Ride the libcrypto bump with some simple cleanup:

Remove BIO_s_log(): already unhooked in portable, completely unused.
Remove X509_PKEY_new/free from public API. Remove PEM_X509_INFO_read()
PEM_X509_INFO_write_bio(): all unused garbage.

The simplify X509_PKEY_new/free was ok kenjiro.

8 files changed, 15 insertions, 197 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index b51103712c..b0ab507983 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.240 2025/07/12 20:22:40 tb Exp $
+# $OpenBSD: Makefile,v 1.241 2025/07/16 15:59:26 tb Exp $
 
 LIB=    crypto
 LIBREBUILD=y
@@ -150,7 +150,6 @@ SRCS+= bss_conn.c
 SRCS+= bss_dgram.c
 SRCS+= bss_fd.c
 SRCS+= bss_file.c
-SRCS+= bss_log.c
 SRCS+= bss_mem.c
 SRCS+= bss_null.c
 SRCS+= bss_sock.c
diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index e259430bbf..2aae617f0a 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -308,7 +308,6 @@ BIO_s_connect
 BIO_s_datagram
 BIO_s_fd
 BIO_s_file
-BIO_s_log
 BIO_s_mem
 BIO_s_null
 BIO_s_socket
@@ -1664,9 +1663,7 @@ PEM_ASN1_write_bio
 PEM_SignFinal
 PEM_SignInit
 PEM_SignUpdate
-PEM_X509_INFO_read
 PEM_X509_INFO_read_bio
-PEM_X509_INFO_write_bio
 PEM_bytes_read_bio
 PEM_def_callback
 PEM_dek_info
@@ -2474,8 +2471,6 @@ X509_OBJECT_idx_by_subject
 X509_OBJECT_new
 X509_OBJECT_retrieve_by_subject
 X509_OBJECT_retrieve_match
-X509_PKEY_free
-X509_PKEY_new
 X509_PUBKEY_free
 X509_PUBKEY_get
 X509_PUBKEY_get0
diff --git a/src/lib/libcrypto/hidden/openssl/bio.h b/src/lib/libcrypto/hidden/openssl/bio.h
index 03da75a795..69651cf3cb 100644
--- a/src/lib/libcrypto/hidden/openssl/bio.h
+++ b/src/lib/libcrypto/hidden/openssl/bio.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio.h,v 1.8 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bio.h,v 1.9 2025/07/16 15:59:26 tb Exp $ */
 /*
  * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
  *
@@ -103,7 +103,6 @@ LCRYPTO_USED(BIO_s_socket);
 LCRYPTO_USED(BIO_s_connect);
 LCRYPTO_USED(BIO_s_accept);
 LCRYPTO_USED(BIO_s_fd);
-LCRYPTO_USED(BIO_s_log);
 LCRYPTO_USED(BIO_s_bio);
 LCRYPTO_USED(BIO_s_null);
 LCRYPTO_USED(BIO_f_null);
diff --git a/src/lib/libcrypto/hidden/openssl/pem.h b/src/lib/libcrypto/hidden/openssl/pem.h
index 5838f07f4d..233fd8859b 100644
--- a/src/lib/libcrypto/hidden/openssl/pem.h
+++ b/src/lib/libcrypto/hidden/openssl/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.2 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: pem.h,v 1.3 2025/07/16 15:59:26 tb Exp $ */
 /*
  * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
  *
@@ -33,12 +33,10 @@ LCRYPTO_USED(PEM_bytes_read_bio);
 LCRYPTO_USED(PEM_ASN1_read_bio);
 LCRYPTO_USED(PEM_ASN1_write_bio);
 LCRYPTO_USED(PEM_X509_INFO_read_bio);
-LCRYPTO_USED(PEM_X509_INFO_write_bio);
 LCRYPTO_USED(PEM_read);
 LCRYPTO_USED(PEM_write);
 LCRYPTO_USED(PEM_ASN1_read);
 LCRYPTO_USED(PEM_ASN1_write);
-LCRYPTO_USED(PEM_X509_INFO_read);
 LCRYPTO_USED(PEM_SignInit);
 LCRYPTO_USED(PEM_SignUpdate);
 LCRYPTO_USED(PEM_SignFinal);
diff --git a/src/lib/libcrypto/hidden/openssl/x509.h b/src/lib/libcrypto/hidden/openssl/x509.h
index e6104cd451..5e78f7af97 100644
--- a/src/lib/libcrypto/hidden/openssl/x509.h
+++ b/src/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.15 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.16 2025/07/16 15:59:26 tb Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
  *
@@ -401,8 +401,6 @@ LCRYPTO_USED(i2d_X509_CRL);
 LCRYPTO_USED(X509_CRL_add0_revoked);
 LCRYPTO_USED(X509_CRL_get0_by_serial);
 LCRYPTO_USED(X509_CRL_get0_by_cert);
-LCRYPTO_USED(X509_PKEY_new);
-LCRYPTO_USED(X509_PKEY_free);
 LCRYPTO_USED(NETSCAPE_SPKI_new);
 LCRYPTO_USED(NETSCAPE_SPKI_free);
 LCRYPTO_USED(d2i_NETSCAPE_SPKI);
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 4fdab48bb2..709e17308b 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.28 2024/05/11 05:41:28 tb Exp $ */
+/* $OpenBSD: pem.h,v 1.29 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -338,8 +338,6 @@ int	PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
 
