesni_generate6
 	&pxor		($rndkey1,$inout5);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
diff --git a/darwin/openssl/crypto/aes/asm/aesv8-armx.pl b/darwin/openssl/crypto/aes/asm/aesv8-armx.pl
index 2b0e9829..1856d997 100755
--- a/darwin/openssl/crypto/aes/asm/aesv8-armx.pl
+++ b/darwin/openssl/crypto/aes/asm/aesv8-armx.pl
@@ -740,6 +740,21 @@ ()
 #ifndef __ARMEB__
 	rev		$ctr, $ctr
 #endif
+___
+$code.=<<___	if ($flavour =~ /64/);
+	vorr		$dat1,$dat0,$dat0
+	add		$tctr1, $ctr, #1
+	vorr		$dat2,$dat0,$dat0
+	add		$ctr, $ctr, #2
+	vorr		$ivec,$dat0,$dat0
+	rev		$tctr1, $tctr1
+	vmov.32		${dat1}[3],$tctr1
+	b.ls		.Lctr32_tail
+	rev		$tctr2, $ctr
+	sub		$len,$len,#3		// bias
+	vmov.32		${dat2}[3],$tctr2
+___
+$code.=<<___	if ($flavour !~ /64/);
 	add		$tctr1, $ctr, #1
 	vorr		$ivec,$dat0,$dat0
 	rev		$tctr1, $tctr1
@@ -751,6 +766,8 @@ ()
 	vmov.32		${ivec}[3],$tctr2
 	sub		$len,$len,#3		// bias
 	vorr		$dat2,$ivec,$ivec
+___
+$code.=<<___;
 	b		.Loop3x_ctr32
 
 .align	4
@@ -777,11 +794,25 @@ ()
 	aese		$dat1,q8
 	aesmc		$tmp1,$dat1
 	 vld1.8		{$in0},[$inp],#16
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vorr		$dat0,$ivec,$ivec
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 add		$tctr0,$ctr,#1
+___
+$code.=<<___;
 	aese		$dat2,q8
 	aesmc		$dat2,$dat2
 	 vld1.8		{$in1},[$inp],#16
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vorr		$dat1,$ivec,$ivec
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 rev		$tctr0,$tctr0
+___
+$code.=<<___;
 	aese		$tmp0,q9
 	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q9
@@ -790,6 +821,12 @@ ()
 	 mov		$key_,$key
 	aese		$dat2,q9
 	aesmc		$tmp2,$dat2
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vorr		$dat2,$ivec,$ivec
+	 add		$tctr0,$ctr,#1
+___
+$code.=<<___;
 	aese		$tmp0,q12
 	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q12
@@ -805,22 +842,47 @@ ()
 	aese		$tmp1,q13
 	aesmc		$tmp1,$tmp1
 	 veor		$in2,$in2,$rndlast
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 rev		$tctr0,$tctr0
+	aese		$tmp2,q13
+	aesmc		$tmp2,$tmp2
+	 vmov.32	${dat0}[3], $tctr0
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 vmov.32	${ivec}[3], $tctr0
 	aese		$tmp2,q13
 	aesmc		$tmp2,$tmp2
 	 vorr		$dat0,$ivec,$ivec
+___
+$code.=<<___;
 	 rev		$tctr1,$tctr1
 	aese		$tmp0,q14
 	aesmc		$tmp0,$tmp0
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 vmov.32	${ivec}[3], $tctr1
 	 rev		$tctr2,$ctr
+___
+$code.=<<___;
 	aese		$tmp1,q14
 	aesmc		$tmp1,$tmp1
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vmov.32	${dat1}[3], $tctr1
+	 rev		$tctr2,$ctr
+	aese		$tmp2,q14
+	aesmc		$tmp2,$tmp2
+	 vmov.32	${dat2}[3], $tctr2
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 vorr		$dat1,$ivec,$ivec
 	 vmov.32	${ivec}[3], $tctr2
 	aese		$tmp2,q14
 	aesmc		$tmp2,$tmp2
 	 vorr		$dat2,$ivec,$ivec
+___
+$code.=<<___;
 	 subs		$len,$len,#3
 	aese		$tmp0,q15
 	aese		$tmp1,q15
diff --git a/darwin/openssl/crypto/asn1/charmap.pl b/darwin/openssl/crypto/asn1/charmap.pl
index dadd8df7..52fa5a79 100644
--- a/darwin/openssl/crypto/asn1/charmap.pl
+++ b/darwin/openssl/crypto/asn1/charmap.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -7,6 +7,9 @@
 # https://www.openssl.org/source/license.html
 
 use strict;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 my ($i, @arr);
 
@@ -82,8 +85,8 @@
 
 # Now generate the C code
 
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
+# Year the file was generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
 print <<EOF;
 /*
  * WARNING: do not edit!
diff --git a/darwin/openssl/crypto/bn/asm/x86_64-mont5.pl b/darwin/openssl/crypto/bn/asm/x86_64-mont5.pl
index 8c37d132..33cb769c 100755
--- a/darwin/openssl/crypto/bn/asm/x86_64-mont5.pl
+++ b/darwin/openssl/crypto/bn/asm/x86_64-mont5.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2101,193 +2101,6 @@
 .size	__bn_post4x_internal,.-__bn_post4x_internal
 ___
 }
-{
-$code.=<<___;
-.globl	bn_from_montgomery
-.type	bn_from_montgomery,\@abi-omnipotent
-.align	32
-bn_from_montgomery:
-.cfi_startproc
-	testl	\$7,`($win64?"48(%rsp)":"%r9d")`
-	jz	bn_from_mont8x
-	xor	%eax,%eax
-	ret
-.cfi_endproc
-.size	bn_from_montgomery,.-bn_from_montgomery
-
-.type	bn_from_mont8x,\@function,6
-.align	32
-bn_from_mont8x:
-.cfi_startproc
-	.byte	0x67
-	mov	%rsp,%rax
-.cfi_def_cfa_register	%rax
-	push	%rbx
-.cfi_push	%rbx
-	push	%rbp
-.cfi_push	%rbp
-	push	%r12
-.cfi_push	%r12
-	push	%r13
-.cfi_push	%r13
-	push	%r14
-.cfi_push	%r14
-	push	%r15
-.cfi_push	%r15
-.Lfrom_prologue:
-
-	shl	\$3,${num}d		# convert $num to bytes
-	lea	($num,$num,2),%r10	# 3*$num in bytes
-	neg	$num
-	mov	($n0),$n0		# *n0
-
-	##############################################################
-	# Ensure that stack frame doesn't alias with $rptr+3*$num
-	# modulo 4096, which covers ret[num], am[num] and n[num]
-	# (see bn_exp.c). The stack is allocated to aligned with
-	# bn_power5's frame, and as bn_from_montgomery happens to be
-	# last operation, we use the opportunity to cleanse it.
-	#
-	lea	-320(%rsp,$num,2),%r11
-	mov	%rsp,%rbp
-	sub	$rptr,%r11
-	and	\$4095,%r11
-	cmp	%r11,%r10
-	jb	.Lfrom_sp_alt
-	sub	%r11,%rbp		# align with $aptr
-	lea	-320(%rbp,$num,2),%rbp	# future alloca(frame+2*$num*8+256)
-	jmp	.Lfrom_sp_done
-
-.align	32
-.Lfrom_sp_alt:
-	lea	4096-320(,$num,2),%r10
-	lea	-320(%rbp,$num,2),%rbp	# future alloca(frame+2*$num*8+256)
-	sub	%r10,%r11
-	mov	\$0,%r10
-	cmovc	%r10,%r11
-	sub	%r11,%rbp
-.Lfrom_sp_done:
-	and	\$-64,%rbp
-	mov	%rsp,%r11
-	sub	%rbp,%r11
-	and	\$-4096,%r11
-	lea	(%rbp,%r11),%rsp
-	mov	(%rsp),%r10
-	cmp	%rbp,%rsp
-	ja	.Lfrom_page_walk
-	jmp	.Lfrom_page_walk_done
-
-.Lfrom_page_walk:
-	lea	-4096(%rsp),%rsp
-	mov	(%rsp),%r10
-	cmp	%rbp,%rsp
-	ja	.Lfrom_page_walk
-.Lfrom_page_walk_done:
-
-	mov	$num,%r10
-	neg	$num
-
-	##############################################################
-	# Stack layout
-	#
-	# +0	saved $num, used in reduction section
-	# +8	&t[2*$num], used in reduction section
-	# +32	saved *n0
-	# +40	saved %rsp
-	# +48	t[2*$num]
-	#
-	mov	$n0,  32(%rsp)
-	mov	%rax, 40(%rsp)		# save original %rsp
-.cfi_cfa_expression	%rsp+40,deref,+8
-.Lfrom_body:
-	mov	$num,%r11
-	lea	48(%rsp),%rax
-	pxor	%xmm0,%xmm0
-	jmp	.Lmul_by_1
-
-.align	32
-.Lmul_by_1:
-	movdqu	($aptr),%xmm1
-	movdqu	16($aptr),%xmm2
-	movdqu	32($aptr),%xmm3
-	movdqa	%xmm0,(%rax,$num)
-	movdqu	48($aptr),%xmm4
-	movdqa	%xmm0,16(%rax,$num)
-	.byte	0x48,0x8d,0xb6,0x40,0x00,0x00,0x00	# lea	64($aptr),$aptr
-	movdqa	%xmm1,(%rax)
-	movdqa	%xmm0,32(%rax,$num)
-	movdqa	%xmm2,16(%rax)
-	movdqa	%xmm0,48(%rax,$num)
-	movdqa	%xmm3,32(%rax)
-	movdqa	%xmm4,48(%rax)
-	lea	64(%rax),%rax
-	sub	\$64,%r11
-	jnz	.Lmul_by_1
-
-	movq	$rptr,%xmm1
-	movq	$nptr,%xmm2
-	.byte	0x67
-	mov	$nptr,%rbp
-	movq	%r10, %xmm3		# -num
-___
-$code.=<<___ if ($addx);
-	mov	OPENSSL_ia32cap_P+8(%rip),%r11d
-	and	\$0x80108,%r11d
-	cmp	\$0x80108,%r11d		# check for AD*X+BMI2+BMI1
-	jne	.Lfrom_mont_nox
-
-	lea	(%rax,$num),$rptr
-	call	__bn_sqrx8x_reduction
-	call	__bn_postx4x_internal
-
-	pxor	%xmm0,%xmm0
-	lea	48(%rsp),%rax
-	jmp	.Lfrom_mont_zero
-
-.align	32
-.Lfrom_mont_nox:
-___
-$code.=<<___;
-	call	__bn_sqr8x_reduction
-	call	__bn_post4x_internal
-
-	pxor	%xmm0,%xmm0
-	lea	48(%rsp),%rax
-	jmp	.Lfrom_mont_zero
-
-.align	32
-.Lfrom_mont_zero:
-	mov	40(%rsp),%rsi		# restore %rsp
-.cfi_def_cfa	%rsi,8
-	movdqa	%xmm0,16*0(%rax)
-	movdqa	%xmm0,16*1(%rax)
-	movdqa	%xmm0,16*2(%rax)
-	movdqa	%xmm0,16*3(%rax)
-	lea	16*4(%rax),%rax
-	sub	\$32,$num
-	jnz	.Lfrom_mont_zero
-
-	mov	\$1,%rax
-	mov	-48(%rsi),%r15
-.cfi_restore	%r15
-	mov	-40(%rsi),%r14
-.cfi_restore	%r14
-	mov	-32(%rsi),%r13
-.cfi_restore	%r13
-	mov	-24(%rsi),%r12
-.cfi_restore	%r12
-	mov	-16(%rsi),%rbp
-.cfi_restore	%rbp
-	mov	-8(%rsi),%rbx
-.cfi_restore	%rbx
-	lea	(%rsi),%rsp
-.cfi_def_cfa_register	%rsp
-.Lfrom_epilogue:
-	ret
-.cfi_endproc
-.size	bn_from_mont8x,.-bn_from_mont8x
-___
-}
 }}}
 
 if ($addx) {{{
@@ -3894,10 +3707,6 @@
 	.rva	.LSEH_begin_bn_power5
 	.rva	.LSEH_end_bn_power5
 	.rva	.LSEH_info_bn_power5
-
-	.rva	.LSEH_begin_bn_from_mont8x
-	.rva	.LSEH_end_bn_from_mont8x
-	.rva	.LSEH_info_bn_from_mont8x
 ___
 $code.=<<___ if ($addx);
 	.rva	.LSEH_begin_bn_mulx4x_mont_gather5
@@ -3929,11 +3738,6 @@
 	.byte	9,0,0,0
 	.rva	mul_handler
 	.rva	.Lpower5_prologue,.Lpower5_body,.Lpower5_epilogue	# HandlerData[]
-.align	8
-.LSEH_info_bn_from_mont8x:
-	.byte	9,0,0,0
-	.rva	mul_handler
-	.rva	.Lfrom_prologue,.Lfrom_body,.Lfrom_epilogue		# HandlerData[]
 ___
 $code.=<<___ if ($addx);
 .align	8
diff --git a/darwin/openssl/crypto/bn/bn_div.c b/darwin/openssl/crypto/bn/bn_div.c
index e2821fb6..42736188 100644
--- a/darwin/openssl/crypto/bn/bn_div.c
+++ b/darwin/openssl/crypto/bn/bn_div.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/crypto/bn/bn_exp.c b/darwin/openssl/crypto/bn/bn_exp.c
index 451e88ac..e21dcff0 100644
--- a/darwin/openssl/crypto/bn/bn_exp.c
+++ b/darwin/openssl/crypto/bn/bn_exp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -900,14 +900,21 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 #if defined(OPENSSL_BN_ASM_MONT5)
     if (window == 5 && top > 1) {
         /*
-         * This optimization uses ideas from http://eprint.iacr.org/2011/239,
-         * specifically optimization of cache-timing attack countermeasures
-         * and pre-computation optimization.
-         */
-
-        /*
-         * Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
-         * 512-bit RSA is hardly relevant, we omit it to spare size...
+         * This optimization uses ideas from https://eprint.iacr.org/2011/239,
+         * specifically optimization of cache-timing attack countermeasures,
+         * pre-computation optimization, and Almost Montgomery Multiplication.
+         *
+         * The paper discusses a 4-bit window to optimize 512-bit modular
+         * exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer
+         * important.
+         *
+         * |bn_mul_mont_gather5| and |bn_power5| implement the "almost"
+         * reduction variant, so the values here may not be fully reduced.
+         * They are bounded by R (i.e. they fit in |top| words), not |m|.
+         * Additionally, we pass these "almost" reduced inputs into
+         * |bn_mul_mont|, which implements the normal reduction variant.
+         * Given those inputs, |bn_mul_mont| may not give reduced
+         * output, but it will still produce "almost" reduced output.
          */
         void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,
                                  const void *table, const BN_ULONG *np,
@@ -919,9 +926,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
                        const void *table, const BN_ULONG *np,
                        const BN_ULONG *n0, int num, int power);
         int bn_get_bits5(const BN_ULONG *ap, int off);
-        int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
-                               const BN_ULONG *not_used, const BN_ULONG *np,
-                               const BN_ULONG *n0, int num);
 
         BN_ULONG *n0 = mont->n0, *np;
 
@@ -1010,14 +1014,18 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
             }
         }
 
-        ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top);
         tmp.top = top;
-        bn_correct_top(&tmp);
-        if (ret) {
-            if (!BN_copy(rr, &tmp))
-                ret = 0;
-            goto err;           /* non-zero ret means it's not error */
-        }
+        /*
+         * The result is now in |tmp| in Montgomery form, but it may not be
+         * fully reduced. This is within bounds for |BN_from_montgomery|
+         * (tmp < R <= m*R) so it will, when converting from Montgomery form,
+         * produce a fully reduced result.
+         *
+         * This differs from Figure 2 of the paper, which uses AMM(h, 1) to
+         * convert from Montgomery form with unreduced output, followed by an
+         * extra reduction step. In the paper's terminology, we replace
+         * steps 9 and 10 with MM(h, 1).
+         */
     } else
 #endif
     {
diff --git a/darwin/openssl/crypto/bn/bn_gcd.c b/darwin/openssl/crypto/bn/bn_gcd.c
index 0941f7b9..6190bf1e 100644
--- a/darwin/openssl/crypto/bn/bn_gcd.c
+++ b/darwin/openssl/crypto/bn/bn_gcd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -47,7 +47,8 @@ BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in,
     if (R == NULL)
         goto err;
 
-    BN_one(X);
+    if (!BN_one(X))
+        goto err;
     BN_zero(Y);
     if (BN_copy(B, a) == NULL)
         goto err;
@@ -235,7 +236,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
     if (R == NULL)
         goto err;
 
-    BN_one(X);
+    if (!BN_one(X))
+        goto err;
     BN_zero(Y);
     if (BN_copy(B, a) == NULL)
         goto err;
diff --git a/darwin/openssl/crypto/bn/bn_nist.c b/darwin/openssl/crypto/bn/bn_nist.c
index 325dc228..fcee38ec 100644
--- a/darwin/openssl/crypto/bn/bn_nist.c
+++ b/darwin/openssl/crypto/bn/bn_nist.c
@@ -249,17 +249,28 @@ const BIGNUM *BN_get0_nist_prime_521(void)
     return &_bignum_nist_p_521;
 }
 
-static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
-{
-    int i;
-
-#ifdef BN_DEBUG
-    (void)ossl_assert(top <= max);
-#endif
-    for (i = 0; i < top; i++)
-        dst[i] = src[i];
-    for (; i < max; i++)
-        dst[i] = 0;
+/*
+ * To avoid more recent compilers (specifically clang-14) from treating this
+ * code as a violation of the strict aliasing conditions and omiting it, this
+ * cannot be declared as a function.  Moreover, the dst parameter cannot be
+ * cached in a local since this no longer references the union and again falls
+ * foul of the strict aliasing criteria.  Refer to #18225 for the initial
+ * diagnostics and llvm/llvm-project#55255 for the later discussions with the
+ * LLVM developers.  The problem boils down to if an array in the union is
+ * converted to a pointer or if it is used directly.
+ *
+ * This function was inlined regardless, so there is no space cost to be
+ * paid for making it a macro.
+ */
+#define nist_cp_bn_0(dst, src_in, top, max) \
+{                                           \
+    int ii;                                 \
+    const BN_ULONG *src = src_in;           \
+                                            \
+    for (ii = 0; ii < top; ii++)            \
+        (dst)[ii] = src[ii];                \
+    for (; ii < max; ii++)                  \
+        (dst)[ii] = 0;                      \
 }
 
 static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
diff --git a/darwin/openssl/crypto/bn/bn_prime.pl b/darwin/openssl/crypto/bn/bn_prime.pl
index b0b16087..d2eaac65 100644
--- a/darwin/openssl/crypto/bn/bn_prime.pl
+++ b/darwin/openssl/crypto/bn/bn_prime.pl
@@ -1,13 +1,16 @@
 #! /usr/bin/env perl
-# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
 print <<"EOF";
 /*
  * WARNING: do not edit!
diff --git a/darwin/openssl/crypto/bn/rsaz_exp.c b/darwin/openssl/crypto/bn/rsaz_exp.c
index 22455b8a..a2ab58bb 100644
--- a/darwin/openssl/crypto/bn/rsaz_exp.c
+++ b/darwin/openssl/crypto/bn/rsaz_exp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2012, Intel Corporation. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -66,6 +66,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
     unsigned char *R2 = table_s; /* borrow */
     int index;
     int wvalue;
+    BN_ULONG tmp[16];
 
     if ((((size_t)p_str & 4095) + 320) >> 12) {
         result = p_str;
@@ -237,7 +238,10 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
 
     rsaz_1024_red2norm_avx2(result_norm, result);
 
+    bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, tmp, 16);
+
     OPENSSL_cleanse(storage, sizeof(storage));
+    OPENSSL_cleanse(tmp, sizeof(tmp));
 }
 
 /*
@@ -266,6 +270,7 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
     unsigned char *p_str = (unsigned char *)exponent;
     int index;
     unsigned int wvalue;
+    BN_ULONG tmp[8];
 
     /* table[0] = 1_inv */
     temp[0] = 0 - m[0];
@@ -309,7 +314,10 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
     /* from Montgomery */
     rsaz_512_mul_by_one(result, temp, m, k0);
 
+    bn_reduce_once_in_place(result, /*carry=*/0, m, tmp, 8);
+
     OPENSSL_cleanse(storage, sizeof(storage));
+    OPENSSL_cleanse(tmp, sizeof(tmp));
 }
 
 #endif
diff --git a/darwin/openssl/crypto/bn/rsaz_exp.h b/darwin/openssl/crypto/bn/rsaz_exp.h
index 88f65a4b..1532a7e0 100644
--- a/darwin/openssl/crypto/bn/rsaz_exp.h
+++ b/darwin/openssl/crypto/bn/rsaz_exp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2012, Intel Corporation. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -22,6 +22,8 @@
 #  define RSAZ_ENABLED
 
 #  include <openssl/bn.h>
+#  include "internal/constant_time.h"
+#  include "bn_local.h"
 
 void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16],
                             const BN_ULONG base_norm[16],
@@ -35,6 +37,27 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
                       const BN_ULONG m_norm[8], BN_ULONG k0,
                       const BN_ULONG RR[8]);
 
+static ossl_inline void bn_select_words(BN_ULONG *r, BN_ULONG mask,
+                                        const BN_ULONG *a,
+                                        const BN_ULONG *b, size_t num)
+{
+    size_t i;
+
+    for (i = 0; i < num; i++) {
+        r[i] = constant_time_select_64(mask, a[i], b[i]);
+    }
+}
+
+static ossl_inline BN_ULONG bn_reduce_once_in_place(BN_ULONG *r,
+                                                    BN_ULONG carry,
+                                                    const BN_ULONG *m,
+                                                    BN_ULONG *tmp, size_t num)
+{
+    carry -= bn_sub_words(tmp, r, m, num);
+    bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);
+    return carry;
+}
+
 # endif
 
 #endif
diff --git a/darwin/openssl/crypto/conf/keysets.pl b/darwin/openssl/crypto/conf/keysets.pl
index 27a7214c..9c9a00de 100644
--- a/darwin/openssl/crypto/conf/keysets.pl
+++ b/darwin/openssl/crypto/conf/keysets.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -8,6 +8,9 @@
 
 use strict;
 use warnings;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 my $NUMBER      = 0x0001;
 my $UPPER       = 0x0002;
@@ -54,9 +57,8 @@
     push(@V_w32, $v);
 }
 
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
 print <<"EOF";
 /*
  * WARNING: do not edit!
diff --git a/darwin/openssl/crypto/ec/curve448/curve448.c b/darwin/openssl/crypto/ec/curve448/curve448.c
index 3aff9802..3d4db445 100644
--- a/darwin/openssl/crypto/ec/curve448/curve448.c
+++ b/darwin/openssl/crypto/ec/curve448/curve448.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2015-2016 Cryptography Research, Inc.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/darwin/openssl/crypto/ec/ec_asn1.c b/darwin/openssl/crypto/ec/ec_asn1.c
index 4335b3da..1acbbde3 100644
--- a/darwin/openssl/crypto/ec/ec_asn1.c
+++ b/darwin/openssl/crypto/ec/ec_asn1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
 
     /* extract seed (optional) */
     if (params->curve->seed != NULL) {
+        /*
+         * This happens for instance with
+         * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
+         * and causes the OPENSSL_malloc below to choke on the
+         * zero length allocation request.
+         */
+        if (params->curve->seed->length == 0) {
+            ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+            goto err;
+        }
         OPENSSL_free(ret->seed);
         if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) {
             ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
@@ -784,7 +794,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
     }
 
     /* extract the order */
-    if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) {
+    if (ASN1_INTEGER_to_BN(params->order, a) == NULL) {
         ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
         goto err;
     }
@@ -801,7 +811,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
     if (params->cofactor == NULL) {
         BN_free(b);
         b = NULL;
-    } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) {
+    } else if (ASN1_INTEGER_to_BN(params->cofactor, b) == NULL) {
         ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
         goto err;
     }
diff --git a/darwin/openssl/crypto/ec/ec_key.c b/darwin/openssl/crypto/ec/ec_key.c
index 23efbd01..63799002 100644
--- a/darwin/openssl/crypto/ec/ec_key.c
+++ b/darwin/openssl/crypto/ec/ec_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -443,6 +443,16 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
         && key->meth->set_private(key, priv_key) == 0)
         return 0;
 
+    /*
+     * Return `0` to comply with legacy behavior for this function, see
+     * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
+     */
+    if (priv_key == NULL) {
+        BN_clear_free(key->priv_key);
+        key->priv_key = NULL;
+        return 0; /* intentional for legacy compatibility */
+    }
+
     /*
      * We should never leak the bit length of the secret scalar in the key,
      * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
@@ -657,8 +667,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
         ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-    eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
-    if (eckey->priv_key == NULL) {
+    if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) {
         ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);
         return 0;
     }
diff --git a/darwin/openssl/crypto/ec/ecp_nistz256.c b/darwin/openssl/crypto/ec/ecp_nistz256.c
index 43eab75f..cfad3e15 100644
--- a/darwin/openssl/crypto/ec/ecp_nistz256.c
+++ b/darwin/openssl/crypto/ec/ecp_nistz256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
  * Copyright (c) 2015, CloudFlare, Inc.
  *
diff --git a/darwin/openssl/crypto/err/err.c b/darwin/openssl/crypto/err/err.c
index 49e6f479..239a3cea 100644
--- a/darwin/openssl/crypto/err/err.c
+++ b/darwin/openssl/crypto/err/err.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/crypto/evp/evp_enc.c b/darwin/openssl/crypto/evp/evp_enc.c
index b8b9d90d..e756624b 100644
--- a/darwin/openssl/crypto/evp/evp_enc.c
+++ b/darwin/openssl/crypto/evp/evp_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/crypto/evp/evp_local.h b/darwin/openssl/crypto/evp/evp_local.h
index cd3c1cf1..b59beee4 100644
--- a/darwin/openssl/crypto/evp/evp_local.h
+++ b/darwin/openssl/crypto/evp/evp_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/crypto/init.c b/darwin/openssl/crypto/init.c
index 09d75864..b23af797 100644
--- a/darwin/openssl/crypto/init.c
+++ b/darwin/openssl/crypto/init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/crypto/objects/obj_dat.pl b/darwin/openssl/crypto/objects/obj_dat.pl
index e5d38147..6ae13b94 100644
--- a/darwin/openssl/crypto/objects/obj_dat.pl
+++ b/darwin/openssl/crypto/objects/obj_dat.pl
@@ -9,6 +9,9 @@
 use integer;
 use strict;
 use warnings;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 # Generate the DER encoding for the given OID.
 sub der_it
@@ -36,10 +39,8 @@ sub der_it
     return $ret;
 }
 
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[0]));
 
 # Read input, parse all #define's into OID name and value.
 # Populate %ln and %sn with long and short names (%dupln and %dupsn)
diff --git a/darwin/openssl/crypto/objects/objects.pl b/darwin/openssl/crypto/objects/objects.pl
index d7d1962c..10a115f6 100644
--- a/darwin/openssl/crypto/objects/objects.pl
+++ b/darwin/openssl/crypto/objects/objects.pl
@@ -7,16 +7,15 @@
 # https://www.openssl.org/source/license.html
 
 use Getopt::Std;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 our($opt_n);
 getopts('n');
 
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
-$iYEAR = [localtime([stat($ARGV[1])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[1], $ARGV[0]));
 
 open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]";
 $max_nid=0;
diff --git a/darwin/openssl/crypto/objects/objxref.pl b/darwin/openssl/crypto/objects/objxref.pl
index ce76cada..168d4be9 100644
--- a/darwin/openssl/crypto/objects/objxref.pl
+++ b/darwin/openssl/crypto/objects/objxref.pl
@@ -8,18 +8,17 @@
 
 
 use strict;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 my %xref_tbl;
 my %oid_tbl;
 
 my ($mac_file, $xref_file) = @ARGV;
 
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($mac_file)]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
-$iYEAR = [localtime([stat($xref_file)]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $mac_file, $xref_file));
 
 open(IN, $mac_file) || die "Can't open $mac_file, $!\n";
 
diff --git a/darwin/openssl/crypto/pem/pem_lib.c b/darwin/openssl/crypto/pem/pem_lib.c
index 2de09359..c2cf4079 100644
--- a/darwin/openssl/crypto/pem/pem_lib.c
+++ b/darwin/openssl/crypto/pem/pem_lib.c
@@ -621,7 +621,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
         (BIO_write(bp, "-----\n", 6) != 6))
         goto err;
 
-    i = strlen(header);
+    i = header != NULL ? strlen(header) : 0;
     if (i > 0) {
         if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, "\n", 1) != 1))
             goto err;
diff --git a/darwin/openssl/crypto/rand/drbg_lib.c b/darwin/openssl/crypto/rand/drbg_lib.c
index 8c7c28c9..0ba20ca3 100644
--- a/darwin/openssl/crypto/rand/drbg_lib.c
+++ b/darwin/openssl/crypto/rand/drbg_lib.c
@@ -354,13 +354,8 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
     drbg->state = DRBG_READY;
     drbg->generate_counter = 1;
     drbg->reseed_time = time(NULL);
-    if (drbg->enable_reseed_propagation) {
-        if (drbg->parent == NULL)
-            tsan_counter(&drbg->reseed_counter);
-        else
-            tsan_store(&drbg->reseed_counter,
-                       tsan_load(&drbg->parent->reseed_counter));
-    }
+    if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+        tsan_counter(&drbg->reseed_counter);
 
  end:
     if (entropy != NULL && drbg->cleanup_entropy != NULL)
@@ -444,13 +439,8 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
     drbg->state = DRBG_READY;
     drbg->generate_counter = 1;
     drbg->reseed_time = time(NULL);
-    if (drbg->enable_reseed_propagation) {
-        if (drbg->parent == NULL)
-            tsan_counter(&drbg->reseed_counter);
-        else
-            tsan_store(&drbg->reseed_counter,
-                       tsan_load(&drbg->parent->reseed_counter));
-    }
+    if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+        tsan_counter(&drbg->reseed_counter);
 
  end:
     if (entropy != NULL && drbg->cleanup_entropy != NULL)
diff --git a/darwin/openssl/crypto/rand/rand_lib.c b/darwin/openssl/crypto/rand/rand_lib.c
index 5c72fad8..545ab463 100644
--- a/darwin/openssl/crypto/rand/rand_lib.c
+++ b/darwin/openssl/crypto/rand/rand_lib.c
@@ -172,8 +172,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
             if (RAND_DRBG_generate(drbg->parent,
                                    buffer, bytes_needed,
                                    prediction_resistance,
-                                   (unsigned char *)&drbg, sizeof(drbg)) != 0)
+                                   (unsigned char *)&drbg, sizeof(drbg)) != 0) {
                 bytes = bytes_needed;
+                if (drbg->enable_reseed_propagation)
+                    tsan_store(&drbg->reseed_counter,
+                               tsan_load(&drbg->parent->reseed_counter));
+            }
             rand_drbg_unlock(drbg->parent);
 
             rand_pool_add_end(pool, bytes, 8 * bytes);
diff --git a/darwin/openssl/crypto/rand/rand_win.c b/darwin/openssl/crypto/rand/rand_win.c
index 90365460..75ed90bd 100644
--- a/darwin/openssl/crypto/rand/rand_win.c
+++ b/darwin/openssl/crypto/rand/rand_win.c
@@ -26,7 +26,9 @@
 
 # ifdef USE_BCRYPTGENRANDOM
 #  include <bcrypt.h>
-#  pragma comment(lib, "bcrypt.lib")
+#  ifdef _MSC_VER
+#   pragma comment(lib, "bcrypt.lib")
+#  endif
 #  ifndef STATUS_SUCCESS
 #   define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
 #  endif
diff --git a/darwin/openssl/crypto/s390x_arch.h b/darwin/openssl/crypto/s390x_arch.h
index b47dd53a..64e7ebb5 100644
--- a/darwin/openssl/crypto/s390x_arch.h
+++ b/darwin/openssl/crypto/s390x_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/crypto/s390xcap.c b/darwin/openssl/crypto/s390xcap.c
index 1878b6a4..1097c703 100644
--- a/darwin/openssl/crypto/s390xcap.c
+++ b/darwin/openssl/crypto/s390xcap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/crypto/x509/x509_cmp.c b/darwin/openssl/crypto/x509/x509_cmp.c
index 1d8d2d7b..3724a118 100644
--- a/darwin/openssl/crypto/x509/x509_cmp.c
+++ b/darwin/openssl/crypto/x509/x509_cmp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -34,7 +34,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
     unsigned long ret = 0;
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     unsigned char md[16];
-    char *f;
+    char *f = NULL;
 
     if (ctx == NULL)
         goto err;
@@ -45,7 +45,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
         goto err;
     if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
         goto err;
-    OPENSSL_free(f);
     if (!EVP_DigestUpdate
         (ctx, (unsigned char *)a->cert_info.serialNumber.data,
          (unsigned long)a->cert_info.serialNumber.length))
@@ -56,6 +55,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
            ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
         ) & 0xffffffffL;
  err:
+    OPENSSL_free(f);
     EVP_MD_CTX_free(ctx);
     return ret;
 }
diff --git a/darwin/openssl/crypto/x509/x509_req.c b/darwin/openssl/crypto/x509/x509_req.c
index dd674926..a69f9a72 100644
--- a/darwin/openssl/crypto/x509/x509_req.c
+++ b/darwin/openssl/crypto/x509/x509_req.c
@@ -167,7 +167,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
         ext = X509_ATTRIBUTE_get0_type(attr, 0);
         break;
     }
-    if (!ext || (ext->type != V_ASN1_SEQUENCE))
+    if (ext == NULL) /* no extensions is not an error */
+        return sk_X509_EXTENSION_new_null();
+    if (ext->type != V_ASN1_SEQUENCE)
         return NULL;
     p = ext->value.sequence->data;
     return (STACK_OF(X509_EXTENSION) *)
diff --git a/darwin/openssl/crypto/x509/x509_vfy.c b/darwin/openssl/crypto/x509/x509_vfy.c
index b18489f6..925fbb54 100644
--- a/darwin/openssl/crypto/x509/x509_vfy.c
+++ b/darwin/openssl/crypto/x509/x509_vfy.c
@@ -973,14 +973,14 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
     time_t *ptime;
     int i;
 
-    if (notify)
-        ctx->current_crl = crl;
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
     else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
         return 1;
     else
         ptime = NULL;
+    if (notify)
+        ctx->current_crl = crl;
 
     i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
     if (i == 0) {
diff --git a/darwin/openssl/crypto/x509/x_crl.c b/darwin/openssl/crypto/x509/x_crl.c
index c9762f9e..df0041c0 100644
--- a/darwin/openssl/crypto/x509/x_crl.c
+++ b/darwin/openssl/crypto/x509/x_crl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -103,13 +103,17 @@ static int crl_set_issuers(X509_CRL *crl)
 
         if (gtmp) {
             gens = gtmp;
-            if (!crl->issuers) {
+            if (crl->issuers == NULL) {
                 crl->issuers = sk_GENERAL_NAMES_new_null();
-                if (!crl->issuers)
+                if (crl->issuers == NULL) {
+                    GENERAL_NAMES_free(gtmp);
                     return 0;
+                }
             }
-            if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
+            if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) {
+                GENERAL_NAMES_free(gtmp);
                 return 0;
+            }
         }
         rev->issuer = gens;
 
@@ -255,7 +259,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         break;
 
     case ASN1_OP_FREE_POST:
-        if (crl->meth->crl_free) {
+        if (crl->meth != NULL && crl->meth->crl_free != NULL) {
             if (!crl->meth->crl_free(crl))
                 return 0;
         }
diff --git a/darwin/openssl/crypto/x509v3/v3_addr.c b/darwin/openssl/crypto/x509v3/v3_addr.c
index 4258dbc4..f9c368be 100644
--- a/darwin/openssl/crypto/x509v3/v3_addr.c
+++ b/darwin/openssl/crypto/x509v3/v3_addr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -13,6 +13,8 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <assert.h>
+#include <string.h>
 
 #include "internal/cryptlib.h"
 #include <openssl/conf.h>
@@ -342,8 +344,13 @@ static int range_should_be_prefix(const unsigned char *min,
     unsigned char mask;
     int i, j;
 
-    if (memcmp(min, max, length) <= 0)
-        return -1;
+    /*
+     * It is the responsibility of the caller to confirm min <= max. We don't
+     * use ossl_assert() here since we have no way of signalling an error from
+     * this function - so we just use a plain assert instead.
+     */
+    assert(memcmp(min, max, length) <= 0);
+
     for (i = 0; i < length && min[i] == max[i]; i++) ;
     for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
     if (i < j)
@@ -385,12 +392,14 @@ static int range_should_be_prefix(const unsigned char *min,
 /*
  * Construct a prefix.
  */
-static int make_addressPrefix(IPAddressOrRange **result,
-                              unsigned char *addr, const int prefixlen)
+static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
+                              const int prefixlen, const int afilen)
 {
     int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
     IPAddressOrRange *aor = IPAddressOrRange_new();
 
+    if (prefixlen < 0 || prefixlen > (afilen * 8))
+        return 0;
     if (aor == NULL)
         return 0;
     aor->type = IPAddressOrRange_addressPrefix;
@@ -426,8 +435,11 @@ static int make_addressRange(IPAddressOrRange **result,
     IPAddressOrRange *aor;
     int i, prefixlen;
 
+    if (memcmp(min, max, length) > 0)
+        return 0;
+
     if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
-        return make_addressPrefix(result, min, prefixlen);
+        return make_addressPrefix(result, min, prefixlen, length);
 
     if ((aor = IPAddressOrRange_new()) == NULL)
         return 0;
@@ -589,7 +601,9 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr,
 {
     IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
     IPAddressOrRange *aor;
-    if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
+
+    if (aors == NULL
+            || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi)))
         return 0;
     if (sk_IPAddressOrRange_push(aors, aor))
         return 1;
@@ -986,7 +1000,10 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
         switch (delim) {
         case '/':
             prefixlen = (int)strtoul(s + i2, &t, 10);
-            if (t == s + i2 || *t != '\0') {
+            if (t == s + i2
+                    || *t != '\0'
+                    || prefixlen > (length * 8)
+                    || prefixlen < 0) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_EXTENSION_VALUE_ERROR);
                 X509V3_conf_err(val);
diff --git a/darwin/openssl/crypto/x509v3/v3_asid.c b/darwin/openssl/crypto/x509v3/v3_asid.c
index ac685726..8e9e9198 100644
--- a/darwin/openssl/crypto/x509v3/v3_asid.c
+++ b/darwin/openssl/crypto/x509v3/v3_asid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -700,15 +700,28 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
  */
 int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
 {
-    return (a == NULL ||
-            a == b ||
-            (b != NULL &&
-             !X509v3_asid_inherits(a) &&
-             !X509v3_asid_inherits(b) &&
-             asid_contains(b->asnum->u.asIdsOrRanges,
-                           a->asnum->u.asIdsOrRanges) &&
-             asid_contains(b->rdi->u.asIdsOrRanges,
-                           a->rdi->u.asIdsOrRanges)));
+    int subset;
+
+    if (a == NULL || a == b)
+        return 1;
+
+    if (b == NULL)
+        return 0;
+
+    if (X509v3_asid_inherits(a) || X509v3_asid_inherits(b))
+        return 0;
+
+    subset = a->asnum == NULL
+             || (b->asnum != NULL
+                 && asid_contains(b->asnum->u.asIdsOrRanges,
+                                  a->asnum->u.asIdsOrRanges));
+    if (!subset)
+        return 0;
+
+    return a->rdi == NULL
+           || (b->rdi != NULL
+               && asid_contains(b->rdi->u.asIdsOrRanges,
+                                a->rdi->u.asIdsOrRanges));
 }
 
 /*
diff --git a/darwin/openssl/crypto/x509v3/v3_lib.c b/darwin/openssl/crypto/x509v3/v3_lib.c
index 97c1cbc2..d7e7c9a5 100644
--- a/darwin/openssl/crypto/x509v3/v3_lib.c
+++ b/darwin/openssl/crypto/x509v3/v3_lib.c
@@ -242,8 +242,10 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
         }
         /* If delete, just delete it */
         if (ext_op == X509V3_ADD_DELETE) {
-            if (!sk_X509_EXTENSION_delete(*x, extidx))
+            extmp = sk_X509_EXTENSION_delete(*x, extidx);
+            if (extmp == NULL)
                 return -1;
+            X509_EXTENSION_free(extmp);
             return 1;
         }
     } else {
diff --git a/darwin/openssl/crypto/x509v3/v3_sxnet.c b/darwin/openssl/crypto/x509v3/v3_sxnet.c
index 89cda01b..3c5508f9 100644
--- a/darwin/openssl/crypto/x509v3/v3_sxnet.c
+++ b/darwin/openssl/crypto/x509v3/v3_sxnet.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -57,15 +57,29 @@ IMPLEMENT_ASN1_FUNCTIONS(SXNET)
 static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
                      int indent)
 {
-    long v;
+    int64_t v;
     char *tmp;
     SXNETID *id;
     int i;
-    v = ASN1_INTEGER_get(sx->version);
-    BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
+
+    /*
+     * Since we add 1 to the version number to display it, we don't support
+     * LONG_MAX since that would cause on overflow.
+     */
+    if (!ASN1_INTEGER_get_int64(&v, sx->version)
+            || v >= LONG_MAX
+            || v < LONG_MIN) {
+        BIO_printf(out, "%*sVersion: <unsupported>", indent, "");
+    } else {
+        long vl = (long)v;
+
+        BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl);
+    }
     for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
         id = sk_SXNETID_value(sx->ids, i);
         tmp = i2s_ASN1_INTEGER(NULL, id->zone);
+        if (tmp == NULL)
+            return 0;
         BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
         OPENSSL_free(tmp);
         ASN1_STRING_print(out, id->user);
diff --git a/darwin/openssl/crypto/x509v3/v3_utl.c b/darwin/openssl/crypto/x509v3/v3_utl.c
index a7ff4b4f..eac78259 100644
--- a/darwin/openssl/crypto/x509v3/v3_utl.c
+++ b/darwin/openssl/crypto/x509v3/v3_utl.c
@@ -1087,12 +1087,17 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc)
 
 static int ipv4_from_asc(unsigned char *v4, const char *in)
 {
-    int a0, a1, a2, a3;
-    if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+    const char *p;
+    int a0, a1, a2, a3, n;
+
+    if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4)
         return 0;
     if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
         || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
         return 0;
+    p = in + n;
+    if (!(*p == '\0' || ossl_isspace(*p)))
+        return 0;
     v4[0] = a0;
     v4[1] = a1;
     v4[2] = a2;
diff --git a/darwin/openssl/include/openssl/opensslv.h b/darwin/openssl/include/openssl/opensslv.h
index 561593b4..036ebba2 100644
--- a/darwin/openssl/include/openssl/opensslv.h
+++ b/darwin/openssl/include/openssl/opensslv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010f0L
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1o-dev  xx XXX xxxx"
+# define OPENSSL_VERSION_NUMBER  0x10101120L
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1r-dev  xx XXX xxxx"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/darwin/openssl/include/openssl/ssl.h b/darwin/openssl/include/openssl/ssl.h
index fd0c5a99..9af0c899 100644
--- a/darwin/openssl/include/openssl/ssl.h
+++ b/darwin/openssl/include/openssl/ssl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1305,6 +1305,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_GET_MAX_PROTO_VERSION          131
 # define SSL_CTRL_GET_SIGNATURE_NID              132
 # define SSL_CTRL_GET_TMP_KEY                    133
+# define SSL_CTRL_GET_VERIFY_CERT_STORE          137
+# define SSL_CTRL_GET_CHAIN_CERT_STORE           138
 # define SSL_CERT_SET_FIRST                      1
 # define SSL_CERT_SET_NEXT                       2
 # define SSL_CERT_SET_SERVER                     3
@@ -1360,10 +1362,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_CTX_set1_verify_cert_store(ctx,st) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
+# define SSL_CTX_get0_verify_cert_store(ctx,st) \
+        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_CTX_set0_chain_cert_store(ctx,st) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_CTX_set1_chain_cert_store(ctx,st) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
+# define SSL_CTX_get0_chain_cert_store(ctx,st) \
+        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_set0_chain(s,sk) \
         SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk))
 # define SSL_set1_chain(s,sk) \
@@ -1386,10 +1392,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
         SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_set1_verify_cert_store(s,st) \
         SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
+#define SSL_get0_verify_cert_store(s,st) \
+        SSL_ctrl(s,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_set0_chain_cert_store(s,st) \
         SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_set1_chain_cert_store(s,st) \
         SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
+#define SSL_get0_chain_cert_store(s,st) \
+        SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_get1_groups(s, glist) \
         SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))
 # define SSL_CTX_set1_groups(ctx, glist, glistlen) \
diff --git a/darwin/openssl/ssl/packet.c b/darwin/openssl/ssl/packet.c
index 1ddde969..691a82b7 100644
--- a/darwin/openssl/ssl/packet.c
+++ b/darwin/openssl/ssl/packet.c
@@ -161,7 +161,7 @@ int WPACKET_set_flags(WPACKET *pkt, unsigned int flags)
 }
 
