Index: /branches/rel_ag_9_4_5/ssl-111/Makefile
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/Makefile	(revision 20645)
+++ /branches/rel_ag_9_4_5/ssl-111/Makefile	(working copy)
@@ -23,6 +23,7 @@
 PATCH14=sm4_gcm_ccm.patch
 PATCH15=openssl-1.1.1d-CVE-2022-0778.patch
 PATCH16=ocsp_retry.patch
+PATCH17=openssl-1.1.1d-CVE-2026-22795.patch
 #PATCHx=openssl-1.1.1d-bug102140.patch
 
 INST_LIB= $(OPENSSL_LIB)
@@ -57,7 +58,8 @@
 	patch -p1 < ../d_patch/$(PATCH13) && \
 	patch -p1 < ../d_patch/$(PATCH14) && \
 	patch -p1 < ../d_patch/$(PATCH15) && \
-	patch -p1 < ../d_patch/$(PATCH16);
+	patch -p1 < ../d_patch/$(PATCH16) && \
+	patch -p1 < ../d_patch/$(PATCH17);
 	cd openssl && \
 	/usr/local/bin/perl5.10.1 Configure BSD-x86_64 --prefix=$(PWD)/../$(CA_ROOT) --openssldir=$(PWD)/../$(CA_ROOT)/ssl-111 $(OPENSSL_OPT) && \
 	cd ..;
Index: /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2026-22795.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2026-22795.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2026-22795.patch	(working copy)
@@ -0,0 +1,71 @@
+From 572844beca95068394c916626a6d3a490f831a49 Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29582)
+---
+ apps/s_client.c          |  3 ++-
+ crypto/pkcs12/p12_kiss.c | 10 ++++++++--
+ crypto/pkcs7/pk7_doit.c  |  2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/apps/s_client.c b/apps/s_client.c
+index 1419aafc9c3fa..64e8127f67fde 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -2668,8 +2668,9 @@ int s_client_main(int argc, char **argv)
+                 goto end;
+             }
+             atyp = ASN1_generate_nconf(genstr, cnf);
+-            if (atyp == NULL) {
++            if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+                 NCONF_free(cnf);
++                ASN1_TYPE_free(atyp);
+                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+                 goto end;
+             }
+diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
+index 6b668d8350ddf..69fea530331c1 100644
+--- a/crypto/pkcs12/p12_kiss.c
++++ b/crypto/pkcs12/p12_kiss.c
+@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+     ASN1_BMPSTRING *fname = NULL;
+     ASN1_OCTET_STRING *lkid = NULL;
+
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++        if (attrib->type != V_ASN1_BMPSTRING)
++            return 0;
+         fname = attrib->value.bmpstring;
++    }
+
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++        if (attrib->type != V_ASN1_OCTET_STRING)
++            return 0;
+         lkid = attrib->value.octet_string;
++    }
+
+     switch (PKCS12_SAFEBAG_get_nid(bag)) {
+     case NID_keyBag:
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index 4b0414f8e04c5..69b301122504b 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -1092,6 +1092,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+     ASN1_TYPE *astype;
+     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+         return NULL;
++    if (astype->type != V_ASN1_OCTET_STRING)
++        return NULL;
+     return astype->value.octet_string;
+ }
+
Index: /branches/rel_ag_9_4_5/ssl/Makefile
===================================================================
--- /branches/rel_ag_9_4_5/ssl/Makefile	(revision 20645)
+++ /branches/rel_ag_9_4_5/ssl/Makefile	(working copy)
@@ -75,6 +75,7 @@
 	patch < CVE-2021-3712.patch -d ../${OPENSSL_PKG} && \
 	patch < CVE-2022-0778.patch -d ../${OPENSSL_PKG} && \
 	patch < CVE-2025-9230.patch -p1 -d ../${OPENSSL_PKG} && \
+	patch < CVE-2026-22795.patch -p1 -d ../${OPENSSL_PKG} && \
 	cd ..;
 	chmod +x copy_sm2_files.sh patch_openssl_sm2.sh
 	./copy_sm2_files.sh ${OPENSSL_PKG};
Index: /branches/rel_ag_9_4_5/ssl/patch/CVE-2026-22795.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl/patch/CVE-2026-22795.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl/patch/CVE-2026-22795.patch	(working copy)
@@ -0,0 +1,55 @@
+From 572844beca95068394c916626a6d3a490f831a49 Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29582)
+---
+ crypto/pkcs12/p12_kiss.c | 10 ++++++++--
+ crypto/pkcs7/pk7_doit.c  |  2 ++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
+index 6b668d8350ddf..69fea530331c1 100644
+--- a/crypto/pkcs12/p12_kiss.c
++++ b/crypto/pkcs12/p12_kiss.c
+@@ -237,11 +237,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+     ASN1_BMPSTRING *fname = NULL;
+     ASN1_OCTET_STRING *lkid = NULL;
+
+-    if ((attrib = PKCS12_get_attr(bag, NID_friendlyName)))
++    if ((attrib = PKCS12_get_attr(bag, NID_friendlyName))) {
++        if (attrib->type != V_ASN1_BMPSTRING)
++            return 0;
+         fname = attrib->value.bmpstring;
++    }
+
+-    if ((attrib = PKCS12_get_attr(bag, NID_localKeyID)))
++    if ((attrib = PKCS12_get_attr(bag, NID_localKeyID))) {
++        if (attrib->type != V_ASN1_OCTET_STRING)
++            return 0;
+         lkid = attrib->value.octet_string;
++    }
+
+     switch (M_PKCS12_bag_type(bag)) {
+     case NID_keyBag:
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index 4b0414f8e04c5..69b301122504b 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -1208,6 +1208,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+     ASN1_TYPE *astype;
+     if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest)))
+         return NULL;
++    if (astype->type != V_ASN1_OCTET_STRING)
++        return NULL;
+     return astype->value.octet_string;
+ }
+