 STACK_OF(X509_INFO) *   PEM_X509_INFO_read_bio(BIO *bp,
             STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
-int     PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-            unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
 #endif
 
 int     PEM_read(FILE *fp, char **name, char **header,
@@ -351,8 +349,6 @@ void *  PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
 int     PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
             void *x, const EVP_CIPHER *enc, unsigned char *kstr,
             int klen, pem_password_cb *callback, void *u);
-STACK_OF(X509_INFO) *   PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
-            pem_password_cb *cb, void *u);
 
 int    PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
 int    PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index 4f2be892d1..26061f6f08 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.32 2025/07/12 20:22:40 tb Exp $ */
+/* $OpenBSD: pem_info.c,v 1.33 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -80,60 +80,25 @@
 X509_PKEY *
 X509_PKEY_new(void)
 {
-        X509_PKEY *ret = NULL;
+        X509_PKEY *x_pkey;
 
-        if ((ret = malloc(sizeof(X509_PKEY))) == NULL) {
+        if ((x_pkey = calloc(1, sizeof(*x_pkey))) == NULL) {
                 ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->version = 0;
-        if ((ret->enc_algor = X509_ALGOR_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((ret->enc_pkey = ASN1_OCTET_STRING_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
+                return NULL;
         }
-        ret->dec_pkey = NULL;
-        ret->key_length = 0;
-        ret->key_data = NULL;
-        ret->key_free = 0;
-        ret->cipher.cipher = NULL;
-        memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
-        ret->references = 1;
-        return (ret);
 
- err:
-        if (ret) {
-                X509_ALGOR_free(ret->enc_algor);
-                free(ret);
-        }
-        return NULL;
+        return x_pkey;
 }
-LCRYPTO_ALIAS(X509_PKEY_new);
 
 void
-X509_PKEY_free(X509_PKEY *x)
+X509_PKEY_free(X509_PKEY *x_pkey)
 {
-        int i;
-
-        if (x == NULL)
+        if (x_pkey == NULL)
                 return;
 
-        i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
-        if (i > 0)
-                return;
-
-        if (x->enc_algor != NULL)
-                X509_ALGOR_free(x->enc_algor);
-        ASN1_OCTET_STRING_free(x->enc_pkey);
-        EVP_PKEY_free(x->dec_pkey);
-        if ((x->key_data != NULL) && (x->key_free))
-                free(x->key_data);
-        free(x);
+        EVP_PKEY_free(x_pkey->dec_pkey);
+        free(x_pkey);
 }
-LCRYPTO_ALIAS(X509_PKEY_free);
 
 X509_INFO *
 X509_INFO_new(void)
@@ -169,24 +134,6 @@ X509_INFO_free(X509_INFO *x)
 LCRYPTO_ALIAS(X509_INFO_free);
 