 /* Store the |value| of length |len| at location |data| */
-static int put_value(unsigned char *data, size_t value, size_t len)
+static int put_value(unsigned char *data, uint64_t value, size_t len)
 {
     for (data += len - 1; len > 0; len--) {
         *data = (unsigned char)(value & 0xff);
@@ -306,12 +306,12 @@ int WPACKET_start_sub_packet(WPACKET *pkt)
     return WPACKET_start_sub_packet_len__(pkt, 0);
 }
 
-int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t size)
+int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t size)
 {
     unsigned char *data;
 
     /* Internal API, so should not fail */
-    if (!ossl_assert(size <= sizeof(unsigned int))
+    if (!ossl_assert(size <= sizeof(uint64_t))
             || !WPACKET_allocate_bytes(pkt, size, &data)
             || !put_value(data, val, size))
         return 0;
diff --git a/darwin/openssl/ssl/packet_local.h b/darwin/openssl/ssl/packet_local.h
index 1b6c2fb9..e93680d8 100644
--- a/darwin/openssl/ssl/packet_local.h
+++ b/darwin/openssl/ssl/packet_local.h
@@ -227,6 +227,28 @@ __owur static ossl_inline int PACKET_peek_net_4(const PACKET *pkt,
     return 1;
 }
 
+/*
+ * Peek ahead at 8 bytes in network order from |pkt| and store the value in
+ * |*data|
+ */
+__owur static ossl_inline int PACKET_peek_net_8(const PACKET *pkt,
+                                                uint64_t *data)
+{
+    if (PACKET_remaining(pkt) < 8)
+        return 0;
+
+    *data = ((uint64_t)(*pkt->curr)) << 56;
+    *data |= ((uint64_t)(*(pkt->curr + 1))) << 48;
+    *data |= ((uint64_t)(*(pkt->curr + 2))) << 40;
+    *data |= ((uint64_t)(*(pkt->curr + 3))) << 32;
+    *data |= ((uint64_t)(*(pkt->curr + 4))) << 24;
+    *data |= ((uint64_t)(*(pkt->curr + 5))) << 16;
+    *data |= ((uint64_t)(*(pkt->curr + 6))) << 8;
+    *data |= *(pkt->curr + 7);
+
+    return 1;
+}
+
 /* Equivalent of n2l */
 /* Get 4 bytes in network order from |pkt| and store the value in |*data| */
 __owur static ossl_inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data)
@@ -250,6 +272,17 @@ __owur static ossl_inline int PACKET_get_net_4_len(PACKET *pkt, size_t *data)
 
     return ret;
 }
+ 
+/* Get 8 bytes in network order from |pkt| and store the value in |*data| */
+__owur static ossl_inline int PACKET_get_net_8(PACKET *pkt, uint64_t *data)
+{
+    if (!PACKET_peek_net_8(pkt, data))
+        return 0;
+
+    packet_forward(pkt, 8);
+
+    return 1;
+}
 
 /* Peek ahead at 1 byte from |pkt| and store the value in |*data| */
 __owur static ossl_inline int PACKET_peek_1(const PACKET *pkt,
@@ -808,7 +841,7 @@ int WPACKET_sub_reserve_bytes__(WPACKET *pkt, size_t len,
  * 1 byte will fail. Don't call this directly. Use the convenience macros below
  * instead.
  */
-int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes);
+int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t bytes);
 
 /*
  * Convenience macros for calling WPACKET_put_bytes with different
@@ -822,6 +855,8 @@ int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes);
     WPACKET_put_bytes__((pkt), (val), 3)
 #define WPACKET_put_bytes_u32(pkt, val) \
     WPACKET_put_bytes__((pkt), (val), 4)
+#define WPACKET_put_bytes_u64(pkt, val) \
+    WPACKET_put_bytes__((pkt), (val), 8)
 
 /* Set a maximum size that we will not allow the WPACKET to grow beyond */
 int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize);
diff --git a/darwin/openssl/ssl/record/rec_layer_s3.c b/darwin/openssl/ssl/record/rec_layer_s3.c
index 8249b4ac..23cd4219 100644
--- a/darwin/openssl/ssl/record/rec_layer_s3.c
+++ b/darwin/openssl/ssl/record/rec_layer_s3.c
@@ -115,10 +115,22 @@ size_t ssl3_pending(const SSL *s)
     if (s->rlayer.rstate == SSL_ST_READ_BODY)
         return 0;
 
+    /* Take into account DTLS buffered app data */
+    if (SSL_IS_DTLS(s)) {
+        DTLS1_RECORD_DATA *rdata;
+        pitem *item, *iter;
+
+        iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
+        while ((item = pqueue_next(&iter)) != NULL) {
+            rdata = item->data;
+            num += rdata->rrec.length;
+        }
+    }
+
     for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) {
         if (SSL3_RECORD_get_type(&s->rlayer.rrec[i])
             != SSL3_RT_APPLICATION_DATA)
-            return 0;
+            return num;
         num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]);
     }
 
diff --git a/darwin/openssl/ssl/record/ssl3_record.c b/darwin/openssl/ssl/record/ssl3_record.c
index f1585447..47c7369e 100644
--- a/darwin/openssl/ssl/record/ssl3_record.c
+++ b/darwin/openssl/ssl/record/ssl3_record.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1532,6 +1532,7 @@ int ssl3_cbc_copy_mac(unsigned char *out,
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
     unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
     unsigned char *rotated_mac;
+    char aux1, aux2, aux3, mask;
 #else
     unsigned char rotated_mac[EVP_MAX_MD_SIZE];
 #endif
@@ -1581,9 +1582,16 @@ int ssl3_cbc_copy_mac(unsigned char *out,
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
     j = 0;
     for (i = 0; i < md_size; i++) {
-        /* in case cache-line is 32 bytes, touch second line */
-        ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
-        out[j++] = rotated_mac[rotate_offset++];
+        /*
+         * in case cache-line is 32 bytes,
+         * load from both lines and select appropriately
+         */
+        aux1 = rotated_mac[rotate_offset & ~32];
+        aux2 = rotated_mac[rotate_offset | 32];
+        mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset);
+        aux3 = constant_time_select_8(mask, aux1, aux2);
+        out[j++] = aux3;
+        rotate_offset++;
         rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
     }
 #else
diff --git a/darwin/openssl/ssl/s3_enc.c b/darwin/openssl/ssl/s3_enc.c
index eb1f36ac..7b119b45 100644
--- a/darwin/openssl/ssl/s3_enc.c
+++ b/darwin/openssl/ssl/s3_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/darwin/openssl/ssl/s3_lib.c b/darwin/openssl/ssl/s3_lib.c
index e4cf007f..32f9b257 100644
--- a/darwin/openssl/ssl/s3_lib.c
+++ b/darwin/openssl/ssl/s3_lib.c
@@ -3676,6 +3676,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
     case SSL_CTRL_SET_CHAIN_CERT_STORE:
         return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
 
+    case SSL_CTRL_GET_VERIFY_CERT_STORE:
+        return ssl_cert_get_cert_store(s->cert, parg, 0);
+
+    case SSL_CTRL_GET_CHAIN_CERT_STORE:
+        return ssl_cert_get_cert_store(s->cert, parg, 1);
+
     case SSL_CTRL_GET_PEER_SIGNATURE_NID:
         if (s->s3->tmp.peer_sigalg == NULL)
             return 0;
@@ -3949,6 +3955,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
     case SSL_CTRL_SET_CHAIN_CERT_STORE:
         return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
 
+    case SSL_CTRL_GET_VERIFY_CERT_STORE:
+        return ssl_cert_get_cert_store(ctx->cert, parg, 0);
+
+    case SSL_CTRL_GET_CHAIN_CERT_STORE:
+        return ssl_cert_get_cert_store(ctx->cert, parg, 1);
+
         /* A Thawte special :-) */
     case SSL_CTRL_EXTRA_CHAIN_CERT:
         if (ctx->extra_certs == NULL) {
diff --git a/darwin/openssl/ssl/ssl_cert.c b/darwin/openssl/ssl/ssl_cert.c
index eba96b20..b615e704 100644
--- a/darwin/openssl/ssl/ssl_cert.c
+++ b/darwin/openssl/ssl/ssl_cert.c
@@ -876,6 +876,12 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
     return 1;
 }
 
+int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain)
+{
+    *pstore = (chain ? c->chain_store : c->verify_store);
+    return 1;
+}
+
 int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
 {
     int level;
diff --git a/darwin/openssl/ssl/ssl_init.c b/darwin/openssl/ssl/ssl_init.c
index d2bcd973..a5d45480 100644
--- a/darwin/openssl/ssl/ssl_init.c
+++ b/darwin/openssl/ssl/ssl_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/ssl/ssl_lib.c b/darwin/openssl/ssl/ssl_lib.c
index 7383badc..47adc321 100644
--- a/darwin/openssl/ssl/ssl_lib.c
+++ b/darwin/openssl/ssl/ssl_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1510,12 +1510,26 @@ int SSL_has_pending(const SSL *s)
 {
     /*
      * Similar to SSL_pending() but returns a 1 to indicate that we have
-     * unprocessed data available or 0 otherwise (as opposed to the number of
-     * bytes available). Unlike SSL_pending() this will take into account
-     * read_ahead data. A 1 return simply indicates that we have unprocessed
-     * data. That data may not result in any application data, or we may fail
-     * to parse the records for some reason.
+     * processed or unprocessed data available or 0 otherwise (as opposed to the
+     * number of bytes available). Unlike SSL_pending() this will take into
+     * account read_ahead data. A 1 return simply indicates that we have data.
+     * That data may not result in any application data, or we may fail to parse
+     * the records for some reason.
      */
+
+    /* Check buffered app data if any first */
+    if (SSL_IS_DTLS(s)) {
+        DTLS1_RECORD_DATA *rdata;
+        pitem *item, *iter;
+
+        iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
+        while ((item = pqueue_next(&iter)) != NULL) {
+            rdata = item->data;
+            if (rdata->rrec.length > 0)
+                return 1;
+        }
+    }
+
     if (RECORD_LAYER_processed_read_pending(&s->rlayer))
         return 1;
 
diff --git a/darwin/openssl/ssl/ssl_local.h b/darwin/openssl/ssl/ssl_local.h
index 9f346e30..5c792154 100644
--- a/darwin/openssl/ssl/ssl_local.h
+++ b/darwin/openssl/ssl/ssl_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -2301,6 +2301,7 @@ __owur int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags);
 __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,
                                    int ref);
+__owur int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain);
 
 __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
 __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
diff --git a/darwin/openssl/ssl/ssl_txt.c b/darwin/openssl/ssl/ssl_txt.c
index eb5d01e3..759e1873 100644
--- a/darwin/openssl/ssl/ssl_txt.c
+++ b/darwin/openssl/ssl/ssl_txt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/darwin/openssl/ssl/statem/extensions_clnt.c b/darwin/openssl/ssl/statem/extensions_clnt.c
index 9d38ac23..1cbaefa9 100644
--- a/darwin/openssl/ssl/statem/extensions_clnt.c
+++ b/darwin/openssl/ssl/statem/extensions_clnt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -118,6 +118,8 @@ static int use_ecc(SSL *s)
     int i, end, ret = 0;
     unsigned long alg_k, alg_a;
     STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
+    const uint16_t *pgroups = NULL;
+    size_t num_groups, j;
 
     /* See if we support any ECC ciphersuites */
     if (s->version == SSL3_VERSION)
@@ -139,7 +141,19 @@ static int use_ecc(SSL *s)
     }
 
     sk_SSL_CIPHER_free(cipher_stack);
-    return ret;
+    if (!ret)
+        return 0;
+
+    /* Check we have at least one EC supported group */
+    tls1_get_supported_groups(s, &pgroups, &num_groups);
+    for (j = 0; j < num_groups; j++) {
+        uint16_t ctmp = pgroups[j];
+
+        if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
+            return 1;
+    }
+
+    return 0;
 }
 
 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
@@ -988,7 +1002,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx)
 {
 #ifndef OPENSSL_NO_TLS1_3
-    uint32_t now, agesec, agems = 0;
+    uint32_t agesec, agems = 0;
     size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
     unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
     const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
@@ -1045,8 +1059,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
          * this in multiple places in the code, so portability shouldn't be an
          * issue.
          */
-        now = (uint32_t)time(NULL);
-        agesec = now - (uint32_t)s->session->time;
+        agesec = (uint32_t)(time(NULL) - s->session->time);
         /*
          * We calculate the age in seconds but the server may work in ms. Due to
          * rounding errors we could overestimate the age by up to 1s. It is
diff --git a/darwin/openssl/ssl/statem/extensions_srvr.c b/darwin/openssl/ssl/statem/extensions_srvr.c
index 04f64f81..93a9b675 100644
--- a/darwin/openssl/ssl/statem/extensions_srvr.c
+++ b/darwin/openssl/ssl/statem/extensions_srvr.c
@@ -12,16 +12,16 @@
 #include "statem_local.h"
 #include "internal/cryptlib.h"
 
-#define COOKIE_STATE_FORMAT_VERSION     0
+#define COOKIE_STATE_FORMAT_VERSION     1
 
 /*
  * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
  * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
- * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
+ * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
  * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
  * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
  */
-#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
+#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
                          + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
 
 /*
@@ -741,7 +741,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     unsigned char hmac[SHA256_DIGEST_LENGTH];
     unsigned char hrr[MAX_HRR_SIZE];
     size_t rawlen, hmaclen, hrrlen, ciphlen;
-    unsigned long tm, now;
+    uint64_t tm, now;
 
     /* Ignore any cookie if we're not set up to verify it */
     if (s->ctx->verify_stateless_cookie_cb == NULL
@@ -851,7 +851,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     }
 
     if (!PACKET_get_1(&cookie, &key_share)
-            || !PACKET_get_net_4(&cookie, &tm)
+            || !PACKET_get_net_8(&cookie, &tm)
             || !PACKET_get_length_prefixed_2(&cookie, &chhash)
             || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
             || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
@@ -861,7 +861,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     }
 
     /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
-    now = (unsigned long)time(NULL);
+    now = time(NULL);
     if (tm > now || (now - tm) > 600) {
         /* Cookie is stale. Ignore it */
         return 1;
@@ -1167,7 +1167,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                 s->ext.early_data_ok = 1;
             s->ext.ticket_expected = 1;
         } else {
-            uint32_t ticket_age = 0, now, agesec, agems;
+            uint32_t ticket_age = 0, agesec, agems;
             int ret;
 
             /*
@@ -1209,8 +1209,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
             }
 
             ticket_age = (uint32_t)ticket_agel;
-            now = (uint32_t)time(NULL);
-            agesec = now - (uint32_t)sess->time;
+            agesec = (uint32_t)(time(NULL) - sess->time);
             agems = agesec * (uint32_t)1000;
             ticket_age -= sess->ext.tick_age_add;
 
@@ -1800,7 +1799,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
                                               &ciphlen)
                /* Is there a key_share extension present in this HRR? */
             || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
-            || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
+            || !WPACKET_put_bytes_u64(pkt, time(NULL))
             || !WPACKET_start_sub_packet_u16(pkt)
             || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
diff --git a/darwin/openssl/ssl/statem/statem_clnt.c b/darwin/openssl/ssl/statem/statem_clnt.c
index 2bc5cf5e..d19c44e8 100644
--- a/darwin/openssl/ssl/statem/statem_clnt.c
+++ b/darwin/openssl/ssl/statem/statem_clnt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
diff --git a/darwin/openssl/ssl/statem/statem_dtls.c b/darwin/openssl/ssl/statem/statem_dtls.c
index 620367ac..8fe6cea7 100644
--- a/darwin/openssl/ssl/statem/statem_dtls.c
+++ b/darwin/openssl/ssl/statem/statem_dtls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/darwin/openssl/ssl/statem/statem_srvr.c b/darwin/openssl/ssl/statem/statem_srvr.c
index 79cfd1d8..43f77a58 100644
--- a/darwin/openssl/ssl/statem/statem_srvr.c
+++ b/darwin/openssl/ssl/statem/statem_srvr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
diff --git a/darwin/openssl/ssl/t1_enc.c b/darwin/openssl/ssl/t1_enc.c
index 2087b274..f8e53d4e 100644
--- a/darwin/openssl/ssl/t1_enc.c
+++ b/darwin/openssl/ssl/t1_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/darwin/openssl/ssl/t1_lib.c b/darwin/openssl/ssl/t1_lib.c
index b1d3add1..5f657f88 100644
--- a/darwin/openssl/ssl/t1_lib.c
+++ b/darwin/openssl/ssl/t1_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -2369,22 +2369,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 
         ca_dn = s->s3->tmp.peer_ca_names;
 
-        if (!sk_X509_NAME_num(ca_dn))
+        if (ca_dn == NULL
+            || sk_X509_NAME_num(ca_dn) == 0
+            || ssl_check_ca_name(ca_dn, x))
             rv |= CERT_PKEY_ISSUER_NAME;
-
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
-            if (ssl_check_ca_name(ca_dn, x))
-                rv |= CERT_PKEY_ISSUER_NAME;
-        }
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
+        else
             for (i = 0; i < sk_X509_num(chain); i++) {
                 X509 *xtmp = sk_X509_value(chain, i);
+
                 if (ssl_check_ca_name(ca_dn, xtmp)) {
                     rv |= CERT_PKEY_ISSUER_NAME;
                     break;
                 }
             }
-        }
+
         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
             goto end;
     } else
@@ -2555,6 +2553,8 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
     int rv, start_idx, i;
     if (x == NULL) {
         x = sk_X509_value(sk, 0);
+        if (x == NULL)
+            return ERR_R_INTERNAL_ERROR;
         start_idx = 1;
     } else
         start_idx = 0;
diff --git a/darwin/openssl/ssl/tls13_enc.c b/darwin/openssl/ssl/tls13_enc.c
index b8fb07f2..51ca1050 100644
--- a/darwin/openssl/ssl/tls13_enc.c
+++ b/darwin/openssl/ssl/tls13_enc.c
@@ -190,6 +190,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
     if (!ossl_assert(mdleni >= 0)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
                  ERR_R_INTERNAL_ERROR);
+        EVP_PKEY_CTX_free(pctx);
         return 0;
     }
     mdlen = (size_t)mdleni;
diff --git a/darwin/tor/src/app/config/fallback_dirs.inc b/darwin/tor/src/app/config/fallback_dirs.inc
index 87c1886e..24c17391 100644
--- a/darwin/tor/src/app/config/fallback_dirs.inc
+++ b/darwin/tor/src/app/config/fallback_dirs.inc
@@ -3,1100 +3,1093 @@
 /* timestamp=20210412000000 */
 /* source=offer-list */
 //
-// Generated on: Fri, 04 Feb 2022 15:49:02 +0000
+// Generated on: Thu, 11 Aug 2022 13:39:28 +0000
 
