diff --git a/include/unistd.h b/include/unistd.h
index 33fc6fdc2..2ae7fa615 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: unistd.h,v 1.110 2024/08/02 01:53:21 guenther Exp $ */
+/* $OpenBSD: unistd.h,v 1.111 2024/08/02 22:14:54 guenther Exp $ */
 /* $NetBSD: unistd.h,v 1.26.4.1 1996/05/28 02:31:51 mrg Exp $ */
 /*-
@@ -474,6 +474,12 @@ int unlinkat(int, const char *, int);
 #if __POSIX_VISIBLE >= 202405 || __BSD_VISIBLE
 int getentropy(void *, size_t);
 #endif
+#if __XPG_VISIBLE >= 800 || __BSD_VISIBLE
+int getresgid(gid_t *, gid_t *, gid_t *);
+int getresuid(uid_t *, uid_t *, uid_t *);
+int setresgid(gid_t, gid_t, gid_t);
+int setresuid(uid_t, uid_t, uid_t);
+#endif
 #if __BSD_VISIBLE
 int dup3(int, int, int);
@@ -492,8 +498,6 @@ int getdomainname(char *, size_t)
 int getdtablecount(void);
 int getgrouplist(const char *, gid_t, gid_t *, int *);
 mode_t getmode(const void *, mode_t);
-int getresgid(gid_t *, gid_t *, gid_t *);
-int getresuid(uid_t *, uid_t *, uid_t *);
 pid_t getthrid(void);
 int getthrname(pid_t, char *, size_t);
 char *getusershell(void);
@@ -523,8 +527,6 @@ int sethostname(const char *, size_t);
 int setlogin(const char *);
 void *setmode(const char *);
 int setpgrp(pid_t _pid, pid_t _pgrp); /* BSD compat version */
-int setresgid(gid_t, gid_t, gid_t);
-int setresuid(uid_t, uid_t, uid_t);
 int setthrname(pid_t, const char *);
 void setusershell(void);
 int strtofflags(char **, u_int32_t *, u_int32_t *);
diff --git a/lib/libc/sys/setresuid.2 b/lib/libc/sys/setresuid.2
index 7268f77ca..43e2dde19 100644
--- a/lib/libc/sys/setresuid.2
+++ b/lib/libc/sys/setresuid.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: setresuid.2,v 1.9 2015/09/10 17:55:21 schwarze Exp $
+.\" $OpenBSD: setresuid.2,v 1.10 2024/08/02 22:14:54 guenther Exp $
 .\"
 .\" Copyright (c) 2000
 .\" Sheldon Hearn. All rights reserved.
@@ -21,7 +21,7 @@
 .\"
 .\" $FreeBSD: src/lib/libc/sys/setresuid.2,v 1.12 2001/10/01 16:09:02 ru Exp $
 .\"
-.Dd $Mdocdate: September 10 2015 $
+.Dd $Mdocdate: August 2 2024 $
 .Dt SETRESUID 2
 .Os
 .Sh NAME
@@ -31,7 +31,6 @@
 .Nm setresuid
 .Nd get or set real, effective and saved user or group ID
 .Sh SYNOPSIS
-.In sys/types.h
 .In unistd.h
 .Ft int
 .Fn getresgid "gid_t *rgid" "gid_t *egid" "gid_t *sgid"
@@ -89,10 +88,13 @@ was invalid.
 .Xr setreuid 2 ,
 .Xr setuid 2
 .Sh STANDARDS
-These functions are not part of the
-.St -p1003.1
-specification.
-While they are not completely portable, they are the least ambiguous way to
-manage user and group IDs.
+The
+.Fn getresgid ,
+.Fn getresuid ,
+.Fn setresgid ,
+and
+.Fn setresuid
+functions conform to the X/Open System Interfaces option of
+.St -p1003.1-2024 .
 .Sh HISTORY
 These functions first appeared in HP-UX.
diff --git a/lib/libcrypto/crypto_ex_data.c b/lib/libcrypto/crypto_ex_data.c
index 2b3e28fac..ceb3a92e5 100644
--- a/lib/libcrypto/crypto_ex_data.c
+++ b/lib/libcrypto/crypto_ex_data.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_ex_data.c,v 1.2 2024/08/02 14:02:33 tb Exp $ */
+/* $OpenBSD: crypto_ex_data.c,v 1.4 2024/08/03 07:45:26 tb Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing
 *
@@ -19,7 +19,7 @@
 #include
-#define CRYPTO_EX_DATA_MAX_INDEX 16
+#define CRYPTO_EX_DATA_MAX_INDEX 32
 struct crypto_ex_data {
 int class_index;
@@ -104,7 +104,7 @@ CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
 sizeof(struct crypto_ex_data_class))) == NULL)
 goto err;
 if ((new_class->indexes = calloc(CRYPTO_EX_DATA_MAX_INDEX,
-sizeof(struct crypto_ex_data_index))) == NULL)
+sizeof(struct crypto_ex_data_index *))) == NULL)
 goto err;
 new_class->indexes_len = CRYPTO_EX_DATA_MAX_INDEX;
 new_class->next_index = 1;
diff --git a/lib/libcrypto/ec/ec_kmeth.c b/lib/libcrypto/ec/ec_kmeth.c
index 856afc89d..fa79b9a29 100644
--- a/lib/libcrypto/ec/ec_kmeth.c
+++ b/lib/libcrypto/ec/ec_kmeth.c
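Review bot: The element size in the calloc call is still spelled as a bare type, `sizeof(struct crypto_ex_data_index *)`, which is the same pattern that let the old `sizeof(struct crypto_ex_data_index)` mismatch in; deriving it from the destination, `calloc(CRYPTO_EX_DATA_MAX_INDEX, sizeof(*new_class->indexes))`, ties the allocation to the declared type of `indexes` so a later change to that field cannot silently reintroduce a wrong element size. Whether the old form over- or under-allocated depends on the declaration of `indexes`, which is outside the hunk; if it is an array of pointers the old call merely wasted memory. The doubling of `CRYPTO_EX_DATA_MAX_INDEX` to 32 in the preceding hunk carries no rationale; a one-line comment on the define naming the consumer that needed more than 16 indices per class would help the next person who has to raise it again. `CRYPTO_get_ex_new_index` starts and ends outside the hunk.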
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_kmeth.c,v 1.13 2023/11/19 15:46:09 tb Exp $ */
+/* $OpenBSD: ec_kmeth.c,v 1.14 2024/08/03 13:06:37 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -149,7 +149,7 @@ EC_KEY_new_method(ENGINE *engine)
 ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
 ret->references = 1;
-if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
+if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data))
 goto err;
 if (ret->meth->init != NULL && ret->meth->init(ret) == 0)
 goto err;
diff --git a/lib/libssl/hidden/openssl/ssl.h b/lib/libssl/hidden/openssl/ssl.h
index cff250ee7..6cf8d0c79 100644
--- a/lib/libssl/hidden/openssl/ssl.h
+++ b/lib/libssl/hidden/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.7 2024/07/14 15:39:36 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.8 2024/08/03 04:50:27 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck
 *
@@ -105,6 +105,7 @@ LSSL_USED(SSL_CTX_set_timeout);
 LSSL_USED(SSL_CTX_get_timeout);
 LSSL_USED(SSL_CTX_get_cert_store);
 LSSL_USED(SSL_CTX_set_cert_store);
+LSSL_USED(SSL_CTX_set1_cert_store);
 LSSL_USED(SSL_CTX_get0_certificate);
 LSSL_USED(SSL_CTX_get0_privatekey);
 LSSL_USED(SSL_want);
diff --git a/lib/libssl/man/SSL_CTX_set_cert_store.3 b/lib/libssl/man/SSL_CTX_set_cert_store.3
index b23e3c4a1..1be1ba2f6 100644
--- a/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cert_store.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_cert_store.3,v 1.8 2024/08/03 04:53:01 tb Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
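Review bot: The ex_data is now registered under `CRYPTO_EX_INDEX_EC_KEY`, so the matching release in the EC_KEY free path (presumably the `CRYPTO_free_ex_data` call in `EC_KEY_free`, not in this diff) must use the same class index, otherwise the per-class free callbacks registered by applications will not run for EC keys and their ex_data is leaked or released through the wrong callbacks; that call site is worth checking in the same commit. Nothing at this call site records the pairing, so I would add above the `if`: `/* Class index must match the CRYPTO_free_ex_data() call in the EC_KEY free path. */`. `EC_KEY_new_method` starts and ends outside the hunk, and its `err` label is not visible, so whether a failed `meth->init` frees the freshly created ex_data cannot be confirmed from here.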
@@ -48,17 +48,20 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: August 3 2024 $
 .Dt SSL_CTX_SET_CERT_STORE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_cert_store ,
+.Nm SSL_CTX_set1_cert_store ,
 .Nm SSL_CTX_get_cert_store
 .Nd manipulate X509 certificate verification storage
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
+.Ft void
+.Fn SSL_CTX_set1_cert_store "SSL_CTX *ctx" "X509_STORE *store"
 .Ft X509_STORE *
 .Fn SSL_CTX_get_cert_store "const SSL_CTX *ctx"
 .Sh DESCRIPTION
@@ -73,6 +76,15 @@ object is currently set in
 .Fa ctx ,
 it will be freed.
 .Pp
+.Fn SSL_CTX_set1_cert_store
+sets the verification storage of
+.Fa ctx
+to or replaces it with
+.Fa store .
+The
+.Fa store Ns 's
+reference count is incremented.
+.Pp
 .Fn SSL_CTX_get_cert_store
 returns a pointer to the current certificate verification storage.
 .Pp
@@ -128,3 +140,7 @@ and
 .Fn SSL_CTX_get_cert_store
 first appeared in SSLeay 0.8.1 and have been available since
 .Ox 2.4 .
+.Pp
+.Fn SSL_CTX_set1_cert_store
+first appeared in OpenSSL 1.1.1 and has been available since
+.Ox 7.6 .
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index d8846a485..7f9db9406 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.239 2024/07/14 15:39:36 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.240 2024/08/03 04:50:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1107,6 +1107,9 @@ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
 long SSL_CTX_get_timeout(const SSL_CTX *ctx);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
+#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
+#endif
 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
 int SSL_want(const SSL *s);
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 4cf5c46fd..1a2bf3695 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.328 2024/07/20 04:04:23 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.329 2024/08/03 04:50:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -3403,6 +3403,16 @@ SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
 }
 LSSL_ALIAS(SSL_CTX_set_cert_store);
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
+{
+if (store != NULL)
+X509_STORE_up_ref(store);
+SSL_CTX_set_cert_store(ctx, store);
+}
+LSSL_ALIAS(SSL_CTX_set1_cert_store);
 X509 *
 SSL_CTX_get0_certificate(const SSL_CTX *ctx)
 {
diff --git a/sys/arch/amd64/amd64/locore.S b/sys/arch/amd64/amd64/locore.S
index d45180e0a..f4ca11405 100644
--- a/sys/arch/amd64/amd64/locore.S
+++ b/sys/arch/amd64/amd64/locore.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: locore.S,v 1.147 2024/03/17 05:49:41 guenther Exp $ */
+/* $OpenBSD: locore.S,v 1.148 2024/08/02 22:24:51 guenther Exp $ */
 /* $NetBSD: locore.S,v 1.13 2004/03/25 18:33:17 drochner Exp $ */
 /*
@@ -182,7 +182,9 @@ sigcodecall:
 .globl sigcoderet
 sigcoderet:
 int3
-1: JMP_RETPOLINE(rax)
+1: CODEPATCH_START
+JMP_RETPOLINE(rax)
+CODEPATCH_END(CPTAG_RETPOLINE_RAX)
 .globl esigcode
 esigcode:
 .globl sigfill
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index 54ddd0ffc..856a01c2b 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
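Review bot: `SSL_CTX_set1_cert_store` carries no comment stating the ownership contract that distinguishes it from `SSL_CTX_set_cert_store`, which the man page in this commit says frees the store currently set on `ctx`; a reader of ssl_lib.c alone cannot tell that the caller keeps its own reference. I would put above the definition: `/* Like SSL_CTX_set_cert_store(), but takes a new reference on store; the caller keeps its own reference and remains responsible for X509_STORE_free(). */`. The return value of `X509_STORE_up_ref()` is discarded; if that function can report failure in this tree, the failure case hands `ctx` a store whose count was not bumped and it would later be freed out from under the caller, so this is worth confirming against its definition, which is not in the diff. Passing a NULL `store` skips the up_ref and then clears the context's store through the existing setter, which looks intentional but deserves a word in the same comment.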
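Review bot: The new codepatch site lies between `sigcoderet` and `esigcode`, which by those labels looks like the signal trampoline that is copied out to user address space rather than run in the kernel, and nothing in the hunk records that the patch therefore has to land in the kernel image before the first trampoline copy is made; a comment on the `1:` line would pin that ordering, e.g. `/* patched by codepatch before sigcode is copied out to userland */`. It is also worth confirming that the replacement emitted for `CPTAG_RETPOLINE_RAX` occupies exactly the bytes the `JMP_RETPOLINE(rax)` expansion occupies here, as at the tag's other users, since the `int3` before the label and `esigcode` after it fix the layout the trampoline depends on. The enclosing `sigcode` block starts before this hunk.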
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.226 2023/08/14 08:07:27 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.227 2024/08/02 21:08:47 jan Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -778,7 +778,7 @@ timeout_tls(int s, struct tls *tls_ctx, int (*func)(struct tls *))
 struct pollfd pfd;
 int ret;
-while ((ret = (*func)(tls_ctx)) != 0) {
+while ((ret = func(tls_ctx)) != 0) {
 if (ret == TLS_WANT_POLLIN)
 pfd.events = POLLIN;
 else if (ret == TLS_WANT_POLLOUT)