 STACK_OF(X509_INFO) *
-PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
-    void *u)
-{
-        BIO *b;
-        STACK_OF(X509_INFO) *ret;
-
-        if ((b = BIO_new(BIO_s_file())) == NULL) {
-                PEMerror(ERR_R_BUF_LIB);
-                return (0);
-        }
-        BIO_set_fp(b, fp, BIO_NOCLOSE);
-        ret = PEM_X509_INFO_read_bio(b, sk, cb, u);
-        BIO_free(b);
-        return (ret);
-}
-LCRYPTO_ALIAS(PEM_X509_INFO_read);
-
-STACK_OF(X509_INFO) *
 PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
     void *u)
 {
@@ -381,98 +328,3 @@ err:
         return ret;
 }
 LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);
-
-
-/* A TJH addition */
-int
-PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-    unsigned char *kstr, int klen, pem_password_cb *cb, void *u)
-{
-        EVP_CIPHER_CTX ctx;
-        int i, ret = 0;
-        unsigned char *data = NULL;
-        const char *objstr = NULL;
-        char buf[PEM_BUFSIZE];
-        unsigned char *iv = NULL;
-
-        if (enc != NULL) {
-                objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
-                if (objstr == NULL) {
-                        PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                        goto err;
-                }
-        }
-
-        /* now for the fun part ... if we have a private key then
-         * we have to be able to handle a not-yet-decrypted key
-         * being written out correctly ... if it is decrypted or
-         * it is non-encrypted then we use the base code
-         */
-        if (xi->x_pkey != NULL) {
-                if ((xi->enc_data != NULL) && (xi->enc_len > 0) ) {
-                        if (enc == NULL) {
-                                PEMerror(PEM_R_CIPHER_IS_NULL);
-                                goto err;
-                        }
-
-                        /* copy from weirdo names into more normal things */
-                        iv = xi->enc_cipher.iv;
-                        data = (unsigned char *)xi->enc_data;
-                        i = xi->enc_len;
-
-                        /* we take the encryption data from the
-                         * internal stuff rather than what the
-                         * user has passed us ... as we have to
-                         * match exactly for some strange reason
-                         */
-                        objstr = OBJ_nid2sn(
-                            EVP_CIPHER_nid(xi->enc_cipher.cipher));
-                        if (objstr == NULL) {
-                                PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                                goto err;
-                        }
-
-                        /* create the right magic header stuff */
-                        if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 >
-                            sizeof buf) {
-                                PEMerror(ASN1_R_BUFFER_TOO_SMALL);
-                                goto err;
-                        }
-                        buf[0] = '\0';
-                        PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
-                        PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
-
-                        /* use the normal code to write things out */
-                        i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
-                        if (i <= 0)
-                                goto err;
-                } else {
-                        /* Add DSA/DH */
-#ifndef OPENSSL_NO_RSA
-                        /* normal optionally encrypted stuff */
-                        if (PEM_write_bio_RSAPrivateKey(bp,
-                            xi->x_pkey->dec_pkey->pkey.rsa,
-                            enc, kstr, klen, cb, u) <= 0)
-                                goto err;
-#endif
-                }
-        }
-
-        /* if we have a certificate then write it out now */
-        if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
-                goto err;
-
-        /* we are ignoring anything else that is loaded into the X509_INFO
-         * structure for the moment ... as I don't need it so I'm not
-         * coding it here and Eric can do it when this makes it into the
-         * base library --tjh
-         */
-
-        ret = 1;
-
-err:
-        explicit_bzero((char *)&ctx, sizeof(ctx));
-        explicit_bzero(buf, PEM_BUFSIZE);
-        return (ret);
-}
-LCRYPTO_ALIAS(PEM_X509_INFO_write_bio);
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index e779dfb6a9..729a06d0ed 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.122 2025/07/01 06:35:16 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.123 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -245,23 +245,7 @@ typedef struct X509_crl_info_st X509_CRL_INFO;
 DECLARE_STACK_OF(X509_CRL)
 
 typedef struct private_key_st {
-        int version;
-        /* The PKCS#8 data types */
-        X509_ALGOR *enc_algor;
-        ASN1_OCTET_STRING *enc_pkey;    /* encrypted pub key */
-
-        /* When decrypted, the following will not be NULL */
         EVP_PKEY *dec_pkey;
-
-        /* used to encrypt and decrypt */
-        int key_length;
-        char *key_data;
-        int key_free;   /* true if we should auto free key_data */
-
-        /* expanded version of 'enc_algor' */
-        EVP_CIPHER_INFO cipher;
-
-        int references;
 } X509_PKEY;
 
 #ifndef OPENSSL_NO_EVP
@@ -647,9 +631,6 @@ int X509_CRL_get0_by_serial(X509_CRL *crl,
                 X509_REVOKED **ret, ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
 
-X509_PKEY *     X509_PKEY_new(void );
-void            X509_PKEY_free(X509_PKEY *a);
-
 NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
 void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
 NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, const unsigned char **in, long len);