-"140.78.100.21 orport=5443 id=6E3508CB2374D411CD41FEE8ECDF70DA3A2F7A28"
-/* nickname=INSRelay21at5443 */
+"93.174.89.131 orport=9005 id=C0DC5DC08B91A5A17BF530E33F02FF4236ADE001"
+/* nickname=Gulltopp */
 /* extrainfo=0 */
 /* ===== */
 ,
-"88.196.80.132 orport=443 id=86CDD0D92AB972538416A382D99666736CDDF141"
-/* nickname=RyderIII */
+"51.254.45.43 orport=9000 id=F9CB3FD4C7804F03105AAF1BF7B6C7D2DA7DD522"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.239.217.68 orport=4433 id=FFBC69467B37D6AC66598BBD295F9B0D74119ADC"
-/* nickname=plan9leia */
+"162.250.191.222 orport=9001 id=B709788A358ED835EF8608D27A02F5D1D632D234"
+/* nickname=hdjfgsfkmNflnzjg */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.100.247 orport=9100 id=B891CB6370CF7C51C6FB24D80947AFB7ED463D00"
-" ipv6=[2a0b:f4c0:16c:9::1]:9100"
-/* nickname=niftygrolantor */
+"188.68.38.76 orport=9001 id=6C1B288D873C75A696EB70E9FF713B786D37D192"
+" ipv6=[2a03:4000:13:aeb::1]:9001"
+/* nickname=BigOnion */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.121.108.236 orport=9001 id=C5F0591A16BD68EB88170D921B0E331F180E624B"
-/* nickname=HjelmEnterprises01 */
+"144.217.95.12 orport=9001 id=8885EA6F74A694825B13B8A7080F6CF164DF74FB"
+" ipv6=[2607:5300:201:3000::49be]:9001"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.72.7 orport=9000 id=035F813195F0CB9F567EDFDF60C6745CA36BA0BD"
-" ipv6=[2605:6400:30:ed94:5152:73e1:5e88:35f4]:9000"
-/* nickname=Quetzalcoatl */
+"158.101.203.38 orport=9001 id=145223A4F761DD9F0E14DCDF5120FED4F998FDC6"
+" ipv6=[2603:c022:c002:b0e:df68:94b3:52b1:5f2c]:9001"
+/* nickname=RelayChu2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"46.126.164.243 orport=443 id=7B28971D4A29995784E3066B9D87E42E9C685F3A"
-/* nickname=torified */
+"188.138.33.149 orport=443 id=BD6FFF1AD5A88A8D43870D43EC4450081B4B2BBA"
+/* nickname=bonjour2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"99.45.175.117 orport=443 id=515100EDE19C0F5E0CADD391DE33E0DE14B00FDD"
-" ipv6=[2600:1700:6972:1200:dea6:32ff:fec5:ff87]:443"
-/* nickname=pi87 */
+"185.220.103.115 orport=443 id=29D245A6831839CBD12CF61B6BD6AC4F0461BFAD"
+/* nickname=psychopomp8 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"54.38.219.251 orport=443 id=C303038FDCC72805A160FF64E994333A49ECDA71"
-" ipv6=[2001:470:73f7::7]:443"
-/* nickname=Fission12 */
+"193.189.100.199 orport=443 id=9FA8A16163FB6BDF228E45E329B0E5ACEDBD8309"
+" ipv6=[2a0f:df00:0:255::199]:443"
+/* nickname=TORKeFFORG6 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.183.194.90 orport=443 id=4CEAFCE5841C0DAE30164B4F59452F7F4D818A67"
-" ipv6=[2001:1620:425a:6fde::10]:443"
-/* nickname=QOnan */
+"163.172.45.4 orport=3302 id=2ABE8A09D3403BE5CF896F77EABE23762002A761"
+/* nickname=anoncicada */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.179 orport=443 id=3A1BC65DF03ECD50FDF7CFF9C5A4E049FCB9C1AF"
-" ipv6=[2620:7:6001::179]:80"
-/* nickname=Quintex90 */
+"185.207.106.222 orport=9100 id=555A6B7CB3D8ECA376B4CB6701596A7B211E21D3"
+" ipv6=[2a03:4000:1e:7f5:38a9:d5ff:fe31:66f6]:9100"
+/* nickname=Quetzalcoatl */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.101.10 orport=9443 id=DA9ABAEA49FBF9E75E9EC020380E361688A3B23E"
-" ipv6=[2a0b:f4c2::10]:9443"
-/* nickname=artikel10ber20 */
+"51.15.37.100 orport=9001 id=FF06E7A068A1CA66CE593DCE85E2477807C48302"
+" ipv6=[2001:bc8:1820:e50::1]:9001"
+/* nickname=hsjeufh24h6 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"67.3.185.13 orport=443 id=EC4B6AF202EFE752C4D9E2FBD092C4EAE779ADA1"
-/* nickname=Unnamed */
+"82.221.131.71 orport=443 id=038C30D2AD053147C91EFB1291527ED621D7D1B1"
+/* nickname=turnt */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.77.73 orport=9001 id=2FE81C1FD45AC593193F04DF781980257E4BCD03"
-/* nickname=Hydra62 */
+"51.159.158.157 orport=443 id=69C9BFA0C228AFA0548A9FF9B7C8C229B6AA9FAC"
+/* nickname=tirz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.4.134.104 orport=9001 id=C6E3910CBADCA6D2D7E932AB31A038EDD6A6FB79"
-" ipv6=[2a02:c500:2:110::2d49]:9001"
-/* nickname=Assange023gr */
+"193.31.24.154 orport=9001 id=68057FD302B0F83C0ED00B6D70FDAD6BEEF2005B"
+/* nickname=4punk7e2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"82.223.14.245 orport=443 id=9C5AFD49AAE4E0272BAD780C6DD71CE1A36012A6"
-" ipv6=[2001:ba0:1800:91::1]:443"
-/* nickname=coffswifi4 */
+"185.227.68.78 orport=443 id=1137AB1F84EC2D52DFB1915717F14FF1A10EB392"
+/* nickname=giovanna */
 /* extrainfo=0 */
 /* ===== */
 ,
-"87.118.116.103 orport=443 id=26C28F29B611DF4DE23ACF5D9DC1EB4895EF5E8B"
-" ipv6=[2001:1b60:3:221:4134:101:0:1]:443"
-/* nickname=artikel5ev4 */
+"178.175.148.195 orport=9001 id=FE08DBDFAB6DB54CECA7F25D259EDF1D597DD28C"
+" ipv6=[2a00:1dc0:caff:189::3582]:9001"
+/* nickname=COCAINE */
 /* extrainfo=0 */
 /* ===== */
 ,
-"80.98.81.157 orport=9001 id=2D8A907F61CAED48170963B76BE4FB0ED33E5E88"
-/* nickname=nCT8d6e5bW2v */
+"93.190.143.41 orport=9001 id=504F23DC734459DBBA58B2F11A4799EB945188A3"
+/* nickname=whiplash */
 /* extrainfo=0 */
 /* ===== */
 ,
-"108.184.13.208 orport=9001 id=D195E5CE8AE77BAC91673E6CFB7BD0AF57281646"
-/* nickname=OhNoAnotherRelay01 */
+"139.99.46.190 orport=443 id=07C102D6B027E5B2B9C942E3E942C0F24DFEE51B"
+/* nickname=FreeMirrorOrgSG */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.54.33.64 orport=9001 id=54D1F9D1EE2CBC48F8F4BBF9CF0A0E7ED45FE6B7"
-/* nickname=Assange042de */
+"195.154.200.68 orport=9001 id=FFF599954C3821A28620E95C08CBDC6245E9DDAA"
+/* nickname=DoctorWho */
 /* extrainfo=0 */
 /* ===== */
 ,
-"91.143.88.62 orport=443 id=F9246DEF2B653807236DA134F2AEAB103D58ABFE"
-" ipv6=[2a02:180:6:1::3d8]:443"
-/* nickname=Freebird31 */
+"12.208.119.235 orport=1500 id=6FB696082627843949A808CEC38903DB8190F811"
+/* nickname=SmallTownHostingTOR */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.78 orport=443 id=CB7C0D841FE376EF43F7845FF201B0290C0A239E"
-" ipv6=[2620:7:6001::ffff:c759:e64e]:80"
-/* nickname=QuintexAirVPN25 */
+"62.182.84.241 orport=9001 id=2062C6FE40ED6329F02EAC8FB8DE3B682F9910EC"
+/* nickname=EpicTor4 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.47.178.97 orport=8080 id=1CA811478AB30F5DE80825E15F95AF18DCD32B2F"
-" ipv6=[2a01:4f8:c0c:57ef::1]:8080"
-/* nickname=mig5rezo */
+"46.246.44.53 orport=443 id=9AA3EC3BD334C8998762CF358761164D22481EB4"
+" ipv6=[2a02:752:0:18::17c2]:443"
+/* nickname=FromSwedenWithLove */
 /* extrainfo=0 */
 /* ===== */
 ,
-"84.75.28.247 orport=9201 id=175D63EFB9176BFADD306843960BFC085A2ABA93"
-/* nickname=bluemax666 */
+"23.129.64.170 orport=443 id=40B461D3F99EA2DE118902AD22B1BA7AE7E9281F"
+" ipv6=[2620:18c:0:192::170]:443"
+/* nickname=Saiberpunk2077 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"140.78.100.29 orport=5443 id=795D165D2AD5E7FFE28573924F92895D08E0170D"
-/* nickname=INSRelay29at5443 */
+"185.86.151.168 orport=443 id=557B39146EB121C8CFA22C48AD78BDBDBC8FF3A1"
+" ipv6=[2a02:7aa0:43::e748:81a9]:443"
+/* nickname=KUEXBON */
 /* extrainfo=0 */
 /* ===== */
 ,
-"141.105.67.58 orport=443 id=B15C0071EAF508AAEE29DB9D07607C84AA2DDEB3"
-/* nickname=cytherea */
+"185.220.101.11 orport=9443 id=F82E2221121EB77A2DE3E6941027265027EA2378"
+" ipv6=[2a0b:f4c2::11]:9443"
+/* nickname=artikel10ber22 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"193.105.73.80 orport=9001 id=9DC8B0282A8D3C45212167C454B503243BC93957"
-/* nickname=akira */
+"77.20.28.103 orport=14353 id=56EB7166B05DB6531F663F8317CE02EEE5AFED4F"
+/* nickname=DocTor */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.15.246.170 orport=443 id=C0DAAAE5EE461BBE13945FE4B52F32ABDC6BC376"
-" ipv6=[2001:bc8:47b0:1756::1]:443"
-/* nickname=mitsuha */
+"51.83.129.245 orport=443 id=FD63B0A3E3C7B3759DE54B509BD3CD1A8C0D01C1"
+/* nickname=Mataka */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.59.46.2 orport=9001 id=A6E3A3C6CE962E917A12E586AE750805899C117B"
-/* nickname=dewebit */
+"207.244.238.230 orport=9001 id=7DA3460B7C1C13DCAB3B49EDD6C376CA8562B3C9"
+" ipv6=[2605:a140:2050:8019::1]:9001"
+/* nickname=Assange006us */
 /* extrainfo=0 */
 /* ===== */
 ,
-"88.198.91.74 orport=443 id=44DC23661E05DEFD94398936D9334987ABCB6E5E"
-" ipv6=[2a01:4f8:160:6092:d7bd:a39:3e52:b65d]:443"
-/* nickname=currentlane */
+"139.59.45.242 orport=9001 id=98EAC67EA6814038285F1A100D786AD8A0CD2A5E"
+" ipv6=[2400:6180:100:d0::ffa:8001]:9050"
+/* nickname=pablobm006 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"141.98.103.251 orport=43344 id=4AB1F36362042FCA7100A283599122B6D107E826"
-/* nickname=amun3062 */
+"116.202.55.100 orport=9001 id=C3DFB7BD40B072EB6D46578F1BE021FDD9D60713"
+" ipv6=[2a01:4f8:10b:439b::2]:9001"
+/* nickname=imherefortheparty */
 /* extrainfo=0 */
 /* ===== */
 ,
-"138.197.150.159 orport=443 id=75CF0F66FE18C3116AAB7B678899151DB762B795"
-/* nickname=hrck */
+"185.94.223.112 orport=9001 id=5645739E8EF72CA7D9EE1E12678B51A6FF8711C1"
+/* nickname=5h4d0wNet */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.79.234 orport=9100 id=A15676F5F0F2BA7B1CA54446DDB46BEE6F699A95"
-" ipv6=[2605:6400:30:eeec:4913:c3c1:eec2:151a]:9100"
-/* nickname=Quetzalcoatl */
+"157.90.183.103 orport=9001 id=CC701FCE86D6AF95FC3D5B71645D3430794910C1"
+/* nickname=sutsuj */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.173.159.48 orport=9001 id=4141FDA554F56E9E24DA41153B5C1A756EE43249"
-/* nickname=lamprlogin */
+"104.244.74.28 orport=9001 id=2DB8A946826D0CB4F5C3A8264628DD0F16F6612D"
+" ipv6=[2605:6400:30:f63d:1:ca11:911:1]:9001"
+/* nickname=a9Exit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.172.169.253 orport=9001 id=04A28A62F27D9C4A60F9ED0C4264E98B988C65A3"
-" ipv6=[2001:bc8:47a4:e0a::1]:9001"
-/* nickname=darknebula */
+"87.118.116.12 orport=443 id=4A3B874F0187F2CF0DA3C8F76063B070F9F7A14F"
+/* nickname=tormachine */
 /* extrainfo=0 */
 /* ===== */
 ,
-"24.53.51.144 orport=9002 id=C473C772282D5078E5137C1DB83B62224D5B42DD"
-/* nickname=ClericalSummoning */
+"51.83.132.103 orport=9001 id=94F6A4893A80149AEEEB7509BEFCDBA1AE4D5898"
+" ipv6=[2001:41d0:601:1100::5a7f]:9001"
+/* nickname=torRelayTaledoCorp */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.154.237.147 orport=443 id=FE1B74C7CEE0493613929A92F9A1D890E58DC649"
-/* nickname=unnamed */
+"199.249.230.148 orport=443 id=A389C523BE3B29EA59C75AC557BF5CFB69586DCB"
+" ipv6=[2620:7:6001::148]:80"
+/* nickname=Quintex59 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.162.251.94 orport=9001 id=9C1E47FF205F349D69D569AE7ED15366A5554A46"
-" ipv6=[2a03:4000:1a:5de:6489:b7ff:fe8f:8434]:9001"
-/* nickname=Piratenpartei04 */
+"213.152.168.27 orport=443 id=2F9AFDE43DC8E3F05803304C01BD3DBF329169AC"
+/* nickname=dutreuil */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.42.253.215 orport=9001 id=568B6913AE5123EDBA304909A569AFE8F9E73C4C"
-/* nickname=OrwellianNightmare */
+"46.38.242.125 orport=9001 id=F50CF02A0E6A9D9B25F7EB220FC26F7BD1B74999"
+" ipv6=[2a03:4000:7:64d:547b:27ff:fe79:b9e0]:9001"
+/* nickname=flowjob02 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.101.51 orport=10051 id=04749CD6A6BE1C0B14EE63DFD0F13EEB9EFEE8AB"
-" ipv6=[2a0b:f4c2:2::51]:10051"
-/* nickname=ForPrivacyNET */
+"171.25.193.235 orport=80 id=5D8EEBCC17764DD213CD17B9A56844E41EEDA174"
+" ipv6=[2001:67c:289c:2::235]:80"
+/* nickname=DFRI12 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"97.93.202.22 orport=9001 id=9BEED1E03101B2BC9393C560FCF13A1E46E49352"
-/* nickname=TheToadHole */
+"62.141.48.175 orport=443 id=A6AA94B4007A0E2919B2DA8ECF2CFA3CA1761A13"
+" ipv6=[2001:1b60:2:32:4104:104:0:1]:443"
+/* nickname=dc6jgk6 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.42.186.218 orport=9001 id=80654A16C954422C9A1B6DBEFBB6A32157A8BAB5"
-/* nickname=northwind84 */
+"45.58.156.77 orport=80 id=0A1ECCB7DF0272492A4F37FB57DC0F9F42A77D71"
+/* nickname=kingpins2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.145.150.15 orport=443 id=326853AA78DA467E997E6040ADD0DCFF840E0CB5"
-" ipv6=[2001:1578:200:10::c]:443"
-/* nickname=Unnamed */
+"207.180.234.231 orport=9002 id=6DCCA448F8EDC79553CE60E8E21030E942CCC3B9"
+" ipv6=[2a02:c207:2023:2621::1]:9002"
+/* nickname=someonesRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"81.7.16.182 orport=443 id=51E1CF613FD6F9F11FE24743C91D6F9981807D82"
-" ipv6=[2a02:180:1:1::517:10b6]:993"
-/* nickname=torpidsDEisppro3 */
+"51.186.10.59 orport=9001 id=D149FDA6E3DA3E0FAACB369692E8D65D5DE783F8"
+/* nickname=nosplash3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"178.17.174.162 orport=9001 id=E685733A4A2F184AB320846094651806A62627B5"
-" ipv6=[2a00:1dc0:caff:db::e9d6]:9001"
-/* nickname=Hydra76 */
+"185.163.45.107 orport=9001 id=A171F8332AA037A2855C390488F8EFDFD438AAE6"
+" ipv6=[2001:67c:2db8:7::a6]:9001"
+/* nickname=mephistopheles */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.8.230 orport=9001 id=B845B963455133613C9694FD46D0432945A00871"
-/* nickname=TSFORT1 */
+"131.188.40.188 orport=11180 id=EBE718E1A49EE229071702964F8DB1F318075FF8"
+" ipv6=[2001:638:a000:4140::ffff:188]:11180"
+/* nickname=fluxe4 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.95.149.22 orport=9001 id=7574975BA76DE0726231FC916DD70B09B3824CE5"
-" ipv6=[2001:780:107:b::85]:9001"
-/* nickname=smurfix */
+"92.220.50.122 orport=8379 id=F3BA9A70CC0AA14AD325ADEA11FAF438360BC98C"
+/* nickname=SomeOrdinaryDude */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.12.238 orport=9000 id=E84F41FA1D1FA303FD7A99A35E50ACEF4269868C"
-" ipv6=[2605:6400:30:eff9:35d3:a7ce:167c:2141]:9000"
-/* nickname=Quetzalcoatl */
+"109.70.100.79 orport=443 id=2F367DF6E2A7BB56C8EA4C064A3519ACBC013CFE"
+" ipv6=[2a03:e600:100::79]:443"
+/* nickname=rentier */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.211.40.226 orport=9001 id=CB5700E1FB46FC98251DD8F0852B63A3B78DB830"
-/* nickname=jaalkabil */
+"213.239.197.35 orport=18732 id=DB6AC7DFB25C9CFC7036B53C78F91D8E3A9279CD"
+" ipv6=[2a01:4f8:222:141b::1337]:18732"
+/* nickname=sauberesache */
 /* extrainfo=0 */
 /* ===== */
 ,
-"157.230.112.120 orport=19001 id=6CDE3363F9F9AD5A6EA484DEFB58217CC9685E31"
-" ipv6=[2a03:b0c0:3:e0::374:c001]:19001"
-/* nickname=nsq */
+"199.249.230.77 orport=443 id=FDD700C791CC6BB0AC1C2099A82CBC367AD4B764"
+" ipv6=[2620:7:6001::ffff:c759:e64d]:80"
+/* nickname=QuintexAirVPN24 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"102.130.113.42 orport=9001 id=066FE3C4E07A18EA53B2828F753D3788D58D771D"
-/* nickname=Psyduck */
+"185.220.101.228 orport=9443 id=1CE4020801F2E69DCE6BAB916C4FD15DDAB653C9"
+" ipv6=[2a0b:f4c2::228]:9443"
+/* nickname=artikel10ber74 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"165.227.174.150 orport=9001 id=FFB605C86D606991ADED7842269FA25A03B4A4D0"
-/* nickname=Unnamed */
+"185.245.60.6 orport=9100 id=F40016C5A2D7460DA5CCBF8A2346135D6BBC3DD0"
+/* nickname=jwt85328 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.151.167.10 orport=8443 id=A14D96E6C4C3A5AF3D7E57AC0A85AE82BDFB0F4B"
-" ipv6=[2001:678:e3c::a]:8443"
-/* nickname=artikel10ams01 */
+"45.55.141.66 orport=9010 id=A3BDCEAE18DBFF593CC3DA2F2255507DAC768F3C"
+" ipv6=[2604:a880:800:10::14:8001]:9010"
+/* nickname=parabellvm */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.32.107.220 orport=443 id=3CF935BB48C27EA0FEA4D6B9025A566364C38E92"
-" ipv6=[2a03:94e0:ffff:194:32:107:0:220]:443"
-/* nickname=FlashElk */
+"185.220.101.12 orport=8443 id=C4019EC5FBDB0401072599BC34E6FECD5F26692D"
+" ipv6=[2a0b:f4c2::12]:8443"
+/* nickname=artikel10ber23 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"114.23.164.80 orport=9001 id=CB81BCFD44FC142616BB5983648BD8AF01930789"
-/* nickname=ss23voyager */
+"78.138.98.42 orport=9001 id=07F0E652E4CCB0A0F1E88D0046ECB322E6318C86"
+/* nickname=RiggsOceanlock */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.195.251.54 orport=9001 id=E09782C5F119131D5DF3C77B83E3214697AB6376"
-/* nickname=dappertr */
+"185.220.101.4 orport=9443 id=330A5D4F9D5D5326B9AAC12C339EB49279D60237"
+" ipv6=[2a0b:f4c2::4]:9443"
+/* nickname=artikel10ber08 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.72.120 orport=9000 id=D11665375F333356E21A0FE2B6AAF7B91B9916DA"
-" ipv6=[2605:6400:30:f772:ff34:e615:9cef:6f9a]:9000"
-/* nickname=Quetzalcoatl */
+"83.97.20.189 orport=443 id=B1EC3EA6B5DA669676AF19CD0BE067A7E6B310F0"
+" ipv6=[2a04:9dc0:31::c0cc:bd]:443"
+/* nickname=LottaNode */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.225.69.90 orport=443 id=8C612213C4B5C154FA90847F36FBF36DB78AB1AC"
-/* nickname=davy */
+"194.118.235.140 orport=993 id=4E54ED940563663F4AEBCA5EAF541FA296C70E16"
+/* nickname=burnigHell */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.102.251 orport=443 id=FDCFEA18CC64461455DE5EA3FC31834C6B42FEC7"
-" ipv6=[2a0b:f4c1:2::251]:443"
-/* nickname=Digitalcourage4ip4a */
+"76.210.199.227 orport=9001 id=308EA2AD69C87D44BFB561D43DFE8D7929C6C9A9"
+/* nickname=ratscornRelay0 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"95.211.138.7 orport=9001 id=5CE3AD8AD04ADE66C0037A3CF5F7F7A40D48A20B"
-/* nickname=polizeierziehung */
+"109.190.177.33 orport=9999 id=A8874E2C45F445DBA462A914ED8D3AF045734FFB"
+/* nickname=computel */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.47.18.110 orport=80 id=F8D27B163B9247B232A2EEE68DD8B698695C28DE"
-" ipv6=[2a01:4f8:120:4023::110]:80"
-/* nickname=fluxe3 */
+"178.174.235.8 orport=9001 id=C6E23345E9DB5325B62AE956CA6E8AE6DAB6D1BE"
+/* nickname=torsten */
 /* extrainfo=0 */
 /* ===== */
 ,
-"144.217.95.12 orport=9001 id=8885EA6F74A694825B13B8A7080F6CF164DF74FB"
-" ipv6=[2607:5300:201:3000::49be]:9001"
-/* nickname=Unnamed */
+"24.134.234.17 orport=9029 id=445D891CE6C7AC3D80E1EDCA61F921D3A6E91CC5"
+/* nickname=Feidhlim01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.73.13 orport=9000 id=13FBC97516DC854399E70BC7CA9A4513FFD4F08C"
-" ipv6=[2605:6400:30:f916:2d21:9c43:1935:81f7]:9000"
-/* nickname=Quetzalcoatl */
+"138.3.242.31 orport=443 id=57C9D8FD12AF654158AD5345CB7934CA13094C10"
+/* nickname=jebacputina */
 /* extrainfo=0 */
 /* ===== */
 ,
-"176.10.99.208 orport=443 id=7E006A46A222CE42F84B4A175698B3B593A7B3B7"
-/* nickname=AccessNow008 */
+"89.191.217.1 orport=9001 id=F2ED5032B52021E7BADBBB82E6594F1A872FFD09"
+/* nickname=runninglizard */
 /* extrainfo=0 */
 /* ===== */
 ,
-"79.143.177.247 orport=9001 id=75093A959F344BC6B304EFFEDE1019F46548A3C2"
-" ipv6=[2a02:c205:2023:7000::1]:9001"
-/* nickname=O1G */
+"5.189.181.61 orport=443 id=63C81BCA835570069A7FCD48312DEA707F6CBAA2"
+" ipv6=[2a02:c207:3001:6426::1]:443"
+/* nickname=dontpanic */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.172.76.56 orport=9001 id=03BD56B5072FB07D2B4D79E2FB04366D415EF3EC"
-/* nickname=Totonicapanp6 */
+"131.153.152.122 orport=443 id=8330C8C52A4DC562135369D317D86887BBFE1685"
+/* nickname=derailleur */
 /* extrainfo=0 */
 /* ===== */
 ,
-"178.17.174.79 orport=9001 id=BBDE12C320FD1C3FFBEC15202F46D5620FC1444E"
-" ipv6=[2a00:1dc0:cafe::a3f6:4721]:9001"
-/* nickname=hanktor */
+"37.120.186.122 orport=4711 id=D6D677014A583E6F783A03F523A6C5DC2F6347D1"
+" ipv6=[2a03:4000:f:992:98d8:54ff:fe3d:fc2b]:4711"
+/* nickname=mittelerde */
 /* extrainfo=0 */
 /* ===== */
 ,
-"119.59.110.153 orport=80 id=5A6AD8BFBA74F646822996EC03FD3484353A41B3"
-/* nickname=always2 */
+"91.149.225.172 orport=9001 id=7B077965A032FEE91F8DDFD3F18F9943398AAE3F"
+/* nickname=Ragnarok */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.160.102.164 orport=9001 id=823AA81E277F366505545522CEDC2F529CE4DC3F"
-" ipv6=[2620:132:300c:c01d::4]:9002"
-/* nickname=snowfall */
+"23.154.177.2 orport=443 id=F34EE673122518873E717C128E35A389B72C7837"
+/* nickname=UnredactedSnowden */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.22.174.119 orport=9001 id=D2169E641B2C10CACEA266D31370479200BB9AD7"
-" ipv6=[2a00:1838:36:115::8a3d]:9001"
-/* nickname=FlashBear */
+"185.112.144.18 orport=8443 id=3F98580C881A3DA7EF2E9A8927491AD4E5ED684F"
+/* nickname=Freyr */
 /* extrainfo=0 */
 /* ===== */
 ,
-"152.70.64.30 orport=9001 id=8765C6AFF62C266A38D8C73A76604A5B1669FAA7"
-" ipv6=[2603:c024:8001:dfea:2::]:9001"
-/* nickname=plithismos */
+"82.213.229.137 orport=9101 id=20446B81B32B197BB09DDC4EFEB162732669F9DF"
+/* nickname=mytornoderpi1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.75.206.12 orport=9100 id=4837A6DFFC8E3681D70AD9E8D057C029093DA2F7"
-" ipv6=[2001:41d0:305:2100::7cb4]:9100"
-/* nickname=KherNl */
+"46.101.183.160 orport=443 id=75A931404453030821C547A4FAA9094A06C48C7A"
+/* nickname=Tiberius */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.68.204.139 orport=9001 id=9AB93B5422149E5DFF4BE6A3814E2F6D9648DB6A"
-" ipv6=[2001:41d0:800:158b::]:9001"
-/* nickname=atomcats */
+"195.37.209.9 orport=9001 id=83C50784528AD3823CB7E7DF4B34B92A42CC7639"
+/* nickname=KarlHessenberg */
 /* extrainfo=0 */
 /* ===== */
 ,
-"52.47.91.150 orport=9001 id=C6EF115D997317A32C784AC0F9944AE0581CA37E"
-/* nickname=LSRodentNinjaRelay */
+"185.220.101.72 orport=9100 id=D3DFB8F9A878F44ED80E2B34F794FDF6334FC5F9"
+" ipv6=[2a0b:f4c2:3::87]:9100"
+/* nickname=CCCStuttgartBer */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.98.59.35 orport=9100 id=6E736FF4BA2845381A2FEE4DEE6CC565C5A7D781"
-" ipv6=[2605:6400:10:542:d124:fa7a:9141:db6c]:9100"
-/* nickname=Quetzalcoatl */
+"185.220.101.0 orport=8443 id=6A01150EAB04007E2E08D9C603B1467193805B06"
+" ipv6=[2a0b:f4c2::]:8443"
+/* nickname=artikel10ber63 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"65.108.3.114 orport=1066 id=0C3D5E19E3C75B505C8ACD26F89DCA2DF970553E"
-" ipv6=[2a01:4f9:6a:528d::a]:1066"
-/* nickname=HORUS1 */
+"104.244.79.187 orport=443 id=7737F24640F9F4C772C226CAA778093F34A03E78"
+" ipv6=[2605:6400:30:f868::]:443"
+/* nickname=l0kz0r */
 /* extrainfo=0 */
 /* ===== */
 ,
-"173.212.239.78 orport=9201 id=3B3F451BD58F96DC0E8EB7D01F209FC8803C33DF"
-" ipv6=[2a02:c207:2031:2233::1]:9201"
-/* nickname=Assange009de2 */
+"149.154.159.87 orport=443 id=18A5ED4B9AA434883275C15D6CF3F795BA86744A"
+/* nickname=TorMePlz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.61.186.108 orport=9100 id=5756D9C403D89B79AFE69D50BB0682BA318319FB"
-" ipv6=[2605:6400:40:fedc:e3d4:d2c1:5a61:7a97]:9100"
-/* nickname=Quetzalcoatl */
+"77.232.149.26 orport=9001 id=83F75BC5789323CA9FB55813A7ACD61291E31123"
+/* nickname=zhuknode45 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"212.16.170.158 orport=443 id=3FEBFB6A491D30CACC2C2995EDB41717A6F94E95"
-/* nickname=remedy */
+"65.21.56.56 orport=9011 id=9958EC94922F1252E1E1DA748A5EE3889CE3CB83"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.62.210.14 orport=9001 id=0FB5D0E2B14B19C9080A5BD38DEC649587FEC262"
-/* nickname=nodv23 */
+"195.154.164.111 orport=9001 id=DF02E357B268BA6E9029FA6DFB8BC289E7763FCF"
+/* nickname=anityatvarelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.94.223.112 orport=9001 id=5645739E8EF72CA7D9EE1E12678B51A6FF8711C1"
-/* nickname=5h4d0wNet */
+"144.76.37.242 orport=8443 id=645DE9BF7A2E858F8A6B45F1F530371176D0238A"
+/* nickname=coco */
 /* extrainfo=0 */
 /* ===== */
 ,
-"151.115.41.209 orport=443 id=F6D34AA29FC551A5E1706D164B44809D6DC09240"
-/* nickname=tirz */
+"176.123.1.208 orport=9001 id=C08A5BC504B9D6ECCE2AA2EE51E69125A39D0595"
+" ipv6=[2001:678:6d4:4010::3f]:9001"
+/* nickname=TheOnionRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.252.187.129 orport=9001 id=79B207AD51842FA215D956B9307B3D01CD347368"
-" ipv6=[2a00:63c1:c:129::2]:9001"
-/* nickname=1d1dchang3th3c0nf1g */
+"192.160.102.169 orport=9001 id=C0192FF43E777250084175F4E59AC1BA2290CE38"
+" ipv6=[2620:132:300c:c01d::9]:9002"
+/* nickname=manipogo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.158.148.230 orport=993 id=F9E32D4058F7F35E9BC4F1D8C3B2DAA0C4466660"
-" ipv6=[2001:bc8:2dd2:2000::1]:993"
-/* nickname=KagamineLenTwilight */
+"185.220.102.246 orport=993 id=13FB26F9361F803AD190FE88B35E241DC084B026"
+" ipv6=[2a0b:f4c1:2::246]:993"
+/* nickname=Digitalcourage4ipgb */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.158 orport=443 id=90BF7147B422A1BABEFA503656EBD17987424441"
-" ipv6=[2620:7:6001::158]:80"
-/* nickname=Quintex69 */
+"178.254.44.176 orport=8174 id=F53169959223F5DF73A705FE7261F129DBA66545"
+/* nickname=1blu2DEicebeer74 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"193.108.117.209 orport=443 id=7600680249A22080ECC6173FBBF64D6FCF330A61"
-/* nickname=Ichotolot62 */
+"62.210.99.238 orport=39819 id=3E18FEBABD94CDC986416C957DF323FEDE97A2BD"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.26.73.162 orport=9001 id=215616527FB97ED5BE0BF8D2166BDB44EEB6A840"
-/* nickname=Assange013us */
+"54.36.183.48 orport=9001 id=9A9D48F3D5C572C87DE79236A3FA9353E08E3FF2"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.158.187.110 orport=443 id=04C3468BE24740347CBCC00534C940DBCBCABC82"
-" ipv6=[2001:bc8:1824:421::1]:443"
-/* nickname=aaron0x10c */
+"188.68.36.209 orport=59001 id=FF87E49EF33078B04A5DE26AAE170DDF8BAE139F"
+" ipv6=[2a03:4000:13:33::1]:59001"
+/* nickname=MehlTor1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"148.251.7.156 orport=9001 id=14308846BD3FF2FB32981F0F0A6BED40F0DC7731"
-" ipv6=[2a01:4f8:201:61a6::2]:9001"
-/* nickname=Dalite */
+"51.81.236.225 orport=56395 id=F34B1257DB168D406B57FF71F8A3876AE0190D14"
+/* nickname=GreatCamas */
 /* extrainfo=0 */
 /* ===== */
 ,
-"47.181.71.250 orport=443 id=D2368BAEDAC94AF05AB32EC391346A2968379C31"
-/* nickname=Nickkkkk */
+"89.58.42.28 orport=8080 id=C8AB7044683F82618FAD5D521B55C77B29FC0722"
+" ipv6=[2a03:4000:66:fcf::]:8080"
+/* nickname=webhusoB2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"81.169.186.16 orport=29001 id=C265517257154ABD003861F2B914E350B011AAE2"
-" ipv6=[2a01:238:429c:9600:40e6:e961:9cf7:31d1]:29001"
-/* nickname=viennaOnTheRun */
+"65.21.251.26 orport=443 id=1211AC1BBB8A1AF7CBA86BCE8689AA3146B86423"
+" ipv6=[2a01:4f9:c011:344::2]:443"
+/* nickname=ccrelaycc */
 /* extrainfo=0 */
 /* ===== */
 ,
-"146.185.189.197 orport=443 id=1944F3A473CB77B12BDB4E3D15963A24DF58E4E7"
-/* nickname=Thrones */
+"51.159.136.111 orport=443 id=C983807EA7ACADCF29A373E09F853E737A1E9D46"
+/* nickname=tirz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.191.206.77 orport=8443 id=3FFDFB5A9A278C7C303745606DB5B68FC5B9FADF"
-/* nickname=Unnamed */
+"135.148.53.55 orport=443 id=78F6CC48735658F9F7C2A9FD587BB726EFCD08B1"
+/* nickname=amaze */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.69 orport=443 id=C78AFFEEE320EA0F860961763E613FD2FAC855F5"
-" ipv6=[2620:7:6001::ffff:c759:e645]:80"
-/* nickname=Quintex46 */
+"82.168.32.82 orport=9001 id=69497036653189531207746B3D0E4ECB56888F3C"
+/* nickname=octavsly */
 /* extrainfo=0 */
 /* ===== */
 ,
-"95.211.205.138 orport=443 id=8B6B10A0AED89408E509D4422EC926C89C7933D0"
-/* nickname=laurita */
+"109.70.100.10 orport=8080 id=B2FB3A302B56EFDBF0CA061E84BE4599305CE477"
+" ipv6=[2a03:e600:100::10]:8080"
+/* nickname=mangold */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.57.231.26 orport=443 id=1F772DD93DA20A6745E334BAFFC7B9765876BB11"
-/* nickname=ballers1 */
+"185.220.101.31 orport=8443 id=4A531AA712A3DF0A90EB42711EEBE90B6918B37A"
+" ipv6=[2a0b:f4c2::31]:8443"
+/* nickname=artikel10ber61 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"176.9.40.131 orport=443 id=1CD48F4ED0F1821FFBF1940802A13EEFD4C27502"
-" ipv6=[2a01:4f8:150:518e::2]:443"
-/* nickname=Piratenpartei00 */
+"74.116.186.120 orport=443 id=B921B8B8F9014E7D0FE72DE6E5C431FA1BBA1A91"
+" ipv6=[2606:6d00:1ab:e701::235a]:443"
+/* nickname=bitplane */
 /* extrainfo=0 */
 /* ===== */
 ,
-"90.202.106.141 orport=9001 id=863BD07491BD53C75C9BA186CD1DAD46F65B62BF"
-/* nickname=satori */
+"199.249.230.86 orport=443 id=66E19E8C4773086F669A1E06A3F8C23B6C079129"
+" ipv6=[2620:7:6001::ffff:c759:e656]:80"
+/* nickname=Quintex37 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"162.250.191.15 orport=9001 id=1C3C4AEF036D1202EEC623228EBA5FB71931E2A3"
-/* nickname=Assange020ca */
+"46.232.251.191 orport=443 id=4D0DF468DC816F8096702C2DA2C6FD67561F81C8"
+" ipv6=[2a03:4000:2b:66e:dead:beef:ca1f:1337]:443"
+/* nickname=artikel5ev8 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.7.221.196 orport=9001 id=209B6DC8584D0DBC569DBA8DAE88B567A24C9467"
-/* nickname=cercatrova */
+"213.164.204.146 orport=9001 id=369E10A48B0AF046498AA4A0F1FF8D039549BB7C"
+/* nickname=Augustiner1328 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"151.237.82.153 orport=9001 id=3864A437EDAEBF7859B9CC71348E1214BEE5BF62"
-/* nickname=Unnamed */
+"193.218.118.182 orport=9001 id=0E92BF02B3C11B0DD18301A0DE1B164A0546E36F"
+" ipv6=[2a0f:e586:f:f::182]:9001"
+/* nickname=ua321 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"46.226.107.206 orport=10400 id=B0C17B973F4DBFE3662DC149BCCD8098666C298B"
-" ipv6=[2001:4b98:dc0:43:f816:3eff:feed:683f]:10400"
-/* nickname=periskop */
+"172.127.92.239 orport=9001 id=C639DF8B38EA2E1AD2F550F261E5B8032CD14480"
+/* nickname=Lapras */
 /* extrainfo=0 */
 /* ===== */
 ,
-"87.15.33.124 orport=9001 id=1DC42BD783671E2879457224758837E67FC7E64C"
-/* nickname=AnonimaCasalserugo */
+"188.138.33.233 orport=443 id=D80EA21626BFAE8044E4037FE765252E157E3586"
+/* nickname=bonjour1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.28.84 orport=9100 id=3863FD538658F6671631E78CEBB2693FB42DFA7D"
-" ipv6=[2605:6400:30:f09e:c57f:a8fd:ce14:6f3b]:9100"
-/* nickname=Quetzalcoatl */
+"217.12.221.75 orport=9001 id=6287129CB9EC475E816A0D283FE4E45D632A4A4B"
+" ipv6=[2a02:27a8:0:a::100]:9001"
+/* nickname=zwewwlUA1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"2.56.98.121 orport=9005 id=7F844518369C1A572F3211F40D16F04D76F12878"
-/* nickname=BienwaldKA05 */
+"94.130.189.8 orport=9001 id=588413A3B8BE4C438B530AC5E184E1ED89A07F6A"
+/* nickname=momo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"82.221.128.191 orport=443 id=D5228FA5AA9FDB3825E6F199AFA9F9E6F9526A17"
-/* nickname=SmokeAspectRangers */
+"195.90.201.93 orport=9100 id=D027AD4E6A57755BC80ADD1BF6C8BC7F51E8A2B0"
+/* nickname=skankhunt42de3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.25.50.199 orport=9000 id=1B9C26C1DAB190EAD3EBADB70914E0949ADC2588"
-/* nickname=sqrrm */
+"97.121.138.197 orport=443 id=20BBFFDD799E09DD9ADB865B3B95608170DBE312"
+/* nickname=RockyMountainRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"5.2.70.141 orport=9001 id=8454D200E13A41A93F4B6523740EBC78505D0DF0"
-" ipv6=[2a04:52c0:101:39e::]:9001"
-/* nickname=Unnamed */
+"85.131.16.29 orport=9050 id=FCC392FC20A5C1C5B5E95AB6E24735E493E3AEB7"
+" ipv6=[2001:14ba:1400::8857:e4fa:d28f]:9050"
+/* nickname=ktj8rmhy53b16bwqg */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.33.123.222 orport=9001 id=37FCDCAFAAA17742BE58A36382A768E21B65B34C"
-" ipv6=[2600:3c00::f03c:91ff:fe96:466c]:9001"
-/* nickname=PictureEnchanter */
+"77.21.71.189 orport=9001 id=2DACC26F1D3BA64F32EEB4185BAD696A88BA832D"
+/* nickname=just1small4relay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"130.225.244.90 orport=9001 id=AC7C0F9D57DADAD5D8F4568EE1543EF3E22A47CE"
-" ipv6=[2001:878:346:1cf9:446a:c4eb:4548:7062]:9001"
-/* nickname=dotsrcRelay2 */
+"162.251.119.2 orport=443 id=253E7C6802F75BD54616872693A5922ED2A1534D"
+/* nickname=porcelain */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.112.146.188 orport=9001 id=85D3D0C3D4699AFA897FE9DD9270BAACBBE3E3F1"
-/* nickname=Unnamed */
+"180.183.10.154 orport=9001 id=95672A3D3EC0AE97F208A17E212DE02110A6508D"
+/* nickname=STRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"65.50.203.5 orport=9001 id=BA348901BC6A0FE4DA86C53433414A3124934FCF"
-/* nickname=UEUEUEU */
+"92.243.0.179 orport=9001 id=C9B68C802CA20C3E4FA46D77153D6EDC80F13CF5"
+" ipv6=[2001:4b98:dc0:41:216:3eff:feb3:28bd]:9001"
+/* nickname=sybaze */
 /* extrainfo=0 */
 /* ===== */
 ,
-"109.201.133.100 orport=443 id=973607526BE9C8FDA03EBBAF527D67AE6FFD65DD"
-/* nickname=eddy */
+"94.130.185.68 orport=9001 id=A9E43431EF473BEEF0EEC98DBDDD1B8C3E3FB071"
+" ipv6=[2a01:4f8:1c0c:453a::1]:9001"
+/* nickname=torthias */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.241.106.203 orport=9001 id=2CD5474E33D12629156B92FBD61FAAB22D07B0F7"
-/* nickname=onYourOwn */
+"37.187.23.232 orport=80 id=F4873B3EC3325B81DC36C7E38AD3A5ED12B2F339"
+" ipv6=[2001:41d0:a:17e8::1]:80"
+/* nickname=Islay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.130.44.108 orport=443 id=D8A1F5A8EA1AF53E3414B9C48FE6B10C31ACC9B2"
-" ipv6=[2a07:e01:2:13::2]:443"
-/* nickname=privexse1exit */
+"144.76.166.199 orport=9002 id=AF2B014CBE98D2E66B288323B47F2E8DDDD9904E"
+" ipv6=[2a01:4f8:200:42c6::2]:9002"
+/* nickname=justinjoker */
 /* extrainfo=0 */
 /* ===== */
 ,
-"193.218.118.158 orport=9001 id=0A56985BBDDB5FD1FAA8C9133C7115961AA6C370"
-/* nickname=Privacy9001 */
+"193.189.100.200 orport=443 id=E5D7D35357E9C55B47E2ADDE73199153888BD4CB"
+" ipv6=[2a0f:df00:0:255::200]:443"
+/* nickname=TORKeFFORG7 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"74.208.120.64 orport=443 id=46053D5D5916F20C333406F16911711AB55164C0"
-/* nickname=Schlaraffenland */
+"194.26.192.187 orport=443 id=33E9B36F48DB20F437578433973156F0185442B1"
+/* nickname=bauruine */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.98.60.97 orport=443 id=30C472441D910A8BCDA571F2637C80119E76D082"
-" ipv6=[2605:6400:10:36b:1cb3:5586:cdb7:31ea]:443"
-/* nickname=Quetzalcoatl */
+"121.200.11.168 orport=9001 id=3B6A1C9B65AA395D21600F805A06B9995885487E"
+/* nickname=whynot */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.100.249 orport=9100 id=887CAB501A9DB68A2C44EDF98BF50B0304EED8B6"
-" ipv6=[2a0b:f4c0:16c:7::1]:9100"
-/* nickname=niftykostchtchie */
+"130.225.244.90 orport=9001 id=AC7C0F9D57DADAD5D8F4568EE1543EF3E22A47CE"
+" ipv6=[2001:878:346:1cf9:446a:c4eb:4548:7062]:9001"
+/* nickname=dotsrcRelay2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.25.213.211 orport=80 id=CE47F0356D86CF0A1A2008D97623216D560FB0A8"
-/* nickname=BeastieJoy61 */
+"109.238.11.6 orport=443 id=AC00AEBA1AE2A80CF4184C4362157BF91487B902"
+/* nickname=DanaScully */
 /* extrainfo=0 */
 /* ===== */
 ,
-"141.136.52.7 orport=9001 id=F85B74A470159AADD7D1C2398CE1813371BB6ACF"
-/* nickname=Unnamed */
+"37.252.187.111 orport=443 id=EE4AF632058F0734C1426B1AD689F47445CA2056"
+" ipv6=[2a00:63c1:c:111::2]:443"
+/* nickname=rinderwahnRelay7L */
 /* extrainfo=0 */
 /* ===== */
 ,
-"31.201.16.30 orport=443 id=E8ED405E47A477D92D9EFB201FADF28FF7FBAF5D"
-/* nickname=Tortue */
+"94.100.6.27 orport=443 id=D6670FB54B21818CE7C13524AA003258B8E35D38"
+/* nickname=drogo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.100.85.132 orport=443 id=5F875CFB7E2ED0D24E85A5A8B8904A3650AB1ED8"
-/* nickname=vandergriff */
+"217.197.86.173 orport=443 id=C2EE40EE8451F27C2357E8B1EA1E8E6F642273EB"
+" ipv6=[2001:67c:1401:2051::3]:443"
+/* nickname=Bastard */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.167.242.183 orport=9001 id=5E114AD608428C23B38CCC77DA22E4CD0C27F2CE"
-" ipv6=[2001:4b98:dc2:55:216:3eff:fee8:6e97]:9001"
-/* nickname=TitounNet */
+"178.132.78.148 orport=443 id=BF7BFCB3096FC81FBD0B7ADA66164431EC7FD117"
+/* nickname=weepy */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.156 orport=443 id=139C86C4C9BC94E89BAF79B15EBFDF9396DD5BB0"
-" ipv6=[2620:7:6001::156]:80"
-/* nickname=Quintex67 */
+"185.129.61.3 orport=443 id=36196F1ADF33DD6EEA6C5FADA69FC43C18D05C5A"
+" ipv6=[2001:67c:89c:702:1ce:1ce:babe:3]:443"
+/* nickname=dotsrcExit3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"91.143.88.2 orport=443 id=ED7F2BE5D2AC7FCF821A909E2486FFFB95D65272"
-" ipv6=[2a02:180:6:1::2efd]:443"
-/* nickname=Planetclaire63 */
+"80.66.135.13 orport=9001 id=70090E9F85FBE004EEBF58461FD6EDD5BF8A523E"
+/* nickname=OatMeal99 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"77.123.155.45 orport=443 id=C0E6A667064385B9CB5A685CEB06B85EDDA6AA00"
-/* nickname=FreedomForParrots2 */
+"116.203.140.74 orport=9001 id=BC7ACFAC04854C77167C7D66B7E471314ED8C410"
+" ipv6=[2a01:4f8:c0c:e646::1]:9001"
+/* nickname=YagaTorRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.172.211.128 orport=443 id=241ED37B98E822F328B8D883EF8ECA3ADAB0EE12"
-" ipv6=[2001:bc8:3fec:b00:b007::]:443"
-/* nickname=Casper12 */
+"45.33.27.210 orport=9001 id=C9B16B5D37F531C8C6C0281E4EC4F056E84541D0"
+" ipv6=[2600:3c00::f03c:91ff:feb7:9351]:9001"
+/* nickname=CedarHill */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.30.230 orport=9001 id=B12536F2F1BBFE0B47FAAD0D5D05BFAEC6C2DE9F"
-/* nickname=Hydra40 */
+"172.241.140.249 orport=443 id=4FD9A030C9DC98FA24076071CBB6FD843BC62D7D"
+/* nickname=ashP */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.203.116.252 orport=443 id=70D0893564051D9B6DF3B6E0519DDE6061D4895E"
-" ipv6=[2a07:5741:0:f87::1]:443"
-/* nickname=Valhalla */
+"193.0.213.42 orport=443 id=84D7EA4046826E312B32F822A592651121890EAE"
+/* nickname=kleptoman */
 /* extrainfo=0 */
 /* ===== */
 ,
-"42.191.94.69 orport=9001 id=B974F0C815C707F57F97CD159874770692BDA7EA"
-/* nickname=chrRelay */
+"213.164.204.177 orport=9001 id=378AD3D089A01EC802F165A936122B60B5B1035E"
+/* nickname=Hydra55 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"31.6.70.71 orport=9001 id=7F3D20E72A24ED2EBD92AA9C430B805BA389D02B"
-" ipv6=[2a02:2430:3:2500::321e:67c4]:9001"
-/* nickname=PolishTatraSheepdog */
+"161.97.167.148 orport=443 id=44D3069C9EE3B1EAF3CE6B268581C4510CAE9D54"
+/* nickname=alejandria */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.112 orport=443 id=D25210CE07C49F2A4F2BC7A506EB0F5EA7F5E2C2"
-" ipv6=[2620:7:6001::112]:80"
-/* nickname=QuintexPhoulRules */
+"199.249.230.108 orport=443 id=155D6F57425F16C0624D77777641E4EB1B47C6F0"
+" ipv6=[2620:7:6001::108]:80"
+/* nickname=Quintex18 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"147.92.88.67 orport=9001 id=901592FBE2A2335F5DC3A5434600B9A4F9D9C68E"
-" ipv6=[2604:21c0:100:1::cafe]:9001"
-/* nickname=SillyRelay */
+"185.220.101.5 orport=8443 id=6EA5A7EA8C2F192C37DCEB2AAD481DC7E72E65DE"
+" ipv6=[2a0b:f4c2::5]:8443"
+/* nickname=artikel10ber09 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.251.68.144 orport=9001 id=83AEDBDB4BE3AD0ED91850BF1A521B843077759E"
-/* nickname=focaltohr */
+"45.151.125.191 orport=443 id=8275A435C8D783EEC835A64A3EA2ADF8C3C4531D"
+/* nickname=tor2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"54.36.120.156 orport=443 id=D0273C8566CC9AECE4C762376C9B066FE0F1DADD"
-/* nickname=Kimchi */
+"172.106.12.246 orport=443 id=3B675F5DB8C36AE6DB5889AE8DA1ACDF5DD51A0D"
+/* nickname=recyclops */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.102.244 orport=443 id=1C7700A94DBBFECFA234C1ADD0D23FB87D1D7599"
-" ipv6=[2a0b:f4c1:2::244]:443"
-/* nickname=Digitalcourage4ipea */
+"185.220.101.30 orport=8443 id=7C4B37F45CFF88B36C0A77DC3331FA58F29963DB"
+" ipv6=[2a0b:f4c2::30]:8443"
+/* nickname=artikel10ber59 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"68.67.32.31 orport=9001 id=964B4E8A75263A69769541F2764563DABDD995D2"
-/* nickname=MHcXthX9Eb34WYyEN7H */
+"185.163.45.253 orport=443 id=09F1936587D5A82ABCD79B11599C044E72C13840"
+/* nickname=torrelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.176.3.20 orport=8443 id=08CE3DBFDAA27DB6C044A677AF68D7235C2AFC85"
-" ipv6=[2001:620:20d0::20]:8443"
-/* nickname=DigiGesTor4e4 */
+"185.245.60.11 orport=9000 id=3EEDC806C524DF7A4B031CE314806E3FF6CC25F4"
+/* nickname=jwt61472 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.140.115.114 orport=443 id=879B036468D30AB1A2195F96D2C91F3CAA8D1DC2"
-/* nickname=kbtr7lv */
+"82.128.229.109 orport=443 id=B50A98267A63713F37319D895EA1151C4B27BE4D"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"23.129.64.140 orport=443 id=1228111A6D4AFC619ED3A70079A3A0B678476A43"
-" ipv6=[2620:18c:0:192::140]:443"
-/* nickname=BeGayDoCrimes */
+"172.241.140.26 orport=443 id=13B2354C74CCE29815B4E1F692F2F0E86C7F13DD"
+/* nickname=TORtitan */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.141.71.102 orport=4433 id=C15A8BE46A0025371C3C41247CF8911AD82A7A1C"
-/* nickname=rainyValbo */
+"81.4.122.99 orport=4433 id=DDF0EFB98CDD4A28896668AEA48966BA5E23EDEE"
+/* nickname=AntonKlingRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.62.244.154 orport=9001 id=45F80CFCE0FF65EAE012049BAF66084F76E6D68B"
-/* nickname=Machiavelli */
+"45.35.33.198 orport=443 id=453EE12D7E73F9935B932670091CAD03D91C006D"
+/* nickname=FinishLine */
 /* extrainfo=0 */
 /* ===== */
 ,
-"170.239.86.145 orport=443 id=5414065F98A160F630DAE0689973FC66D7EA62E9"
-/* nickname=DTFNODE04 */
+"141.94.71.180 orport=443 id=BA2575B9E13EBA158FD916394C5046A6BD6F6198"
+" ipv6=[2001:41d0:304:200::afec]:443"
+/* nickname=WWW */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.9.231.195 orport=443 id=13F7EAE731CA4600951986921E08ECAB9B1D2AF6"
-" ipv6=[2001:4b78:2006:ffc3::1]:443"
-/* nickname=CanopoIT */
+"5.45.102.119 orport=9000 id=DF55C90D7EB87A13B044259951CA784F2F596E8D"
+" ipv6=[2a03:4000:6:608:942a:42ff:fe77:728c]:9000"
+/* nickname=Quetzalcoatl */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.120.171.230 orport=9001 id=E8965A79FB2F335194141E8968755524840C44B6"
-" ipv6=[2a03:4000:6:543f:78b2:4fff:fe7b:fb6a]:9001"
-/* nickname=Piratenpartei08 */
+"195.154.250.239 orport=443 id=DD5DA21CC5036533AE2010DE2C7E72BE2CDF9C5E"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"93.115.241.194 orport=443 id=B594EFDDBA2A8F12DEF827DFEE6992A6EB310B2A"
-/* nickname=heaney */
+"51.178.86.137 orport=9001 id=BD33EF180B1118B00BDF073E2771210E3BDDD8CD"
+/* nickname=Hydra22 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.239.222.243 orport=443 id=9B12C0D5A3435004F3DE149F83E752E44522E297"
-" ipv6=[2a09:2681:101:9001::4]:443"
-/* nickname=BM04 */
+"185.225.69.90 orport=443 id=8C612213C4B5C154FA90847F36FBF36DB78AB1AC"
+/* nickname=davy */
 /* extrainfo=0 */
 /* ===== */
 ,
-"31.164.176.95 orport=19927 id=D23F48B37526F904EECB3C8ED0747EF254C11BB4"
-" ipv6=[2001:1711:fa4b:5f1:222:15ff:fe47:96b5]:19927"
-/* nickname=tantricsnake */
+"185.4.132.183 orport=443 id=CC0A89217E999A6478D0358116C926625F84EBE6"
+/* nickname=Grexit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"157.90.38.9 orport=443 id=42A51FFF7AB2A2F396CB924B56676F09BCB52245"
-/* nickname=SoySauceR */
+"85.214.18.225 orport=1329 id=029650EE0E3E79803B7358DC94BC9FC3A367732C"
+/* nickname=cLmIsACapitalist */
 /* extrainfo=0 */
 /* ===== */
 ,
-"93.115.86.4 orport=443 id=CE863C22AD5ABBEAF606AE35A22781C409D895E5"
-/* nickname=mj4 */
+"81.17.30.48 orport=443 id=4E737BBFCCBE45A923CE82577E99DCFFABC5BFF4"
+/* nickname=fento */
 /* extrainfo=0 */
 /* ===== */
 ,
-"136.243.60.188 orport=9001 id=675CFAC38BE3C9A26C3A2DD7CBC0E616F68624CA"
-" ipv6=[2a01:4f8:212:1b8b:3::8]:9001"
-/* nickname=mullbinde5 */
+"91.213.233.60 orport=443 id=49BC7301250F6D87BCD676DFC9AF22048F96F599"
+/* nickname=kleinbach */
 /* extrainfo=0 */
 /* ===== */
 ,
-"77.23.162.55 orport=9999 id=11C9529C9D0671545EAEF80DFE209AD977BCE908"
-/* nickname=mekansm */
+"51.158.231.76 orport=443 id=33D6A3A8BD977723FD4C053151F78D852AC62775"
+/* nickname=tirz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"212.74.233.19 orport=9003 id=126E438B6921882FC17F1FC32AAC617300561938"
-/* nickname=Bathtub */
+"209.141.37.233 orport=443 id=9085A30783FBB38DFA96CE024EDC5A0F9F5FAA24"
+/* nickname=kekw */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.140.115.16 orport=443 id=A191F6309396DAD373FE7E4D1EF64B40F38A3637"
-" ipv6=[2a02:7aa0:4000::29]:443"
-/* nickname=rinderwahnRelay6L */
+"217.12.221.131 orport=443 id=424BF86927E80D916589BB12248BD468BB470684"
+/* nickname=RunningOnFumes2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.166.245.122 orport=443 id=F9AEA07ACE06E8E7D55E10FFBAE037E8C833FA93"
-/* nickname=DTFNODE46 */
+"94.140.114.174 orport=9001 id=5A0643E452E143BE549BAB3BFE575F40DDBD527C"
+/* nickname=Hydra67 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.140.115.146 orport=9001 id=3B2EB73B3C61E9C302479B44D881E049049BF048"
-/* nickname=Yanush3 */
+"199.249.230.183 orport=443 id=A2C3CB1520C75BEDB21244FD1DF1C371C26E959E"
+" ipv6=[2620:7:6001::183]:80"
+/* nickname=Quintex94 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.187.9.31 orport=9001 id=1E26A119172E2EBFC299D5B2DE26B9652D3B7F34"
-/* nickname=hxcsys */
+"5.9.120.18 orport=443 id=3CCEF96871A49AC06149E4AA8E14D270D881F6D3"
+" ipv6=[2a01:4f8:162:7018::2]:443"
+/* nickname=torsethforprivacy */
 /* extrainfo=0 */
 /* ===== */
 ,
-"90.146.176.221 orport=9003 id=65F86FD8B92C3AC01887D86B2171E657D5C19F79"
-/* nickname=eclipse03 */
+"37.187.20.164 orport=443 id=DAAB8E7AA811DE4020560D7D63D4A392C6BA621A"
+" ipv6=[2001:41d0:a:14a4::1]:443"
+/* nickname=mxcz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.100.87.192 orport=9443 id=C962D865AE72B6F2EF08E77F3B15894B9539C2B6"
-" ipv6=[2a06:1700:0:12::2]:9443"
-/* nickname=artikel10buc04 */
+"3.121.167.65 orport=9001 id=8F5ACB40B42628045E6D8CA4CB103CDAEB112A3E"
+/* nickname=Martell */
 /* extrainfo=0 */
 /* ===== */
 ,
-"130.180.111.194 orport=9010 id=3DF28C6A21F9F063FA1640F7367BE8143816D40F"
-/* nickname=DerRaffke */
+"185.165.168.77 orport=443 id=2C752C180089DDC89BC3FFCCB17FACFEEAFD79AA"
+/* nickname=rittervgexit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"172.81.131.111 orport=9001 id=12836441FEAC9AEE13A144A64E51AB2AD98885B4"
-/* nickname=TheEndOfTheInternet */
+"178.20.55.16 orport=443 id=EFAE44728264982224445E96214C15F9075DEE1D"
+/* nickname=marcuse1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.79.6 orport=9100 id=EF4CD1F369E8080DFB5A46187CFA9768D7857082"
-" ipv6=[2605:6400:30:f920:4cbe:d6a6:82b1:4e22]:9100"
-/* nickname=Quetzalcoatl */
+"194.59.46.2 orport=9001 id=A6E3A3C6CE962E917A12E586AE750805899C117B"
+/* nickname=dewebit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.13.254 orport=9000 id=392BEFDCB026A568E077786E79FDE589A9C0E451"
-" ipv6=[2605:6400:30:ee75:46fc:7871:dfeb:8ad3]:9000"
-/* nickname=Quetzalcoatl */
+"185.220.101.3 orport=9443 id=99E152CDB12F5ABBE08C0A2EA5B126CD3F1FAC5F"
+" ipv6=[2a0b:f4c2::3]:9443"
+/* nickname=artikel10ber06 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.15.218.190 orport=443 id=8927AD37F39D10C3F4CFDD5213606E4881CCF6B0"
-/* nickname=tirz */
+"188.68.56.100 orport=9090 id=D447D8180D5FB67D0E3AD08AC0A123EF943D84D4"
+" ipv6=[2a03:4000:6:f776:5862:30ff:fecf:d2c]:9090"
+/* nickname=Eigentor */
 /* extrainfo=0 */
 /* ===== */
 ,
-"205.185.124.164 orport=9001 id=7B67A3AD2395536FD15CB97588A0BC1A015AC267"
-/* nickname=stubbornoxen */
+"94.211.220.163 orport=9001 id=5DFF2F64A41EB91BAE553A860A953009105E3343"
+/* nickname=UnseenMoonBeam */
 /* extrainfo=0 */
 /* ===== */
 ,
-"91.201.65.91 orport=443 id=57C6DF5B93E54EB9C8DB90029D9E9A1111BD34D2"
-" ipv6=[2a06:f905:1:100::4e]:443"
-/* nickname=rinderwahnRelay12L */
+"192.42.116.28 orport=443 id=1DBACC31486FC670FBD403FAE877342EC696D598"
+" ipv6=[2001:67c:6ec:203:218:33ff:fe44:5528]:443"
+/* nickname=hviv128 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.154.164.243 orport=443 id=AC66FFA4AB35A59EBBF5BF4C70008BF24D8A7A5C"
-" ipv6=[2001:bc8:399f:f000::1]:993"
-/* nickname=torpidsFRonline3 */
+"185.220.101.208 orport=8443 id=18671DE5092C67883BFB2450C3267B92618BEC66"
+" ipv6=[2a0b:f4c2:2:1::208]:8443"
+/* nickname=ForPrivacyNET */
 /* extrainfo=0 */
 /* ===== */
 ,
-"142.252.252.254 orport=8081 id=7488F5265C5E331EB4F1CE5D750685492627464F"
-/* nickname=Altrosky4 */
+"217.23.8.2 orport=9001 id=B42C797CC8CD63C60FB643E820A11D113DF4F5C8"
+/* nickname=firefly */
 /* extrainfo=0 */
 /* ===== */
 ,
-"95.217.248.169 orport=9001 id=F08A3744CA6568ED28545C2B7C1BE7D8BA27CBDE"
-" ipv6=[2a01:4f9:4a:f230::10:4]:9001"
-/* nickname=winR */
+"185.100.87.192 orport=9443 id=C962D865AE72B6F2EF08E77F3B15894B9539C2B6"
+" ipv6=[2a06:1700:0:12::2]:9443"
+/* nickname=artikel10buc04 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.44.173.37 orport=443 id=ED7FDF68D504AEED4E28C6396B3E4A4ED04406B9"
-/* nickname=Unnamed */
+"109.202.205.68 orport=9001 id=E9DA4101B0E0D718ADF52100A9B30A67BA35A67C"
+/* nickname=Urgl */
 /* extrainfo=0 */
 /* ===== */
 ,
-"158.255.1.112 orport=443 id=76B4FEDD0696D924A407CFAB50B6E574B28CCDCA"
-/* nickname=vladimir */
+"104.244.76.184 orport=443 id=D5A2B3AE1E8047017A0BBC7209FD624DB84D47CE"
+" ipv6=[2605:6400:30:f99f::1]:443"
+/* nickname=komeru2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"102.130.119.48 orport=9001 id=A636F3A27D9C10713C7A77ED00183DE8727E3D84"
-/* nickname=axeTorA */
+"72.174.136.71 orport=59001 id=9E7C2C6DEDA3A90ED7D43527126AB67936FB038E"
+/* nickname=Veil */
 /* extrainfo=0 */
 /* ===== */
 ,
-"109.70.100.11 orport=443 id=96E095D5CDBFC3988DEB708EC155346472402C32"
-" ipv6=[2a03:e600:100::11]:443"
-/* nickname=karfiol */
+"193.110.95.34 orport=9001 id=094A0E6B4BDCED81B8A2811430F5FAF03464A3A8"
+" ipv6=[2a02:169:55f5:2::2]:9001"
+/* nickname=sten */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.195.255.85 orport=9001 id=A3AFBDEE30238E44899C9F8B7666D12B09C8EE32"
-/* nickname=isthisthereallife */
+"213.164.204.116 orport=9001 id=E001D2724CEA5615E828D30111B866AB277E86C2"
+/* nickname=Hydra7 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"116.203.50.182 orport=8080 id=00E1649E69FF91D7F01E74A5E62EF14F7D9915E4"
-" ipv6=[2a01:4f8:1c1c:b16b::1]:8080"
-/* nickname=dragonhoard */
+"185.220.101.5 orport=9443 id=EBA0FFA5799A9B9D79A3BE2DBD601E301ACFB087"
+" ipv6=[2a0b:f4c2::5]:9443"
+/* nickname=artikel10ber10 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.164.204.165 orport=9001 id=43ED841926B5DA9487032D789A31B5E74A7525E2"
-/* nickname=Hydra14 */
+"95.128.43.164 orport=443 id=616081EC829593AF4232550DE6FFAA1D75B37A90"
+" ipv6=[2a02:ec0:209:10::4]:443"
+/* nickname=AquaRayTerminus */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.164.204.152 orport=9001 id=E1D2328D0DB2A06EE85ABD9D8D75CC5DBDDFDA5C"
-/* nickname=Hydra8 */
+"178.254.44.176 orport=8173 id=AE6CE2B402C2930EBAF59A616E80AD43F7AB123B"
+/* nickname=1blu2DEicebeer73 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.61.186.166 orport=9000 id=B0CF3131A8097FFAF9E9B54566F12A2C6E560C48"
-" ipv6=[2605:6400:40:feca:bc44:119e:7d58:8792]:9000"
-/* nickname=Quetzalcoatl */
+"91.208.184.123 orport=443 id=ACF8FC6C14032A045B44F6B98525EE5C0472DD50"
+/* nickname=TorDiversity */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.176.3.23 orport=443 id=BCF55F865EE6EF17E25EFEAF851BC429F190B85D"
-" ipv6=[2001:620:20d0::23]:443"
-/* nickname=DigiGesTor5e1 */
+"72.167.47.69 orport=443 id=8BDBE498180C41249D3230FC5092CB3EB5A62482"
+/* nickname=Minotaur */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.182.179.34 orport=443 id=EFE89ECF4EE11613A19248777EBBA28719BF5FF7"
-" ipv6=[2a04:c47:e00:7cdf:4b9:a0ff:fe00:2f0]:443"
-/* nickname=Slavyanka */
+"103.251.167.10 orport=443 id=AF8DB275960279B87F098B16CC9C78092E118DB3"
+" ipv6=[2a01:6340:2:501::10]:443"
+/* nickname=NLfreedom1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"138.59.18.106 orport=443 id=0BADD9510440C9BF3A728F2CB630836FF98142B2"
-/* nickname=Albis */
+"23.106.120.42 orport=9001 id=D55BE90E549B4A21033672EA69030D2047FFC58B"
+/* nickname=CraigBrightbane */
 /* extrainfo=0 */
 /* ===== */
 ,
-"148.251.66.75 orport=9001 id=4BC6B5DA381A0044E81CA7B6170D46588C060ADA"
-/* nickname=ChlewigenRelay */
+"185.100.85.25 orport=9443 id=B99C68B77AE06CD0FD3C19E6F5552872BE2E7604"
+" ipv6=[2a06:1700:0:12::4]:9443"
+/* nickname=artikel10buc08 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.157.254.114 orport=443 id=18671DE5092C67883BFB2450C3267B92618BEC66"
-" ipv6=[2001:4ba0:ffff:1ce::3]:443"
-/* nickname=ForPrivacyNET */
+"50.116.47.139 orport=9001 id=954B221CFDC3F56A15FE3C29F85D5FE34BB144B2"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"72.89.32.196 orport=9001 id=67F5AC35DBA20D22A0178BFB6F4AC076C3B16829"
-/* nickname=hubble */
+"92.219.112.13 orport=9001 id=AF1852AACF490755ED00A2454618C8C8D172D307"
+/* nickname=lonninator01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.101.17 orport=9443 id=6E3DD22CF40499F67CCADC5C024397748C0E63B4"
-" ipv6=[2a0b:f4c2::17]:9443"
-/* nickname=artikel10ber34 */
+"134.102.200.101 orport=9001 id=F1CD870D7A8FA364E459ABA70B1737D40B0B4BB3"
+" ipv6=[2001:638:708:30c8::65]:9001"
+/* nickname=csUniHB */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.75.194.221 orport=9001 id=38F21DEE29E40DCDF9460A80662B7723562CA008"
-/* nickname=trabajando */
+"185.195.71.6 orport=443 id=D255268BACBB4562554CF20147731BDA0D8C452B"
+/* nickname=AccessNow004 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.47.14.99 orport=9001 id=A1688972E4AA4F24C4C9AA2372CD387B82834C40"
-" ipv6=[2a01:4f8:c17:13aa::1]:9001"
-/* nickname=whatnick2 */
+"23.129.64.177 orport=443 id=8B4381CBDD1358AC8EE66C23B5BE5E0A3F780F21"
+" ipv6=[2620:18c:0:192::177]:443"
+/* nickname=AlanTuringLGBTQ */
 /* extrainfo=0 */
 /* ===== */
 ,
-"89.163.164.202 orport=443 id=FF9FC6D130FA26AE3AE8B23688691DC419F0F22E"
-" ipv6=[2001:4ba0:cafe:12a1::]:443"
-/* nickname=rinderwahnRelay3L */
+"65.108.136.189 orport=80 id=624B7391B9790E7CD2AF6A7238239BA3D6928A57"
+" ipv6=[2a01:4f9:6b:3408::3]:80"
+/* nickname=arbitraryKenzie3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.100.6.30 orport=9001 id=669102E6FA8E116AC05FE823B0634B44499944E3"
-/* nickname=Quiv */
+"179.43.146.230 orport=443 id=B63410CD48185ED34E9C6AE62D048D8A6854A5CA"
+/* nickname=leuwerik */
 /* extrainfo=0 */
 /* ===== */
 ,
-"82.48.198.112 orport=9443 id=94F367A130296C9EB92BE32E25AAEB7F227DE0D6"
-/* nickname=FreeZion */
+"176.223.141.106 orport=443 id=5262556D44A7F2434990FDE1AE7973C67DF49E58"
+" ipv6=[2a02:7b40:b0df:8d6a::1]:443"
+/* nickname=Theoden */
 /* extrainfo=0 */
 /* ===== */
 ,
-"140.78.100.41 orport=8443 id=C9525872E3AA926402D8998085A409C7BBDFAE59"
-/* nickname=INSRelay41at8443 */
+"144.91.114.27 orport=9001 id=451AD42EDB2598B06AF87403D6FA23BCA165BF5F"
+" ipv6=[2a02:c207:3008:5548::1]:9001"
+/* nickname=AomoriDevRel1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.82.219.109 orport=443 id=2B34099ED2BC598C4745C96C873FD73A445646BD"
-/* nickname=RunningOnFumes4 */
+"159.89.124.240 orport=9000 id=C8FE57A0C112E123CB8B9A81B1E505B2E8F75CEF"
+" ipv6=[2604:a880:cad:d0::bbd:f001]:9000"
+/* nickname=trecinex01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"159.89.87.126 orport=143 id=9D07DFA6472B80277798D73234348CEF02F2E7D5"
-/* nickname=incircuitryrelay */
+"104.217.250.206 orport=443 id=63EF43219D7FB80DA34C80D507395A8A5EE7993D"
+/* nickname=emokid */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.61.185.114 orport=9100 id=5E4EBE4078DFBE6CA4648C4D32EEBFE6D822CACB"
-" ipv6=[2605:6400:40:fec5:3c19:b3c1:b8a1:1f27]:9100"
-/* nickname=Quetzalcoatl */
+"37.143.118.9 orport=443 id=263907E9D48FBEAE6E64B10C628AE8BDF466869B"
+/* nickname=msBobo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.15.197.24 orport=443 id=FBCD904030EA49971E4766A9009DEE96F2FEC4F4"
-" ipv6=[2001:bc8:630:299::1]:443"
-/* nickname=charlie */
+"95.216.100.82 orport=9001 id=3E9FEEADB71C1397EABEFABC96865CB8FAB06E6D"
+/* nickname=stoertetor01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"205.185.115.163 orport=443 id=ABCE9719136F55FB44608274DA2CA9F64237AD27"
-/* nickname=Unnamed */
+"88.208.215.95 orport=1503 id=4853A70DB9F95203A1544A0245D9D229F97B481A"
+" ipv6=[2a00:da00:1800:1f5::1]:1503"
+/* nickname=AndrewRyan */
 /* extrainfo=0 */
 /* ===== */
 ,
-"178.170.42.112 orport=9001 id=6CF8862649ED845917BF35EA4F7986F782CCFFCE"
-" ipv6=[2a00:c70:1:178:170:42:112:8]:9001"
-/* nickname=mullbinde7 */
+"135.148.53.61 orport=443 id=7551C1446DBA7BCF8395389A125445E71952D467"
+/* nickname=adrian */
 /* extrainfo=0 */
 /* ===== */
 ,
-"176.10.99.207 orport=443 id=0516085D6CAC40ED4CDCEFDFC5CCF6B00DE61DED"
-/* nickname=AccessNow007 */
+"170.133.2.76 orport=9001 id=1AC45083EBC7E02720C13254CEA3F7B032C248E2"
+" ipv6=[2001:470:5429::b3]:9001"
+/* nickname=vsm */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.98.59.35 orport=9000 id=9376A43695CBB66C256DCC87932EE885EA9AF5EC"
-" ipv6=[2605:6400:10:542:d124:fa7a:9141:db6c]:9000"
-/* nickname=Quetzalcoatl */
+"94.140.115.114 orport=8443 id=66C102FA5DDF48C9EEEB048C1630933B66C50ECC"
+/* nickname=kbtr7lv */
 /* extrainfo=0 */
 /* ===== */
 ,
diff --git a/darwin/tor/src/core/or/channelpadding.c b/darwin/tor/src/core/or/channelpadding.c
index 47a04e52..1f559f6c 100644
--- a/darwin/tor/src/core/or/channelpadding.c
+++ b/darwin/tor/src/core/or/channelpadding.c
@@ -186,7 +186,7 @@ channelpadding_get_netflow_inactive_timeout_ms(const channel_t *chan)
     high_timeout = MAX(high_timeout, chan->padding_timeout_high_ms);
   }
 
-  if (low_timeout == high_timeout)
+  if (low_timeout >= high_timeout)
     return low_timeout; // No randomization
 
   /*
diff --git a/darwin/tor/src/core/or/command.c b/darwin/tor/src/core/or/command.c
index 622217a7..9155f52a 100644
--- a/darwin/tor/src/core/or/command.c
+++ b/darwin/tor/src/core/or/command.c
@@ -652,19 +652,22 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan)
   if (!CIRCUIT_IS_ORIGIN(circ) &&
       chan == TO_OR_CIRCUIT(circ)->p_chan &&
       cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) {
-    /* the destroy came from behind */
+    /* The destroy came from behind so nullify its p_chan. Close the circuit
+     * with a DESTROYED reason so we don't propagate along the path forward the
+     * reason which could be used as a side channel. */
     circuit_set_p_circid_chan(TO_OR_CIRCUIT(circ), 0, NULL);
-    circuit_mark_for_close(circ, reason|END_CIRC_REASON_FLAG_REMOTE);
+    circuit_mark_for_close(circ, END_CIRC_REASON_DESTROYED);
   } else { /* the destroy came from ahead */
     circuit_set_n_circid_chan(circ, 0, NULL);
     if (CIRCUIT_IS_ORIGIN(circ)) {
       circuit_mark_for_close(circ, reason|END_CIRC_REASON_FLAG_REMOTE);
     } else {
-      char payload[1];
-      log_debug(LD_OR, "Delivering 'truncated' back.");
-      payload[0] = (char)reason;
-      relay_send_command_from_edge(0, circ, RELAY_COMMAND_TRUNCATED,
-                                   payload, sizeof(payload), NULL);
+      /* Close the circuit so we stop queuing cells for it and propagate the
+       * DESTROY cell down the circuit so relays can stop queuing in-flight
+       * cells for this circuit which helps with memory pressure. We do NOT
+       * propagate the remote reason so not to create a side channel. */
+      log_debug(LD_OR, "Received DESTROY cell from n_chan, closing circuit.");
+      circuit_mark_for_close(circ, END_CIRC_REASON_DESTROYED);
     }
   }
 }
diff --git a/darwin/tor/src/core/or/connection_or.c b/darwin/tor/src/core/or/connection_or.c
index dd31638e..6d9f1c75 100644
--- a/darwin/tor/src/core/or/connection_or.c
+++ b/darwin/tor/src/core/or/connection_or.c
@@ -805,6 +805,10 @@ connection_or_about_to_close(or_connection_t *or_conn)
   } else if (!tor_digest_is_zero(or_conn->identity_digest)) {
     connection_or_event_status(or_conn, OR_CONN_EVENT_CLOSED,
                 tls_error_to_orconn_end_reason(or_conn->tls_error));
+  } else {
+    /* Normal close, we notify of a done connection. */
+    connection_or_event_status(or_conn, OR_CONN_EVENT_CLOSED,
+                               END_OR_CONN_REASON_DONE);
   }
 }
 
diff --git a/darwin/tor/src/lib/sandbox/sandbox.c b/darwin/tor/src/lib/sandbox/sandbox.c
index 5f73fd2b..9a7487a2 100644
--- a/darwin/tor/src/lib/sandbox/sandbox.c
+++ b/darwin/tor/src/lib/sandbox/sandbox.c
@@ -227,6 +227,9 @@ static int filter_nopar_gen[] = {
 #endif
     SCMP_SYS(read),
     SCMP_SYS(rt_sigreturn),
+#ifdef __NR_rseq
+    SCMP_SYS(rseq),
+#endif
     SCMP_SYS(sched_getaffinity),
 #ifdef __NR_sched_yield
     SCMP_SYS(sched_yield),
diff --git a/darwin/tor/src/win32/orconfig.h b/darwin/tor/src/win32/orconfig.h
index 6c8997e5..1de08280 100644
--- a/darwin/tor/src/win32/orconfig.h
+++ b/darwin/tor/src/win32/orconfig.h
@@ -217,7 +217,7 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 #define HAVE_STRUCT_SOCKADDR_IN6
 #define HAVE_STRUCT_IN6_ADDR
diff --git a/linux/libevent/buffer.c b/linux/libevent/buffer.c
index 6c96f054..825f6a29 100644
--- a/linux/libevent/buffer.c
+++ b/linux/libevent/buffer.c
@@ -1668,7 +1668,7 @@ evbuffer_search_eol(struct evbuffer *buffer,
 		if (evbuffer_strchr(&it, '\n') < 0)
 			goto done;
 		extra_drain = 1;
-		/* ... optionally preceeded by a CR. */
+		/* ... optionally preceded by a CR. */
 		if (it.pos == start_pos)
 			break; /* If the first character is \n, don't back up */
 		/* This potentially does an extra linear walk over the first
@@ -3080,7 +3080,11 @@ evbuffer_file_segment_materialize(struct evbuffer_file_segment *seg)
 			offset_leftover = offset % page_size;
 			offset_rounded = offset - offset_leftover;
 		}
+#if defined(EVENT__HAVE_MMAP64)
+		mapped = mmap64(NULL, length + offset_leftover,
+#else
 		mapped = mmap(NULL, length + offset_leftover,
+#endif
 		    PROT_READ,
 #ifdef MAP_NOCACHE
 		    MAP_NOCACHE | /* ??? */
diff --git a/linux/libevent/buffer_iocp.c b/linux/libevent/buffer_iocp.c
index 2af0c49c..77619760 100644
--- a/linux/libevent/buffer_iocp.c
+++ b/linux/libevent/buffer_iocp.c
@@ -69,7 +69,7 @@ struct evbuffer_overlapped {
 	WSABUF buffers[MAX_WSABUFS];
 };
 
-/** Given an evbuffer, return the correponding evbuffer structure, or NULL if
+/** Given an evbuffer, return the corresponding evbuffer structure, or NULL if
  * the evbuffer isn't overlapped. */
 static inline struct evbuffer_overlapped *
 upcast_evbuffer(struct evbuffer *buf)
diff --git a/linux/libevent/bufferevent-internal.h b/linux/libevent/bufferevent-internal.h
index 3ad0acf0..8db48d12 100644
--- a/linux/libevent/bufferevent-internal.h
+++ b/linux/libevent/bufferevent-internal.h
@@ -485,8 +485,8 @@ bufferevent_socket_set_conn_address_(struct bufferevent *bev, struct sockaddr *a
 #define BEV_UPCAST(b) EVUTIL_UPCAST((b), struct bufferevent_private, bev)
 
 #ifdef EVENT__DISABLE_THREAD_SUPPORT
-#define BEV_LOCK(b) EVUTIL_NIL_STMT_
-#define BEV_UNLOCK(b) EVUTIL_NIL_STMT_
+#define BEV_LOCK(b) (void)(b)
+#define BEV_UNLOCK(b) (void)(b)
 #else
 /** Internal: Grab the lock (if any) on a bufferevent */
 #define BEV_LOCK(b) do {						\
diff --git a/linux/libevent/bufferevent.c b/linux/libevent/bufferevent.c
index 53d3a995..79f76f4e 100644
--- a/linux/libevent/bufferevent.c
+++ b/linux/libevent/bufferevent.c
@@ -501,7 +501,7 @@ bufferevent_enable(struct bufferevent *bufev, short event)
 	if (impl_events && bufev->be_ops->enable(bufev, impl_events) < 0)
 		r = -1;
 	if (r)
-		event_debug(("%s: cannot enable 0x%hx on %p", __func__, event, bufev));
+		event_debug(("%s: cannot enable 0x%hx on %p", __func__, event, (void *)bufev));
 
 	bufferevent_decref_and_unlock_(bufev);
 	return r;
@@ -585,7 +585,7 @@ bufferevent_disable(struct bufferevent *bufev, short event)
 	if (bufev->be_ops->disable(bufev, event) < 0)
 		r = -1;
 	if (r)
-		event_debug(("%s: cannot disable 0x%hx on %p", __func__, event, bufev));
+		event_debug(("%s: cannot disable 0x%hx on %p", __func__, event, (void *)bufev));
 
 	BEV_UNLOCK(bufev);
 	return r;
@@ -876,7 +876,7 @@ bufferevent_setfd(struct bufferevent *bev, evutil_socket_t fd)
 	if (bev->be_ops->ctrl)
 		res = bev->be_ops->ctrl(bev, BEV_CTRL_SET_FD, &d);
 	if (res)
-		event_debug(("%s: cannot set fd for %p to "EV_SOCK_FMT, __func__, bev, fd));
+		event_debug(("%s: cannot set fd for %p to "EV_SOCK_FMT, __func__, (void *)bev, fd));
 	BEV_UNLOCK(bev);
 	return res;
 }
@@ -903,7 +903,7 @@ bufferevent_replacefd(struct bufferevent *bev, evutil_socket_t fd)
 		}
 	}
 	if (err)
-		event_debug(("%s: cannot replace fd for %p from "EV_SOCK_FMT" to "EV_SOCK_FMT, __func__, bev, old_fd, fd));
+		event_debug(("%s: cannot replace fd for %p from "EV_SOCK_FMT" to "EV_SOCK_FMT, __func__, (void *)bev, old_fd, fd));
 	BEV_UNLOCK(bev);
 
 	return err;
@@ -919,7 +919,7 @@ bufferevent_getfd(struct bufferevent *bev)
 	if (bev->be_ops->ctrl)
 		res = bev->be_ops->ctrl(bev, BEV_CTRL_GET_FD, &d);
 	if (res)
-		event_debug(("%s: cannot get fd for %p", __func__, bev));
+		event_debug(("%s: cannot get fd for %p", __func__, (void *)bev));
 	BEV_UNLOCK(bev);
 	return (res<0) ? -1 : d.fd;
 }
diff --git a/linux/libevent/bufferevent_mbedtls.c b/linux/libevent/bufferevent_mbedtls.c
index f42da2ae..ca96f723 100644
--- a/linux/libevent/bufferevent_mbedtls.c
+++ b/linux/libevent/bufferevent_mbedtls.c
@@ -24,8 +24,15 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+
+/* Mbed-TLS 3.x does not currently expose a function to retrieve
+   the bio parameters from the SSL object. When the above issue has been
+   fixed, remove the MBEDTLS_ALLOW_PRIVATE_ACCESS define and use the
+   appropriate getter function in bufferevent_mbedtls_socket_new rather than
+   accessing the struct fields directly. */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include "mbedtls-compat.h"
-#include <mbedtls/config.h>
+#include <mbedtls/version.h>
 #include <mbedtls/ssl.h>
 #include <mbedtls/error.h>
 
diff --git a/linux/libevent/bufferevent_openssl.c b/linux/libevent/bufferevent_openssl.c
index 6ace1e3a..c74a76e4 100644
--- a/linux/libevent/bufferevent_openssl.c
+++ b/linux/libevent/bufferevent_openssl.c
@@ -259,7 +259,9 @@ conn_closed(struct bufferevent_ssl *bev_ssl, int when, int errcode, int ret)
 		bufferevent_ssl_put_error(bev_ssl, errcode);
 		break;
 	case SSL_ERROR_SSL:
-		/* Protocol error. */
+		/* Protocol error; possibly a dirty shutdown. */
+		if (ret == 0 && SSL_is_init_finished(bev_ssl->ssl) == 0)
+			dirty_shutdown = 1;
 		bufferevent_ssl_put_error(bev_ssl, errcode);
 		break;
 	case SSL_ERROR_WANT_X509_LOOKUP:
@@ -475,7 +477,7 @@ bufferevent_openssl_socket_new(struct event_base *base,
 			   This is probably an error on our part.  Fail. */
 			goto err;
 		}
-		BIO_set_close(bio, 0);
+		(void)BIO_set_close(bio, 0);
 	} else {
 		/* The SSL isn't configured with a BIO with an fd. */
 		if (fd >= 0) {
diff --git a/linux/libevent/bufferevent_ratelim.c b/linux/libevent/bufferevent_ratelim.c
index 3b7ae51b..1fed9d15 100644
--- a/linux/libevent/bufferevent_ratelim.c
+++ b/linux/libevent/bufferevent_ratelim.c
@@ -76,7 +76,7 @@ ev_token_bucket_update_(struct ev_token_bucket *bucket,
     ev_uint32_t current_tick)
 {
 	/* It's okay if the tick number overflows, since we'll just
-	 * wrap around when we do the unsigned substraction. */
+	 * wrap around when we do the unsigned subtraction. */
 	unsigned n_ticks = current_tick - bucket->last_updated;
 
 	/* Make sure some ticks actually happened, and that time didn't
diff --git a/linux/libevent/config.h b/linux/libevent/config.h
index 88176d65..e3710107 100644
--- a/linux/libevent/config.h
+++ b/linux/libevent/config.h
@@ -156,6 +156,9 @@
 /* Define to 1 if you have the `mmap' function. */
 #define HAVE_MMAP 1
 
+/* Define to 1 if you have the `mmap64' function. */
+#define HAVE_MMAP64 1
+
 /* Define to 1 if you have the `nanosleep' function. */
 #define HAVE_NANOSLEEP 1
 
diff --git a/linux/libevent/evdns.c b/linux/libevent/evdns.c
index ee06fdda..684582f9 100644
--- a/linux/libevent/evdns.c
+++ b/linux/libevent/evdns.c
@@ -122,8 +122,8 @@
 #define EVDNS_LOG_WARN EVENT_LOG_WARN
 #define EVDNS_LOG_MSG EVENT_LOG_MSG
 
-#ifndef HOST_NAME_MAX
-#define HOST_NAME_MAX 255
+#ifndef EVDNS_NAME_MAX
+#define EVDNS_NAME_MAX 255
 #endif
 
 #include <stdio.h>
@@ -854,7 +854,7 @@ request_finished(struct request *const req, struct request **head, int free_hand
 	if (head)
 		evdns_request_remove(req, head);
 
-	log(EVDNS_LOG_DEBUG, "Removing timeout for request %p", req);
+	log(EVDNS_LOG_DEBUG, "Removing timeout for request %p", (void *)req);
 	if (was_inflight) {
 		evtimer_del(&req->timeout_event);
 		base->global_requests_inflight--;
@@ -1350,7 +1350,7 @@ reply_parse(struct evdns_base *base, u8 *packet, int length)
 	 * to parse the response. To simplify things let's just allocate
 	 * a little bit more to avoid complex evaluations.
 	 */
-	buf_size = MAX(length - j, HOST_NAME_MAX);
+	buf_size = MAX(length - j, EVDNS_NAME_MAX);
 	reply.data.raw = mm_malloc(buf_size);
 
 	/* now we have the answer section which looks like
@@ -1394,7 +1394,7 @@ reply_parse(struct evdns_base *base, u8 *packet, int length)
 			reply.have_answer = 1;
 			break;
 		} else if (type == TYPE_CNAME) {
-			char cname[HOST_NAME_MAX];
+			char cname[EVDNS_NAME_MAX];
 			if (name_parse(packet, length, &j, cname,
 				sizeof(cname))<0)
 				goto err;
@@ -1755,7 +1755,7 @@ server_send_response(struct evdns_server_port *port, struct server_request *req)
 	}
 
 beferevent_error:
-	log(EVDNS_LOG_WARN, "Failed to send reply to request %p for client %p", req, req->client);
+	log(EVDNS_LOG_WARN, "Failed to send reply to request %p for client %p", (void *)req, (void *)req->client);
 	/* disconnect if we got bufferevent error */
 	evdns_remove_tcp_client(port, req->client);
 	return -1;
@@ -2196,7 +2196,7 @@ server_tcp_read_packet_cb(struct bufferevent *bev, void *ctx)
 
 	while (1) {
 		if (tcp_read_message(conn, &msg, &msg_len)) {
-			log(EVDNS_LOG_MSG, "Closing client connection %p due to error", bev);
+			log(EVDNS_LOG_MSG, "Closing client connection %p due to error", (void *)bev);
 			evdns_remove_tcp_client(port, client);
 			rc = port->refcnt;
 			EVDNS_UNLOCK(port);
@@ -2230,7 +2230,7 @@ server_tcp_event_cb(struct bufferevent *bev, short events, void *ctx)
 	EVUTIL_ASSERT(port && bev);
 	EVDNS_LOCK(port);
 	if (events & (BEV_EVENT_EOF | BEV_EVENT_ERROR | BEV_EVENT_TIMEOUT)) {
-		log(EVDNS_LOG_DEBUG, "Closing connection %p", bev);
+		log(EVDNS_LOG_DEBUG, "Closing connection %p", (void *)bev);
 		evdns_remove_tcp_client(port, client);
 	}
 	rc = port->refcnt;
@@ -2250,7 +2250,7 @@ incoming_conn_cb(struct evconnlistener *listener, evutil_socket_t fd,
 
 	if (!bev)
 		goto error;
-	log(EVDNS_LOG_DEBUG, "New incoming client connection %p", bev);
+	log(EVDNS_LOG_DEBUG, "New incoming client connection %p", (void *)bev);
 
 	bufferevent_set_timeouts(bev, &port->tcp_idle_timeout, &port->tcp_idle_timeout);
 
@@ -2721,7 +2721,7 @@ retransmit_all_tcp_requests_for(struct nameserver *server)
 			if (req->ns == server && (req->handle->tcp_flags & DNS_QUERY_USEVC)) {
 				if (req->tx_count >= req->base->global_max_retransmits) {
 					log(EVDNS_LOG_DEBUG, "Giving up on request %p; tx_count==%d",
-						req, req->tx_count);
+						(void *)req, req->tx_count);
 					reply_schedule_callback(req, 0, DNS_ERR_TIMEOUT, NULL);
 					request_finished(req, &REQ_HEAD(req->base, req->trans_id), 1);
 				} else {
@@ -2843,7 +2843,7 @@ evdns_tcp_connect_if_disconnected(struct nameserver *server)
 		return 1;
 
 	conn->state = TS_CONNECTING;
-	log(EVDNS_LOG_DEBUG, "New tcp connection %p created", conn);
+	log(EVDNS_LOG_DEBUG, "New tcp connection %p created", (void *)conn);
 	return 0;
 }
 
@@ -2893,7 +2893,7 @@ client_tcp_event_cb(struct bufferevent *bev, short events, void *ctx) {
 	EVDNS_LOCK(server->base);
 	EVUTIL_ASSERT(conn && conn->bev == bev && bev);
 
-	log(EVDNS_LOG_DEBUG, "Event %d on connection %p", events, conn);
+	log(EVDNS_LOG_DEBUG, "Event %d on connection %p", events, (void *)conn);
 
 	if (events & (BEV_EVENT_TIMEOUT)) {
 		disconnect_and_free_connection(server->connection);
@@ -2931,7 +2931,7 @@ evdns_request_transmit_through_tcp(struct request *req, struct nameserver *serve
 	conn = server->connection;
 	bufferevent_setcb(conn->bev, client_tcp_read_packet_cb, NULL, client_tcp_event_cb, server);
 
-	log(EVDNS_LOG_DEBUG, "Sending request %p via tcp connection %p", req, conn);
+	log(EVDNS_LOG_DEBUG, "Sending request %p via tcp connection %p", (void *)req, (void *)conn);
 	packet_size = htons(req->request_len);
 	if (bufferevent_write(conn->bev, &packet_size, sizeof(packet_size)) )
 		goto fail;
@@ -2944,7 +2944,7 @@ evdns_request_transmit_through_tcp(struct request *req, struct nameserver *serve
 
 	return 0;
 fail:
-	log(EVDNS_LOG_WARN, "Failed to send request %p via tcp connection %p", req, conn);
+	log(EVDNS_LOG_WARN, "Failed to send request %p via tcp connection %p", (void *)req, (void *)conn);
 	disconnect_and_free_connection(server->connection);
 	server->connection = NULL;
 	return 2;
@@ -3006,11 +3006,11 @@ evdns_request_transmit(struct request *req) {
 	default:
 		/* all ok */
 		log(EVDNS_LOG_DEBUG,
-		    "Setting timeout for request %p, sent to nameserver %p", req, req->ns);
+		    "Setting timeout for request %p, sent to nameserver %p", (void *)req, (void *)req->ns);
 		if (evtimer_add(&req->timeout_event, &req->base->global_timeout) < 0) {
 			log(EVDNS_LOG_WARN,
 		      "Error from libevent when adding timer for request %p",
-			    req);
+			    (void *)req);
 			/* ???? Do more? */
 		}
 		req->tx_count++;
@@ -3290,7 +3290,7 @@ evdns_nameserver_add_impl_(struct evdns_base *base, const struct sockaddr *addre
 	}
 
 	log(EVDNS_LOG_DEBUG, "Added nameserver %s as %p",
-	    evutil_format_sockaddr_port_(address, addrbuf, sizeof(addrbuf)), ns);
+	    evutil_format_sockaddr_port_(address, addrbuf, sizeof(addrbuf)), (void *)ns);
 
 	/* insert this nameserver into the list of them */
 	if (!base->server_head) {
@@ -3982,7 +3982,7 @@ evdns_search_ndots_set(const int ndots) {
 
 static void
 search_set_from_hostname(struct evdns_base *base) {
-	char hostname[HOST_NAME_MAX + 1], *domainname;
+	char hostname[EVDNS_NAME_MAX + 1], *domainname;
 
 	ASSERT_LOCKED(base);
 	search_postfix_clear(base);
@@ -5670,7 +5670,7 @@ evdns_getaddrinfo(struct evdns_base *dns_base,
 
 	if (hints.ai_family != PF_INET6) {
 		log(EVDNS_LOG_DEBUG, "Sending request for %s on ipv4 as %p",
-		    nodename, &data->ipv4_request);
+		    nodename, (void *)&data->ipv4_request);
 
 		data->ipv4_request.r = evdns_base_resolve_ipv4(dns_base,
 		    nodename, 0, evdns_getaddrinfo_gotresolve,
@@ -5681,7 +5681,7 @@ evdns_getaddrinfo(struct evdns_base *dns_base,
 	}
 	if (hints.ai_family != PF_INET) {
 		log(EVDNS_LOG_DEBUG, "Sending request for %s on ipv6 as %p",
-		    nodename, &data->ipv6_request);
+		    nodename, (void *)&data->ipv6_request);
 
 		data->ipv6_request.r = evdns_base_resolve_ipv6(dns_base,
 		    nodename, 0, evdns_getaddrinfo_gotresolve,
diff --git a/linux/libevent/event.c b/linux/libevent/event.c
index 1fb437e9..56be024f 100644
--- a/linux/libevent/event.c
+++ b/linux/libevent/event.c
@@ -302,7 +302,7 @@ static void event_debug_note_add_(const struct event *ev)
 		    "%s: noting an add on a non-setup event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT
 		    ", flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -328,7 +328,7 @@ static void event_debug_note_del_(const struct event *ev)
 		    "%s: noting a del on a non-setup event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT
 		    ", flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -352,7 +352,7 @@ static void event_debug_assert_is_setup_(const struct event *ev)
 		    "%s called on a non-initialized event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT
 		    ", flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -373,7 +373,7 @@ static void event_debug_assert_not_added_(const struct event *ev)
 		    "%s called on an already added event %p"
 		    " (events: 0x%x, fd: "EV_SOCK_FMT", "
 		    "flags: 0x%x)",
-		    __func__, ev, ev->ev_events,
+		    __func__, (void *)ev, ev->ev_events,
 		    EV_SOCK_ARG(ev->ev_fd), ev->ev_flags);
 	}
 	EVLOCK_UNLOCK(event_debug_map_lock_, 0);
@@ -1673,16 +1673,16 @@ event_process_active_single_queue(struct event_base *base,
 				event_del_nolock_(ev, EVENT_DEL_NOBLOCK);
 			event_debug((
 			    "event_process_active: event: %p, %s%s%scall %p",
-			    ev,
+			    (void *)ev,
 			    ev->ev_res & EV_READ ? "EV_READ " : " ",
 			    ev->ev_res & EV_WRITE ? "EV_WRITE " : " ",
 			    ev->ev_res & EV_CLOSED ? "EV_CLOSED " : " ",
-			    ev->ev_callback));
+			    (void *)ev->ev_callback));
 		} else {
 			event_queue_remove_active(base, evcb);
 			event_debug(("event_process_active: event_callback %p, "
 				"closure %d, call %p",
-				evcb, evcb->evcb_closure, evcb->evcb_cb_union.evcb_callback));
+				(void *)evcb, evcb->evcb_closure, (void *)evcb->evcb_cb_union.evcb_callback));
 		}
 
 		if (!(evcb->evcb_flags & EVLIST_INTERNAL))
@@ -2600,7 +2600,7 @@ event_remove_timer_nolock_(struct event *ev)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	event_debug_assert_is_setup_(ev);
 
-	event_debug(("event_remove_timer_nolock: event: %p", ev));
+	event_debug(("event_remove_timer_nolock: event: %p", (void *)ev));
 
 	/* If it's not pending on a timeout, we don't need to do anything. */
 	if (ev->ev_flags & EVLIST_TIMEOUT) {
@@ -2647,13 +2647,13 @@ event_add_nolock_(struct event *ev, const struct timeval *tv,
 
 	event_debug((
 		 "event_add: event: %p (fd "EV_SOCK_FMT"), %s%s%s%scall %p",
-		 ev,
+		 (void *)ev,
 		 EV_SOCK_ARG(ev->ev_fd),
 		 ev->ev_events & EV_READ ? "EV_READ " : " ",
 		 ev->ev_events & EV_WRITE ? "EV_WRITE " : " ",
 		 ev->ev_events & EV_CLOSED ? "EV_CLOSED " : " ",
 		 tv ? "EV_TIMEOUT " : " ",
-		 ev->ev_callback));
+		 (void *)ev->ev_callback));
 
 	EVUTIL_ASSERT(!(ev->ev_flags & ~EVLIST_ALL));
 
@@ -2767,7 +2767,7 @@ event_add_nolock_(struct event *ev, const struct timeval *tv,
 
 		event_debug((
 			 "event_add: event %p, timeout in %d seconds %d useconds, call %p",
-			 ev, (int)tv->tv_sec, (int)tv->tv_usec, ev->ev_callback));
+			 (void *)ev, (int)tv->tv_sec, (int)tv->tv_usec, (void *)ev->ev_callback));
 
 #ifdef USE_REINSERT_TIMEOUT
 		event_queue_reinsert_timeout(base, ev, was_common, common_timeout, old_timeout_idx);
@@ -2854,7 +2854,7 @@ event_del_nolock_(struct event *ev, int blocking)
 	int res = 0, notify = 0;
 
 	event_debug(("event_del: %p (fd "EV_SOCK_FMT"), callback %p",
-		ev, EV_SOCK_ARG(ev->ev_fd), ev->ev_callback));
+		(void *)ev, EV_SOCK_ARG(ev->ev_fd), (void *)ev->ev_callback));
 
 	/* An event without a base has not been added */
 	if (ev->ev_base == NULL)
@@ -2962,7 +2962,7 @@ event_active_nolock_(struct event *ev, int res, short ncalls)
 	struct event_base *base;
 
 	event_debug(("event_active: %p (fd "EV_SOCK_FMT"), res %d, callback %p",
-		ev, EV_SOCK_ARG(ev->ev_fd), (int)res, ev->ev_callback));
+		(void *)ev, EV_SOCK_ARG(ev->ev_fd), (int)res, (void *)ev->ev_callback));
 
 	base = ev->ev_base;
 	EVENT_BASE_ASSERT_LOCKED(base);
@@ -3211,7 +3211,7 @@ timeout_next(struct event_base *base, struct timeval **tv_p)
 
 	EVUTIL_ASSERT(tv->tv_sec >= 0);
 	EVUTIL_ASSERT(tv->tv_usec >= 0);
-	event_debug(("timeout_next: event: %p, in %d seconds, %d useconds", ev, (int)tv->tv_sec, (int)tv->tv_usec));
+	event_debug(("timeout_next: event: %p, in %d seconds, %d useconds", (void *)ev, (int)tv->tv_sec, (int)tv->tv_usec));
 
 out:
 	return (res);
@@ -3239,7 +3239,7 @@ timeout_process(struct event_base *base)
 		event_del_nolock_(ev, EVENT_DEL_NOBLOCK);
 
 		event_debug(("timeout_process: event: %p, call %p",
-			 ev, ev->ev_callback));
+			 (void *)ev, (void *)ev->ev_callback));
 		event_active_nolock_(ev, EV_TIMEOUT, 1);
 	}
 }
@@ -3267,7 +3267,7 @@ event_queue_remove_inserted(struct event_base *base, struct event *ev)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(ev->ev_flags & EVLIST_INSERTED))) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") not on queue %x", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_INSERTED);
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_INSERTED);
 		return;
 	}
 	DECR_EVENT_COUNT(base, ev->ev_flags);
@@ -3279,7 +3279,7 @@ event_queue_remove_active(struct event_base *base, struct event_callback *evcb)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(evcb->evcb_flags & EVLIST_ACTIVE))) {
 		event_errx(1, "%s: %p not on queue %x", __func__,
-			   evcb, EVLIST_ACTIVE);
+                          (void *)evcb, EVLIST_ACTIVE);
 		return;
 	}
 	DECR_EVENT_COUNT(base, evcb->evcb_flags);
@@ -3295,7 +3295,7 @@ event_queue_remove_active_later(struct event_base *base, struct event_callback *
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(evcb->evcb_flags & EVLIST_ACTIVE_LATER))) {
 		event_errx(1, "%s: %p not on queue %x", __func__,
-			   evcb, EVLIST_ACTIVE_LATER);
+                          (void *)evcb, EVLIST_ACTIVE_LATER);
 		return;
 	}
 	DECR_EVENT_COUNT(base, evcb->evcb_flags);
@@ -3310,7 +3310,7 @@ event_queue_remove_timeout(struct event_base *base, struct event *ev)
 	EVENT_BASE_ASSERT_LOCKED(base);
 	if (EVUTIL_FAILURE_CHECK(!(ev->ev_flags & EVLIST_TIMEOUT))) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") not on queue %x", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_TIMEOUT);
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd), EVLIST_TIMEOUT);
 		return;
 	}
 	DECR_EVENT_COUNT(base, ev->ev_flags);
@@ -3405,7 +3405,7 @@ event_queue_insert_inserted(struct event_base *base, struct event *ev)
 
 	if (EVUTIL_FAILURE_CHECK(ev->ev_flags & EVLIST_INSERTED)) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") already inserted", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd));
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd));
 		return;
 	}
 
@@ -3459,7 +3459,7 @@ event_queue_insert_timeout(struct event_base *base, struct event *ev)
 
 	if (EVUTIL_FAILURE_CHECK(ev->ev_flags & EVLIST_TIMEOUT)) {
 		event_errx(1, "%s: %p(fd "EV_SOCK_FMT") already on timeout", __func__,
-		    ev, EV_SOCK_ARG(ev->ev_fd));
+                   (void *)ev, EV_SOCK_ARG(ev->ev_fd));
 		return;
 	}
 
diff --git a/linux/libevent/evthread-internal.h b/linux/libevent/evthread-internal.h
index 83e409f0..2d926856 100644
--- a/linux/libevent/evthread-internal.h
+++ b/linux/libevent/evthread-internal.h
@@ -316,8 +316,8 @@ EVLOCK_TRY_LOCK_(void *lock)
 
 #define EVBASE_IN_THREAD(base)	1
 #define EVBASE_NEED_NOTIFY(base) 0
-#define EVBASE_ACQUIRE_LOCK(base, lock) EVUTIL_NIL_STMT_
-#define EVBASE_RELEASE_LOCK(base, lock) EVUTIL_NIL_STMT_
+#define EVBASE_ACQUIRE_LOCK(base, lock) (void)(base)
+#define EVBASE_RELEASE_LOCK(base, lock) (void)(base)
 #define EVLOCK_ASSERT_LOCKED(lock) EVUTIL_NIL_STMT_
 
 #define EVLOCK_TRY_LOCK_(lock) 1
diff --git a/linux/libevent/http-internal.h b/linux/libevent/http-internal.h
index a5844e1d..705daba2 100644
--- a/linux/libevent/http-internal.h
+++ b/linux/libevent/http-internal.h
@@ -128,6 +128,10 @@ TAILQ_HEAD(evconq, evhttp_connection);
 struct evhttp_bound_socket {
 	TAILQ_ENTRY(evhttp_bound_socket) next;
 
+	struct evhttp *http;
+	struct bufferevent* (*bevcb)(struct event_base *, void *);
+	void *bevcbarg;
+
 	struct evconnlistener *listener;
 };
 
diff --git a/linux/libevent/http.c b/linux/libevent/http.c
index 9cebbb7c..1421a8e6 100644
--- a/linux/libevent/http.c
+++ b/linux/libevent/http.c
@@ -197,7 +197,7 @@ static void evhttp_read_header(struct evhttp_connection *evcon,
 static int evhttp_add_header_internal(struct evkeyvalq *headers,
     const char *key, const char *value);
 static const char *evhttp_response_phrase_internal(int code);
-static void evhttp_get_request(struct evhttp *, evutil_socket_t, struct sockaddr *, ev_socklen_t);
+static void evhttp_get_request(struct evhttp *, evutil_socket_t, struct sockaddr *, ev_socklen_t, struct bufferevent *bev);
 static void evhttp_write_buffer(struct evhttp_connection *,
     void (*)(struct evhttp_connection *, void *), void *);
 static void evhttp_make_header(struct evhttp_connection *, struct evhttp_request *);
@@ -500,7 +500,8 @@ evhttp_make_header_request(struct evhttp_connection *evcon,
     struct evhttp_request *req)
 {
 	const char *method;
-	ev_uint16_t flags;
+	/* NOTE: some version of GCC reports a warning that flags may be uninitialized, hence assignment */
+	ev_uint16_t flags = 0;
 
 	evhttp_remove_header(req->output_headers, "Proxy-Connection");
 
@@ -1741,7 +1742,7 @@ evhttp_parse_http_version(const char *version, struct evhttp_request *req)
 	int n = sscanf(version, "HTTP/%d.%d%c", &major, &minor, &ch);
 	if (n != 2 || major > 1) {
 		event_debug(("%s: bad version %s on message %p from %s",
-			__func__, version, req, req->remote_host));
+			__func__, version, (void *)req, req->remote_host));
 		return (-1);
 	}
 	req->major = major;
@@ -2013,7 +2014,7 @@ evhttp_parse_request_line(struct evhttp_request *req, char *line, size_t len)
 
 	if (!type) {
 		event_debug(("%s: bad method %s on request %p from %s",
-		            __func__, method, req, req->remote_host));
+		            __func__, method, (void *)req, req->remote_host));
 		/* No error yet; we'll give a better error later when
 		 * we see that req->type is unsupported. */
 	}
@@ -2351,7 +2352,8 @@ evhttp_get_body_length(struct evhttp_request *req)
 static int
 evhttp_method_may_have_body_(struct evhttp_connection *evcon, enum evhttp_cmd_type type)
 {
-	ev_uint16_t flags;
+	/* NOTE: some version of GCC reports a warning that flags may be uninitialized, hence assignment */
+	ev_uint16_t flags = 0;
 	evhttp_method_(evcon, type, &flags);
 	return (flags & EVHTTP_METHOD_HAS_BODY) ? 1 : 0;
 }
@@ -3793,9 +3795,15 @@ evhttp_handle_request(struct evhttp_request *req, void *arg)
 static void
 accept_socket_cb(struct evconnlistener *listener, evutil_socket_t nfd, struct sockaddr *peer_sa, int peer_socklen, void *arg)
 {
-	struct evhttp *http = arg;
+	struct evhttp_bound_socket *bound = arg;
+
+	struct evhttp *http = bound->http;
 
-	evhttp_get_request(http, nfd, peer_sa, peer_socklen);
+	struct bufferevent *bev = NULL;
+	if (bound->bevcb)
+		bev = bound->bevcb(http->base, bound->bevcbarg);
+
+	evhttp_get_request(http, nfd, peer_sa, peer_socklen, bev);
 }
 
 int
@@ -3891,9 +3899,11 @@ evhttp_bind_listener(struct evhttp *http, struct evconnlistener *listener)
 		return (NULL);
 
 	bound->listener = listener;
+	bound->bevcb = NULL;
+	bound->http = http;
 	TAILQ_INSERT_TAIL(&http->sockets, bound, next);
 
-	evconnlistener_set_cb(listener, accept_socket_cb, http);
+	evconnlistener_set_cb(listener, accept_socket_cb, bound);
 	return bound;
 }
 
@@ -3909,6 +3919,14 @@ evhttp_bound_socket_get_listener(struct evhttp_bound_socket *bound)
 	return bound->listener;
 }
 
+void
+evhttp_bound_set_bevcb(struct evhttp_bound_socket *bound,
+    struct bufferevent* (*cb)(struct event_base *, void *), void *cbarg)
+{
+	bound->bevcb = cb;
+	bound->bevcbarg = cbarg;
+}
+
 void
 evhttp_del_accept_socket(struct evhttp *http, struct evhttp_bound_socket *bound)
 {
@@ -4415,7 +4433,7 @@ evhttp_request_set_on_complete_cb(struct evhttp_request *req,
 const char *
 evhttp_request_get_uri(const struct evhttp_request *req) {
 	if (req->uri == NULL)
-		event_debug(("%s: request %p has no uri\n", __func__, req));
+		event_debug(("%s: request %p has no uri\n", __func__, (void *)req));
 	return (req->uri);
 }
 
@@ -4423,7 +4441,7 @@ const struct evhttp_uri *
 evhttp_request_get_evhttp_uri(const struct evhttp_request *req) {
 	if (req->uri_elems == NULL)
 		event_debug(("%s: request %p has no uri elems\n",
-			    __func__, req));
+			    __func__, (void *)req));
 	return (req->uri_elems);
 }
 
@@ -4515,10 +4533,10 @@ struct evbuffer *evhttp_request_get_output_buffer(struct evhttp_request *req)
 static struct evhttp_connection*
 evhttp_get_request_connection(
 	struct evhttp* http,
-	evutil_socket_t fd, struct sockaddr *sa, ev_socklen_t salen)
+	evutil_socket_t fd, struct sockaddr *sa, ev_socklen_t salen,
+	struct bufferevent* bev)
 {
 	struct evhttp_connection *evcon;
-	struct bufferevent* bev = NULL;
 
 #ifdef EVENT__HAVE_STRUCT_SOCKADDR_UN
 	if (sa->sa_family == AF_UNIX) {
@@ -4535,7 +4553,7 @@ evhttp_get_request_connection(
 			EV_SOCK_FMT"\n", __func__, EV_SOCK_ARG(fd)));
 
 		/* we need a connection object to put the http request on */
-		if (http->bevcb != NULL) {
+		if (!bev && http->bevcb != NULL) {
 			bev = (*http->bevcb)(http->base, http->bevcbarg);
 		}
 
@@ -4558,7 +4576,7 @@ evhttp_get_request_connection(
 			__func__, hostname, portname, EV_SOCK_ARG(fd)));
 
 		/* we need a connection object to put the http request on */
-		if (http->bevcb != NULL) {
+		if (!bev && http->bevcb != NULL) {
 			bev = (*http->bevcb)(http->base, http->bevcbarg);
 		}
 		evcon = evhttp_connection_base_bufferevent_new(
@@ -4634,11 +4652,12 @@ evhttp_associate_new_request_with_connection(struct evhttp_connection *evcon)
 
 static void
 evhttp_get_request(struct evhttp *http, evutil_socket_t fd,
-    struct sockaddr *sa, ev_socklen_t salen)
+    struct sockaddr *sa, ev_socklen_t salen,
+    struct bufferevent *bev)
 {
 	struct evhttp_connection *evcon;
 
-	evcon = evhttp_get_request_connection(http, fd, sa, salen);
+	evcon = evhttp_get_request_connection(http, fd, sa, salen, bev);
 	if (evcon == NULL) {
 		event_sock_warn(fd, "%s: cannot get connection on "EV_SOCK_FMT,
 		    __func__, EV_SOCK_ARG(fd));
diff --git a/linux/libevent/include/event.h b/linux/libevent/include/event.h
index ba518671..0e33f90f 100644
--- a/linux/libevent/include/event.h
+++ b/linux/libevent/include/event.h
@@ -54,7 +54,7 @@ extern "C" {
 #include <stdarg.h>
 
 /* For int types. */
-#include <evutil.h>
+#include <event2/util.h>
 
 #ifdef _WIN32
 #ifndef WIN32_LEAN_AND_MEAN
diff --git a/linux/libevent/include/event2/event.h b/linux/libevent/include/event2/event.h
index 83dfe540..b52fd846 100644
--- a/linux/libevent/include/event2/event.h
+++ b/linux/libevent/include/event2/event.h
@@ -396,7 +396,7 @@ const char *event_base_get_method(const struct event_base *eb);
 EVENT2_EXPORT_SYMBOL
 const char **event_get_supported_methods(void);
 
-/** Query the current monotonic time from a the timer for a struct
+/** Query the current monotonic time from the timer for a struct
  * event_base.
  */
 EVENT2_EXPORT_SYMBOL
@@ -542,6 +542,8 @@ enum event_base_config_flag {
 	    If this flag is set then bufferevent_socket_new() and
 	    evconn_listener_new() will use IOCP-backed implementations
 	    instead of the usual select-based one on Windows.
+
+	    Note: it is experimental feature, and has some bugs.
 	 */
 	EVENT_BASE_FLAG_STARTUP_IOCP = 0x04,
 	/** Instead of checking the current time every time the event loop is
diff --git a/linux/libevent/include/event2/http.h b/linux/libevent/include/event2/http.h
index 89175fb7..50c0a27b 100644
--- a/linux/libevent/include/event2/http.h
+++ b/linux/libevent/include/event2/http.h
@@ -53,18 +53,29 @@ struct evhttp_connection;
  */
 
 /* Response codes */
+#define HTTP_CONTINUE		100	/**< client should proceed to send */
+#define HTTP_SWITCH_PROTOCOLS	101	/**< switching to another protocol */
+#define HTTP_PROCESSING		102	/**< processing the request, but no response is available yet */
+#define HTTP_EARLYHINTS		103	/**< return some response headers */
 #define HTTP_OK			200	/**< request completed ok */
+#define HTTP_CREATED		201	/**< new resource is created */
+#define HTTP_ACCEPTED		202	/**< accepted for processing */
+#define HTTP_NONAUTHORITATIVE	203	/**< returning a modified version of the origin's response */
 #define HTTP_NOCONTENT		204	/**< request does not have content */
 #define HTTP_MOVEPERM		301	/**< the uri moved permanently */
 #define HTTP_MOVETEMP		302	/**< the uri moved temporarily */
 #define HTTP_NOTMODIFIED	304	/**< page was not modified from last */
 #define HTTP_BADREQUEST		400	/**< invalid http request was made */
+#define HTTP_UNAUTHORIZED	401	/**< authentication is required */
+#define HTTP_PAYMENTREQUIRED	402	/**< user exceeded limit on requests */
+#define HTTP_FORBIDDEN		403	/**< user not having the necessary permissions */
 #define HTTP_NOTFOUND		404	/**< could not find content for uri */
 #define HTTP_BADMETHOD		405 	/**< method not allowed for this uri */
-#define HTTP_ENTITYTOOLARGE	413	/**<  */
+#define HTTP_ENTITYTOOLARGE	413	/**< request is larger than the server is able to process */
 #define HTTP_EXPECTATIONFAILED	417	/**< we can't handle this expectation */
 #define HTTP_INTERNAL           500     /**< internal error */
 #define HTTP_NOTIMPLEMENTED     501     /**< not implemented */
+#define HTTP_BADGATEWAY		502	/**< received an invalid response from the upstream */
 #define HTTP_SERVUNAVAIL	503	/**< the server is not available */
 
 struct evhttp;
@@ -161,6 +172,14 @@ struct evhttp_bound_socket *evhttp_bind_listener(struct evhttp *http, struct evc
 EVENT2_EXPORT_SYMBOL
 struct evconnlistener *evhttp_bound_socket_get_listener(struct evhttp_bound_socket *bound);
 
+/*
+ * Like evhttp_set_bevcb.
+ * If cb returns a non-NULL bufferevent, * the callback supplied through
+ * evhttp_set_bevcb isn't used.
+ */
+EVENT2_EXPORT_SYMBOL
+void evhttp_bound_set_bevcb(struct evhttp_bound_socket *bound, struct bufferevent* (*cb)(struct event_base *, void *), void *cbarg);
+
 typedef void evhttp_bound_socket_foreach_fn(struct evhttp_bound_socket *, void *);
 /**
  * Applies the function specified in the first argument to all
@@ -322,6 +341,8 @@ void evhttp_set_gencb(struct evhttp *http,
 /**
    Set a callback used to create new bufferevents for connections
    to a given evhttp object.
+   cb is not called if a non-NULL bufferevent was supplied by
+   evhttp_bound_set_bevcb.
 
    You can use this to override the default bufferevent type -- for example,
    to make this evhttp object use SSL bufferevents rather than unencrypted
diff --git a/linux/libevent/include/event2/http_struct.h b/linux/libevent/include/event2/http_struct.h
index 4bf5b1ff..b828180e 100644
--- a/linux/libevent/include/event2/http_struct.h
+++ b/linux/libevent/include/event2/http_struct.h
@@ -129,7 +129,7 @@ struct {
 	int (*header_cb)(struct evhttp_request *, void *);
 
 	/*
-	 * Error callback - called when error is occured.
+	 * Error callback - called when error is occurred.
 	 * @see evhttp_request_error for error types.
 	 *
 	 * @see evhttp_request_set_error_cb()
diff --git a/linux/libevent/listener.c b/linux/libevent/listener.c
index 125c7286..fc7c2c58 100644
--- a/linux/libevent/listener.c
+++ b/linux/libevent/listener.c
@@ -275,8 +275,13 @@ evconnlistener_new_bind(struct event_base *base, evconnlistener_cb cb,
 
 	return listener;
 err:
-	evutil_closesocket(fd);
-	return NULL;
+	{
+		int saved_errno = EVUTIL_SOCKET_ERROR();
+		evutil_closesocket(fd);
+		if (saved_errno)
+			EVUTIL_SET_SOCKET_ERROR(saved_errno);
+		return NULL;
+	}
 }
 
 void
diff --git a/linux/libevent/mbedtls-compat.h b/linux/libevent/mbedtls-compat.h
index 34148e5b..b50ccd23 100644
--- a/linux/libevent/mbedtls-compat.h
+++ b/linux/libevent/mbedtls-compat.h
@@ -2,10 +2,29 @@
 #define MBEDTLS_COMPAT_H
 
 #include <mbedtls/version.h>
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+# if defined(__clang__)
+#  pragma clang diagnostic push
+#  pragma clang diagnostic ignored "-Wcpp"
+# elif defined(__GNUC__)
+#  pragma GCC diagnostic push
+#  pragma GCC diagnostic ignored "-Wcpp"
+# endif
+
+# include <mbedtls/compat-2.x.h>
+
+# if defined(__clang__)
+#  pragma clang diagnostic pop
+# elif defined(__GNUC__)
+#  pragma GCC diagnostic pop
+# endif
+#endif // MBEDTLS_VERSION_MAJOR >= 3
+
 #if MBEDTLS_VERSION_MAJOR < 2 || (MBEDTLS_VERSION_MAJOR == 2 && MBEDTLS_VERSION_MINOR < 4)
-#include <mbedtls/net.h>
+# include <mbedtls/net.h>
 #else
-#include <mbedtls/net_sockets.h>
+# include <mbedtls/net_sockets.h>
 #endif
 
 #endif // LIBEVENT_MBEDTLS_COMPAT_H
diff --git a/linux/libevent/signal.c b/linux/libevent/signal.c
index 9a232710..551a454f 100644
--- a/linux/libevent/signal.c
+++ b/linux/libevent/signal.c
@@ -295,7 +295,7 @@ evsig_add(struct event_base *base, evutil_socket_t evsignal, short old, short ev
 		    "the most recently added signal or the most recent "
 		    "event_base_loop() call gets preference; do "
 		    "not rely on this behavior in future Libevent versions.",
-		    base, evsig_base, base->evsel->name);
+                   (void *)base, (void *)evsig_base, base->evsel->name);
 	}
 	evsig_base = base;
 	evsig_base_n_signals_added = ++sig->ev_n_signals_added;
diff --git a/linux/openssl/crypto/aes/asm/aesni-x86.pl b/linux/openssl/crypto/aes/asm/aesni-x86.pl
index fe2b2654..3502940d 100644
--- a/linux/openssl/crypto/aes/asm/aesni-x86.pl
+++ b/linux/openssl/crypto/aes/asm/aesni-x86.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2027,7 +2027,7 @@ sub aesni_generate6
 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
@@ -2453,7 +2453,7 @@ sub aesni_generate6
 	&pxor		($rndkey1,$inout5);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
diff --git a/linux/openssl/crypto/aes/asm/aesv8-armx.pl b/linux/openssl/crypto/aes/asm/aesv8-armx.pl
index 2b0e9829..1856d997 100755
--- a/linux/openssl/crypto/aes/asm/aesv8-armx.pl
+++ b/linux/openssl/crypto/aes/asm/aesv8-armx.pl
@@ -740,6 +740,21 @@ ()
 #ifndef __ARMEB__
 	rev		$ctr, $ctr
 #endif
+___
+$code.=<<___	if ($flavour =~ /64/);
+	vorr		$dat1,$dat0,$dat0
+	add		$tctr1, $ctr, #1
+	vorr		$dat2,$dat0,$dat0
+	add		$ctr, $ctr, #2
+	vorr		$ivec,$dat0,$dat0
+	rev		$tctr1, $tctr1
+	vmov.32		${dat1}[3],$tctr1
+	b.ls		.Lctr32_tail
+	rev		$tctr2, $ctr
+	sub		$len,$len,#3		// bias
+	vmov.32		${dat2}[3],$tctr2
+___
+$code.=<<___	if ($flavour !~ /64/);
 	add		$tctr1, $ctr, #1
 	vorr		$ivec,$dat0,$dat0
 	rev		$tctr1, $tctr1
@@ -751,6 +766,8 @@ ()
 	vmov.32		${ivec}[3],$tctr2
 	sub		$len,$len,#3		// bias
 	vorr		$dat2,$ivec,$ivec
+___
+$code.=<<___;
 	b		.Loop3x_ctr32
 
 .align	4
@@ -777,11 +794,25 @@ ()
 	aese		$dat1,q8
 	aesmc		$tmp1,$dat1
 	 vld1.8		{$in0},[$inp],#16
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vorr		$dat0,$ivec,$ivec
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 add		$tctr0,$ctr,#1
+___
+$code.=<<___;
 	aese		$dat2,q8
 	aesmc		$dat2,$dat2
 	 vld1.8		{$in1},[$inp],#16
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vorr		$dat1,$ivec,$ivec
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 rev		$tctr0,$tctr0
+___
+$code.=<<___;
 	aese		$tmp0,q9
 	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q9
@@ -790,6 +821,12 @@ ()
 	 mov		$key_,$key
 	aese		$dat2,q9
 	aesmc		$tmp2,$dat2
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vorr		$dat2,$ivec,$ivec
+	 add		$tctr0,$ctr,#1
+___
+$code.=<<___;
 	aese		$tmp0,q12
 	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q12
@@ -805,22 +842,47 @@ ()
 	aese		$tmp1,q13
 	aesmc		$tmp1,$tmp1
 	 veor		$in2,$in2,$rndlast
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 rev		$tctr0,$tctr0
+	aese		$tmp2,q13
+	aesmc		$tmp2,$tmp2
+	 vmov.32	${dat0}[3], $tctr0
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 vmov.32	${ivec}[3], $tctr0
 	aese		$tmp2,q13
 	aesmc		$tmp2,$tmp2
 	 vorr		$dat0,$ivec,$ivec
+___
+$code.=<<___;
 	 rev		$tctr1,$tctr1
 	aese		$tmp0,q14
 	aesmc		$tmp0,$tmp0
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 vmov.32	${ivec}[3], $tctr1
 	 rev		$tctr2,$ctr
+___
+$code.=<<___;
 	aese		$tmp1,q14
 	aesmc		$tmp1,$tmp1
+___
+$code.=<<___	if ($flavour =~ /64/);
+	 vmov.32	${dat1}[3], $tctr1
+	 rev		$tctr2,$ctr
+	aese		$tmp2,q14
+	aesmc		$tmp2,$tmp2
+	 vmov.32	${dat2}[3], $tctr2
+___
+$code.=<<___	if ($flavour !~ /64/);
 	 vorr		$dat1,$ivec,$ivec
 	 vmov.32	${ivec}[3], $tctr2
 	aese		$tmp2,q14
 	aesmc		$tmp2,$tmp2
 	 vorr		$dat2,$ivec,$ivec
+___
+$code.=<<___;
 	 subs		$len,$len,#3
 	aese		$tmp0,q15
 	aese		$tmp1,q15
diff --git a/linux/openssl/crypto/asn1/charmap.pl b/linux/openssl/crypto/asn1/charmap.pl
index dadd8df7..52fa5a79 100644
--- a/linux/openssl/crypto/asn1/charmap.pl
+++ b/linux/openssl/crypto/asn1/charmap.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -7,6 +7,9 @@
 # https://www.openssl.org/source/license.html
 
 use strict;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 my ($i, @arr);
 
@@ -82,8 +85,8 @@
 
 # Now generate the C code
 
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
+# Year the file was generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
 print <<EOF;
 /*
  * WARNING: do not edit!
diff --git a/linux/openssl/crypto/bn/asm/x86_64-mont5.pl b/linux/openssl/crypto/bn/asm/x86_64-mont5.pl
index 8c37d132..33cb769c 100755
--- a/linux/openssl/crypto/bn/asm/x86_64-mont5.pl
+++ b/linux/openssl/crypto/bn/asm/x86_64-mont5.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2101,193 +2101,6 @@
 .size	__bn_post4x_internal,.-__bn_post4x_internal
 ___
 }
-{
-$code.=<<___;
-.globl	bn_from_montgomery
-.type	bn_from_montgomery,\@abi-omnipotent
-.align	32
-bn_from_montgomery:
-.cfi_startproc
-	testl	\$7,`($win64?"48(%rsp)":"%r9d")`
-	jz	bn_from_mont8x
-	xor	%eax,%eax
-	ret
-.cfi_endproc
-.size	bn_from_montgomery,.-bn_from_montgomery
-
-.type	bn_from_mont8x,\@function,6
-.align	32
-bn_from_mont8x:
-.cfi_startproc
-	.byte	0x67
-	mov	%rsp,%rax
-.cfi_def_cfa_register	%rax
-	push	%rbx
-.cfi_push	%rbx
-	push	%rbp
-.cfi_push	%rbp
-	push	%r12
-.cfi_push	%r12
-	push	%r13
-.cfi_push	%r13
-	push	%r14
-.cfi_push	%r14
-	push	%r15
-.cfi_push	%r15
-.Lfrom_prologue:
-
-	shl	\$3,${num}d		# convert $num to bytes
-	lea	($num,$num,2),%r10	# 3*$num in bytes
-	neg	$num
-	mov	($n0),$n0		# *n0
-
-	##############################################################
-	# Ensure that stack frame doesn't alias with $rptr+3*$num
-	# modulo 4096, which covers ret[num], am[num] and n[num]
-	# (see bn_exp.c). The stack is allocated to aligned with
-	# bn_power5's frame, and as bn_from_montgomery happens to be
-	# last operation, we use the opportunity to cleanse it.
-	#
-	lea	-320(%rsp,$num,2),%r11
-	mov	%rsp,%rbp
-	sub	$rptr,%r11
-	and	\$4095,%r11
-	cmp	%r11,%r10
-	jb	.Lfrom_sp_alt
-	sub	%r11,%rbp		# align with $aptr
-	lea	-320(%rbp,$num,2),%rbp	# future alloca(frame+2*$num*8+256)
-	jmp	.Lfrom_sp_done
-
-.align	32
-.Lfrom_sp_alt:
-	lea	4096-320(,$num,2),%r10
-	lea	-320(%rbp,$num,2),%rbp	# future alloca(frame+2*$num*8+256)
-	sub	%r10,%r11
-	mov	\$0,%r10
-	cmovc	%r10,%r11
-	sub	%r11,%rbp
-.Lfrom_sp_done:
-	and	\$-64,%rbp
-	mov	%rsp,%r11
-	sub	%rbp,%r11
-	and	\$-4096,%r11
-	lea	(%rbp,%r11),%rsp
-	mov	(%rsp),%r10
-	cmp	%rbp,%rsp
-	ja	.Lfrom_page_walk
-	jmp	.Lfrom_page_walk_done
-
-.Lfrom_page_walk:
-	lea	-4096(%rsp),%rsp
-	mov	(%rsp),%r10
-	cmp	%rbp,%rsp
-	ja	.Lfrom_page_walk
-.Lfrom_page_walk_done:
-
-	mov	$num,%r10
-	neg	$num
-
-	##############################################################
-	# Stack layout
-	#
-	# +0	saved $num, used in reduction section
-	# +8	&t[2*$num], used in reduction section
-	# +32	saved *n0
-	# +40	saved %rsp
-	# +48	t[2*$num]
-	#
-	mov	$n0,  32(%rsp)
-	mov	%rax, 40(%rsp)		# save original %rsp
-.cfi_cfa_expression	%rsp+40,deref,+8
-.Lfrom_body:
-	mov	$num,%r11
-	lea	48(%rsp),%rax
-	pxor	%xmm0,%xmm0
-	jmp	.Lmul_by_1
-
-.align	32
-.Lmul_by_1:
-	movdqu	($aptr),%xmm1
-	movdqu	16($aptr),%xmm2
-	movdqu	32($aptr),%xmm3
-	movdqa	%xmm0,(%rax,$num)
-	movdqu	48($aptr),%xmm4
-	movdqa	%xmm0,16(%rax,$num)
-	.byte	0x48,0x8d,0xb6,0x40,0x00,0x00,0x00	# lea	64($aptr),$aptr
-	movdqa	%xmm1,(%rax)
-	movdqa	%xmm0,32(%rax,$num)
-	movdqa	%xmm2,16(%rax)
-	movdqa	%xmm0,48(%rax,$num)
-	movdqa	%xmm3,32(%rax)
-	movdqa	%xmm4,48(%rax)
-	lea	64(%rax),%rax
-	sub	\$64,%r11
-	jnz	.Lmul_by_1
-
-	movq	$rptr,%xmm1
-	movq	$nptr,%xmm2
-	.byte	0x67
-	mov	$nptr,%rbp
-	movq	%r10, %xmm3		# -num
-___
-$code.=<<___ if ($addx);
-	mov	OPENSSL_ia32cap_P+8(%rip),%r11d
-	and	\$0x80108,%r11d
-	cmp	\$0x80108,%r11d		# check for AD*X+BMI2+BMI1
-	jne	.Lfrom_mont_nox
-
-	lea	(%rax,$num),$rptr
-	call	__bn_sqrx8x_reduction
-	call	__bn_postx4x_internal
-
-	pxor	%xmm0,%xmm0
-	lea	48(%rsp),%rax
-	jmp	.Lfrom_mont_zero
-
-.align	32
-.Lfrom_mont_nox:
-___
-$code.=<<___;
-	call	__bn_sqr8x_reduction
-	call	__bn_post4x_internal
-
-	pxor	%xmm0,%xmm0
-	lea	48(%rsp),%rax
-	jmp	.Lfrom_mont_zero
-
-.align	32
-.Lfrom_mont_zero:
-	mov	40(%rsp),%rsi		# restore %rsp
-.cfi_def_cfa	%rsi,8
-	movdqa	%xmm0,16*0(%rax)
-	movdqa	%xmm0,16*1(%rax)
-	movdqa	%xmm0,16*2(%rax)
-	movdqa	%xmm0,16*3(%rax)
-	lea	16*4(%rax),%rax
-	sub	\$32,$num
-	jnz	.Lfrom_mont_zero
-
-	mov	\$1,%rax
-	mov	-48(%rsi),%r15
-.cfi_restore	%r15
-	mov	-40(%rsi),%r14
-.cfi_restore	%r14
-	mov	-32(%rsi),%r13
-.cfi_restore	%r13
-	mov	-24(%rsi),%r12
-.cfi_restore	%r12
-	mov	-16(%rsi),%rbp
-.cfi_restore	%rbp
-	mov	-8(%rsi),%rbx
-.cfi_restore	%rbx
-	lea	(%rsi),%rsp
-.cfi_def_cfa_register	%rsp
-.Lfrom_epilogue:
-	ret
-.cfi_endproc
-.size	bn_from_mont8x,.-bn_from_mont8x
-___
-}
 }}}
 
 if ($addx) {{{
@@ -3894,10 +3707,6 @@
 	.rva	.LSEH_begin_bn_power5
 	.rva	.LSEH_end_bn_power5
 	.rva	.LSEH_info_bn_power5
-
-	.rva	.LSEH_begin_bn_from_mont8x
-	.rva	.LSEH_end_bn_from_mont8x
-	.rva	.LSEH_info_bn_from_mont8x
 ___
 $code.=<<___ if ($addx);
 	.rva	.LSEH_begin_bn_mulx4x_mont_gather5
@@ -3929,11 +3738,6 @@
 	.byte	9,0,0,0
 	.rva	mul_handler
 	.rva	.Lpower5_prologue,.Lpower5_body,.Lpower5_epilogue	# HandlerData[]
-.align	8
-.LSEH_info_bn_from_mont8x:
-	.byte	9,0,0,0
-	.rva	mul_handler
-	.rva	.Lfrom_prologue,.Lfrom_body,.Lfrom_epilogue		# HandlerData[]
 ___
 $code.=<<___ if ($addx);
 .align	8
diff --git a/linux/openssl/crypto/bn/bn_div.c b/linux/openssl/crypto/bn/bn_div.c
index e2821fb6..42736188 100644
--- a/linux/openssl/crypto/bn/bn_div.c
+++ b/linux/openssl/crypto/bn/bn_div.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/crypto/bn/bn_exp.c b/linux/openssl/crypto/bn/bn_exp.c
index 451e88ac..e21dcff0 100644
--- a/linux/openssl/crypto/bn/bn_exp.c
+++ b/linux/openssl/crypto/bn/bn_exp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -900,14 +900,21 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 #if defined(OPENSSL_BN_ASM_MONT5)
     if (window == 5 && top > 1) {
         /*
-         * This optimization uses ideas from http://eprint.iacr.org/2011/239,
-         * specifically optimization of cache-timing attack countermeasures
-         * and pre-computation optimization.
-         */
-
-        /*
-         * Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
-         * 512-bit RSA is hardly relevant, we omit it to spare size...
+         * This optimization uses ideas from https://eprint.iacr.org/2011/239,
+         * specifically optimization of cache-timing attack countermeasures,
+         * pre-computation optimization, and Almost Montgomery Multiplication.
+         *
+         * The paper discusses a 4-bit window to optimize 512-bit modular
+         * exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer
+         * important.
+         *
+         * |bn_mul_mont_gather5| and |bn_power5| implement the "almost"
+         * reduction variant, so the values here may not be fully reduced.
+         * They are bounded by R (i.e. they fit in |top| words), not |m|.
+         * Additionally, we pass these "almost" reduced inputs into
+         * |bn_mul_mont|, which implements the normal reduction variant.
+         * Given those inputs, |bn_mul_mont| may not give reduced
+         * output, but it will still produce "almost" reduced output.
          */
         void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,
                                  const void *table, const BN_ULONG *np,
@@ -919,9 +926,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
                        const void *table, const BN_ULONG *np,
                        const BN_ULONG *n0, int num, int power);
         int bn_get_bits5(const BN_ULONG *ap, int off);
-        int bn_from_montgomery(BN_ULONG *rp, const BN_ULONG *ap,
-                               const BN_ULONG *not_used, const BN_ULONG *np,
-                               const BN_ULONG *n0, int num);
 
         BN_ULONG *n0 = mont->n0, *np;
 
@@ -1010,14 +1014,18 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
             }
         }
 
-        ret = bn_from_montgomery(tmp.d, tmp.d, NULL, np, n0, top);
         tmp.top = top;
-        bn_correct_top(&tmp);
-        if (ret) {
-            if (!BN_copy(rr, &tmp))
-                ret = 0;
-            goto err;           /* non-zero ret means it's not error */
-        }
+        /*
+         * The result is now in |tmp| in Montgomery form, but it may not be
+         * fully reduced. This is within bounds for |BN_from_montgomery|
+         * (tmp < R <= m*R) so it will, when converting from Montgomery form,
+         * produce a fully reduced result.
+         *
+         * This differs from Figure 2 of the paper, which uses AMM(h, 1) to
+         * convert from Montgomery form with unreduced output, followed by an
+         * extra reduction step. In the paper's terminology, we replace
+         * steps 9 and 10 with MM(h, 1).
+         */
     } else
 #endif
     {
diff --git a/linux/openssl/crypto/bn/bn_gcd.c b/linux/openssl/crypto/bn/bn_gcd.c
index 0941f7b9..6190bf1e 100644
--- a/linux/openssl/crypto/bn/bn_gcd.c
+++ b/linux/openssl/crypto/bn/bn_gcd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -47,7 +47,8 @@ BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in,
     if (R == NULL)
         goto err;
 
-    BN_one(X);
+    if (!BN_one(X))
+        goto err;
     BN_zero(Y);
     if (BN_copy(B, a) == NULL)
         goto err;
@@ -235,7 +236,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
     if (R == NULL)
         goto err;
 
-    BN_one(X);
+    if (!BN_one(X))
+        goto err;
     BN_zero(Y);
     if (BN_copy(B, a) == NULL)
         goto err;
diff --git a/linux/openssl/crypto/bn/bn_nist.c b/linux/openssl/crypto/bn/bn_nist.c
index 325dc228..fcee38ec 100644
--- a/linux/openssl/crypto/bn/bn_nist.c
+++ b/linux/openssl/crypto/bn/bn_nist.c
@@ -249,17 +249,28 @@ const BIGNUM *BN_get0_nist_prime_521(void)
     return &_bignum_nist_p_521;
 }
 
-static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
-{
-    int i;
-
-#ifdef BN_DEBUG
-    (void)ossl_assert(top <= max);
-#endif
-    for (i = 0; i < top; i++)
-        dst[i] = src[i];
-    for (; i < max; i++)
-        dst[i] = 0;
+/*
+ * To avoid more recent compilers (specifically clang-14) from treating this
+ * code as a violation of the strict aliasing conditions and omiting it, this
+ * cannot be declared as a function.  Moreover, the dst parameter cannot be
+ * cached in a local since this no longer references the union and again falls
+ * foul of the strict aliasing criteria.  Refer to #18225 for the initial
+ * diagnostics and llvm/llvm-project#55255 for the later discussions with the
+ * LLVM developers.  The problem boils down to if an array in the union is
+ * converted to a pointer or if it is used directly.
+ *
+ * This function was inlined regardless, so there is no space cost to be
+ * paid for making it a macro.
+ */
+#define nist_cp_bn_0(dst, src_in, top, max) \
+{                                           \
+    int ii;                                 \
+    const BN_ULONG *src = src_in;           \
+                                            \
+    for (ii = 0; ii < top; ii++)            \
+        (dst)[ii] = src[ii];                \
+    for (; ii < max; ii++)                  \
+        (dst)[ii] = 0;                      \
 }
 
 static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
diff --git a/linux/openssl/crypto/bn/bn_prime.pl b/linux/openssl/crypto/bn/bn_prime.pl
index b0b16087..d2eaac65 100644
--- a/linux/openssl/crypto/bn/bn_prime.pl
+++ b/linux/openssl/crypto/bn/bn_prime.pl
@@ -1,13 +1,16 @@
 #! /usr/bin/env perl
-# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
 print <<"EOF";
 /*
  * WARNING: do not edit!
diff --git a/linux/openssl/crypto/bn/rsaz_exp.c b/linux/openssl/crypto/bn/rsaz_exp.c
index 22455b8a..a2ab58bb 100644
--- a/linux/openssl/crypto/bn/rsaz_exp.c
+++ b/linux/openssl/crypto/bn/rsaz_exp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2012, Intel Corporation. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -66,6 +66,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
     unsigned char *R2 = table_s; /* borrow */
     int index;
     int wvalue;
+    BN_ULONG tmp[16];
 
     if ((((size_t)p_str & 4095) + 320) >> 12) {
         result = p_str;
@@ -237,7 +238,10 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
 
     rsaz_1024_red2norm_avx2(result_norm, result);
 
+    bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, tmp, 16);
+
     OPENSSL_cleanse(storage, sizeof(storage));
+    OPENSSL_cleanse(tmp, sizeof(tmp));
 }
 
 /*
@@ -266,6 +270,7 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
     unsigned char *p_str = (unsigned char *)exponent;
     int index;
     unsigned int wvalue;
+    BN_ULONG tmp[8];
 
     /* table[0] = 1_inv */
     temp[0] = 0 - m[0];
@@ -309,7 +314,10 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
     /* from Montgomery */
     rsaz_512_mul_by_one(result, temp, m, k0);
 
+    bn_reduce_once_in_place(result, /*carry=*/0, m, tmp, 8);
+
     OPENSSL_cleanse(storage, sizeof(storage));
+    OPENSSL_cleanse(tmp, sizeof(tmp));
 }
 
 #endif
diff --git a/linux/openssl/crypto/bn/rsaz_exp.h b/linux/openssl/crypto/bn/rsaz_exp.h
index 88f65a4b..1532a7e0 100644
--- a/linux/openssl/crypto/bn/rsaz_exp.h
+++ b/linux/openssl/crypto/bn/rsaz_exp.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2012, Intel Corporation. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -22,6 +22,8 @@
 #  define RSAZ_ENABLED
 
 #  include <openssl/bn.h>
+#  include "internal/constant_time.h"
+#  include "bn_local.h"
 
 void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16],
                             const BN_ULONG base_norm[16],
@@ -35,6 +37,27 @@ void RSAZ_512_mod_exp(BN_ULONG result[8],
                       const BN_ULONG m_norm[8], BN_ULONG k0,
                       const BN_ULONG RR[8]);
 
+static ossl_inline void bn_select_words(BN_ULONG *r, BN_ULONG mask,
+                                        const BN_ULONG *a,
+                                        const BN_ULONG *b, size_t num)
+{
+    size_t i;
+
+    for (i = 0; i < num; i++) {
+        r[i] = constant_time_select_64(mask, a[i], b[i]);
+    }
+}
+
+static ossl_inline BN_ULONG bn_reduce_once_in_place(BN_ULONG *r,
+                                                    BN_ULONG carry,
+                                                    const BN_ULONG *m,
+                                                    BN_ULONG *tmp, size_t num)
+{
+    carry -= bn_sub_words(tmp, r, m, num);
+    bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);
+    return carry;
+}
+
 # endif
 
 #endif
diff --git a/linux/openssl/crypto/conf/keysets.pl b/linux/openssl/crypto/conf/keysets.pl
index 27a7214c..9c9a00de 100644
--- a/linux/openssl/crypto/conf/keysets.pl
+++ b/linux/openssl/crypto/conf/keysets.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -8,6 +8,9 @@
 
 use strict;
 use warnings;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 my $NUMBER      = 0x0001;
 my $UPPER       = 0x0002;
@@ -54,9 +57,8 @@
     push(@V_w32, $v);
 }
 
-# Output year depends on the year of the script.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::year_of($0);
 print <<"EOF";
 /*
  * WARNING: do not edit!
diff --git a/linux/openssl/crypto/ec/curve448/curve448.c b/linux/openssl/crypto/ec/curve448/curve448.c
index 3aff9802..3d4db445 100644
--- a/linux/openssl/crypto/ec/curve448/curve448.c
+++ b/linux/openssl/crypto/ec/curve448/curve448.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2015-2016 Cryptography Research, Inc.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/linux/openssl/crypto/ec/ec_asn1.c b/linux/openssl/crypto/ec/ec_asn1.c
index 4335b3da..1acbbde3 100644
--- a/linux/openssl/crypto/ec/ec_asn1.c
+++ b/linux/openssl/crypto/ec/ec_asn1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -751,6 +751,16 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
 
     /* extract seed (optional) */
     if (params->curve->seed != NULL) {
+        /*
+         * This happens for instance with
+         * fuzz/corpora/asn1/65cf44e85614c62f10cf3b7a7184c26293a19e4a
+         * and causes the OPENSSL_malloc below to choke on the
+         * zero length allocation request.
+         */
+        if (params->curve->seed->length == 0) {
+            ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
+            goto err;
+        }
         OPENSSL_free(ret->seed);
         if ((ret->seed = OPENSSL_malloc(params->curve->seed->length)) == NULL) {
             ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
@@ -784,7 +794,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
     }
 
     /* extract the order */
-    if ((a = ASN1_INTEGER_to_BN(params->order, a)) == NULL) {
+    if (ASN1_INTEGER_to_BN(params->order, a) == NULL) {
         ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
         goto err;
     }
@@ -801,7 +811,7 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
     if (params->cofactor == NULL) {
         BN_free(b);
         b = NULL;
-    } else if ((b = ASN1_INTEGER_to_BN(params->cofactor, b)) == NULL) {
+    } else if (ASN1_INTEGER_to_BN(params->cofactor, b) == NULL) {
         ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, ERR_R_ASN1_LIB);
         goto err;
     }
diff --git a/linux/openssl/crypto/ec/ec_key.c b/linux/openssl/crypto/ec/ec_key.c
index 23efbd01..63799002 100644
--- a/linux/openssl/crypto/ec/ec_key.c
+++ b/linux/openssl/crypto/ec/ec_key.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -443,6 +443,16 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
         && key->meth->set_private(key, priv_key) == 0)
         return 0;
 
+    /*
+     * Return `0` to comply with legacy behavior for this function, see
+     * https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
+     */
+    if (priv_key == NULL) {
+        BN_clear_free(key->priv_key);
+        key->priv_key = NULL;
+        return 0; /* intentional for legacy compatibility */
+    }
+
     /*
      * We should never leak the bit length of the secret scalar in the key,
      * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
@@ -657,8 +667,7 @@ int ec_key_simple_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len)
         ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-    eckey->priv_key = BN_bin2bn(buf, len, eckey->priv_key);
-    if (eckey->priv_key == NULL) {
+    if (BN_bin2bn(buf, len, eckey->priv_key) == NULL) {
         ECerr(EC_F_EC_KEY_SIMPLE_OCT2PRIV, ERR_R_BN_LIB);
         return 0;
     }
diff --git a/linux/openssl/crypto/ec/ecp_nistz256.c b/linux/openssl/crypto/ec/ecp_nistz256.c
index 43eab75f..cfad3e15 100644
--- a/linux/openssl/crypto/ec/ecp_nistz256.c
+++ b/linux/openssl/crypto/ec/ecp_nistz256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
  * Copyright (c) 2015, CloudFlare, Inc.
  *
diff --git a/linux/openssl/crypto/err/err.c b/linux/openssl/crypto/err/err.c
index 49e6f479..239a3cea 100644
--- a/linux/openssl/crypto/err/err.c
+++ b/linux/openssl/crypto/err/err.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/crypto/evp/evp_enc.c b/linux/openssl/crypto/evp/evp_enc.c
index b8b9d90d..e756624b 100644
--- a/linux/openssl/crypto/evp/evp_enc.c
+++ b/linux/openssl/crypto/evp/evp_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/crypto/evp/evp_local.h b/linux/openssl/crypto/evp/evp_local.h
index cd3c1cf1..b59beee4 100644
--- a/linux/openssl/crypto/evp/evp_local.h
+++ b/linux/openssl/crypto/evp/evp_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/crypto/init.c b/linux/openssl/crypto/init.c
index 09d75864..b23af797 100644
--- a/linux/openssl/crypto/init.c
+++ b/linux/openssl/crypto/init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/crypto/objects/obj_dat.pl b/linux/openssl/crypto/objects/obj_dat.pl
index e5d38147..6ae13b94 100644
--- a/linux/openssl/crypto/objects/obj_dat.pl
+++ b/linux/openssl/crypto/objects/obj_dat.pl
@@ -9,6 +9,9 @@
 use integer;
 use strict;
 use warnings;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 # Generate the DER encoding for the given OID.
 sub der_it
@@ -36,10 +39,8 @@ sub der_it
     return $ret;
 }
 
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[0]));
 
 # Read input, parse all #define's into OID name and value.
 # Populate %ln and %sn with long and short names (%dupln and %dupsn)
diff --git a/linux/openssl/crypto/objects/objects.pl b/linux/openssl/crypto/objects/objects.pl
index d7d1962c..10a115f6 100644
--- a/linux/openssl/crypto/objects/objects.pl
+++ b/linux/openssl/crypto/objects/objects.pl
@@ -7,16 +7,15 @@
 # https://www.openssl.org/source/license.html
 
 use Getopt::Std;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 our($opt_n);
 getopts('n');
 
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($ARGV[0])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
-$iYEAR = [localtime([stat($ARGV[1])]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $ARGV[1], $ARGV[0]));
 
 open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]";
 $max_nid=0;
diff --git a/linux/openssl/crypto/objects/objxref.pl b/linux/openssl/crypto/objects/objxref.pl
index ce76cada..168d4be9 100644
--- a/linux/openssl/crypto/objects/objxref.pl
+++ b/linux/openssl/crypto/objects/objxref.pl
@@ -8,18 +8,17 @@
 
 
 use strict;
+use FindBin;
+use lib "$FindBin::Bin/../../util/perl";
+use OpenSSL::copyright;
 
 my %xref_tbl;
 my %oid_tbl;
 
 my ($mac_file, $xref_file) = @ARGV;
 
-# Output year depends on the year of the script and the input file.
-my $YEAR = [localtime([stat($0)]->[9])]->[5] + 1900;
-my $iYEAR = [localtime([stat($mac_file)]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
-$iYEAR = [localtime([stat($xref_file)]->[9])]->[5] + 1900;
-$YEAR = $iYEAR if $iYEAR > $YEAR;
+# The year the output file is generated.
+my $YEAR = OpenSSL::copyright::latest(($0, $mac_file, $xref_file));
 
 open(IN, $mac_file) || die "Can't open $mac_file, $!\n";
 
diff --git a/linux/openssl/crypto/pem/pem_lib.c b/linux/openssl/crypto/pem/pem_lib.c
index 2de09359..c2cf4079 100644
--- a/linux/openssl/crypto/pem/pem_lib.c
+++ b/linux/openssl/crypto/pem/pem_lib.c
@@ -621,7 +621,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
         (BIO_write(bp, "-----\n", 6) != 6))
         goto err;
 
-    i = strlen(header);
+    i = header != NULL ? strlen(header) : 0;
     if (i > 0) {
         if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, "\n", 1) != 1))
             goto err;
diff --git a/linux/openssl/crypto/rand/drbg_lib.c b/linux/openssl/crypto/rand/drbg_lib.c
index 8c7c28c9..0ba20ca3 100644
--- a/linux/openssl/crypto/rand/drbg_lib.c
+++ b/linux/openssl/crypto/rand/drbg_lib.c
@@ -354,13 +354,8 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
     drbg->state = DRBG_READY;
     drbg->generate_counter = 1;
     drbg->reseed_time = time(NULL);
-    if (drbg->enable_reseed_propagation) {
-        if (drbg->parent == NULL)
-            tsan_counter(&drbg->reseed_counter);
-        else
-            tsan_store(&drbg->reseed_counter,
-                       tsan_load(&drbg->parent->reseed_counter));
-    }
+    if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+        tsan_counter(&drbg->reseed_counter);
 
  end:
     if (entropy != NULL && drbg->cleanup_entropy != NULL)
@@ -444,13 +439,8 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
     drbg->state = DRBG_READY;
     drbg->generate_counter = 1;
     drbg->reseed_time = time(NULL);
-    if (drbg->enable_reseed_propagation) {
-        if (drbg->parent == NULL)
-            tsan_counter(&drbg->reseed_counter);
-        else
-            tsan_store(&drbg->reseed_counter,
-                       tsan_load(&drbg->parent->reseed_counter));
-    }
+    if (drbg->enable_reseed_propagation && drbg->parent == NULL)
+        tsan_counter(&drbg->reseed_counter);
 
  end:
     if (entropy != NULL && drbg->cleanup_entropy != NULL)
diff --git a/linux/openssl/crypto/rand/rand_lib.c b/linux/openssl/crypto/rand/rand_lib.c
index 5c72fad8..545ab463 100644
--- a/linux/openssl/crypto/rand/rand_lib.c
+++ b/linux/openssl/crypto/rand/rand_lib.c
@@ -172,8 +172,12 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
             if (RAND_DRBG_generate(drbg->parent,
                                    buffer, bytes_needed,
                                    prediction_resistance,
-                                   (unsigned char *)&drbg, sizeof(drbg)) != 0)
+                                   (unsigned char *)&drbg, sizeof(drbg)) != 0) {
                 bytes = bytes_needed;
+                if (drbg->enable_reseed_propagation)
+                    tsan_store(&drbg->reseed_counter,
+                               tsan_load(&drbg->parent->reseed_counter));
+            }
             rand_drbg_unlock(drbg->parent);
 
             rand_pool_add_end(pool, bytes, 8 * bytes);
diff --git a/linux/openssl/crypto/rand/rand_win.c b/linux/openssl/crypto/rand/rand_win.c
index 90365460..75ed90bd 100644
--- a/linux/openssl/crypto/rand/rand_win.c
+++ b/linux/openssl/crypto/rand/rand_win.c
@@ -26,7 +26,9 @@
 
 # ifdef USE_BCRYPTGENRANDOM
 #  include <bcrypt.h>
-#  pragma comment(lib, "bcrypt.lib")
+#  ifdef _MSC_VER
+#   pragma comment(lib, "bcrypt.lib")
+#  endif
 #  ifndef STATUS_SUCCESS
 #   define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
 #  endif
diff --git a/linux/openssl/crypto/s390x_arch.h b/linux/openssl/crypto/s390x_arch.h
index b47dd53a..64e7ebb5 100644
--- a/linux/openssl/crypto/s390x_arch.h
+++ b/linux/openssl/crypto/s390x_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/crypto/s390xcap.c b/linux/openssl/crypto/s390xcap.c
index 1878b6a4..1097c703 100644
--- a/linux/openssl/crypto/s390xcap.c
+++ b/linux/openssl/crypto/s390xcap.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/crypto/x509/x509_cmp.c b/linux/openssl/crypto/x509/x509_cmp.c
index 1d8d2d7b..3724a118 100644
--- a/linux/openssl/crypto/x509/x509_cmp.c
+++ b/linux/openssl/crypto/x509/x509_cmp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -34,7 +34,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
     unsigned long ret = 0;
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     unsigned char md[16];
-    char *f;
+    char *f = NULL;
 
     if (ctx == NULL)
         goto err;
@@ -45,7 +45,6 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
         goto err;
     if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f)))
         goto err;
-    OPENSSL_free(f);
     if (!EVP_DigestUpdate
         (ctx, (unsigned char *)a->cert_info.serialNumber.data,
          (unsigned long)a->cert_info.serialNumber.length))
@@ -56,6 +55,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
            ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
         ) & 0xffffffffL;
  err:
+    OPENSSL_free(f);
     EVP_MD_CTX_free(ctx);
     return ret;
 }
diff --git a/linux/openssl/crypto/x509/x509_req.c b/linux/openssl/crypto/x509/x509_req.c
index dd674926..a69f9a72 100644
--- a/linux/openssl/crypto/x509/x509_req.c
+++ b/linux/openssl/crypto/x509/x509_req.c
@@ -167,7 +167,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
         ext = X509_ATTRIBUTE_get0_type(attr, 0);
         break;
     }
-    if (!ext || (ext->type != V_ASN1_SEQUENCE))
+    if (ext == NULL) /* no extensions is not an error */
+        return sk_X509_EXTENSION_new_null();
+    if (ext->type != V_ASN1_SEQUENCE)
         return NULL;
     p = ext->value.sequence->data;
     return (STACK_OF(X509_EXTENSION) *)
diff --git a/linux/openssl/crypto/x509/x509_vfy.c b/linux/openssl/crypto/x509/x509_vfy.c
index b18489f6..925fbb54 100644
--- a/linux/openssl/crypto/x509/x509_vfy.c
+++ b/linux/openssl/crypto/x509/x509_vfy.c
@@ -973,14 +973,14 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
     time_t *ptime;
     int i;
 
-    if (notify)
-        ctx->current_crl = crl;
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
     else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
         return 1;
     else
         ptime = NULL;
+    if (notify)
+        ctx->current_crl = crl;
 
     i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
     if (i == 0) {
diff --git a/linux/openssl/crypto/x509/x_crl.c b/linux/openssl/crypto/x509/x_crl.c
index c9762f9e..df0041c0 100644
--- a/linux/openssl/crypto/x509/x_crl.c
+++ b/linux/openssl/crypto/x509/x_crl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -103,13 +103,17 @@ static int crl_set_issuers(X509_CRL *crl)
 
         if (gtmp) {
             gens = gtmp;
-            if (!crl->issuers) {
+            if (crl->issuers == NULL) {
                 crl->issuers = sk_GENERAL_NAMES_new_null();
-                if (!crl->issuers)
+                if (crl->issuers == NULL) {
+                    GENERAL_NAMES_free(gtmp);
                     return 0;
+                }
             }
-            if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
+            if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) {
+                GENERAL_NAMES_free(gtmp);
                 return 0;
+            }
         }
         rev->issuer = gens;
 
@@ -255,7 +259,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         break;
 
     case ASN1_OP_FREE_POST:
-        if (crl->meth->crl_free) {
+        if (crl->meth != NULL && crl->meth->crl_free != NULL) {
             if (!crl->meth->crl_free(crl))
                 return 0;
         }
diff --git a/linux/openssl/crypto/x509v3/v3_addr.c b/linux/openssl/crypto/x509v3/v3_addr.c
index 4258dbc4..f9c368be 100644
--- a/linux/openssl/crypto/x509v3/v3_addr.c
+++ b/linux/openssl/crypto/x509v3/v3_addr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -13,6 +13,8 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <assert.h>
+#include <string.h>
 
 #include "internal/cryptlib.h"
 #include <openssl/conf.h>
@@ -342,8 +344,13 @@ static int range_should_be_prefix(const unsigned char *min,
     unsigned char mask;
     int i, j;
 
-    if (memcmp(min, max, length) <= 0)
-        return -1;
+    /*
+     * It is the responsibility of the caller to confirm min <= max. We don't
+     * use ossl_assert() here since we have no way of signalling an error from
+     * this function - so we just use a plain assert instead.
+     */
+    assert(memcmp(min, max, length) <= 0);
+
     for (i = 0; i < length && min[i] == max[i]; i++) ;
     for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
     if (i < j)
@@ -385,12 +392,14 @@ static int range_should_be_prefix(const unsigned char *min,
 /*
  * Construct a prefix.
  */
-static int make_addressPrefix(IPAddressOrRange **result,
-                              unsigned char *addr, const int prefixlen)
+static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
+                              const int prefixlen, const int afilen)
 {
     int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
     IPAddressOrRange *aor = IPAddressOrRange_new();
 
+    if (prefixlen < 0 || prefixlen > (afilen * 8))
+        return 0;
     if (aor == NULL)
         return 0;
     aor->type = IPAddressOrRange_addressPrefix;
@@ -426,8 +435,11 @@ static int make_addressRange(IPAddressOrRange **result,
     IPAddressOrRange *aor;
     int i, prefixlen;
 
+    if (memcmp(min, max, length) > 0)
+        return 0;
+
     if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
-        return make_addressPrefix(result, min, prefixlen);
+        return make_addressPrefix(result, min, prefixlen, length);
 
     if ((aor = IPAddressOrRange_new()) == NULL)
         return 0;
@@ -589,7 +601,9 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr,
 {
     IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
     IPAddressOrRange *aor;
-    if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
+
+    if (aors == NULL
+            || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi)))
         return 0;
     if (sk_IPAddressOrRange_push(aors, aor))
         return 1;
@@ -986,7 +1000,10 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
         switch (delim) {
         case '/':
             prefixlen = (int)strtoul(s + i2, &t, 10);
-            if (t == s + i2 || *t != '\0') {
+            if (t == s + i2
+                    || *t != '\0'
+                    || prefixlen > (length * 8)
+                    || prefixlen < 0) {
                 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                           X509V3_R_EXTENSION_VALUE_ERROR);
                 X509V3_conf_err(val);
diff --git a/linux/openssl/crypto/x509v3/v3_asid.c b/linux/openssl/crypto/x509v3/v3_asid.c
index ac685726..8e9e9198 100644
--- a/linux/openssl/crypto/x509v3/v3_asid.c
+++ b/linux/openssl/crypto/x509v3/v3_asid.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -700,15 +700,28 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
  */
 int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
 {
-    return (a == NULL ||
-            a == b ||
-            (b != NULL &&
-             !X509v3_asid_inherits(a) &&
-             !X509v3_asid_inherits(b) &&
-             asid_contains(b->asnum->u.asIdsOrRanges,
-                           a->asnum->u.asIdsOrRanges) &&
-             asid_contains(b->rdi->u.asIdsOrRanges,
-                           a->rdi->u.asIdsOrRanges)));
+    int subset;
+
+    if (a == NULL || a == b)
+        return 1;
+
+    if (b == NULL)
+        return 0;
+
+    if (X509v3_asid_inherits(a) || X509v3_asid_inherits(b))
+        return 0;
+
+    subset = a->asnum == NULL
+             || (b->asnum != NULL
+                 && asid_contains(b->asnum->u.asIdsOrRanges,
+                                  a->asnum->u.asIdsOrRanges));
+    if (!subset)
+        return 0;
+
+    return a->rdi == NULL
+           || (b->rdi != NULL
+               && asid_contains(b->rdi->u.asIdsOrRanges,
+                                a->rdi->u.asIdsOrRanges));
 }
 
 /*
diff --git a/linux/openssl/crypto/x509v3/v3_lib.c b/linux/openssl/crypto/x509v3/v3_lib.c
index 97c1cbc2..d7e7c9a5 100644
--- a/linux/openssl/crypto/x509v3/v3_lib.c
+++ b/linux/openssl/crypto/x509v3/v3_lib.c
@@ -242,8 +242,10 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
         }
         /* If delete, just delete it */
         if (ext_op == X509V3_ADD_DELETE) {
-            if (!sk_X509_EXTENSION_delete(*x, extidx))
+            extmp = sk_X509_EXTENSION_delete(*x, extidx);
+            if (extmp == NULL)
                 return -1;
+            X509_EXTENSION_free(extmp);
             return 1;
         }
     } else {
diff --git a/linux/openssl/crypto/x509v3/v3_sxnet.c b/linux/openssl/crypto/x509v3/v3_sxnet.c
index 89cda01b..3c5508f9 100644
--- a/linux/openssl/crypto/x509v3/v3_sxnet.c
+++ b/linux/openssl/crypto/x509v3/v3_sxnet.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -57,15 +57,29 @@ IMPLEMENT_ASN1_FUNCTIONS(SXNET)
 static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
                      int indent)
 {
-    long v;
+    int64_t v;
     char *tmp;
     SXNETID *id;
     int i;
-    v = ASN1_INTEGER_get(sx->version);
-    BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
+
+    /*
+     * Since we add 1 to the version number to display it, we don't support
+     * LONG_MAX since that would cause on overflow.
+     */
+    if (!ASN1_INTEGER_get_int64(&v, sx->version)
+            || v >= LONG_MAX
+            || v < LONG_MIN) {
+        BIO_printf(out, "%*sVersion: <unsupported>", indent, "");
+    } else {
+        long vl = (long)v;
+
+        BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl);
+    }
     for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
         id = sk_SXNETID_value(sx->ids, i);
         tmp = i2s_ASN1_INTEGER(NULL, id->zone);
+        if (tmp == NULL)
+            return 0;
         BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
         OPENSSL_free(tmp);
         ASN1_STRING_print(out, id->user);
diff --git a/linux/openssl/crypto/x509v3/v3_utl.c b/linux/openssl/crypto/x509v3/v3_utl.c
index a7ff4b4f..eac78259 100644
--- a/linux/openssl/crypto/x509v3/v3_utl.c
+++ b/linux/openssl/crypto/x509v3/v3_utl.c
@@ -1087,12 +1087,17 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc)
 
 static int ipv4_from_asc(unsigned char *v4, const char *in)
 {
-    int a0, a1, a2, a3;
-    if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+    const char *p;
+    int a0, a1, a2, a3, n;
+
+    if (sscanf(in, "%d.%d.%d.%d%n", &a0, &a1, &a2, &a3, &n) != 4)
         return 0;
     if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
         || (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
         return 0;
+    p = in + n;
+    if (!(*p == '\0' || ossl_isspace(*p)))
+        return 0;
     v4[0] = a0;
     v4[1] = a1;
     v4[2] = a2;
diff --git a/linux/openssl/include/openssl/opensslv.h b/linux/openssl/include/openssl/opensslv.h
index 561593b4..036ebba2 100644
--- a/linux/openssl/include/openssl/opensslv.h
+++ b/linux/openssl/include/openssl/opensslv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x101010f0L
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1o-dev  xx XXX xxxx"
+# define OPENSSL_VERSION_NUMBER  0x10101120L
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1r-dev  xx XXX xxxx"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/linux/openssl/include/openssl/ssl.h b/linux/openssl/include/openssl/ssl.h
index fd0c5a99..9af0c899 100644
--- a/linux/openssl/include/openssl/ssl.h
+++ b/linux/openssl/include/openssl/ssl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1305,6 +1305,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_GET_MAX_PROTO_VERSION          131
 # define SSL_CTRL_GET_SIGNATURE_NID              132
 # define SSL_CTRL_GET_TMP_KEY                    133
+# define SSL_CTRL_GET_VERIFY_CERT_STORE          137
+# define SSL_CTRL_GET_CHAIN_CERT_STORE           138
 # define SSL_CERT_SET_FIRST                      1
 # define SSL_CERT_SET_NEXT                       2
 # define SSL_CERT_SET_SERVER                     3
@@ -1360,10 +1362,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_CTX_set1_verify_cert_store(ctx,st) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
+# define SSL_CTX_get0_verify_cert_store(ctx,st) \
+        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_CTX_set0_chain_cert_store(ctx,st) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_CTX_set1_chain_cert_store(ctx,st) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
+# define SSL_CTX_get0_chain_cert_store(ctx,st) \
+        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_set0_chain(s,sk) \
         SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk))
 # define SSL_set1_chain(s,sk) \
@@ -1386,10 +1392,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
         SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_set1_verify_cert_store(s,st) \
         SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
+#define SSL_get0_verify_cert_store(s,st) \
+        SSL_ctrl(s,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))
 # define SSL_set0_chain_cert_store(s,st) \
         SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_set1_chain_cert_store(s,st) \
         SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
+#define SSL_get0_chain_cert_store(s,st) \
+        SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))
 # define SSL_get1_groups(s, glist) \
         SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))
 # define SSL_CTX_set1_groups(ctx, glist, glistlen) \
diff --git a/linux/openssl/ssl/packet.c b/linux/openssl/ssl/packet.c
index 1ddde969..691a82b7 100644
--- a/linux/openssl/ssl/packet.c
+++ b/linux/openssl/ssl/packet.c
@@ -161,7 +161,7 @@ int WPACKET_set_flags(WPACKET *pkt, unsigned int flags)
 }
 
 /* Store the |value| of length |len| at location |data| */
-static int put_value(unsigned char *data, size_t value, size_t len)
+static int put_value(unsigned char *data, uint64_t value, size_t len)
 {
     for (data += len - 1; len > 0; len--) {
         *data = (unsigned char)(value & 0xff);
@@ -306,12 +306,12 @@ int WPACKET_start_sub_packet(WPACKET *pkt)
     return WPACKET_start_sub_packet_len__(pkt, 0);
 }
 
-int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t size)
+int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t size)
 {
     unsigned char *data;
 
     /* Internal API, so should not fail */
-    if (!ossl_assert(size <= sizeof(unsigned int))
+    if (!ossl_assert(size <= sizeof(uint64_t))
             || !WPACKET_allocate_bytes(pkt, size, &data)
             || !put_value(data, val, size))
         return 0;
diff --git a/linux/openssl/ssl/packet_local.h b/linux/openssl/ssl/packet_local.h
index 1b6c2fb9..e93680d8 100644
--- a/linux/openssl/ssl/packet_local.h
+++ b/linux/openssl/ssl/packet_local.h
@@ -227,6 +227,28 @@ __owur static ossl_inline int PACKET_peek_net_4(const PACKET *pkt,
     return 1;
 }
 
+/*
+ * Peek ahead at 8 bytes in network order from |pkt| and store the value in
+ * |*data|
+ */
+__owur static ossl_inline int PACKET_peek_net_8(const PACKET *pkt,
+                                                uint64_t *data)
+{
+    if (PACKET_remaining(pkt) < 8)
+        return 0;
+
+    *data = ((uint64_t)(*pkt->curr)) << 56;
+    *data |= ((uint64_t)(*(pkt->curr + 1))) << 48;
+    *data |= ((uint64_t)(*(pkt->curr + 2))) << 40;
+    *data |= ((uint64_t)(*(pkt->curr + 3))) << 32;
+    *data |= ((uint64_t)(*(pkt->curr + 4))) << 24;
+    *data |= ((uint64_t)(*(pkt->curr + 5))) << 16;
+    *data |= ((uint64_t)(*(pkt->curr + 6))) << 8;
+    *data |= *(pkt->curr + 7);
+
+    return 1;
+}
+
 /* Equivalent of n2l */
 /* Get 4 bytes in network order from |pkt| and store the value in |*data| */
 __owur static ossl_inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data)
@@ -250,6 +272,17 @@ __owur static ossl_inline int PACKET_get_net_4_len(PACKET *pkt, size_t *data)
 
     return ret;
 }
+ 
+/* Get 8 bytes in network order from |pkt| and store the value in |*data| */
+__owur static ossl_inline int PACKET_get_net_8(PACKET *pkt, uint64_t *data)
+{
+    if (!PACKET_peek_net_8(pkt, data))
+        return 0;
+
+    packet_forward(pkt, 8);
+
+    return 1;
+}
 
 /* Peek ahead at 1 byte from |pkt| and store the value in |*data| */
 __owur static ossl_inline int PACKET_peek_1(const PACKET *pkt,
@@ -808,7 +841,7 @@ int WPACKET_sub_reserve_bytes__(WPACKET *pkt, size_t len,
  * 1 byte will fail. Don't call this directly. Use the convenience macros below
  * instead.
  */
-int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes);
+int WPACKET_put_bytes__(WPACKET *pkt, uint64_t val, size_t bytes);
 
 /*
  * Convenience macros for calling WPACKET_put_bytes with different
@@ -822,6 +855,8 @@ int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes);
     WPACKET_put_bytes__((pkt), (val), 3)
 #define WPACKET_put_bytes_u32(pkt, val) \
     WPACKET_put_bytes__((pkt), (val), 4)
+#define WPACKET_put_bytes_u64(pkt, val) \
+    WPACKET_put_bytes__((pkt), (val), 8)
 
 /* Set a maximum size that we will not allow the WPACKET to grow beyond */
 int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize);
diff --git a/linux/openssl/ssl/record/rec_layer_s3.c b/linux/openssl/ssl/record/rec_layer_s3.c
index 8249b4ac..23cd4219 100644
--- a/linux/openssl/ssl/record/rec_layer_s3.c
+++ b/linux/openssl/ssl/record/rec_layer_s3.c
@@ -115,10 +115,22 @@ size_t ssl3_pending(const SSL *s)
     if (s->rlayer.rstate == SSL_ST_READ_BODY)
         return 0;
 
+    /* Take into account DTLS buffered app data */
+    if (SSL_IS_DTLS(s)) {
+        DTLS1_RECORD_DATA *rdata;
+        pitem *item, *iter;
+
+        iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
+        while ((item = pqueue_next(&iter)) != NULL) {
+            rdata = item->data;
+            num += rdata->rrec.length;
+        }
+    }
+
     for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) {
         if (SSL3_RECORD_get_type(&s->rlayer.rrec[i])
             != SSL3_RT_APPLICATION_DATA)
-            return 0;
+            return num;
         num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]);
     }
 
diff --git a/linux/openssl/ssl/record/ssl3_record.c b/linux/openssl/ssl/record/ssl3_record.c
index f1585447..47c7369e 100644
--- a/linux/openssl/ssl/record/ssl3_record.c
+++ b/linux/openssl/ssl/record/ssl3_record.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -1532,6 +1532,7 @@ int ssl3_cbc_copy_mac(unsigned char *out,
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
     unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
     unsigned char *rotated_mac;
+    char aux1, aux2, aux3, mask;
 #else
     unsigned char rotated_mac[EVP_MAX_MD_SIZE];
 #endif
@@ -1581,9 +1582,16 @@ int ssl3_cbc_copy_mac(unsigned char *out,
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
     j = 0;
     for (i = 0; i < md_size; i++) {
-        /* in case cache-line is 32 bytes, touch second line */
-        ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
-        out[j++] = rotated_mac[rotate_offset++];
+        /*
+         * in case cache-line is 32 bytes,
+         * load from both lines and select appropriately
+         */
+        aux1 = rotated_mac[rotate_offset & ~32];
+        aux2 = rotated_mac[rotate_offset | 32];
+        mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset);
+        aux3 = constant_time_select_8(mask, aux1, aux2);
+        out[j++] = aux3;
+        rotate_offset++;
         rotate_offset &= constant_time_lt_s(rotate_offset, md_size);
     }
 #else
diff --git a/linux/openssl/ssl/s3_enc.c b/linux/openssl/ssl/s3_enc.c
index eb1f36ac..7b119b45 100644
--- a/linux/openssl/ssl/s3_enc.c
+++ b/linux/openssl/ssl/s3_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/linux/openssl/ssl/s3_lib.c b/linux/openssl/ssl/s3_lib.c
index e4cf007f..32f9b257 100644
--- a/linux/openssl/ssl/s3_lib.c
+++ b/linux/openssl/ssl/s3_lib.c
@@ -3676,6 +3676,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
     case SSL_CTRL_SET_CHAIN_CERT_STORE:
         return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
 
+    case SSL_CTRL_GET_VERIFY_CERT_STORE:
+        return ssl_cert_get_cert_store(s->cert, parg, 0);
+
+    case SSL_CTRL_GET_CHAIN_CERT_STORE:
+        return ssl_cert_get_cert_store(s->cert, parg, 1);
+
     case SSL_CTRL_GET_PEER_SIGNATURE_NID:
         if (s->s3->tmp.peer_sigalg == NULL)
             return 0;
@@ -3949,6 +3955,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
     case SSL_CTRL_SET_CHAIN_CERT_STORE:
         return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
 
+    case SSL_CTRL_GET_VERIFY_CERT_STORE:
+        return ssl_cert_get_cert_store(ctx->cert, parg, 0);
+
+    case SSL_CTRL_GET_CHAIN_CERT_STORE:
+        return ssl_cert_get_cert_store(ctx->cert, parg, 1);
+
         /* A Thawte special :-) */
     case SSL_CTRL_EXTRA_CHAIN_CERT:
         if (ctx->extra_certs == NULL) {
diff --git a/linux/openssl/ssl/ssl_cert.c b/linux/openssl/ssl/ssl_cert.c
index eba96b20..b615e704 100644
--- a/linux/openssl/ssl/ssl_cert.c
+++ b/linux/openssl/ssl/ssl_cert.c
@@ -876,6 +876,12 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
     return 1;
 }
 
+int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain)
+{
+    *pstore = (chain ? c->chain_store : c->verify_store);
+    return 1;
+}
+
 int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
 {
     int level;
diff --git a/linux/openssl/ssl/ssl_init.c b/linux/openssl/ssl/ssl_init.c
index d2bcd973..a5d45480 100644
--- a/linux/openssl/ssl/ssl_init.c
+++ b/linux/openssl/ssl/ssl_init.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/ssl/ssl_lib.c b/linux/openssl/ssl/ssl_lib.c
index 7383badc..47adc321 100644
--- a/linux/openssl/ssl/ssl_lib.c
+++ b/linux/openssl/ssl/ssl_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1510,12 +1510,26 @@ int SSL_has_pending(const SSL *s)
 {
     /*
      * Similar to SSL_pending() but returns a 1 to indicate that we have
-     * unprocessed data available or 0 otherwise (as opposed to the number of
-     * bytes available). Unlike SSL_pending() this will take into account
-     * read_ahead data. A 1 return simply indicates that we have unprocessed
-     * data. That data may not result in any application data, or we may fail
-     * to parse the records for some reason.
+     * processed or unprocessed data available or 0 otherwise (as opposed to the
+     * number of bytes available). Unlike SSL_pending() this will take into
+     * account read_ahead data. A 1 return simply indicates that we have data.
+     * That data may not result in any application data, or we may fail to parse
+     * the records for some reason.
      */
+
+    /* Check buffered app data if any first */
+    if (SSL_IS_DTLS(s)) {
+        DTLS1_RECORD_DATA *rdata;
+        pitem *item, *iter;
+
+        iter = pqueue_iterator(s->rlayer.d->buffered_app_data.q);
+        while ((item = pqueue_next(&iter)) != NULL) {
+            rdata = item->data;
+            if (rdata->rrec.length > 0)
+                return 1;
+        }
+    }
+
     if (RECORD_LAYER_processed_read_pending(&s->rlayer))
         return 1;
 
diff --git a/linux/openssl/ssl/ssl_local.h b/linux/openssl/ssl/ssl_local.h
index 9f346e30..5c792154 100644
--- a/linux/openssl/ssl/ssl_local.h
+++ b/linux/openssl/ssl/ssl_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -2301,6 +2301,7 @@ __owur int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags);
 __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,
                                    int ref);
+__owur int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain);
 
 __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
 __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
diff --git a/linux/openssl/ssl/ssl_txt.c b/linux/openssl/ssl/ssl_txt.c
index eb5d01e3..759e1873 100644
--- a/linux/openssl/ssl/ssl_txt.c
+++ b/linux/openssl/ssl/ssl_txt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/linux/openssl/ssl/statem/extensions_clnt.c b/linux/openssl/ssl/statem/extensions_clnt.c
index 9d38ac23..1cbaefa9 100644
--- a/linux/openssl/ssl/statem/extensions_clnt.c
+++ b/linux/openssl/ssl/statem/extensions_clnt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -118,6 +118,8 @@ static int use_ecc(SSL *s)
     int i, end, ret = 0;
     unsigned long alg_k, alg_a;
     STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
+    const uint16_t *pgroups = NULL;
+    size_t num_groups, j;
 
     /* See if we support any ECC ciphersuites */
     if (s->version == SSL3_VERSION)
@@ -139,7 +141,19 @@ static int use_ecc(SSL *s)
     }
 
     sk_SSL_CIPHER_free(cipher_stack);
-    return ret;
+    if (!ret)
+        return 0;
+
+    /* Check we have at least one EC supported group */
+    tls1_get_supported_groups(s, &pgroups, &num_groups);
+    for (j = 0; j < num_groups; j++) {
+        uint16_t ctmp = pgroups[j];
+
+        if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
+            return 1;
+    }
+
+    return 0;
 }
 
 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
@@ -988,7 +1002,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx)
 {
 #ifndef OPENSSL_NO_TLS1_3
-    uint32_t now, agesec, agems = 0;
+    uint32_t agesec, agems = 0;
     size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
     unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
     const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
@@ -1045,8 +1059,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
          * this in multiple places in the code, so portability shouldn't be an
          * issue.
          */
-        now = (uint32_t)time(NULL);
-        agesec = now - (uint32_t)s->session->time;
+        agesec = (uint32_t)(time(NULL) - s->session->time);
         /*
          * We calculate the age in seconds but the server may work in ms. Due to
          * rounding errors we could overestimate the age by up to 1s. It is
diff --git a/linux/openssl/ssl/statem/extensions_srvr.c b/linux/openssl/ssl/statem/extensions_srvr.c
index 04f64f81..93a9b675 100644
--- a/linux/openssl/ssl/statem/extensions_srvr.c
+++ b/linux/openssl/ssl/statem/extensions_srvr.c
@@ -12,16 +12,16 @@
 #include "statem_local.h"
 #include "internal/cryptlib.h"
 
-#define COOKIE_STATE_FORMAT_VERSION     0
+#define COOKIE_STATE_FORMAT_VERSION     1
 
 /*
  * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
  * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
- * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
+ * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
  * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
  * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
  */
-#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
+#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
                          + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
 
 /*
@@ -741,7 +741,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     unsigned char hmac[SHA256_DIGEST_LENGTH];
     unsigned char hrr[MAX_HRR_SIZE];
     size_t rawlen, hmaclen, hrrlen, ciphlen;
-    unsigned long tm, now;
+    uint64_t tm, now;
 
     /* Ignore any cookie if we're not set up to verify it */
     if (s->ctx->verify_stateless_cookie_cb == NULL
@@ -851,7 +851,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     }
 
     if (!PACKET_get_1(&cookie, &key_share)
-            || !PACKET_get_net_4(&cookie, &tm)
+            || !PACKET_get_net_8(&cookie, &tm)
             || !PACKET_get_length_prefixed_2(&cookie, &chhash)
             || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
             || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
@@ -861,7 +861,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     }
 
     /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
-    now = (unsigned long)time(NULL);
+    now = time(NULL);
     if (tm > now || (now - tm) > 600) {
         /* Cookie is stale. Ignore it */
         return 1;
@@ -1167,7 +1167,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                 s->ext.early_data_ok = 1;
             s->ext.ticket_expected = 1;
         } else {
-            uint32_t ticket_age = 0, now, agesec, agems;
+            uint32_t ticket_age = 0, agesec, agems;
             int ret;
 
             /*
@@ -1209,8 +1209,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
             }
 
             ticket_age = (uint32_t)ticket_agel;
-            now = (uint32_t)time(NULL);
-            agesec = now - (uint32_t)sess->time;
+            agesec = (uint32_t)(time(NULL) - sess->time);
             agems = agesec * (uint32_t)1000;
             ticket_age -= sess->ext.tick_age_add;
 
@@ -1800,7 +1799,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
                                               &ciphlen)
                /* Is there a key_share extension present in this HRR? */
             || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
-            || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
+            || !WPACKET_put_bytes_u64(pkt, time(NULL))
             || !WPACKET_start_sub_packet_u16(pkt)
             || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
diff --git a/linux/openssl/ssl/statem/statem_clnt.c b/linux/openssl/ssl/statem/statem_clnt.c
index 2bc5cf5e..d19c44e8 100644
--- a/linux/openssl/ssl/statem/statem_clnt.c
+++ b/linux/openssl/ssl/statem/statem_clnt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
diff --git a/linux/openssl/ssl/statem/statem_dtls.c b/linux/openssl/ssl/statem/statem_dtls.c
index 620367ac..8fe6cea7 100644
--- a/linux/openssl/ssl/statem/statem_dtls.c
+++ b/linux/openssl/ssl/statem/statem_dtls.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/linux/openssl/ssl/statem/statem_srvr.c b/linux/openssl/ssl/statem/statem_srvr.c
index 79cfd1d8..43f77a58 100644
--- a/linux/openssl/ssl/statem/statem_srvr.c
+++ b/linux/openssl/ssl/statem/statem_srvr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
diff --git a/linux/openssl/ssl/t1_enc.c b/linux/openssl/ssl/t1_enc.c
index 2087b274..f8e53d4e 100644
--- a/linux/openssl/ssl/t1_enc.c
+++ b/linux/openssl/ssl/t1_enc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2005 Nokia. All rights reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/linux/openssl/ssl/t1_lib.c b/linux/openssl/ssl/t1_lib.c
index b1d3add1..5f657f88 100644
--- a/linux/openssl/ssl/t1_lib.c
+++ b/linux/openssl/ssl/t1_lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -2369,22 +2369,20 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 
         ca_dn = s->s3->tmp.peer_ca_names;
 
-        if (!sk_X509_NAME_num(ca_dn))
+        if (ca_dn == NULL
+            || sk_X509_NAME_num(ca_dn) == 0
+            || ssl_check_ca_name(ca_dn, x))
             rv |= CERT_PKEY_ISSUER_NAME;
-
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
-            if (ssl_check_ca_name(ca_dn, x))
-                rv |= CERT_PKEY_ISSUER_NAME;
-        }
-        if (!(rv & CERT_PKEY_ISSUER_NAME)) {
+        else
             for (i = 0; i < sk_X509_num(chain); i++) {
                 X509 *xtmp = sk_X509_value(chain, i);
+
                 if (ssl_check_ca_name(ca_dn, xtmp)) {
                     rv |= CERT_PKEY_ISSUER_NAME;
                     break;
                 }
             }
-        }
+
         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
             goto end;
     } else
@@ -2555,6 +2553,8 @@ int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *x, int vfy)
     int rv, start_idx, i;
     if (x == NULL) {
         x = sk_X509_value(sk, 0);
+        if (x == NULL)
+            return ERR_R_INTERNAL_ERROR;
         start_idx = 1;
     } else
         start_idx = 0;
diff --git a/linux/openssl/ssl/tls13_enc.c b/linux/openssl/ssl/tls13_enc.c
index b8fb07f2..51ca1050 100644
--- a/linux/openssl/ssl/tls13_enc.c
+++ b/linux/openssl/ssl/tls13_enc.c
@@ -190,6 +190,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
     if (!ossl_assert(mdleni >= 0)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
                  ERR_R_INTERNAL_ERROR);
+        EVP_PKEY_CTX_free(pctx);
         return 0;
     }
     mdlen = (size_t)mdleni;
diff --git a/linux/tor/src/app/config/fallback_dirs.inc b/linux/tor/src/app/config/fallback_dirs.inc
index 87c1886e..24c17391 100644
--- a/linux/tor/src/app/config/fallback_dirs.inc
+++ b/linux/tor/src/app/config/fallback_dirs.inc
@@ -3,1100 +3,1093 @@
 /* timestamp=20210412000000 */
 /* source=offer-list */
 //
-// Generated on: Fri, 04 Feb 2022 15:49:02 +0000
+// Generated on: Thu, 11 Aug 2022 13:39:28 +0000
 
-"140.78.100.21 orport=5443 id=6E3508CB2374D411CD41FEE8ECDF70DA3A2F7A28"
-/* nickname=INSRelay21at5443 */
+"93.174.89.131 orport=9005 id=C0DC5DC08B91A5A17BF530E33F02FF4236ADE001"
+/* nickname=Gulltopp */
 /* extrainfo=0 */
 /* ===== */
 ,
-"88.196.80.132 orport=443 id=86CDD0D92AB972538416A382D99666736CDDF141"
-/* nickname=RyderIII */
+"51.254.45.43 orport=9000 id=F9CB3FD4C7804F03105AAF1BF7B6C7D2DA7DD522"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.239.217.68 orport=4433 id=FFBC69467B37D6AC66598BBD295F9B0D74119ADC"
-/* nickname=plan9leia */
+"162.250.191.222 orport=9001 id=B709788A358ED835EF8608D27A02F5D1D632D234"
+/* nickname=hdjfgsfkmNflnzjg */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.100.247 orport=9100 id=B891CB6370CF7C51C6FB24D80947AFB7ED463D00"
-" ipv6=[2a0b:f4c0:16c:9::1]:9100"
-/* nickname=niftygrolantor */
+"188.68.38.76 orport=9001 id=6C1B288D873C75A696EB70E9FF713B786D37D192"
+" ipv6=[2a03:4000:13:aeb::1]:9001"
+/* nickname=BigOnion */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.121.108.236 orport=9001 id=C5F0591A16BD68EB88170D921B0E331F180E624B"
-/* nickname=HjelmEnterprises01 */
+"144.217.95.12 orport=9001 id=8885EA6F74A694825B13B8A7080F6CF164DF74FB"
+" ipv6=[2607:5300:201:3000::49be]:9001"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.72.7 orport=9000 id=035F813195F0CB9F567EDFDF60C6745CA36BA0BD"
-" ipv6=[2605:6400:30:ed94:5152:73e1:5e88:35f4]:9000"
-/* nickname=Quetzalcoatl */
+"158.101.203.38 orport=9001 id=145223A4F761DD9F0E14DCDF5120FED4F998FDC6"
+" ipv6=[2603:c022:c002:b0e:df68:94b3:52b1:5f2c]:9001"
+/* nickname=RelayChu2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"46.126.164.243 orport=443 id=7B28971D4A29995784E3066B9D87E42E9C685F3A"
-/* nickname=torified */
+"188.138.33.149 orport=443 id=BD6FFF1AD5A88A8D43870D43EC4450081B4B2BBA"
+/* nickname=bonjour2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"99.45.175.117 orport=443 id=515100EDE19C0F5E0CADD391DE33E0DE14B00FDD"
-" ipv6=[2600:1700:6972:1200:dea6:32ff:fec5:ff87]:443"
-/* nickname=pi87 */
+"185.220.103.115 orport=443 id=29D245A6831839CBD12CF61B6BD6AC4F0461BFAD"
+/* nickname=psychopomp8 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"54.38.219.251 orport=443 id=C303038FDCC72805A160FF64E994333A49ECDA71"
-" ipv6=[2001:470:73f7::7]:443"
-/* nickname=Fission12 */
+"193.189.100.199 orport=443 id=9FA8A16163FB6BDF228E45E329B0E5ACEDBD8309"
+" ipv6=[2a0f:df00:0:255::199]:443"
+/* nickname=TORKeFFORG6 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.183.194.90 orport=443 id=4CEAFCE5841C0DAE30164B4F59452F7F4D818A67"
-" ipv6=[2001:1620:425a:6fde::10]:443"
-/* nickname=QOnan */
+"163.172.45.4 orport=3302 id=2ABE8A09D3403BE5CF896F77EABE23762002A761"
+/* nickname=anoncicada */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.179 orport=443 id=3A1BC65DF03ECD50FDF7CFF9C5A4E049FCB9C1AF"
-" ipv6=[2620:7:6001::179]:80"
-/* nickname=Quintex90 */
+"185.207.106.222 orport=9100 id=555A6B7CB3D8ECA376B4CB6701596A7B211E21D3"
+" ipv6=[2a03:4000:1e:7f5:38a9:d5ff:fe31:66f6]:9100"
+/* nickname=Quetzalcoatl */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.101.10 orport=9443 id=DA9ABAEA49FBF9E75E9EC020380E361688A3B23E"
-" ipv6=[2a0b:f4c2::10]:9443"
-/* nickname=artikel10ber20 */
+"51.15.37.100 orport=9001 id=FF06E7A068A1CA66CE593DCE85E2477807C48302"
+" ipv6=[2001:bc8:1820:e50::1]:9001"
+/* nickname=hsjeufh24h6 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"67.3.185.13 orport=443 id=EC4B6AF202EFE752C4D9E2FBD092C4EAE779ADA1"
-/* nickname=Unnamed */
+"82.221.131.71 orport=443 id=038C30D2AD053147C91EFB1291527ED621D7D1B1"
+/* nickname=turnt */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.77.73 orport=9001 id=2FE81C1FD45AC593193F04DF781980257E4BCD03"
-/* nickname=Hydra62 */
+"51.159.158.157 orport=443 id=69C9BFA0C228AFA0548A9FF9B7C8C229B6AA9FAC"
+/* nickname=tirz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.4.134.104 orport=9001 id=C6E3910CBADCA6D2D7E932AB31A038EDD6A6FB79"
-" ipv6=[2a02:c500:2:110::2d49]:9001"
-/* nickname=Assange023gr */
+"193.31.24.154 orport=9001 id=68057FD302B0F83C0ED00B6D70FDAD6BEEF2005B"
+/* nickname=4punk7e2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"82.223.14.245 orport=443 id=9C5AFD49AAE4E0272BAD780C6DD71CE1A36012A6"
-" ipv6=[2001:ba0:1800:91::1]:443"
-/* nickname=coffswifi4 */
+"185.227.68.78 orport=443 id=1137AB1F84EC2D52DFB1915717F14FF1A10EB392"
+/* nickname=giovanna */
 /* extrainfo=0 */
 /* ===== */
 ,
-"87.118.116.103 orport=443 id=26C28F29B611DF4DE23ACF5D9DC1EB4895EF5E8B"
-" ipv6=[2001:1b60:3:221:4134:101:0:1]:443"
-/* nickname=artikel5ev4 */
+"178.175.148.195 orport=9001 id=FE08DBDFAB6DB54CECA7F25D259EDF1D597DD28C"
+" ipv6=[2a00:1dc0:caff:189::3582]:9001"
+/* nickname=COCAINE */
 /* extrainfo=0 */
 /* ===== */
 ,
-"80.98.81.157 orport=9001 id=2D8A907F61CAED48170963B76BE4FB0ED33E5E88"
-/* nickname=nCT8d6e5bW2v */
+"93.190.143.41 orport=9001 id=504F23DC734459DBBA58B2F11A4799EB945188A3"
+/* nickname=whiplash */
 /* extrainfo=0 */
 /* ===== */
 ,
-"108.184.13.208 orport=9001 id=D195E5CE8AE77BAC91673E6CFB7BD0AF57281646"
-/* nickname=OhNoAnotherRelay01 */
+"139.99.46.190 orport=443 id=07C102D6B027E5B2B9C942E3E942C0F24DFEE51B"
+/* nickname=FreeMirrorOrgSG */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.54.33.64 orport=9001 id=54D1F9D1EE2CBC48F8F4BBF9CF0A0E7ED45FE6B7"
-/* nickname=Assange042de */
+"195.154.200.68 orport=9001 id=FFF599954C3821A28620E95C08CBDC6245E9DDAA"
+/* nickname=DoctorWho */
 /* extrainfo=0 */
 /* ===== */
 ,
-"91.143.88.62 orport=443 id=F9246DEF2B653807236DA134F2AEAB103D58ABFE"
-" ipv6=[2a02:180:6:1::3d8]:443"
-/* nickname=Freebird31 */
+"12.208.119.235 orport=1500 id=6FB696082627843949A808CEC38903DB8190F811"
+/* nickname=SmallTownHostingTOR */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.78 orport=443 id=CB7C0D841FE376EF43F7845FF201B0290C0A239E"
-" ipv6=[2620:7:6001::ffff:c759:e64e]:80"
-/* nickname=QuintexAirVPN25 */
+"62.182.84.241 orport=9001 id=2062C6FE40ED6329F02EAC8FB8DE3B682F9910EC"
+/* nickname=EpicTor4 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.47.178.97 orport=8080 id=1CA811478AB30F5DE80825E15F95AF18DCD32B2F"
-" ipv6=[2a01:4f8:c0c:57ef::1]:8080"
-/* nickname=mig5rezo */
+"46.246.44.53 orport=443 id=9AA3EC3BD334C8998762CF358761164D22481EB4"
+" ipv6=[2a02:752:0:18::17c2]:443"
+/* nickname=FromSwedenWithLove */
 /* extrainfo=0 */
 /* ===== */
 ,
-"84.75.28.247 orport=9201 id=175D63EFB9176BFADD306843960BFC085A2ABA93"
-/* nickname=bluemax666 */
+"23.129.64.170 orport=443 id=40B461D3F99EA2DE118902AD22B1BA7AE7E9281F"
+" ipv6=[2620:18c:0:192::170]:443"
+/* nickname=Saiberpunk2077 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"140.78.100.29 orport=5443 id=795D165D2AD5E7FFE28573924F92895D08E0170D"
-/* nickname=INSRelay29at5443 */
+"185.86.151.168 orport=443 id=557B39146EB121C8CFA22C48AD78BDBDBC8FF3A1"
+" ipv6=[2a02:7aa0:43::e748:81a9]:443"
+/* nickname=KUEXBON */
 /* extrainfo=0 */
 /* ===== */
 ,
-"141.105.67.58 orport=443 id=B15C0071EAF508AAEE29DB9D07607C84AA2DDEB3"
-/* nickname=cytherea */
+"185.220.101.11 orport=9443 id=F82E2221121EB77A2DE3E6941027265027EA2378"
+" ipv6=[2a0b:f4c2::11]:9443"
+/* nickname=artikel10ber22 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"193.105.73.80 orport=9001 id=9DC8B0282A8D3C45212167C454B503243BC93957"
-/* nickname=akira */
+"77.20.28.103 orport=14353 id=56EB7166B05DB6531F663F8317CE02EEE5AFED4F"
+/* nickname=DocTor */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.15.246.170 orport=443 id=C0DAAAE5EE461BBE13945FE4B52F32ABDC6BC376"
-" ipv6=[2001:bc8:47b0:1756::1]:443"
-/* nickname=mitsuha */
+"51.83.129.245 orport=443 id=FD63B0A3E3C7B3759DE54B509BD3CD1A8C0D01C1"
+/* nickname=Mataka */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.59.46.2 orport=9001 id=A6E3A3C6CE962E917A12E586AE750805899C117B"
-/* nickname=dewebit */
+"207.244.238.230 orport=9001 id=7DA3460B7C1C13DCAB3B49EDD6C376CA8562B3C9"
+" ipv6=[2605:a140:2050:8019::1]:9001"
+/* nickname=Assange006us */
 /* extrainfo=0 */
 /* ===== */
 ,
-"88.198.91.74 orport=443 id=44DC23661E05DEFD94398936D9334987ABCB6E5E"
-" ipv6=[2a01:4f8:160:6092:d7bd:a39:3e52:b65d]:443"
-/* nickname=currentlane */
+"139.59.45.242 orport=9001 id=98EAC67EA6814038285F1A100D786AD8A0CD2A5E"
+" ipv6=[2400:6180:100:d0::ffa:8001]:9050"
+/* nickname=pablobm006 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"141.98.103.251 orport=43344 id=4AB1F36362042FCA7100A283599122B6D107E826"
-/* nickname=amun3062 */
+"116.202.55.100 orport=9001 id=C3DFB7BD40B072EB6D46578F1BE021FDD9D60713"
+" ipv6=[2a01:4f8:10b:439b::2]:9001"
+/* nickname=imherefortheparty */
 /* extrainfo=0 */
 /* ===== */
 ,
-"138.197.150.159 orport=443 id=75CF0F66FE18C3116AAB7B678899151DB762B795"
-/* nickname=hrck */
+"185.94.223.112 orport=9001 id=5645739E8EF72CA7D9EE1E12678B51A6FF8711C1"
+/* nickname=5h4d0wNet */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.79.234 orport=9100 id=A15676F5F0F2BA7B1CA54446DDB46BEE6F699A95"
-" ipv6=[2605:6400:30:eeec:4913:c3c1:eec2:151a]:9100"
-/* nickname=Quetzalcoatl */
+"157.90.183.103 orport=9001 id=CC701FCE86D6AF95FC3D5B71645D3430794910C1"
+/* nickname=sutsuj */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.173.159.48 orport=9001 id=4141FDA554F56E9E24DA41153B5C1A756EE43249"
-/* nickname=lamprlogin */
+"104.244.74.28 orport=9001 id=2DB8A946826D0CB4F5C3A8264628DD0F16F6612D"
+" ipv6=[2605:6400:30:f63d:1:ca11:911:1]:9001"
+/* nickname=a9Exit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.172.169.253 orport=9001 id=04A28A62F27D9C4A60F9ED0C4264E98B988C65A3"
-" ipv6=[2001:bc8:47a4:e0a::1]:9001"
-/* nickname=darknebula */
+"87.118.116.12 orport=443 id=4A3B874F0187F2CF0DA3C8F76063B070F9F7A14F"
+/* nickname=tormachine */
 /* extrainfo=0 */
 /* ===== */
 ,
-"24.53.51.144 orport=9002 id=C473C772282D5078E5137C1DB83B62224D5B42DD"
-/* nickname=ClericalSummoning */
+"51.83.132.103 orport=9001 id=94F6A4893A80149AEEEB7509BEFCDBA1AE4D5898"
+" ipv6=[2001:41d0:601:1100::5a7f]:9001"
+/* nickname=torRelayTaledoCorp */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.154.237.147 orport=443 id=FE1B74C7CEE0493613929A92F9A1D890E58DC649"
-/* nickname=unnamed */
+"199.249.230.148 orport=443 id=A389C523BE3B29EA59C75AC557BF5CFB69586DCB"
+" ipv6=[2620:7:6001::148]:80"
+/* nickname=Quintex59 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.162.251.94 orport=9001 id=9C1E47FF205F349D69D569AE7ED15366A5554A46"
-" ipv6=[2a03:4000:1a:5de:6489:b7ff:fe8f:8434]:9001"
-/* nickname=Piratenpartei04 */
+"213.152.168.27 orport=443 id=2F9AFDE43DC8E3F05803304C01BD3DBF329169AC"
+/* nickname=dutreuil */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.42.253.215 orport=9001 id=568B6913AE5123EDBA304909A569AFE8F9E73C4C"
-/* nickname=OrwellianNightmare */
+"46.38.242.125 orport=9001 id=F50CF02A0E6A9D9B25F7EB220FC26F7BD1B74999"
+" ipv6=[2a03:4000:7:64d:547b:27ff:fe79:b9e0]:9001"
+/* nickname=flowjob02 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.101.51 orport=10051 id=04749CD6A6BE1C0B14EE63DFD0F13EEB9EFEE8AB"
-" ipv6=[2a0b:f4c2:2::51]:10051"
-/* nickname=ForPrivacyNET */
+"171.25.193.235 orport=80 id=5D8EEBCC17764DD213CD17B9A56844E41EEDA174"
+" ipv6=[2001:67c:289c:2::235]:80"
+/* nickname=DFRI12 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"97.93.202.22 orport=9001 id=9BEED1E03101B2BC9393C560FCF13A1E46E49352"
-/* nickname=TheToadHole */
+"62.141.48.175 orport=443 id=A6AA94B4007A0E2919B2DA8ECF2CFA3CA1761A13"
+" ipv6=[2001:1b60:2:32:4104:104:0:1]:443"
+/* nickname=dc6jgk6 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.42.186.218 orport=9001 id=80654A16C954422C9A1B6DBEFBB6A32157A8BAB5"
-/* nickname=northwind84 */
+"45.58.156.77 orport=80 id=0A1ECCB7DF0272492A4F37FB57DC0F9F42A77D71"
+/* nickname=kingpins2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.145.150.15 orport=443 id=326853AA78DA467E997E6040ADD0DCFF840E0CB5"
-" ipv6=[2001:1578:200:10::c]:443"
-/* nickname=Unnamed */
+"207.180.234.231 orport=9002 id=6DCCA448F8EDC79553CE60E8E21030E942CCC3B9"
+" ipv6=[2a02:c207:2023:2621::1]:9002"
+/* nickname=someonesRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"81.7.16.182 orport=443 id=51E1CF613FD6F9F11FE24743C91D6F9981807D82"
-" ipv6=[2a02:180:1:1::517:10b6]:993"
-/* nickname=torpidsDEisppro3 */
+"51.186.10.59 orport=9001 id=D149FDA6E3DA3E0FAACB369692E8D65D5DE783F8"
+/* nickname=nosplash3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"178.17.174.162 orport=9001 id=E685733A4A2F184AB320846094651806A62627B5"
-" ipv6=[2a00:1dc0:caff:db::e9d6]:9001"
-/* nickname=Hydra76 */
+"185.163.45.107 orport=9001 id=A171F8332AA037A2855C390488F8EFDFD438AAE6"
+" ipv6=[2001:67c:2db8:7::a6]:9001"
+/* nickname=mephistopheles */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.8.230 orport=9001 id=B845B963455133613C9694FD46D0432945A00871"
-/* nickname=TSFORT1 */
+"131.188.40.188 orport=11180 id=EBE718E1A49EE229071702964F8DB1F318075FF8"
+" ipv6=[2001:638:a000:4140::ffff:188]:11180"
+/* nickname=fluxe4 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.95.149.22 orport=9001 id=7574975BA76DE0726231FC916DD70B09B3824CE5"
-" ipv6=[2001:780:107:b::85]:9001"
-/* nickname=smurfix */
+"92.220.50.122 orport=8379 id=F3BA9A70CC0AA14AD325ADEA11FAF438360BC98C"
+/* nickname=SomeOrdinaryDude */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.12.238 orport=9000 id=E84F41FA1D1FA303FD7A99A35E50ACEF4269868C"
-" ipv6=[2605:6400:30:eff9:35d3:a7ce:167c:2141]:9000"
-/* nickname=Quetzalcoatl */
+"109.70.100.79 orport=443 id=2F367DF6E2A7BB56C8EA4C064A3519ACBC013CFE"
+" ipv6=[2a03:e600:100::79]:443"
+/* nickname=rentier */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.211.40.226 orport=9001 id=CB5700E1FB46FC98251DD8F0852B63A3B78DB830"
-/* nickname=jaalkabil */
+"213.239.197.35 orport=18732 id=DB6AC7DFB25C9CFC7036B53C78F91D8E3A9279CD"
+" ipv6=[2a01:4f8:222:141b::1337]:18732"
+/* nickname=sauberesache */
 /* extrainfo=0 */
 /* ===== */
 ,
-"157.230.112.120 orport=19001 id=6CDE3363F9F9AD5A6EA484DEFB58217CC9685E31"
-" ipv6=[2a03:b0c0:3:e0::374:c001]:19001"
-/* nickname=nsq */
+"199.249.230.77 orport=443 id=FDD700C791CC6BB0AC1C2099A82CBC367AD4B764"
+" ipv6=[2620:7:6001::ffff:c759:e64d]:80"
+/* nickname=QuintexAirVPN24 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"102.130.113.42 orport=9001 id=066FE3C4E07A18EA53B2828F753D3788D58D771D"
-/* nickname=Psyduck */
+"185.220.101.228 orport=9443 id=1CE4020801F2E69DCE6BAB916C4FD15DDAB653C9"
+" ipv6=[2a0b:f4c2::228]:9443"
+/* nickname=artikel10ber74 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"165.227.174.150 orport=9001 id=FFB605C86D606991ADED7842269FA25A03B4A4D0"
-/* nickname=Unnamed */
+"185.245.60.6 orport=9100 id=F40016C5A2D7460DA5CCBF8A2346135D6BBC3DD0"
+/* nickname=jwt85328 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.151.167.10 orport=8443 id=A14D96E6C4C3A5AF3D7E57AC0A85AE82BDFB0F4B"
-" ipv6=[2001:678:e3c::a]:8443"
-/* nickname=artikel10ams01 */
+"45.55.141.66 orport=9010 id=A3BDCEAE18DBFF593CC3DA2F2255507DAC768F3C"
+" ipv6=[2604:a880:800:10::14:8001]:9010"
+/* nickname=parabellvm */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.32.107.220 orport=443 id=3CF935BB48C27EA0FEA4D6B9025A566364C38E92"
-" ipv6=[2a03:94e0:ffff:194:32:107:0:220]:443"
-/* nickname=FlashElk */
+"185.220.101.12 orport=8443 id=C4019EC5FBDB0401072599BC34E6FECD5F26692D"
+" ipv6=[2a0b:f4c2::12]:8443"
+/* nickname=artikel10ber23 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"114.23.164.80 orport=9001 id=CB81BCFD44FC142616BB5983648BD8AF01930789"
-/* nickname=ss23voyager */
+"78.138.98.42 orport=9001 id=07F0E652E4CCB0A0F1E88D0046ECB322E6318C86"
+/* nickname=RiggsOceanlock */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.195.251.54 orport=9001 id=E09782C5F119131D5DF3C77B83E3214697AB6376"
-/* nickname=dappertr */
+"185.220.101.4 orport=9443 id=330A5D4F9D5D5326B9AAC12C339EB49279D60237"
+" ipv6=[2a0b:f4c2::4]:9443"
+/* nickname=artikel10ber08 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.72.120 orport=9000 id=D11665375F333356E21A0FE2B6AAF7B91B9916DA"
-" ipv6=[2605:6400:30:f772:ff34:e615:9cef:6f9a]:9000"
-/* nickname=Quetzalcoatl */
+"83.97.20.189 orport=443 id=B1EC3EA6B5DA669676AF19CD0BE067A7E6B310F0"
+" ipv6=[2a04:9dc0:31::c0cc:bd]:443"
+/* nickname=LottaNode */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.225.69.90 orport=443 id=8C612213C4B5C154FA90847F36FBF36DB78AB1AC"
-/* nickname=davy */
+"194.118.235.140 orport=993 id=4E54ED940563663F4AEBCA5EAF541FA296C70E16"
+/* nickname=burnigHell */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.102.251 orport=443 id=FDCFEA18CC64461455DE5EA3FC31834C6B42FEC7"
-" ipv6=[2a0b:f4c1:2::251]:443"
-/* nickname=Digitalcourage4ip4a */
+"76.210.199.227 orport=9001 id=308EA2AD69C87D44BFB561D43DFE8D7929C6C9A9"
+/* nickname=ratscornRelay0 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"95.211.138.7 orport=9001 id=5CE3AD8AD04ADE66C0037A3CF5F7F7A40D48A20B"
-/* nickname=polizeierziehung */
+"109.190.177.33 orport=9999 id=A8874E2C45F445DBA462A914ED8D3AF045734FFB"
+/* nickname=computel */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.47.18.110 orport=80 id=F8D27B163B9247B232A2EEE68DD8B698695C28DE"
-" ipv6=[2a01:4f8:120:4023::110]:80"
-/* nickname=fluxe3 */
+"178.174.235.8 orport=9001 id=C6E23345E9DB5325B62AE956CA6E8AE6DAB6D1BE"
+/* nickname=torsten */
 /* extrainfo=0 */
 /* ===== */
 ,
-"144.217.95.12 orport=9001 id=8885EA6F74A694825B13B8A7080F6CF164DF74FB"
-" ipv6=[2607:5300:201:3000::49be]:9001"
-/* nickname=Unnamed */
+"24.134.234.17 orport=9029 id=445D891CE6C7AC3D80E1EDCA61F921D3A6E91CC5"
+/* nickname=Feidhlim01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.73.13 orport=9000 id=13FBC97516DC854399E70BC7CA9A4513FFD4F08C"
-" ipv6=[2605:6400:30:f916:2d21:9c43:1935:81f7]:9000"
-/* nickname=Quetzalcoatl */
+"138.3.242.31 orport=443 id=57C9D8FD12AF654158AD5345CB7934CA13094C10"
+/* nickname=jebacputina */
 /* extrainfo=0 */
 /* ===== */
 ,
-"176.10.99.208 orport=443 id=7E006A46A222CE42F84B4A175698B3B593A7B3B7"
-/* nickname=AccessNow008 */
+"89.191.217.1 orport=9001 id=F2ED5032B52021E7BADBBB82E6594F1A872FFD09"
+/* nickname=runninglizard */
 /* extrainfo=0 */
 /* ===== */
 ,
-"79.143.177.247 orport=9001 id=75093A959F344BC6B304EFFEDE1019F46548A3C2"
-" ipv6=[2a02:c205:2023:7000::1]:9001"
-/* nickname=O1G */
+"5.189.181.61 orport=443 id=63C81BCA835570069A7FCD48312DEA707F6CBAA2"
+" ipv6=[2a02:c207:3001:6426::1]:443"
+/* nickname=dontpanic */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.172.76.56 orport=9001 id=03BD56B5072FB07D2B4D79E2FB04366D415EF3EC"
-/* nickname=Totonicapanp6 */
+"131.153.152.122 orport=443 id=8330C8C52A4DC562135369D317D86887BBFE1685"
+/* nickname=derailleur */
 /* extrainfo=0 */
 /* ===== */
 ,
-"178.17.174.79 orport=9001 id=BBDE12C320FD1C3FFBEC15202F46D5620FC1444E"
-" ipv6=[2a00:1dc0:cafe::a3f6:4721]:9001"
-/* nickname=hanktor */
+"37.120.186.122 orport=4711 id=D6D677014A583E6F783A03F523A6C5DC2F6347D1"
+" ipv6=[2a03:4000:f:992:98d8:54ff:fe3d:fc2b]:4711"
+/* nickname=mittelerde */
 /* extrainfo=0 */
 /* ===== */
 ,
-"119.59.110.153 orport=80 id=5A6AD8BFBA74F646822996EC03FD3484353A41B3"
-/* nickname=always2 */
+"91.149.225.172 orport=9001 id=7B077965A032FEE91F8DDFD3F18F9943398AAE3F"
+/* nickname=Ragnarok */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.160.102.164 orport=9001 id=823AA81E277F366505545522CEDC2F529CE4DC3F"
-" ipv6=[2620:132:300c:c01d::4]:9002"
-/* nickname=snowfall */
+"23.154.177.2 orport=443 id=F34EE673122518873E717C128E35A389B72C7837"
+/* nickname=UnredactedSnowden */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.22.174.119 orport=9001 id=D2169E641B2C10CACEA266D31370479200BB9AD7"
-" ipv6=[2a00:1838:36:115::8a3d]:9001"
-/* nickname=FlashBear */
+"185.112.144.18 orport=8443 id=3F98580C881A3DA7EF2E9A8927491AD4E5ED684F"
+/* nickname=Freyr */
 /* extrainfo=0 */
 /* ===== */
 ,
-"152.70.64.30 orport=9001 id=8765C6AFF62C266A38D8C73A76604A5B1669FAA7"
-" ipv6=[2603:c024:8001:dfea:2::]:9001"
-/* nickname=plithismos */
+"82.213.229.137 orport=9101 id=20446B81B32B197BB09DDC4EFEB162732669F9DF"
+/* nickname=mytornoderpi1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.75.206.12 orport=9100 id=4837A6DFFC8E3681D70AD9E8D057C029093DA2F7"
-" ipv6=[2001:41d0:305:2100::7cb4]:9100"
-/* nickname=KherNl */
+"46.101.183.160 orport=443 id=75A931404453030821C547A4FAA9094A06C48C7A"
+/* nickname=Tiberius */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.68.204.139 orport=9001 id=9AB93B5422149E5DFF4BE6A3814E2F6D9648DB6A"
-" ipv6=[2001:41d0:800:158b::]:9001"
-/* nickname=atomcats */
+"195.37.209.9 orport=9001 id=83C50784528AD3823CB7E7DF4B34B92A42CC7639"
+/* nickname=KarlHessenberg */
 /* extrainfo=0 */
 /* ===== */
 ,
-"52.47.91.150 orport=9001 id=C6EF115D997317A32C784AC0F9944AE0581CA37E"
-/* nickname=LSRodentNinjaRelay */
+"185.220.101.72 orport=9100 id=D3DFB8F9A878F44ED80E2B34F794FDF6334FC5F9"
+" ipv6=[2a0b:f4c2:3::87]:9100"
+/* nickname=CCCStuttgartBer */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.98.59.35 orport=9100 id=6E736FF4BA2845381A2FEE4DEE6CC565C5A7D781"
-" ipv6=[2605:6400:10:542:d124:fa7a:9141:db6c]:9100"
-/* nickname=Quetzalcoatl */
+"185.220.101.0 orport=8443 id=6A01150EAB04007E2E08D9C603B1467193805B06"
+" ipv6=[2a0b:f4c2::]:8443"
+/* nickname=artikel10ber63 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"65.108.3.114 orport=1066 id=0C3D5E19E3C75B505C8ACD26F89DCA2DF970553E"
-" ipv6=[2a01:4f9:6a:528d::a]:1066"
-/* nickname=HORUS1 */
+"104.244.79.187 orport=443 id=7737F24640F9F4C772C226CAA778093F34A03E78"
+" ipv6=[2605:6400:30:f868::]:443"
+/* nickname=l0kz0r */
 /* extrainfo=0 */
 /* ===== */
 ,
-"173.212.239.78 orport=9201 id=3B3F451BD58F96DC0E8EB7D01F209FC8803C33DF"
-" ipv6=[2a02:c207:2031:2233::1]:9201"
-/* nickname=Assange009de2 */
+"149.154.159.87 orport=443 id=18A5ED4B9AA434883275C15D6CF3F795BA86744A"
+/* nickname=TorMePlz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.61.186.108 orport=9100 id=5756D9C403D89B79AFE69D50BB0682BA318319FB"
-" ipv6=[2605:6400:40:fedc:e3d4:d2c1:5a61:7a97]:9100"
-/* nickname=Quetzalcoatl */
+"77.232.149.26 orport=9001 id=83F75BC5789323CA9FB55813A7ACD61291E31123"
+/* nickname=zhuknode45 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"212.16.170.158 orport=443 id=3FEBFB6A491D30CACC2C2995EDB41717A6F94E95"
-/* nickname=remedy */
+"65.21.56.56 orport=9011 id=9958EC94922F1252E1E1DA748A5EE3889CE3CB83"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.62.210.14 orport=9001 id=0FB5D0E2B14B19C9080A5BD38DEC649587FEC262"
-/* nickname=nodv23 */
+"195.154.164.111 orport=9001 id=DF02E357B268BA6E9029FA6DFB8BC289E7763FCF"
+/* nickname=anityatvarelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.94.223.112 orport=9001 id=5645739E8EF72CA7D9EE1E12678B51A6FF8711C1"
-/* nickname=5h4d0wNet */
+"144.76.37.242 orport=8443 id=645DE9BF7A2E858F8A6B45F1F530371176D0238A"
+/* nickname=coco */
 /* extrainfo=0 */
 /* ===== */
 ,
-"151.115.41.209 orport=443 id=F6D34AA29FC551A5E1706D164B44809D6DC09240"
-/* nickname=tirz */
+"176.123.1.208 orport=9001 id=C08A5BC504B9D6ECCE2AA2EE51E69125A39D0595"
+" ipv6=[2001:678:6d4:4010::3f]:9001"
+/* nickname=TheOnionRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.252.187.129 orport=9001 id=79B207AD51842FA215D956B9307B3D01CD347368"
-" ipv6=[2a00:63c1:c:129::2]:9001"
-/* nickname=1d1dchang3th3c0nf1g */
+"192.160.102.169 orport=9001 id=C0192FF43E777250084175F4E59AC1BA2290CE38"
+" ipv6=[2620:132:300c:c01d::9]:9002"
+/* nickname=manipogo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.158.148.230 orport=993 id=F9E32D4058F7F35E9BC4F1D8C3B2DAA0C4466660"
-" ipv6=[2001:bc8:2dd2:2000::1]:993"
-/* nickname=KagamineLenTwilight */
+"185.220.102.246 orport=993 id=13FB26F9361F803AD190FE88B35E241DC084B026"
+" ipv6=[2a0b:f4c1:2::246]:993"
+/* nickname=Digitalcourage4ipgb */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.158 orport=443 id=90BF7147B422A1BABEFA503656EBD17987424441"
-" ipv6=[2620:7:6001::158]:80"
-/* nickname=Quintex69 */
+"178.254.44.176 orport=8174 id=F53169959223F5DF73A705FE7261F129DBA66545"
+/* nickname=1blu2DEicebeer74 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"193.108.117.209 orport=443 id=7600680249A22080ECC6173FBBF64D6FCF330A61"
-/* nickname=Ichotolot62 */
+"62.210.99.238 orport=39819 id=3E18FEBABD94CDC986416C957DF323FEDE97A2BD"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.26.73.162 orport=9001 id=215616527FB97ED5BE0BF8D2166BDB44EEB6A840"
-/* nickname=Assange013us */
+"54.36.183.48 orport=9001 id=9A9D48F3D5C572C87DE79236A3FA9353E08E3FF2"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.158.187.110 orport=443 id=04C3468BE24740347CBCC00534C940DBCBCABC82"
-" ipv6=[2001:bc8:1824:421::1]:443"
-/* nickname=aaron0x10c */
+"188.68.36.209 orport=59001 id=FF87E49EF33078B04A5DE26AAE170DDF8BAE139F"
+" ipv6=[2a03:4000:13:33::1]:59001"
+/* nickname=MehlTor1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"148.251.7.156 orport=9001 id=14308846BD3FF2FB32981F0F0A6BED40F0DC7731"
-" ipv6=[2a01:4f8:201:61a6::2]:9001"
-/* nickname=Dalite */
+"51.81.236.225 orport=56395 id=F34B1257DB168D406B57FF71F8A3876AE0190D14"
+/* nickname=GreatCamas */
 /* extrainfo=0 */
 /* ===== */
 ,
-"47.181.71.250 orport=443 id=D2368BAEDAC94AF05AB32EC391346A2968379C31"
-/* nickname=Nickkkkk */
+"89.58.42.28 orport=8080 id=C8AB7044683F82618FAD5D521B55C77B29FC0722"
+" ipv6=[2a03:4000:66:fcf::]:8080"
+/* nickname=webhusoB2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"81.169.186.16 orport=29001 id=C265517257154ABD003861F2B914E350B011AAE2"
-" ipv6=[2a01:238:429c:9600:40e6:e961:9cf7:31d1]:29001"
-/* nickname=viennaOnTheRun */
+"65.21.251.26 orport=443 id=1211AC1BBB8A1AF7CBA86BCE8689AA3146B86423"
+" ipv6=[2a01:4f9:c011:344::2]:443"
+/* nickname=ccrelaycc */
 /* extrainfo=0 */
 /* ===== */
 ,
-"146.185.189.197 orport=443 id=1944F3A473CB77B12BDB4E3D15963A24DF58E4E7"
-/* nickname=Thrones */
+"51.159.136.111 orport=443 id=C983807EA7ACADCF29A373E09F853E737A1E9D46"
+/* nickname=tirz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.191.206.77 orport=8443 id=3FFDFB5A9A278C7C303745606DB5B68FC5B9FADF"
-/* nickname=Unnamed */
+"135.148.53.55 orport=443 id=78F6CC48735658F9F7C2A9FD587BB726EFCD08B1"
+/* nickname=amaze */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.69 orport=443 id=C78AFFEEE320EA0F860961763E613FD2FAC855F5"
-" ipv6=[2620:7:6001::ffff:c759:e645]:80"
-/* nickname=Quintex46 */
+"82.168.32.82 orport=9001 id=69497036653189531207746B3D0E4ECB56888F3C"
+/* nickname=octavsly */
 /* extrainfo=0 */
 /* ===== */
 ,
-"95.211.205.138 orport=443 id=8B6B10A0AED89408E509D4422EC926C89C7933D0"
-/* nickname=laurita */
+"109.70.100.10 orport=8080 id=B2FB3A302B56EFDBF0CA061E84BE4599305CE477"
+" ipv6=[2a03:e600:100::10]:8080"
+/* nickname=mangold */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.57.231.26 orport=443 id=1F772DD93DA20A6745E334BAFFC7B9765876BB11"
-/* nickname=ballers1 */
+"185.220.101.31 orport=8443 id=4A531AA712A3DF0A90EB42711EEBE90B6918B37A"
+" ipv6=[2a0b:f4c2::31]:8443"
+/* nickname=artikel10ber61 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"176.9.40.131 orport=443 id=1CD48F4ED0F1821FFBF1940802A13EEFD4C27502"
-" ipv6=[2a01:4f8:150:518e::2]:443"
-/* nickname=Piratenpartei00 */
+"74.116.186.120 orport=443 id=B921B8B8F9014E7D0FE72DE6E5C431FA1BBA1A91"
+" ipv6=[2606:6d00:1ab:e701::235a]:443"
+/* nickname=bitplane */
 /* extrainfo=0 */
 /* ===== */
 ,
-"90.202.106.141 orport=9001 id=863BD07491BD53C75C9BA186CD1DAD46F65B62BF"
-/* nickname=satori */
+"199.249.230.86 orport=443 id=66E19E8C4773086F669A1E06A3F8C23B6C079129"
+" ipv6=[2620:7:6001::ffff:c759:e656]:80"
+/* nickname=Quintex37 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"162.250.191.15 orport=9001 id=1C3C4AEF036D1202EEC623228EBA5FB71931E2A3"
-/* nickname=Assange020ca */
+"46.232.251.191 orport=443 id=4D0DF468DC816F8096702C2DA2C6FD67561F81C8"
+" ipv6=[2a03:4000:2b:66e:dead:beef:ca1f:1337]:443"
+/* nickname=artikel5ev8 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.7.221.196 orport=9001 id=209B6DC8584D0DBC569DBA8DAE88B567A24C9467"
-/* nickname=cercatrova */
+"213.164.204.146 orport=9001 id=369E10A48B0AF046498AA4A0F1FF8D039549BB7C"
+/* nickname=Augustiner1328 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"151.237.82.153 orport=9001 id=3864A437EDAEBF7859B9CC71348E1214BEE5BF62"
-/* nickname=Unnamed */
+"193.218.118.182 orport=9001 id=0E92BF02B3C11B0DD18301A0DE1B164A0546E36F"
+" ipv6=[2a0f:e586:f:f::182]:9001"
+/* nickname=ua321 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"46.226.107.206 orport=10400 id=B0C17B973F4DBFE3662DC149BCCD8098666C298B"
-" ipv6=[2001:4b98:dc0:43:f816:3eff:feed:683f]:10400"
-/* nickname=periskop */
+"172.127.92.239 orport=9001 id=C639DF8B38EA2E1AD2F550F261E5B8032CD14480"
+/* nickname=Lapras */
 /* extrainfo=0 */
 /* ===== */
 ,
-"87.15.33.124 orport=9001 id=1DC42BD783671E2879457224758837E67FC7E64C"
-/* nickname=AnonimaCasalserugo */
+"188.138.33.233 orport=443 id=D80EA21626BFAE8044E4037FE765252E157E3586"
+/* nickname=bonjour1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.28.84 orport=9100 id=3863FD538658F6671631E78CEBB2693FB42DFA7D"
-" ipv6=[2605:6400:30:f09e:c57f:a8fd:ce14:6f3b]:9100"
-/* nickname=Quetzalcoatl */
+"217.12.221.75 orport=9001 id=6287129CB9EC475E816A0D283FE4E45D632A4A4B"
+" ipv6=[2a02:27a8:0:a::100]:9001"
+/* nickname=zwewwlUA1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"2.56.98.121 orport=9005 id=7F844518369C1A572F3211F40D16F04D76F12878"
-/* nickname=BienwaldKA05 */
+"94.130.189.8 orport=9001 id=588413A3B8BE4C438B530AC5E184E1ED89A07F6A"
+/* nickname=momo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"82.221.128.191 orport=443 id=D5228FA5AA9FDB3825E6F199AFA9F9E6F9526A17"
-/* nickname=SmokeAspectRangers */
+"195.90.201.93 orport=9100 id=D027AD4E6A57755BC80ADD1BF6C8BC7F51E8A2B0"
+/* nickname=skankhunt42de3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.25.50.199 orport=9000 id=1B9C26C1DAB190EAD3EBADB70914E0949ADC2588"
-/* nickname=sqrrm */
+"97.121.138.197 orport=443 id=20BBFFDD799E09DD9ADB865B3B95608170DBE312"
+/* nickname=RockyMountainRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"5.2.70.141 orport=9001 id=8454D200E13A41A93F4B6523740EBC78505D0DF0"
-" ipv6=[2a04:52c0:101:39e::]:9001"
-/* nickname=Unnamed */
+"85.131.16.29 orport=9050 id=FCC392FC20A5C1C5B5E95AB6E24735E493E3AEB7"
+" ipv6=[2001:14ba:1400::8857:e4fa:d28f]:9050"
+/* nickname=ktj8rmhy53b16bwqg */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.33.123.222 orport=9001 id=37FCDCAFAAA17742BE58A36382A768E21B65B34C"
-" ipv6=[2600:3c00::f03c:91ff:fe96:466c]:9001"
-/* nickname=PictureEnchanter */
+"77.21.71.189 orport=9001 id=2DACC26F1D3BA64F32EEB4185BAD696A88BA832D"
+/* nickname=just1small4relay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"130.225.244.90 orport=9001 id=AC7C0F9D57DADAD5D8F4568EE1543EF3E22A47CE"
-" ipv6=[2001:878:346:1cf9:446a:c4eb:4548:7062]:9001"
-/* nickname=dotsrcRelay2 */
+"162.251.119.2 orport=443 id=253E7C6802F75BD54616872693A5922ED2A1534D"
+/* nickname=porcelain */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.112.146.188 orport=9001 id=85D3D0C3D4699AFA897FE9DD9270BAACBBE3E3F1"
-/* nickname=Unnamed */
+"180.183.10.154 orport=9001 id=95672A3D3EC0AE97F208A17E212DE02110A6508D"
+/* nickname=STRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"65.50.203.5 orport=9001 id=BA348901BC6A0FE4DA86C53433414A3124934FCF"
-/* nickname=UEUEUEU */
+"92.243.0.179 orport=9001 id=C9B68C802CA20C3E4FA46D77153D6EDC80F13CF5"
+" ipv6=[2001:4b98:dc0:41:216:3eff:feb3:28bd]:9001"
+/* nickname=sybaze */
 /* extrainfo=0 */
 /* ===== */
 ,
-"109.201.133.100 orport=443 id=973607526BE9C8FDA03EBBAF527D67AE6FFD65DD"
-/* nickname=eddy */
+"94.130.185.68 orport=9001 id=A9E43431EF473BEEF0EEC98DBDDD1B8C3E3FB071"
+" ipv6=[2a01:4f8:1c0c:453a::1]:9001"
+/* nickname=torthias */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.241.106.203 orport=9001 id=2CD5474E33D12629156B92FBD61FAAB22D07B0F7"
-/* nickname=onYourOwn */
+"37.187.23.232 orport=80 id=F4873B3EC3325B81DC36C7E38AD3A5ED12B2F339"
+" ipv6=[2001:41d0:a:17e8::1]:80"
+/* nickname=Islay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.130.44.108 orport=443 id=D8A1F5A8EA1AF53E3414B9C48FE6B10C31ACC9B2"
-" ipv6=[2a07:e01:2:13::2]:443"
-/* nickname=privexse1exit */
+"144.76.166.199 orport=9002 id=AF2B014CBE98D2E66B288323B47F2E8DDDD9904E"
+" ipv6=[2a01:4f8:200:42c6::2]:9002"
+/* nickname=justinjoker */
 /* extrainfo=0 */
 /* ===== */
 ,
-"193.218.118.158 orport=9001 id=0A56985BBDDB5FD1FAA8C9133C7115961AA6C370"
-/* nickname=Privacy9001 */
+"193.189.100.200 orport=443 id=E5D7D35357E9C55B47E2ADDE73199153888BD4CB"
+" ipv6=[2a0f:df00:0:255::200]:443"
+/* nickname=TORKeFFORG7 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"74.208.120.64 orport=443 id=46053D5D5916F20C333406F16911711AB55164C0"
-/* nickname=Schlaraffenland */
+"194.26.192.187 orport=443 id=33E9B36F48DB20F437578433973156F0185442B1"
+/* nickname=bauruine */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.98.60.97 orport=443 id=30C472441D910A8BCDA571F2637C80119E76D082"
-" ipv6=[2605:6400:10:36b:1cb3:5586:cdb7:31ea]:443"
-/* nickname=Quetzalcoatl */
+"121.200.11.168 orport=9001 id=3B6A1C9B65AA395D21600F805A06B9995885487E"
+/* nickname=whynot */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.100.249 orport=9100 id=887CAB501A9DB68A2C44EDF98BF50B0304EED8B6"
-" ipv6=[2a0b:f4c0:16c:7::1]:9100"
-/* nickname=niftykostchtchie */
+"130.225.244.90 orport=9001 id=AC7C0F9D57DADAD5D8F4568EE1543EF3E22A47CE"
+" ipv6=[2001:878:346:1cf9:446a:c4eb:4548:7062]:9001"
+/* nickname=dotsrcRelay2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.25.213.211 orport=80 id=CE47F0356D86CF0A1A2008D97623216D560FB0A8"
-/* nickname=BeastieJoy61 */
+"109.238.11.6 orport=443 id=AC00AEBA1AE2A80CF4184C4362157BF91487B902"
+/* nickname=DanaScully */
 /* extrainfo=0 */
 /* ===== */
 ,
-"141.136.52.7 orport=9001 id=F85B74A470159AADD7D1C2398CE1813371BB6ACF"
-/* nickname=Unnamed */
+"37.252.187.111 orport=443 id=EE4AF632058F0734C1426B1AD689F47445CA2056"
+" ipv6=[2a00:63c1:c:111::2]:443"
+/* nickname=rinderwahnRelay7L */
 /* extrainfo=0 */
 /* ===== */
 ,
-"31.201.16.30 orport=443 id=E8ED405E47A477D92D9EFB201FADF28FF7FBAF5D"
-/* nickname=Tortue */
+"94.100.6.27 orport=443 id=D6670FB54B21818CE7C13524AA003258B8E35D38"
+/* nickname=drogo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.100.85.132 orport=443 id=5F875CFB7E2ED0D24E85A5A8B8904A3650AB1ED8"
-/* nickname=vandergriff */
+"217.197.86.173 orport=443 id=C2EE40EE8451F27C2357E8B1EA1E8E6F642273EB"
+" ipv6=[2001:67c:1401:2051::3]:443"
+/* nickname=Bastard */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.167.242.183 orport=9001 id=5E114AD608428C23B38CCC77DA22E4CD0C27F2CE"
-" ipv6=[2001:4b98:dc2:55:216:3eff:fee8:6e97]:9001"
-/* nickname=TitounNet */
+"178.132.78.148 orport=443 id=BF7BFCB3096FC81FBD0B7ADA66164431EC7FD117"
+/* nickname=weepy */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.156 orport=443 id=139C86C4C9BC94E89BAF79B15EBFDF9396DD5BB0"
-" ipv6=[2620:7:6001::156]:80"
-/* nickname=Quintex67 */
+"185.129.61.3 orport=443 id=36196F1ADF33DD6EEA6C5FADA69FC43C18D05C5A"
+" ipv6=[2001:67c:89c:702:1ce:1ce:babe:3]:443"
+/* nickname=dotsrcExit3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"91.143.88.2 orport=443 id=ED7F2BE5D2AC7FCF821A909E2486FFFB95D65272"
-" ipv6=[2a02:180:6:1::2efd]:443"
-/* nickname=Planetclaire63 */
+"80.66.135.13 orport=9001 id=70090E9F85FBE004EEBF58461FD6EDD5BF8A523E"
+/* nickname=OatMeal99 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"77.123.155.45 orport=443 id=C0E6A667064385B9CB5A685CEB06B85EDDA6AA00"
-/* nickname=FreedomForParrots2 */
+"116.203.140.74 orport=9001 id=BC7ACFAC04854C77167C7D66B7E471314ED8C410"
+" ipv6=[2a01:4f8:c0c:e646::1]:9001"
+/* nickname=YagaTorRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.172.211.128 orport=443 id=241ED37B98E822F328B8D883EF8ECA3ADAB0EE12"
-" ipv6=[2001:bc8:3fec:b00:b007::]:443"
-/* nickname=Casper12 */
+"45.33.27.210 orport=9001 id=C9B16B5D37F531C8C6C0281E4EC4F056E84541D0"
+" ipv6=[2600:3c00::f03c:91ff:feb7:9351]:9001"
+/* nickname=CedarHill */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.30.230 orport=9001 id=B12536F2F1BBFE0B47FAAD0D5D05BFAEC6C2DE9F"
-/* nickname=Hydra40 */
+"172.241.140.249 orport=443 id=4FD9A030C9DC98FA24076071CBB6FD843BC62D7D"
+/* nickname=ashP */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.203.116.252 orport=443 id=70D0893564051D9B6DF3B6E0519DDE6061D4895E"
-" ipv6=[2a07:5741:0:f87::1]:443"
-/* nickname=Valhalla */
+"193.0.213.42 orport=443 id=84D7EA4046826E312B32F822A592651121890EAE"
+/* nickname=kleptoman */
 /* extrainfo=0 */
 /* ===== */
 ,
-"42.191.94.69 orport=9001 id=B974F0C815C707F57F97CD159874770692BDA7EA"
-/* nickname=chrRelay */
+"213.164.204.177 orport=9001 id=378AD3D089A01EC802F165A936122B60B5B1035E"
+/* nickname=Hydra55 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"31.6.70.71 orport=9001 id=7F3D20E72A24ED2EBD92AA9C430B805BA389D02B"
-" ipv6=[2a02:2430:3:2500::321e:67c4]:9001"
-/* nickname=PolishTatraSheepdog */
+"161.97.167.148 orport=443 id=44D3069C9EE3B1EAF3CE6B268581C4510CAE9D54"
+/* nickname=alejandria */
 /* extrainfo=0 */
 /* ===== */
 ,
-"199.249.230.112 orport=443 id=D25210CE07C49F2A4F2BC7A506EB0F5EA7F5E2C2"
-" ipv6=[2620:7:6001::112]:80"
-/* nickname=QuintexPhoulRules */
+"199.249.230.108 orport=443 id=155D6F57425F16C0624D77777641E4EB1B47C6F0"
+" ipv6=[2620:7:6001::108]:80"
+/* nickname=Quintex18 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"147.92.88.67 orport=9001 id=901592FBE2A2335F5DC3A5434600B9A4F9D9C68E"
-" ipv6=[2604:21c0:100:1::cafe]:9001"
-/* nickname=SillyRelay */
+"185.220.101.5 orport=8443 id=6EA5A7EA8C2F192C37DCEB2AAD481DC7E72E65DE"
+" ipv6=[2a0b:f4c2::5]:8443"
+/* nickname=artikel10ber09 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.251.68.144 orport=9001 id=83AEDBDB4BE3AD0ED91850BF1A521B843077759E"
-/* nickname=focaltohr */
+"45.151.125.191 orport=443 id=8275A435C8D783EEC835A64A3EA2ADF8C3C4531D"
+/* nickname=tor2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"54.36.120.156 orport=443 id=D0273C8566CC9AECE4C762376C9B066FE0F1DADD"
-/* nickname=Kimchi */
+"172.106.12.246 orport=443 id=3B675F5DB8C36AE6DB5889AE8DA1ACDF5DD51A0D"
+/* nickname=recyclops */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.102.244 orport=443 id=1C7700A94DBBFECFA234C1ADD0D23FB87D1D7599"
-" ipv6=[2a0b:f4c1:2::244]:443"
-/* nickname=Digitalcourage4ipea */
+"185.220.101.30 orport=8443 id=7C4B37F45CFF88B36C0A77DC3331FA58F29963DB"
+" ipv6=[2a0b:f4c2::30]:8443"
+/* nickname=artikel10ber59 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"68.67.32.31 orport=9001 id=964B4E8A75263A69769541F2764563DABDD995D2"
-/* nickname=MHcXthX9Eb34WYyEN7H */
+"185.163.45.253 orport=443 id=09F1936587D5A82ABCD79B11599C044E72C13840"
+/* nickname=torrelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.176.3.20 orport=8443 id=08CE3DBFDAA27DB6C044A677AF68D7235C2AFC85"
-" ipv6=[2001:620:20d0::20]:8443"
-/* nickname=DigiGesTor4e4 */
+"185.245.60.11 orport=9000 id=3EEDC806C524DF7A4B031CE314806E3FF6CC25F4"
+/* nickname=jwt61472 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.140.115.114 orport=443 id=879B036468D30AB1A2195F96D2C91F3CAA8D1DC2"
-/* nickname=kbtr7lv */
+"82.128.229.109 orport=443 id=B50A98267A63713F37319D895EA1151C4B27BE4D"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"23.129.64.140 orport=443 id=1228111A6D4AFC619ED3A70079A3A0B678476A43"
-" ipv6=[2620:18c:0:192::140]:443"
-/* nickname=BeGayDoCrimes */
+"172.241.140.26 orport=443 id=13B2354C74CCE29815B4E1F692F2F0E86C7F13DD"
+/* nickname=TORtitan */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.141.71.102 orport=4433 id=C15A8BE46A0025371C3C41247CF8911AD82A7A1C"
-/* nickname=rainyValbo */
+"81.4.122.99 orport=4433 id=DDF0EFB98CDD4A28896668AEA48966BA5E23EDEE"
+/* nickname=AntonKlingRelay */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.62.244.154 orport=9001 id=45F80CFCE0FF65EAE012049BAF66084F76E6D68B"
-/* nickname=Machiavelli */
+"45.35.33.198 orport=443 id=453EE12D7E73F9935B932670091CAD03D91C006D"
+/* nickname=FinishLine */
 /* extrainfo=0 */
 /* ===== */
 ,
-"170.239.86.145 orport=443 id=5414065F98A160F630DAE0689973FC66D7EA62E9"
-/* nickname=DTFNODE04 */
+"141.94.71.180 orport=443 id=BA2575B9E13EBA158FD916394C5046A6BD6F6198"
+" ipv6=[2001:41d0:304:200::afec]:443"
+/* nickname=WWW */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.9.231.195 orport=443 id=13F7EAE731CA4600951986921E08ECAB9B1D2AF6"
-" ipv6=[2001:4b78:2006:ffc3::1]:443"
-/* nickname=CanopoIT */
+"5.45.102.119 orport=9000 id=DF55C90D7EB87A13B044259951CA784F2F596E8D"
+" ipv6=[2a03:4000:6:608:942a:42ff:fe77:728c]:9000"
+/* nickname=Quetzalcoatl */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.120.171.230 orport=9001 id=E8965A79FB2F335194141E8968755524840C44B6"
-" ipv6=[2a03:4000:6:543f:78b2:4fff:fe7b:fb6a]:9001"
-/* nickname=Piratenpartei08 */
+"195.154.250.239 orport=443 id=DD5DA21CC5036533AE2010DE2C7E72BE2CDF9C5E"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"93.115.241.194 orport=443 id=B594EFDDBA2A8F12DEF827DFEE6992A6EB310B2A"
-/* nickname=heaney */
+"51.178.86.137 orport=9001 id=BD33EF180B1118B00BDF073E2771210E3BDDD8CD"
+/* nickname=Hydra22 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.239.222.243 orport=443 id=9B12C0D5A3435004F3DE149F83E752E44522E297"
-" ipv6=[2a09:2681:101:9001::4]:443"
-/* nickname=BM04 */
+"185.225.69.90 orport=443 id=8C612213C4B5C154FA90847F36FBF36DB78AB1AC"
+/* nickname=davy */
 /* extrainfo=0 */
 /* ===== */
 ,
-"31.164.176.95 orport=19927 id=D23F48B37526F904EECB3C8ED0747EF254C11BB4"
-" ipv6=[2001:1711:fa4b:5f1:222:15ff:fe47:96b5]:19927"
-/* nickname=tantricsnake */
+"185.4.132.183 orport=443 id=CC0A89217E999A6478D0358116C926625F84EBE6"
+/* nickname=Grexit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"157.90.38.9 orport=443 id=42A51FFF7AB2A2F396CB924B56676F09BCB52245"
-/* nickname=SoySauceR */
+"85.214.18.225 orport=1329 id=029650EE0E3E79803B7358DC94BC9FC3A367732C"
+/* nickname=cLmIsACapitalist */
 /* extrainfo=0 */
 /* ===== */
 ,
-"93.115.86.4 orport=443 id=CE863C22AD5ABBEAF606AE35A22781C409D895E5"
-/* nickname=mj4 */
+"81.17.30.48 orport=443 id=4E737BBFCCBE45A923CE82577E99DCFFABC5BFF4"
+/* nickname=fento */
 /* extrainfo=0 */
 /* ===== */
 ,
-"136.243.60.188 orport=9001 id=675CFAC38BE3C9A26C3A2DD7CBC0E616F68624CA"
-" ipv6=[2a01:4f8:212:1b8b:3::8]:9001"
-/* nickname=mullbinde5 */
+"91.213.233.60 orport=443 id=49BC7301250F6D87BCD676DFC9AF22048F96F599"
+/* nickname=kleinbach */
 /* extrainfo=0 */
 /* ===== */
 ,
-"77.23.162.55 orport=9999 id=11C9529C9D0671545EAEF80DFE209AD977BCE908"
-/* nickname=mekansm */
+"51.158.231.76 orport=443 id=33D6A3A8BD977723FD4C053151F78D852AC62775"
+/* nickname=tirz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"212.74.233.19 orport=9003 id=126E438B6921882FC17F1FC32AAC617300561938"
-/* nickname=Bathtub */
+"209.141.37.233 orport=443 id=9085A30783FBB38DFA96CE024EDC5A0F9F5FAA24"
+/* nickname=kekw */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.140.115.16 orport=443 id=A191F6309396DAD373FE7E4D1EF64B40F38A3637"
-" ipv6=[2a02:7aa0:4000::29]:443"
-/* nickname=rinderwahnRelay6L */
+"217.12.221.131 orport=443 id=424BF86927E80D916589BB12248BD468BB470684"
+/* nickname=RunningOnFumes2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"192.166.245.122 orport=443 id=F9AEA07ACE06E8E7D55E10FFBAE037E8C833FA93"
-/* nickname=DTFNODE46 */
+"94.140.114.174 orport=9001 id=5A0643E452E143BE549BAB3BFE575F40DDBD527C"
+/* nickname=Hydra67 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.140.115.146 orport=9001 id=3B2EB73B3C61E9C302479B44D881E049049BF048"
-/* nickname=Yanush3 */
+"199.249.230.183 orport=443 id=A2C3CB1520C75BEDB21244FD1DF1C371C26E959E"
+" ipv6=[2620:7:6001::183]:80"
+/* nickname=Quintex94 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.187.9.31 orport=9001 id=1E26A119172E2EBFC299D5B2DE26B9652D3B7F34"
-/* nickname=hxcsys */
+"5.9.120.18 orport=443 id=3CCEF96871A49AC06149E4AA8E14D270D881F6D3"
+" ipv6=[2a01:4f8:162:7018::2]:443"
+/* nickname=torsethforprivacy */
 /* extrainfo=0 */
 /* ===== */
 ,
-"90.146.176.221 orport=9003 id=65F86FD8B92C3AC01887D86B2171E657D5C19F79"
-/* nickname=eclipse03 */
+"37.187.20.164 orport=443 id=DAAB8E7AA811DE4020560D7D63D4A392C6BA621A"
+" ipv6=[2001:41d0:a:14a4::1]:443"
+/* nickname=mxcz */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.100.87.192 orport=9443 id=C962D865AE72B6F2EF08E77F3B15894B9539C2B6"
-" ipv6=[2a06:1700:0:12::2]:9443"
-/* nickname=artikel10buc04 */
+"3.121.167.65 orport=9001 id=8F5ACB40B42628045E6D8CA4CB103CDAEB112A3E"
+/* nickname=Martell */
 /* extrainfo=0 */
 /* ===== */
 ,
-"130.180.111.194 orport=9010 id=3DF28C6A21F9F063FA1640F7367BE8143816D40F"
-/* nickname=DerRaffke */
+"185.165.168.77 orport=443 id=2C752C180089DDC89BC3FFCCB17FACFEEAFD79AA"
+/* nickname=rittervgexit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"172.81.131.111 orport=9001 id=12836441FEAC9AEE13A144A64E51AB2AD98885B4"
-/* nickname=TheEndOfTheInternet */
+"178.20.55.16 orport=443 id=EFAE44728264982224445E96214C15F9075DEE1D"
+/* nickname=marcuse1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"104.244.79.6 orport=9100 id=EF4CD1F369E8080DFB5A46187CFA9768D7857082"
-" ipv6=[2605:6400:30:f920:4cbe:d6a6:82b1:4e22]:9100"
-/* nickname=Quetzalcoatl */
+"194.59.46.2 orport=9001 id=A6E3A3C6CE962E917A12E586AE750805899C117B"
+/* nickname=dewebit */
 /* extrainfo=0 */
 /* ===== */
 ,
-"107.189.13.254 orport=9000 id=392BEFDCB026A568E077786E79FDE589A9C0E451"
-" ipv6=[2605:6400:30:ee75:46fc:7871:dfeb:8ad3]:9000"
-/* nickname=Quetzalcoatl */
+"185.220.101.3 orport=9443 id=99E152CDB12F5ABBE08C0A2EA5B126CD3F1FAC5F"
+" ipv6=[2a0b:f4c2::3]:9443"
+/* nickname=artikel10ber06 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.15.218.190 orport=443 id=8927AD37F39D10C3F4CFDD5213606E4881CCF6B0"
-/* nickname=tirz */
+"188.68.56.100 orport=9090 id=D447D8180D5FB67D0E3AD08AC0A123EF943D84D4"
+" ipv6=[2a03:4000:6:f776:5862:30ff:fecf:d2c]:9090"
+/* nickname=Eigentor */
 /* extrainfo=0 */
 /* ===== */
 ,
-"205.185.124.164 orport=9001 id=7B67A3AD2395536FD15CB97588A0BC1A015AC267"
-/* nickname=stubbornoxen */
+"94.211.220.163 orport=9001 id=5DFF2F64A41EB91BAE553A860A953009105E3343"
+/* nickname=UnseenMoonBeam */
 /* extrainfo=0 */
 /* ===== */
 ,
-"91.201.65.91 orport=443 id=57C6DF5B93E54EB9C8DB90029D9E9A1111BD34D2"
-" ipv6=[2a06:f905:1:100::4e]:443"
-/* nickname=rinderwahnRelay12L */
+"192.42.116.28 orport=443 id=1DBACC31486FC670FBD403FAE877342EC696D598"
+" ipv6=[2001:67c:6ec:203:218:33ff:fe44:5528]:443"
+/* nickname=hviv128 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.154.164.243 orport=443 id=AC66FFA4AB35A59EBBF5BF4C70008BF24D8A7A5C"
-" ipv6=[2001:bc8:399f:f000::1]:993"
-/* nickname=torpidsFRonline3 */
+"185.220.101.208 orport=8443 id=18671DE5092C67883BFB2450C3267B92618BEC66"
+" ipv6=[2a0b:f4c2:2:1::208]:8443"
+/* nickname=ForPrivacyNET */
 /* extrainfo=0 */
 /* ===== */
 ,
-"142.252.252.254 orport=8081 id=7488F5265C5E331EB4F1CE5D750685492627464F"
-/* nickname=Altrosky4 */
+"217.23.8.2 orport=9001 id=B42C797CC8CD63C60FB643E820A11D113DF4F5C8"
+/* nickname=firefly */
 /* extrainfo=0 */
 /* ===== */
 ,
-"95.217.248.169 orport=9001 id=F08A3744CA6568ED28545C2B7C1BE7D8BA27CBDE"
-" ipv6=[2a01:4f9:4a:f230::10:4]:9001"
-/* nickname=winR */
+"185.100.87.192 orport=9443 id=C962D865AE72B6F2EF08E77F3B15894B9539C2B6"
+" ipv6=[2a06:1700:0:12::2]:9443"
+/* nickname=artikel10buc04 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"163.44.173.37 orport=443 id=ED7FDF68D504AEED4E28C6396B3E4A4ED04406B9"
-/* nickname=Unnamed */
+"109.202.205.68 orport=9001 id=E9DA4101B0E0D718ADF52100A9B30A67BA35A67C"
+/* nickname=Urgl */
 /* extrainfo=0 */
 /* ===== */
 ,
-"158.255.1.112 orport=443 id=76B4FEDD0696D924A407CFAB50B6E574B28CCDCA"
-/* nickname=vladimir */
+"104.244.76.184 orport=443 id=D5A2B3AE1E8047017A0BBC7209FD624DB84D47CE"
+" ipv6=[2605:6400:30:f99f::1]:443"
+/* nickname=komeru2 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"102.130.119.48 orport=9001 id=A636F3A27D9C10713C7A77ED00183DE8727E3D84"
-/* nickname=axeTorA */
+"72.174.136.71 orport=59001 id=9E7C2C6DEDA3A90ED7D43527126AB67936FB038E"
+/* nickname=Veil */
 /* extrainfo=0 */
 /* ===== */
 ,
-"109.70.100.11 orport=443 id=96E095D5CDBFC3988DEB708EC155346472402C32"
-" ipv6=[2a03:e600:100::11]:443"
-/* nickname=karfiol */
+"193.110.95.34 orport=9001 id=094A0E6B4BDCED81B8A2811430F5FAF03464A3A8"
+" ipv6=[2a02:169:55f5:2::2]:9001"
+/* nickname=sten */
 /* extrainfo=0 */
 /* ===== */
 ,
-"85.195.255.85 orport=9001 id=A3AFBDEE30238E44899C9F8B7666D12B09C8EE32"
-/* nickname=isthisthereallife */
+"213.164.204.116 orport=9001 id=E001D2724CEA5615E828D30111B866AB277E86C2"
+/* nickname=Hydra7 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"116.203.50.182 orport=8080 id=00E1649E69FF91D7F01E74A5E62EF14F7D9915E4"
-" ipv6=[2a01:4f8:1c1c:b16b::1]:8080"
-/* nickname=dragonhoard */
+"185.220.101.5 orport=9443 id=EBA0FFA5799A9B9D79A3BE2DBD601E301ACFB087"
+" ipv6=[2a0b:f4c2::5]:9443"
+/* nickname=artikel10ber10 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.164.204.165 orport=9001 id=43ED841926B5DA9487032D789A31B5E74A7525E2"
-/* nickname=Hydra14 */
+"95.128.43.164 orport=443 id=616081EC829593AF4232550DE6FFAA1D75B37A90"
+" ipv6=[2a02:ec0:209:10::4]:443"
+/* nickname=AquaRayTerminus */
 /* extrainfo=0 */
 /* ===== */
 ,
-"213.164.204.152 orport=9001 id=E1D2328D0DB2A06EE85ABD9D8D75CC5DBDDFDA5C"
-/* nickname=Hydra8 */
+"178.254.44.176 orport=8173 id=AE6CE2B402C2930EBAF59A616E80AD43F7AB123B"
+/* nickname=1blu2DEicebeer73 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.61.186.166 orport=9000 id=B0CF3131A8097FFAF9E9B54566F12A2C6E560C48"
-" ipv6=[2605:6400:40:feca:bc44:119e:7d58:8792]:9000"
-/* nickname=Quetzalcoatl */
+"91.208.184.123 orport=443 id=ACF8FC6C14032A045B44F6B98525EE5C0472DD50"
+/* nickname=TorDiversity */
 /* extrainfo=0 */
 /* ===== */
 ,
-"195.176.3.23 orport=443 id=BCF55F865EE6EF17E25EFEAF851BC429F190B85D"
-" ipv6=[2001:620:20d0::23]:443"
-/* nickname=DigiGesTor5e1 */
+"72.167.47.69 orport=443 id=8BDBE498180C41249D3230FC5092CB3EB5A62482"
+/* nickname=Minotaur */
 /* extrainfo=0 */
 /* ===== */
 ,
-"194.182.179.34 orport=443 id=EFE89ECF4EE11613A19248777EBBA28719BF5FF7"
-" ipv6=[2a04:c47:e00:7cdf:4b9:a0ff:fe00:2f0]:443"
-/* nickname=Slavyanka */
+"103.251.167.10 orport=443 id=AF8DB275960279B87F098B16CC9C78092E118DB3"
+" ipv6=[2a01:6340:2:501::10]:443"
+/* nickname=NLfreedom1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"138.59.18.106 orport=443 id=0BADD9510440C9BF3A728F2CB630836FF98142B2"
-/* nickname=Albis */
+"23.106.120.42 orport=9001 id=D55BE90E549B4A21033672EA69030D2047FFC58B"
+/* nickname=CraigBrightbane */
 /* extrainfo=0 */
 /* ===== */
 ,
-"148.251.66.75 orport=9001 id=4BC6B5DA381A0044E81CA7B6170D46588C060ADA"
-/* nickname=ChlewigenRelay */
+"185.100.85.25 orport=9443 id=B99C68B77AE06CD0FD3C19E6F5552872BE2E7604"
+" ipv6=[2a06:1700:0:12::4]:9443"
+/* nickname=artikel10buc08 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"37.157.254.114 orport=443 id=18671DE5092C67883BFB2450C3267B92618BEC66"
-" ipv6=[2001:4ba0:ffff:1ce::3]:443"
-/* nickname=ForPrivacyNET */
+"50.116.47.139 orport=9001 id=954B221CFDC3F56A15FE3C29F85D5FE34BB144B2"
+/* nickname=Unnamed */
 /* extrainfo=0 */
 /* ===== */
 ,
-"72.89.32.196 orport=9001 id=67F5AC35DBA20D22A0178BFB6F4AC076C3B16829"
-/* nickname=hubble */
+"92.219.112.13 orport=9001 id=AF1852AACF490755ED00A2454618C8C8D172D307"
+/* nickname=lonninator01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.220.101.17 orport=9443 id=6E3DD22CF40499F67CCADC5C024397748C0E63B4"
-" ipv6=[2a0b:f4c2::17]:9443"
-/* nickname=artikel10ber34 */
+"134.102.200.101 orport=9001 id=F1CD870D7A8FA364E459ABA70B1737D40B0B4BB3"
+" ipv6=[2001:638:708:30c8::65]:9001"
+/* nickname=csUniHB */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.75.194.221 orport=9001 id=38F21DEE29E40DCDF9460A80662B7723562CA008"
-/* nickname=trabajando */
+"185.195.71.6 orport=443 id=D255268BACBB4562554CF20147731BDA0D8C452B"
+/* nickname=AccessNow004 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"78.47.14.99 orport=9001 id=A1688972E4AA4F24C4C9AA2372CD387B82834C40"
-" ipv6=[2a01:4f8:c17:13aa::1]:9001"
-/* nickname=whatnick2 */
+"23.129.64.177 orport=443 id=8B4381CBDD1358AC8EE66C23B5BE5E0A3F780F21"
+" ipv6=[2620:18c:0:192::177]:443"
+/* nickname=AlanTuringLGBTQ */
 /* extrainfo=0 */
 /* ===== */
 ,
-"89.163.164.202 orport=443 id=FF9FC6D130FA26AE3AE8B23688691DC419F0F22E"
-" ipv6=[2001:4ba0:cafe:12a1::]:443"
-/* nickname=rinderwahnRelay3L */
+"65.108.136.189 orport=80 id=624B7391B9790E7CD2AF6A7238239BA3D6928A57"
+" ipv6=[2a01:4f9:6b:3408::3]:80"
+/* nickname=arbitraryKenzie3 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"94.100.6.30 orport=9001 id=669102E6FA8E116AC05FE823B0634B44499944E3"
-/* nickname=Quiv */
+"179.43.146.230 orport=443 id=B63410CD48185ED34E9C6AE62D048D8A6854A5CA"
+/* nickname=leuwerik */
 /* extrainfo=0 */
 /* ===== */
 ,
-"82.48.198.112 orport=9443 id=94F367A130296C9EB92BE32E25AAEB7F227DE0D6"
-/* nickname=FreeZion */
+"176.223.141.106 orport=443 id=5262556D44A7F2434990FDE1AE7973C67DF49E58"
+" ipv6=[2a02:7b40:b0df:8d6a::1]:443"
+/* nickname=Theoden */
 /* extrainfo=0 */
 /* ===== */
 ,
-"140.78.100.41 orport=8443 id=C9525872E3AA926402D8998085A409C7BBDFAE59"
-/* nickname=INSRelay41at8443 */
+"144.91.114.27 orport=9001 id=451AD42EDB2598B06AF87403D6FA23BCA165BF5F"
+" ipv6=[2a02:c207:3008:5548::1]:9001"
+/* nickname=AomoriDevRel1 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"185.82.219.109 orport=443 id=2B34099ED2BC598C4745C96C873FD73A445646BD"
-/* nickname=RunningOnFumes4 */
+"159.89.124.240 orport=9000 id=C8FE57A0C112E123CB8B9A81B1E505B2E8F75CEF"
+" ipv6=[2604:a880:cad:d0::bbd:f001]:9000"
+/* nickname=trecinex01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"159.89.87.126 orport=143 id=9D07DFA6472B80277798D73234348CEF02F2E7D5"
-/* nickname=incircuitryrelay */
+"104.217.250.206 orport=443 id=63EF43219D7FB80DA34C80D507395A8A5EE7993D"
+/* nickname=emokid */
 /* extrainfo=0 */
 /* ===== */
 ,
-"45.61.185.114 orport=9100 id=5E4EBE4078DFBE6CA4648C4D32EEBFE6D822CACB"
-" ipv6=[2605:6400:40:fec5:3c19:b3c1:b8a1:1f27]:9100"
-/* nickname=Quetzalcoatl */
+"37.143.118.9 orport=443 id=263907E9D48FBEAE6E64B10C628AE8BDF466869B"
+/* nickname=msBobo */
 /* extrainfo=0 */
 /* ===== */
 ,
-"51.15.197.24 orport=443 id=FBCD904030EA49971E4766A9009DEE96F2FEC4F4"
-" ipv6=[2001:bc8:630:299::1]:443"
-/* nickname=charlie */
+"95.216.100.82 orport=9001 id=3E9FEEADB71C1397EABEFABC96865CB8FAB06E6D"
+/* nickname=stoertetor01 */
 /* extrainfo=0 */
 /* ===== */
 ,
-"205.185.115.163 orport=443 id=ABCE9719136F55FB44608274DA2CA9F64237AD27"
-/* nickname=Unnamed */
+"88.208.215.95 orport=1503 id=4853A70DB9F95203A1544A0245D9D229F97B481A"
+" ipv6=[2a00:da00:1800:1f5::1]:1503"
+/* nickname=AndrewRyan */
 /* extrainfo=0 */
 /* ===== */
 ,
-"178.170.42.112 orport=9001 id=6CF8862649ED845917BF35EA4F7986F782CCFFCE"
-" ipv6=[2a00:c70:1:178:170:42:112:8]:9001"
-/* nickname=mullbinde7 */
+"135.148.53.61 orport=443 id=7551C1446DBA7BCF8395389A125445E71952D467"
+/* nickname=adrian */
 /* extrainfo=0 */
 /* ===== */
 ,
-"176.10.99.207 orport=443 id=0516085D6CAC40ED4CDCEFDFC5CCF6B00DE61DED"
-/* nickname=AccessNow007 */
+"170.133.2.76 orport=9001 id=1AC45083EBC7E02720C13254CEA3F7B032C248E2"
+" ipv6=[2001:470:5429::b3]:9001"
+/* nickname=vsm */
 /* extrainfo=0 */
 /* ===== */
 ,
-"198.98.59.35 orport=9000 id=9376A43695CBB66C256DCC87932EE885EA9AF5EC"
-" ipv6=[2605:6400:10:542:d124:fa7a:9141:db6c]:9000"
-/* nickname=Quetzalcoatl */
+"94.140.115.114 orport=8443 id=66C102FA5DDF48C9EEEB048C1630933B66C50ECC"
+/* nickname=kbtr7lv */
 /* extrainfo=0 */
 /* ===== */
 ,
diff --git a/linux/tor/src/core/or/channelpadding.c b/linux/tor/src/core/or/channelpadding.c
index 47a04e52..1f559f6c 100644
--- a/linux/tor/src/core/or/channelpadding.c
+++ b/linux/tor/src/core/or/channelpadding.c
@@ -186,7 +186,7 @@ channelpadding_get_netflow_inactive_timeout_ms(const channel_t *chan)
     high_timeout = MAX(high_timeout, chan->padding_timeout_high_ms);
   }
 
-  if (low_timeout == high_timeout)
+  if (low_timeout >= high_timeout)
     return low_timeout; // No randomization
 
   /*
diff --git a/linux/tor/src/core/or/command.c b/linux/tor/src/core/or/command.c
index 622217a7..9155f52a 100644
--- a/linux/tor/src/core/or/command.c
+++ b/linux/tor/src/core/or/command.c
@@ -652,19 +652,22 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan)
   if (!CIRCUIT_IS_ORIGIN(circ) &&
       chan == TO_OR_CIRCUIT(circ)->p_chan &&
       cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) {
-    /* the destroy came from behind */
+    /* The destroy came from behind so nullify its p_chan. Close the circuit
+     * with a DESTROYED reason so we don't propagate along the path forward the
+     * reason which could be used as a side channel. */
     circuit_set_p_circid_chan(TO_OR_CIRCUIT(circ), 0, NULL);
-    circuit_mark_for_close(circ, reason|END_CIRC_REASON_FLAG_REMOTE);
+    circuit_mark_for_close(circ, END_CIRC_REASON_DESTROYED);
   } else { /* the destroy came from ahead */
     circuit_set_n_circid_chan(circ, 0, NULL);
     if (CIRCUIT_IS_ORIGIN(circ)) {
       circuit_mark_for_close(circ, reason|END_CIRC_REASON_FLAG_REMOTE);
     } else {
-      char payload[1];
-      log_debug(LD_OR, "Delivering 'truncated' back.");
-      payload[0] = (char)reason;
-      relay_send_command_from_edge(0, circ, RELAY_COMMAND_TRUNCATED,
-                                   payload, sizeof(payload), NULL);
+      /* Close the circuit so we stop queuing cells for it and propagate the
+       * DESTROY cell down the circuit so relays can stop queuing in-flight
+       * cells for this circuit which helps with memory pressure. We do NOT
+       * propagate the remote reason so not to create a side channel. */
+      log_debug(LD_OR, "Received DESTROY cell from n_chan, closing circuit.");
+      circuit_mark_for_close(circ, END_CIRC_REASON_DESTROYED);
     }
   }
 }
diff --git a/linux/tor/src/core/or/connection_or.c b/linux/tor/src/core/or/connection_or.c
index dd31638e..6d9f1c75 100644
--- a/linux/tor/src/core/or/connection_or.c
+++ b/linux/tor/src/core/or/connection_or.c
@@ -805,6 +805,10 @@ connection_or_about_to_close(or_connection_t *or_conn)
   } else if (!tor_digest_is_zero(or_conn->identity_digest)) {
     connection_or_event_status(or_conn, OR_CONN_EVENT_CLOSED,
                 tls_error_to_orconn_end_reason(or_conn->tls_error));
+  } else {
+    /* Normal close, we notify of a done connection. */
+    connection_or_event_status(or_conn, OR_CONN_EVENT_CLOSED,
+                               END_OR_CONN_REASON_DONE);
   }
 }
 
diff --git a/linux/tor/src/lib/sandbox/sandbox.c b/linux/tor/src/lib/sandbox/sandbox.c
index 5f73fd2b..9a7487a2 100644
--- a/linux/tor/src/lib/sandbox/sandbox.c
+++ b/linux/tor/src/lib/sandbox/sandbox.c
@@ -227,6 +227,9 @@ static int filter_nopar_gen[] = {
 #endif
     SCMP_SYS(read),
     SCMP_SYS(rt_sigreturn),
+#ifdef __NR_rseq
+    SCMP_SYS(rseq),
+#endif
     SCMP_SYS(sched_getaffinity),
 #ifdef __NR_sched_yield
     SCMP_SYS(sched_yield),
diff --git a/linux/tor/src/win32/orconfig.h b/linux/tor/src/win32/orconfig.h
index 6c8997e5..1de08280 100644
--- a/linux/tor/src/win32/orconfig.h
+++ b/linux/tor/src/win32/orconfig.h
@@ -217,7 +217,7 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 #define HAVE_STRUCT_SOCKADDR_IN6
 #define HAVE_STRUCT_IN6_ADDR
diff --git a/lock.json b/lock.json
index d61e1f75..849bd868 100644
--- a/lock.json
+++ b/lock.json
@@ -1 +1 @@
-{"zlib":"21767c654d31d2dccdde4330529775c6c5fd5389","libevent":"21e2862689edc59b6265998c4a1a2729552ab0b1","openssl":"564a8d442cbd8ce68d452ff2e8a58c0aea6b0632","tor":"18cc67f1614a3819b55883a421710a59a66c27a5"}
\ No newline at end of file
+{"zlib":"21767c654d31d2dccdde4330529775c6c5fd5389","libevent":"b19af675c7601a7867f26c33072cda7ea125adb2","openssl":"9eae491721209f302a9a475bffd271370e8bcb8f","tor":"e7dddda9c155bc91ef87dc6cb0600f6986e63b52"}
\ No newline at end of file
diff --git a/openssl_config/buildinf.macos64.h b/openssl_config/buildinf.macos64.h
index 1f61a103..6bfb657e 100644
--- a/openssl_config/buildinf.macos64.h
+++ b/openssl_config/buildinf.macos64.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin64-x86_64-cc"
-#define DATE "built on: Thu Apr 14 16:18:29 2022 +0200"
+#define DATE "built on: Tue Aug 23 11:05:54 2022 +1000"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/openssl_config/buildinf.x64.h b/openssl_config/buildinf.x64.h
index e10096e9..92caa18b 100644
--- a/openssl_config/buildinf.x64.h
+++ b/openssl_config/buildinf.x64.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-x86_64"
-#define DATE "built on: Thu Apr 14 16:18:29 2022 +0200"
+#define DATE "built on: Tue Aug 23 11:05:54 2022 +1000"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/openssl_config/buildinf.x86.h b/openssl_config/buildinf.x86.h
index e0d8606a..bb963716 100644
--- a/openssl_config/buildinf.x86.h
+++ b/openssl_config/buildinf.x86.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-x86"
-#define DATE "built on: Thu Apr 14 16:18:29 2022 +0200"
+#define DATE "built on: Tue Aug 23 11:05:54 2022 +1000"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/tor_config/orconfig.android32.h b/tor_config/orconfig.android32.h
index 7e019e8d..8d4ae5ba 100644
--- a/tor_config/orconfig.android32.h
+++ b/tor_config/orconfig.android32.h
@@ -7,7 +7,7 @@
 /* All assert failures are fatal */
 /* #undef ALL_BUGS_ARE_FATAL */
 
-/* # for 0.4.6.10-dev Approximate date when this software was released.
+/* # for 0.4.6.12-dev Approximate date when this software was released.
    (Updated when the version changes.) */
 #define APPROX_RELEASE_DATE "2021-10-28"
 
@@ -693,7 +693,7 @@
 #define PACKAGE_NAME "tor"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "tor 0.4.6.10-dev"
+#define PACKAGE_STRING "tor 0.4.6.12-dev"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "tor"
@@ -702,7 +702,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.4.6.10-dev"
+#define PACKAGE_VERSION "0.4.6.12-dev"
 
 /* How to access the PC from a struct ucontext */
 #define PC_FROM_UCONTEXT uc_mcontext.arm_pc
@@ -877,7 +877,7 @@
 #define USING_TWOS_COMPLEMENT 1
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/tor_config/orconfig.android64.h b/tor_config/orconfig.android64.h
index 3fe0681a..334ccea2 100644
--- a/tor_config/orconfig.android64.h
+++ b/tor_config/orconfig.android64.h
@@ -7,7 +7,7 @@
 /* All assert failures are fatal */
 /* #undef ALL_BUGS_ARE_FATAL */
 
-/* # for 0.4.6.10-dev Approximate date when this software was released.
+/* # for 0.4.6.12-dev Approximate date when this software was released.
    (Updated when the version changes.) */
 #define APPROX_RELEASE_DATE "2021-10-28"
 
@@ -693,7 +693,7 @@
 #define PACKAGE_NAME "tor"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "tor 0.4.6.10-dev"
+#define PACKAGE_STRING "tor 0.4.6.12-dev"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "tor"
@@ -702,7 +702,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.4.6.10-dev"
+#define PACKAGE_VERSION "0.4.6.12-dev"
 
 /* How to access the PC from a struct ucontext */
 /* #undef PC_FROM_UCONTEXT */
@@ -877,7 +877,7 @@
 #define USING_TWOS_COMPLEMENT 1
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/tor_config/orconfig.ios64.h b/tor_config/orconfig.ios64.h
index 77a230dc..4d47c7e4 100644
--- a/tor_config/orconfig.ios64.h
+++ b/tor_config/orconfig.ios64.h
@@ -7,7 +7,7 @@
 /* All assert failures are fatal */
 /* #undef ALL_BUGS_ARE_FATAL */
 
-/* # for 0.4.6.10-dev Approximate date when this software was released.
+/* # for 0.4.6.12-dev Approximate date when this software was released.
    (Updated when the version changes.) */
 #define APPROX_RELEASE_DATE "2021-10-28"
 
@@ -693,7 +693,7 @@
 #define PACKAGE_NAME "tor"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "tor 0.4.6.10-dev"
+#define PACKAGE_STRING "tor 0.4.6.12-dev"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "tor"
@@ -702,7 +702,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.4.6.10-dev"
+#define PACKAGE_VERSION "0.4.6.12-dev"
 
 /* How to access the PC from a struct ucontext */
 /* #undef PC_FROM_UCONTEXT */
@@ -877,7 +877,7 @@
 #define USING_TWOS_COMPLEMENT 1
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/tor_config/orconfig.linux32.h b/tor_config/orconfig.linux32.h
index cba159a6..4ef211aa 100644
--- a/tor_config/orconfig.linux32.h
+++ b/tor_config/orconfig.linux32.h
@@ -693,7 +693,7 @@
 #define PACKAGE_NAME "tor"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "tor 0.4.6.10-dev"
+#define PACKAGE_STRING "tor 0.4.6.12-dev"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "tor"
@@ -702,7 +702,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.4.6.10-dev"
+#define PACKAGE_VERSION "0.4.6.12-dev"
 
 /* How to access the PC from a struct ucontext */
 #define PC_FROM_UCONTEXT uc_mcontext->__ss.__rip
@@ -877,7 +877,7 @@
 #define USING_TWOS_COMPLEMENT 1
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/tor_config/orconfig.linux64.h b/tor_config/orconfig.linux64.h
index cba159a6..4ef211aa 100644
--- a/tor_config/orconfig.linux64.h
+++ b/tor_config/orconfig.linux64.h
@@ -693,7 +693,7 @@
 #define PACKAGE_NAME "tor"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "tor 0.4.6.10-dev"
+#define PACKAGE_STRING "tor 0.4.6.12-dev"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "tor"
@@ -702,7 +702,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.4.6.10-dev"
+#define PACKAGE_VERSION "0.4.6.12-dev"
 
 /* How to access the PC from a struct ucontext */
 #define PC_FROM_UCONTEXT uc_mcontext->__ss.__rip
@@ -877,7 +877,7 @@
 #define USING_TWOS_COMPLEMENT 1
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff --git a/tor_config/orconfig.macos64.h b/tor_config/orconfig.macos64.h
index 111e62b3..cd3a4cf6 100644
--- a/tor_config/orconfig.macos64.h
+++ b/tor_config/orconfig.macos64.h
@@ -693,7 +693,7 @@
 #define PACKAGE_NAME "tor"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "tor 0.4.6.10-dev"
+#define PACKAGE_STRING "tor 0.4.6.12-dev"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "tor"
@@ -702,7 +702,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.4.6.10-dev"
+#define PACKAGE_VERSION "0.4.6.12-dev"
 
 /* How to access the PC from a struct ucontext */
 #define PC_FROM_UCONTEXT uc_mcontext->__ss.__rip
@@ -877,7 +877,7 @@
 #define USING_TWOS_COMPLEMENT 1
 
 /* Version number of package */
-#define VERSION "0.4.6.10-dev"
+#define VERSION "0.4.6.12-dev"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */